Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

ProofpointPOD - Email sender in TI list

Back
Id35a0792a-1269-431e-ac93-7ae2980d4dde
RulenameProofpointPOD - Email sender in TI list
DescriptionEmail sender in TI list.
SeverityMedium
TacticsExfiltration
InitialAccess
TechniquesT1078
T1567
Required data connectorsProofpointPOD
ThreatIntelligence
ThreatIntelligenceTaxii
KindScheduled
Query frequency1d
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Proofpoint On demand(POD) Email Security/Analytic Rules/ProofpointPODEmailSenderInTIList.yaml
Version1.1.2
Arm template35a0792a-1269-431e-ac93-7ae2980d4dde.json
Deploy To Azure
let dt_lookBack = 1h;
let ioc_lookBack = 14d;
ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
| where Active == true
| where isnotempty(EmailSenderAddress)
| extend TI_emailEntity = EmailSenderAddress
// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
| join kind=innerunique (
       ProofpointPOD
       | where TimeGenerated >= ago(dt_lookBack)
       | where isnotempty(SrcUserUpn)
       | extend ProofpointPOD_TimeGenerated = TimeGenerated, ClientEmail = SrcUserUpn
)
on $left.TI_emailEntity == $right.ClientEmail
| where ProofpointPOD_TimeGenerated < ExpirationDateTime
| summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientEmail
| project ProofpointPOD_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, ClientEmail
| extend timestamp = ProofpointPOD_TimeGenerated
id: 35a0792a-1269-431e-ac93-7ae2980d4dde
name: ProofpointPOD - Email sender in TI list
requiredDataConnectors:
- connectorId: ThreatIntelligence
  dataTypes:
  - ThreatIntelligenceIndicator
- connectorId: ThreatIntelligenceTaxii
  dataTypes:
  - ThreatIntelligenceIndicator
- connectorId: ProofpointPOD
  dataTypes:
  - ProofpointPOD_maillog_CL
triggerOperator: gt
severity: Medium
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Proofpoint On demand(POD) Email Security/Analytic Rules/ProofpointPODEmailSenderInTIList.yaml
kind: Scheduled
description: |
    'Email sender in TI list.'
relevantTechniques:
- T1078
- T1567
queryPeriod: 14d
query: |
  let dt_lookBack = 1h;
  let ioc_lookBack = 14d;
  ThreatIntelligenceIndicator
  | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
  | where Active == true
  | where isnotempty(EmailSenderAddress)
  | extend TI_emailEntity = EmailSenderAddress
  // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
  | join kind=innerunique (
         ProofpointPOD
         | where TimeGenerated >= ago(dt_lookBack)
         | where isnotempty(SrcUserUpn)
         | extend ProofpointPOD_TimeGenerated = TimeGenerated, ClientEmail = SrcUserUpn
  )
  on $left.TI_emailEntity == $right.ClientEmail
  | where ProofpointPOD_TimeGenerated < ExpirationDateTime
  | summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientEmail
  | project ProofpointPOD_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, ClientEmail
  | extend timestamp = ProofpointPOD_TimeGenerated  
queryFrequency: 1d
version: 1.1.2
tactics:
- Exfiltration
- InitialAccess
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: ClientEmail
  entityType: Account
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/35a0792a-1269-431e-ac93-7ae2980d4dde')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/35a0792a-1269-431e-ac93-7ae2980d4dde')]",
      "properties": {
        "alertRuleTemplateName": "35a0792a-1269-431e-ac93-7ae2980d4dde",
        "customDetails": null,
        "description": "'Email sender in TI list.'\n",
        "displayName": "ProofpointPOD - Email sender in TI list",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "ClientEmail",
                "identifier": "FullName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Proofpoint On demand(POD) Email Security/Analytic Rules/ProofpointPODEmailSenderInTIList.yaml",
        "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| where Active == true\n| where isnotempty(EmailSenderAddress)\n| extend TI_emailEntity = EmailSenderAddress\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n       ProofpointPOD\n       | where TimeGenerated >= ago(dt_lookBack)\n       | where isnotempty(SrcUserUpn)\n       | extend ProofpointPOD_TimeGenerated = TimeGenerated, ClientEmail = SrcUserUpn\n)\non $left.TI_emailEntity == $right.ClientEmail\n| where ProofpointPOD_TimeGenerated < ExpirationDateTime\n| summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientEmail\n| project ProofpointPOD_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, ClientEmail\n| extend timestamp = ProofpointPOD_TimeGenerated\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Exfiltration",
          "InitialAccess"
        ],
        "techniques": [
          "T1078",
          "T1567"
        ],
        "templateVersion": "1.1.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}