MimecastSIEM_CL| where mimecastEventId_s=="mail_receipt_virus"
queryPeriod: 15m
id: 30f73baa-602c-4373-8f02-04ff5e51fc7f
severity: Informational
relevantTechniques:
- T1053
queryFrequency: 5m
query: MimecastSIEM_CL| where mimecastEventId_s=="mail_receipt_virus"
suppressionDuration: 5h
customDetails:
Act: Act_s
TlsVer: TlsVer_s
IP: IP_s
RejType: RejType_s
RejInfo: RejInfo_s
Dir: Dir_s
Error: Error_s
RejCode: RejCode_s
Cphr: Cphr_s
headerFrom: headerFrom_s
Virus: Virus_s
MsgId_s: MsgId_s
suppressionEnabled: false
version: 1.0.1
incidentConfiguration:
groupingConfiguration:
matchingMethod: AllEntities
lookbackDuration: 1d
enabled: true
reopenClosedIncident: false
createIncident: true
triggerOperator: gt
requiredDataConnectors:
- dataTypes:
- MimecastSIEM_CL
connectorId: MimecastSIEMAPI
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastSEG/Analytic Rules/MimecastSIEM_Virus.yaml
name: Mimecast Secure Email Gateway - Virus
entityMappings:
- fieldMappings:
- identifier: Sender
columnName: Sender_s
- identifier: Recipient
columnName: Rcpt_s
- identifier: Subject
columnName: Subject_s
entityType: MailMessage
triggerThreshold: 0
tactics:
- Execution
eventGroupingSettings:
aggregationKind: SingleAlert
enabled: true
alertDetailsOverride:
description: Detect threat for virus from mail receipt virus event
