Find like strings to detect phishing

jmsiegma · ‎11-12-2014

I would like to run a search on my logs so they detect fuzzy like strings. So in my current example we received a phishing e-mail with the string "ADP Past Due Invoice#{00000000}" with random numbers where there are zeros.

I turns out in this case it is easy to search because I can just leave the number off the search, but I would like to group like "subjects" no matter what the pattern is, and then dig deeper from there.

So for example, what if the string was "hello {user} your file is attached" I would like a search that would group all the subjects so I can see that there were say 100 of these type of messages being set to 100 unique users.

Is that possible?

vasanthmss · ‎11-12-2014

Try this,

..yoursearch| rex field=main "(?s) (?<user>.*) your file is attached" | stats count by user

sample search

|stats count | eval main="hello Vasanth Kumar your file is attached,hello User One your file is attached,hello User two your file is attached,hello vasanth3 your file is attached" | eval main=split(main,",") | mvexpand main | rex field=main "(?s) (?<user>.*) your file is attached" | table main, user

Hope this will help you....
Cheers!

V

Find like strings to detect phishing

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...