Hello,
I have this sort of situation:
Use case:
For example, the most recent malspam campaign ended up with >100 emails with the same attachment "my_resume.zip" sent to >200 users. All the emails were sent within a 2 hour period.
Thanks a lot,
Kestutis
Your use case does not seem to match your description so I had to choose one; I chose the use case.
Run a search like the following (it assumes you have fields named attachmentName and user) every half-hour for the last 2 hours (earliest=-2h@h and latest=now):
... | rex field=attachmentName "(?<attachmentBaseName>[^\.]*)\.(?:zip|7z|pdf|src|rar)" | stats count AS numEmails dc(user) AS numUsers BY attachmentBaseName | where numEmails > 100 OR numUsers > 200
Thanks for the answer - sorry, yeah, I agree I wasn't clear enough. What I do want is to be able to set up a "real time" alert to trigger on the cases where malicious emails are sent to users containing the same attachment (e.g. "resume.zip"). As usual, these campaigns last for an hour or two, when a burst of 50-100 emails is sent to different users containing an attachment in (zip|7z|pdf|src|rar) format.
Running the provided query I do see that separate email attachment names are grouped together, which isn't exactly what I need.
So probably a better use case would be: between 1 pm and 3 pm there is a burst of emails containing the attachment "open.zip" sent to internal users. There are in total more than 200 emails sent to internal mailboxes. So what I am looking for is to set up an alert to trigger if we get at least 50 emails per hour containing the same attachment sent to various internal user mailboxes. This could be a potential indication of an ongoing spam, malspam or phishing campaign.
If you run this over 2 hours (exactly) this will do it (change the last 2 to the number of hours over which the search/alert is run):
... | regex attachmentName=".*\.(?:zip|7z|pdf|src|rar)$" | bucket _time span=1h | stats count BY attachmentName,_time | where count > 50 | stats count BY attachmentName | where count = 2
Thanks again, somehow for this one I get the "regex incorrect" message... Any ideas what might be wrong here?
I am guessing that you have a field called attachmentName but probably it is called something else, so you need to fix/change the first string after regex. Also I had a typo (first 2 characters swapped) but I fixed it, so try it again.
Oh, I did change the field name; the issue was indeed the typo, sorry I didn't spot it as well. Now it works as expected! Thanks a lot for the suggestion!
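For readers who want to see what the accepted query does outside Splunk, here is an added example (not from the thread or from Splunk) that reproduces the detection logic in Python over a constructed sample log: filter on the attachment extension, group by the attachment base name and a one-hour time bucket (the `bucket _time span=1h` step), count emails and distinct recipients per group, and flag groups that hit the 50-emails-per-hour threshold from the question. The log line format, the `min_users` guard (so 60 copies of one newsletter to a single mailbox do not fire) and all recipient addresses are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Extension filter from the thread (zip|7z|pdf|src|rar), anchored and with the
# dot escaped; the base name before the extension is the grouping key, which
# mirrors the rex/regex stages of the SPL above.
ATTACHMENT_RE = re.compile(r"^(?P<base>[^.]+)\.(?:zip|7z|pdf|src|rar)$", re.IGNORECASE)

# Constructed log format for this example only (not a real gateway format):
#   2024-05-01T13:05:12Z recipient=alice@example.com attachment=open.zip
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+recipient=(?P<user>\S+)\s+attachment=(?P<name>\S+)$")


def parse_line(line):
    """Turn one constructed log line into an event dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"_time": ts, "user": m.group("user").lower(), "attachmentName": m.group("name")}


def hour_bucket(ts):
    """Equivalent of `bucket _time span=1h`: truncate the timestamp to the hour."""
    return ts.replace(minute=0, second=0, microsecond=0)


def find_attachment_bursts(events, min_emails=50, min_users=2):
    """Equivalent of: stats count, dc(user) BY attachmentBaseName,_time | where ...

    min_emails=50 is the threshold from the question; min_users is an assumed
    guard so that many copies to one mailbox are not reported as a campaign.
    """
    stats = defaultdict(lambda: {"count": 0, "users": set()})
    for ev in events:
        m = ATTACHMENT_RE.match(ev["attachmentName"])
        if not m:
            continue  # not one of the attachment types of interest
        key = (m.group("base").lower(), hour_bucket(ev["_time"]))
        stats[key]["count"] += 1
        stats[key]["users"].add(ev["user"])
    alerts = []
    for (base, bucket), s in sorted(stats.items()):
        if s["count"] >= min_emails and len(s["users"]) >= min_users:
            alerts.append({
                "attachmentBaseName": base,
                "hour": bucket.isoformat(),
                "numEmails": s["count"],
                "numUsers": len(s["users"]),
            })
    return alerts


def build_sample_log():
    """Constructed sample: 60 x open.zip to 55 distinct users within 13:00-13:59,
    60 x newsletter.pdf to a single mailbox in the same hour, 30 differently named
    invoices in the next hour, and one attachment type that is filtered out."""
    start = datetime(2024, 5, 1, 13, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(60):
        ts = start + timedelta(seconds=i * 59)  # stays inside the 13:xx bucket
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} recipient=user{i % 55}@example.com attachment=open.zip")
    for i in range(60):
        ts = start + timedelta(minutes=i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} recipient=bulletin@example.com attachment=newsletter.pdf")
    for i in range(30):
        ts = start + timedelta(hours=1, minutes=2 * i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} recipient=user{i}@example.com attachment=invoice-{i}.pdf")
    lines.append(f"{start:%Y-%m-%dT%H:%M:%SZ} recipient=user1@example.com attachment=notes.txt")
    return lines


def run_sample():
    """Parse the constructed log and return the alert rows; only open.zip should fire."""
    events = [e for e in (parse_line(l) for l in build_sample_log()) if e]
    return find_attachment_bursts(events)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Scheduling this every half-hour over the last two hours, as the first answer suggests, is what turns the grouped count into an alert; the `min_users` guard plays the role of `dc(user)` in that answer, while the hourly bucket matches the second query.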