topic Re: Phishing emails in Splunk Search

Phishing emails

of — Mon, 29 Jan 2024 13:42:00 GMT

Hi,

I want to create a search query that looks for users who have received phishing emails, clicked the link, or downloaded a file from the email.

Thanks

Re: Phishing emails

ITWhisperer — Mon, 29 Jan 2024 13:50:44 GMT

What events do you have in Splunk to work with?

Re: Phishing emails

of — Tue, 30 Jan 2024 09:40:55 GMT

Hi,

Thanks for your reply. We have a WAF and firewall and ingest their logs in Splunk.

Regards,

Re: Phishing emails

ITWhisperer — Tue, 30 Jan 2024 09:44:09 GMT

OK so what do those events look like? What data do they contain? Please share some anonymised examples.

Re: Phishing emails

PickleRick — Tue, 30 Jan 2024 11:18:19 GMT

WAF and firewall are typically _not_ solutions associated with email traffic or user's web-related behaviour so you might want to reconsider your sources list.