Splunk Search

Search if an URL contains a user field

Sasquatchatmars
Communicator

Hi all,

I made a search where I use a regular expression to extract the username from the email address because we noticed that a lot of phishing mails contain that pattern. The following line is the expression 

| rex field=receiver_email "(?<user>[a-zA-Z]+.[a-zA-Z]+)\@"

Now I want to add the field "user" in a search query to very if in the content body of an email there is a URL with that field. 
the search line that I tried is 

| search content_body="<https://*user*>"

Of course this only verifies is the content equals to the string "user" but I don't know how to change it to the field value. 

So just as an example if the URL is 

A part of the content body

https://someurl.com/idontknow/blabla<USER>blabla

The rest of the content body

I should get a hit because the username is in that URL. 

 

Thank you very much,

Sasquatchatmars

Labels (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Try using where rather than search, like this:

| makeresults 
| eval user="foo", content_body="<https://something.com/foo/otherstuff>"
| where match(content_body,"<https://.*".user.".*>")

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

Try using where rather than search, like this:

| makeresults 
| eval user="foo", content_body="<https://something.com/foo/otherstuff>"
| where match(content_body,"<https://.*".user.".*>")

 

---
If this reply helps you, Karma would be appreciated.

Sasquatchatmars
Communicator

Hi @richgalloway,

This was what I needed thank you!

Sasquatchatmars

0 Karma
Get Updates on the Splunk Community!

Message Parsing in SOCK

Introduction This blog post is part of an ongoing series on SOCK enablement. In this blog post, I will write ...

Exploring the OpenTelemetry Collector’s Kubernetes annotation-based discovery

We’ve already explored a few topics around observability in a Kubernetes environment -- Common Failures in a ...

Use ‘em or lose ‘em | Splunk training units do expire

Whether it’s hummus, a ham sandwich, or a human, almost everything in this world has an expiration date. And, ...