# Graylog Phishing Detection (Screenshot-Backed Portfolio Project)
This repository documents a **phishing simulation lab** and **Graylog detection workflow** using screenshots plus safe, educational example files.
> **Note:** The real lab used Postfix, Filebeat, Graylog, and PhishTool. This repo includes screenshots and illustrative files so reviewers can understand the approach without any sensitive data.
---
## Project Structure
- [`scripts/`](scripts/) – Example script to generate a sample `.eml` (no actual sending)
- [`configs/`](configs/) – Example Filebeat and Postfix configs (educational)
- [`detections/`](detections/) – Example Graylog pipeline rule
- [`dashboards/`](dashboards/) – Placeholder JSON describing dashboard intent
- [`samples/`](samples/) – Redacted sample email and log lines
- [`docs/screenshots/`](docs/screenshots/) – All screenshots from the lab
---
## Walkthrough (Screenshots)
Screenshots from the lab are in [`docs/screenshots/`](docs/screenshots/).
---
## Detection Logic (Summary)
- **URL shorteners:** match on `bit.ly`, `t.co`, `tinyurl`, `goo.gl` in message content
- **Phishing phrases:** "account locked", "verify account", "unusual activity"
- **Context fields:** add `phishing_indicator=true` and `indicator_reason` when matched
See: [`detections/graylog_pipeline_rule.txt`](detections/graylog_pipeline_rule.txt)
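As an added illustration (not the repo's own rule file), the same detection logic in Python, run over constructed mail-log lines. The `enrich` helper, the sample lines and the host-token guard for shortener domains are my assumptions, not part of the project; the guard is there because a bare substring match on `t.co` also fires on hosts like `contact.com`.

```python
import re

# Indicator lists taken from the Detection Logic summary above.
URL_SHORTENERS = ("bit.ly", "t.co", "tinyurl", "goo.gl")
PHISHING_PHRASES = ("account locked", "verify account", "unusual activity")

# Shortener domains are matched as whole host tokens, not bare substrings:
# a naive contains("t.co") would also fire on "contact.com" or "support.com".
_SHORTENER_RE = re.compile(
    r"(?<![A-Za-z0-9.-])("
    + "|".join(re.escape(d) for d in URL_SHORTENERS)
    + r")(?![A-Za-z0-9-])",
    re.IGNORECASE,
)

def enrich(message: str) -> dict:
    """Return the message plus the two context fields the pipeline rule sets."""
    reasons = []
    for m in _SHORTENER_RE.finditer(message):
        reasons.append("url_shortener:" + m.group(1).lower())
    lowered = message.lower()
    for phrase in PHISHING_PHRASES:
        if phrase in lowered:
            reasons.append("phrase:" + phrase)
    return {
        "message": message,
        "phishing_indicator": bool(reasons),
        "indicator_reason": ", ".join(reasons) if reasons else None,
    }

# Constructed sample log lines (not from the lab). The subject=/url= layout is a
# hypothetical mail-log format, not real Postfix output.
SAMPLE_LOGS = [
    'Jan 10 12:00:01 mail postfix/cleanup[1234]: 5A1B2C: subject="Your account locked - verify account now" url=http://bit.ly/x1',
    'Jan 10 12:00:02 mail postfix/cleanup[1235]: 5A1B2D: subject="Q1 all-hands agenda" from=<hr@contact.com>',
    'Jan 10 12:00:03 mail postfix/cleanup[1236]: 5A1B2E: subject="Weekly digest" url=https://t.co/abc',
]

def flagged_ids(lines):
    """Queue IDs of the lines the rule would tag with phishing_indicator=true."""
    ids = []
    for line in lines:
        if enrich(line)["phishing_indicator"]:
            ids.append(line.split(": ")[1])  # token after "postfix/cleanup[...]: "
    return ids

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(enrich(line))
```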
---
## Example Ingest (Filebeat → Graylog)
Filebeat tails mail logs and ships them to a GELF UDP input in Graylog. See:
- [`configs/filebeat_config.yml`](configs/filebeat_config.yml)
---
## Sample Artifacts
- [`samples/phishing_email.eml`](samples/phishing_email.eml) – educational example email
- [`samples/sample_log.txt`](samples/sample_log.txt) – truncated mail log lines
---
## Disclaimer
This is a **lab simulation** for educational and portfolio purposes only. Do **not** use these techniques outside controlled environments without explicit permission.