Filtering Logs to identify internal spam senders

Hi guys,

I am sending 365 logs to my SIEM and I'd like to identify possible spam senders using these logs.

My SIEM alert rule only filters by 365 logs that happen 50 times in 1 minute and nothing else.

I've noticed that in this way the SIEM alerts on many cases that don't fit as spam senders.

I realized that in the logs there is the field "action" which filters them in a better way, but I don't know what tag I should use on this field or any other field to catch messages sent on 365.

Does anyone know how to?

Thanks in advance.

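As an added illustration (not code from the post, and not Microsoft's log schema), the rule below shows why a plain "50 events in 1 minute" count fires on inbound traffic and how keying on an action field plus a per-sender sliding window narrows it to outbound senders. The record layout (`ts`, `action`, `sender`, `recipient`) and the value `"send"` are assumptions standing in for whatever the real 365 fields carry; the 50-per-minute threshold is the one from the post, and the sample records are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical normalized record layout; real Microsoft 365 field names differ.
def make_record(ts, action, sender, recipient):
    return {"ts": ts.isoformat(), "action": action, "sender": sender, "recipient": recipient}

BASE = datetime(2024, 1, 1, 9, 0, 0)
# Constructed sample data, not real logs.
SAMPLE_LOGS = (
    # 60 outbound sends from one mailbox in 30 seconds: the case we want to catch
    [make_record(BASE + timedelta(seconds=i / 2), "send", "bulk@example.com", f"r{i}@example.net")
     for i in range(60)]
    # 60 inbound deliveries in the same 30 seconds: a count-only rule also fires on these
    + [make_record(BASE + timedelta(seconds=i / 2), "deliver", "news@example.org", "bob@example.com")
       for i in range(60)]
    # 10 ordinary sends spread over 10 minutes: well under any per-minute threshold
    + [make_record(BASE + timedelta(minutes=i), "send", "alice@example.com", "carol@example.com")
       for i in range(10)]
)

def find_spam_senders(records, threshold=50, window=timedelta(minutes=1), min_recipients=10):
    """Flag senders with >= threshold outbound sends to >= min_recipients distinct
    recipients inside any sliding window. Only action == "send" counts, so inbound
    traffic (deliver/receive events) cannot trigger the rule."""
    sends = sorted((r for r in records if r["action"] == "send"),
                   key=lambda r: datetime.fromisoformat(r["ts"]))
    recent = defaultdict(deque)  # sender -> deque of (timestamp, recipient) inside the window
    flagged = {}
    for r in sends:
        ts = datetime.fromisoformat(r["ts"])
        q = recent[r["sender"]]
        q.append((ts, r["recipient"]))
        while ts - q[0][0] > window:  # drop events that have fallen out of the window
            q.popleft()
        distinct = {rcpt for _, rcpt in q}
        if len(q) >= threshold and len(distinct) >= min_recipients and r["sender"] not in flagged:
            flagged[r["sender"]] = {"first_hit": ts.isoformat(),
                                    "events": len(q), "recipients": len(distinct)}
    return flagged

if __name__ == "__main__":
    for sender, info in find_spam_senders(SAMPLE_LOGS).items():
        print(sender, info)
```

The `min_recipients` floor is a tunable assumption: it keeps a mailbox that replies 50 times to one thread from being flagged alongside a mailbox fanning out to dozens of addresses.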