Suspicious Email - UBA Anomaly

Description

This detection looks for emails that are suspicious because of their sender, domain rareness, or behavior differences. This is an anomaly generated by Splunk User Behavior Analytics (UBA).

Content Mapping

This content is not mapped to any local saved search.


Use Case

Advanced Threat Detection

Category

Adversary Tactics

Alert Volume

Medium

Data Availability

Bad

Journey

Stage 3

Kill Chain Phases

Delivery

Data Sources

Email

Help

This detection monitors for emails that are suspicious because of their sender, domain rareness, or behavior differences, as determined by Splunk UBA. In this search, we query the "UEBA" data model to look for anomalies that are raised by the "SuspiciousEmailDetectionModel" and will output the count, description of the anomaly, signature, the type of event in UBA, the severity, and the user who received a potentially suspicious email from a newly seen domain. It will also output all the categories associated with that anomaly.