Quick Start Security for ProofPoint Meta

Coralogix Extension For ProofPoint Meta Includes:

Alerts - 5

Stay on top of ProofPoint Meta key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

Proofpoint Meta - More than 3 failed login attempts

This rule monitors unsuccessful login attempts and triggers an alert on more than 3 failed login attempts in under 5 minutes.

Impact: Many failed login attempts in a short time frame might indicate a brute force attack against the relevant account.

Mitigation: Implement rate limiting on unsuccessful login attempts.

MITRE Tactic: TA0006
MITRE Technique: T1110

Proofpoint Meta - Detected user login after 1 month

This rule monitors user logins after one month of inactivity. The alert is triggered when a user logs in after 1 month of no logins.

Impact: An adversary may gain access with the archived credentials of the dormant user.

Mitigation: Investigate the new login and validate that the user and the actions performed were authorized.

MITRE Technique: T1098

Proofpoint Meta - More than usual 4XX error code received

This rule monitors whether notify/create/delete action requests return a 4XX error code.

Impact: Many forbidden attempts in a short time frame might indicate a brute force attack against the relevant account.

Mitigation: Investigate the unsuccessful notify/create/delete action requests that returned a 4XX error code.

MITRE Tactic: TA0006
MITRE Technique: T1110

Proofpoint Meta - Delete action detected

This rule monitors delete actions and triggers an alert on more than 10 delete actions by the same user in under 5 minutes, as this could be an indicator of malicious activity.

Impact: More than 10 delete actions by the same user could be an indicator of malicious activity.

Mitigation: Validate that the action was approved; if not, investigate further and revert the changes.

MITRE Tactic: TA0040
MITRE Technique: T1531

Proofpoint Meta - No logs from Proofpoint Meta

This rule detects if there are no logs in the last 24 hours for Proofpoint Meta in the customer account.

Note: This alert should be configured with the relevant app & subsystem.

Impact: Disabling logging is a tactic that adversaries might employ as part of various MITRE ATT&CK techniques to avoid detection, cover their tracks, or impede incident response investigations.

Mitigation: Address logging concerns to ensure comprehensive monitoring within the Coralogix SIEM system.

MITRE Tactic: TA0005
MITRE Technique: T1562

Integration

Learn more about Coralogix's out-of-the-box integration with ProofPoint Meta in our documentation.