Hosts Receiving High Volume Of Network Traffic From Email Server

Description

This search looks for an increase in data transfers from your email server to your clients. A host that suddenly pulls far more data from the email server than it historically does could indicate a malicious actor collecting mailbox contents through your email server.

Use Case

Advanced Threat Detection

Category

Adversary Tactics

SPL Difficulty

None

Journey

Stage 1

MITRE ATT&CK Tactics

Collection

MITRE ATT&CK Techniques

Email Collection

Remote Email Collection

MITRE Threat Groups

APT1
APT28
Dragonfly 2.0
FIN4
Ke3chang
Leafminer

Kill Chain Phases

Actions On Objectives

Data Sources

Email

Hosts Receiving High Volume Of Network Traffic From Email Server Help

This search requires you to be ingesting your network traffic and populating the NetworkTraffic data model. Your email servers must also be categorized as "emailserver" for the search to work. You may need to adjust the deviationthreshold and minimumdatasamples values based on the network traffic in your environment. The "deviationthreshold" field is a multiplying factor applied to a host's historical deviation that controls how much variation above its normal volume you're willing to tolerate before the host is flagged. The "minimumdatasamples" field is the minimum number of data samples (connections) a host must have before the statistic is considered valid; hosts with fewer samples are not evaluated, so a small value produces more alerts on rarely seen hosts and a large value delays detection until enough history exists.
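The following is a worked example added to this page, not the Splunk Security Essentials search itself (the SPL is not reproduced here). It implements the statistic the help text describes in plain Python, over constructed NetworkTraffic-style events, so the effect of deviationthreshold and minimumdatasamples can be seen directly. The field names (_time, src, src_category, dest, bytes_in), the hourly bucketing, and the default values 3.0 and 5 are assumptions for the example; only the "emailserver" category comes from the help text.

```python
"""Added example: the deviation-from-baseline statistic behind the search,
in plain Python.  Not Splunk's own code; field names, hourly buckets and the
default thresholds are assumptions for illustration."""
from collections import defaultdict
from statistics import mean, pstdev

DEVIATION_THRESHOLD = 3.0      # assumed default: tolerate mean + 3 standard deviations
MINIMUM_DATA_SAMPLES = 5       # assumed default: need 5 baseline buckets per host
BUCKET_SECONDS = 3600          # compare the newest hour against the earlier hours


def aggregate_email_traffic(records, bucket_seconds=BUCKET_SECONDS):
    """Sum the bytes each dest received from email servers, per time bucket.

    Events whose source is not categorised "emailserver" are ignored, which is
    what scoping the search to that category does in Splunk."""
    totals = defaultdict(lambda: defaultdict(int))
    for rec in records:
        if rec.get("src_category") != "emailserver":
            continue
        bucket = rec["_time"] - rec["_time"] % bucket_seconds
        totals[rec["dest"]][bucket] += rec["bytes_in"]
    return totals


def find_outliers(records, deviation_threshold=DEVIATION_THRESHOLD,
                  minimum_data_samples=MINIMUM_DATA_SAMPLES):
    """Return hosts whose newest bucket exceeds mean + threshold * stdev of history."""
    hits = []
    for dest, buckets in aggregate_email_traffic(records).items():
        ordered = sorted(buckets)
        baseline = [buckets[t] for t in ordered[:-1]]   # everything but the newest bucket
        latest = buckets[ordered[-1]]
        if len(baseline) < minimum_data_samples:
            continue                                    # too little history: no verdict
        avg, stdev = mean(baseline), pstdev(baseline)
        upper = avg + deviation_threshold * stdev       # a flat baseline collapses this to avg
        if latest > upper:
            hits.append({"dest": dest, "latest_bytes": latest, "baseline_avg": avg,
                         "baseline_stdev": stdev, "upper_bound": upper})
    return sorted(hits, key=lambda h: h["dest"])


# Constructed sample events.  BASE is an hour-aligned epoch chosen for readability.
BASE = 1_699_999_200
MAIL = {"src": "10.0.0.25", "src_category": "emailserver"}
SAMPLE_RECORDS = []
for hour in range(6):                                   # six quiet hours of baseline
    SAMPLE_RECORDS.append({**MAIL, "_time": BASE + hour * 3600 + 60,
                           "dest": "10.0.5.17", "bytes_in": 900_000 + hour * 20_000})
    SAMPLE_RECORDS.append({**MAIL, "_time": BASE + hour * 3600 + 120,
                           "dest": "10.0.5.22", "bytes_in": 1_000_000})
SAMPLE_RECORDS += [
    # hour seven: 10.0.5.17 suddenly pulls 60 MB from the mail server
    {**MAIL, "_time": BASE + 6 * 3600 + 60, "dest": "10.0.5.17", "bytes_in": 60_000_000},
    # 10.0.5.22 stays flat
    {**MAIL, "_time": BASE + 6 * 3600 + 90, "dest": "10.0.5.22", "bytes_in": 1_000_000},
    # a large transfer from a file server: wrong category, must not count
    {"src": "10.0.0.40", "src_category": "fileserver", "_time": BASE + 6 * 3600 + 200,
     "dest": "10.0.5.22", "bytes_in": 500_000_000},
    # a host with a single baseline bucket: below minimumdatasamples, so no verdict
    {**MAIL, "_time": BASE + 5 * 3600 + 10, "dest": "10.0.5.31", "bytes_in": 100_000},
    {**MAIL, "_time": BASE + 6 * 3600 + 10, "dest": "10.0.5.31", "bytes_in": 90_000_000},
]

if __name__ == "__main__":
    for hit in find_outliers(SAMPLE_RECORDS):
        print(f'{hit["dest"]}: {hit["latest_bytes"]:,} bytes '
              f'vs upper bound {hit["upper_bound"]:,.0f}')
```

With the defaults only 10.0.5.17 is reported: its 60 MB hour sits far above a baseline of roughly 950 KB. 10.0.5.31 shows an even larger jump but has a single hour of history, so it is skipped until minimumdatasamples is lowered; raising deviationthreshold high enough silences 10.0.5.17 as well. That is the trade-off to expect when tuning the two values against your own traffic.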
