let f_types = dynamic(['ps1', 'bat', 'scr', 'sh', 'exe', 'js', 'lnk']);
TrendMicroCAS
| where EventCategoryType in~ ('exchange', 'gmail', 'exchangeserver')
| where isnotempty(SrcFileName)
| extend file_type = extract(@'\.(\w+)$', 1, SrcFileName)
| where file_type in~ (f_types)
| extend AccountCustomEntity = DstUserName
queryPeriod: 1h
query: |
let f_types = dynamic(['ps1', 'bat', 'scr', 'sh', 'exe', 'js', 'lnk']);
TrendMicroCAS
| where EventCategoryType in~ ('exchange', 'gmail', 'exchangeserver')
| where isnotempty(SrcFileName)
| extend file_type = extract(@'\.(\w+)$', 1, SrcFileName)
| where file_type in~ (f_types)
| extend AccountCustomEntity = DstUserName
name: Trend Micro CAS - Unexpected file via mail
entityMappings:
- fieldMappings:
- columnName: AccountCustomEntity
identifier: Name
entityType: Account
queryFrequency: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Trend Micro Cloud App Security/Analytic Rules/TrendMicroCASUnexpectedFileInMail.yaml
requiredDataConnectors:
- connectorId: TrendMicroCAS
dataTypes:
- TrendMicroCAS
description: |
'Detects when unexpected file recieved via mail.'
kind: Scheduled
version: 1.0.0
status: Available
severity: Medium
relevantTechniques:
- T1566
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
id: 201fd2d1-9131-4b29-bace-ce5d19f3e4ee
