Techniques
Sample rules
Gsuite suspicious calendar invite
- source: splunk
- techniques:
- T1566
Description
This search helps detect compromised accounts or internal users sending suspicious calendar invites via GSuite calendar. These invites may contain malicious links or attachments.
Detection logic
`gsuite_calendar`
| bin span=5m _time
| rename parameters.* as *
| search target_calendar_id!=null email="*yourdomain.com"
| stats count values(target_calendar_id) values(event_title) values(event_guest) by email _time
| where count >100
| `gsuite_suspicious_calendar_invite_filter`
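
The following Python model of the search is an added example, not part of the original rule. It replays the bucketing and threshold steps over constructed events so the rule can be checked before deployment, including a sender whose burst spans two 5-minute buckets and is therefore counted per bucket. The `gsuite_calendar` and `gsuite_suspicious_calendar_invite_filter` macros are not modelled, and the function names, sample addresses and timestamps are assumptions.

```python
from collections import defaultdict

BIN_SECONDS = 300  # bin span=5m
THRESHOLD = 100    # where count > 100

def detect(events, domain="yourdomain.com"):
    """Rows for each (email, 5-minute bucket) with more than THRESHOLD invites."""
    rows = defaultdict(lambda: {"count": 0, "calendars": set(), "titles": set(), "guests": set()})
    for ev in events:
        p = ev.get("parameters", {})               # rename parameters.* as *
        cal, email = p.get("target_calendar_id"), ev.get("email", "")
        # search target_calendar_id!=null email="*yourdomain.com"
        if cal in (None, "null") or not email.lower().endswith(domain):
            continue
        bucket = int(ev["_time"]) // BIN_SECONDS * BIN_SECONDS   # bin _time
        row = rows[(email, bucket)]
        row["count"] += 1                          # stats count ... by email _time
        row["calendars"].add(cal)
        row["titles"].add(p.get("event_title"))
        row["guests"].add(p.get("event_guest"))
    return [
        {"email": e, "_time": t, **r}
        for (e, t), r in sorted(rows.items())
        if r["count"] > THRESHOLD
    ]

def invites(email, start, n):
    """Constructed sample data: n invites from `email`, one per second from `start`."""
    return [
        {"_time": start + i, "email": email,
         "parameters": {"target_calendar_id": f"user{i}@yourdomain.com",
                        "event_title": "Benefits update",
                        "event_guest": f"user{i}@yourdomain.com"}}
        for i in range(n)
    ]

BASE = 1_700_000_100  # constructed epoch time, aligned to a 5-minute boundary

def sample_events():
    return (
        invites("alice@yourdomain.com", BASE, 150)          # 150 in one bucket -> alert
        + invites("bob@yourdomain.com", BASE, 40)           # below threshold
        + invites("carol@yourdomain.com", BASE + 240, 120)  # 60 + 60 across two buckets
        + invites("sender@example.org", BASE, 150)          # outside the monitored domain
    )

if __name__ == "__main__":
    for hit in detect(sample_events()):
        print(hit["email"], hit["_time"], hit["count"], len(hit["guests"]))
```

Because the count is taken per fixed bucket, the 120 invites from the third sender produce no row; when tuning the threshold, compare it against per-bucket counts rather than totals per sender.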