Microsoft Sentinel Analytic Rules

Acronis - Multiple Inboxes with Malicious Content Detected

Id: 5090ad7b-4b47-4cab-9015-bffb43aecde8
Rulename: Acronis - Multiple Inboxes with Malicious Content Detected
Description: Many inboxes containing malicious content could indicate a potential ongoing phishing attack.
Severity: Medium
Tactics: InitialAccess
Techniques: T1566.002, T1566.001
Kind: Scheduled
Query frequency: 1h
Query period: 1d
Trigger threshold: 2
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Acronis Cyber Protect Cloud/Analytic Rules/AcronisMultipleInboxesWithMaliciousContentDetected.yaml
Version: 1.0.0
Arm template: 5090ad7b-4b47-4cab-9015-bffb43aecde8.json
CommonSecurityLog
| where DeviceVendor == "Acronis"
| where DeviceEventClassID in
("MaliciousURLDetectedInM365MailboxBackup",
"MalwareDetectedInM365MailboxBackup",
"MaliciousEmailDetectedPerceptionPointWarning")
| summarize MaliciousContent = count() by DeviceName
description: Many inboxes containing malicious content could indicate a potential ongoing phishing attack.
tactics:
- InitialAccess
requiredDataConnectors: []
id: 5090ad7b-4b47-4cab-9015-bffb43aecde8
severity: Medium
eventGroupingSettings:
  aggregationKind: SingleAlert
customDetails:
  DeviceName: DeviceName
query: |
  CommonSecurityLog
  | where DeviceVendor == "Acronis"
  | where DeviceEventClassID in
  ("MaliciousURLDetectedInM365MailboxBackup",
  "MalwareDetectedInM365MailboxBackup",
  "MaliciousEmailDetectedPerceptionPointWarning")
  | summarize MaliciousContent = count() by DeviceName
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Acronis Cyber Protect Cloud/Analytic Rules/AcronisMultipleInboxesWithMaliciousContentDetected.yaml
kind: Scheduled
queryPeriod: 1d
version: 1.0.0
name: Acronis - Multiple Inboxes with Malicious Content Detected
queryFrequency: 1h
triggerThreshold: 2
relevantTechniques:
- T1566.002
- T1566.001
incidentConfiguration:
  groupingConfiguration:
    enabled: true
    lookbackDuration: P1D
    reopenClosedIncident: true
    matchingMethod: AnyAlert
  createIncident: true
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: DeviceName
triggerOperator: gt