Hi Mai9,

Here are some suggestions:

• Ensure you are ingesting your email logs
• Create rules that look for emails sent to external domains(they don't match your approved domains)
• Implement rules to identify emails containing potentially malicious URLs(examples: check against known malicious lists, utilize url reputation services, suspicious patterns, etc.)
• Implement rules to flag emails with potentially harmful attachments(file type filtering, file reputation scores, content analysis)
• Enrich Alerts with things like sender reputation, recipient info, url/file analysis data
• Fine tune your alert with thresholds to balance sensitivity and utilize allow/deny listing to reduce noise

Please find an example SIEM rule below:

ALERT WHEN email_sent TO external_domain AND ( url_in_email MATCHES threat_intel_url_list OR url_in_email HAS reputation_score > threshold OR attachment_in_email MATCHES threat_intel_file_hash_list OR attachment_in_email HAS reputation_score > threshold OR attachment_in_email MATCHES risky_file_type )

By carefully designing your SIEM alerts, you can create a proactive defense against suspicious emails and protect your organization from potential threats.