By Philip Royer May 06, 2021

Despite the myriad pathways to initial access on our networks, phishing remains the single most popular technique for attackers. The open nature of email and our reliance on it for communication make it difficult for defenders to classify messages, so it is no surprise that suspicious email investigation is a top use case for automation. Today, we are releasing a new community playbook for Splunk SOAR (previously Splunk Phantom) to help enrich suspicious email events. This playbook focuses specifically on domain names contained in the ingested email, and it uses Cisco Umbrella Investigate to add the risk score, risk status and domain category to the event in Splunk SOAR. When an analyst is assigned the event, this allows faster recognition of the email's purpose, and the domain enrichment also provides a connection point for further action on the output.

Whether or not you're new to automation and orchestration, this simple, out-of-the-box playbook will help you detect and contain suspicious emails quickly.

The Playbook: Suspicious Email Domain Enrichment

The playbook starts by fetching the full text of the event and all of its artifacts, then running a regular expression against that text to extract any email addresses contained within it. From there, two separate domain reputation queries are run: one on the domains taken from the extracted email addresses, and one on any domains that were extracted when the email was ingested. Taken together, these should cover any domains from the email headers and body. The next step is a query against Cisco Umbrella Investigate to determine the risk scores, risk status and categorizations of those domains. Umbrella provides a wealth of threat intelligence about domain names, backed by Cisco's threat research and broad visibility into internet traffic, so this often produces valuable insight into the purpose of a domain and its potential for harm. The remainder of the playbook formats key fields from the domain reputation result and presents them in a note to the analyst.
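As an added illustration of the extraction and formatting logic described above (this is not the playbook's own code and does not use the Splunk SOAR API), the following standalone Python mirrors the flow: regex out email addresses, derive their domains, merge them with the domains extracted at ingestion, then render the analyst note and flag domains at or above a risk-score threshold. The email text, ingested domains, reputation results and field names are constructed placeholders standing in for a Cisco Umbrella Investigate response; the 60-point threshold is an assumption.

```python
import re
from typing import Iterable

# Constructed sample: flattened text of an ingested email event (not real data).
SAMPLE_EVENT_TEXT = """From: Payroll Team <hr-notice@payroll-update.example>
To: alice@corp.example
Subject: Action required: confirm your account
Please review the attached statement and reply to Billing@Payroll-Update.example.
If you have questions contact support@corp.example."""

# Constructed: domains the ingestion app already pulled from headers/body.
SAMPLE_INGESTED_DOMAINS = ["payroll-update.example", "links.tracker.example."]

# Constructed stand-in for a domain reputation response (field names assumed).
SAMPLE_REPUTATION = {
    "corp.example": {"risk_score": 3, "status": "benign", "category": "Business Services"},
    "links.tracker.example": {"risk_score": 47, "status": "uncategorized", "category": ""},
    "payroll-update.example": {"risk_score": 91, "status": "malicious", "category": "Phishing"},
}

# Local part, '@', then the domain (captured) ending in a TLD of 2+ letters.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def extract_domains(event_text: str, ingested_domains: Iterable[str]) -> list[str]:
    """Domains from every email address in the text, merged with the
    ingestion-extracted domains; lowercased, trailing dot stripped, de-duplicated."""
    found = {m.group(1) for m in EMAIL_RE.finditer(event_text)}
    found.update(ingested_domains)
    return sorted({d.lower().rstrip(".") for d in found})


def domains_over_threshold(reputation: dict[str, dict], threshold: int = 60) -> list[str]:
    """Domains whose risk score reaches the threshold; candidates for follow-up."""
    return sorted(d for d, r in reputation.items() if r["risk_score"] >= threshold)


def format_note(reputation: dict[str, dict], threshold: int = 60) -> str:
    """Render the analyst note: one row per domain, flagging high-risk ones."""
    lines = ["Domain | Risk score | Status | Category | Flag"]
    for domain in sorted(reputation):
        r = reputation[domain]
        flag = "REVIEW" if r["risk_score"] >= threshold else ""
        lines.append(f"{domain} | {r['risk_score']} | {r['status']} | {r['category']} | {flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(extract_domains(SAMPLE_EVENT_TEXT, SAMPLE_INGESTED_DOMAINS))
    print(format_note(SAMPLE_REPUTATION))
```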

See It In Action

Deploying The Playbook

Here are the steps to get this playbook and use it:

  1. If you don't already have Splunk SOAR, you can sign up and download the free community version
  2. Configure the Cisco Umbrella Investigate app on Splunk SOAR:
    1. Navigate to Home > Apps > Unconfigured Apps, search for 'Cisco Umbrella Investigate' and choose Configure New Asset
    2. Give the asset a name such as 'umbrella_investigate'
    3. On the 'Asset Settings' page, provide the API key from the Umbrella web application
  3. Choose and configure an email ingestion app, such as IMAP, Microsoft Exchange or GSuite for GMail
  4. Configure and activate the playbook:
    1. Navigate to Home > Playbooks and search for 'suspicious_email_domain_enrichment'. If it's not there, use the Update from Source Control button and select community to download new community playbooks
    2. Click on the playbook name to open it
    3. Resolve the playbook import wizard by selecting the newly created app
    4. Set the label to email (or whichever name was chosen above in the email configuration)
    5. Set the playbook to Active
    6. Save the playbook

Taking It Further

This playbook starts the enrichment process for a suspicious email, but there are many possibilities for additional response. For instance, domain names with risk scores higher than a certain threshold could be used to initiate a 'block domain' or 'delete email' action to prevent the user from following a link in a phishing email. Similarly, endpoint protection tools could be used to track activity on a potentially infected endpoint, monitoring for users who may have followed a phishing link and been exposed to credential theft or client-side malware.

This blog is part of a series called 'SOAR in Seconds,' where our distinguished Splunk SOAR experts guide you through how to use out-of-the-box playbooks and other features to automate repetitive tasks.


Disclaimer

Splunk Inc. published this content on 06 May 2021 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 06 May 2021 16:58:04 UTC.