Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

ProofpointPOD - Email sender in TI list

Back
Id35a0792a-1269-431e-ac93-7ae2980d4dde
RulenameProofpointPOD - Email sender in TI list
DescriptionEmail sender in TI list.
SeverityMedium
TacticsExfiltration
InitialAccess
TechniquesT1078
T1567
Required data connectorsProofpointPOD
ThreatIntelligence
ThreatIntelligenceTaxii
KindScheduled
Query frequency1d
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Proofpoint On demand(POD) Email Security/Analytic Rules/ProofpointPODEmailSenderInTIList.yaml
Version1.1.2
Arm template35a0792a-1269-431e-ac93-7ae2980d4dde.json
Deploy To Azure
let dt_lookBack = 1h;
let ioc_lookBack = 14d;
ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
| where Active == true
| where isnotempty(EmailSenderAddress)
| extend TI_emailEntity = EmailSenderAddress
// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
| join kind=innerunique (
       ProofpointPOD
       | where TimeGenerated >= ago(dt_lookBack)
       | where isnotempty(SrcUserUpn)
       | extend ProofpointPOD_TimeGenerated = TimeGenerated, ClientEmail = SrcUserUpn
)
on $left.TI_emailEntity == $right.ClientEmail
| where ProofpointPOD_TimeGenerated < ExpirationDateTime
| summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientEmail
| project ProofpointPOD_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, ClientEmail
| extend timestamp = ProofpointPOD_TimeGenerated
relevantTechniques:
- T1078
- T1567
name: ProofpointPOD - Email sender in TI list
requiredDataConnectors:
- dataTypes:
  - ThreatIntelligenceIndicator
  connectorId: ThreatIntelligence
- dataTypes:
  - ThreatIntelligenceIndicator
  connectorId: ThreatIntelligenceTaxii
- dataTypes:
  - ProofpointPOD_maillog_CL
  connectorId: ProofpointPOD
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: ClientEmail
  entityType: Account
triggerThreshold: 0
id: 35a0792a-1269-431e-ac93-7ae2980d4dde
tactics:
- Exfiltration
- InitialAccess
version: 1.1.2
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Proofpoint On demand(POD) Email Security/Analytic Rules/ProofpointPODEmailSenderInTIList.yaml
queryPeriod: 14d
kind: Scheduled
queryFrequency: 1d
severity: Medium
description: |
    'Email sender in TI list.'
query: |
  let dt_lookBack = 1h;
  let ioc_lookBack = 14d;
  ThreatIntelligenceIndicator
  | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
  | where Active == true
  | where isnotempty(EmailSenderAddress)
  | extend TI_emailEntity = EmailSenderAddress
  // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
  | join kind=innerunique (
         ProofpointPOD
         | where TimeGenerated >= ago(dt_lookBack)
         | where isnotempty(SrcUserUpn)
         | extend ProofpointPOD_TimeGenerated = TimeGenerated, ClientEmail = SrcUserUpn
  )
  on $left.TI_emailEntity == $right.ClientEmail
  | where ProofpointPOD_TimeGenerated < ExpirationDateTime
  | summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientEmail
  | project ProofpointPOD_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, ClientEmail
  | extend timestamp = ProofpointPOD_TimeGenerated  
triggerOperator: gt
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/35a0792a-1269-431e-ac93-7ae2980d4dde')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/35a0792a-1269-431e-ac93-7ae2980d4dde')]",
      "properties": {
        "alertRuleTemplateName": "35a0792a-1269-431e-ac93-7ae2980d4dde",
        "customDetails": null,
        "description": "'Email sender in TI list.'\n",
        "displayName": "ProofpointPOD - Email sender in TI list",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "ClientEmail",
                "identifier": "FullName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Proofpoint On demand(POD) Email Security/Analytic Rules/ProofpointPODEmailSenderInTIList.yaml",
        "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| where Active == true\n| where isnotempty(EmailSenderAddress)\n| extend TI_emailEntity = EmailSenderAddress\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n       ProofpointPOD\n       | where TimeGenerated >= ago(dt_lookBack)\n       | where isnotempty(SrcUserUpn)\n       | extend ProofpointPOD_TimeGenerated = TimeGenerated, ClientEmail = SrcUserUpn\n)\non $left.TI_emailEntity == $right.ClientEmail\n| where ProofpointPOD_TimeGenerated < ExpirationDateTime\n| summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientEmail\n| project ProofpointPOD_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, ClientEmail\n| extend timestamp = ProofpointPOD_TimeGenerated\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Exfiltration",
          "InitialAccess"
        ],
        "techniques": [
          "T1078",
          "T1567"
        ],
        "templateVersion": "1.1.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}