Splunk Search

Help with correlation of (any of the) multiple mail recipients (in the same email) from yesterday to today

lmyrefelt
Builder

Hi,

Let's say that I have 10 users that are getting the same "spam" email sent to them. I would now like to be able to save these 10 email addresses and do a search over the last hour / 4 hours / 24 hours / whatever and see if any combination of those same 10 users (or so) have received the same kind of message, even in the future.

Let's say my users are named
A, B, C, D, E, F, G, H, I, J
and they all received the same kind of "spam" email yesterday.

I would now like to know if any of them, in combination, received the "same email" again / together.
I.e. did user A and B receive the same email from "unknown source", OR did for example user E and G receive the same email today?

If so, I would like to have an alert.

I was thinking of using some kind of lookup table for this? However, it is not really clear to me how I can go about checking if any combination of my users (in the lookup) received the same email (as recipients together).

Is the question clear enough?

Thanks!

I already have, as per somesoni2's suggestion, a search that generates a lookup file that I in turn can use to check "today's" results.

However, I believe I need to do a field join on all the possible combinations of recipients and check that against a similar field join with "today's" multiple recipients. Some kind of for loop over the recipients? I am pretty sure I need to group together the possible combinations of recipients and do a search for any of these combinations?

Small log example:
<22>Apr 14 16:16:09 Maillogs_syslog: Info: MID 92013738 ICID 64542651 From: evil@badmuthefcker.com
<22>Apr 14 16:16:09 Maillogs_syslog: Info: MID 92013738 ICID 64542651 RID 0 To: A@mail.com
<22>Apr 14 16:16:09 Maillogs_syslog: Info: MID 92013738 ICID 64542651 RID 1 To: B@mail.com
<22>Apr 14 16:16:09 Maillogs_syslog: Info: MID 92013738 ICID 64542651 RID 2 To: C@mail.com
<22>Apr 14 16:16:10 Maillogs_syslog: Info: MID 92013738 Subject '=?utf-7?B?U09TUEVDSEE6IEFDVFVBTElaQUNJK0FOTS1OIERFIENVRU5UQQ==?='

0 Karma

jpechols
New Member

Was there ever a final answer on how to do the search or set up an alert that lmyrefelt was asking about?

I am trying to do something similar, where I know an email is targeting several users over and over. I would like to create an alert for when an email is sent to any combination of the users that have been targeted in the past.

Thoughts?

0 Karma

lmyrefelt
Builder

I am generating the lookup table basically as per your "example" .. and I don't think that really matters ... what I want to know is if any combination (where they are 2 or more, like A+B, B+C, C+A, D+F, etc. etc. OR users C+A+H) of these users have received the same email.

0 Karma

somesoni2
Revered Legend

Can you share your query that is generating lookup table file?

0 Karma

lmyrefelt
Builder

I already have, as per somesoni2's suggestion, a search that generates a lookup file that I in turn can use to check "today's" results.

However, I believe I need to do a field join on all the possible combinations of recipients and check that against a similar field join with "today's" multiple recipients. Some kind of for loop over the recipients?

0 Karma

somesoni2
Revered Legend

I am assuming you're logging the occurrence of users getting spam email (let's say in sourcetype=spam). Then you could do the following.

a) Create a scheduled search (frequency as per your need) which will collect the distinct email addresses from the logs getting spam emails and save it to a lookup file.
Query could be like this (just a sample):

sourcetype=spam emailType=spam | stats count by emailaddress | fields - count | outputlookup append=t lookup_spamreceipients.csv

b) After that you can create another scheduled search which will query the period of data you need and find out if the email addresses in the lookup received spam emails again. Query will be something like this:

sourcetype=spam emailType=spam [|inputlookup lookup_spamreceipients.csv | dedup emailaddress | format ] | stats count | where count >0

Updated answer: Try something like this in your alert search.

your base search to get email address getting "evil email" for today earliest=@d latest=now [ search your base search to get email address getting "evil email" for yesterday earliest=-1d@d latest=@d | table emailaddress | format]

It would be helpful to answer the question if you can share some logs.

0 Karma

lmyrefelt
Builder

Updated with a small log example.

0 Karma

lmyrefelt
Builder

We don't have a sourcetype for "spam / evil emails", but we have other kinds of indicators, apart from the fact that it is multiple target emails for / to a set of users.

0 Karma

lmyrefelt
Builder

Hi, and thanks for such a quick answer. Off the top of my head I don't think it will give what I am looking for.
I am not really interested in knowing if the same users have received "yet another spam / evil mail", but rather if any combination of the same users / recipients that "yesterday" received the "evil email" also today, together, received another "evil email".

0 Karma
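The correlation the thread is asking for, as an added stand-alone Python example (not from the thread, and not Splunk code): it regroups the quoted log format's per-recipient RID lines by MID, takes the union of "yesterday's" multi-recipient messages as the known target set (the role the lookup file plays), and flags any message "today" whose recipients include two or more of those addresses. Counting the intersection covers every pairing (A+B, B+C, C+A+H, ...) without enumerating combinations. All log lines, MIDs and sender addresses below are constructed for the example.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# Constructed sample lines in the same shape as the log excerpt quoted above.
# "Yesterday" is one message (MID 1001) to A, B and C; sender is a placeholder.
YESTERDAY_LOGS = [
    "<22>Apr 13 09:00:01 Maillogs_syslog: Info: MID 1001 ICID 500 From: sender1@example.invalid",
    "<22>Apr 13 09:00:01 Maillogs_syslog: Info: MID 1001 ICID 500 RID 0 To: A@mail.com",
    "<22>Apr 13 09:00:01 Maillogs_syslog: Info: MID 1001 ICID 500 RID 1 To: B@mail.com",
    "<22>Apr 13 09:00:01 Maillogs_syslog: Info: MID 1001 ICID 500 RID 2 To: C@mail.com",
    "<22>Apr 13 09:00:02 Maillogs_syslog: Info: MID 1001 Subject 'constructed subject'",
]
# "Today": MID 2001 hits B and C again (should alert), MID 2002 hits A plus an
# unrelated address (only one overlap, no alert), MID 2003 is unrelated.
TODAY_LOGS = [
    "<22>Apr 14 10:15:00 Maillogs_syslog: Info: MID 2001 ICID 600 From: sender2@example.invalid",
    "<22>Apr 14 10:15:00 Maillogs_syslog: Info: MID 2001 ICID 600 RID 0 To: b@mail.com",
    "<22>Apr 14 10:15:00 Maillogs_syslog: Info: MID 2001 ICID 600 RID 1 To: C@mail.com",
    "<22>Apr 14 10:15:00 Maillogs_syslog: Info: MID 2001 ICID 600 RID 2 To: Z@mail.com",
    "<22>Apr 14 11:00:00 Maillogs_syslog: Info: MID 2002 ICID 601 From: sender3@example.invalid",
    "<22>Apr 14 11:00:00 Maillogs_syslog: Info: MID 2002 ICID 601 RID 0 To: A@mail.com",
    "<22>Apr 14 11:00:00 Maillogs_syslog: Info: MID 2002 ICID 601 RID 1 To: Y@mail.com",
    "<22>Apr 14 12:00:00 Maillogs_syslog: Info: MID 2003 ICID 602 From: sender4@example.invalid",
    "<22>Apr 14 12:00:00 Maillogs_syslog: Info: MID 2003 ICID 602 RID 0 To: X@mail.com",
]

# The MID ties the From line and the separate RID/To lines of one message together.
FROM_RE = re.compile(r"MID (\d+) ICID \d+ From: (\S+)")
TO_RE = re.compile(r"MID (\d+) ICID \d+ RID \d+ To: (\S+)")


def parse_messages(lines: Iterable[str]) -> Dict[str, dict]:
    """Regroup per-recipient lines into one record per MID.

    Returns {mid: {"from": sender, "to": set of lower-cased recipients}}.
    Lines that carry neither a From nor a To (e.g. the Subject line) are skipped.
    """
    msgs: Dict[str, dict] = defaultdict(lambda: {"from": None, "to": set()})
    for line in lines:
        m = FROM_RE.search(line)
        if m:
            msgs[m.group(1)]["from"] = m.group(2).lower()
            continue
        m = TO_RE.search(line)
        if m:
            msgs[m.group(1)]["to"].add(m.group(2).lower())
    return dict(msgs)


def targeted_recipients(lines: Iterable[str], min_recipients: int = 2) -> Set[str]:
    """Union of the recipients of every multi-recipient message: the lookup's contents."""
    targets: Set[str] = set()
    for rec in parse_messages(lines).values():
        if len(rec["to"]) >= min_recipients:
            targets |= rec["to"]
    return targets


def correlate(lines: Iterable[str], targets: Set[str], min_overlap: int = 2) -> List[dict]:
    """Flag each message whose recipient set contains at least min_overlap known targets.

    A message to just one previously targeted user does not fire (min_overlap=2),
    which matches the "in combination" requirement rather than "any of them again".
    """
    alerts = []
    for mid, rec in sorted(parse_messages(lines).items()):
        overlap = rec["to"] & targets
        if len(overlap) >= min_overlap:
            alerts.append({"mid": mid, "from": rec["from"], "matched": sorted(overlap)})
    return alerts


if __name__ == "__main__":
    known = targeted_recipients(YESTERDAY_LOGS)
    for a in correlate(TODAY_LOGS, known):
        print(f"ALERT MID {a['mid']} from {a['from']}: {', '.join(a['matched'])}")
```

In SPL the same regrouping step is a `stats values(recipient) AS recipients BY MID` over the extracted To field; the overlap with the lookup's addresses can then be counted per message and the alert condition set to two or more, instead of the single-address `format` subsearch above.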