MimecastSIEM_CL| where mimecastEventId_s=="mail_receipt_virus"
incidentConfiguration:
createIncident: true
groupingConfiguration:
reopenClosedIncident: false
lookbackDuration: 1d
matchingMethod: AllEntities
enabled: true
relevantTechniques:
- T1053
queryFrequency: 5m
triggerOperator: gt
description: Detect threat for virus from mail receipt virus event
customDetails:
Dir: Dir_s
TlsVer: TlsVer_s
Virus: Virus_s
headerFrom: headerFrom_s
Cphr: Cphr_s
MsgId_s: MsgId_s
IP: IP_s
RejCode: RejCode_s
RejInfo: RejInfo_s
Act: Act_s
RejType: RejType_s
Error: Error_s
triggerThreshold: 0
id: 30f73baa-602c-4373-8f02-04ff5e51fc7f
name: Mimecast Secure Email Gateway - Virus
queryPeriod: 15m
alertDetailsOverride:
query: MimecastSIEM_CL| where mimecastEventId_s=="mail_receipt_virus"
severity: Informational
eventGroupingSettings:
aggregationKind: SingleAlert
enabled: true
entityMappings:
- fieldMappings:
- columnName: Sender_s
identifier: Sender
- columnName: Rcpt_s
identifier: Recipient
- columnName: Subject_s
identifier: Subject
entityType: MailMessage
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastSEG/Analytic Rules/MimecastSIEM_Virus.yaml
requiredDataConnectors:
- connectorId: MimecastSIEMAPI
dataTypes:
- MimecastSIEM_CL
suppressionDuration: 5h
version: 1.0.1
tactics:
- Execution
suppressionEnabled: false
kind: Scheduled
