Techniques
Sample rules
Gsuite Email With Known Abuse Web Service Link
- source: splunk
- technicques:
- T1566.001
- T1566
Description
This analytics is to detect a gmail containing a link that are known to be abused by malware or attacker like pastebin, telegram and discord to deliver malicious payload. This event can encounter some normal email traffic within organization and external email that normally using this application and services.
Detection logic
`gsuite_gmail` "link_domain{}" IN ("*pastebin.com*", "*discord*", "*telegram*","t.me")
| rex field=source.from_header_address "[^@]+@(?<source_domain>[^@]+)"
| rex field=destination{}.address "[^@]+@(?<dest_domain>[^@]+)"
| where not source_domain="internal_test_email.com" and dest_domain="internal_test_email.com"
| eval phase="plan"
| eval severity="low"
|stats values(link_domain{}) as link_domains min(_time) as firstTime max(_time) as lastTime count by is_spam source.address source.from_header_address subject destination{}.address phase severity
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `gsuite_email_with_known_abuse_web_service_link_filter`