Threat Intel Email Indicator Match

This rule is triggered when an email indicator from the Threat Intel Filebeat module or integrations matches an event containing email-related data, such as logs from email security gateways or email service providers.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2025/04/11"
maturity = "production"
updated_date = "2025/04/22"

[rule]
author = ["Elastic"]
description = """
This rule is triggered when an email indicator from the Threat Intel Filebeat module or integrations matches an event
containing email-related data, such as logs from email security gateways or email service providers.
"""
from = "now-65m"
index = ["filebeat-*", "logs-*"]
interval = "1h"
language = "kuery"
license = "Elastic License v2"
name = "Threat Intel Email Indicator Match"
note = """## Triage and analysis

### Investigating Threat Intel Email Indicator Match

Threat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash, with an entry of a file hash stored within the Threat Intel integrations index.

Matches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation.

This rule is triggered when an email indicator from the Threat Intel Filebeat module or integrations matches an event containing email-related data, such as logs from email security gateways or email service providers.

#### Possible investigation steps

- Investigate the email indicator, which can be found in the threat.indicator.matched.atomic field:
  - Determine the nature of the email-based threat (phishing, spam, BEC, malware attachment, etc.).
  - Check the reputation of the email address, domain, and IP in threat intel platforms such as VirusTotal, AbuseIPDB, Cisco Talos, and others.
  - Perform a WHOIS lookup on the sending domain to gather registration info and potential abuse contacts.
  - Review historical context: Has this email indicator been observed in other events or associated with known campaigns?
- If the event is potentially phishing or BEC-related:
  - Contact the recipient to gather additional context (did they interact with the email, click links, open attachments, reply, etc.).
  - Review the email headers and content to identify spoofing tactics, display name impersonation, or suspicious links/domains.
  - Analyze the email body and any attachments for signs of malicious intent or social engineering techniques.
  - Extract and investigate any embedded links, attachments, or payloads for further IOCs.
- Check logs from email security gateways and mail servers for:
  - Additional recipients or similar messages sent in the same timeframe.
  - Delivery status and any filtering or quarantine actions taken.

### False Positive Analysis

- False positives may occur when email indicators match legitimate communications.
- Some threat intelligence feeds may mistakenly include benign or internal email addresses, domains, or sender infrastructure (e.g., noreply@yourdomain.com, legitimate SaaS providers, or shared mail services). Always validate indicators before taking enforcement actions.
- Review the context of the match: Consider whether the sender domain or address is part of a known legitimate service, commonly used internally, or associated with a partner/vendor.
- Blocking or alerting based on common email domains or infrastructure (e.g., mail gateways, newsletters, cloud-based platforms) without proper validation can lead to disruptions in communication.

### Response and Remediation

- Initiate the incident response process based on the outcome of the triage.
- If a user interacted with the malicious email (clicked a link, opened an attachment, replied, etc.), isolate the involved host to prevent further post-compromise behavior.
- If the triage identified malware, search the environment for additional compromised hosts.
  - Implement temporary email filters and segmentation to prevent further delivery or spread.
  - Stop suspicious processes associated with any attachments or payloads.
  - Immediately block the identified indicators of compromise (IoCs), including sender addresses, domains, URLs, and file hashes.
  - Inspect affected systems for additional backdoors, such as reverse shells, droppers, or tunneling tools that could enable reinfection or remote access.
- Consider reporting the sender address or domain for abuse using WHOIS or relevant abuse reporting services.
- Remove and block malicious artifacts identified during triage, including phishing emails, attachments, and URLs.
- Run a full antimalware scan. This may reveal additional artifacts, persistence mechanisms, or malware components on the system.
- Determine the initial vector abused by the attacker (e.g., bypassed email filters, spoofed domain, etc.) and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
"""
references = [
    "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html",
    "https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html",
    "https://www.elastic.co/security/tip",
]
risk_score = 73
rule_id = "fcf18de8-ad7d-4d01-b3f7-a11d5b3883af"
setup = """## Setup

This rule needs threat intelligence indicators to work.
Threat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration),
the [Threat Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration),
or a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration).

More information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).
"""
severity = "high"
tags = ["Rule Type: Threat Match", "Resources: Investigation Guide"]
threat_index = ["filebeat-*", "logs-ti_*"]
threat_indicator_path = "threat.indicator"
threat_language = "kuery"
threat_query = """
@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and threat.indicator.email.address:* and not
labels.is_ioc_transform_source:"true"
"""
timeline_id = "495ad7a7-316e-4544-8a0f-9c098daee76e"
timeline_title = "Generic Threat Match Timeline"
timestamp_override = "event.ingested"
type = "threat_match"

query = '''
email.from.address:* or email.sender.address:* or email.reply_to.address:* or email.to.address:*
'''


[[rule.threat_filters]]

[rule.threat_filters."$state"]
store = "appState"
[rule.threat_filters.meta]
disabled = false
key = "event.category"
negate = false
type = "phrase"
[rule.threat_filters.meta.params]
query = "threat"
[rule.threat_filters.query.match_phrase]
"event.category" = "threat"
[[rule.threat_filters]]

[rule.threat_filters."$state"]
store = "appState"
[rule.threat_filters.meta]
disabled = false
key = "event.kind"
negate = false
type = "phrase"
[rule.threat_filters.meta.params]
query = "enrichment"
[rule.threat_filters.query.match_phrase]
"event.kind" = "enrichment"
[[rule.threat_filters]]

[rule.threat_filters."$state"]
store = "appState"
[rule.threat_filters.meta]
disabled = false
key = "event.type"
negate = false
type = "phrase"
[rule.threat_filters.meta.params]
query = "indicator"
[rule.threat_filters.query.match_phrase]
"event.type" = "indicator"
[[rule.threat_mapping]]

[[rule.threat_mapping.entries]]
type = "mapping"
field = "email.from.address"
value = "threat.indicator.email.address"

[[rule.threat_mapping]]

[[rule.threat_mapping.entries]]
type = "mapping"
field = "email.to.address"
value = "threat.indicator.email.address"

[[rule.threat_mapping]]

[[rule.threat_mapping.entries]]
type = "mapping"
field = "email.sender.address"
value = "threat.indicator.email.address"

[[rule.threat_mapping]]

[[rule.threat_mapping.entries]]
type = "mapping"
field = "email.reply_to.address"
value = "threat.indicator.email.address"
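To make the rule's three moving parts concrete (the threat_query plus threat_filters that select in-scope indicators, the query that requires an email field on the event, and the four threat_mapping entries), here is an added Python model of the match, not Elastic's engine or code. Indicator and event documents, the reference time NOW, and the integration name ti_abusech are constructed; the comparison is exact, as it is on a keyword field, and the output carries the threat.indicator.matched.atomic and matched.field values the investigation guide tells you to look at.

```python
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatch

THREAT_FILTERS = {"event.category": "threat", "event.kind": "enrichment", "event.type": "indicator"}
EMAIL_FIELDS = ("email.from.address", "email.sender.address", "email.reply_to.address", "email.to.address")
LOOKBACK = timedelta(days=30)  # threat_query: @timestamp >= "now-30d/d" (rounded down to start of day)

def _get(doc, dotted):  # read a dotted ECS path from a nested dict; None if any part is absent
    cur = doc
    for part in dotted.split("."):
        cur = cur.get(part) if isinstance(cur, dict) else None
    return cur

def indicator_selected(ind, now):
    """threat_query + threat_filters: is this indicator document in scope for matching?"""
    since = (now - LOOKBACK).replace(hour=0, minute=0, second=0, microsecond=0)
    module = _get(ind, "event.module") or ""
    return (datetime.fromisoformat(_get(ind, "@timestamp")) >= since
            and (module == "threatintel" or fnmatch(module, "ti_*"))
            and _get(ind, "threat.indicator.email.address") is not None
            and str(_get(ind, "labels.is_ioc_transform_source")).lower() != "true"
            and all(_get(ind, k) == v for k, v in THREAT_FILTERS.items()))

def match_events(events, indicators, now):
    """One alert per (event, mapped field) whose value equals an in-scope indicator address."""
    live = {_get(i, "threat.indicator.email.address") for i in indicators if indicator_selected(i, now)}
    alerts = []
    for ev in events:
        for field in EMAIL_FIELDS:  # the rule's query: the event must carry one of these fields
            value = _get(ev, field)
            if value in live:  # a missing field (None) can never match a real address
                alerts.append({"threat.indicator.matched.atomic": value,
                               "threat.indicator.matched.field": field, "event": ev})
    return alerts

def _ind(addr, ts, module="ti_abusech", **extra):  # constructed indicator doc (hypothetical module name)
    doc = {"@timestamp": ts, "threat": {"indicator": {"email": {"address": addr}}}, "event":
           {"module": module, "category": "threat", "kind": "enrichment", "type": "indicator"}}
    return {**doc, **extra}

NOW = datetime(2025, 4, 22, 12, 0, tzinfo=timezone.utc)  # constructed reference time
INDICATORS = [  # constructed: one live, one stale (older than 30 days), one IoC-transform source copy
    _ind("payroll@evil-example.test", "2025-04-10T08:00:00+00:00"),
    _ind("old@evil-example.test", "2025-01-01T00:00:00+00:00"),
    _ind("payroll@evil-example.test", "2025-04-20T00:00:00+00:00", labels={"is_ioc_transform_source": "true"}),
]
EVENTS = [  # constructed mail-gateway events; only the first should alert
    {"email": {"from": {"address": "payroll@evil-example.test"}, "to": {"address": "alice@corp.example"}}},
    {"email": {"from": {"address": "hr@corp.example"}, "reply_to": {"address": "old@evil-example.test"}}},
]
```

The second event is the stale-indicator case the guide warns about: the address is in the threat index, but because it is older than the 30-day window it produces no alert here, so an analyst who blocks every address in the index would be acting on data the rule itself no longer uses.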
