This repository has been archived by the owner on Nov 16, 2023. It is now read-only.
Query improvements - Exfiltration to Competitor #298
Comments
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
{{ message }}
Hi,
I believe the query "Detect Exfiltration to Competitor Organization" could be improved. Instead of filtering on the string "competitor", cant we just put the domain of the competitors:
EmailEvents
| where RecipientEmailAddress contains "competitor.com" // domain of the competitor.
The text was updated successfully, but these errors were encountered: