What Changed

New Red Sift solution provides comprehensive email security and authentication monitoring via the Codeless Connector Framework. The solution includes a push-based data connector ingesting into RedSiftAuth_CL and RedSiftEmailForensics_CL custom tables, plus five Analytic Rules targeting phishing and account compromise detection scenarios.

Data Source

Red Sift’s email security platform provides authentication and email forensics data through push-based ingestion. The connector populates two custom log tables:

  • RedSiftAuth_CL: User authentication events including logins and MFA status changes
  • RedSiftEmailForensics_CL: Email analysis data with URL extraction and sender intelligence

Detection Logic

Five detection rules provide coverage across initial access and defense evasion tactics:

Email Threat Detection (T1566):

  • New URL-bearing sender detection: Identifies emails with URLs from previously unseen senders (14-day baseline)
  • New source IP detection: Flags emails with URLs from previously unseen source IP addresses
  • New domain detection: Detects emails containing URLs to previously unseen domains

Authentication Monitoring:

  • New IP login detection (T1078): Alerts on successful logins from previously unseen IP addresses per user
  • MFA disabled detection (T1556): High-severity alerts when MFA is disabled on any account

All rules use RedSiftPush connector ID and implement 14-day historical baselines for anomaly detection with 1-hour query frequencies.

MITRE Coverage

  • T1078 (Valid Accounts): New IP login detection
  • T1556 (Modify Authentication Process): MFA disabled monitoring
  • T1566 (Phishing): Email URL and sender analysis across three detection angles

Affected Files

.script/tests/KqlvalidationsTests/CustomTables/RedSiftAuth_CL.json
.script/tests/KqlvalidationsTests/CustomTables/RedSiftEmailForensics_CL.json
.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
Logos/redsift_logo.svg
Solutions/Red Sift/Analytic Rules/RedSiftEmailUrlFromNewSender.yaml
Solutions/Red Sift/Analytic Rules/RedSiftEmailUrlFromNewSource.yaml
Solutions/Red Sift/Analytic Rules/RedSiftEmailUrlWithNewDomain.yaml
Solutions/Red Sift/Analytic Rules/RedSiftLoginFromNewIP.yaml
Solutions/Red Sift/Analytic Rules/RedSiftMFADisabled.yaml
Solutions/Red Sift/Data Connectors/RedSift_ccp/RedSift_Connector.json
Solutions/Red Sift/Data Connectors/RedSift_ccp/RedSift_DCR.json
Solutions/Red Sift/Data Connectors/RedSift_ccp/RedSift_Definition.json
Solutions/Red Sift/Data Connectors/RedSift_ccp/RedSift_EmailForensics_table.json
Solutions/Red Sift/Data Connectors/RedSift_ccp/RedSift_table.json
Solutions/Red Sift/Package/testParameters.json
(packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_RedSift.json, createUiDefinition.json, mainTemplate.json)