Splunk Search

Spear phishing detector

ivantn21
Explorer

Is there a way to detect if a host clicked on a link from an email that they received? Assume sourcetypes for web and mail traffic... I know I can use transaction, but the transaction would start with the host being the dest from the email, and the GET request for the clicked link would make the host be the source. Since the host would be in two separate fields, how could we make this connection?

0 Karma

okrabbe_splunk
Splunk Employee

There are probably many ways to solve this, but let's say you used the transaction command so you could set some time span limits.

You could just rename the fields for the transaction search so that they have the same name.

i.e.

sourcetype=mail OR sourcetype=proxy | rename mail_ip as ip | rename dest_ip as ip | transaction ip 

Now in the real world this would be more complicated, because you would need to extract the link from the email, and depending on the link and your proxy it may use an IP or a DNS name, so you would need to normalize those to be the same.

0 Karma
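A fuller version of this correlation, added here as an example rather than taken from the answer above: it extracts the link from the mail body, derives a normalized host key from both the mailed link and the proxied URL, and bounds the transaction with a time window. It assumes the mail events carry the recipient host in recipient_ip and the message text in body, and the proxy events carry the requesting host in src_ip and the requested URL in url (all assumed field names).

```spl
sourcetype=mail OR sourcetype=proxy
| eval ip=coalesce(recipient_ip, src_ip)
| rex field=body "(?<link>https?://[^\s\"'<>]+)"
| eval link_host=lower(replace(link, "^https?://([^/:?#]+).*$", "\1"))
| eval url_host=lower(replace(url, "^https?://([^/:?#]+).*$", "\1"))
| eval host_key=coalesce(link_host, url_host)
| transaction ip host_key maxspan=1h startswith=(sourcetype=mail) endswith=(sourcetype=proxy)
| where eventcount > 1
| table _time, duration, ip, host_key, eventcount
```

The host-key normalization only lowercases and strips the scheme, port and path; matching an IP literal in the email to a DNS name in the proxy log still needs a lookup or DNS data, as the answer notes.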