Link Search Menu Expand Document

ProofPoint_Malware_Threat

ID: 100189

Description:

A malware threat has been detected by ProofPoint

Repository: Group: Proofpoint Type: event

Default Status:

Enabled

Tags:
Proofpoint
 

Selector:

Query:

Filters:

Field MUST hit
@source proofpoint
@proofpoint.data.threatsInfoMap.classification malware
Field MUST NOT hit
@proofpoint.type MessagesBlocked

Behavior Rule:

Key Type Behavior Category
@proofpoint.data.recipient username security alert

Risks:

Risks Base Score Dimension
ALERT_MALWARE 800 alert
ALERT_HIGH_CONFIDENCE 2000 alert

Attributes:

Alias Key
QuarantineFolder @proofpoint.data.quarantineFolder
Cluster @proofpoint.data.cluster
ThreatType @proofpoint.data.threatsInfoMap.threatType
ThreatURL @proofpoint.data.threatsInfoMap.threatUrl
Username @proofpoint.data.recipient
Type @proofpoint.type
Subject @proofpoint.data.subject

Correlation Rules:

First Occurrence:

Name Window Fields
NewUser 10 days @proofpoint.data.recipient
  Risks: ML_NEW_USER

History:

User Date
em*n@fluencysecurity.com 2021 Mar 2 03:01:00 EST
em*n@fluencysecurity.com 2021 Mar 2 09:44:41 EST
ho*d@fluencysecurity.com 2021 Mar 2 18:50:07 EST
em*n@fluencysecurity.com 2021 Mar 3 09:06:23 EST
em*n@fluencysecurity.com 2021 Mar 3 09:44:02 EST
em*n@fluencysecurity.com 2021 Mar 10 03:13:29 EST

This page was automatically created/formatted on Tue, 2021 Oct 19 00:29:17 EDT, from rule_dump.json (db47c470500ce8686ead334f5eda0596)