Microsoft Sentinel Analytic Rules

Corelight - SMTP Email containing NON Ascii Characters within the Subject

Id50c61708-9824-46f3-87cf-22490796fae2
RulenameCorelight - SMTP Email containing NON Ascii Characters within the Subject
DescriptionDetects emails that contain non-ASCII characters within the Subject.
SeverityLow
TacticsInitialAccess
TechniquesT1566
Required data connectorsCorelight
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Corelight/Analytic Rules/CorelightSMTPEmailSubjectNonAsciiCharacters.yaml
Version1.0.0
Arm template50c61708-9824-46f3-87cf-22490796fae2.json
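// Corelight SMTP events whose Subject starts with an RFC 2047-style encoded word
// declaring the utf-16 charset. Alerts only when more than one distinct recipient
// received such mail within the query period, emitting one row per recipient so
// each can be mapped to a MailMessage entity (MailCustomEntity).
//
// NOTE(review): inside a KQL verbatim string (@'...') the backslash is a literal
// character, so this prefix is the text `\=?utf-16` including the backslash.
// Confirm against sample Corelight data that this matches the intended
// `=?utf-16...` subjects. Subjects encoded with other charsets (e.g. utf-8)
// are not covered by this prefix, despite the rule name.
let EncodedSubjectPrefix = @'\=?utf-16';
Corelight
| where EventType =~ 'smtp'
| where Subject hasprefix EncodedSubjectPrefix
// single row: number of distinct recipients of matching mail
| summarize recipients = dcount(To)
| extend k = 1
| join (Corelight
        // same filters as the outer branch so the recipient list is drawn
        // from exactly the SMTP events that were counted above
        | where EventType =~ 'smtp'
        | where Subject hasprefix EncodedSubjectPrefix
        | summarize by To
        | extend k = 1) on k
// fire only when the campaign targeted multiple distinct recipients
| where recipients > 1
| extend MailCustomEntity = To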
# Corelight - SMTP email whose Subject starts with a utf-16 encoded-word prefix
# (the rule name refers to this as non-ASCII characters in the Subject).
# Scheduled rule: runs every hour over the previous hour and fires when the
# query returns at least one row (triggerOperator gt, triggerThreshold 0).
severity: Low
queryFrequency: 1h
relevantTechniques:
- T1566
tactics:
- InitialAccess
kind: Scheduled
# The query fires only when more than one distinct recipient (dcount(To))
# received a matching mail, then returns one row per distinct recipient.
# NOTE(review): the inner join branch does not repeat the EventType =~ 'smtp'
# filter of the outer branch — confirm this is intentional.
query: |
  Corelight
  | where EventType =~ 'smtp'
  | where Subject hasprefix  @'\=?utf-16'
  | summarize recipients = dcount(To)
  | extend k = 1
  | join (Corelight
          | where Subject hasprefix  @'\=?utf-16'
          | summarize by To
          | extend k = 1) on k
  | where recipients > 1
  | extend MailCustomEntity = To  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Corelight/Analytic Rules/CorelightSMTPEmailSubjectNonAsciiCharacters.yaml
# queryPeriod equals queryFrequency, so consecutive runs do not overlap.
queryPeriod: 1h
status: Available
version: 1.0.0
name: Corelight - SMTP Email containing NON Ascii Characters within the Subject
requiredDataConnectors:
- dataTypes:
  - Corelight
  connectorId: Corelight
triggerOperator: gt
# Each result row's MailCustomEntity column (the recipient address from the
# query) is mapped to a MailMessage entity's Recipient identifier.
entityMappings:
- entityType: MailMessage
  fieldMappings:
  - identifier: Recipient
    columnName: MailCustomEntity
id: 50c61708-9824-46f3-87cf-22490796fae2
description: |
    'Detects where an emails contain non ascii characters within the Subject.'
triggerThreshold: 0
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/50c61708-9824-46f3-87cf-22490796fae2')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/50c61708-9824-46f3-87cf-22490796fae2')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "Corelight - SMTP Email containing NON Ascii Characters within the Subject",
        "description": "'Detects where an emails contain non ascii characters within the Subject.'\n",
        "severity": "Low",
        "enabled": true,
        "query": "Corelight\n| where EventType =~ 'smtp'\n| where Subject hasprefix  @'\\=?utf-16'\n| summarize recipients = dcount(To)\n| extend k = 1\n| join (Corelight\n        | where Subject hasprefix  @'\\=?utf-16'\n        | summarize by To\n        | extend k = 1) on k\n| where recipients > 1\n| extend MailCustomEntity = To\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1566"
        ],
        "alertRuleTemplateName": "50c61708-9824-46f3-87cf-22490796fae2",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "columnName": "MailCustomEntity",
                "identifier": "Recipient"
              }
            ],
            "entityType": "MailMessage"
          }
        ],
        "templateVersion": "1.0.0",
        "status": "Available",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Corelight/Analytic Rules/CorelightSMTPEmailSubjectNonAsciiCharacters.yaml"
      }
    }
  ]
}