Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Mimecast Data Leak Prevention - Hold

Mimecast Data Leak Prevention - Hold

Back
Id3e12b7b1-75e5-497c-ba01-b6cb30b60d7f
RulenameMimecast Data Leak Prevention - Hold
DescriptionDetects threat for data leak when action is hold
SeverityInformational
TacticsExfiltration
TechniquesT1030
Required data connectorsMimecastSIEMAPI
KindScheduled
Query frequency5m
Query period15m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastSEG/Analytic Rules/MimecastDLP_Hold.yaml
Version1.0.0
Arm template3e12b7b1-75e5-497c-ba01-b6cb30b60d7f.json
Deploy To Azure
MimecastDLP_CL| where action_s == "hold";

name: Mimecast Data Leak Prevention - Hold
incidentConfiguration:
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: 1d
    matchingMethod: AllEntities
  createIncident: true
query: MimecastDLP_CL| where action_s == "hold";
entityMappings:
- entityType: MailMessage
  fieldMappings:
  - columnName: senderAddress_s
    identifier: Sender
  - columnName: recipientAddress_s
    identifier: Recipient
  - columnName: action_s
    identifier: DeliveryAction
queryPeriod: 15m
suppressionEnabled: false
tactics:
- Exfiltration
suppressionDuration: 5h
triggerOperator: gt
kind: Scheduled
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastSEG/Analytic Rules/MimecastDLP_Hold.yaml
eventGroupingSettings:
  aggregationKind: SingleAlert
enabled: true
relevantTechniques:
- T1030
id: 3e12b7b1-75e5-497c-ba01-b6cb30b60d7f
severity: Informational
requiredDataConnectors:
- connectorId: MimecastSIEMAPI
  dataTypes:
  - MimecastDLP_CL
version: 1.0.0
description: Detects threat for data leak when action is hold
queryFrequency: 5m