Mimecast Secure Email Gateway - Virus

Back


Id	30f73baa-602c-4373-8f02-04ff5e51fc7f
Rulename	Mimecast Secure Email Gateway - Virus
Description	Detect threat for virus from mail receipt virus event
Severity	Informational
Tactics	Execution
Techniques	T1053
Required data connectors	MimecastSIEMAPI
Kind	Scheduled
Query frequency	5m
Query period	15m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastSEG/Analytic Rules/MimecastSIEM_Virus.yaml
Version	1.0.1
Arm template	30f73baa-602c-4373-8f02-04ff5e51fc7f.json

KQL

MimecastSIEM_CL| where mimecastEventId_s=="mail_receipt_virus"

YAML

name: Mimecast Secure Email Gateway - Virus
alertDetailsOverride: 
entityMappings:
- fieldMappings:
  - columnName: Sender_s
    identifier: Sender
  - columnName: Rcpt_s
    identifier: Recipient
  - columnName: Subject_s
    identifier: Subject
  entityType: MailMessage
id: 30f73baa-602c-4373-8f02-04ff5e51fc7f
enabled: true
suppressionEnabled: false
version: 1.0.1
triggerOperator: gt
query: MimecastSIEM_CL| where mimecastEventId_s=="mail_receipt_virus"
description: Detect threat for virus from mail receipt virus event
suppressionDuration: 5h
kind: Scheduled
queryFrequency: 5m
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastSEG/Analytic Rules/MimecastSIEM_Virus.yaml
severity: Informational
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: 1d
    reopenClosedIncident: false
    matchingMethod: AllEntities
    enabled: true
queryPeriod: 15m
requiredDataConnectors:
- dataTypes:
  - MimecastSIEM_CL
  connectorId: MimecastSIEMAPI
customDetails:
  Cphr: Cphr_s
  RejInfo: RejInfo_s
  IP: IP_s
  TlsVer: TlsVer_s
  RejCode: RejCode_s
  Dir: Dir_s
  headerFrom: headerFrom_s
  Error: Error_s
  Virus: Virus_s
  MsgId_s: MsgId_s
  Act: Act_s
  RejType: RejType_s
eventGroupingSettings:
  aggregationKind: SingleAlert
relevantTechniques:
- T1053
tactics:
- Execution

ARM