Suspicious Email - UBA Anomaly

Original Source: [splunk source]
Name:Suspicious Email - UBA Anomaly
id:56e877a6-1455-4479-ad16-0550dc1e33f8
version:6
date:2024-11-14
author:Bhavin Patel, Splunk
status:deprecated
type:Anomaly
Description:This detection surfaces emails that Splunk User Behavior Analytics (UBA) scores as suspicious because of the sender, the rareness of the sender domain, or a deviation from the recipient's usual email behavior. The search does not analyse the mail itself; it reads anomalies that UBA has already raised from the "SuspiciousEmailDetectionModel" model into the UEBA data model.
Data_source:
search:
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_UEBA_Events.category) as category
    from datamodel=UEBA
    where nodename=All_UEBA_Events.UEBA_Anomalies All_UEBA_Events.UEBA_Anomalies.uba_model = "SuspiciousEmailDetectionModel"
    by All_UEBA_Events.description All_UEBA_Events.severity All_UEBA_Events.user All_UEBA_Events.uba_event_type All_UEBA_Events.link All_UEBA_Events.signature All_UEBA_Events.url All_UEBA_Events.UEBA_Anomalies.uba_model
| `drop_dm_object_name(All_UEBA_Events)`
| `drop_dm_object_name(UEBA_Anomalies)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `suspicious_email___uba_anomaly_filter`


how_to_implement:You must be ingesting email logs into Splunk and have Splunk integrated with UBA. The anomaly is raised by the UBA detection model named "SuspiciousEmailDetectionModel"; make sure that model is enabled on your UBA instance. Because the search runs against the UEBA data model (datamodel=UEBA), UBA anomalies must also be flowing into that data model, or the search returns nothing even when the model fires.
known_false_positives:This model alerts on any sender domain that is seen for the first time, so a legitimate new vendor, SaaS notifier or partner will trigger it. Investigate each hit, and if the sender turns out to be legitimate add the sender domain or URL to an allow list (for example through the `suspicious_email___uba_anomaly_filter` macro) so it does not alert again.
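The following is an added illustration of the behaviour described above, not the Splunk search or the UBA SuspiciousEmailDetectionModel itself: a minimal "sender domain seen for the first time" check over constructed email events, plus the allow list that the false-positive note suggests. The event tuples, the `ALLOW_LIST` contents and the function names are assumptions made for the example; the output field names (firstTime, lastTime, count, user) mirror the tstats aggregation above.

```python
# Added example (not Splunk's detection or UBA's model): first-seen sender-domain
# check with an analyst allow list. SAMPLE_EVENTS and ALLOW_LIST are constructed.
from datetime import datetime

# Constructed sample email events: (ISO timestamp, recipient user, sender address).
SAMPLE_EVENTS = [
    ("2024-11-01T08:00:00", "alice", "it-helpdesk@corp.example"),
    ("2024-11-02T09:15:00", "bob",   "newsletter@vendor.example"),
    ("2024-11-03T10:30:00", "alice", "it-helpdesk@corp.example"),
    ("2024-11-14T11:00:00", "carol", "payroll@corp-example.co"),        # look-alike domain, never seen before
    ("2024-11-14T11:05:00", "alice", "billing@saas-provider.example"),  # also new, but allow-listed
    ("2024-11-14T12:10:00", "dave",  "hr@corp-example.co"),             # second hit on the new domain
    ("2024-11-14T13:45:00", "bob",   "newsletter@vendor.example"),      # known domain, not an anomaly
]

# Hypothetical analyst-maintained allow list of legitimate first-time senders.
ALLOW_LIST = frozenset({"saas-provider.example"})


def sender_domain(address):
    """Return the case-folded sender domain; reject addresses without a domain part."""
    _local, sep, domain = address.rpartition("@")
    if not sep or not domain:
        raise ValueError(f"malformed sender address: {address!r}")
    return domain.lower()


def first_seen_sender_domains(events, window_start, allow_list=frozenset()):
    """Flag sender domains seen at or after window_start that never appeared before it.

    Events before window_start form the baseline of known domains. One record is
    returned per newly seen domain with firstTime, lastTime, count and the
    recipient users, in the spirit of the tstats aggregation above. Domains on
    the allow list are dropped, which is how the known false positive is handled.
    """
    start = datetime.fromisoformat(window_start)
    parsed = sorted((datetime.fromisoformat(ts), user, sender_domain(addr))
                    for ts, user, addr in events)
    baseline = {dom for t, _, dom in parsed if t < start}
    results = {}
    for t, user, dom in parsed:
        if t < start or dom in baseline or dom in allow_list:
            continue
        rec = results.setdefault(dom, {"domain": dom, "firstTime": t, "lastTime": t,
                                       "count": 0, "user": set()})
        rec["lastTime"] = max(rec["lastTime"], t)
        rec["count"] += 1
        rec["user"].add(user)
    # Render like the detection output: ISO timestamps and a sorted user list.
    return [
        {**rec,
         "firstTime": rec["firstTime"].isoformat(),
         "lastTime": rec["lastTime"].isoformat(),
         "user": sorted(rec["user"])}
        for rec in sorted(results.values(), key=lambda r: r["firstTime"])
    ]


def run_example():
    """Run the check over the constructed events with a detection window starting 2024-11-14."""
    return first_seen_sender_domains(SAMPLE_EVENTS, "2024-11-14T00:00:00", ALLOW_LIST)


if __name__ == "__main__":
    for anomaly in run_example():
        print(anomaly)
```

Running it reports only `corp-example.co` (two messages, to carol and dave); `saas-provider.example` is equally new but is suppressed by the allow list, and `vendor.example` is in the baseline. Drop the allow-list argument and the SaaS sender shows up as the false positive the note above describes.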
References:
drilldown_searches:
tags:
  analytic_story:
    - 'Suspicious Emails'
  asset_type:Endpoint
  mitre_attack_id:
    - 'T1566'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  security_domain:threat

tests:
manual_test:None

Related Analytic Stories

Suspicious Emails