Splunk Search

Is it possible if a non matching domain is emailing us, it should display in a dashboard?

tonyxavierj
Engager

Hi

I am trying to explore more ways to check if business email compromise is happening in our organization, before the end user recognises it.

I have a list of domains that we usually communicate with; there are around 490 domains I have listed and added to a csv file. There is an index, updated in real time, which has logs from Mimecast. I would like to list the domains which are trying to establish email communication with our organization and which are not in the csv file.

So if a non-matching domain is emailing us, it should display in a dashboard. Is this possible?

0 Karma

tonyxavierj
Engager

50000

0 Karma

ITWhisperer
SplunkTrust

Subsearches are limited to 50000 events - can you break the csv down into smaller files?

index=mimecast NOT [ | inputlookup Sender1.csv | return Sender ] AND NOT [ | inputlookup Sender2.csv | return Sender ] AND NOT [ | inputlookup Sender3.csv | return Sender ]
0 Karma

tonyxavierj
Engager

This is my search string:
index=mimecast NOT [ | inputlookup Sender1.csv | return Sender ]

The number of rows in the csv is now reduced to 34000.

The search result is the same if I do a search for
index=mimecast
or
index=mimecast NOT [ | inputlookup Sender1.csv | return Sender ]

It is still not filtering or removing the email addresses listed in the csv.


0 Karma

ITWhisperer
SplunkTrust

Try without the return

index=mimecast NOT [ | inputlookup Sender1.csv ]
0 Karma

tonyxavierj
Engager

No change, it is still showing all the results.

No filtering applied.

0 Karma

tonyxavierj
Engager

Gives an error:
Regex: regular expression is too large

If format is removed it gives results, but the results are the same as without the inputlookup.
0 Karma

ITWhisperer
SplunkTrust

How many rows does the csv file have?

0 Karma

richgalloway
SplunkTrust

A search for data in an index that is not in a CSV file would look something like this:

index=mimecast NOT [ | inputlookup domains.csv | return 1000 domain ]

I'm assuming the index and the CSV file use the same field names.  If that is not the case then a rename will be needed after the inputlookup.

---
If this reply helps you, Karma would be appreciated.
0 Karma

tonyxavierj
Engager

Hi

I tried the following search:

index=mimecast NOT [ | inputlookup Sender1.csv | return 1000 Sender ]
Sender1 has a list of email addresses and the field name is Sender.

The results are the same if I search with or without the filter. It is not omitting or removing the email addresses which are in the csv file.

0 Karma

ITWhisperer
SplunkTrust

Does this work better?

index=mimecast NOT [ | inputlookup Sender1.csv | return 1000 Sender | format ]
0 Karma
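Added example, not posted by anyone in this thread: a lookup-based version of the same search. Instead of pulling the allowlist into the main search through a subsearch (which is bounded by the subsearch result limit and, with `format`, by the size of the generated expression), it extracts the sender's domain from each event, looks that domain up in the CSV, and keeps only events where no match came back. It assumes the Mimecast events carry the sender address in a field named `Sender` (as in the original poster's searches), that the 490 domains are uploaded as a lookup table file named `known_domains.csv` with a single column `domain`, and that the CSV values are stored in lowercase; the file name and column name are placeholders to replace with your own.

```spl
index=mimecast
| rex field=Sender "@(?<sender_domain>[^>\s]+)"
| eval sender_domain=lower(trim(sender_domain))
| where isnotnull(sender_domain)
| lookup known_domains.csv domain AS sender_domain OUTPUT domain AS allowlisted
| where isnull(allowlisted)
| stats count AS messages, dc(Sender) AS distinct_senders, earliest(_time) AS first_seen, latest(_time) AS last_seen, values(Sender) AS senders BY sender_domain
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M"), last_seen=strftime(last_seen, "%Y-%m-%d %H:%M")
| sort - messages
```

The `rex` takes everything after the `@` up to a `>` or whitespace, so both `user@example.com` and `Display Name <user@example.com>` yield `example.com`. Matching on the domain rather than the full address is what makes this useful for the original question: a mailbox you have never seen at a known partner domain stays out of the list, while a lookalike domain registered to impersonate that partner lands on the dashboard. The `lookup` command matches case-sensitively by default, which is why both sides are lowercased; if the CSV cannot be normalized, set `case_sensitive_match = false` on a lookup definition for the file and use that definition name in place of the file name. Before trusting the result, check that the join works at all: temporarily replace the `where isnull(allowlisted)` line with `| stats count AS total, count(allowlisted) AS matched`; if `matched` is 0 against a full day of traffic, the field name or the column name is wrong and the search is silently filtering nothing, which is exactly the symptom described earlier in the thread. Save the search as a report and add it to a dashboard panel with a scheduled or real-time refresh. One caveat on the detection itself: a genuinely compromised mailbox at an allowlisted partner domain passes this filter unchanged, so treat the list as a first-pass triage view rather than complete BEC coverage.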