MimecastDLP_CL| where action_s == "notification";
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastSEG/Analytic Rules/MimecastDLP.yaml
tactics:
- Exfiltration
requiredDataConnectors:
- connectorId: MimecastSIEMAPI
dataTypes:
- MimecastDLP_CL
triggerThreshold: 0
incidentConfiguration:
groupingConfiguration:
matchingMethod: AllEntities
reopenClosedIncident: false
enabled: true
lookbackDuration: 1d
createIncident: true
kind: Scheduled
suppressionEnabled: false
version: 1.0.0
entityMappings:
- entityType: MailMessage
fieldMappings:
- identifier: Sender
columnName: senderAddress_s
- identifier: Recipient
columnName: recipientAddress_s
- identifier: DeliveryAction
columnName: action_s
alertRuleTemplateName:
relevantTechniques:
- T1030
name: Mimecast Data Leak Prevention - Notifications
suppressionDuration: 5h
triggerOperator: gt
description: Detects threat for data leak when action is notification
queryPeriod: 15m
enabled: true
query: MimecastDLP_CL| where action_s == "notification";
queryFrequency: 5m
eventGroupingSettings:
aggregationKind: SingleAlert
severity: High
id: 1818aeaa-4cc8-426b-ba54-539de896d299
