Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Mimecast Data Leak Prevention - Hold

Mimecast Data Leak Prevention - Hold

Back
Id3e12b7b1-75e5-497c-ba01-b6cb30b60d7f
RulenameMimecast Data Leak Prevention - Hold
DescriptionDetects threat for data leak when action is hold
SeverityInformational
TacticsExfiltration
TechniquesT1030
Required data connectorsMimecastSIEMAPI
KindScheduled
Query frequency5m
Query period15m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastSEG/Analytic Rules/MimecastDLP_Hold.yaml
Version1.0.0
Arm template3e12b7b1-75e5-497c-ba01-b6cb30b60d7f.json
Deploy To Azure
MimecastDLP_CL| where action_s == "hold";

suppressionEnabled: false
description: Detects threat for data leak when action is hold
kind: Scheduled
tactics:
- Exfiltration
requiredDataConnectors:
- connectorId: MimecastSIEMAPI
  dataTypes:
  - MimecastDLP_CL
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    lookbackDuration: 1d
    enabled: true
    matchingMethod: AllEntities
  createIncident: true
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastSEG/Analytic Rules/MimecastDLP_Hold.yaml
severity: Informational
name: Mimecast Data Leak Prevention - Hold
suppressionDuration: 5h
triggerThreshold: 0
queryPeriod: 15m
query: MimecastDLP_CL| where action_s == "hold";
relevantTechniques:
- T1030
id: 3e12b7b1-75e5-497c-ba01-b6cb30b60d7f
queryFrequency: 5m
enabled: true
entityMappings:
- entityType: MailMessage
  fieldMappings:
  - columnName: senderAddress_s
    identifier: Sender
  - columnName: recipientAddress_s
    identifier: Recipient
  - columnName: action_s
    identifier: DeliveryAction
version: 1.0.0
triggerOperator: gt
eventGroupingSettings:
  aggregationKind: SingleAlert