What Changed
New Red Sift solution provides comprehensive email security and authentication monitoring via the Codeless Connector Framework. The solution includes a push-based data connector ingesting into RedSiftAuth_CL and RedSiftEmailForensics_CL custom tables, plus five Analytic Rules targeting phishing and account compromise detection scenarios.
Data Source
Red Sift’s email security platform provides authentication and email forensics data through push-based ingestion. The connector populates two custom log tables:
- RedSiftAuth_CL: User authentication events including logins and MFA status changes
- RedSiftEmailForensics_CL: Email analysis data with URL extraction and sender intelligence
Detection Logic
Five detection rules provide coverage across initial access and defense evasion tactics:
Email Threat Detection (T1566):
- New URL-bearing sender detection: Identifies emails with URLs from previously unseen senders (14-day baseline)
- New source IP detection: Flags emails with URLs from previously unseen source IP addresses
- New domain detection: Detects emails containing URLs to previously unseen domains
Authentication Monitoring:
- New IP login detection (T1078): Alerts on successful logins from previously unseen IP addresses per user
- MFA disabled detection (T1556): High-severity alerts when MFA is disabled on any account
All rules use RedSiftPush connector ID and implement 14-day historical baselines for anomaly detection with 1-hour query frequencies.
MITRE Coverage
- T1078 (Valid Accounts): New IP login detection
- T1556 (Modify Authentication Process): MFA disabled monitoring
- T1566 (Phishing): Email URL and sender analysis across three detection angles
Affected Files
.script/tests/KqlvalidationsTests/CustomTables/RedSiftAuth_CL.json
.script/tests/KqlvalidationsTests/CustomTables/RedSiftEmailForensics_CL.json
.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
Logos/redsift_logo.svg
Solutions/Red Sift/Analytic Rules/RedSiftEmailUrlFromNewSender.yaml
Solutions/Red Sift/Analytic Rules/RedSiftEmailUrlFromNewSource.yaml
Solutions/Red Sift/Analytic Rules/RedSiftEmailUrlWithNewDomain.yaml
Solutions/Red Sift/Analytic Rules/RedSiftLoginFromNewIP.yaml
Solutions/Red Sift/Analytic Rules/RedSiftMFADisabled.yaml
Solutions/Red Sift/Data Connectors/RedSift_ccp/RedSift_Connector.json
Solutions/Red Sift/Data Connectors/RedSift_ccp/RedSift_DCR.json
Solutions/Red Sift/Data Connectors/RedSift_ccp/RedSift_Definition.json
Solutions/Red Sift/Data Connectors/RedSift_ccp/RedSift_EmailForensics_table.json
Solutions/Red Sift/Data Connectors/RedSift_ccp/RedSift_table.json
Solutions/Red Sift/Package/testParameters.json
(packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_RedSift.json, createUiDefinition.json, mainTemplate.json)