let f_types = dynamic(['ps1', 'bat', 'scr', 'sh', 'exe', 'js', 'lnk']);
TrendMicroCAS
| where EventCategoryType in~ ('exchange', 'gmail', 'exchangeserver')
| where isnotempty(SrcFileName)
| extend file_type = extract(@'\.(\w+)$', 1, SrcFileName)
| where file_type in~ (f_types)
| extend AccountCustomEntity = DstUserName
status: Available
relevantTechniques:
- T1566
triggerThreshold: 0
severity: Medium
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Trend Micro Cloud App Security/Analytic Rules/TrendMicroCASUnexpectedFileInMail.yaml
queryPeriod: 1h
query: |
let f_types = dynamic(['ps1', 'bat', 'scr', 'sh', 'exe', 'js', 'lnk']);
TrendMicroCAS
| where EventCategoryType in~ ('exchange', 'gmail', 'exchangeserver')
| where isnotempty(SrcFileName)
| extend file_type = extract(@'\.(\w+)$', 1, SrcFileName)
| where file_type in~ (f_types)
| extend AccountCustomEntity = DstUserName
id: 201fd2d1-9131-4b29-bace-ce5d19f3e4ee
entityMappings:
- fieldMappings:
- columnName: AccountCustomEntity
identifier: Name
entityType: Account
name: Trend Micro CAS - Unexpected file via mail
kind: Scheduled
description: |
'Detects when unexpected file recieved via mail.'
tactics:
- InitialAccess
version: 1.0.0
triggerOperator: gt
queryFrequency: 1h
requiredDataConnectors:
- connectorId: TrendMicroCAS
dataTypes:
- TrendMicroCAS
