Phishing emails often attempt to masquerade as legitimate senders or common expected senders (typosquatting).
Does anyone know if UBA can process email headers and trigger a WHOIS lookup to check creation date, geolocation, etc. for phishy uncommon emails/sender domains?
UBA can ingest email data, and uses it for a variety of use cases. This one in particular, I'm not actually sure whether it is done by UBA, but we can chat offline about your use cases. That said, the checks that you're talking about can definitely be done with Core Splunk or ES very easily -- if you (or anyone you work with) has that data in Splunk already then you can happily leverage that today.
David, thank you for the reply.
Please advise regarding how I can "chat offline" with you.
I agree that Core / ES could do this as well, but I was wondering if UBA had a better pattern / decision engine.
Can you provide a brief description of the requirements for ES and Core to do this? I imagine you need SMTP headers and proxy logs?
Thank you
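The checks the question describes, as an added example that is not code from this thread or from Splunk UBA/ES: a Python script that pulls the registered domain out of the From, Reply-To and Return-Path headers, flags look-alike (typosquatted) domains by edit distance against an assumed allow-list, and then applies WHOIS-style creation-date and registrant-country checks. The message, the allow-list, the 90-day age threshold and the WHOIS records are all constructed inline for the example; a real deployment would feed a live WHOIS/RDAP lookup into the same decision logic (in Splunk, typically as a lookup enriching the parsed header fields).

```python
"""Triage the sender identity carried in SMTP headers: look-alike
(typosquatted) domains, newly registered domains and unexpected
registrant countries. Constructed example; the WHOIS data is an
inline stand-in for a live lookup."""
import email
from datetime import date
from email import policy
from email.utils import parseaddr

# Constructed sample message (not a real mail from the thread)
SAMPLE_RAW = """From: "Accounts Payable" <invoices@examp1e.com>
Reply-To: billing@examp1e.com
Return-Path: <bounce@mailer.examp1e.com>
Subject: Overdue invoice
Date: Mon, 1 Jan 2024 10:00:00 +0000

Please see the attached invoice.
"""

# Assumed allow-list of domains the organisation normally receives mail from
EXPECTED_DOMAINS = {"example.com", "example.org"}
EXPECTED_COUNTRIES = {"US"}

# Constructed WHOIS results keyed by registered domain; a live deployment
# would populate this from a WHOIS/RDAP lookup instead.
WHOIS_SAMPLE = {
    "examp1e.com": {"creation_date": date(2023, 12, 20), "country": "RU"},
    "example.com": {"creation_date": date(1995, 8, 14), "country": "US"},
}

SENDER_HEADERS = ("From", "Reply-To", "Return-Path")


def registered_domain(host):
    """Reduce a mail host to its last two labels. Simplification: this
    ignores multi-label public suffixes such as co.uk."""
    return ".".join(host.lower().split(".")[-2:])


def sender_domains(raw):
    """Map each registered domain found in the sender headers to the set of
    headers that carried it."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = {}
    for hdr in SENDER_HEADERS:
        addr = parseaddr(str(msg.get(hdr, "")))[1]
        if "@" in addr:
            dom = registered_domain(addr.rsplit("@", 1)[1])
            found.setdefault(dom, set()).add(hdr)
    return found


def levenshtein(a, b):
    """Edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def closest_expected(domain, expected, max_distance=2):
    """Return (expected_domain, distance) if `domain` is a near miss of an
    allow-listed domain, else None. Exact matches are not look-alikes."""
    best = min(((levenshtein(domain, e), e) for e in expected), default=None)
    if best and 0 < best[0] <= max_distance:
        return best[1], best[0]
    return None


def assess(raw, expected=EXPECTED_DOMAINS, whois=WHOIS_SAMPLE, today=None,
           countries=EXPECTED_COUNTRIES, max_age_days=90):
    """Run the header, typosquat, domain-age and geolocation checks and
    return a list of findings (empty list means nothing suspicious)."""
    today = today or date.today()
    findings = []
    domains = sender_domains(raw)
    for dom in sorted(domains):
        hdrs = sorted(domains[dom])
        if dom in expected:
            continue
        match = closest_expected(dom, expected)
        if match:
            findings.append({"check": "typosquat", "domain": dom, "headers": hdrs,
                             "lookalike_of": match[0], "distance": match[1]})
        rec = whois.get(dom)
        if rec is None:
            findings.append({"check": "no_whois", "domain": dom, "headers": hdrs})
            continue
        age = (today - rec["creation_date"]).days
        if age < max_age_days:
            findings.append({"check": "young_domain", "domain": dom, "headers": hdrs,
                             "age_days": age})
        if rec["country"] not in countries:
            findings.append({"check": "unexpected_country", "domain": dom,
                             "headers": hdrs, "country": rec["country"]})
    # Reply-To steering replies to a different registered domain than From
    by_header = {h: d for d, hs in domains.items() for h in hs}
    if ("From" in by_header and "Reply-To" in by_header
            and by_header["From"] != by_header["Reply-To"]):
        findings.append({"check": "reply_to_mismatch", "from": by_header["From"],
                         "reply_to": by_header["Reply-To"]})
    return findings


if __name__ == "__main__":
    for f in assess(SAMPLE_RAW, today=date(2024, 1, 1)):
        print(f)
```

The edit-distance threshold of 2 is deliberately tight: larger values start matching unrelated short domains, so for a production rule you would pair it with a minimum length on the allow-listed domain or use a homoglyph map (1/l, 0/o, rn/m) instead of raw Levenshtein.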