Threat Intel Email Indicator Match

Last updated 22 days ago on 2025-04-22

Created a month ago on 2025-04-11

About

This rule is triggered when an email indicator from the Threat Intel Filebeat module or integrations matches an event containing email-related data, such as logs from email security gateways or email service providers.

Tags: Rule Type: Threat MatchLanguage: kuery
Severity: high
Risk Score: 73
License: Elastic License v2(opens in a new tab or window)

Definition

Rule Type: Threat Match Rule
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: filebeat-*logs-*
Related Integrations: (opens in a new tab or window)
Query

email.from.address:* or email.sender.address:* or email.reply_to.address:* or email.to.address:*

Install detection rules in Elastic Security

Detect Threat Intel Email Indicator Match in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).