Mimecast Data Leak Prevention - Notifications

Back


Id	1818aeaa-4cc8-426b-ba54-539de896d299
Rulename	Mimecast Data Leak Prevention - Notifications
Description	Detects threat for data leak when action is notification
Severity	High
Tactics	Exfiltration
Techniques	T1030
Required data connectors	MimecastSIEMAPI
Kind	Scheduled
Query frequency	5m
Query period	15m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastSEG/Analytic Rules/MimecastDLP.yaml
Version	1.0.0
Arm template	1818aeaa-4cc8-426b-ba54-539de896d299.json

KQL

MimecastDLP_CL| where action_s == "notification";

YAML

requiredDataConnectors:
- dataTypes:
  - MimecastDLP_CL
  connectorId: MimecastSIEMAPI
description: Detects threat for data leak when action is notification
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastSEG/Analytic Rules/MimecastDLP.yaml
query: MimecastDLP_CL| where action_s == "notification";
eventGroupingSettings:
  aggregationKind: SingleAlert
triggerThreshold: 0
name: Mimecast Data Leak Prevention - Notifications
relevantTechniques:
- T1030
suppressionDuration: 5h
enabled: true
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    enabled: true
    matchingMethod: AllEntities
    lookbackDuration: 1d
  createIncident: true
alertRuleTemplateName: 
tactics:
- Exfiltration
queryPeriod: 15m
severity: High
entityMappings:
- entityType: MailMessage
  fieldMappings:
  - columnName: senderAddress_s
    identifier: Sender
  - columnName: recipientAddress_s
    identifier: Recipient
  - columnName: action_s
    identifier: DeliveryAction
suppressionEnabled: false
queryFrequency: 5m
id: 1818aeaa-4cc8-426b-ba54-539de896d299
kind: Scheduled
version: 1.0.0
triggerOperator: gt

ARM