Email Rule Change
Detects creation of suspicious or risky email forwarding and filtering rules, often used in Business Email Compromise (BEC) attacks. This workflow monitors email rule modifications and alerts on potentially malicious configurations.
Fluency's AI monitors email system configurations for suspicious rule changes that could indicate account compromise. The system analyzes rule patterns, forwarding destinations, and timing to identify potential BEC attacks or data exfiltration attempts.
AI Analysis vs Splunk SPL-Based Detection
See how advanced AI-driven security analysis compares to traditional SPL-based detection in key areas of context, logic, and output quality.
| Feature / Capability | AI Analysis | Splunk SPL-Based Detection |
|---|---|---|
| IP to location logic | Accurate with human-readable locations (Barcelona → Opfikon) and real-world travel distance | Based on iplocation, sometimes inaccurate or outdated; no city-to-city distance context |
| Device context awareness | The AI recognize the second IP is from a known AVD endpoint, and distinguish cloud-hosted vs. personal device | SPL treats IPs as flat values; doesn’t infer context from device names unless explicitly encoded in a lookup |
| User role logic | Knows the user is a subcontractor marked ONLY REMOTE, making virtual desktop infrastructure login expected. | SPL cannot infer or evaluate user roles without joining external HR or identity data. |
| Session analysis | The AI considered whether logins belong to the same session or different contexts (VDI vs. local) | SPL can’t link session context unless it’s engineered manually (e.g., through token IDs, session IDs) |
| False positive suppression logic | Advises suppression based on trusted IP/device combinations, remote work patterns, and device type | Requires custom correlation searches, lookups, or external context ingestion |
| ML signal interpretation | Distinguishes why the alert triggered (ML_NEW_USER, ML_NEW_GEO_ISP) and de-risks based on identity validation | SPL will just flag those risks; human/AI interpretation must be layered on top |
| Analyst judgment | Emulates how a human SOC analyst would reason through intent, identity, and environment | SPL doesn’t support nuanced intent modeling without external logic or ML/UEBA tooling |
| Output quality | Clear, contextual, explainable narrative with defensive recommendations | SPL produces tabular alerts and risk scores; lacks explanation without additional dashboards or notes |