⚠️ WARNING: THIS IS AN EXPERIMENTAL DETECTION
We have not been able to test, simulate or build datasets for it; use at your own risk!
This search looks for emails claiming to be sent from a domain that closely resembles a domain you want monitored for brand abuse.
- Type: TTP
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Email
- Last Updated: 2018-01-05
- Author: David Dorsey, Splunk
- ID: b2ea1f38-3a3e-4b8a-9cf1-82760d86a6b8
```spl
| tstats `security_content_summariesonly` values(All_Email.recipient) as recipients, min(_time) as firstTime, max(_time) as lastTime from datamodel=Email by All_Email.src_user, All_Email.message_id
| `drop_dm_object_name("All_Email")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| eval temp=split(src_user, "@")
| eval email_domain=mvindex(temp, 1)
| lookup update=true brandMonitoring_lookup domain as email_domain OUTPUT domain_abuse
| search domain_abuse=true
| table message_id, src_user, email_domain, recipients, firstTime, lastTime
| `monitor_email_for_brand_abuse_filter`
```
Associated Analytic Story
How To Implement
You need to ingest email header data into the Email datamodel. Specifically, the sender's address (src_user) must be populated. You also need to have run the search "ESCU - DNSTwist Domain Names", which generates the permutations of your monitored domain that this search checks senders against via brandMonitoring_lookup.
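The following Python script is an added example, not part of Splunk's ESCU content: it replays the logic of the search above offline so the behaviour can be checked without a Splunk instance. It assumes a monitored brand domain of `example.com`, builds a small stand-in for the DNSTwist permutation lookup (omission, repetition, transposition and homoglyph fuzzers only), then runs the detection over constructed Email datamodel events. Every domain, address, message ID and timestamp in it is constructed for the example.

```python
from datetime import datetime, timezone

# Assumed brand domain to monitor (not taken from the page).
MONITORED_DOMAIN = "example.com"


def domain_permutations(domain):
    """Simplified stand-in for the 'ESCU - DNSTwist Domain Names' search:
    generate lookalike domains with a few dnstwist-style fuzzers
    (omission, repetition, transposition, homoglyph substitution)."""
    name, tld = domain.lower().rsplit(".", 1)
    homoglyphs = {"a": "4", "e": "3", "i": "1", "l": "1", "o": "0", "m": "rn"}
    perms = set()
    for i, ch in enumerate(name):
        perms.add(name[:i] + name[i + 1:])                     # omission
        perms.add(name[:i] + ch + name[i:])                    # repetition
        if i + 1 < len(name):                                  # transposition
            perms.add(name[:i] + name[i + 1] + ch + name[i + 2:])
        if ch in homoglyphs:                                   # homoglyph
            perms.add(name[:i] + homoglyphs[ch] + name[i + 1:])
    perms.discard(name)  # the real domain must never be flagged
    return {p + "." + tld for p in perms if p}


def build_brand_lookup(domain):
    """Equivalent of brandMonitoring_lookup: domain -> domain_abuse flag."""
    return {d: True for d in domain_permutations(domain)}


def security_content_ctime(epoch):
    """Same format the security_content_ctime macro produces (UTC assumed here)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


# Constructed sample events with the Email datamodel fields the search uses.
SAMPLE_EMAILS = [
    {"_time": 1515110400, "src_user": "alice@examp1e.com", "message_id": "<m1@examp1e.com>", "recipient": "bob@corp.test"},
    {"_time": 1515110460, "src_user": "alice@examp1e.com", "message_id": "<m1@examp1e.com>", "recipient": "carol@corp.test"},
    {"_time": 1515114000, "src_user": "billing@ExArnple.com", "message_id": "<m2@exarnple.com>", "recipient": "dave@corp.test"},
    {"_time": 1515117600, "src_user": "legit@example.com", "message_id": "<m3@example.com>", "recipient": "eve@corp.test"},
    {"_time": 1515121200, "src_user": "news@unrelated.net", "message_id": "<m4@unrelated.net>", "recipient": "frank@corp.test"},
    {"_time": 1515124800, "src_user": "malformed-sender", "message_id": "<m5@unknown>", "recipient": "grace@corp.test"},
]


def monitor_email_for_brand_abuse(events, lookup):
    """Replay of the SPL: group by (src_user, message_id) as tstats does,
    aggregate recipients/firstTime/lastTime, derive email_domain from src_user,
    and keep only rows whose domain the lookup marks as domain_abuse=true."""
    groups = {}
    for ev in events:
        key = (ev["src_user"], ev["message_id"])
        g = groups.setdefault(key, {"recipients": set(), "firstTime": ev["_time"], "lastTime": ev["_time"]})
        g["recipients"].add(ev["recipient"])
        g["firstTime"] = min(g["firstTime"], ev["_time"])
        g["lastTime"] = max(g["lastTime"], ev["_time"])

    rows = []
    for (src_user, message_id), g in groups.items():
        temp = src_user.split("@")
        if len(temp) < 2:  # mvindex(temp, 1) is null without an '@', so the row can never match
            continue
        # Lower-casing is an addition to the SPL: a Splunk CSV lookup matches
        # case-sensitively by default, so a mixed-case sender domain would otherwise be missed.
        email_domain = temp[1].lower()
        if lookup.get(email_domain) is not True:  # search domain_abuse=true
            continue
        rows.append({
            "message_id": message_id,
            "src_user": src_user,
            "email_domain": email_domain,
            "recipients": sorted(g["recipients"]),
            "firstTime": security_content_ctime(g["firstTime"]),
            "lastTime": security_content_ctime(g["lastTime"]),
        })
    return sorted(rows, key=lambda r: r["firstTime"])


if __name__ == "__main__":
    for row in monitor_email_for_brand_abuse(SAMPLE_EMAILS, build_brand_lookup(MONITORED_DOMAIN)):
        print(row)
```

Running it flags the two lookalike senders (`examp1e.com` and `exarnple.com`), merges the two recipients of the first message into one row as `values(All_Email.recipient)` does, and leaves the genuine `example.com` sender, the unrelated domain and the sender without an `@` untouched. The case-folding step is the one place this deviates from the SPL; if your brandMonitoring_lookup definition is case-sensitive, consider adding `| eval email_domain=lower(email_domain)` before the lookup.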
Kill Chain Phase
Known False Positives
None at this time
Version: 2