Skip to main content
 
 
Splunk Lantern

Email data

 

Email is a significant component of day-to-day business activity and can be accessible not only on corporate desktop computers but also mobile devices, including personal devices, which introduces new vulnerabilities and has become a critical part of enterprise cybersecurity efforts. Email messages and activity logs across these endpoints can provide critical insights into communication activity that might warrant more in-depth investigation. For example, attackers might send emails with malicious code attached in a file or embedding a link to a website where the malicious code is hosted, targeting recipients, in order to obtain intellectual property or personally identifiable information/personal data, as well as command and control. In addition, internal threats leveraging email may include transmitting data to external email accounts.

Mail server transaction and error logs also are essential debugging tools for IT problem resolution and also may be used for usage-based billing. Mail server data can help identify malicious attachments, malicious domain links and redirects, emails from known malicious domains, and emails from unknown domains. It can also be used to identify emails with abnormal or excessive message sizes, and abnormal email activities times. In the Common Information Model, mail server data is typically mapped to the Email data model.

Before looking at documentation for specific data sources, review the Splunk Docs information on general data ingestion: 

Use cases for the Splunk platform

Use cases for Splunk security products

Explore the Splunk Security Content site to see what detections you can run in Splunk Enterprise Security with mail server data.