QRadar Phishing Rule Setup

Client: AI | Published: 09.02.2026
Budget: 1500 $

My QRadar deployment needs a sharper eye on phishing. I want a set of custom Alert and Correlation rules that reliably pick up everything from the first suspicious e-mail event to follow-up user activity that hints the attack is moving forward.

Scope
• Build correlation logic that ties together indicators such as mail-gateway detections, odd mailbox rules, risky web clicks, and any subsequent authentication anomalies.
• Create alert rules that trigger actionable offenses the moment a phishing pattern emerges.

The rules must fit neatly into existing QRadar best practices: use building blocks where appropriate, keep AQL searches efficient, and document each rule so another analyst can tune or extend it later.

Acceptance
A rule set that fires during lab replay of known phishing scenarios, generates clear offense descriptions, and shows no excessive false positives during a 24-hour baseline test.

If you have hands-on QRadar experience designing similar logic, especially around phishing, that’s the background I’m after.
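To make the correlation requirement concrete, here is an added example (not part of the posting and not QRadar code) that models the multi-stage logic in plain Python over constructed lab-replay events: indicators of the four kinds named above are grouped per user, a 24-hour window is slid over them, and an offense description is produced only when at least two distinct stages line up. The stage labels, the sample users and the event details are all assumptions; in QRadar each stage would be a building block matched by the rule, and the window and stage threshold would be the rule's tuning knobs for the baseline test.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Indicator classes the posting wants tied together. In QRadar each would be a
# building block matching the relevant log source / event category; here they
# are plain labels on constructed events (assumed names, not QRadar identifiers).
STAGES = (
    "mail_gateway_detection",   # gateway flagged a message as phishing
    "suspicious_mailbox_rule",  # new inbox rule that forwards or deletes mail
    "risky_web_click",          # proxy saw a click on a newly seen domain
    "auth_anomaly",             # unusual login shortly afterwards
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    stage: str
    detail: str


def describe(user, chain):
    """Offense description: stages in the order first seen, event count and
    time span, so an analyst can read the chain at a glance."""
    ordered = []
    for e in chain:
        if e.stage not in ordered:
            ordered.append(e.stage)
    first, last = chain[0], chain[-1]
    return (f"Possible phishing chain for {user}: " + " -> ".join(ordered)
            + f" ({len(chain)} events between {first.ts:%Y-%m-%d %H:%M}"
            + f" and {last.ts:%Y-%m-%d %H:%M})")


def correlate(events, window=timedelta(hours=24), min_stages=2):
    """Per user, anchor a window on each event and keep the chain with the most
    distinct stages. A single stage never fires here; that is left to the
    per-indicator alert rules, which keeps this rule quiet on baseline noise.
    Returns {user: offense_description}."""
    by_user = defaultdict(list)
    for ev in events:
        if ev.stage in STAGES:
            by_user[ev.user].append(ev)
    offenses = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        best = None
        for i, anchor in enumerate(evs):
            chain = [e for e in evs[i:] if e.ts - anchor.ts <= window]
            distinct = {e.stage for e in chain}
            if len(distinct) >= min_stages and (
                best is None or len(distinct) > len({e.stage for e in best})
            ):
                best = chain
        if best:
            offenses[user] = describe(user, best)
    return offenses


def sample_events():
    """Constructed lab-replay data, not real telemetry."""
    t = datetime(2026, 2, 9, 9, 0)
    return [
        # alice: full chain inside roughly one hour -> offense
        Event(t, "alice", "mail_gateway_detection", "gateway verdict: phish (constructed)"),
        Event(t + timedelta(minutes=12), "alice", "risky_web_click", "newly registered domain (constructed)"),
        Event(t + timedelta(minutes=30), "alice", "auth_anomaly", "login from new country (constructed)"),
        Event(t + timedelta(minutes=65), "alice", "suspicious_mailbox_rule", "forward + delete rule (constructed)"),
        # bob: one auth anomaly with no mail indicators -> baseline noise, no offense
        Event(t + timedelta(hours=2), "bob", "auth_anomaly", "impossible travel (constructed)"),
        # carol: click two days after the gateway hit -> outside the 24h window
        Event(t - timedelta(days=1), "carol", "mail_gateway_detection", "gateway verdict: phish (constructed)"),
        Event(t + timedelta(days=1), "carol", "risky_web_click", "lookalike domain (constructed)"),
    ]


def run_sample():
    return correlate(sample_events())


if __name__ == "__main__":
    for text in run_sample().values():
        print(text)
```

Running it yields one offense, for alice; bob's lone anomaly and carol's out-of-window pair stay silent, which is the false-positive behaviour the 24-hour baseline test is meant to confirm. Widening `window` or lowering `min_stages` is the equivalent of loosening the QRadar rule, and the effect can be measured on replayed scenarios before the rule is deployed.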