Flow_InboundSMTP
ID: 100444
Description:
Inbound SMTP - This behavior alerts on successful (more than 0 bytes each direction) inbound SMTP, which is insecure - KLK
Repository: Group: Compliance Type: metaflow
Default Status:
Enabled
| Tags: |
|---|
| SMTP |
Selector:
Query:
dp:25 AND txB>0 AND rxB>0
Filters:
| Field | MUST hit |
|---|---|
| dip | entity: [ HOME_NET ] |
| Field | MUST NOT hit |
|---|---|
| sip | entity: [ HOME_NET ] |
| entity: [ SMTP_SourceAllowList ] | |
| dip | entity: [ SMTP_DestinationAllowList ] |
Behavior Rule:
| Key | Type | Behavior Category |
|---|---|---|
| dip | ip | network access |
Risks:
| Risks | Base Score | Dimension |
|---|---|---|
Attributes:
| Alias | Key |
|---|---|
| destIP | dip |
| recvBytes | rxB |
| transBytes | txB |
| sourceIP | sip |
| srcCity | s_city |
| srcCountry | s_country |
Correlation Rules:
First Occurrence:
| Name | Window | Fields | |
|---|---|---|---|
| NewInboundSMTPDestination | 10 days | dip | |
| Risks: | ALERT_END_POINT | ML_NEW_SERVICE |
History:
| User | Date |
|---|---|
| ke*y@fluencysecurity.com | 2021 Sep 22 11:31:32 EDT |
| ke*y@fluencysecurity.com | 2021 Sep 24 08:46:17 EDT |
This page was automatically created/formatted on Wed, 2022 May 4 21:43:53 EDT, from rule_dump.json (4d88bffdfb1cea26b3985f2193033606)