Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Find like strings to detect phishing

jmsiegma
Path Finder
‎11-12-2014 06:00 PM

I would like to run a search on my logs so they detect fuzzy like strings. So in my current example we received a phishing e-mail with the string "ADP Past Due Invoice#{00000000}" with random numbers where there are zeros.

I turns out in this case it is easy to search because I can just leave the number off the search, but I would like to group like "subjects" no matter what the pattern is, and then dig deeper from there.

So for example, what if the string was "hello {user} your file is attached" I would like a search that would group all the subjects so I can see that there were say 100 of these type of messages being set to 100 unique users.

Is that possible?

Tags (1)
0 Karma
Reply

vasanthmss
Motivator
‎11-12-2014 07:22 PM

Try this,

..yoursearch| rex field=main "(?s) (?<user>.*) your file is attached" | stats count by user

sample search 

|stats count | eval main="hello Vasanth Kumar your file is attached,hello User One your file is attached,hello User two your file is attached,hello vasanth3 your file is attached" | eval main=split(main,",") | mvexpand main | rex field=main "(?s) (?<user>.*) your file is attached" | table main, user

Hope this will help you....
Cheers!

V
0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...