let f_types = dynamic(['ps1', 'bat', 'scr', 'sh', 'exe', 'js', 'lnk']);
TrendMicroCAS
| where EventCategoryType in~ ('exchange', 'gmail', 'exchangeserver')
| where isnotempty(SrcFileName)
| extend file_type = extract(@'\.(\w+)$', 1, SrcFileName)
| where file_type in~ (f_types)
| extend AccountCustomEntity = DstUserName
triggerThreshold: 0
query: |
let f_types = dynamic(['ps1', 'bat', 'scr', 'sh', 'exe', 'js', 'lnk']);
TrendMicroCAS
| where EventCategoryType in~ ('exchange', 'gmail', 'exchangeserver')
| where isnotempty(SrcFileName)
| extend file_type = extract(@'\.(\w+)$', 1, SrcFileName)
| where file_type in~ (f_types)
| extend AccountCustomEntity = DstUserName
requiredDataConnectors:
- connectorId: TrendMicroCAS
dataTypes:
- TrendMicroCAS
id: 201fd2d1-9131-4b29-bace-ce5d19f3e4ee
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
queryPeriod: 1h
severity: Medium
queryFrequency: 1h
triggerOperator: gt
name: Trend Micro CAS - Unexpected file via mail
relevantTechniques:
- T1566
tactics:
- InitialAccess
description: |
'Detects when unexpected file recieved via mail.'
kind: Scheduled
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Trend Micro Cloud App Security/Analytic Rules/TrendMicroCASUnexpectedFileInMail.yaml
version: 1.0.0
