PH_Rule_Flow_11
Enabled
Detects a scenario where a host, that is itself not an authorized mail gateway, is unsuccessfully trying to send excessive emails to unauthorized mail gateways. Authorized mail gateways are represented by the "Mail Gateway" group. Such requests would be typically denied because, either the firewall would block SMTP from end hosts and/or mail gateways only receive mail from other authorized mail gateways. This behavior may indicate malware running on an end host that is trying to send spam or privileged information to its own set of mail servers (which may be compromised).
8
Security
Exfiltration
Exfiltration consists of techniques that adversaries may use to steal data from your network. Once they’ve collected data, adversaries often package it to avoid detection while removing it. This can include compression and encryption. Techniques for getting data out of a target network typically include transferring it over their command and control channel or an alternate channel and may also include putting size limits on the transmission.
https://attack.mitre.org/tactics/TA0010T1020.001
Automated Exfiltration: Traffic Duplication
Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised network infrastructure. Traffic mirroring is a native feature for some network devices and used for network analysis and may be configured to duplicate traffic and forward to one or more destinations for analysis by a network analyzer or other monitoring device. Adversaries may use traffic duplication in conjunction with Network Sniffing, Input Capture or Man-in-the-Middle to achieve their objective.
https://attack.mitre.org/techniques/T1020/001Application
FortiGate via Syslog or Netflow, Checkpoint via Syslog or Netflow, Palo Alto via Syslog or Netflow
Correlation
No remediation guidance specified
If the following pattern or patterns match an ingested event within the given time window in seconds, trigger an incident.
300 secondsIf the following defined pattern/s occur within a 300 second time window.
EndUserMailToUnauthMailGw AND ExcessDeniedMail OR ExcessPermitMailThis defines how two or more distinct events are related in a time-series based action. e.g. An event occurs followed by another event if the source IP, user, and messageId are the same
EndUserMailToUnauthMailGw.srcIpAddr = ExcessDeniedMail.srcIpAddr OR EndUserMailToUnauthMailGw.srcIpAddr = ExcessPermitMail.srcIpAddrThis is the named definition of the event query, this is important if multiple subpatterns are defined to distinguish them.
This is the query logic that matches incoming events
ipProto = 6 AND destIpPort = 25 AND destIpAddr NOT IN (Group@PH_SYS_DEVICE_SEC_GW, Group@PH_SYS_APP_MAIL_SERVER) AND srcIpAddr NOT IN (Group@PH_SYS_DEVICE_SEC_GW,Group@PH_SYS_APP_MAIL_SERVER) AND srcIpAddr IN (Group@PH_SYS_NETWORK_ENTERPRISE_INTERNAL_NET) AND eventType IN (Group@PH_SYS_EVENT_PermitNetTraffic, Group@PH_SYS_EVENT_NetflowTraffic, Group@PH_SYS_EVENT_BiNetflowTraffic,Group@PH_SYS_EVENT_DenyNetTraffic)This defines how matching events are aggregated, only events with the same matching attribute values are grouped into one unique incident ID
srcIpAddrThis is most typically a numerical constraint that defines when the rule should trigger an incident
COUNT (DISTINCT destIpAddr) >= 5Operator Rank: 1 Operator Type: ANDThis operator defines the logic condition relating to the prior event subpattern clause and the following event subpattern clause
This is the named definition of the event query, this is important if multiple subpatterns are defined to distinguish them.
This is the query logic that matches incoming events
ipProto = 6 AND destIpPort = 25 AND eventType IN (Group@PH_SYS_EVENT_DenyNetTraffic) AND srcIpAddr NOT IN (Group@PH_SYS_DEVICE_SEC_GW,Group@PH_SYS_APP_MAIL_SERVER) AND srcIpAddr IN (Group@PH_SYS_NETWORK_ENTERPRISE_INTERNAL_NET)This defines how matching events are aggregated, only events with the same matching attribute values are grouped into one unique incident ID
srcIpAddrThis is most typically a numerical constraint that defines when the rule should trigger an incident
COUNT (*) >= 30Operator Rank: 0 Operator Type: ORThis operator defines the logic condition relating to the prior event subpattern clause and the following event subpattern clause
This is the named definition of the event query, this is important if multiple subpatterns are defined to distinguish them.
This is the query logic that matches incoming events
srcDestTCPFlags = 2 AND ipProto = 6 AND destIpPort = 25 AND eventType IN (Group@PH_SYS_EVENT_BiNetflowTraffic) AND srcIpAddr NOT IN (Group@PH_SYS_DEVICE_SEC_GW,Group@PH_SYS_APP_MAIL_SERVER) AND srcIpAddr IN (Group@PH_SYS_NETWORK_ENTERPRISE_INTERNAL_NET)This defines how matching events are aggregated, only events with the same matching attribute values are grouped into one unique incident ID
srcIpAddrThis is most typically a numerical constraint that defines when the rule should trigger an incident
COUNT (*) >= 30This section defines which fields in matching raw events should be mapped to the incident attributes in the resulting incident.
The available raw event attributes to map are limited to the group by attributes and the aggregate event constraint fields for each subpattern
srcIpAddr = EndUserMailToUnauthMailGw.srcIpAddr