Mimecast Secure Email Gateway - Impersonation Protect

Back


Id	7034abc9-6b66-4533-9bf3-056672fd9d9e
Rulename	Mimecast Secure Email Gateway - Impersonation Protect
Description	Detects threats from impersonation mail under targeted threat protection
Severity	High
Tactics	Discovery LateralMovement Collection
Techniques	T1114
Required data connectors	MimecastSIEMAPI
Kind	Scheduled
Query frequency	5m
Query period	15m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastSEG/Analytic Rules/MimecastSIEM_Impersonation.yaml
Version	1.0.0
Arm template	7034abc9-6b66-4533-9bf3-056672fd9d9e.json

KQL

MimecastSIEM_CL| where mimecastEventId_s == "mail_ttp_impersonation"

YAML

id: 7034abc9-6b66-4533-9bf3-056672fd9d9e
triggerThreshold: 0
eventGroupingSettings:
  aggregationKind: SingleAlert
suppressionEnabled: false
severity: High
customDetails:
  SimilarMCExtDomain: SimilarMimecastExternalDomain_s
  Definition: Definition_s
  MsgId: MsgId_s
  TaggedMalicious: TaggedMalicious_s
  SimilarIntDomain: SimilarInternalDomain_s
  CustomName: CustomName_s
  ThreatDictionary: ThreatDictionary_s
  TaggedExternal: TaggedExternal_s
  Action: Action_s
  ReplyMismatch: ReplyMismatch_s
  SimilarCustExtDomain: SimilarCustomExternalDomain_s
  Route: Route_s
  Hits: Hits_s
  NewDomain: NewDomain_s
  CustomThreatDict: CustomThreatDictionary_s
  InternalName: InternalName_s
  Subject: Subject_s
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastSEG/Analytic Rules/MimecastSIEM_Impersonation.yaml
relevantTechniques:
- T1114
requiredDataConnectors:
- connectorId: MimecastSIEMAPI
  dataTypes:
  - MimecastSIEM_CL
entityMappings:
- fieldMappings:
  - identifier: Sender
    columnName: Sender_s
  - identifier: SenderIP
    columnName: IP_s
  - identifier: Recipient
    columnName: Recipient_s
  entityType: MailMessage
version: 1.0.0
query: MimecastSIEM_CL| where mimecastEventId_s == "mail_ttp_impersonation"
queryPeriod: 15m
triggerOperator: gt
tactics:
- Discovery
- LateralMovement
- Collection
enabled: true
suppressionDuration: 5h
incidentConfiguration:
  groupingConfiguration:
    enabled: true
    matchingMethod: AllEntities
    lookbackDuration: 1d
    reopenClosedIncident: false
  createIncident: true
description: Detects threats from impersonation mail under targeted threat protection
name: Mimecast Secure Email Gateway - Impersonation Protect
kind: Scheduled
queryFrequency: 5m

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7034abc9-6b66-4533-9bf3-056672fd9d9e')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7034abc9-6b66-4533-9bf3-056672fd9d9e')]",
      "properties": {
        "alertRuleTemplateName": "7034abc9-6b66-4533-9bf3-056672fd9d9e",
        "customDetails": {
          "Action": "Action_s",
          "CustomName": "CustomName_s",
          "CustomThreatDict": "CustomThreatDictionary_s",
          "Definition": "Definition_s",
          "Hits": "Hits_s",
          "InternalName": "InternalName_s",
          "MsgId": "MsgId_s",
          "NewDomain": "NewDomain_s",
          "ReplyMismatch": "ReplyMismatch_s",
          "Route": "Route_s",
          "SimilarCustExtDomain": "SimilarCustomExternalDomain_s",
          "SimilarIntDomain": "SimilarInternalDomain_s",
          "SimilarMCExtDomain": "SimilarMimecastExternalDomain_s",
          "Subject": "Subject_s",
          "TaggedExternal": "TaggedExternal_s",
          "TaggedMalicious": "TaggedMalicious_s",
          "ThreatDictionary": "ThreatDictionary_s"
        },
        "description": "Detects threats from impersonation mail under targeted threat protection",
        "displayName": "Mimecast Secure Email Gateway - Impersonation Protect",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "MailMessage",
            "fieldMappings": [
              {
                "columnName": "Sender_s",
                "identifier": "Sender"
              },
              {
                "columnName": "IP_s",
                "identifier": "SenderIP"
              },
              {
                "columnName": "Recipient_s",
                "identifier": "Recipient"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "lookbackDuration": "P1D",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastSEG/Analytic Rules/MimecastSIEM_Impersonation.yaml",
        "query": "MimecastSIEM_CL| where mimecastEventId_s == \"mail_ttp_impersonation\"",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT15M",
        "severity": "High",
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "Collection",
          "Discovery",
          "LateralMovement"
        ],
        "techniques": [
          "T1114"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}