Splunk Tech Talks
Deep-dives for technical practitioners.

Suspicious Email Domain Enrichment

Splunk Employee
Splunk Employee

View our Tech Talk: Security Edition, Suspicious Email Domain Enrichment 

Despite the myriad pathways to initial access on our networks, phishing remains the single most popular technique for attackers. The open nature of email and our reliance on it for communication make it difficult for defenders to classify messages, so it is no surprise that suspicious email investigation is a top use case for automation.

We are releasing a new community playbook for Splunk Phantom to help enrich suspicious email events. This playbook focuses specifically on domain names contained in the ingested email, and it uses Cisco Umbrella Investigate to add the risk score, risk status and domain category to the event in Phantom. When an analyst is assigned an event, this will allow faster recognition of the purpose of the email, and the domain enrichment will also provide a connection point to take further action on the output.


Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...