Email Watchlist๐
The Email Watchlist detector collects and normalizes email events from third-party data sources. The events are converted into a detection and assigned a severity and confidence based on the activity observed.
Examples of threat actor techniques using email as an attack vector include:
- Phishing
- Malware attachments
- Malicious URL
Requirements๐
This detector requires the following data sources, integrations, or schemas:
Input(s)๐
Detections are from the following normalized sources:
Input Field(s)๐
| Field |
|---|
sensor_type |
status |
threats.classification |
Outputs๐
Detections from this detector are pushed to the XDR Detection Database and Detection Triage Dashboard.
Configuration Options๐
This detector is enabled by default when the required data sources or integrations are available in the tenant.
MITRE ATT&CK Category๐
- MITRE Enterprise ATT&CK - Lateral Movement - Internal Spearphishing. For more information, see MITRE Technique T1534.
- MITRE Enterprise ATT&CK - Initial Access - Phishing. For more information, see MITRE Technique T1566.
- MITRE Enterprise ATT&CK - Reconnaissance - Phishing for Information. For more information, see MITRE Technique T1598.
Detector Testing๐
This detector does not have a supported testing method, though an Advanced Search will verify if detections originated with this detector.
Note
If no supported testing method is available, an Advanced Search will show you if any detections came from this detector if a qualifying event was observed. A search with no results does not indicate the detector is not working. A lack of search results for the detector may only indicate that the specific attack has not been observed in the tenant. However, it could indicate the underlying data is not available. Ensure the required schemas are provided in Data Sources along with the supported device type(s) for that schema.
References๐
- Schemas