Link Search Menu Expand Document

Sophos_Attempted_Information_Leak

ID: 100212

Description:

Sophos has detected an attempted information leak

Repository: Group: Sophos Type: event

Default Status:

Enabled

Tags:
Sophos
 

Selector:

Query:

Filters:

Field MUST hit
@tags sophos
@sophos.classification Attempted Information Leak
Field MUST NOT hit
   

Behavior Rule:

Key Type Behavior Category
@sophos.src_ip ip security alert

Risks:

Risks Base Score Dimension
ALERT_HIGH_CONFIDENCE 2000 alert
Timeline 0 -

Attributes:

Alias Key
Message @sophos.message
SrcIP @sophos.src_ip
DestIP @sophos.dst_ip
SrcPort @sophos.src_port
DestPort @sophos.dst_port
Country @sophos.src_country
Victim @sophos.victim

Correlation Rules:

First Occurrence:

Name Window Fields
NewCountry 10 days @sophos.src_country
  Risks: ML_NEW_GEO_COUNTRY

History:

User Date
em*n@fluencysecurity.com 2021 Mar 19 16:09:15 EDT
em*n@fluencysecurity.com 2021 Mar 19 20:17:43 EDT

This page was automatically created/formatted on Wed, 2022 May 4 21:43:53 EDT, from rule_dump.json (4d88bffdfb1cea26b3985f2193033606)