All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can you process incoming email from an email security appliance in the UBA?

packet_hunter
Contributor
‎08-18-2016 06:29 AM

Phishing emails often attempt to masquerade as legit senders or common expected senders (typo-squatting).

Does anyone know if the UBA can process email headers and trigger a Whois Lookup to check creation date, Geo location, etc. for phishy uncommon emails/sender domains?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

David
Splunk Employee
Splunk Employee
‎08-22-2016 08:39 PM

UBA can ingest email data, and uses it for a variety of use cases. This one in particular, I'm not actually sure whether is done by UBA, but if we can chat offline about your use cases. That said, the descriptions that you're talking about can definitely be done with Core Splunk or ES very easily -- if you (or anyone you work with) has that data in Splunk already then you can happily leverage get that today.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

David
Splunk Employee
Splunk Employee
‎08-22-2016 08:39 PM

UBA can ingest email data, and uses it for a variety of use cases. This one in particular, I'm not actually sure whether is done by UBA, but if we can chat offline about your use cases. That said, the descriptions that you're talking about can definitely be done with Core Splunk or ES very easily -- if you (or anyone you work with) has that data in Splunk already then you can happily leverage get that today.

0 Karma
Reply
Solved! Jump to solution

packet_hunter
Contributor
‎08-23-2016 06:22 AM

David Thank you for the reply.

Please advise regarding how I can "chat offline" with you.

I agree that Core / ES could do this as well, but I was wondering if UBA had a better pattern / decision engine.

Can you provide a brief description of the requirements for ES and Core to do this? I imagine you need smtp headers and proxy logs?

Thank you

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...