Mimecast Data Leak Prevention - Hold

Back


Id	3e12b7b1-75e5-497c-ba01-b6cb30b60d7f
Rulename	Mimecast Data Leak Prevention - Hold
Description	Detects threat for data leak when action is hold
Severity	Informational
Tactics	Exfiltration
Techniques	T1030
Required data connectors	MimecastSIEMAPI
Kind	Scheduled
Query frequency	5m
Query period	15m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastSEG/Analytic Rules/MimecastDLP_Hold.yaml
Version	1.0.0
Arm template	3e12b7b1-75e5-497c-ba01-b6cb30b60d7f.json

KQL

MimecastDLP_CL| where action_s == "hold";

YAML

OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastSEG/Analytic Rules/MimecastDLP_Hold.yaml
queryPeriod: 15m
description: Detects threat for data leak when action is hold
triggerThreshold: 0
name: Mimecast Data Leak Prevention - Hold
triggerOperator: gt
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    matchingMethod: AllEntities
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: 1d
kind: Scheduled
requiredDataConnectors:
- connectorId: MimecastSIEMAPI
  dataTypes:
  - MimecastDLP_CL
enabled: true
eventGroupingSettings:
  aggregationKind: SingleAlert
suppressionDuration: 5h
queryFrequency: 5m
suppressionEnabled: false
tactics:
- Exfiltration
id: 3e12b7b1-75e5-497c-ba01-b6cb30b60d7f
version: 1.0.0
query: MimecastDLP_CL| where action_s == "hold";
entityMappings:
- entityType: MailMessage
  fieldMappings:
  - identifier: Sender
    columnName: senderAddress_s
  - identifier: Recipient
    columnName: recipientAddress_s
  - identifier: DeliveryAction
    columnName: action_s
severity: Informational
relevantTechniques:
- T1030

ARM