forked from splunk/security_content
suspicious_emails.yml
category:
- Adversary Tactics
channel: ESCU
creation_date: '2017-03-24'
description: Email remains one of the primary means for attackers to gain an initial
  foothold within the modern enterprise. Detect and investigate suspicious emails
  in your environment with the help of the searches in this Analytic Story.
detections:
- detection_id: b2ea1f38-3a3e-4b8a-9cf1-82760d86a6b8
  name: Monitor Email For Brand Abuse
  type: splunk
- detection_id: 473bd65f-06ca-4dfe-a2b8-ba04ab4a0084
  name: Suspicious Email Attachment Extensions
  type: splunk
- detection_id: 56e877a6-1455-4479-ada6-0550dc1e22f8
  name: Email Attachments With Lots Of Spaces
  type: splunk
- detection_id: 56e877a6-1455-4479-ad16-0550dc1e33f8
  name: Suspicious Email - UBA Anomaly
  type: uba
id: 2b1800dd-92f9-47ec-a981-fdf1351e5d55
maintainers:
- company: Splunk
  email: bpatel@splunk.com
  name: Bhavin Patel
modification_date: '2017-09-19'
name: Suspicious Emails
narrative: |
  It is a common practice for attackers of all types to leverage targeted
  spearphishing campaigns and mass mailers to deliver weaponized email messages and
  attachments. Fortunately, there are a number of ways to monitor email data in Splunk
  to detect suspicious content.

  Once a phishing message has been detected, the next steps are to answer the following
  questions:

  1. Which users have received this or a similar message in the past?
  2. When did the targeted campaign begin?
  3. Have any users interacted with the content of the messages (by downloading an
     attachment or clicking on a malicious URL)?

  This Analytic Story provides detection searches to identify suspicious emails, as well
  as contextual and investigative searches to help answer some of these questions.
original_authors:
- company: Splunk
  email: bpatel@splunk.com
  name: Bhavin Patel
references:
- https://www.splunk.com/blog/2015/06/26/phishing-hits-a-new-level-of-quality/
spec_version: 2
usecase: Advanced Threat Detection
version: '1.0'