can be used

Data | Usage | Sources
Metadata of all downloaded files | Hash, size, name, MIME type, source URL, referrer, user-agent used for the download. Checking hashes against TI feeds | Bro, Suricata, proxy/NGFW logs
Metadata of email headers / SMTP metadata | To, From, Subject, Received headers, size, MTA used, reception time, presence of an attachment | Email server logs, Bro
Metadata of email attachments | MD5 hash, size, name, MIME type, link to the corresponding email metadata | Bro, homemade scripts
URLs from email bodies | Checking against TI feeds. Tracking emails with links to file-hosting services | Bro, homemade scripts
Netflow | Can be used to detect data exfiltration, worm malware activity, lateral movement, port scanning; checking remote IP addresses against TI feeds | nfcapd, nfdump …
Outgoing HTTP/HTTPS | Detection of communications with C2, data exfiltration; checking accessed URLs against TI feeds | Proxy/NGFW logs, Bro
Outgoing DNS request metadata | Detection of DNS exfiltration and DNS tunneling. Checking requested hostnames against TI feeds | Bro, DNS server logs
Metadata of SMB / RPC | Detection of lateral movement, credential dumping (DCSync, remote reg save), internal recon… | Bro
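Several rows above share one pattern: take metadata that Bro (now Zeek) already writes, pull out the indicator column (a file hash, a queried hostname), and check it against a threat-intelligence feed. The script below is an added example of that check and is not part of the original page or of the Bro/Zeek project. The files.log and dns.log excerpts and the indicator sets are constructed; the column layout follows Zeek's TSV format (a `#fields` header naming the columns, `-` for unset values) but is trimmed to the fields the check needs. The hostname check also matches subdomains of a listed domain, which is what the DNS-tunneling row calls for, since the exfiltrated data rides in ever-changing labels under one fixed domain.

```python
"""Check Bro/Zeek file and DNS metadata against TI indicators (added example).

All log lines and indicator values below are constructed for illustration.
"""

# Constructed TI feed: known-bad file hashes and C2 / file-drop hostnames.
TI_HASHES = {"9e107d9d372bb6826bd81d3542a419d6", "b1946ac92492d2347c6235b4d2611184"}
TI_HOSTNAMES = {"update-check.example.net", "cdn.files-drop.example.org"}

# Constructed files.log excerpt (tab-separated, subset of Zeek's columns).
FILES_LOG = (
    "#fields\tts\tfuid\ttx_hosts\trx_hosts\tsource\tmime_type\tfilename\tmd5\n"
    "1700000000.1\tFabc1\t203.0.113.10\t10.0.0.5\tHTTP\tapplication/x-dosexec\tinvoice.exe\t9e107d9d372bb6826bd81d3542a419d6\n"
    "1700000001.2\tFabc2\t203.0.113.11\t10.0.0.6\tHTTP\timage/png\tlogo.png\t0cc175b9c0f1b6a831c399e269772661\n"
    "1700000001.9\tFabc3\t203.0.113.12\t10.0.0.6\tHTTP\ttext/html\t-\t-\n"
)

# Constructed dns.log excerpt (tab-separated, subset of Zeek's columns).
DNS_LOG = (
    "#fields\tts\tid.orig_h\tquery\tqtype_name\n"
    "1700000002.3\t10.0.0.5\tupdate-check.example.net\tA\n"
    "1700000003.4\t10.0.0.7\twww.example.com\tA\n"
    "1700000004.5\t10.0.0.8\tzz4aa3.cdn.files-drop.example.org\tTXT\n"
)


def parse_zeek_log(text):
    """Parse Zeek/Bro TSV output into dicts keyed by the '#fields' names."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other metadata lines (#separator, #types, #close ...)
        values = line.split("\t")
        if fields is None or len(values) != len(fields):
            raise ValueError("malformed log line: %r" % line)
        rows.append(dict(zip(fields, values)))
    return rows


def hostname_matches(query, indicators):
    """True when query equals an indicator or is a subdomain of one."""
    q = query.rstrip(".").lower()
    return any(q == ind or q.endswith("." + ind) for ind in indicators)


def find_file_hits(files_rows, ti_hashes):
    """Rows whose md5 appears in the feed; unset hashes ('-') are skipped."""
    hits = []
    for row in files_rows:
        md5 = row.get("md5", "-").lower()
        if md5 != "-" and md5 in ti_hashes:
            hits.append({"kind": "file", "ts": row["ts"], "host": row["rx_hosts"],
                         "indicator": md5, "filename": row["filename"],
                         "mime_type": row["mime_type"]})
    return hits


def find_dns_hits(dns_rows, ti_hostnames):
    """Rows whose query is (or sits under) a hostname from the feed."""
    hits = []
    for row in dns_rows:
        query = row.get("query", "-")
        if query != "-" and hostname_matches(query, ti_hostnames):
            hits.append({"kind": "dns", "ts": row["ts"], "host": row["id.orig_h"],
                         "indicator": query, "qtype": row["qtype_name"]})
    return hits


def run_checks():
    """Run both checks over the constructed logs and return all hits."""
    files_rows = parse_zeek_log(FILES_LOG)
    dns_rows = parse_zeek_log(DNS_LOG)
    return find_file_hits(files_rows, TI_HASHES) + find_dns_hits(dns_rows, TI_HOSTNAMES)


if __name__ == "__main__":
    for hit in run_checks():
        print("%(kind)s hit at %(ts)s from %(host)s: %(indicator)s" % hit)
```

On the constructed input this flags the downloaded `invoice.exe` by hash, the exact C2 lookup from 10.0.0.5, and the TXT query from 10.0.0.8 whose random-looking leading label sits under the listed file-drop domain; the benign PNG and www.example.com lookup pass. In a real deployment the feed sets would be refreshed from the TI source and the script pointed at the live Zeek log directory, but the matching logic is the same.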