Expansion for Alert Generation for Alert Policy ‘A Potentially Malicious URL Click was Detected’
The current default alert policy named ‘A potentially malicious URL click was detected’ generates an alert on URL clicks for specific scenarios. One of the primary scenarios is called verdict change. The URL in the email was identified as “good” when it was delivered to the Inbox, however, when the user clicked the URL, Time of Click validation identified the URL as “bad” (as conditions / actions of the URL changed since email delivery). This verdict flip now describes the previous user clicks as clicks on malicious URLs, however, no alert is currently generated for the previous clicks.
We are expanding on this scenario to identify any user clicks on URLs going back 48 hours from the time of the verdict change. This reevaluation gives SecOps teams more insight into the historic clicks on malicious URLs and takes the appropriate actions.