Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Find like strings to detect phishing

jmsiegma
Path Finder
‎11-12-2014 06:00 PM

I would like to run a search on my logs so they detect fuzzy like strings. So in my current example we received a phishing e-mail with the string "ADP Past Due Invoice#{00000000}" with random numbers where there are zeros.

I turns out in this case it is easy to search because I can just leave the number off the search, but I would like to group like "subjects" no matter what the pattern is, and then dig deeper from there.

So for example, what if the string was "hello {user} your file is attached" I would like a search that would group all the subjects so I can see that there were say 100 of these type of messages being set to 100 unique users.

Is that possible?

Tags (1)
0 Karma
Reply

vasanthmss
Motivator
‎11-12-2014 07:22 PM

Try this,

..yoursearch| rex field=main "(?s) (?<user>.*) your file is attached" | stats count by user

sample search 

|stats count | eval main="hello Vasanth Kumar your file is attached,hello User One your file is attached,hello User two your file is attached,hello vasanth3 your file is attached" | eval main=split(main,",") | mvexpand main | rex field=main "(?s) (?<user>.*) your file is attached" | table main, user

Hope this will help you....
Cheers!

V
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...