Transform Your Use Cases Into High-fidelity Alerts
1. Phishing Email + Endpoint Execution Correlation
Objective: Detect when a phishing email results in malicious execution on an endpoint.
Data Sources
- Email security gateway logs (O365, Proofpoint, Mimecast)
- EDR logs (CrowdStrike, SentinelOne, Defender)
- Host process logs (Sysmon, EDR telemetry)
Detection Logic
- Identify an email containing:
  - A suspicious attachment (macro-enabled docs, HTML smuggling, ISO/VHD)
  - Or a URL flagged by threat intelligence
- Extract sender, subject, and attachment hash.
- Correlate with:
  - File execution events on the recipient's workstation
  - A new binary spawned within 15–20 minutes of receiving the message
- Trigger an alert when the execution path matches known phishing → malware patterns.
Why It's High-Fidelity
It only fires when a phishing email leads to an actual action on the endpoint — not just when a suspicious email is received.
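The correlation above, as an added example that is not part of the original post: it joins a suspicious inbound email to a process-creation event on the recipient's workstation inside a 20-minute window, matching on the attachment hash or file name and requiring the file to have run from a location where opened attachments typically land. The event field names, the user-to-host mapping, the TI feed and all sample events are constructed for illustration; real gateway and EDR schemas will differ.

```python
# Added example (not from the original post): email -> endpoint execution correlation.
from datetime import datetime, timedelta

SUSPICIOUS_EXT = (".docm", ".xlsm", ".htm", ".html", ".iso", ".vhd", ".vhdx")
TI_FLAGGED_URLS = {"http://secure-docs.invalid/review"}          # constructed TI feed
USER_HOST = {"alice": "WS-ALICE", "bob": "WS-BOB"}                # assumed identity/CMDB lookup
# Locations where an attachment opened from a mail client or browser usually sits
# when it is executed; used as the "phishing -> malware" execution-path pattern.
PHISHING_EXEC_PATHS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\inetcache\\")

# Constructed sample events (field names are assumptions).
EMAIL_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "recipient": "alice", "sender": "billing@invoices.invalid",
     "subject": "Invoice 4471", "attachment": "invoice.docm", "sha256": "aaaa1111", "urls": []},
    {"ts": "2024-05-01T09:05:00", "recipient": "bob", "sender": "hr@corp.invalid",
     "subject": "Lunch menu", "attachment": "menu.pdf", "sha256": "bbbb2222", "urls": []},
]
PROCESS_EVENTS = [
    # alice opens the macro document from Downloads 12 minutes after delivery
    {"ts": "2024-05-01T09:12:00", "host": "WS-ALICE", "user": "alice",
     "image": "C:\\Users\\alice\\Downloads\\invoice.docm", "sha256": "aaaa1111"},
    # same file two hours later: outside the correlation window
    {"ts": "2024-05-01T11:00:00", "host": "WS-ALICE", "user": "alice",
     "image": "C:\\Users\\alice\\Downloads\\invoice.docm", "sha256": "aaaa1111"},
    # bob opens a benign PDF inside the window
    {"ts": "2024-05-01T09:08:00", "host": "WS-BOB", "user": "bob",
     "image": "C:\\Users\\bob\\Downloads\\menu.pdf", "sha256": "bbbb2222"},
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def is_suspicious_email(email):
    """Stage 1: risky attachment type or a TI-flagged URL."""
    attachment = (email.get("attachment") or "").lower()
    has_bad_attachment = attachment.endswith(SUSPICIOUS_EXT)
    has_bad_url = bool(set(email.get("urls", [])) & TI_FLAGGED_URLS)
    return has_bad_attachment or has_bad_url


def matches_execution(email, proc):
    """Stage 2: the executed file is the attachment (same hash or file name)
    and it ran from a path typical for opened attachments."""
    same_hash = bool(email.get("sha256")) and proc["sha256"] == email["sha256"]
    image = proc["image"].lower()
    same_name = bool(email.get("attachment")) and image.endswith(email["attachment"].lower())
    path_ok = any(p in image for p in PHISHING_EXEC_PATHS)
    return (same_hash or same_name) and path_ok


def correlate(emails, procs, window=timedelta(minutes=20)):
    """Return one alert per (email, execution) pair inside the window."""
    alerts = []
    for email in emails:
        if not is_suspicious_email(email):
            continue
        host = USER_HOST.get(email["recipient"])
        received = parse_ts(email["ts"])
        for proc in procs:
            if proc["host"] != host:
                continue
            delay = parse_ts(proc["ts"]) - received
            if not (timedelta(0) <= delay <= window):
                continue
            if matches_execution(email, proc):
                alerts.append({
                    "recipient": email["recipient"], "host": host,
                    "sender": email["sender"], "subject": email["subject"],
                    "sha256": email["sha256"], "image": proc["image"],
                    "delay_minutes": int(delay.total_seconds() // 60),
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(EMAIL_EVENTS, PROCESS_EVENTS):
        print(alert)
```

The window is measured from delivery, so a delayed execution of the same file (the 11:00 event) is deliberately not correlated; a second rule keyed on the hash alone would catch it at lower confidence.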
2. Business Email Compromise (BEC) + Impossible Travel + MFA Abuse
Objective: Detect compromised email accounts used in fraudulent activity.
Data Sources
- Email logs (O365 Unified Audit, Gmail)
- Identity logs (Azure AD / Okta)
- MFA provider logs
- External threat intel
Detection Logic
- Email forwarding rules added (to external domains).
- Combined with impossible travel or new login location.
- Followed by MFA fatigue attempts or new MFA enrollment.
- Optional: suspicious mailbox searches (invoice terms, banking keywords).
Why It's High-Fidelity
This is the exact chain used in modern BEC attacks. Very few false positives.
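The BEC chain above, as an added example that is not part of the original post: per user it requires an external forwarding rule, checks consecutive logins for impossible travel with a great-circle speed calculation (the "new login location" branch is not implemented), and then looks for MFA fatigue (a run of denied pushes) or a new MFA enrollment. The normalised event shape, the 900 km/h and 5-prompts-in-10-minutes thresholds, the 24-hour chain window and the sample events are all assumptions.

```python
# Added example (not from the original post): forwarding rule + impossible travel + MFA abuse.
import math
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAINS = {"corp.invalid"}
MAX_PLAUSIBLE_KMH = 900                  # above airliner speed: treat as impossible travel
MFA_FATIGUE_PROMPTS = 5                  # denied pushes needed inside MFA_FATIGUE_WINDOW
MFA_FATIGUE_WINDOW = timedelta(minutes=10)
CHAIN_WINDOW = timedelta(hours=24)       # how far around the forwarding rule to look

# Constructed events from mailbox audit, identity and MFA logs, normalised to one
# shape. alice shows the full chain; bob adds a benign internal forwarding rule.
EVENTS = [
    {"ts": "2024-05-01T08:00:00", "user": "alice", "type": "login", "lat": 40.71, "lon": -74.01},
    {"ts": "2024-05-01T09:00:00", "user": "alice", "type": "login", "lat": 6.52, "lon": 3.38},
    {"ts": "2024-05-01T09:10:00", "user": "alice", "type": "forward_rule", "target": "a.fin@webmail.invalid"},
    *[{"ts": f"2024-05-01T09:2{i}:00", "user": "alice", "type": "mfa_denied"} for i in range(6)],
    {"ts": "2024-05-01T09:30:00", "user": "alice", "type": "mfa_enroll", "method": "authenticator"},
    {"ts": "2024-05-01T08:00:00", "user": "bob", "type": "login", "lat": 51.51, "lon": -0.13},
    {"ts": "2024-05-01T12:00:00", "user": "bob", "type": "login", "lat": 48.86, "lon": 2.35},
    {"ts": "2024-05-01T12:05:00", "user": "bob", "type": "forward_rule", "target": "assistant@corp.invalid"},
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    radius = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * radius * math.asin(math.sqrt(a))


def impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """True if any two consecutive logins imply a speed above max_kmh. Elapsed
    time is floored to one minute so same-minute logins far apart still count."""
    logins = sorted(logins, key=lambda e: e["ts"])
    for a, b in zip(logins, logins[1:]):
        km = haversine_km(a["lat"], a["lon"], b["lat"], b["lon"])
        hours = max((parse_ts(b["ts"]) - parse_ts(a["ts"])).total_seconds() / 3600, 1 / 60)
        if km / hours > max_kmh:
            return True
    return False


def mfa_fatigue(denials, prompts=MFA_FATIGUE_PROMPTS, window=MFA_FATIGUE_WINDOW):
    """True if `prompts` denied MFA pushes fall inside any span of length `window`."""
    times = sorted(parse_ts(e["ts"]) for e in denials)
    for i in range(len(times) - prompts + 1):
        if times[i + prompts - 1] - times[i] <= window:
            return True
    return False


def detect_bec(events):
    """Return {user: [reasons]} for users showing the full chain."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = {}
    for user, evs in by_user.items():
        rules = [e for e in evs if e["type"] == "forward_rule"
                 and e["target"].rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]
        if not rules:
            continue                      # stage 1: an external forwarding rule is mandatory
        t0 = parse_ts(rules[0]["ts"])
        near = [e for e in evs if abs(parse_ts(e["ts"]) - t0) <= CHAIN_WINDOW]
        if not impossible_travel([e for e in near if e["type"] == "login"]):
            continue                      # stage 2: impossible travel between logins
        reasons = ["external_forwarding_rule", "impossible_travel"]
        if mfa_fatigue([e for e in near if e["type"] == "mfa_denied"]):
            reasons.append("mfa_fatigue")
        if any(e["type"] == "mfa_enroll" and parse_ts(e["ts"]) > t0 for e in near):
            reasons.append("new_mfa_enrollment")
        if len(reasons) >= 3:             # stage 3: at least one MFA signal
            alerts[user] = reasons
    return alerts


if __name__ == "__main__":
    print(detect_bec(EVENTS))
```

The forwarding rule is the anchor event because it is the rarest of the three signals in most tenants; the travel and MFA checks are only evaluated around it, which keeps the rule cheap and the false-positive rate low.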
3. Phishing Click → DNS Request → C2 Beacon Correlation
Objective: Identify when a user clicks a phishing link AND the endpoint reaches out to malicious infrastructure.
Data Sources
- Email click logs (Proofpoint TAP, O365 SafeLinks)
- DNS logs (Infoblox, Windows DNS, network sensors)
- Firewall logs
- Network proxy logs
Detection Logic
- User clicks a suspicious or TI-flagged URL.
- Within 5 minutes, the workstation issues a DNS query for the same or a related domain.
- DNS lookup followed by an outbound connection to a high-risk IP or ASN.
- Additional weight if the domain was newly registered (NRD).
Why It's High-Fidelity
You're detecting action + intent + external communication, not just a click.
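The click → DNS → connection chain above, as an added example that is not part of the original post: it treats "related domain" as sharing the same registered domain, scores each stage, and adds weight when the registered domain is younger than 30 days. The risk lists, the WHOIS cache, the 5- and 2-minute windows, the scores and the sample events are constructed; the registered-domain helper is a deliberate simplification (last two labels) and a production rule should use the Public Suffix List.

```python
# Added example (not from the original post): click -> DNS -> outbound connection scoring.
from datetime import datetime, timedelta
from urllib.parse import urlparse

CLICK_TO_DNS_WINDOW = timedelta(minutes=5)
DNS_TO_CONN_WINDOW = timedelta(minutes=2)
NRD_DAYS = 30                                   # "newly registered" threshold (assumption)
HIGH_RISK_ASNS = {64500}                         # constructed reputation feed (private ASN)
HIGH_RISK_IPS = {"203.0.113.10"}                 # constructed (TEST-NET-3 address)
DOMAIN_REGISTERED = {"badexample.invalid": "2024-04-29"}   # constructed WHOIS cache
USER_HOST = {"alice": "WS-ALICE", "bob": "WS-BOB"}         # assumed identity mapping

CLICKS = [
    {"ts": "2024-05-01T10:00:00", "user": "alice", "url": "http://secure-login.badexample.invalid/x"},
    {"ts": "2024-05-01T10:30:00", "user": "bob", "url": "http://news.badexample.invalid/y"},  # no follow-up
]
DNS = [
    {"ts": "2024-05-01T10:00:30", "host": "WS-ALICE", "query": "cdn.badexample.invalid"},
    {"ts": "2024-05-01T10:00:31", "host": "WS-ALICE", "query": "updates.corp.invalid"},
]
CONNS = [
    {"ts": "2024-05-01T10:00:32", "host": "WS-ALICE", "dst_ip": "203.0.113.10", "asn": 64500},
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def registered_domain(name):
    """Simplified eTLD+1: the last two labels of the host name."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_nrd(domain, now):
    registered = DOMAIN_REGISTERED.get(registered_domain(domain))
    return registered is not None and (now - parse_ts(registered)).days <= NRD_DAYS


def score_click(click, dns_events, conn_events):
    """Score one click; None when no DNS lookup follows it (no chain, no alert)."""
    host = USER_HOST.get(click["user"])
    t_click = parse_ts(click["ts"])
    target = registered_domain(urlparse(click["url"]).hostname)
    # Stage 2: DNS query for the same registered domain within 5 minutes of the click
    lookups = [d for d in dns_events if d["host"] == host
               and registered_domain(d["query"]) == target
               and timedelta(0) <= parse_ts(d["ts"]) - t_click <= CLICK_TO_DNS_WINDOW]
    if not lookups:
        return None
    score, reasons = 40, ["click_then_dns"]
    t_dns = parse_ts(lookups[0]["ts"])
    # Stage 3: outbound connection to a high-risk IP or ASN shortly after the lookup
    conns = [c for c in conn_events if c["host"] == host
             and timedelta(0) <= parse_ts(c["ts"]) - t_dns <= DNS_TO_CONN_WINDOW
             and (c["dst_ip"] in HIGH_RISK_IPS or c["asn"] in HIGH_RISK_ASNS)]
    if conns:
        score += 40
        reasons.append("high_risk_connection")
    # Extra weight for a newly registered domain
    if is_nrd(target, t_click):
        score += 20
        reasons.append("newly_registered_domain")
    return {"user": click["user"], "host": host, "domain": target,
            "score": score, "reasons": reasons}


def detect(clicks, dns_events, conn_events, threshold=60):
    """Alerts for clicks whose chain score reaches the threshold."""
    scored = [score_click(c, dns_events, conn_events) for c in clicks]
    return [s for s in scored if s and s["score"] >= threshold]


if __name__ == "__main__":
    for alert in detect(CLICKS, DNS, CONNS):
        print(alert)
```

With a 60-point threshold a click plus DNS lookup alone (40) stays below the alert line, which is what keeps a user who merely clicks and is blocked by the proxy out of the queue.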
4. Credential Harvesting Email + Unusual Authentication Behavior
Objective: Detect when a phishing page successfully steals credentials.
Data Sources
- Email logs (phishing URL indicators)
- Cloud auth logs (Azure AD, Okta)
- Conditional Access logs
- VPN logs
Detection Logic
- User receives or clicks an email with a login-themed phishing link.
- Within 1 hour:
  - New login from an unknown IP/ASN
  - User-Agent mismatch (login from Firefox while the user always uses Chrome)
  - Login from Tor/VPN/anonymizer
- Optional: mailbox rule creation or MFA reset attempts.
Why It's High-Fidelity
Correlating suspicious email → suspicious login is extremely effective at catching credential theft early.
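The post-click authentication checks above, as an added example that is not part of the original post: it builds a per-user baseline of browser families and ASNs from earlier successful logins, then flags any successful login within one hour of a login-themed phishing click that comes from a new ASN, an unfamiliar browser, or an anonymizer ASN, and attaches optional follow-on audit events (mailbox rule creation, MFA reset). The log field names, the anonymizer ASN list and the sample data are constructed.

```python
# Added example (not from the original post): phishing click + anomalous login within 1 hour.
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)
ANONYMIZER_ASNS = {64512}                 # constructed: Tor exit / VPN provider ASNs
FOLLOWUP_ACTIONS = {"mailbox_rule_created", "mfa_reset"}   # constructed audit action names

# Clicks on login-themed lures (SafeLinks/TAP style), constructed.
CLICKS = [
    {"ts": "2024-05-01T14:00:00", "user": "alice", "url": "https://login-verify.invalid/m365"},
]
# 30 days of successful logins form the baseline; the last two are new activity.
LOGINS = [
    *[{"ts": f"2024-04-{d:02d}T09:00:00", "user": "alice", "ip": "198.51.100.7", "asn": 64496,
       "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0", "success": True}
      for d in range(1, 31)],
    {"ts": "2024-05-01T14:20:00", "user": "alice", "ip": "192.0.2.55", "asn": 64512,
     "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0", "success": True},
    {"ts": "2024-05-01T16:30:00", "user": "alice", "ip": "203.0.113.9", "asn": 64499,
     "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0", "success": True},
]
# Optional follow-on signals from the mailbox / identity audit log, constructed.
AUDIT = [
    {"ts": "2024-05-01T14:25:00", "user": "alice", "action": "mailbox_rule_created"},
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def browser_family(user_agent):
    """Coarse browser family; Edge is checked first because its UA also says Chrome."""
    for family in ("Edg", "Chrome", "Firefox", "Safari"):
        if family in user_agent:
            return family
    return "other"


def build_baseline(logins, before):
    """Browser families and ASNs per user from successful logins older than `before`."""
    baseline = defaultdict(lambda: {"browsers": set(), "asns": set()})
    for login in logins:
        if login["success"] and parse_ts(login["ts"]) < before:
            baseline[login["user"]]["browsers"].add(browser_family(login["user_agent"]))
            baseline[login["user"]]["asns"].add(login["asn"])
    return baseline


def detect(clicks, logins, audit, window=WINDOW):
    """One alert per anomalous successful login inside the window after a click."""
    alerts = []
    for click in clicks:
        t0 = parse_ts(click["ts"])
        baseline = build_baseline(logins, before=t0)[click["user"]]
        for login in logins:
            if login["user"] != click["user"] or not login["success"]:
                continue
            delay = parse_ts(login["ts"]) - t0
            if not (timedelta(0) <= delay <= window):
                continue
            anomalies = []
            if login["asn"] not in baseline["asns"]:
                anomalies.append("new_asn")
            if browser_family(login["user_agent"]) not in baseline["browsers"]:
                anomalies.append("user_agent_mismatch")
            if login["asn"] in ANONYMIZER_ASNS:
                anomalies.append("anonymizer")
            if not anomalies:
                continue
            followups = [a["action"] for a in audit if a["user"] == click["user"]
                         and a["action"] in FOLLOWUP_ACTIONS
                         and timedelta(0) <= parse_ts(a["ts"]) - t0 <= window]
            alerts.append({"user": click["user"], "login_ip": login["ip"],
                           "anomalies": anomalies, "followup": followups,
                           "minutes_after_click": int(delay.total_seconds() // 60)})
    return alerts


if __name__ == "__main__":
    for alert in detect(CLICKS, LOGINS, AUDIT):
        print(alert)
```

The baseline is computed from logins strictly before the click so the attacker's own session cannot teach the rule that its browser is normal; the 16:30 login from a new mobile ASN is outside the window and is left to a lower-severity impossible-travel or new-ASN rule.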
5. Internal Phishing (Lateral Movement) Detection
Objective: Detect when an attacker uses a compromised account to send internal phishing emails.
Data Sources
- Internal email logs
- Identity logs (Azure AD / Okta)
- Endpoint logs
- Threat intel
Detection Logic
- Sudden spike in internal messages from a single user.
- Emails containing unusual links or attachment types.
- Sent to many recipients outside normal behavior patterns.
- Correlate with the suspicious login from the prior use case (#4).
Why It's High-Fidelity
Internal phishing is a strong indicator of active lateral movement.
6. Malicious Attachment → File Write → Child Process Explosion
Objective: Detect attachment-based malware droppers and loaders.
Data Sources
- Email logs (attachment info)
- Sysmon/EDR process creation
- File write operations
- Registry modification logs
Detection Logic
- User receives an email with a suspicious file extension.
- File is saved to disk.
- Execution leads to abnormal child processes — e.g.:
  - Word → PowerShell
  - PDF → cmd
  - Excel → rundll32
- Registry values or scheduled tasks created afterward.
Why It's High-Fidelity
This maps directly to the MITRE ATT&CK kill chain (Initial Access → Execution → Persistence).
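The file-write → abnormal-child → persistence chain above, as an added example that is not part of the original post: it walks Sysmon-style events for a host, anchors on a document reader spawning a scripting or LOLBin child (the Word → PowerShell style pairs), then looks back for a risky attachment written to disk and forward for a Run-key or scheduled-task artefact, grading severity by how many stages are present. The event shape, the parent/child table, the 10-minute windows and the sample events are constructed.

```python
# Added example (not from the original post): attachment -> abnormal child -> persistence.
from datetime import datetime, timedelta

RISKY_EXT = (".docm", ".xlsm", ".pdf", ".iso", ".vhd", ".js", ".hta")
LOLBIN_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                   "rundll32.exe", "mshta.exe", "regsvr32.exe"}
# Document readers that should not normally spawn the children above.
DOCUMENT_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe"}
PERSISTENCE_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")
CHAIN_WINDOW = timedelta(minutes=10)

# Constructed Sysmon-like events: file create, process create, registry set.
EVENTS = [
    {"ts": "2024-05-01T09:10:00", "host": "WS-ALICE", "type": "file_create",
     "path": "C:\\Users\\alice\\Downloads\\invoice.docm"},
    {"ts": "2024-05-01T09:11:00", "host": "WS-ALICE", "type": "process_create", "pid": 400,
     "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "parent_pid": 200, "parent_image": "C:\\Windows\\explorer.exe"},
    {"ts": "2024-05-01T09:11:30", "host": "WS-ALICE", "type": "process_create", "pid": 500,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent_pid": 400, "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"},
    {"ts": "2024-05-01T09:12:00", "host": "WS-ALICE", "type": "registry_set", "pid": 500,
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    # benign: Word on another host spawning the print helper, nothing written, no persistence
    {"ts": "2024-05-01T13:00:00", "host": "WS-BOB", "type": "process_create", "pid": 700,
     "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "parent_pid": 300, "parent_image": "C:\\Windows\\explorer.exe"},
    {"ts": "2024-05-01T13:00:05", "host": "WS-BOB", "type": "process_create", "pid": 701,
     "image": "C:\\Windows\\splwow64.exe",
     "parent_pid": 700, "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"},
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def is_persistence(event):
    if event["type"] == "scheduled_task":
        return True
    return event["type"] == "registry_set" and any(k in event["key"].lower() for k in PERSISTENCE_KEYS)


def detect(events):
    """One alert per abnormal parent/child pair, enriched with the surrounding stages."""
    alerts = []
    for child in (e for e in events if e["type"] == "process_create"):
        parent, image = basename(child["parent_image"]), basename(child["image"])
        if parent not in DOCUMENT_PARENTS or image not in LOLBIN_CHILDREN:
            continue
        host, t_child = child["host"], parse_ts(child["ts"])
        stages = ["abnormal_child:%s->%s" % (parent, image)]
        # Stage 1 (look back): a risky attachment written to disk on this host
        if any(e["type"] == "file_create" and e["host"] == host
               and e["path"].lower().endswith(RISKY_EXT)
               and timedelta(0) <= t_child - parse_ts(e["ts"]) <= CHAIN_WINDOW for e in events):
            stages.insert(0, "risky_file_write")
        # Stage 3 (look forward): persistence via Run key or scheduled task
        if any(e["host"] == host and is_persistence(e)
               and timedelta(0) <= parse_ts(e["ts"]) - t_child <= CHAIN_WINDOW for e in events):
            stages.append("persistence")
        alerts.append({"host": host, "pid": child["pid"], "stages": stages,
                       "severity": "high" if len(stages) == 3 else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Keeping the abnormal parent/child pair as the anchor means the rule still fires at medium severity when the file-write or registry telemetry is missing, which is common on hosts where only process creation is collected.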
7. VIP/Executive Targeting Detection
Objective: Detect targeted phishing against executives or finance staff.
Data Sources
- Email logs
- VIP user list / CMDB data
- Threat intelligence
- Identity logs
Detection Logic
- Email flagged by TI containing:
  - Finance-themed lures
  - BEC-style keywords
  - Malicious attachments or links
- Sent to a VIP or finance-department user.
- Correlate with authentication anomalies or mailbox rule creation.
Why It's High-Fidelity
Executives are prime targets for BEC and ransomware initial access.
8. Email Delivery Failure → Spam Campaign → Compromised Host
Objective: Detect compromised internal mail servers or endpoints distributing spam.
Data Sources
- Email server logs
- Firewall logs
- Endpoint logs
Detection Logic
- Outbound emails from host → high volume of SMTP failures.
- Host simultaneously connecting to suspicious external SMTP servers.
- Endpoint shows signs of malware or unauthorized processes.
Why It's High-Fidelity
Internal spam bursts are a reliable indicator of worm-like malware or compromised accounts.