Name: Suspicious Email - UBA Anomaly
id: 56e877a6-1455-4479-ad16-0550dc1e33f8
version: 5
date: 2024-10-17
author: Bhavin Patel, Splunk
status: deprecated
type: Anomaly
Description: This detection looks for emails that are suspicious because of their sender, domain rareness, or behavior differences. This is an anomaly generated by Splunk User Behavior Analytics (UBA).
Data_source:
search: |tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_UEBA_Events.category) as category from datamodel=UEBA where nodename=All_UEBA_Events.UEBA_Anomalies All_UEBA_Events.UEBA_Anomalies.uba_model = "SuspiciousEmailDetectionModel" by All_UEBA_Events.description All_UEBA_Events.severity All_UEBA_Events.user All_UEBA_Events.uba_event_type All_UEBA_Events.link All_UEBA_Events.signature All_UEBA_Events.url All_UEBA_Events.UEBA_Anomalies.uba_model | `drop_dm_object_name(All_UEBA_Events)` | `drop_dm_object_name(UEBA_Anomalies)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_email___uba_anomaly_filter`
how_to_implement: You must be ingesting data from email logs and have Splunk integrated with UBA. This anomaly is raised by a UBA detection model called "SuspiciousEmailDetectionModel." Ensure that this model is enabled on your UBA instance.
known_false_positives: This detection model will alert on any sender domain that is seen for the first time. This could be a potential false positive. The next step is to investigate and add the URL to an allow list if you determine that it is a legitimate sender.
References:
drilldown_searches:
tags:
  analytic_story:
    - 'Suspicious Emails'
  asset_type: Endpoint
  confidence: 50
  impact: 50
  message: tbd
  mitre_attack_id:
    - 'T1566'
  observable:
    - name: 'user'
      type: 'User'
      role:
        - 'Victim'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  required_fields:
    - '_time'
  risk_score: 25
  security_domain: threat