Suspicious Email Attachment Extensions
This search looks for emails that have attachments with suspicious file extensions.
Suspicious Email Attachment Extensions Help
You need to ingest data from emails. Specifically, the sender's address and the file names of any attachments must be mapped to the Email data model.
Splunk Phantom Playbook Integration
If Splunk Phantom is also configured in your environment, a Playbook called "Suspicious Email Attachment Investigate and Delete" can be configured to run when any results are found by this detection search. To use this integration, install the Phantom App for Splunk.
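The detection logic described above, as an added example that is not the search itself: it takes events shaped like the Email data model fields the help text names (src_user and file_name), classifies each attachment by its effective extension, and groups hits by sender. The extension list and the sample events are constructed for this example; the page does not state which extensions the real search treats as suspicious.

```python
from collections import defaultdict

# Constructed list of extensions treated as suspicious; the page does not
# name the list the detection uses, so this set is an assumption.
SUSPICIOUS_EXTENSIONS = {
    "exe", "scr", "pif", "com", "bat", "cmd", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "ps1", "jar", "lnk", "iso", "img",
}

def attachment_extension(file_name: str) -> str:
    """Return the effective extension of an attachment name, lower-cased.

    Trailing dots and whitespace are stripped first so 'update.scr.' and
    'update.SCR ' both resolve to 'scr'. Only the final extension counts:
    'invoice.pdf.exe' is an exe regardless of the decoy '.pdf' in the middle.
    """
    name = file_name.strip().rstrip(". ")
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[1].lower()

def is_suspicious_attachment(file_name: str) -> bool:
    return attachment_extension(file_name) in SUSPICIOUS_EXTENSIONS

def find_suspicious_senders(events):
    """Group suspicious attachment names by sender.

    events: iterable of dicts carrying 'src_user' and 'file_name' (the
    Email data model field names). Returns {sender: sorted file names}.
    """
    hits = defaultdict(set)
    for ev in events:
        name = ev.get("file_name") or ""
        if is_suspicious_attachment(name):
            hits[ev["src_user"]].add(name)
    return {sender: sorted(names) for sender, names in hits.items()}

# Constructed sample events, not real mail data.
SAMPLE_EVENTS = [
    {"src_user": "billing@example.test", "file_name": "invoice.pdf"},
    {"src_user": "billing@example.test", "file_name": "invoice.pdf.exe"},
    {"src_user": "hr@example.test", "file_name": "Payroll.JS"},
    {"src_user": "it@example.test", "file_name": "update.scr."},
    {"src_user": "it@example.test", "file_name": "README"},
]

if __name__ == "__main__":
    for sender, names in find_suspicious_senders(SAMPLE_EVENTS).items():
        print(sender, names)
```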