Solved: Search if an URL contains a user field

Sasquatchatmars · ‎10-14-2020

Hi all,

I made a search where I use a regular expression to extract the username from the email address because we noticed that a lot of phishing mails contain that pattern. The following line is the expression

| rex field=receiver_email "(?<user>[a-zA-Z]+.[a-zA-Z]+)\@"

Now I want to add the field "user" in a search query to very if in the content body of an email there is a URL with that field.
the search line that I tried is

| search content_body="<https://*user*>"

Of course this only verifies is the content equals to the string "user" but I don't know how to change it to the field value.

So just as an example if the URL is

A part of the content body

https://someurl.com/idontknow/blabla<USER>blabla

The rest of the content body

I should get a hit because the username is in that URL.

Thank you very much,

Sasquatchatmars

richgalloway · ‎10-14-2020

Try using where rather than search, like this:

| makeresults 
| eval user="foo", content_body="<https://something.com/foo/otherstuff>"
| where match(content_body,"<https://.*".user.".*>")

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎10-14-2020

Try using where rather than search, like this:

| makeresults 
| eval user="foo", content_body="<https://something.com/foo/otherstuff>"
| where match(content_body,"<https://.*".user.".*>")

---
If this reply helps you, Karma would be appreciated.

Sasquatchatmars · ‎10-15-2020

Hi @richgalloway,

This was what I needed thank you!

Sasquatchatmars

Search if an URL contains a user field

other

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?

Splunk Education Goes to Washington | Splunk GovSummit 2024