Suspicious Email Attachment Extensions
Finds emails that carry attachments with suspicious file extensions. The set of suspicious extensions is maintained in a lookup table, which is consulted with the extension of each attachment found in the email data.
Splunk query: detect suspicious email attachment extensions within the last hour
| tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Email where All_Email.file_name="*" by All_Email.src_user, All_Email.file_name All_Email.message_id | `ctime(firstTime)` | `ctime(lastTime)` | `drop_dm_object_name("All_Email")` | `suspicious_email_attachments`
earliest=-70m@m latest=-10m@m
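Added example (not part of the original page or of the Splunk content it quotes): the same detection logic expressed in Python over constructed Email data-model events, so the window snapping (-70m@m / -10m@m), the grouping by src_user, file_name and message_id, and the extension lookup can be followed step by step. The extension list stands in for the lookup table behind the `suspicious_email_attachments` macro, whose real contents are not on the page; all event values and the fixed reference time are constructed.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed stand-in for the lookup behind `suspicious_email_attachments`;
# the real lookup's contents are not on the page, these entries are illustrative.
SUSPICIOUS_EXTENSIONS = {"exe", "scr", "vbs", "js", "jse", "hta", "bat", "cmd", "ps1", "lnk"}

# Constructed Email data-model events; _time is epoch seconds (UTC).
NOW = 1_700_000_000  # 2023-11-14 22:13:20 UTC, the search's reference point
SAMPLE_EVENTS = [
    {"src_user": "alice@example.com", "file_name": "invoice.pdf.exe", "message_id": "msg-1", "_time": NOW - 4000},
    {"src_user": "alice@example.com", "file_name": "invoice.pdf.exe", "message_id": "msg-1", "_time": NOW - 3000},
    {"src_user": "bob@example.com",   "file_name": "report.pdf",      "message_id": "msg-2", "_time": NOW - 3500},
    {"src_user": "carol@example.com", "file_name": "update.SCR",      "message_id": "msg-3", "_time": NOW - 2000},
    {"src_user": "dave@example.com",  "file_name": "payload.js",      "message_id": "msg-4", "_time": NOW - 500},   # newer than latest
    {"src_user": "erin@example.com",  "file_name": "",                "message_id": "msg-5", "_time": NOW - 2500},  # no attachment
    {"src_user": "frank@example.com", "file_name": "archive.tar.gz",  "message_id": "msg-6", "_time": NOW - 3100},
]

def snap_to_minute(epoch):
    # Splunk's "@m" snaps a time down to the start of its minute.
    return epoch - epoch % 60

def attachment_extension(file_name):
    # Extension as the lookup sees it: text after the last '.', lower-cased; '' if none.
    name = file_name.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[1].lower() if "." in name else ""

def ctime(epoch):
    # Equivalent of the `ctime` macro: render epoch seconds as a readable UTC timestamp.
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

def detect_suspicious_attachments(events, now=NOW):
    # earliest=-70m@m latest=-10m@m (latest is exclusive), then the tstats grouping
    # with count/firstTime/lastTime, then the extension lookup as the final filter.
    earliest, latest = snap_to_minute(now - 70 * 60), snap_to_minute(now - 10 * 60)
    groups = defaultdict(list)
    for e in events:
        if earliest <= e["_time"] < latest and e["file_name"]:   # file_name="*" needs a value
            groups[(e["src_user"], e["file_name"], e["message_id"])].append(e["_time"])
    results = []
    for (src_user, file_name, message_id), times in groups.items():
        if attachment_extension(file_name) in SUSPICIOUS_EXTENSIONS:
            results.append({"src_user": src_user, "file_name": file_name, "message_id": message_id,
                            "count": len(times), "firstTime": ctime(min(times)), "lastTime": ctime(max(times))})
    return sorted(results, key=lambda r: r["src_user"])

if __name__ == "__main__":
    for row in detect_suspicious_attachments(SAMPLE_EVENTS):
        print(row)
```

Note that matching on the trailing extension alone treats "invoice.pdf.exe" as an .exe attachment but lets "archive.tar.gz" through; the lookup's coverage decides what the search surfaces.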