Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Find like strings to detect phishing

jmsiegma
Path Finder
‎11-12-2014 06:00 PM

I would like to run a search on my logs so they detect fuzzy like strings. So in my current example we received a phishing e-mail with the string "ADP Past Due Invoice#{00000000}" with random numbers where there are zeros.

I turns out in this case it is easy to search because I can just leave the number off the search, but I would like to group like "subjects" no matter what the pattern is, and then dig deeper from there.

So for example, what if the string was "hello {user} your file is attached" I would like a search that would group all the subjects so I can see that there were say 100 of these type of messages being set to 100 unique users.

Is that possible?

Tags (1)
0 Karma
Reply

vasanthmss
Motivator
‎11-12-2014 07:22 PM

Try this,

..yoursearch| rex field=main "(?s) (?<user>.*) your file is attached" | stats count by user

sample search 

|stats count | eval main="hello Vasanth Kumar your file is attached,hello User One your file is attached,hello User two your file is attached,hello vasanth3 your file is attached" | eval main=split(main,",") | mvexpand main | rex field=main "(?s) (?<user>.*) your file is attached" | table main, user

Hope this will help you....
Cheers!

V
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...