security-content/detections/brand_abuse_email.yml at develop · jwindley-splunk/security-content · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
asset_type: Endpoint
baselines:
  - id: 19f7d2ec-6028-4d01-bcdb-bda9a034c17f
    name: DNSTwist Domain Names
    type: splunk
confidence: high
creation_date: '2017-06-01'
data_metadata:
  data_models:
    - Email
  data_source:
    - Email
  providing_technologies:
    - Microsoft Exchange
    - Bro
    - Splunk Stream
description: This search looks for emails claiming to be sent from a domain similar
  to one that you want to have monitored for abuse.
detect:
  splunk:
    correlation_rule:
      notable:
        nes_fields: src_user, message_id
        rule_description: The sender $src_user$ has sent an email from a similar domain
          to that which you are monitoring for brand abuse.
        rule_title: Possible Brand Abuse from $src_user$
      risk:
        risk_object: src_user
        risk_object_type:
          - user
        risk_score: 80
      schedule:
        cron_schedule: 0 * * * *
        earliest_time: -70m@m
        latest_time: -10m@m
      search: '| tstats `security_content_summariesonly` values(All_Email.recipient) as recipients,
        min(_time) as firstTime, max(_time) as lastTime from datamodel=Email by All_Email.src_user,
        All_Email.message_id | `drop_dm_object_name("All_Email")` | `security_content_ctime(firstTime)`
        | `security_content_ctime(lastTime)` | eval temp=split(src_user, "@") | eval email_domain=mvindex(temp,
        1) | lookup update=true brandMonitoring_lookup domain as email_domain OUTPUT
        domain_abuse | search domain_abuse=true | table message_id, src_user, email_domain,
        recipients, firstTime, lastTime'
      suppress:
        suppress_fields: message_id, src_user
        suppress_period: 86400s
eli5: This search looks at the sender address in email headers, and identifies those
  with a sender address using a domain name that matches the list of permutations
  generated for the domain you want to monitor.
entities:
  - src_user
how_to_implement: You need to ingest email header data. Specifically the sender's
  address (src_user) must be populated.  You also need to have run the search "ESCU
  - DNSTwist Domain Names", which creates the permutations of the domain that will
  be checked for.
id: b2ea1f38-3a3e-4b8a-9cf1-82760d86a6b8
investigations:
  - id: bc91a8cf-35e7-4bb2-8140-e756cc06fd75
    name: Get Email Info
    type: splunk
  - id: 5df39b3f-447d-4869-b673-8f45ad4616fe
    name: Get Emails From Specific Sender
    type: splunk
  - id: bc91a8cf-35e7-4bb2-8140-e756cc06fd76
    name: Get Authentication Logs For Endpoint
    type: splunk
  - id: fdcfb369-1725-4c24-824a-22972d7f0d55
    name: Get Risk Modifiers For User
    type: splunk
  - id: 3d6c3213-5fff-4a1e-b57d-b24c262171e7
    name: Get Notable History
    type: splunk
  - id: f3fb4d1b-5f33-4b01-b541-c7af9534c242
    name: Get Notable Info
    type: splunk
  - id: fdcfb369-1725-4c24-824a-22972d7f0d65
    name: Get Risk Modifiers For Endpoint
    type: splunk
  - id: bc91a8cf-35e7-4bb2-8140-e756cc06fd74
    name: Get User Information from Identity Table
    type: splunk
  - id: bc91a8cf-35e7-4bb2-8140-e756cc06fd22
    name: Investigate Web Activity From Host
    type: splunk
known_false_positives: None at this time
maintainers:
  - company: Splunk
    email: davidd@splunk.com
    name: David Dorsey
mappings:
  cis20:
    - CIS 7
  kill_chain_phases:
    - Delivery
  nist:
    - PR.IP
modification_date: '2018-01-05'
name: Monitor Email For Brand Abuse
original_authors:
  - company: Splunk
    email: davidd@splunk.com
    name: David Dorsey
references: []
security_domain: network
spec_version: 2
type: splunk
version: '2.0'