What is the Referer URL field, actually?

soundchaos
Path Finder

My main goal right now is to see if there are users accessing our site through phishing sites or emails. We do not send any e-mails with links whatsoever, so I shouldn't see anyone referred through an email.

My (possibly uneducated) question is to clarify what exactly the Referer URL is giving me. If I was to pull a list of:

"... | top cs_Referer_"

I get results like "http://www.google.com/" with no search criteria, and also "google.com/MyWebsiteName/". Is it actually just the URL the user was on before they changed to ours, or is it actually based on clicking a link?

Given this info, what type of referer would I look for to see if they did click on a link in an email?

1 Solution

bluger_splunk
Splunk Employee

Hello --

The HTTP referrer is appended to the HTTP header by the browser whenever a user navigates to a URL from a link in another site. Google is commonly seen as a referrer because many people navigate to websites that they search for using its search engine. For instance, if you search for Splunk on google.com and then click on the link to Splunk's homepage, a Google referrer will get appended to the HTTP header by your browser.

As far as I know, email clients do not append HTTP referrers for links contained within the email. However, you should be able to track the HTTP referrers for sites that are linking to your site and then attempt to match the results against known bad domains to identify any malicious domains that are linking to your site.

If you're currently using Splunk's Enterprise Security application, it comes preloaded with a bunch of threat intelligence sources that you can use to match against the referrer headers. If you don't currently use Splunk's Enterprise Security application, there are still a number of public-domain threat sources you can gather intel from and pass to Splunk for matching.

Hope this helps.

~Brian

bluger_splunk
Splunk Employee

Those appear to be referrers from Google's Gmail and Microsoft's Live Mail public email services. If those were set as referrers, then it would likely indicate a user followed a link provided in an email, which they would have had to have opened using their web browser instead of an email client like Outlook. Additionally, if an employee were to access their corporate email using their web browser, via Outlook Web Access or the like, their browser would generate a referrer header for any links that were followed from within any opened emails.

Hope this helps!

~Brian
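The two answers above describe a triage process: pull the Referer value out of the web-server log, treat referrers from webmail hosts (such as the mail.google.com and mail.live.com examples in this thread) as "a link was followed from an opened email in a browser", and match the remaining referrer domains against a threat-intelligence list. The script below is an added example of that logic and is not code from this thread or from Splunk. It assumes W3C/IIS-style log lines with a cs(Referer) column; the log excerpt, the webmail host list and the "known bad" domain list are constructed for illustration (the bad domain is a placeholder, not a real indicator). Because the Referer header is supplied by the client, it can be absent or arbitrary, so the verdicts are triage signals rather than proof of how a user arrived.

```python
"""Triage HTTP Referer values from web-server logs.

Added example; not from the Splunk Community thread or from Splunk.
Assumes W3C/IIS-style log lines carrying a cs(Referer) column. The log
excerpt, the webmail host list and the threat-intel domain set below are
constructed for illustration only.
"""
from urllib.parse import urlsplit

# Constructed W3C extended log excerpt (the #Fields line names the columns).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(Referer)
2024-01-10 09:12:01 10.0.0.5 GET /index.html 200 http://www.google.com/
2024-01-10 09:12:44 10.0.0.7 GET /login 200 https://mail.google.com/mail/u/0/
2024-01-10 09:13:02 10.0.0.9 GET /login 200 https://bay179.mail.live.com/default.aspx
2024-01-10 09:13:30 10.0.0.11 GET /reset 200 https://login.example-bad-site.test/lure
2024-01-10 09:14:05 10.0.0.12 GET /about 200 -
"""

# Constructed stand-in for a threat-intel feed of referrer domains (placeholder value).
KNOWN_BAD_DOMAINS = {"example-bad-site.test"}

# Public webmail / OWA-style hosts; a referrer under one of these usually means
# the user followed a link from an email opened in a browser.
WEBMAIL_SUFFIXES = ("mail.google.com", "mail.live.com", "outlook.live.com", "outlook.office.com")


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign the columns
        yield dict(zip(fields, values))


def referer_host(value):
    """Lower-cased host of a Referer value, or None for '-' / empty / unparsable."""
    if value in ("", "-"):
        return None
    host = urlsplit(value).hostname
    return host.lower() if host else None


def host_matches(host, suffixes):
    """True if host equals a suffix or is a subdomain of it (no substring matching)."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def classify(host):
    """Verdict for one referrer host; 'direct' covers typed URLs, bookmarks,
    desktop email clients and browsers that stripped the header."""
    if host is None:
        return "direct"
    if host_matches(host, KNOWN_BAD_DOMAINS):
        return "known-bad"
    if host_matches(host, WEBMAIL_SUFFIXES):
        return "webmail"
    return "other"


def triage(text):
    """Return (client_ip, referrer_host, verdict) for every record in the log text."""
    results = []
    for rec in parse_w3c(text):
        host = referer_host(rec.get("cs(Referer)", "-"))
        results.append((rec["c-ip"], host, classify(host)))
    return results


if __name__ == "__main__":
    for ip, host, verdict in triage(SAMPLE_LOG):
        print(f"{ip:<10} {verdict:<10} {host}")
```

Matching is done on the parsed hostname with a suffix check, not on the raw string, so a lure URL that merely contains "mail.google.com" in its path or query does not get counted as webmail. In Splunk the same two steps map naturally onto a lookup against a domain list after extracting the host from the referrer field, which is what the Enterprise Security threat-intel matching mentioned above does for you.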

soundchaos
Path Finder

Thanks for the answer. Based on this, would you happen to know what it means when referrers are as follows:
https://mail.google.com/mail/
https://bay179.mail.live.com/default.aspx
