forked from splunk/security_content
-
Notifications
You must be signed in to change notification settings - Fork 0
/
dnstwist_domain_names.yml
48 lines (48 loc) · 1.38 KB
/
dnstwist_domain_names.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
name: DNSTwist Domain Names
id: 19f7d2ec-6028-4d01-bcdb-bda9a034c17f
version: 2
date: '2018-10-08'
author: David Dorsey, Splunk
type: Baseline
datamodel: []
description: This search creates permutations of your existing domains, removes the
valid domain names and stores them in a specified lookup file so they can be checked
for in the associated detection searches.
search: '| dnstwist domainlist=domains.csv | `remove_valid_domains` | eval domain_abuse="true"
| table domain, domain_abuse | outputlookup brandMonitoring_lookup | stats count'
how_to_implement: To successfully implement this search you need to update the file
called domains.csv in the DA-ESS-SOC/lookup directory. Or `cim_corporate_email_domains.csv`
and `cim_corporate_web_domains.csv` from **Splunk\_SA\_CIM**.
known_false_positives: none
references: []
tags:
analytic_story:
- Brand Monitoring
- Suspicious Emails
asset_type: Endpoint
deployments:
- Daily Cache Updates
detections:
- Monitor Email For Brand Abuse
- Monitor DNS For Brand Abuse
- Monitor Web Traffic For Brand Abuse
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
kill_chain_phases:
- Exploitation
required_fields:
- _time
security_domain: network
confidence: 50
impact: 50
risk_score: 25
context:
- Unknown
message: tbd
observable:
- name: dest
type: Other
role:
- Other