Splunk Search

How to search email logs for potential SPAM IOC via character count or special characters in a field?

Motivator

We are ingesting some of our email logs, and one of the fields is 'Subject'.

I was wondering if anyone has created a search that looks for potential SPAM IOC via the following methods:

1) Character count - I'd like to create a search that creates buckets showing a count of Subject length of 1-10, 11-20, 21-30, etc.)
2) Number of special characters in the Subject field - once again, create a search for the count of buckets from 1-3, 4-6, etc., or even the number of special characters in a row, such as two or more (!!, !!!, etc.).

Not limited to those two ideas of course, but would appreciate any feedback.

Thx

0 Karma

Re: How to search email logs for potential SPAM IOC via character count or special characters in a field?

Motivator

As a further refinement to this, is it possible in Splunk to weight evals? For example, if a user sends or receives an email with a Subject over 200 characters in length, a weight or rating of 5 is assigned; if the recipient list is greater than 10 people, a weight or rating of 5 is assigned; and so on, so that users with a higher weight/rating bubble up to the top of the report.

Thx

0 Karma

Re: How to search email logs for potential SPAM IOC via character count or special characters in a field?

Esteemed Legend

Are you looking for how to implement your ideas or confirmation on your ideas as appropriate for helping find spam?

0 Karma

Re: How to search email logs for potential SPAM IOC via character count or special characters in a field?

Motivator

Looking for ideas on how to implement if possible (as I would think others have tackled this before)

Thx

0 Karma

Re: How to search email logs for potential SPAM IOC via character count or special characters in a field?

Esteemed Legend

1: Like this:

... | eval SubjectLen=length(Subject) | bucket SubjectLen span=10

2: Like this:

... | eval SubjectLen=length(Subject)
| eval SubjectCopy=Subject | rex field=SubjectCopy mode=sed "s/[ListOfSpecialCharactersHere]//g"
| eval specialCharCount = SubjectLen - length(SubjectCopy)
| fields - SubjectCopy


0 Karma
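The same heuristics worked through offline, as an added example that is not part of the thread or of Splunk: the length bucketing and strip-and-subtract special-character count from the accepted answer, the "two or more in a row" check from the question, and the weighted per-user ranking asked about in the follow-up. The set of special characters, the field names, the sample events and the weights are all assumptions made for the example (the answer's SPL leaves the character list as a placeholder).

```python
import re
from collections import Counter, defaultdict

# Assumed set of "special" characters; the SPL in the answer leaves this as
# [ListOfSpecialCharactersHere], so this choice is the example's, not the thread's.
SPECIAL_CLASS = r"[!$%^*?#@]"
SPECIAL_CHAR = re.compile(SPECIAL_CLASS)
SPECIAL_RUN = re.compile(SPECIAL_CLASS + r"+")

# Constructed sample events standing in for ingested email logs (not real data).
EVENTS = [
    {"sender": "alice@example.com", "recipients": 1,
     "subject": "Q3 budget review"},
    {"sender": "bob@example.com", "recipients": 45,
     "subject": "!!! URGENT !!! You WON $$$ claim NOW !!!"},
    {"sender": "carol@example.com", "recipients": 2,
     "subject": "FWD: " + "very " * 42 + "long"},       # 219 characters
    {"sender": "dave@example.com", "recipients": 3,
     "subject": "Re: lunch??"},
]


def length_bucket(subject, span=10):
    """Label the subject length as 1-10, 11-20, ... as the question asked.

    Note that SPL `bucket SubjectLen span=10` produces lower-inclusive ranges
    (0-10, 10-20, ...), so its labels differ by one from these.
    """
    n = len(subject)
    if n == 0:
        return "0"
    lo = ((n - 1) // span) * span + 1
    return f"{lo}-{lo + span - 1}"


def special_char_count(subject):
    """Count special characters the way the answer's SPL does:
    length before minus length after stripping them with a sed-style regex."""
    return len(subject) - len(SPECIAL_CHAR.sub("", subject))


def longest_special_run(subject):
    """Length of the longest run of consecutive special characters (!! -> 2, !!! -> 3)."""
    return max((len(m) for m in SPECIAL_RUN.findall(subject)), default=0)


# Weighting rules: the two from the follow-up question plus two assumed rules
# for the special-character signals. The weights are illustrative, not tuned.
RULES = [
    ("long_subject",    lambda e: len(e["subject"]) > 200,                 5),
    ("many_recipients", lambda e: e["recipients"] > 10,                    5),
    ("special_chars",   lambda e: special_char_count(e["subject"]) >= 4,   3),
    ("special_run",     lambda e: longest_special_run(e["subject"]) >= 2,  2),
]


def score_event(event):
    """Return (total_weight, [names of rules that fired]) for one event."""
    fired = [name for name, test, _ in RULES if test(event)]
    total = sum(weight for name, _, weight in RULES if name in fired)
    return total, fired


def rank_senders(events):
    """Sum weights per sender and sort descending so the highest-rated bubble to the top."""
    totals = defaultdict(int)
    for event in events:
        totals[event["sender"]] += score_event(event)[0]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def length_histogram(events):
    """Counts per length bucket, the equivalent of `| stats count by SubjectLen`."""
    return Counter(length_bucket(e["subject"]) for e in events)


if __name__ == "__main__":
    for bucket, count in sorted(length_histogram(EVENTS).items(),
                                key=lambda kv: int(kv[0].split("-")[0])):
        print(f"{bucket:>8}: {count}")
    for sender, total in rank_senders(EVENTS):
        print(f"{total:3d}  {sender}")
```

In Splunk the same ranking would be a chain of `eval ... if(...)` statements summed into one score field, followed by `stats sum(score) by sender | sort - sum(score)`; the Python version is here so the bucket boundaries and counts can be checked against known inputs before the search is trusted on live data.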