Mimecast Data Leak Prevention - Hold

Back


Id	3e12b7b1-75e5-497c-ba01-b6cb30b60d7f
Rulename	Mimecast Data Leak Prevention - Hold
Description	Detects threat for data leak when action is hold
Severity	Informational
Tactics	Exfiltration
Techniques	T1030
Required data connectors	MimecastSIEMAPI
Kind	Scheduled
Query frequency	5m
Query period	15m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastSEG/Analytic Rules/MimecastDLP_Hold.yaml
Version	1.0.0
Arm template	3e12b7b1-75e5-497c-ba01-b6cb30b60d7f.json

KQL

MimecastDLP_CL| where action_s == "hold";

YAML

entityMappings:
- fieldMappings:
  - columnName: senderAddress_s
    identifier: Sender
  - columnName: recipientAddress_s
    identifier: Recipient
  - columnName: action_s
    identifier: DeliveryAction
  entityType: MailMessage
triggerOperator: gt
tactics:
- Exfiltration
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    reopenClosedIncident: false
    matchingMethod: AllEntities
    lookbackDuration: 1d
    enabled: true
suppressionDuration: 5h
eventGroupingSettings:
  aggregationKind: SingleAlert
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastSEG/Analytic Rules/MimecastDLP_Hold.yaml
version: 1.0.0
triggerThreshold: 0
relevantTechniques:
- T1030
queryPeriod: 15m
query: MimecastDLP_CL| where action_s == "hold";
severity: Informational
kind: Scheduled
enabled: true
name: Mimecast Data Leak Prevention - Hold
queryFrequency: 5m
id: 3e12b7b1-75e5-497c-ba01-b6cb30b60d7f
description: Detects threat for data leak when action is hold
suppressionEnabled: false
requiredDataConnectors:
- dataTypes:
  - MimecastDLP_CL
  connectorId: MimecastSIEMAPI

ARM