Splunk Search

How to use the email sender from one search as input for another search?

adayton20
Contributor

Hello,

I'm still learning a lot about Splunk so bear with me.

My current search:

`get_phished` | stats values(recipient) as recipient by subject, filename, sender | search NOT recipient >2

The get_phished is actually a macro containing the following fields:

index=email recipient=insert_user_here OR recipient=insert_user_here, etc 

The search results produce a table consisting of subject, filename, sender, and which users received the phishing email if the count is greater than 2.

What I would like to do is append another search that looks for additional emails not included in my manually updated list and add them in another category called new_targets.

From what I've noticed over the past few months, these senders are consistently using a random combination of existing phishing targets from previous attempts in conjunction with their newly acquired list of targets.

For example,

Week 1 phishing targets:
a@email.com
b@email.com
c@email.com

Week 2 phishing targets:
a@email.com
b@email.com
d@email.com

In the example above, in week 2, 1 new email was targeted in combination with some of the users from week 1.
I think this can be accomplished by searching against the sender from the original search and looking for additional recipients from that sender not included in the current list of recipients, but I’m not entirely sure how to do that.

Thoughts?

V/r
Andrew

0 Karma

sundareshr
Legend

There are a few options where you can do a sub-search (append, join etc), but sub-searches are very inefficient and have limitations. The most efficient way would be to include both sources in your search index=mail (source=list1 OR source=list2 ) and with the combination of dedupe and stats you should be able to get a distinct list of "phishers"

Hopefully this gives you some ideas to explore.

0 Karma

adayton20
Contributor

Appreciate the prompt response.

The sources are actually the same. Both sources I'm looking in are index=email. I tried adding a subsearch that renames two fields in order to create the ability to compare them and then narrowing down the searches by searching for events that contain the same sender and where the recipient doesn't equal the new recipient. It isn't returning the results I'm looking for and instead just matching on the same sender and recipient fields and displaying them.

`GetPhished`
| stats values(recipient) as recipient by subject, filename, sender
| search NOT recipient >2
| join [| search index=email sourcetype=email_log filename=* | rename sender AS send | rename recipient AS new_recip | stats values(new_recip) as new_recip by send, subject, filename | search NOT new_recip >0]
| where sender = send AND recipient !=new_recip

0 Karma
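One way to get the "known recipients" and "new_targets" columns from a single pass over index=email, in the spirit of sundareshr's no-subsearch suggestion. This is an added example, not code from either poster: it assumes the manually maintained target list has been moved out of the macro into a lookup file `phish_targets.csv` with one `recipient` column (an assumption), and that events carry the `sender`, `recipient`, `subject` and `filename` fields used in the thread.

```spl
index=email sourcetype=email_log filename=*
| lookup phish_targets.csv recipient OUTPUT recipient AS known_target
| eval known_target=if(isnull(known_target), 0, 1)
| eventstats dc(eval(if(known_target=1, recipient, null()))) AS known_hits BY sender
| where known_hits > 2
| stats values(eval(if(known_target=1, recipient, null()))) AS recipient
        values(eval(if(known_target=0, recipient, null()))) AS new_targets
        BY subject filename sender
| where isnotnull(new_targets)
```

Each event is tagged 1 if its recipient is on the known list (lookup matched) and 0 otherwise; `eventstats` keeps only senders that hit more than two known targets, and the final `stats` splits that sender's recipients into the known set and the previously unseen set without a join.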