forked from splunk/security_content
get_history_of_email_sources.yml
name: Get History Of Email Sources
id: ddc7af28-c34d-4392-af93-7f29a4e8806c
version: 1
date: '2019-02-21'
author: Rico Valdez, Splunk
type: Investigation
datamodel:
- Email
description: This search returns a list of all email sources seen in the 48 hours
  prior to the notable event to 24 hours after, and the number of emails from each
  source.
search: '|tstats `security_content_summariesonly` values(All_Email.dest) as dest values(All_Email.recipient)
  as recepient min(_time) as firstTime max(_time) as lastTime count from datamodel=Email.All_Email
  by All_Email.src |`drop_dm_object_name(All_Email)` | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)` | search src=$src$'
how_to_implement: To successfully implement this search you must ingest your email
  logs or capture unencrypted email communications within network traffic, and populate
  the Email data model.
known_false_positives: ''
references: []
tags:
  analytic_story:
  - 'Emotet Malware DHS Report TA18-201A '
  - Hidden Cobra Malware
  - Lateral Movement
  - Malicious PowerShell
  - Orangeworm Attack Group
  - Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns
  - Ransomware
  - SamSam Ransomware
  product:
  - Splunk Phantom
  required_fields:
  - _time
  - All_Email.dest
  - All_Email.recipient
  - All_Email.src
  security_domain: network