splApache-2.0from splunk/security_content

Gsuite suspicious calendar invite

The following analytic detects suspicious calendar invites sent via GSuite, potentially indicating compromised accounts or malicious internal activity. It leverages GSuite calendar logs, focusing on events where a high volume of invites (over 100) is sent within a 5-minute window. This behavior is significant as it may involve the distribution of malicious links or attachments, posing a security risk. If confirmed malicious, this activity could lead to widespread phishing attacks, unauthorized access, or malware distribution within the organization.

Quality

FP risk

—

Forks

Views

Rule source🔒 locked

title: ████████████████████████
id: ████████-████-████-████-████████████
status: ██████████
description: ██████████████████████████████████████████
             ████████████████████████████████████████
author: ████████
tags:
  - attack.████
  - attack.████
logsource:
  product: ████████
  category: ████████████
detection:
  selection:
    Image|endswith: '████████████████'
    CommandLine|contains:
      - '████████████████████████'
      - '████████████████████████'
      - '██████████████████'
  condition: selection
level: ████████
falsepositives:
  - ████████████████████

🔒

Sign in to view the rule source

Free accounts can view the source for the top-ranked rules. Create one in seconds — no credit card required.