- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sasquatchatmars
Communicator
10-14-2020
08:19 AM
Hi all,
I made a search where I use a regular expression to extract the username from the email address because we noticed that a lot of phishing mails contain that pattern. The following line is the expression
| rex field=receiver_email "(?<user>[a-zA-Z]+.[a-zA-Z]+)\@"
Now I want to add the field "user" in a search query to very if in the content body of an email there is a URL with that field.
the search line that I tried is
| search content_body="<https://*user*>"
Of course this only verifies is the content equals to the string "user" but I don't know how to change it to the field value.
So just as an example if the URL is
A part of the content body
https://someurl.com/idontknow/blabla<USER>blabla
The rest of the content body
I should get a hit because the username is in that URL.
Thank you very much,
Sasquatchatmars
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
![richgalloway richgalloway](https://community.splunk.com/legacyfs/online/avatars/140500.jpg)
richgalloway
![SplunkTrust SplunkTrust](/html/@E48BE65924041B382F8C3220FF058B38/rank_icons/splunk-trust-16.png)
SplunkTrust
10-14-2020
10:03 AM
Try using where rather than search, like this:
| makeresults
| eval user="foo", content_body="<https://something.com/foo/otherstuff>"
| where match(content_body,"<https://.*".user.".*>")
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
![richgalloway richgalloway](https://community.splunk.com/legacyfs/online/avatars/140500.jpg)
richgalloway
![SplunkTrust SplunkTrust](/html/@E48BE65924041B382F8C3220FF058B38/rank_icons/splunk-trust-16.png)
SplunkTrust
10-14-2020
10:03 AM
Try using where rather than search, like this:
| makeresults
| eval user="foo", content_body="<https://something.com/foo/otherstuff>"
| where match(content_body,"<https://.*".user.".*>")
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sasquatchatmars
Communicator
10-15-2020
01:06 AM
![](/skins/images/89D5ADE867CBAF0B5A525B7E23D83D7E/responsive_peak/images/icon_anonymous_message.png)