Splunk Search

How to use the email sender from one search as input for another search?

adayton20
Contributor

Hello,

I'm still learning a lot about Splunk so bear with me.

My current search:

`get_phished` | stats values(recipient) as recipient by subject, filename, sender | search NOT recipient >2

The get_phished is actually a macro containing the following fields:

index=email recipient=insert_user_here OR recipient=insert_user_here, etc 

The search results produce a table consisting of subject, filename, sender, and which users received the phishing email if the count is greater than 2.

What I would like to do is append another search that looks for additional emails not included in my manually updated list and add them in another category called new_targets.

From what I've noticed over the past few months, these senders are consistently using a random combination of existing phishing targets from previous attempts in conjunction with their newly acquired list of targets.

For example,

Week 1 phishing targets:
a@email.com
b@email.com
c@email.com

Week 2 phishing targets:
a@email.com
b@email.com
d@email.com

In the example above, in week 2, 1 new email was targeted in combination with some of the users from week 1.
I think this can be accomplished by searching against the sender from the original search and looking for additional recipients from that sender not included in the current list of recipients, but I’m not entirely sure how to do that.

Thoughts?

V/r
Andrew

0 Karma

sundareshr
Legend

There are a few options where you can do a sub-search (append, join etc), but sub-searches are very inefficient and have limitations. The most efficient way would be to include both sources in your search index=mail (source=list1 OR source=list2 ) and with the combination of dedupe and stats you should be able to get a distinct list of "phishers"

Hopefully this gives you some ideas to explore.

0 Karma

adayton20
Contributor

Appreciate the prompt response.

The sources are actually the same. Both sources I'm looking in are index=email. I tried adding a subsearch that renames two fields in order to create the ability to compare them and then narrowing down the searches by searching for events that contain the same sender and where the recipient doesn't equal the new recipient. It isn't returning the results I'm looking for and instead just matching on the same sender and recipient fields and displaying them.

`GetPhished`
| stats values(recipient) as recipient by subject, filename, sender
| search NOT recipient >2
| join [| search index=email sourcetype=email_log filename=* | rename sender AS send | rename recipient AS new_recip | stats values(new_recip) as new_recip by send, subject, filename | search NOT new_recip >0]
| where sender = send AND recipient !=new_recip

0 Karma
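The following is an added example, written for this page and not taken from either poster, of the single-search approach sundareshr suggests (no join or subsearch): pull every event from the one index, tag each recipient as known or new, and let stats split the two groups per sender. It assumes the index, sourcetype and field names from the thread (index=email, sourcetype=email_log, sender, recipient, subject, filename) and uses the week 1 targets from the question (a@email.com, b@email.com, c@email.com) as the manually maintained list; the regex in match() stands in for that list.

```spl
index=email sourcetype=email_log filename=*
| eval is_known=if(match(recipient, "^(a|b|c)@email[.]com$"), 1, 0)
| stats values(eval(if(is_known=1, recipient, null()))) AS recipient
        values(eval(if(is_known=0, recipient, null()))) AS new_targets
        dc(eval(if(is_known=1, recipient, null()))) AS known_count
        BY sender subject filename
| where known_count > 2
| table sender subject filename recipient new_targets
```

With the week 2 data from the question, the row for that sender lists a@email.com and b@email.com under recipient and d@email.com under new_targets. The where clause keeps the "more than 2 known recipients" threshold from the original search but applies it with dc() on the known group only, so a sender who hits many never-before-seen users and only one known one is dropped; lower the threshold if that case matters. Once the target list grows past a handful of addresses, replace the match() call with a CSV lookup of known recipients (for example `| lookup phish_targets.csv recipient OUTPUT is_known`), which keeps the list out of the search string and lets it be updated without editing the macro.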