Hi
How can I detects suspicious links and files that been sending outside of my domain?
Detecting links and files in the rule
+4Hi Mai9,
Here are some suggestions:
- Ensure you are ingesting your email logs
- Create rules that look for emails sent to external domains(they don't match your approved domains)
- Implement rules to identify emails containing potentially malicious URLs(examples: check against known malicious lists, utilize url reputation services, suspicious patterns, etc.)
- Implement rules to flag emails with potentially harmful attachments(file type filtering, file reputation scores, content analysis)
- Enrich Alerts with things like sender reputation, recipient info, url/file analysis data
- Fine tune your alert with thresholds to balance sensitivity and utilize allow/deny listing to reduce noise
Please find an example SIEM rule below:
ALERT WHEN email_sent TO external_domain AND ( url_in_email MATCHES threat_intel_url_list OR url_in_email HAS reputation_score > threshold OR attachment_in_email MATCHES threat_intel_file_hash_list OR attachment_in_email HAS reputation_score > threshold OR attachment_in_email MATCHES risky_file_type )
By carefully designing your SIEM alerts, you can create a proactive defense against suspicious emails and protect your organization from potential threats.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.