MimecastSIEM_CL| where mimecastEventId_s=="mail_receipt_virus"
kind: Scheduled
triggerThreshold: 0
customDetails:
RejCode: RejCode_s
IP: IP_s
MsgId_s: MsgId_s
Act: Act_s
Cphr: Cphr_s
RejInfo: RejInfo_s
Virus: Virus_s
headerFrom: headerFrom_s
RejType: RejType_s
Error: Error_s
Dir: Dir_s
TlsVer: TlsVer_s
tactics:
- Execution
alertDetailsOverride:
description: Detect threat for virus from mail receipt virus event
suppressionEnabled: false
requiredDataConnectors:
- dataTypes:
- MimecastSIEM_CL
connectorId: MimecastSIEMAPI
queryPeriod: 15m
version: 1.0.1
severity: Informational
enabled: true
entityMappings:
- fieldMappings:
- columnName: Sender_s
identifier: Sender
- columnName: Rcpt_s
identifier: Recipient
- columnName: Subject_s
identifier: Subject
entityType: MailMessage
queryFrequency: 5m
id: 30f73baa-602c-4373-8f02-04ff5e51fc7f
eventGroupingSettings:
aggregationKind: SingleAlert
name: Mimecast Secure Email Gateway - Virus
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastSEG/Analytic Rules/MimecastSIEM_Virus.yaml
triggerOperator: gt
incidentConfiguration:
groupingConfiguration:
matchingMethod: AllEntities
reopenClosedIncident: false
enabled: true
lookbackDuration: 1d
createIncident: true
relevantTechniques:
- T1053
suppressionDuration: 5h
query: MimecastSIEM_CL| where mimecastEventId_s=="mail_receipt_virus"
