Mimecast Secure Email Gateway - Attachment Protect

Back


Id	72264f4f-61fb-4f4f-96c4-635571a376c2
Rulename	Mimecast Secure Email Gateway - Attachment Protect
Description	Detect threat for mail attachment under the targeted threat protection
Severity	High
Tactics	Collection Exfiltration Discovery InitialAccess Execution
Techniques	T1114 T1566 T0865
Required data connectors	MimecastSIEMAPI
Kind	Scheduled
Query frequency	5m
Query period	15m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastSEG/Analytic Rules/MimecastSIEM_Attachment.yaml
Version	1.0.1
Arm template	72264f4f-61fb-4f4f-96c4-635571a376c2.json

KQL

MimecastSIEM_CL| where mimecastEventId_s=="mail_ttp_attachment"

YAML

queryPeriod: 15m
triggerOperator: gt
queryFrequency: 5m
description: Detect threat for mail attachment under the targeted threat protection
requiredDataConnectors:
- dataTypes:
  - MimecastSIEM_CL
  connectorId: MimecastSIEMAPI
enabled: true
query: MimecastSIEM_CL| where mimecastEventId_s=="mail_ttp_attachment"
severity: High
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastSEG/Analytic Rules/MimecastSIEM_Attachment.yaml
tactics:
- Collection
- Exfiltration
- Discovery
- InitialAccess
- Execution
entityMappings:
- fieldMappings:
  - columnName: Sender_s
    identifier: Sender
  - columnName: Recipient_s
    identifier: Recipient
  - columnName: Subject_s
    identifier: Subject
  entityType: MailMessage
- fieldMappings:
  - columnName: IP_s
    identifier: Address
  entityType: IP
relevantTechniques:
- T1114
- T1566
- T0865
eventGroupingSettings:
  aggregationKind: SingleAlert
name: Mimecast Secure Email Gateway - Attachment Protect
triggerThreshold: 0
suppressionDuration: 5h
id: 72264f4f-61fb-4f4f-96c4-635571a376c2
customDetails:
  fileName: fileName_s
  sha256: sha256_s
  MsgId_s: MsgId_s
suppressionEnabled: false
version: 1.0.1
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    reopenClosedIncident: false
    lookbackDuration: 1d
    matchingMethod: AllEntities
    enabled: true
kind: Scheduled

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/72264f4f-61fb-4f4f-96c4-635571a376c2')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/72264f4f-61fb-4f4f-96c4-635571a376c2')]",
      "properties": {
        "alertRuleTemplateName": "72264f4f-61fb-4f4f-96c4-635571a376c2",
        "customDetails": {
          "fileName": "fileName_s",
          "MsgId_s": "MsgId_s",
          "sha256": "sha256_s"
        },
        "description": "Detect threat for mail attachment under the targeted threat protection",
        "displayName": "Mimecast Secure Email Gateway - Attachment Protect",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "MailMessage",
            "fieldMappings": [
              {
                "columnName": "Sender_s",
                "identifier": "Sender"
              },
              {
                "columnName": "Recipient_s",
                "identifier": "Recipient"
              },
              {
                "columnName": "Subject_s",
                "identifier": "Subject"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IP_s",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "lookbackDuration": "P1D",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastSEG/Analytic Rules/MimecastSIEM_Attachment.yaml",
        "query": "MimecastSIEM_CL| where mimecastEventId_s==\"mail_ttp_attachment\"",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT15M",
        "severity": "High",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "Collection",
          "Discovery",
          "Execution",
          "Exfiltration",
          "InitialAccess"
        ],
        "techniques": [
          "T1114",
          "T1566"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}