We have not been able to test, simulate, or build datasets for this detection; use at your own risk!


The search queries the Endpoint.Filesystem data model and detects Outlook data files (.pst and .ost) created outside the normal Outlook directories, which can indicate an adversary staging local mailboxes for exfiltration (or a user making an ad hoc mail backup).

  • Type: TTP
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2020-07-21
  • Author: Bhavin Patel, Splunk
  • ID: ee18ed37-0802-4268-9435-b3b91aaa18xx


ID          Technique                Tactic
T1114       Email Collection         Collection
T1114.001   Local Email Collection   Collection

| tstats `security_content_summariesonly` count values(Filesystem.file_path) as file_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_name=*.pst OR Filesystem.file_name=*.ost) Filesystem.file_path != "C:\\Users\\*\\My Documents\\Outlook Files\\*"  Filesystem.file_path!="C:\\Users\\*\\AppData\\Local\\Microsoft\\Outlook*" by Filesystem.action Filesystem.process_id Filesystem.file_name Filesystem.dest 
| `drop_dm_object_name("Filesystem")` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
| `email_files_written_outside_of_the_outlook_directory_filter` 
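As an added example (not Splunk's own code and not part of the original page), the following Python re-implements the logic of the SPL search above so the exclusion globs can be exercised without a Splunk instance: it keeps .pst/.ost writes whose path is not covered by either `file_path !=` clause, then groups by action, process_id, file_name and dest with count, values(file_path), min(_time) and max(_time). It assumes NTFS paths are case-insensitive (so both sides are lowercased), renders times as ISO 8601 instead of `security_content_ctime`, and runs over constructed sample events; the hostnames, users, PIDs and paths are invented. One of the constructed events sits in the current default Outlook data-file location (C:\Users\<user>\Documents\Outlook Files) to show that the search's legacy "My Documents" exclusion does not cover it.

```python
"""
Added example (not Splunk's own code): a plain-Python re-implementation of the
SPL search above, run over constructed Sysmon-style file-create events so the
exclusion logic can be checked without a Splunk instance. Hostnames, users,
PIDs and paths are invented sample data.
"""
from collections import defaultdict
from datetime import datetime
from fnmatch import fnmatchcase

# The two file_path != clauses of the search. A "*" in Splunk matches across
# path separators, and so does fnmatch's "*", so the globs carry over as-is.
# ASSUMPTION: NTFS paths are case-insensitive, so both sides are lowercased.
EXCLUDED_PATH_GLOBS = (
    r"C:\Users\*\My Documents\Outlook Files\*",
    r"C:\Users\*\AppData\Local\Microsoft\Outlook*",
)
EMAIL_FILE_GLOBS = ("*.pst", "*.ost")


def is_email_file(file_name):
    """Equivalent of: Filesystem.file_name=*.pst OR Filesystem.file_name=*.ost"""
    return any(fnmatchcase(file_name.lower(), g) for g in EMAIL_FILE_GLOBS)


def in_outlook_directory(file_path):
    """True when the path is covered by one of the search's exclusions."""
    path = file_path.lower()
    return any(fnmatchcase(path, g.lower()) for g in EXCLUDED_PATH_GLOBS)


def detect(events):
    """Mirror the tstats clause: keep .pst/.ost writes outside the Outlook
    directories, then group by (action, process_id, file_name, dest) with
    count, values(file_path), min(_time) and max(_time)."""
    groups = defaultdict(lambda: {"count": 0, "file_path": set(), "times": []})
    for ev in events:
        if not is_email_file(ev["file_name"]) or in_outlook_directory(ev["file_path"]):
            continue
        key = (ev["action"], ev["process_id"], ev["file_name"], ev["dest"])
        groups[key]["count"] += 1
        groups[key]["file_path"].add(ev["file_path"])
        groups[key]["times"].append(ev["_time"])
    rows = []
    for (action, pid, name, dest), g in sorted(groups.items()):
        rows.append({
            "action": action, "process_id": pid, "file_name": name, "dest": dest,
            "count": g["count"],
            "file_path": sorted(g["file_path"]),
            # security_content_ctime renders epoch times; ISO 8601 is used here.
            "firstTime": min(g["times"]).isoformat(),
            "lastTime": max(g["times"]).isoformat(),
        })
    return rows


def _ev(t, pid, name, path, dest="wkstn-01", action="created"):
    """Build one event shaped like the Endpoint.Filesystem fields the search uses."""
    return {"_time": t, "process_id": pid, "file_name": name,
            "file_path": path, "dest": dest, "action": action}


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # Default OST location: excluded by the second glob.
    _ev(datetime(2020, 7, 21, 8, 0), 1234, "alice@corp.example.ost",
        r"C:\Users\alice\AppData\Local\Microsoft\Outlook\alice@corp.example.ost"),
    # Legacy PST location: excluded by the first glob.
    _ev(datetime(2020, 7, 21, 8, 1), 1234, "archive.pst",
        r"C:\Users\alice\My Documents\Outlook Files\archive.pst"),
    # Current default PST location (Outlook 2010 and later): NOT excluded by
    # the search as written, so it shows up as a hit (a known false-positive path).
    _ev(datetime(2020, 7, 21, 8, 2), 1234, "archive.pst",
        r"C:\Users\alice\Documents\Outlook Files\archive.pst"),
    # Two .pst writes by one process into C:\Temp: one row with count=2.
    _ev(datetime(2020, 7, 21, 9, 0), 4321, "mailbox.pst", r"C:\Temp\mailbox.pst"),
    _ev(datetime(2020, 7, 21, 9, 5), 4321, "mailbox.pst", r"C:\Temp\staging\mailbox.pst"),
    # Not an email file: ignored.
    _ev(datetime(2020, 7, 21, 9, 6), 4321, "notes.txt", r"C:\Temp\notes.txt"),
]

if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(row)
```

Running the block prints two rows: one for archive.pst in the current default Documents location (count 1) and one for mailbox.pst written twice by PID 4321 under C:\Temp (count 2, both paths collected). Adding a third glob for `C:\Users\*\Documents\Outlook Files\*` to `EXCLUDED_PATH_GLOBS` is the equivalent of extending the search's exclusions, and is the first thing to try before tuning with the filter macro.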

Associated Analytic Story

How To Implement

To successfully implement this search, you must be ingesting data that records file-system activity from your hosts to populate the Endpoint.Filesystem data model node. This node is typically populated by an endpoint detection-and-response (EDR) product, such as Carbon Black, or by other endpoint data sources, such as Sysmon (Event ID 11, FileCreate). The data used for this search is typically generated by logs that report file-system reads and writes; confirm that file-creation events for the monitored paths are actually being logged and that they map to the Filesystem.action, Filesystem.file_path and Filesystem.file_name fields, otherwise the search will silently return nothing.

Required fields

  • _time
  • Filesystem.file_path
  • Filesystem.file_name
  • Filesystem.action
  • Filesystem.process_id
  • Filesystem.dest

Kill Chain Phase

  • Actions on Objectives

Known False Positives

Administrators and users sometimes back up their email by exporting or moving .pst files into a different folder; those writes will be detected by this search and should be tuned out with the `email_files_written_outside_of_the_outlook_directory_filter` macro. Note also that Outlook 2010 and later store new .pst files under C:\Users\<user>\Documents\Outlook Files by default, while the search only excludes the legacy My Documents\Outlook Files path, so files written to the current default location will also produce hits unless you add that path to the exclusions or to the filter macro.


Test Dataset

Replay any dataset into Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.

source | version: 3