Rules by Product and UseCase
April 15, 2026
Vendor: Microsoft
Product: Sysmon
Use-Case: Data Leak
| Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
|---|---|---|---|---|
| 4 | 0 | 3 | 2 | 21 |
| Event Type | Rules | Models |
|---|---|---|
| app-activity | T1114 - Email Collection<br>↳ EM-InRule-EX: User has created an inbox forwarding rule to forward email to an external domain email<br>↳ EM-InRule-Public: User has created an inbox forwarding rule to forward email to a public email domain<br>↳ EM-InRule-Fin: User has created an inbox forwarding rule to forward emails containing financial keywords<br>T1114.003 - Email Collection: Email Forwarding Rule<br>↳ EM-InRule-EX: User has created an inbox forwarding rule to forward email to an external domain email<br>↳ EM-InRule-Public: User has created an inbox forwarding rule to forward email to a public email domain<br>↳ EM-InRule-Fin: User has created an inbox forwarding rule to forward emails containing financial keywords | |
| file-write | T1114 - Email Collection<br>↳ FA-Outlook-pst: A file whose name ends with either .pst or .ost<br>T1114.001 - Email Collection: Local Email Collection<br>↳ FA-Outlook-pst: A file whose name ends with either .pst or .ost | |