Splunk Search

Is it possible if a non matching domain is emailing us, it should display in a dashboard?

tonyxavierj
Engager

Hi

I am trying to explore more ways to check if business email compromise is happening in our organization, just before the end user recognises it.

I have a list of domains that we usually communicate with; there are around 490 domains I have listed and added to a csv file. There is an index which is updated in realtime which has logs from Mimecast. I would like to list out domains which are trying to establish email communication with our organization that are not in the csv file.

So if a non-matching domain is emailing us, it should display in a dashboard. Is this possible?

0 Karma

tonyxavierj
Engager

50000

0 Karma

ITWhisperer
SplunkTrust

Subsearches are limited to 50000 events - can you break the csv down into smaller files?

index= mimecast NOT [ | inputlookup Sender1.csv | return Sender ] AND NOT [ | inputlookup Sender2.csv | return Sender ] AND NOT [ | inputlookup Sender3.csv | return Sender ]
0 Karma
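An alternative that sidesteps the subsearch row limit altogether, added here as an example and not taken from any of the posts above: instead of generating a NOT clause from the CSV, look each event's sender domain up in the lookup file and keep only the events that have no match. It assumes the Mimecast events carry the sender address in a field named Sender, and that the CSV is uploaded as a lookup file named domains.csv with the known domains (lowercase) in a field named domain.

```spl
index=mimecast
| rex field=Sender "@(?<sender_domain>[^\s>]+)"
| eval sender_domain=lower(sender_domain)
| lookup domains.csv domain AS sender_domain OUTPUT domain AS known_domain
| where isnull(known_domain)
| stats count AS messages, earliest(_time) AS first_seen, latest(_time) AS last_seen BY sender_domain
| sort - messages
```

The lookup command reads the whole file instead of expanding it into a search string, so neither the 50000-event subsearch limit nor the "regular expression is too large" error applies, and the final stats line can be used as-is as a dashboard panel.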

tonyxavierj
Engager

This is my search string:
index=mimecast NOT [ | inputlookup Sender1.csv | return Sender ] 

The number of rows in the csv is now reduced to 34000.

The search result is the same if I do a search for
index=mimecast
or
index=mimecast NOT [ | inputlookup Sender1.csv | return Sender ]

It is still not filtering or removing the email addresses listed in the csv.

0 Karma

ITWhisperer
SplunkTrust

Try without the return

index=mimecast NOT [ | inputlookup Sender1.csv ]
0 Karma

tonyxavierj
Engager

No change, it is still showing all the results.

No filtering applied.

0 Karma

tonyxavierj
Engager

Gives error:
Regex: regular expression is too large

If format is removed it gives results, but the results are the same as without inputlookup.
0 Karma

ITWhisperer
SplunkTrust

How many rows does the csv file have?

0 Karma

richgalloway
SplunkTrust

A search for data in an index that is not in a CSV file would look something like this:

index=mimecast NOT [ | inputlookup domains.csv | return 1000 domain ]

I'm assuming the index and the CSV file use the same field names. If that is not the case then a rename will be needed after the inputlookup.

---
If this reply helps you, Karma would be appreciated.
0 Karma

tonyxavierj
Engager

Hi

I tried with the following search:

index= mimecast NOT [ | inputlookup Sender1.csv | return 1000 Sender ]
Sender1 has a list of email addresses and the field name is Sender.

The results are the same if I search with or without the filter. It is not omitting or removing the email addresses that are in the csv file.

0 Karma

ITWhisperer
SplunkTrust

Does this work better?

index= mimecast NOT [ | inputlookup Sender1.csv | return 1000 Sender | format ] 
0 Karma