topic How to use the email sender from one search as input for another search? in Splunk Search

How to use the email sender from one search as input for another search?

adayton20 — Mon, 07 Dec 2015 14:22:24 GMT

Hello,

I'm still learning a lot about Splunk so bear with me.

My current search:

'get_phished' | stats values(recipient) as recipient by subject, filename, sender | search NOT recipient >2

The get_phished is actually a macro containing the following fields:

index=email recipient=insert_user_here OR recipient=insert_user_here, etc

The search results produce a table consisting of subject, filename, sender, and which users received the phishing email if the count is greater than 2.

What I would like to do is append another search that looks for additional emails not included in my manually updated list and add them in another category called new_targets.

From what I've noticed over the past few months, these senders are consistently using a random combination of existing phishing targets from previous attempts in conjunction with their newly acquired list of targets.

For example,

Week 1 phishing targets:
a@email.com
b@email.com
c@email.com

Week 2 phishing targets:
a@email.com
b@email.com
d@email.com

In the example above, in week 2, 1 new email was targeted in combination with some of the users from week 1.
I think this can be accomplished by searching against the sender from the original search and looking for additional recipients from that sender not included in the current list of recipients, but I’m not entirely sure how to do that.

Thoughts?

V/r
Andrew

Re: How to use the email sender from one search as input for another search?

sundareshr — Mon, 07 Dec 2015 21:40:52 GMT

There are a few options where you can do a sub-search (append, join etc), but sub-searches are very inefficient and have limitations. The most efficient way would be to include both sources in your search index=mail (source=list1 OR source=list2 ) and with the combination of dedupe and stats you should be able to get a distinct list of "phishers"

Hopefully this gives you some ideas to explore.

Re: How to use the email sender from one search as input for another search?

adayton20 — Tue, 08 Dec 2015 13:56:18 GMT

Appreciate the prompt response.

The sources are actually the same. Both sources I'm looking in areindex=email. I tried adding a subsearch that renames two fields in order to create the ability to compare them and then narrowing down the searches by searching for events that contain the same sender and where the recipient doesn't equal the new recipient. It isn't returning the results I'm looking for and instead just matching on the same sender and recipient fields and displaying them.

`GetPhished`
| stats values(recipient) as recipient by subject, filename, sender
| search NOT recipient >2
| join [| search index=email sourcetype=email_log filename=* | rename sender AS send | rename recipient AS new_recip | stats values(new_recip) as new_recip by send, subject, filename | search NOT new_recip >0]
| where sender = send AND recipient !=new_recip