Product: Sonicwall
Use-Case: Phishing
Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
---|---|---|---|---|
5 | 2 | 8 | 3 | 6 |
Event Type | Rules | Models |
---|---|---|
vpn-logout | T1566 - Phishing ↳ EM-FNum-in: Abnormal number of incoming emails ↳ EM-BSum-in: Abnormal size of incoming emails | • EM-BSum-in: Sum of bytes in incoming emails • EM-FNum-in: Count of incoming emails |
web-activity-allowed | T1534 - Internal Spearphishing ↳ WEB-UD-Phishing: User attempted to access a domain which is associated to Phishing ↳ A-WEB-Phishing: Asset has accessed a domain suspected to be a phishing domain. T1566 - Phishing ↳ WEB-URank-Binary: Executable download from first low ranked web domain ↳ WEB-UD-Phishing: User attempted to access a domain which is associated to Phishing ↳ A-WEB-Phishing: Asset has accessed a domain suspected to be a phishing domain. T1566.002 - Phishing: Spearphishing Link ↳ WEB-URank-Binary: Executable download from first low ranked web domain ↳ WEB-UD-Phishing: User attempted to access a domain which is associated to Phishing ↳ A-WEB-Phishing: Asset has accessed a domain suspected to be a phishing domain. T1598 - T1598 ↳ WEB-UD-Phishing: User attempted to access a domain which is associated to Phishing ↳ A-WEB-Phishing: Asset has accessed a domain suspected to be a phishing domain. T1598.003 - T1598.003 ↳ WEB-UD-Phishing: User attempted to access a domain which is associated to Phishing ↳ A-WEB-Phishing: Asset has accessed a domain suspected to be a phishing domain. T1189 - Drive-by Compromise ↳ WEB-URank-Binary: Executable download from first low ranked web domain T1204 - User Execution ↳ WEB-URank-Binary: Executable download from first low ranked web domain T1204.001 - T1204.001 ↳ WEB-URank-Binary: Executable download from first low ranked web domain | |
web-activity-denied | T1534 - Internal Spearphishing ↳ WEB-UD-Phishing: User attempted to access a domain which is associated to Phishing ↳ A-WEB-Phishing: Asset has accessed a domain suspected to be a phishing domain. T1566 - Phishing ↳ WEB-URank-Binary: Executable download from first low ranked web domain ↳ WEB-UD-Phishing: User attempted to access a domain which is associated to Phishing ↳ A-WEB-Phishing: Asset has accessed a domain suspected to be a phishing domain. T1566.002 - Phishing: Spearphishing Link ↳ WEB-URank-Binary: Executable download from first low ranked web domain ↳ WEB-UD-Phishing: User attempted to access a domain which is associated to Phishing ↳ A-WEB-Phishing: Asset has accessed a domain suspected to be a phishing domain. T1598 - T1598 ↳ WEB-UD-Phishing: User attempted to access a domain which is associated to Phishing ↳ A-WEB-Phishing: Asset has accessed a domain suspected to be a phishing domain. T1598.003 - T1598.003 ↳ WEB-UD-Phishing: User attempted to access a domain which is associated to Phishing ↳ A-WEB-Phishing: Asset has accessed a domain suspected to be a phishing domain. T1189 - Drive-by Compromise ↳ WEB-URank-Binary: Executable download from first low ranked web domain T1204 - User Execution ↳ WEB-URank-Binary: Executable download from first low ranked web domain T1204.001 - T1204.001 ↳ WEB-URank-Binary: Executable download from first low ranked web domain | |