Hi
Business - Retailer
Requirement - I need to know how to create a search for rewards announcements in a retail business in order to find fraudulent reward usage from a single or multiple IDs based on a certain pattern (making use of the same reward multiple times).
I can explain more if needed. In need of help. Thanks.
From your sample data, it looks like you want to compare the email addresses after removing the dots. Your examples only show significant dots in the user name, and that could be done too, but as I'm thinking about this you could really just remove ALL the dots and compare which is a slightly simpler solution.
For that, you can use the command rex in sed mode. Here's an example of it.
... whatever search here that returns a field named "evil_email" that is the one you want to change...
| rex mode=sed field=evil_email "s/\.//g"
The rex says to take any period (which is escaped in the sample to \.) and replace it with nothing (there's nothing between the last two forward slashes). The g at the end means to do it "globally", or in other words replace that period every time you see it, not just the first time. That returns fields like ardentreasure@gmailcom
Once you have that, you could pipe that to something like
...
| rex mode=sed field=evil_email "s/\.//g"
| stats count by evil_email | search count>1
To return all the items where it's been used more than once. If you'd rather see the top 20, then instead of stats then search, you could use something like
...
| rex mode=sed field=evil_email "s/\.//g"
| top limit=20 evil_email
Does that help?
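The same dot-stripping and counting logic in Python, as an added example that is not part of the thread and not anyone's posted code, for checking the approach outside Splunk. One caveat on the SPL above: `s/\.//g` removes every dot in the address, which is harmless for grouping but also merges addresses at providers where dots in the user name are significant. This example therefore goes a little beyond the answer: it only strips dots for gmail.com and its googlemail.com alias, also folds case and the "+tag" suffix Gmail ignores, and groups by calendar month so the 10-per-month limit from the question can be checked. The (date, email) event shape and the field name are assumptions; the sample events are constructed from the thread's own Sample 1 and Sample 2 addresses plus a few made-up ones.

```python
from collections import Counter

# Domains where the provider ignores dots in the local part and treats a
# "+suffix" as a tag. Gmail documents this; googlemail.com is its alias.
# Assumption: other providers are left untouched because for them the
# dots are significant.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}

# Constructed reward-redemption events (date, e-mail). The addresses come
# from the thread's Sample 1 and Sample 2 plus a few made-up ones; the
# (date, email) shape is an assumption about the retailer's log.
SAMPLE_EVENTS = [
    ("2024-03-02", "r.e.n.n.l.e.y.o.l.i.v.i.a@gmail.com"),
    ("2024-03-02", "r.en.n.l.e.y.o.l.i.v.i.a@gmail.com"),
    ("2024-03-03", "re.nnley.o.l.i.v.i.a@gmail.com"),
    ("2024-03-05", "renn.leyo.l.i.v.i.a@gmail.com"),
    ("2024-03-09", "rennley.o.l.i.v.i.a@gmail.com"),
    ("2024-03-11", "Rennleyolivia+promo@gmail.com"),   # constructed: case and +tag
    ("2024-03-04", "a.r.d.e.n.tr.easure@gmail.com"),
    ("2024-03-06", "ar.d.en.tr.easure@gmail.com"),
    ("2024-03-07", "arden.tr.easure@gmail.com"),
    ("2024-03-08", "ardent.r.easure@googlemail.com"),   # constructed: alias domain
    ("2024-04-01", "ardentreasure@gmail.com"),          # constructed: next month
    ("2024-03-10", "first.last@example.com"),           # constructed: dots significant
    ("2024-03-10", "firstlast@example.com"),            # constructed: a different user
]
SAMPLE_ADDRESSES = [email for _, email in SAMPLE_EVENTS]


def canonical_email(addr: str) -> str:
    """Fold the variants a Gmail user can generate into one identity."""
    addr = addr.strip().lower()
    if "@" not in addr:
        return addr
    local, domain = addr.rsplit("@", 1)
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def count_by_canonical(addresses) -> Counter:
    """Equivalent of `| rex mode=sed ... | stats count by evil_email`."""
    return Counter(canonical_email(a) for a in addresses)


def reused_identities(addresses, threshold: int = 1) -> dict:
    """Identities used more than `threshold` times (`| search count>1`)."""
    return {k: v for k, v in count_by_canonical(addresses).items() if v > threshold}


def top_n(addresses, n: int = 20) -> list:
    """Equivalent of `| top limit=20 evil_email`, as (identity, count) pairs."""
    return count_by_canonical(addresses).most_common(n)


def over_monthly_limit(events, limit: int = 10) -> dict:
    """Identities exceeding `limit` redemptions in one calendar month.

    `events` is an iterable of (ISO date, e-mail); keys are (YYYY-MM, identity).
    """
    counts = Counter((date[:7], canonical_email(email)) for date, email in events)
    return {k: v for k, v in counts.items() if v > limit}


if __name__ == "__main__":
    for identity, n in reused_identities(SAMPLE_ADDRESSES).items():
        print(f"{identity}: {n} redemptions under dot/plus variants")
    # limit=3 only so the small constructed sample trips it; use 10 in production
    for (month, identity), n in over_monthly_limit(SAMPLE_EVENTS, limit=3).items():
        print(f"{month} {identity}: {n} redemptions, over limit")
```

Note that `first.last@example.com` and `firstlast@example.com` stay separate, which the blanket `s/\.//g` in SPL would not do; if the retailer only cares about Gmail abuse the simpler SPL is fine, otherwise restrict the rex with a `where` on the domain first.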
If you provide sample data and preferred output, someone in the community will be able to help.
@SUndareshr, thanks for the response. Please let me know what sort of sample data is required. It would be very good if you could give me the understanding for the reward in terms of retail business.
Scenario: Our company provides rewards to customers who enroll in its app, but it is limited to 10 rewards per month. However, we could observe lots of multiple-dot-pattern IDs attempting with a similar ID. We need to tackle this issue. Please suggest; let me know if more clarification is needed.
Do you have the pattern IDs in a log file or a CSV file? I don't know your data, so you have to decide which file has the data that will help you determine the problem, ingest that into Splunk and send me a sample.
Anyone in this community can help you with the query.
Sample 1:
r.e.n.n.l.e.y.o.l.i.v.i.a@gmail.com
r.en.n.l.e.y.o.l.i.v.i.a@gmail.com
r.enn.l.e.y.o.l.i.v.i.a@gmail.com
r.ennl.e.y.o.l.i.v.i.a@gmail.com
r.ennle.y.o.l.i.v.i.a@gmail.com
r.ennley.o.l.i.v.i.a@gmail.com
r.ennleyo.l.i.v.i.a@gmail.com
re.n.n.l.e.y.o.l.i.v.i.a@gmail.com
re.nnl.e.y.o.l.i.v.i.a@gmail.com
re.nnle.y.o.l.i.v.i.a@gmail.com
re.nnley.o.l.i.v.i.a@gmail.com
re.nnleyo.l.i.v.i.a@gmail.com
ren.n.l.e.y.o.l.i.v.i.a@gmail.com
ren.nl.e.y.o.l.i.v.i.a@gmail.com
ren.nle.y.o.l.i.v.i.a@gmail.com
ren.nley.o.l.i.v.i.a@gmail.com
ren.nleyo.l.i.v.i.a@gmail.com
renn.l.e.y.o.l.i.v.i.a@gmail.com
renn.le.y.o.l.i.v.i.a@gmail.com
renn.ley.o.l.i.v.i.a@gmail.com
renn.leyo.l.i.v.i.a@gmail.com
rennl.e.y.o.l.i.v.i.a@gmail.com
rennl.ey.o.l.i.v.i.a@gmail.com
rennl.eyo.l.i.v.i.a@gmail.com
rennle.y.o.l.i.v.i.a@gmail.com
rennle.yo.l.i.v.i.a@gmail.com
rennley.o.l.i.v.i.a@gmail.com
Sample 2:
a.r.d.e.n.tr.easure@gmail.com
a.r.d.e.ntr.easure@gmail.com
a.r.d.en.tr.easure@gmail.com
a.r.d.entr.easure@gmail.com
a.r.de.n.tr.easure@gmail.com
a.r.de.ntr.easure@gmail.com
a.r.den.tr.easure@gmail.com
a.r.dent.r.easure@gmail.com
a.rd.e.n.tr.easure@gmail.com
a.rd.e.ntr.easure@gmail.com
a.rd.en.tr.easure@gmail.com
a.rde.n.tr.easure@gmail.com
a.rde.ntr.easure@gmail.com
a.rden.tr.easure@gmail.com
a.rdent.r.easure@gmail.com
ar.d.e.n.tr.easure@gmail.com
ar.d.e.ntr.easure@gmail.com
ar.d.en.tr.easure@gmail.com
ar.d.entr.easure@gmail.com
ar.de.n.tr.easure@gmail.com
ar.de.ntr.easure@gmail.com
ar.den.tr.easure@gmail.com
ar.dent.r.easure@gmail.com
ard.e.n.tr.easure@gmail.com
ard.e.ntr.easure@gmail.com
ard.en.tr.easure@gmail.com
arde.n.tr.easure@gmail.com
arde.ntr.easure@gmail.com
arden.tr.easure@gmail.com
ardent.r.easure@gmail.com
Based on the above attempts, hackers are trying the rewards purchase multiple times as a fraud attempt. Hope it is clear now. Thanks.