topic Wildcard for domain search in Splunk Enterprise Security

Wildcard for domain search

johnde — Fri, 10 May 2019 10:29:10 GMT

I am trying to find the domain that came in the logs but were faked to look similar for our domain.
So if my domain is abc.co I would like to list all entries that came for abc.co.xyz.com, abc.co.aaa.com, etc.
Thanks!

Re: Wildcard for domain search

koshyk — Fri, 10 May 2019 14:20:01 GMT

Please provide sample data for this. You can write the SPL in 1000's of ways if you don't provide sample data

Re: Wildcard for domain search

johnde — Fri, 10 May 2019 14:48:24 GMT

Thanks for the reply @koshyk .
I am new to SPL and still trying to figure out the right approach, what I am trying to find out is if someone faked our login page and redirected a user when they login with their credentials to our page.
Let's say our login page is is login.mydomain.co and someone created a sub-domain with our login page name, login.mydomain.co.fakedomain.com and this looks similar to our login page. Once a user enters the username password they are redirected to mydomain.co. I wanted to see if any of our users clicked on that link and entered the credentials based on the redirect.
fakedomain.com is not constant and it can be any value.

Re: Wildcard for domain search

woodcock — Fri, 10 May 2019 18:09:07 GMT

Can't you just do myfield=abc.co*? Also, check out this app:
https://splunkbase.splunk.com/app/3376/