Sophos_Attempted_Information_Leak
ID: 100212
Description:
Sophos has detected an attempted information leak
Repository: Group: Sophos Type: event
Default Status:
Enabled
| Tags: |
|---|
| Sophos |
Selector:
Query:
Filters:
| Field | MUST hit |
|---|---|
| @tags | sophos |
| @sophos.classification | Attempted Information Leak |
| Field | MUST NOT hit |
|---|---|
Behavior Rule:
| Key | Type | Behavior Category |
|---|---|---|
| @sophos.src_ip | ip | security alert |
Risks:
| Risks | Base Score | Dimension |
|---|---|---|
| ALERT_HIGH_CONFIDENCE | 2000 | alert |
| Timeline | 0 | - |
Attributes:
| Alias | Key |
|---|---|
| Message | @sophos.message |
| SrcIP | @sophos.src_ip |
| DestIP | @sophos.dst_ip |
| SrcPort | @sophos.src_port |
| DestPort | @sophos.dst_port |
| Country | @sophos.src_country |
| Victim | @sophos.victim |
Correlation Rules:
First Occurrence:
| Name | Window | Fields |
|---|---|---|
| NewCountry | 10 days | @sophos.src_country |
| Risks: | ML_NEW_GEO_COUNTRY |
History:
| User | Date |
|---|---|
| em*n@fluencysecurity.com | 2021 Mar 19 16:09:15 EDT |
| em*n@fluencysecurity.com | 2021 Mar 19 20:17:43 EDT |
This page was automatically created/formatted on Wed, 2022 May 4 21:43:53 EDT, from rule_dump.json (4d88bffdfb1cea26b3985f2193033606)