Can you process incoming email from an email security appliance in the UBA?

packet_hunter
Contributor

Phishing emails often attempt to masquerade as legit senders or common expected senders (typo-squatting).

Does anyone know if the UBA can process email headers and trigger a Whois Lookup to check creation date, Geo location, etc. for phishy uncommon emails/sender domains?

0 Karma
1 Solution

David
Splunk Employee

UBA can ingest email data, and uses it for a variety of use cases. This one in particular, I'm not actually sure whether it is done by UBA, but we can chat offline about your use cases. That said, the descriptions that you're talking about can definitely be done with Core Splunk or ES very easily -- if you (or anyone you work with) have that data in Splunk already then you can happily leverage that today.

0 Karma

packet_hunter
Contributor

David, thank you for the reply.

Please advise regarding how I can "chat offline" with you.

I agree that Core / ES could do this as well, but I was wondering if UBA had a better pattern / decision engine.

Can you provide a brief description of the requirements for ES and Core to do this? I imagine you need SMTP headers and proxy logs?

Thank you

0 Karma
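The sender-domain check discussed in this thread, as an added Python example that is not part of the original posts and is not how UBA, ES or Core Splunk implement it: it parses the From header and labels the domain as expected, lookalike (typo-squat candidate) or uncommon. The `EXPECTED_DOMAINS` list, the distance threshold and the sample messages are constructed assumptions; the Whois creation-date lookup needs network access and is left out, so the lookalike and uncommon verdicts are the ones that would be queued for it.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains this organisation normally receives mail from.
EXPECTED_DOMAINS = {"example.com", "paypal.com", "microsoft.com"}

# Constructed sample messages (headers only matter here).
SAMPLES = [
    'From: "PayPal Support" <billing@paypa1.com>\nSubject: Invoice\n\nbody',
    'From: "support@paypal.com" <notice@mailer.invalid>\nSubject: Alert\n\nbody',
    'From: Alice <alice@example.com>\nSubject: Lunch\n\nbody',
]

def edit_distance(a, b):
    """Levenshtein distance using a two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(raw_message):
    """Domain of the real From address (not the display name), or None."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower().rstrip(".")

def classify(raw_message, max_distance=2):
    """Return (verdict, sender domain, closest expected domain or None)."""
    domain = sender_domain(raw_message)
    if domain is None:
        return ("unparseable", None, None)
    if domain in EXPECTED_DOMAINS:
        return ("expected", domain, domain)
    closest = min(EXPECTED_DOMAINS, key=lambda d: edit_distance(domain, d))
    if edit_distance(domain, closest) <= max_distance:
        return ("lookalike", domain, closest)
    return ("uncommon", domain, None)

if __name__ == "__main__":
    for raw in SAMPLES:
        print(classify(raw))
```

The second sample shows why the address is taken from the angle-bracket part: the display name carries a trusted-looking address while the actual sender domain is unrelated.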