MimecastSIEM_CL| where mimecastEventId_s=="mail_receipt_virus"
incidentConfiguration:
createIncident: true
groupingConfiguration:
lookbackDuration: 1d
matchingMethod: AllEntities
reopenClosedIncident: false
enabled: true
description: Detect threat for virus from mail receipt virus event
tactics:
- Execution
version: 1.0.1
kind: Scheduled
requiredDataConnectors:
- dataTypes:
- MimecastSIEM_CL
connectorId: MimecastSIEMAPI
severity: Informational
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastSEG/Analytic Rules/MimecastSIEM_Virus.yaml
queryPeriod: 15m
id: 30f73baa-602c-4373-8f02-04ff5e51fc7f
triggerOperator: gt
suppressionDuration: 5h
triggerThreshold: 0
name: Mimecast Secure Email Gateway - Virus
customDetails:
RejCode: RejCode_s
TlsVer: TlsVer_s
Virus: Virus_s
Cphr: Cphr_s
MsgId_s: MsgId_s
Dir: Dir_s
IP: IP_s
RejInfo: RejInfo_s
headerFrom: headerFrom_s
RejType: RejType_s
Act: Act_s
Error: Error_s
alertDetailsOverride:
enabled: true
relevantTechniques:
- T1053
eventGroupingSettings:
aggregationKind: SingleAlert
suppressionEnabled: false
query: MimecastSIEM_CL| where mimecastEventId_s=="mail_receipt_virus"
entityMappings:
- fieldMappings:
- columnName: Sender_s
identifier: Sender
- columnName: Rcpt_s
identifier: Recipient
- columnName: Subject_s
identifier: Subject
entityType: MailMessage
queryFrequency: 5m
