get_history_of_email_sources.yml
name: Get History Of Email Sources
id: ddc7af28-c34d-4392-af93-7f29a4e8806c
version: 1
date: '2019-02-21'
author: Rico Valdez, Splunk
type: Investigation
status: deprecated
description: This search returns a list of all email sources seen from 48 hours
  before the notable event to 24 hours after it, with the number of emails from each
  source.
search: '|tstats `security_content_summariesonly` values(All_Email.dest) as dest values(All_Email.recipient)
  as recipient min(_time) as firstTime max(_time) as lastTime count from datamodel=Email.All_Email
  by All_Email.src |`drop_dm_object_name(All_Email)` | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)` | search src=$src$'
how_to_implement: To successfully implement this search you must ingest your email
  logs or capture unencrypted email communications within network traffic, and populate
  the Email data model.
known_false_positives: ''
references: []
tags:
  analytic_story:
  - Emotet Malware DHS Report TA18-201A
  - Hidden Cobra Malware
  - Lateral Movement
  - Malicious PowerShell
  - Orangeworm Attack Group
  - Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns
  - Ransomware
  - SamSam Ransomware
  product:
  - Splunk Phantom
security_domain: network
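To show what the `tstats` search above actually returns for an investigation, here is an added example (not part of the Splunk security_content repository) that emulates its per-source aggregation in Python over constructed email events. The 48-hours-before / 24-hours-after window is taken from the description; the search itself leaves the time bounds to the investigation, so applying them explicitly here, like the sample field values and the notable-event time, is an assumption.

```python
from datetime import datetime, timedelta, timezone

# Constructed notable-event time and sample events shaped like Email.All_Email fields.
T0 = datetime(2019, 2, 21, 12, 0, tzinfo=timezone.utc)
EVENTS = [
    {"_time": T0 - timedelta(hours=47), "src": "mail.example.net", "dest": "mx1", "recipient": "alice@corp.test"},
    {"_time": T0 - timedelta(hours=2),  "src": "mail.example.net", "dest": "mx2", "recipient": "bob@corp.test"},
    {"_time": T0 + timedelta(hours=1),  "src": "198.51.100.7",     "dest": "mx1", "recipient": "alice@corp.test"},
    {"_time": T0 - timedelta(hours=49), "src": "198.51.100.7",     "dest": "mx1", "recipient": "carol@corp.test"},
    {"_time": T0 + timedelta(hours=25), "src": "mail.example.net", "dest": "mx1", "recipient": "dave@corp.test"},
]


def email_source_history(events, notable_time, src=None):
    """Emulate the search: per email source, the distinct dest and recipient
    values, firstTime, lastTime and count, restricted to the investigation
    window. `src` mirrors the trailing `search src=$src$`; None keeps all sources."""
    earliest = notable_time - timedelta(hours=48)   # window start (assumed from description)
    latest = notable_time + timedelta(hours=24)     # window end
    rows = {}
    for ev in events:
        if not earliest <= ev["_time"] <= latest:   # outside the investigation window
            continue
        if src is not None and ev["src"] != src:    # `search src=$src$` filter
            continue
        row = rows.setdefault(ev["src"], {
            "dest": set(), "recipient": set(),
            "firstTime": ev["_time"], "lastTime": ev["_time"], "count": 0,
        })
        row["dest"].add(ev["dest"])                  # values(All_Email.dest)
        row["recipient"].add(ev["recipient"])        # values(All_Email.recipient)
        row["firstTime"] = min(row["firstTime"], ev["_time"])   # min(_time)
        row["lastTime"] = max(row["lastTime"], ev["_time"])     # max(_time)
        row["count"] += 1                            # count
    # security_content_ctime renders epoch times as readable strings
    return {
        s: {"dest": sorted(r["dest"]), "recipient": sorted(r["recipient"]),
            "firstTime": r["firstTime"].strftime("%Y-%m-%d %H:%M:%S"),
            "lastTime": r["lastTime"].strftime("%Y-%m-%d %H:%M:%S"),
            "count": r["count"]}
        for s, r in rows.items()
    }


if __name__ == "__main__":
    for source, row in email_source_history(EVENTS, T0).items():
        print(source, row)
```

Two of the constructed events fall outside the window on purpose, so the output shows only the three in-window emails grouped under two sources.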