Hosts Receiving High Volume Of Network Traffic From Email Server
This search looks for an increase in data transfers from your email server to your clients. This could be indicative of a malicious actor collecting data using your email server.
Hosts Receiving High Volume Of Network Traffic From Email Server Help
This search requires you to be ingesting your network traffic and populating the NetworkTraffic data model. Your email servers must also be categorized as "emailserver" for the search to work. You may need to adjust the deviationthreshold and minimumdatasamples values based on the network traffic in your environment. The "deviationthreshold" field is a multiplying factor that controls how much variation you're willing to tolerate. The "minimumdatasamples" field is the minimum number of connections (data samples) required for the statistic to be valid.
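The sketch below shows how the two tuning values interact. It is an added Python illustration, not the search itself or Splunk's code. It assumes the multiplying factor is applied to the standard deviation of each client's earlier samples (upper bound = average + deviation threshold × standard deviation) and that only the most recent sample is tested; the host names and byte counts are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: (hour, client host, bytes the email server sent to that client)
SAMPLE = (
    [(h, "ws-finance-07", 40_000 + 1_000 * (h % 5)) for h in range(24)]
    + [(24, "ws-finance-07", 900_000)]   # sudden spike in the latest hour
    + [(h, "ws-new-02", 50_000) for h in range(3)]
    + [(3, "ws-new-02", 800_000)]        # spike, but almost no history
    + [(h, "ws-hr-11", 60_000 + 2_000 * (h % 3)) for h in range(25)]  # steady
)


def hosts_over_baseline(records, deviation_threshold=3, minimum_data_samples=10):
    """Return clients whose latest transfer exceeds their own baseline.

    Assumed rule: latest > avg + deviation_threshold * stdev, evaluated only
    when at least minimum_data_samples earlier samples exist for that client.
    """
    per_host = defaultdict(list)
    for _hour, host, nbytes in sorted(records):   # oldest sample first
        per_host[host].append(nbytes)

    flagged = {}
    for host, series in per_host.items():
        history, latest = series[:-1], series[-1]
        if len(history) < minimum_data_samples:
            continue   # too few samples: the statistic is not trusted
        upper_bound = mean(history) + deviation_threshold * pstdev(history)
        if latest > upper_bound:
            flagged[host] = {
                "latest": latest,
                "upper_bound": round(upper_bound),
                "samples": len(history),
            }
    return flagged


if __name__ == "__main__":
    for host, detail in hosts_over_baseline(SAMPLE).items():
        print(host, detail)
```

Lowering the minimum sample count makes the sparse client "ws-new-02" alert on a baseline of three identical values, which is why a client with little history is a common source of false positives.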