Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Votiro - File Blocked in Email

Votiro - File Blocked in Email

Back
Id0b8b91de-c63e-4bc2-b5f4-b15d3b379ec9
RulenameVotiro - File Blocked in Email
DescriptionThe analytic rule is designed to identify when an email is blocked by Votiro Sanitization Engine policy. The rule generates an alert when an email is blocked after Sanitization process which is not password protected and has a from field meaning its a valid email. More information in terms of details about the blocked attachment, such as the file name and hash, and information about the email, such as the sender and recipient(s). The alert also includes information about the Votiro policy that blocked the attachment and provides a link to additional details about the incident.
SeverityLow
TacticsCommandAndControl
DefenseEvasion
Impact
InitialAccess
TechniquesT0885
T1036
T1027
T1486
T1566
Required data connectorsVotiro
KindScheduled
Query frequency10m
Query period10m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Votiro/Analytic Rules/VotiroFileBlockedInEmail.yaml
Version1.0.0
Arm template0b8b91de-c63e-4bc2-b5f4-b15d3b379ec9.json
Deploy To Azure
let Votiro_view  = view () { VotiroEvents | where sanitizationResult has "Blocked" and passwordProtected == "false" and from =~ "null" | extend FileWithEmailDetails = strcat_delim(' ', fileName, 'with the hash', SrcFileSHA256, 'was blocked in an email that was sent from user', from, 'to the following recipients', recipients) | summarize count() by fileName, SrcFileSHA256, FileWithEmailDetails, policyName, tostring(incidentURL), sanitizationResult, LogSeverity | extend FileHashAlgo = "SHA256", FileHashValue = SrcFileSHA256};Votiro_view

id: 0b8b91de-c63e-4bc2-b5f4-b15d3b379ec9
triggerThreshold: 0
eventGroupingSettings:
  aggregationKind: AlertPerResult
severity: Low
triggerOperator: gt
requiredDataConnectors:
- connectorId: Votiro
  dataTypes:
  - CommonSecurityLog
entityMappings:
- fieldMappings:
  - identifier: Algorithm
    columnName: FileHashAlgo
  - identifier: Value
    columnName: FileHashValue
  entityType: FileHash
version: 1.0.0
query: let Votiro_view  = view () { VotiroEvents | where sanitizationResult has "Blocked" and passwordProtected == "false" and from =~ "null" | extend FileWithEmailDetails = strcat_delim(' ', fileName, 'with the hash', SrcFileSHA256, 'was blocked in an email that was sent from user', from, 'to the following recipients', recipients) | summarize count() by fileName, SrcFileSHA256, FileWithEmailDetails, policyName, tostring(incidentURL), sanitizationResult, LogSeverity | extend FileHashAlgo = "SHA256", FileHashValue = SrcFileSHA256};Votiro_view
queryPeriod: 10m
relevantTechniques:
- T0885
- T1036
- T1027
- T1486
- T1566
tactics:
- CommandAndControl
- DefenseEvasion
- Impact
- InitialAccess
incidentConfiguration:
  createIncident: true
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Votiro/Analytic Rules/VotiroFileBlockedInEmail.yaml
alertDetailsOverride:
  alertSeverityColumnName: LogSeverity
  alertDescriptionFormat: Attachment {{FileWithEmailDetails}} by Votiro due to Policy rules, see more detail in the following link {{incidentURL}}
  alertDisplayNameFormat: File with hash {{SrcFileSHA256}} was blocked
  alertTacticsColumnName: sanitizationResult
description: |
    'The analytic rule is designed to identify when an email is blocked by Votiro Sanitization Engine policy. The rule generates an alert when an email is blocked after Sanitization process which is not password protected and has a from field meaning its a valid email. More information in terms of details about the blocked attachment, such as the file name and hash, and information about the email, such as the sender and recipient(s). The alert also includes information about the Votiro policy that blocked the attachment and provides a link to additional details about the incident.'
name: Votiro - File Blocked in Email
kind: Scheduled
queryFrequency: 10m

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0b8b91de-c63e-4bc2-b5f4-b15d3b379ec9')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0b8b91de-c63e-4bc2-b5f4-b15d3b379ec9')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Attachment {{FileWithEmailDetails}} by Votiro due to Policy rules, see more detail in the following link {{incidentURL}}",
          "alertDisplayNameFormat": "File with hash {{SrcFileSHA256}} was blocked",
          "alertSeverityColumnName": "LogSeverity",
          "alertTacticsColumnName": "sanitizationResult"
        },
        "alertRuleTemplateName": "0b8b91de-c63e-4bc2-b5f4-b15d3b379ec9",
        "customDetails": null,
        "description": "'The analytic rule is designed to identify when an email is blocked by Votiro Sanitization Engine policy. The rule generates an alert when an email is blocked after Sanitization process which is not password protected and has a from field meaning its a valid email. More information in terms of details about the blocked attachment, such as the file name and hash, and information about the email, such as the sender and recipient(s). The alert also includes information about the Votiro policy that blocked the attachment and provides a link to additional details about the incident.'\n",
        "displayName": "Votiro - File Blocked in Email",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "FileHash",
            "fieldMappings": [
              {
                "columnName": "FileHashAlgo",
                "identifier": "Algorithm"
              },
              {
                "columnName": "FileHashValue",
                "identifier": "Value"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Votiro/Analytic Rules/VotiroFileBlockedInEmail.yaml",
        "query": "let Votiro_view  = view () { VotiroEvents | where sanitizationResult has \"Blocked\" and passwordProtected == \"false\" and from =~ \"null\" | extend FileWithEmailDetails = strcat_delim(' ', fileName, 'with the hash', SrcFileSHA256, 'was blocked in an email that was sent from user', from, 'to the following recipients', recipients) | summarize count() by fileName, SrcFileSHA256, FileWithEmailDetails, policyName, tostring(incidentURL), sanitizationResult, LogSeverity | extend FileHashAlgo = \"SHA256\", FileHashValue = SrcFileSHA256};Votiro_view",
        "queryFrequency": "PT10M",
        "queryPeriod": "PT10M",
        "severity": "Low",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "DefenseEvasion",
          "Impact",
          "InitialAccess"
        ],
        "techniques": [
          "T1027",
          "T1036",
          "T1486",
          "T1566"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}