Part 5: Advanced Operations on Enumerated Fields - Video 6

If we are more interested in looking for unusual or uncommon sender domains, we can make use of some additional search processing tools within Gravwell to create a new enumerated field derived from data in an existing one.

Query 10:
Extracting data from a field to create a new field using the “fields” module

tag=envolvelabs-Email ax recipient ~ "envolvelabs.com" sender !~ "envolvelabs.com"
| fields -e sender -d "@" [1] as sender_domain
| count by sender_domain
| sort by count desc
| table sender_domain count

Query 11:
Using “eval” to compare values of a field (in this case the result of count)

tag=envolvelabs-Email ax recipient ~ "envolvelabs.com" sender !~ "envolvelabs.com"
| fields -e sender -d "@" [1] as sender_domain
| count by sender_domain
| sort by count desc
| eval count
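To make concrete what the pipelines in Query 10 and Query 11 compute, here is an added Python example that walks the same steps over a handful of constructed email records: the ax-style substring filter on recipient and sender, the "split on @ and take element 1" extraction that the fields module performs, the count by sender_domain sorted descending, and a final comparison on the count as Query 11 suggests with eval. This is illustrative code written for this page, not Gravwell's own implementation or the query language itself; the sample records, the envolvelabs-Email-like dataset and the rarity threshold passed to rare_sender_domains are assumptions, since the page does not give a threshold for the eval step.

```python
from collections import Counter

# Constructed sample records standing in for entries under the envolvelabs-Email tag.
# These are not real messages; the "attacker@..." and "lookalike..." senders are made
# up to show how the substring filter behaves on domains that resemble the org's own.
SAMPLE_EMAILS = [
    {"sender": "alice@envolvelabs.com", "recipient": "bob@envolvelabs.com"},
    {"sender": "news@vendor.example", "recipient": "bob@envolvelabs.com"},
    {"sender": "billing@vendor.example", "recipient": "carol@envolvelabs.com"},
    {"sender": "noreply@partner.example", "recipient": "carol@envolvelabs.com"},
    {"sender": "odd@lookalike-envolvelabs.co", "recipient": "dave@envolvelabs.com"},
    {"sender": "malformed-no-at-sign", "recipient": "dave@envolvelabs.com"},
    {"sender": "eve@vendor.example", "recipient": "mallory@other.example"},
    # Contains the org string as a substring, so "sender !~ org" treats it as internal.
    {"sender": "attacker@envolvelabs.com.example", "recipient": "bob@envolvelabs.com"},
]

ORG = "envolvelabs.com"


def inbound_external(records, org=ORG):
    """Mirror the ax filter: recipient ~ org AND sender !~ org.

    ~ / !~ are modelled as substring containment, which is why a sender whose
    domain merely contains the org string is dropped rather than flagged.
    """
    return [r for r in records if org in r["recipient"] and org not in r["sender"]]


def sender_domain(sender):
    """Mirror `fields -e sender -d "@" [1]`: element 1 after splitting on "@".

    Returns None when there is no "@", the case where fields produces no
    sender_domain enumerated value for that record.
    """
    parts = sender.split("@")
    return parts[1] if len(parts) > 1 else None


def count_by_sender_domain(records, org=ORG):
    """Query 10: count by sender_domain | sort by count desc.

    Returns a list of (domain, count) tuples, highest count first; ties are
    broken alphabetically so the output is deterministic.
    """
    counts = Counter()
    for record in inbound_external(records, org):
        domain = sender_domain(record["sender"])
        if domain is None:
            # No sender_domain field, so the record does not participate in `count by`.
            continue
        counts[domain] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def rare_sender_domains(records, max_count, org=ORG):
    """Query 11 idea: compare the count value with eval to keep only rare domains.

    max_count is an assumed threshold for this example; the page's query ends at
    `eval count` without stating the comparison.
    """
    return [(d, c) for d, c in count_by_sender_domain(records, org) if c <= max_count]


if __name__ == "__main__":
    for domain, count in count_by_sender_domain(SAMPLE_EMAILS):
        print(f"{domain:30} {count}")
    print("rare (count <= 1):", rare_sender_domains(SAMPLE_EMAILS, 1))
```

The malformed sender shows why the `[1]` index needs the guard: a value without an "@" has no element 1. The constructed `attacker@envolvelabs.com.example` record shows the cost of filtering on substring containment, because it is silently treated as internal; when the goal is to spot senders impersonating the organization, comparing the extracted sender_domain against the organization's domain for equality after the fields step is the safer test.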
