Splunk Search

How to create a search to find user IDs that are fraudulently using rewards for a retail business based on multiple uses of the same reward?

Rias
New Member

Hi

Business - Retailer
Requirement - I need to know how to create a search for rewards announcements in a retail business in order to find fraudulent reward usage from a single or multiple IDs based on a certain pattern (making use of the same reward multiple times).

I can explain more if needed. Need help. Thanks.

0 Karma
1 Solution

Richfez
SplunkTrust
SplunkTrust

From your sample data, it looks like you want to compare the email addresses after removing the dots. Your examples only show significant dots in the user name, and that could be done too, but as I'm thinking about this you could really just remove ALL the dots and compare which is a slightly simpler solution.

For that, you can use the command rex in sed mode. Here's an example of it.

... whatever search here that returns a field named "evil_email" that is the one you want to change... 
| rex mode=sed field=evil_email "s/\.//g"

The rex says to take any period (which is escaped in the sample to \.) and replace it with nothing - (there's nothing between the last two forward slashes). The g at the end means to do it "globally", or in other words replace that period every time you see it, not just the first time. That returns fields like ardentreasure@gmailcom.

Once you have that, you could pipe that to something like

...
| rex mode=sed field=evil_email "s/\.//g"
| stats count by evil_email | search count>1

to return all the items where it's been used more than once. If you'd rather see the top 20, then instead of stats then search, you could use something like

...
| rex mode=sed field=evil_email "s/\.//g"
| top limit=20 evil_email

Does that help?

0 Karma
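The same normalise-then-count idea from the answer above, written as an added Python example (not from the thread or from Splunk) so the logic can be checked offline before it is turned into a search. It strips dots only from the local part of the address, lower-cases it, and then groups redemptions by canonical ID, reward and month, which lets it flag both the "used more than once through different dotted spellings" case and the 10-rewards-per-month limit the asker mentions later in the thread. The events, reward codes and timestamps are constructed; only the dotted IDs come from the samples posted here.

```python
from collections import defaultdict

# Constructed sample redemption events (timestamp, raw account ID, reward code).
# Not from the thread; the raw IDs reuse the dot variants the asker posted.
EVENTS = [
    ("2024-05-01T10:00:00", "r.e.n.n.l.e.y.o.l.i.v.i.a@gmail.com", "RWD-100"),
    ("2024-05-02T11:00:00", "r.en.n.l.e.y.o.l.i.v.i.a@gmail.com", "RWD-100"),
    ("2024-05-03T09:30:00", "re.nnley.o.l.i.v.i.a@gmail.com", "RWD-100"),
    ("2024-05-04T09:30:00", "Rennley.Olivia@gmail.com", "RWD-100"),
    ("2024-06-01T09:30:00", "rennley.olivia@gmail.com", "RWD-100"),
    ("2024-05-05T12:00:00", "a.r.d.e.n.tr.easure@gmail.com", "RWD-100"),
    ("2024-05-06T12:00:00", "honest.customer@example.com", "RWD-100"),
]


def canonical_email(addr):
    """Equivalent of the answer's rex sed "s/\\.//g", but restricted to the
    local part and lower-cased, so the domain survives intact."""
    local, _, domain = addr.strip().lower().rpartition("@")
    return local.replace(".", "") + "@" + domain


def summarise(events):
    """Group by (canonical ID, reward, YYYY-MM): number of uses and the distinct
    raw spellings behind them, like stats count dc(raw_id) by ... would."""
    out = defaultdict(lambda: {"count": 0, "raw_ids": set()})
    for ts, raw, reward in events:
        key = (canonical_email(raw), reward, ts[:7])  # ts[:7] is the month
        out[key]["count"] += 1
        out[key]["raw_ids"].add(raw)
    return out


def flag_abuse(events, monthly_limit=10, min_variants=2):
    """Return keys that went over the per-month limit the asker described, or
    that were reached through several dotted spellings (the count>1 idea)."""
    flagged = []
    for key, s in summarise(events).items():
        if s["count"] > monthly_limit or len(s["raw_ids"]) >= min_variants:
            flagged.append(key)
    return sorted(flagged)


if __name__ == "__main__":
    for key in flag_abuse(EVENTS):
        print(key, summarise(EVENTS)[key])
```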

sundareshr
Legend

If you provide sample data and preferred output, someone in the community will be able to help.

Rias
New Member

@sundareshr, thanks for the response. Please let me know what sort of sample data is required. It would be very good if you could give me an understanding of the reward in terms of retail business.

Scenario: Our company provides rewards to customers who enroll in its app, but it is limited to 10 rewards per month. We could observe lots of multiple-dot-pattern IDs attempting with a similar ID. We need to tackle this issue. Please suggest; let me know if you need more clarification.

0 Karma

sundareshr
Legend

Do you have the pattern IDs in a log file or a CSV file? I don't know your data, so you have to decide which file has the data that will help you determine the problem, ingest that into Splunk and send me a sample.

Anyone in this community can help you with the query.

0 Karma

Rias
New Member

Sample 1:

r.e.n.n.l.e.y.o.l.i.v.i.a@gmail.com
r.en.n.l.e.y.o.l.i.v.i.a@gmail.com
r.enn.l.e.y.o.l.i.v.i.a@gmail.com
r.ennl.e.y.o.l.i.v.i.a@gmail.com
r.ennle.y.o.l.i.v.i.a@gmail.com
r.ennley.o.l.i.v.i.a@gmail.com
r.ennleyo.l.i.v.i.a@gmail.com
re.n.n.l.e.y.o.l.i.v.i.a@gmail.com
re.nnl.e.y.o.l.i.v.i.a@gmail.com
re.nnle.y.o.l.i.v.i.a@gmail.com
re.nnley.o.l.i.v.i.a@gmail.com
re.nnleyo.l.i.v.i.a@gmail.com
ren.n.l.e.y.o.l.i.v.i.a@gmail.com
ren.nl.e.y.o.l.i.v.i.a@gmail.com
ren.nle.y.o.l.i.v.i.a@gmail.com
ren.nley.o.l.i.v.i.a@gmail.com
ren.nleyo.l.i.v.i.a@gmail.com
renn.l.e.y.o.l.i.v.i.a@gmail.com
renn.le.y.o.l.i.v.i.a@gmail.com
renn.ley.o.l.i.v.i.a@gmail.com
renn.leyo.l.i.v.i.a@gmail.com
rennl.e.y.o.l.i.v.i.a@gmail.com
rennl.ey.o.l.i.v.i.a@gmail.com
rennl.eyo.l.i.v.i.a@gmail.com
rennle.y.o.l.i.v.i.a@gmail.com
rennle.yo.l.i.v.i.a@gmail.com
rennley.o.l.i.v.i.a@gmail.com

Sample 2:

a.r.d.e.n.tr.easure@gmail.com
a.r.d.e.ntr.easure@gmail.com
a.r.d.en.tr.easure@gmail.com
a.r.d.entr.easure@gmail.com
a.r.de.n.tr.easure@gmail.com
a.r.de.ntr.easure@gmail.com
a.r.den.tr.easure@gmail.com
a.r.dent.r.easure@gmail.com
a.rd.e.n.tr.easure@gmail.com
a.rd.e.ntr.easure@gmail.com
a.rd.en.tr.easure@gmail.com
a.rde.n.tr.easure@gmail.com
a.rde.ntr.easure@gmail.com
a.rden.tr.easure@gmail.com
a.rdent.r.easure@gmail.com
ar.d.e.n.tr.easure@gmail.com
ar.d.e.ntr.easure@gmail.com
ar.d.en.tr.easure@gmail.com
ar.d.entr.easure@gmail.com
ar.de.n.tr.easure@gmail.com
ar.de.ntr.easure@gmail.com
ar.den.tr.easure@gmail.com
ar.dent.r.easure@gmail.com
ard.e.n.tr.easure@gmail.com
ard.e.ntr.easure@gmail.com
ard.en.tr.easure@gmail.com
arde.n.tr.easure@gmail.com
arde.ntr.easure@gmail.com
arden.tr.easure@gmail.com
ardent.r.easure@gmail.com

Based on the above attempts, hackers are trying the rewards purchase multiple times as a fraud attempt. Hope it is clear now. Thanks.

0 Karma