MimecastSIEM_CL| where mimecastEventId_s=="mail_av"
suppressionDuration: 5h
queryFrequency: 5m
suppressionEnabled: false
queryPeriod: 15m
eventGroupingSettings:
aggregationKind: SingleAlert
triggerOperator: gt
query: MimecastSIEM_CL| where mimecastEventId_s=="mail_av"
enabled: true
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastSEG/Analytic Rules/MimecastSIEM_AV.yaml
tactics:
- Execution
triggerThreshold: 0
entityMappings:
- entityType: MailMessage
fieldMappings:
- identifier: Sender
columnName: Sender_s
- identifier: Recipient
columnName: Recipient_s
- identifier: Subject
columnName: Subject_s
requiredDataConnectors:
- connectorId: MimecastSIEMAPI
dataTypes:
- MimecastSIEM_CL
kind: Scheduled
relevantTechniques:
- T1053
customDetails:
SenderDomain: SenderDomain_s
Route: Route_s
IP: IP_s
md5: md5_g
Virus: Virus_s
sha256: sha256_s
CustomerIP: CustomerIP_s
Size: Size_s
fileName: fileName_s
SenderDomainInternal: SenderDomainInternal_s
sha1: sha1_s
fileExt: fileExt_s
MimecastIP: MimecastIP_s
fileMime: fileMime_s
MsgId_s: MsgId_s
description: Detects threats from email anti virus scan
incidentConfiguration:
groupingConfiguration:
matchingMethod: AllEntities
reopenClosedIncident: false
lookbackDuration: 1d
enabled: true
createIncident: true
name: Mimecast Secure Email Gateway - AV
version: 1.0.1
id: 0f0dc725-29dc-48c3-bf10-bd2f34fd1cbb
severity: Informational
