Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Corelight - SMTP Email containing NON Ascii Characters within the Subject

Back
Id50c61708-9824-46f3-87cf-22490796fae2
RulenameCorelight - SMTP Email containing NON Ascii Characters within the Subject
DescriptionDetects where an emails contain non ascii characters within the Subject.
SeverityLow
TacticsInitialAccess
TechniquesT1566
Required data connectorsCorelight
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Corelight/Analytic Rules/CorelightSMTPEmailSubjectNonAsciiCharacters.yaml
Version2.1.0
Arm template50c61708-9824-46f3-87cf-22490796fae2.json
Deploy To Azure
corelight_smtp
| where subject hasprefix  @'\=?utf-16'
| summarize recipients = dcount(_to)
| extend k = 1
| join (corelight_smtp
        | where subject hasprefix  @'\=?utf-16'
        | summarize by _to
        | extend k = 1) on k
| where recipients > 1
id: 50c61708-9824-46f3-87cf-22490796fae2
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Corelight/Analytic Rules/CorelightSMTPEmailSubjectNonAsciiCharacters.yaml
requiredDataConnectors:
- dataTypes:
  - Corelight_v2_smtp
  - corelight_smtp
  connectorId: Corelight
description: |
    'Detects where an emails contain non ascii characters within the Subject.'
severity: Low
queryPeriod: 1h
kind: Scheduled
tactics:
- InitialAccess
queryFrequency: 1h
query: |
  corelight_smtp
  | where subject hasprefix  @'\=?utf-16'
  | summarize recipients = dcount(_to)
  | extend k = 1
  | join (corelight_smtp
          | where subject hasprefix  @'\=?utf-16'
          | summarize by _to
          | extend k = 1) on k
  | where recipients > 1  
version: 2.1.0
triggerThreshold: 0
name: Corelight - SMTP Email containing NON Ascii Characters within the Subject
entityMappings:
- entityType: MailMessage
  fieldMappings:
  - columnName: _to
    identifier: Recipient
status: Available
relevantTechniques:
- T1566
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/50c61708-9824-46f3-87cf-22490796fae2')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/50c61708-9824-46f3-87cf-22490796fae2')]",
      "properties": {
        "alertRuleTemplateName": "50c61708-9824-46f3-87cf-22490796fae2",
        "customDetails": null,
        "description": "'Detects where an emails contain non ascii characters within the Subject.'\n",
        "displayName": "Corelight - SMTP Email containing NON Ascii Characters within the Subject",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "MailMessage",
            "fieldMappings": [
              {
                "columnName": "_to",
                "identifier": "Recipient"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Corelight/Analytic Rules/CorelightSMTPEmailSubjectNonAsciiCharacters.yaml",
        "query": "corelight_smtp\n| where subject hasprefix  @'\\=?utf-16'\n| summarize recipients = dcount(_to)\n| extend k = 1\n| join (corelight_smtp\n        | where subject hasprefix  @'\\=?utf-16'\n        | summarize by _to\n        | extend k = 1) on k\n| where recipients > 1\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Low",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1566"
        ],
        "templateVersion": "2.1.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}