Splunk Search

Find like strings to detect phishing

jmsiegma
Path Finder

I would like to run a search on my logs so they detect fuzzy like strings. So in my current example we received a phishing e-mail with the string "ADP Past Due Invoice#{00000000}" with random numbers where there are zeros.

I turns out in this case it is easy to search because I can just leave the number off the search, but I would like to group like "subjects" no matter what the pattern is, and then dig deeper from there.

So for example, what if the string was "hello {user} your file is attached" I would like a search that would group all the subjects so I can see that there were say 100 of these type of messages being set to 100 unique users.

Is that possible?

Tags (1)
0 Karma

vasanthmss
Motivator

Try this,

..yoursearch| rex field=main "(?s) (?<user>.*) your file is attached" | stats count by user

sample search

|stats count | eval main="hello Vasanth Kumar your file is attached,hello User One your file is attached,hello User two your file is attached,hello vasanth3 your file is attached" | eval main=split(main,",") | mvexpand main | rex field=main "(?s) (?<user>.*) your file is attached" | table main, user

Hope this will help you....
Cheers!

V
0 Karma
Get Updates on the Splunk Community!

Unlock New Opportunities with Splunk Education: Explore Our Latest Courses!

At Splunk Education, we’re dedicated to providing top-tier learning experiences that cater to every skill ...

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...