Correlation Query for spam email - not working


I have created a correlation rule with the following query, that runs every 5 mins. This is to detect if any external email address sends multiple emails to our internal email within given time (an hour), then it should trigger an alert. Please tell me what is the issue with it.

sequence by email.from.address, with maxspan=60m
[any where email.direction == "inbound"] with runs=2

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.