Splunk Search

Email from Malicious sender

dzejsonborn
New Member

Hi Guys,

I am trying to create search for: "Email received from malicious sender"

Can somebody help to create such a search?

Many thanks!!!!

0 Karma

zayedaljaberi
Engager

If we assume that you want to search based on the email subject from Mail Exchange:

index=* sourcetype="MSExchange*" message_subject="Email received from malicious sender"
| table _time, sender, recipient, message_subject
0 Karma

FrankVl
Ultra Champion

You'll need to provide a lot more info to receive any meaningful help with this.

What logs do you intend to use for this and what do those look like? Do you have some email security product that scans the emails and actually logs alerts when detecting malicious emails? Or do you need to work with plain email (SMTP) trace logs?

If you are working with plain logs, the key challenge will be to recognize the sender being malicious. Do you have any source of information you intend to use to make that decision?

0 Karma

dzejsonborn
New Member

As an index I will have o365.

0 Karma

FrankVl
Ultra Champion

Ok, so that will just provide information like sender, recipient, subject, maybe something about the attachment? No information in the events that labels it as malicious, right?

That means there is no simple answer to your question.

The first thing you need to do is figure out how you are going to determine something is malicious. Do you have a security background yourself? If not, you might want to collaborate with people in your organisation that do and can help you come up with a definition for what is malicious.

You'll likely need some threat intelligence data for that, find out if your organisation already has access to that, or research the available free and commercial suppliers of that.

Another thing you could for instance look at is emails that come in from the outside (not entirely sure how you can see that from O365 logs, but I expect that should be possible), but have an internal email address as sender. That should normally not occur and would indicate someone has spoofed the sender address to pretend to be a trusted sender. It might be that O365 will not even allow such emails through though, but that is probably something your O365 admin can help you understand.

0 Karma
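An added example, not part of FrankVl's reply or of the thread, of the spoofed-internal-sender check he describes, written as a Splunk search over Office 365 message trace events. Everything about the data shape is an assumption: index o365, sourcetype o365:reporting:messagetrace (as ingested by the Splunk Add-on for Microsoft Office 365) with the fields SenderAddress, RecipientAddress, Subject, Status and FromIP; example.com stands for the organisation's own mail domain and 203.0.113.0/24 for the address range of its sanctioned outbound relays, both placeholders to replace.

```spl
index=o365 sourcetype="o365:reporting:messagetrace" SenderAddress="*@example.com"
| eval sender_domain=lower(mvindex(split(SenderAddress, "@"), 1))
| where sender_domain="example.com"
| where isnotnull(FromIP) AND NOT cidrmatch("203.0.113.0/24", FromIP)
| stats count, values(RecipientAddress) AS recipients, values(Subject) AS subjects, values(Status) AS status, earliest(_time) AS first_seen, latest(_time) AS last_seen BY SenderAddress, FromIP
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"), last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - count
```

The wildcard in the base search only prefilters; the eval and where lines make the domain match exact and case-insensitive so that attacker-controlled look-alikes such as example.com.evil.test are not mistaken for internal mail. FromIP is the connecting MTA on inbound messages and is typically empty for mail that never left the tenant, which is why the isnotnull guard drops internal-to-internal traffic. If mail arrives through a third-party gateway, FromIP will be the gateway's address and its ranges belong in the cidrmatch as well. As FrankVl notes, Exchange Online may already quarantine or reject these; the Status column shows whether a hit was actually delivered.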

dzejsonborn
New Member

Yes, I have some security background. At the moment there is no threat intelligence source for email addresses in my organization. However, there is DetectionMethod: Office 365 URL reputation; I thought it would be a good method for detection. I have heard that Splunk ES has some built-in TI feeds.

0 Karma

FrankVl
Ultra Champion

I don't know the O365 email log details, so perhaps there is indeed some info in there that provides a clue as to whether an email is malicious or not. Maybe someone else will come by this question that has a better knowledge on O365 logs and can provide you some more suggestions.

0 Karma
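An added example, not from the thread, that builds on the DetectionMethod field dzejsonborn mentions. It assumes Office 365 Management Activity API audit events are indexed as sourcetype o365:management:activity and that the Threat Intelligence workload events carry the fields Workload, DetectionMethod, Verdict, P1Sender, P2Sender, Recipients and Subject as in Microsoft's published schema; the exact DetectionMethod strings differ between tenants and product versions, so the match is a wildcard. The lookup name malicious_senders.csv and the message-trace sourcetype and field names are likewise assumptions. The first search builds a sender blocklist from Office 365's own verdicts (run it as a scheduled saved search), the second matches subsequent message-trace events against it, which gives a "threat intelligence" source for sender addresses without an external feed.

```spl
index=o365 sourcetype="o365:management:activity" Workload=ThreatIntelligence
| search DetectionMethod="*URL reputation*" OR Verdict IN ("Phish", "Malware")
| eval sender=lower(coalesce(P2Sender, P1Sender))
| stats count AS hits, values(DetectionMethod) AS detection_methods, values(Verdict) AS verdicts, dc(Recipients) AS distinct_recipients, latest(_time) AS last_seen BY sender
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| outputlookup malicious_senders.csv

index=o365 sourcetype="o365:reporting:messagetrace"
| eval sender=lower(SenderAddress)
| lookup malicious_senders.csv sender OUTPUT hits, verdicts, last_seen AS first_flagged
| where isnotnull(hits)
| table _time, sender, RecipientAddress, Subject, Status, verdicts, hits, first_flagged
```

P2Sender is the header From address the user sees and P1Sender the envelope sender; the coalesce prefers the former because that is what phishing lures impersonate. Lower-casing on both sides keeps the lookup match exact. A sender that has only ever been flagged once may be a compromised legitimate account rather than a persistent attacker, so the hits column is worth reading before acting on a match.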