⚠️ WARNING: THIS IS AN EXPERIMENTAL DETECTION

We have not been able to test, simulate, or build datasets for it; use at your own risk!


Description

This search looks for emails claiming to be sent from a domain that resembles one you want monitored for abuse (a lookalike or typosquatted variant of your brand's domain).

  • Type: TTP
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Email
  • Last Updated: 2018-01-05
  • Author: David Dorsey, Splunk
  • ID: b2ea1f38-3a3e-4b8a-9cf1-82760d86a6b8

| tstats `security_content_summariesonly` values(All_Email.recipient) as recipients, min(_time) as firstTime, max(_time) as lastTime from datamodel=Email by All_Email.src_user, All_Email.message_id
| `drop_dm_object_name("All_Email")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| eval temp=split(src_user, "@")
| eval email_domain=mvindex(temp, 1)
| lookup update=true brandMonitoring_lookup domain as email_domain OUTPUT domain_abuse
| search domain_abuse=true
| table message_id, src_user, email_domain, recipients, firstTime, lastTime
| `monitor_email_for_brand_abuse_filter`
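The following Python script is an added example, not part of the Splunk search or the ESCU project; it reproduces the search's logic offline so the behaviour can be checked without a Splunk instance. It stands in for the `tstats` aggregation (recipients, firstTime, lastTime by src_user and message_id), the `split`/`mvindex` domain extraction, the `brandMonitoring_lookup` join, and the `domain_abuse=true` filter. The lookup rows and email events are constructed here; in production the lookup is populated by the DNSTwist search and the events come from the Email datamodel. The lower-casing of the extracted domain before the lookup is a choice made in this example, not something the SPL does.

```python
from datetime import datetime, timezone

# Constructed stand-in for brandMonitoring_lookup. In the real pipeline the
# "ESCU - DNSTwist Domain Names" search fills this with permutations of the
# monitored domain; every row below is invented for this example.
BRAND_MONITORING_LOOKUP = {
    "example.com": {"domain_abuse": False},        # the monitored brand itself
    "examp1e.com": {"domain_abuse": True},         # homoglyph permutation (l -> 1)
    "exampel.com": {"domain_abuse": True},         # transposition permutation
    "example-login.com": {"domain_abuse": True},   # hyphenated permutation
}

# Constructed email-header events using the Email datamodel field names the
# search relies on (_time, src_user, recipient, message_id).
EMAIL_EVENTS = [
    {"_time": 1515110400, "src_user": "billing@examp1e.com", "recipient": "alice@corp.test", "message_id": "<m1@examp1e.com>"},
    {"_time": 1515110460, "src_user": "billing@examp1e.com", "recipient": "bob@corp.test", "message_id": "<m1@examp1e.com>"},
    {"_time": 1515114000, "src_user": "news@example.com", "recipient": "alice@corp.test", "message_id": "<m2@example.com>"},
    {"_time": 1515117600, "src_user": "Support@EXAMPEL.COM", "recipient": "carol@corp.test", "message_id": "<m3@exampel.com>"},
    {"_time": 1515121200, "src_user": "no-at-sign", "recipient": "dave@corp.test", "message_id": "<m4@localhost>"},
]


def email_domain(src_user):
    """Mirror `eval temp=split(src_user, "@") | eval email_domain=mvindex(temp, 1)`.

    Returns None when src_user has no '@': mvindex(temp, 1) on a single-element
    multivalue field yields null, so such rows never match the lookup.
    """
    parts = src_user.split("@")
    return parts[1] if len(parts) > 1 else None


def ctime(epoch):
    """Mirror `security_content_ctime`: render an epoch value as a readable timestamp (UTC here)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat()


def summarize_by_sender_and_message(events):
    """Mirror the tstats clause: values(recipient), min(_time), max(_time) by src_user, message_id."""
    groups = {}
    for ev in events:
        key = (ev["src_user"], ev["message_id"])
        g = groups.setdefault(key, {"recipients": set(), "firstTime": ev["_time"], "lastTime": ev["_time"]})
        g["recipients"].add(ev["recipient"])
        g["firstTime"] = min(g["firstTime"], ev["_time"])
        g["lastTime"] = max(g["lastTime"], ev["_time"])
    return [
        {
            "src_user": src_user,
            "message_id": message_id,
            "recipients": sorted(g["recipients"]),
            "firstTime": g["firstTime"],
            "lastTime": g["lastTime"],
        }
        for (src_user, message_id), g in groups.items()
    ]


def monitor_email_for_brand_abuse(events, lookup=BRAND_MONITORING_LOOKUP):
    """Run the whole pipeline and return the rows the `table` command would emit."""
    hits = []
    for row in summarize_by_sender_and_message(events):
        domain = email_domain(row["src_user"])
        if domain is None:
            continue  # no '@' in the sender: nothing to look up
        # Case-folding is an assumption of this example; the SPL hands email_domain to the lookup as-is.
        domain = domain.lower()
        entry = lookup.get(domain)
        if entry is None or not entry["domain_abuse"]:
            continue  # `search domain_abuse=true` drops unknown and non-abusive domains
        hits.append({
            "message_id": row["message_id"],
            "src_user": row["src_user"],
            "email_domain": domain,
            "recipients": row["recipients"],
            "firstTime": ctime(row["firstTime"]),
            "lastTime": ctime(row["lastTime"]),
        })
    return hits


if __name__ == "__main__":
    for hit in monitor_email_for_brand_abuse(EMAIL_EVENTS):
        print(hit)
```

Running the script yields two rows: the `examp1e.com` message (two recipients, first and last seen one minute apart) and the `exampel.com` message. The genuine `example.com` mail is dropped because its lookup row carries `domain_abuse=False`, and the malformed sender without an `@` never reaches the lookup, which is the same outcome the `mvindex` null produces in Splunk.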

Associated Analytic Story

How To Implement

You need to ingest email header data; specifically, the sender's address (src_user) must be populated. You also need to have run the search "ESCU - DNSTwist Domain Names", which generates the permutations of the monitored domain that populate the lookup this search checks against.

Required fields

  • _time
  • All_Email.recipient
  • All_Email.src_user
  • All_Email.message_id

Kill Chain Phase

  • Delivery

Known False Positives

None at this time

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.

source | version: 2