Splunk Search

Search if an URL contains a user field

Sasquatchatmars
Communicator

Hi all,

I made a search where I use a regular expression to extract the username from the email address because we noticed that a lot of phishing mails contain that pattern. The following line is the expression 

| rex field=receiver_email "(?<user>[a-zA-Z]+.[a-zA-Z]+)\@"

Now I want to add the field "user" in a search query to very if in the content body of an email there is a URL with that field. 
the search line that I tried is 

| search content_body="<https://*user*>"

Of course this only verifies is the content equals to the string "user" but I don't know how to change it to the field value. 

So just as an example if the URL is 

A part of the content body

https://someurl.com/idontknow/blabla<USER>blabla

The rest of the content body

I should get a hit because the username is in that URL. 

 

Thank you very much,

Sasquatchatmars

Labels (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Try using where rather than search, like this:

| makeresults 
| eval user="foo", content_body="<https://something.com/foo/otherstuff>"
| where match(content_body,"<https://.*".user.".*>")

 

---
If this reply helps you, an upvote would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

Try using where rather than search, like this:

| makeresults 
| eval user="foo", content_body="<https://something.com/foo/otherstuff>"
| where match(content_body,"<https://.*".user.".*>")

 

---
If this reply helps you, an upvote would be appreciated.

View solution in original post

Sasquatchatmars
Communicator

Hi @richgalloway,

This was what I needed thank you!

Sasquatchatmars

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!