Mimecast Targeted Threat Protection - Attachment Protect
| Id | 617a55be-a8d8-49c1-8687-d19a0231056f |
| Rulename | Mimecast Targeted Threat Protection - Attachment Protect |
| Description | Detects a threat for an unsafe attachment in an email. |
| Severity | High |
| Tactics | InitialAccess Discovery |
| Techniques | T0865 |
| Required data connectors | MimecastTTPAPI |
| Kind | Scheduled |
| Query frequency | 30m |
| Query period | 30m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastTTP/Mimecast_TTP_Attachment.yaml |
| Version | 1.0.0 |
| Arm template | 617a55be-a8d8-49c1-8687-d19a0231056f.json |
MimecastTTPAttachment
| where Result != "safe"
| extend SenderAddress = ['Sender Address'] ,RecipientAddress = ['Recipient Address']
suppressionEnabled: false
relevantTechniques:
- T0865
entityMappings:
- fieldMappings:
- columnName: SenderAddress
identifier: Sender
- columnName: RecipientAddress
identifier: Recipient
- columnName: Subject
identifier: Subject
entityType: MailMessage
incidentConfiguration:
groupingConfiguration:
reopenClosedIncident: false
matchingMethod: AllEntities
enabled: true
lookbackDuration: P7D
createIncident: true
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastTTP/Mimecast_TTP_Attachment.yaml
suppressionDuration: 5h
description: |
'Detects a threat for an unsafe attachment in an email.'
requiredDataConnectors:
- connectorId: MimecastTTPAPI
dataTypes:
- MimecastTTPAttachment
triggerOperator: gt
version: 1.0.0
eventGroupingSettings:
aggregationKind: AlertPerResult
id: 617a55be-a8d8-49c1-8687-d19a0231056f
queryFrequency: 30m
query: |
MimecastTTPAttachment
| where Result != "safe"
| extend SenderAddress = ['Sender Address'] ,RecipientAddress = ['Recipient Address']
severity: High
status: Available
queryPeriod: 30m
name: Mimecast Targeted Threat Protection - Attachment Protect
tactics:
- InitialAccess
- Discovery
kind: Scheduled