How can I search for a URL that a user or users may have clicked on from a SPAM or phishing email?

doogan12
Engager

Oftentimes users click the link or open an attachment in a SPAM or phishing email. I would like to be able to enter a URL in a search that will find if any recipients clicked the link in order to isolate their machines.

One part will list the URL to search on and another will list the host that connected to it.

Thank you!


ChrisG
Splunk Employee

Not a full answer, but without more information in your question, it will be hard for the community to help you. Here is a blog post that you might want to read: https://www.splunk.com/blog/2015/07/01/phishing-what-does-it-look-like-in-machine-data/

And the risk analysis in Splunk Enterprise Security might also be interesting for you, see https://www.splunk.com/blog/2014/08/12/risk-analysis-with-enterprise-security-3-1/.


richgalloway
SplunkTrust

Are you indexing the logs from your web proxy server? Or do you have another source for the URLs? Once you have the data in Splunk we can help you search for it.

---
If this reply helps you, Karma would be appreciated.

doogan12
Engager

Will probably have the search check all indexes either with index=* or by listing them with "OR" - maybe even make a dropdown box where there is a choice as to which index to check.


richgalloway
SplunkTrust

index=* is inefficient for a regular query. Use it to find the data you need then put the exact index name in the final SPL.
My original point was it's hard to help without knowing more about your environment. Yes, Splunk can do what you want, but only if it has the data it needs. Once you've confirmed you have a source of URL clicks then we can help you craft a search for those who fell for phishing emails.

---
If this reply helps you, Karma would be appreciated.

doogan12
Engager

Sorry for the delay; I was able to narrow a few things down.
My search looks like this and is part of a dashboard:

index=primary_index sourcetype=firewall ref="$ref$" | stats count by src, dst, ref, method, webhost, uri | sort src, -uri

I'll still have to do something with listing hostnames, but will tweak as I can.

Thank you for your previous responses; shift work interferes with my replies.

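A search of the same shape run against web-proxy data, with the hostname resolution the last post still has to add, as an added example that is not from the thread. The index and sourcetype, the url / src_ip / http_method / status field names, the $phish_url$ dashboard token and the two excluded addresses are assumptions; dnslookup is Splunk's built-in external DNS lookup.

```spl
index=proxy sourcetype=proxy_access url="*$phish_url$*"
    NOT src_ip IN ("10.0.0.5", "10.0.0.6")
| eval url=lower(url)
| stats count
        min(_time) AS first_seen
        max(_time) AS last_seen
        values(http_method) AS methods
        values(status) AS status_codes
        BY src_ip, url
| lookup dnslookup clientip AS src_ip OUTPUT clienthost AS src_host
| fieldformat first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S")
| fieldformat last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| table src_ip src_host url methods status_codes count first_seen last_seen
| sort -first_seen
```

The NOT clause drops the addresses of anything that fetches links automatically (an assumed mail-gateway link scanner here), so the remaining rows are real endpoints to isolate. Paste the most specific part of the phishing URL into the token (a unique path or query string rather than the bare hostname), otherwise legitimate traffic to the same domain is listed as well; a leading wildcard on url is slow over a large index, so narrow the time range to the window the email was delivered in. The first_seen column gives the order in which to contact users, and src_host comes from reverse DNS, so a machine that has already changed address will show its old name or none.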