O365 Email Reported By User Found Malicious
Description
The following analytic detects when an email submitted to Microsoft using the built-in report button in Outlook is found to be malicious. This capability is an enhanced protection feature that can be used within o365 tenants by users to report potentially malicious emails. This correlation looks for any submission that returns a Phish or Malware verdict upon submission.
- Type: TTP
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Email
- Last Updated: 2024-04-01
- Author: Steven Dick
- ID: 7698b945-238e-4bb9-b172-81f5ca1685a1
Annotations
ATT&CK
Kill Chain Phase
- Delivery
NIST
- DE.CM
CIS20
- CIS 10
CVE
Search
1
2
3
4
5
6
7
8
9
10
11
12
13
`o365_management_activity` Workload=SecurityComplianceCenter Operation=AlertEntityGenerated Name="Email reported by user as*"
| fromjson Data
| rename _raw AS temp etps AS _raw
| extract pairdelim=";" kvdelim=":"
| rename _raw AS etps temp AS _raw
| search RescanVerdict IN (Phish,Malware)
| rex field=tsd "\<(?<src_user>.+)\>"
| eval src_user = case(isnull(src_user),tsd,true(),src_user)
| stats count min(_time) as firstTime max(_time) as lastTime values(ms) as subject values(RescanVerdict) as result values(tsd) as sender values(src_user) as src_user by AlertId,AlertEntityId,Operation,Name
| rename Name as signature, AlertId as signature_id, AlertEntityId as user
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_email_reported_by_user_found_malicious_filter`
Macros
The SPL above uses the following Macros:
o365_email_reported_by_user_found_malicious_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Required fields
List of fields required to use this analytic.
- _time
- Workload
- Operation
- Name
- Data
- AlertId
- AlertEntityId
- tsd
- etps
How To Implement
You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. You must deploy/allow the usage of the Microsoft Office Report A Message function.
Known False Positives
unknown
Associated Analytic Story
RBA
Risk Score | Impact | Confidence | Message |
---|---|---|---|
75.0 | 75 | 100 | The user $user$ reported an email classified as $result$ from $src_user$ |
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.
Reference
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py
tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
source | version: 1