Vendor: SkySea
July 25, 2023
Product: ClientView
Use-Case: Phishing
| Rules | Models | MITRE TTPs | Event Types | Parsers |
|---|---|---|---|---|
| 15 | 7 | 4 | 13 | 13 |

| Event Type | Rules | Models |
|---|---|---|
| dlp-email-alert-out | T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol<br> ↳ EM-country-F: First email to country for the organization<br> ↳ EM-country-A: Abnormal email to country for the organization<br> ↳ EM-Gcountry-F: First email to country for the peer group<br> ↳ EM-Gcountry-A: Abnormal email to country<br> ↳ EM-Ucountry-F: First email to country for the user<br> ↳ EM-Ucountry-A: Abnormal email to country for the user<br> ↳ EM-UD-F: First email domain for user<br> ↳ EM-UD-A: Abnormal email domain for user<br> ↳ EM-GD-F: First email domain for group<br> ↳ EM-GD-A: Abnormal email domain for group<br> ↳ EM-OD-F: First email domain for organization<br> ↳ EM-OD-A: Abnormal email domain for organization<br>T1048 - Exfiltration Over Alternative Protocol<br> ↳ EM-EdC-F: First country for email domain<br> ↳ EM-EdC-A: Abnormal country for email domain | • EM-OD: Domains per organization<br> • EM-GD: Domains per group<br> • EM-UD: Domains per user<br> • EM-EdC: Countries per Email Domain<br> • EM-Ucountry: Email Countries from/to user<br> • EM-Gcountry: Email Countries from/to peer group<br> • EM-country: Email Countries |
| web-activity-allowed | T1071.001 - Application Layer Protocol: Web Protocols<br>T1566.002 - Phishing: Spearphishing Link<br> ↳ A-WEB-Phishing: Asset has accessed a domain suspected to be a phishing domain. | |
| web-activity-denied | T1071.001 - Application Layer Protocol: Web Protocols<br>T1566.002 - Phishing: Spearphishing Link<br> ↳ A-WEB-Phishing: Asset has accessed a domain suspected to be a phishing domain. | |