Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Corelight - SMTP Email containing NON Ascii Characters within the Subject

Back
Id50c61708-9824-46f3-87cf-22490796fae2
RulenameCorelight - SMTP Email containing NON Ascii Characters within the Subject
DescriptionDetects where an emails contain non ascii characters within the Subject.
SeverityLow
TacticsInitialAccess
TechniquesT1566
Required data connectorsCorelight
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Corelight/Analytic Rules/CorelightSMTPEmailSubjectNonAsciiCharacters.yaml
Version1.0.0
Arm template50c61708-9824-46f3-87cf-22490796fae2.json
Deploy To Azure
Corelight
| where EventType =~ 'smtp'
| where Subject hasprefix  @'\=?utf-16'
| summarize recipients = dcount(To)
| extend k = 1
| join (Corelight
        | where Subject hasprefix  @'\=?utf-16'
        | summarize by To
        | extend k = 1) on k
| where recipients > 1
| extend MailCustomEntity = To
triggerOperator: gt
id: 50c61708-9824-46f3-87cf-22490796fae2
queryFrequency: 1h
entityMappings:
- entityType: MailMessage
  fieldMappings:
  - columnName: MailCustomEntity
    identifier: Recipient
requiredDataConnectors:
- dataTypes:
  - Corelight
  connectorId: Corelight
severity: Low
triggerThreshold: 0
kind: Scheduled
status: Available
queryPeriod: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Corelight/Analytic Rules/CorelightSMTPEmailSubjectNonAsciiCharacters.yaml
query: |
  Corelight
  | where EventType =~ 'smtp'
  | where Subject hasprefix  @'\=?utf-16'
  | summarize recipients = dcount(To)
  | extend k = 1
  | join (Corelight
          | where Subject hasprefix  @'\=?utf-16'
          | summarize by To
          | extend k = 1) on k
  | where recipients > 1
  | extend MailCustomEntity = To  
description: |
    'Detects where an emails contain non ascii characters within the Subject.'
name: Corelight - SMTP Email containing NON Ascii Characters within the Subject
relevantTechniques:
- T1566
tactics:
- InitialAccess
version: 1.0.0
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/50c61708-9824-46f3-87cf-22490796fae2')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/50c61708-9824-46f3-87cf-22490796fae2')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Corelight - SMTP Email containing NON Ascii Characters within the Subject",
        "description": "'Detects where an emails contain non ascii characters within the Subject.'\n",
        "severity": "Low",
        "enabled": true,
        "query": "Corelight\n| where EventType =~ 'smtp'\n| where Subject hasprefix  @'\\=?utf-16'\n| summarize recipients = dcount(To)\n| extend k = 1\n| join (Corelight\n        | where Subject hasprefix  @'\\=?utf-16'\n        | summarize by To\n        | extend k = 1) on k\n| where recipients > 1\n| extend MailCustomEntity = To\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1566"
        ],
        "alertRuleTemplateName": "50c61708-9824-46f3-87cf-22490796fae2",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "identifier": "Recipient",
                "columnName": "MailCustomEntity"
              }
            ],
            "entityType": "MailMessage"
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Corelight/Analytic Rules/CorelightSMTPEmailSubjectNonAsciiCharacters.yaml",
        "templateVersion": "1.0.0",
        "status": "Available"
      }
    }
  ]
}