4ensiX

I noticed that for the alert I called FP, I did select FP, but the display shows TP.

LetsDefend level 1 alert SOC120 - Phishing Mail Detected - Internal to Internal event-id 52

Details

EventID: 52
Event Time: Feb. 7, 2021, 4:24 a.m.
Rule: SOC120 - Phishing Mail Detected - Internal to Internal
Level: Security Analyst
SMTP Address: 172.16.20.3
Source Address: john@letsdefend.io
Destination Address: susie@letsdefend.io
E-mail Subject: Meeting
Device Action: Allowed

Playbook

Parse Email

  • When was it sent?
    Feb. 7, 2021, 4:24 a.m.
  • What is the email's SMTP address?
    172.16.20.3
  • What is the sender address?
    john@letsdefend.io
  • What is the recipient address?
    susie@letsdefend.io

Here is the content of the email:

Subject: Meeting

Source Address: john@letsdefend.io
Destination Address: susie@letsdefend.io

Hi Susie,

Can we arrange a meeting today if you are available?

Phishing Mail Detected???????????

Are there attachments or URLs in the email?

Answer: No

Add Artifacts

Value               Type        Comment
john@letsdefend.io  E-mail      Sender
172.16.20.3         IP Address  Exchange Server

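As an added example (not part of the original post or of LetsDefend's playbook), the parse, attachment/URL and artifact steps above run as a script over a constructed copy of this mail; the Received header, the internal domain and the verdict labels are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "letsdefend.io"  # assumption: the organisation's own mail domain
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)

# Constructed sample reproducing the alert's mail: internal sender and recipient,
# no attachment, no URL. The Received header is invented for illustration.
SAMPLE_MAIL = """\
Received: from EXCHANGE01 ([172.16.20.3]) by mail.letsdefend.io; Sun, 7 Feb 2021 04:24:00 +0000
From: john@letsdefend.io
To: susie@letsdefend.io
Subject: Meeting
Content-Type: text/plain; charset="utf-8"

Hi Susie,

Can we arrange a meeting today if you are available?
"""

# Same mail with a link appended, to exercise the other branch of the URL check.
SAMPLE_MAIL_WITH_URL = SAMPLE_MAIL + "\nAgenda: https://example.invalid/agenda\n"

def triage(raw):
    """Run the playbook's parse / attachment / URL checks and return the artifacts."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    # SMTP address: the bracketed IP in the topmost Received header.
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", msg.get("Received", ""))
    smtp_ip = m.group(1) if m else None
    attachments, urls = [], []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if part.get_filename() or part.get_content_disposition() == "attachment":
            attachments.append(part.get_filename() or "<unnamed>")
        elif part.get_content_type() in ("text/plain", "text/html"):
            charset = part.get_content_charset() or "utf-8"
            body = part.get_payload(decode=True).decode(charset, "replace")
            urls.extend(URL_RE.findall(body))
    internal = all(a.endswith("@" + INTERNAL_DOMAIN) for a in (sender, recipient))
    # Internal-to-internal mail with nothing to detonate or fetch is a likely FP;
    # anything else is handed to an analyst for review.
    verdict = "likely_fp" if internal and not attachments and not urls else "needs_review"
    return {"sender": sender, "recipient": recipient, "smtp_ip": smtp_ip,
            "attachments": attachments, "urls": urls, "verdict": verdict}
```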
FP!

End

close alert event-id 52

This is pure guesswork, but perhaps a string from the email body is registered as a Phishing Mail rule.