Votiro - File Blocked in Email
| Field | Value |
| --- | --- |
| Id | 0b8b91de-c63e-4bc2-b5f4-b15d3b379ec9 |
| Rule name | Votiro - File Blocked in Email |
| Description | This analytic rule identifies when an email attachment is blocked by Votiro Sanitization Engine policy. It generates an alert when an email is blocked after the sanitization process, is not password protected, and has a from field, meaning it is a valid email. The alert carries details about the blocked attachment, such as the file name and hash, and about the email, such as the sender and recipient(s). It also includes the Votiro policy that blocked the attachment and a link to additional details about the incident. |
| Severity | Low |
| Tactics | CommandAndControl, DefenseEvasion, Impact, InitialAccess |
| Techniques | T0885, T1036, T1027, T1486, T1566 |
| Required data connectors | CefAma, Votiro |
| Kind | Scheduled |
| Query frequency | 10m |
| Query period | 10m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Votiro/Analytic Rules/VotiroFileBlockedInEmail.yaml |
| Version | 1.0.1 |
| Arm template | 0b8b91de-c63e-4bc2-b5f4-b15d3b379ec9.json |

Query (KQL):

```kusto
let Votiro_view = view () {
    VotiroEvents
    | where sanitizationResult has "Blocked" and passwordProtected == "false" and from =~ "null"
    | extend FileWithEmailDetails = strcat_delim(' ', fileName, 'with the hash', SrcFileSHA256, 'was blocked in an email that was sent from user', from, 'to the following recipients', recipients)
    | summarize count() by fileName, SrcFileSHA256, FileWithEmailDetails, policyName, tostring(incidentURL), sanitizationResult, LogSeverity
    | extend FileHashAlgo = "SHA256", FileHashValue = SrcFileSHA256
};
Votiro_view
```
Rule definition (YAML):

```yaml
requiredDataConnectors:
  - dataTypes:
      - CommonSecurityLog
    connectorId: Votiro
  - dataTypes:
      - CommonSecurityLog
    connectorId: CefAma
name: Votiro - File Blocked in Email
queryFrequency: 10m
tactics:
  - CommandAndControl
  - DefenseEvasion
  - Impact
  - InitialAccess
relevantTechniques:
  - T0885
  - T1036
  - T1027
  - T1486
  - T1566
eventGroupingSettings:
  aggregationKind: AlertPerResult
alertDetailsOverride:
  alertTacticsColumnName: sanitizationResult
  alertDescriptionFormat: Attachment {{FileWithEmailDetails}} by Votiro due to Policy rules, see more detail in the following link {{incidentURL}}
  alertDisplayNameFormat: File with hash {{SrcFileSHA256}} was blocked
  alertSeverityColumnName: LogSeverity
id: 0b8b91de-c63e-4bc2-b5f4-b15d3b379ec9
queryPeriod: 10m
entityMappings:
  - fieldMappings:
      - identifier: Algorithm
        columnName: FileHashAlgo
      - identifier: Value
        columnName: FileHashValue
    entityType: FileHash
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Votiro/Analytic Rules/VotiroFileBlockedInEmail.yaml
query: let Votiro_view = view () { VotiroEvents | where sanitizationResult has "Blocked" and passwordProtected == "false" and from =~ "null" | extend FileWithEmailDetails = strcat_delim(' ', fileName, 'with the hash', SrcFileSHA256, 'was blocked in an email that was sent from user', from, 'to the following recipients', recipients) | summarize count() by fileName, SrcFileSHA256, FileWithEmailDetails, policyName, tostring(incidentURL), sanitizationResult, LogSeverity | extend FileHashAlgo = "SHA256", FileHashValue = SrcFileSHA256};Votiro_view
triggerOperator: gt
severity: Low
description: |
  'The analytic rule is designed to identify when an email is blocked by Votiro Sanitization Engine policy. The rule generates an alert when an email is blocked after Sanitization process which is not password protected and has a from field meaning its a valid email. More information in terms of details about the blocked attachment, such as the file name and hash, and information about the email, such as the sender and recipient(s). The alert also includes information about the Votiro policy that blocked the attachment and provides a link to additional details about the incident.'
triggerThreshold: 0
version: 1.0.1
incidentConfiguration:
  createIncident: true
```
ARM template (0b8b91de-c63e-4bc2-b5f4-b15d3b379ec9.json):

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0b8b91de-c63e-4bc2-b5f4-b15d3b379ec9')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0b8b91de-c63e-4bc2-b5f4-b15d3b379ec9')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Attachment {{FileWithEmailDetails}} by Votiro due to Policy rules, see more detail in the following link {{incidentURL}}",
          "alertDisplayNameFormat": "File with hash {{SrcFileSHA256}} was blocked",
          "alertSeverityColumnName": "LogSeverity",
          "alertTacticsColumnName": "sanitizationResult"
        },
        "alertRuleTemplateName": "0b8b91de-c63e-4bc2-b5f4-b15d3b379ec9",
        "customDetails": null,
        "description": "'The analytic rule is designed to identify when an email is blocked by Votiro Sanitization Engine policy. The rule generates an alert when an email is blocked after Sanitization process which is not password protected and has a from field meaning its a valid email. More information in terms of details about the blocked attachment, such as the file name and hash, and information about the email, such as the sender and recipient(s). The alert also includes information about the Votiro policy that blocked the attachment and provides a link to additional details about the incident.'\n",
        "displayName": "Votiro - File Blocked in Email",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "FileHash",
            "fieldMappings": [
              {
                "columnName": "FileHashAlgo",
                "identifier": "Algorithm"
              },
              {
                "columnName": "FileHashValue",
                "identifier": "Value"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Votiro/Analytic Rules/VotiroFileBlockedInEmail.yaml",
        "query": "let Votiro_view = view () { VotiroEvents | where sanitizationResult has \"Blocked\" and passwordProtected == \"false\" and from =~ \"null\" | extend FileWithEmailDetails = strcat_delim(' ', fileName, 'with the hash', SrcFileSHA256, 'was blocked in an email that was sent from user', from, 'to the following recipients', recipients) | summarize count() by fileName, SrcFileSHA256, FileWithEmailDetails, policyName, tostring(incidentURL), sanitizationResult, LogSeverity | extend FileHashAlgo = \"SHA256\", FileHashValue = SrcFileSHA256};Votiro_view",
        "queryFrequency": "PT10M",
        "queryPeriod": "PT10M",
        "severity": "Low",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "DefenseEvasion",
          "Impact",
          "InitialAccess"
        ],
        "techniques": [
          "T1027",
          "T1036",
          "T1486",
          "T1566"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}
```