Hi everyone,
I am looking for a search where a sender sent an email to a recipient **and for that email two DLP policies get triggered.**
Splunk is showing two events with the same timestamp, one event against each policy.
```
index=symantec_dlp Blocked!="Action Blocked" (Policy="DLP - xyz" OR Policy="DLP - abc")
| stats values(Policy) as "POLICY", dc(Policy) as "Policy_Count", values(Recipients) by user
| search Policy_Count=2
```
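The correlation described in the post, as an added Python example that is not part of the original post: it groups events per email (timestamp, sender and recipient set) and, for comparison, per sender, so the difference between the two groupings is visible. The events, addresses and the `Blocked` value "No Action" are constructed, and treating timestamp plus sender plus recipients as the identity of one email is an assumption.

```python
from collections import defaultdict

REQUIRED = frozenset({"DLP - xyz", "DLP - abc"})  # policy names from the post

# Constructed events: (time, user, Recipients, Policy, Blocked). The Blocked
# value "No Action" and all addresses are made up for illustration.
EVENTS = [
    ("2024-01-10 09:00:00", "alice@example.com", "x@example.org, y@example.org", "DLP - xyz", "No Action"),
    ("2024-01-10 09:00:00", "alice@example.com", "y@example.org, x@example.org", "DLP - abc", "No Action"),
    ("2024-01-10 09:05:00", "carol@example.com", "z@example.org", "DLP - xyz", "No Action"),
    ("2024-01-10 09:30:00", "carol@example.com", "w@example.org", "DLP - abc", "No Action"),
    ("2024-01-10 09:40:00", "bob@example.com", "x@example.org", "DLP - xyz", "Action Blocked"),
    ("2024-01-10 09:40:00", "bob@example.com", "x@example.org", "DLP - abc", "Action Blocked"),
]

def _policies_by(events, key_fn):
    """Collect the set of required policies seen per grouping key."""
    groups = defaultdict(set)
    for time, user, recipients, policy, blocked in events:
        # Same filter as the search: drop blocked events and other policies.
        if blocked == "Action Blocked" or policy not in REQUIRED:
            continue
        groups[key_fn(time, user, recipients)].add(policy)
    return groups

def email_key(time, user, recipients):
    """Assumed identity of one email: timestamp, sender, recipient set."""
    rcpts = frozenset(r.strip().lower() for r in recipients.split(","))
    return (time, user.lower(), rcpts)

def emails_with_both(events):
    """Emails for which every required policy fired."""
    groups = _policies_by(events, email_key)
    return sorted((t, u, sorted(r)) for (t, u, r), p in groups.items() if p == REQUIRED)

def senders_with_both(events):
    """Senders who hit every required policy, possibly on different emails."""
    groups = _policies_by(events, lambda t, u, r: u.lower())
    return sorted(u for u, p in groups.items() if p == REQUIRED)

if __name__ == "__main__":
    print(emails_with_both(EVENTS))
    print(senders_with_both(EVENTS))
```

In SPL the per-email grouping corresponds to adding `_time` and `Recipients` to the `by` clause of the `stats` command.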