Archive

Email from Malicious sender

New Member

Hi Guys,

I am trying to create search for: "Email received from malicious sender"

Can somebody help to create such a search?

Many thanks!!!!

0 Karma

If we assume that you want to search based on email subject from mail exchange.

index=*  sourcetype="MSExchange*"  message_subject="Email received from malicious sender"
| table _time, sender,recipient,message_subject 
0 Karma

Ultra Champion

You'll need to provide a lot more info to receive any meaningful help with this.

What logs do you intend to use for this and what do those look like? Do you have some email security product that scans the emails and actually logs alerts when detecting malicious emails? Or do you need to work with plain email (SMTP) trace logs?

If you are working with plain logs, the key challenge will be to recognize the sender being malicious. Do you have any source of information you intend to use to make that decision?

0 Karma

New Member

as a index I will have o365.

0 Karma

Ultra Champion

Ok, so that will just provide information like sender, recipient, subject, maybe something about the attachment? No information in the events that labels it as malicious, right?

That means there is no simple answer to your question.

The first thing you need to do is figure out how you are going to determine something is malicious. Do you have a security background yourself? If not, you might want to collaborate with people in your organisation that do and can help you come up with a definition for what is malicious.

You'll likely need some threat intelligence data for that, find out if your organisation already has access to that, or research the available free and commercial suppliers of that.

Another thing you could for instance look at is emails that come in from the outside (not entirely sure how you can see that from O365 logs, but I expect that should be possible), but have an internal email address as sender. That should normally not occur and would indicate someone has spoofed the sender address to pretend to be a trusted sender. It might be that O365 will not even allow such emails through though, but that is probably something your O365 admin can help you understand.

0 Karma

New Member

Yes, I have some security background. At the moment there is no Threat intelligence source for email addresses in my organization. However, there is DetectionMethod: Office 365 URL reputation , I though it will be good method for detection. I have heard the Splunk ES have som built in TI feeds.

0 Karma

Ultra Champion

I don't know the O365 email log details, so perhaps there is indeed some info in there that provides a clue as to whether an email is malicious or not. Maybe someone else will come by this question that has a better knowledge on O365 logs and can provide you some more suggestions.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!