3 Replies Latest reply on Mar 6, 2016 6:23 PM by tduckworth

    correlation rule on phishing related sites

    kinoboi

      Can you please help me with how to create a correlation rule related to phishing? Please provide specific steps.

        • 1. Re: correlation rule on phishing related sites
          tduckworth

          Can you be more specific?  What do you want the trigger for the event to be?

          • 2. Re: correlation rule on phishing related sites
            kinoboi

            For example, a user receives an email and there's a link wherein it requests him to click it. How would the SIEM rules definitely know whether the link sent to him is a valid link, spam, etc.? Thanks.

            I'm just a newbie with SIEM Nitro and have been using it for almost 2 months.

            • 3. Re: correlation rule on phishing related sites
              tduckworth

              Ok, the SIEM is a powerful tool, but it doesn't have the intelligence built in to detect such things.  It takes a good analyst to be creative and create correlation rules that work for your specific situation.  You also need to make sure that you purchased the options to parse email server logs.  I don't know what you would need to do that, though.


              However, if you get updated lists of known malware domains and/or URLs, you could just create a rule that checks internal-to-external flow data over ports 80 and 443.  Create a watch list for the known malware sites and have it alert you when any of that traffic is bound for any sites in that watch list.


              I know you wanted some specifics, but you should be able to find another post from someone on how to accomplish this.  It's not the greatest example, but it might give you enough of a start to get you going.


              Good luck!
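The watch-list check tduckworth describes (internal-to-external traffic on 80/443 whose destination is on a list of known-bad sites), as an added example that is not part of the original thread and is not McAfee ESM/Nitro correlation-rule syntax. It is a stand-alone Python script: the watch list entries, the pipe-separated log format (`timestamp|src_ip|dst_ip|dst_port|host|path`) and the log lines themselves are all constructed here using reserved example addresses and domains. One caveat it makes visible: pure flow records carry only IP addresses (the `-` host/path records below), so domain and URL entries in the watch list can only fire on records that also carry a hostname, such as proxy or HTTP logs. A feed of domains alone does nothing against flow data unless you resolve it to IPs first.

```python
"""
Alert on internal-to-external web traffic whose destination matches a
watch list of known-bad domains, IPs or URLs.

Example code written for this thread; not McAfee ESM rule syntax.
The log format, watch list and log lines are constructed for the demo.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed watch list, mixing the three kinds of entry a feed usually gives.
WATCHLIST = [
    "evil-example.test",                                   # domain (matches subdomains too)
    "www.Phish-Login.example",                             # domain, needs normalizing
    "198.51.100.23",                                       # bare IP (matches flow-only records)
    "http://cdn.bad-example.test/payload/dropper.exe",     # exact URL, not the whole host
]

# RFC 1918 space counts as "internal"; adjust to your own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WEB_PORTS = {80, 443}

# Constructed log: timestamp|src_ip|dst_ip|dst_port|host|path ("-" = not available).
SAMPLE_LOG = """\
2016-03-06T18:01:02|10.1.2.3|203.0.113.10|443|login.evil-example.test|/account/verify
2016-03-06T18:01:05|10.1.2.4|203.0.113.44|80|www.example.org|/index.html
2016-03-06T18:01:09|10.1.2.5|198.51.100.23|80|-|-
2016-03-06T18:01:12|10.1.2.6|203.0.113.70|8080|evil-example.test|/
2016-03-06T18:01:15|203.0.113.80|10.1.2.3|443|-|-
2016-03-06T18:01:20|10.1.2.7|203.0.113.90|80|cdn.bad-example.test|/payload/dropper.exe
2016-03-06T18:01:25|10.1.2.8|203.0.113.90|80|cdn.bad-example.test|/about.html
2016-03-06T18:01:30|10.1.2.9|10.1.2.10|80|intranet.corp.local|/
2016-03-06T18:01:35|10.1.2.11|203.0.113.100|443|phish-login.example|/login
"""


def normalize_host(host):
    """Lower-case, drop trailing dot and a leading 'www.' so feed and log agree."""
    host = host.strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def build_watchlist(entries):
    """Split feed entries into domain, IP and (host, path) URL sets."""
    domains, ips, urls = set(), set(), set()
    for entry in entries:
        entry = entry.strip()
        if "://" in entry:
            parts = urlsplit(entry)
            urls.add((normalize_host(parts.hostname or ""), parts.path or "/"))
            continue
        try:
            ips.add(ipaddress.ip_address(entry))
            continue
        except ValueError:
            pass
        domains.add(normalize_host(entry))
    return domains, ips, urls


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def check_record(rec, watch):
    """Return a match reason for an internal->external web record, else None."""
    domains, ips, urls = watch
    src, dst = ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])
    if not is_internal(src) or is_internal(dst):   # only internal -> external
        return None
    if rec["port"] not in WEB_PORTS:
        return None
    if dst in ips:                                  # works even for flow-only records
        return f"ip:{dst}"
    host = normalize_host(rec["host"]) if rec["host"] != "-" else ""
    if host:
        for d in domains:                           # exact domain or any subdomain
            if host == d or host.endswith("." + d):
                return f"domain:{d}"
        if (host, rec["path"]) in urls:             # exact URL only
            return f"url:{host}{rec['path']}"
    return None


def parse_line(line):
    ts, src, dst, port, host, path = line.split("|")
    return {"time": ts, "src": src, "dst": dst, "port": int(port),
            "host": host, "path": path}


def scan(log_text, entries):
    """Run the watch-list check over every log line; return the alerting records."""
    watch = build_watchlist(entries)
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            reason = check_record(rec, watch)
            if reason:
                hits.append({**rec, "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG, WATCHLIST):
        print(f"ALERT {hit['time']} {hit['src']} -> {hit['dst']}:{hit['port']} ({hit['reason']})")
```

Of the nine constructed records, four alert: the subdomain of a listed domain, the listed IP (a flow-only record with no hostname), the exact listed URL, and the host whose feed entry needed `www.` stripping and lower-casing. The remaining records show the filters doing their job: port 8080 is outside the 80/443 scope, an inbound connection is not internal-to-external, internal-to-internal traffic is ignored, and a different path on the URL-listed host does not fire because only that one URL, not the whole host, was on the list.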