Vendor: Microsoft
July 25, 2023
Product: Exchange
Use-Case: Phishing
| Rules | Models | MITRE TTPs | Event Types | Parsers |
|---|---|---|---|---|
| 14 | 7 | 2 | 8 | 8 |
| Event Type | MITRE TTP | Rule | Description |
|---|---|---|---|
| dlp-email-alert-out | T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | EM-country-F | First email to country for the organization |
| dlp-email-alert-out | T1048.003 | EM-country-A | Abnormal email to country for the organization |
| dlp-email-alert-out | T1048.003 | EM-Gcountry-F | First email to country for the peer group |
| dlp-email-alert-out | T1048.003 | EM-Gcountry-A | Abnormal email to country |
| dlp-email-alert-out | T1048.003 | EM-Ucountry-F | First email to country for the user |
| dlp-email-alert-out | T1048.003 | EM-Ucountry-A | Abnormal email to country for the user |
| dlp-email-alert-out | T1048.003 | EM-UD-F | First email domain for user |
| dlp-email-alert-out | T1048.003 | EM-UD-A | Abnormal email domain for user |
| dlp-email-alert-out | T1048.003 | EM-GD-F | First email domain for group |
| dlp-email-alert-out | T1048.003 | EM-GD-A | Abnormal email domain for group |
| dlp-email-alert-out | T1048.003 | EM-OD-F | First email domain for organization |
| dlp-email-alert-out | T1048.003 | EM-OD-A | Abnormal email domain for organization |
| dlp-email-alert-out | T1048 - Exfiltration Over Alternative Protocol | EM-EdC-F | First country for email domain |
| dlp-email-alert-out | T1048 | EM-EdC-A | Abnormal country for email domain |

| Event Type | Model | Description |
|---|---|---|
| dlp-email-alert-out | EM-OD | Domains per organization |
| dlp-email-alert-out | EM-GD | Domains per group |
| dlp-email-alert-out | EM-UD | Domains per user |
| dlp-email-alert-out | EM-EdC | Countries per Email Domain |
| dlp-email-alert-out | EM-Ucountry | Email Countries from/to user |
| dlp-email-alert-out | EM-Gcountry | Email Countries from/to peer group |
| dlp-email-alert-out | EM-country | Email Countries |