Hello,
I'm still learning a lot about Splunk so bear with me.
My current search:
`get_phished` | stats values(recipient) as recipient by subject, filename, sender | search NOT recipient >2
The `get_phished` is actually a macro containing the following fields:
index=email recipient=insert_user_here OR recipient=insert_user_here, etc.
The search results produce a table consisting of subject, filename, sender, and which users received the phishing email if the count is greater than 2.
What I would like to do is append another search that looks for additional emails not included in my manually updated list and add them in another category called new_targets.
From what I've noticed over the past few months, these senders are consistently using a random combination of existing phishing targets from previous attempts in conjunction with their newly acquired list of targets.
For example,
Week 1 phishing targets:
a@email.com
b@email.com
c@email.com
Week 2 phishing targets:
a@email.com
b@email.com
d@email.com
In the example above, in week 2, 1 new email was targeted in combination with some of the users from week 1.
I think this can be accomplished by searching against the sender from the original search and looking for additional recipients from that sender not included in the current list of recipients, but I’m not entirely sure how to do that.
Thoughts?
V/r
Andrew
There are a few options where you can do a sub-search (append, join, etc.), but sub-searches are very inefficient and have limitations. The most efficient way would be to include both sources in your search: index=mail (source=list1 OR source=list2)
and with the combination of dedup and stats you should be able to get a distinct list of "phishers".
Hopefully this gives you some ideas to explore.
Appreciate the prompt response.
The sources are actually the same. Both sources I'm looking in are index=email. I tried adding a subsearch that renames two fields in order to create the ability to compare them and then narrowing down the searches by searching for events that contain the same sender and where the recipient doesn't equal the new recipient. It isn't returning the results I'm looking for and instead just matching on the same sender and recipient fields and displaying them.
`GetPhished`
| stats values(recipient) as recipient by subject, filename, sender
| search NOT recipient >2
| join [| search index=email sourcetype=email_log filename=* | rename sender AS send | rename recipient AS new_recip | stats values(new_recip) as new_recip by send, subject, filename | search NOT new_recip >0]
| where sender = send AND recipient !=new_recip
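A single-pass version of what the original question asks for and the first reply suggests (classify each recipient at event level, then let stats do the grouping, with no join or subsearch). This is an added example, not code from either poster. It assumes the field names used in the thread (index=email, sourcetype=email_log, sender, recipient, subject, filename) and inlines the three week-1 addresses as the known target list, standing in for whatever addresses the get_phished macro actually contains.

```spl
index=email sourcetype=email_log filename=*
| mvexpand recipient
| eval target_class=if(match(recipient, "^(a@email\.com|b@email\.com|c@email\.com)$"), "known", "new")
| stats values(eval(if(target_class=="known", recipient, null()))) AS recipient
        values(eval(if(target_class=="new", recipient, null()))) AS new_targets
        dc(eval(if(target_class=="known", recipient, null()))) AS known_count
        dc(recipient) AS total_count
        by sender, subject, filename
| where known_count > 2
| fillnull value="none" new_targets
| table sender, subject, filename, known_count, total_count, recipient, new_targets
```

How it works: mvexpand splits any event that carries several recipients into one row per address, so the classification in the eval is per address rather than per event. The stats call groups on the same sender/subject/filename key as the original search and builds two lists from the same events: recipient (addresses already on the list) and new_targets (addresses seen in that campaign that are not). The where clause replaces `search NOT recipient >2` with an explicit distinct count of known recipients, which is what "count greater than 2" was trying to express. In practice the regex alternation would be replaced by the macro's addresses, or better by a lookup file of known targets so the list can be updated without editing the search. Addresses that land in new_targets are candidates for the list, not confirmed targets; a forwarded message or a distribution list can produce the same pattern, so review them before adding them to the macro.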