Mimecast Data Leak Prevention - Notifications

Back


Id	1818aeaa-4cc8-426b-ba54-539de896d299
Rulename	Mimecast Data Leak Prevention - Notifications
Description	Detects threat for data leak when action is notification
Severity	High
Tactics	Exfiltration
Techniques	T1030
Required data connectors	MimecastSIEMAPI
Kind	Scheduled
Query frequency	5m
Query period	15m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastSEG/Analytic Rules/MimecastDLP.yaml
Version	1.0.0
Arm template	1818aeaa-4cc8-426b-ba54-539de896d299.json

KQL

MimecastDLP_CL| where action_s == "notification";

YAML

entityMappings:
- entityType: MailMessage
  fieldMappings:
  - identifier: Sender
    columnName: senderAddress_s
  - identifier: Recipient
    columnName: recipientAddress_s
  - identifier: DeliveryAction
    columnName: action_s
tactics:
- Exfiltration
suppressionEnabled: false
suppressionDuration: 5h
requiredDataConnectors:
- dataTypes:
  - MimecastDLP_CL
  connectorId: MimecastSIEMAPI
eventGroupingSettings:
  aggregationKind: SingleAlert
incidentConfiguration:
  groupingConfiguration:
    enabled: true
    lookbackDuration: 1d
    reopenClosedIncident: false
    matchingMethod: AllEntities
  createIncident: true
id: 1818aeaa-4cc8-426b-ba54-539de896d299
severity: High
alertRuleTemplateName: 
query: MimecastDLP_CL| where action_s == "notification";
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastSEG/Analytic Rules/MimecastDLP.yaml
kind: Scheduled
queryPeriod: 15m
enabled: true
version: 1.0.0
name: Mimecast Data Leak Prevention - Notifications
queryFrequency: 5m
triggerThreshold: 0
relevantTechniques:
- T1030
description: Detects threat for data leak when action is notification
triggerOperator: gt

ARM