Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to search email logs for potential SPAM IOC via character count or special characters in a field?

jwalzerpitt
Influencer
‎07-06-2016 06:57 AM

We are ingesting some of our email logs, and one of the fields is 'Subject'.

I was wondering if anyone has created a search that looks for potential SPAM IOC via the following methods:

1) Character count - I'd like to create a search that creates buckets that shows a count of Subject length of 1-10, 11-20, 21-30, etc)
2) Number of special characters in the Subject field - once again create a search for the count of buckets from 1-3, 4-6, etc., or even the number of special characters in a row, such as two or ,more (!!, !!!, etc.).

Not limited to those two ideas of course, but would appreciate any feedback.

Thx

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-06-2016 12:31 PM

1: Like this:

... | eval SubjectLen=length(Subject) | bucket SubjectLen span=10

2: Like this:

... | eval SubjectLen=length(Subject)
| eval SubjectCopy=Subject | rex field=SubjectCopy mode=sed "s/[ListOfSpecialCharactersHere]//g"
| eval specialCharCount = SubjectLen - length(SubjectCopy)
| field - SubjectCopy

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-06-2016 12:31 PM

1: Like this:

... | eval SubjectLen=length(Subject) | bucket SubjectLen span=10

2: Like this:

... | eval SubjectLen=length(Subject)
| eval SubjectCopy=Subject | rex field=SubjectCopy mode=sed "s/[ListOfSpecialCharactersHere]//g"
| eval specialCharCount = SubjectLen - length(SubjectCopy)
| field - SubjectCopy
0 Karma
Reply
Solved! Jump to solution

jwalzerpitt
Influencer
‎07-06-2016 07:26 AM

As a further refinement to this, is it possible in Splunk to weight evals, such as if a user sends or receives an email with a Subject over 200 characters in length, a weight or rating of 5 is assigned, if the recipient list is greater than 10 people a weight or rating of 5 is assigned, and so on so users with a higher weight/rating bubble up to the top of the report.

Thx

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-06-2016 09:17 AM

Are you looking for how to implement your ideas or confirmation on your ideas as appropriate for helping find spam?

0 Karma
Reply
Solved! Jump to solution

jwalzerpitt
Influencer
‎07-06-2016 09:36 AM

Looking for ideas on how to implement if possible (as I would think others have tackled this before)

Thx

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...