Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Mimecast Secure Email Gateway - Impersonation Protect

Mimecast Secure Email Gateway - Impersonation Protect

Back
Id7034abc9-6b66-4533-9bf3-056672fd9d9e
RulenameMimecast Secure Email Gateway - Impersonation Protect
DescriptionDetects threats from impersonation mail under targeted threat protection
SeverityHigh
TacticsDiscovery
LateralMovement
Collection
TechniquesT1114
Required data connectorsMimecastSIEMAPI
KindScheduled
Query frequency5m
Query period15m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastSEG/Analytic Rules/MimecastSIEM_Impersonation.yaml
Version1.0.1
Arm template7034abc9-6b66-4533-9bf3-056672fd9d9e.json
Deploy To Azure
MimecastSIEM_CL| where mimecastEventId_s == "mail_ttp_impersonation"

queryPeriod: 15m
description: Detects threats from impersonation mail under targeted threat protection
relevantTechniques:
- T1114
triggerThreshold: 0
customDetails:
  TaggedExternal: TaggedExternal_s
  CustomThreatDict: CustomThreatDictionary_s
  Subject: Subject_s
  ThreatDictionary: ThreatDictionary_s
  Definition: Definition_s
  CustomName: CustomName_s
  SimilarIntDomain: SimilarInternalDomain_s
  Route: Route_s
  NewDomain: NewDomain_s
  MsgId_s: MsgId_s
  SimilarMCExtDomain: SimilarMimecastExternalDomain_s
  InternalName: InternalName_s
  TaggedMalicious: TaggedMalicious_s
  Action: Action_s
  SimilarCustExtDomain: SimilarCustomExternalDomain_s
  Hits: Hits_s
  ReplyMismatch: ReplyMismatch_s
id: 7034abc9-6b66-4533-9bf3-056672fd9d9e
queryFrequency: 5m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastSEG/Analytic Rules/MimecastSIEM_Impersonation.yaml
kind: Scheduled
query: MimecastSIEM_CL| where mimecastEventId_s == "mail_ttp_impersonation"
entityMappings:
- fieldMappings:
  - columnName: Sender_s
    identifier: Sender
  - columnName: IP_s
    identifier: SenderIP
  - columnName: Recipient_s
    identifier: Recipient
  entityType: MailMessage
eventGroupingSettings:
  aggregationKind: SingleAlert
triggerOperator: gt
suppressionEnabled: false
tactics:
- Discovery
- LateralMovement
- Collection
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    matchingMethod: AllEntities
    reopenClosedIncident: false
    lookbackDuration: 1d
name: Mimecast Secure Email Gateway - Impersonation Protect
version: 1.0.1
severity: High
requiredDataConnectors:
- connectorId: MimecastSIEMAPI
  dataTypes:
  - MimecastSIEM_CL
suppressionDuration: 5h
enabled: true