Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Mimecast Data Leak Prevention - Hold

Mimecast Data Leak Prevention - Hold

Back
Id3e12b7b1-75e5-497c-ba01-b6cb30b60d7f
RulenameMimecast Data Leak Prevention - Hold
DescriptionDetects threat for data leak when action is hold
SeverityInformational
TacticsExfiltration
TechniquesT1030
Required data connectorsMimecastSIEMAPI
KindScheduled
Query frequency5m
Query period15m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastSEG/Analytic Rules/MimecastDLP_Hold.yaml
Version1.0.0
Arm template3e12b7b1-75e5-497c-ba01-b6cb30b60d7f.json
Deploy To Azure
MimecastDLP_CL| where action_s == "hold";

severity: Informational
eventGroupingSettings:
  aggregationKind: SingleAlert
queryPeriod: 15m
suppressionDuration: 5h
name: Mimecast Data Leak Prevention - Hold
entityMappings:
- fieldMappings:
  - columnName: senderAddress_s
    identifier: Sender
  - columnName: recipientAddress_s
    identifier: Recipient
  - columnName: action_s
    identifier: DeliveryAction
  entityType: MailMessage
version: 1.0.0
relevantTechniques:
- T1030
suppressionEnabled: false
id: 3e12b7b1-75e5-497c-ba01-b6cb30b60d7f
queryFrequency: 5m
triggerThreshold: 0
triggerOperator: gt
incidentConfiguration:
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    matchingMethod: AllEntities
    lookbackDuration: 1d
  createIncident: true
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastSEG/Analytic Rules/MimecastDLP_Hold.yaml
query: MimecastDLP_CL| where action_s == "hold";
description: Detects threat for data leak when action is hold
enabled: true
requiredDataConnectors:
- connectorId: MimecastSIEMAPI
  dataTypes:
  - MimecastDLP_CL
tactics:
- Exfiltration
kind: Scheduled