Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Mimecast Secure Email Gateway - Attachment Protect

Back
Id72264f4f-61fb-4f4f-96c4-635571a376c2
RulenameMimecast Secure Email Gateway - Attachment Protect
DescriptionDetect threat for mail attachment under the targeted threat protection
SeverityHigh
TacticsCollection
Exfiltration
Discovery
InitialAccess
Execution
TechniquesT1114
T1566
T0865
Required data connectorsMimecastSIEMAPI
KindScheduled
Query frequency5m
Query period15m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastSEG/Analytic Rules/MimecastSIEM_Attachment.yaml
Version1.0.1
Arm template72264f4f-61fb-4f4f-96c4-635571a376c2.json
Deploy To Azure
MimecastSIEM_CL| where mimecastEventId_s=="mail_ttp_attachment"
eventGroupingSettings:
  aggregationKind: SingleAlert
queryFrequency: 5m
suppressionDuration: 5h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastSEG/Analytic Rules/MimecastSIEM_Attachment.yaml
enabled: true
kind: Scheduled
relevantTechniques:
- T1114
- T1566
- T0865
id: 72264f4f-61fb-4f4f-96c4-635571a376c2
customDetails:
  fileName: fileName_s
  MsgId_s: MsgId_s
  sha256: sha256_s
queryPeriod: 15m
query: MimecastSIEM_CL| where mimecastEventId_s=="mail_ttp_attachment"
description: Detect threat for mail attachment under the targeted threat protection
entityMappings:
- entityType: MailMessage
  fieldMappings:
  - columnName: Sender_s
    identifier: Sender
  - columnName: Recipient_s
    identifier: Recipient
  - columnName: Subject_s
    identifier: Subject
- entityType: IP
  fieldMappings:
  - columnName: IP_s
    identifier: Address
triggerOperator: gt
severity: High
name: Mimecast Secure Email Gateway - Attachment Protect
requiredDataConnectors:
- dataTypes:
  - MimecastSIEM_CL
  connectorId: MimecastSIEMAPI
triggerThreshold: 0
tactics:
- Collection
- Exfiltration
- Discovery
- InitialAccess
- Execution
suppressionEnabled: false
incidentConfiguration:
  groupingConfiguration:
    enabled: true
    lookbackDuration: 1d
    reopenClosedIncident: false
    matchingMethod: AllEntities
  createIncident: true
version: 1.0.1
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/72264f4f-61fb-4f4f-96c4-635571a376c2')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/72264f4f-61fb-4f4f-96c4-635571a376c2')]",
      "properties": {
        "alertRuleTemplateName": "72264f4f-61fb-4f4f-96c4-635571a376c2",
        "customDetails": {
          "fileName": "fileName_s",
          "MsgId_s": "MsgId_s",
          "sha256": "sha256_s"
        },
        "description": "Detect threat for mail attachment under the targeted threat protection",
        "displayName": "Mimecast Secure Email Gateway - Attachment Protect",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "MailMessage",
            "fieldMappings": [
              {
                "columnName": "Sender_s",
                "identifier": "Sender"
              },
              {
                "columnName": "Recipient_s",
                "identifier": "Recipient"
              },
              {
                "columnName": "Subject_s",
                "identifier": "Subject"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IP_s",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "lookbackDuration": "P1D",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastSEG/Analytic Rules/MimecastSIEM_Attachment.yaml",
        "query": "MimecastSIEM_CL| where mimecastEventId_s==\"mail_ttp_attachment\"",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT15M",
        "severity": "High",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "Collection",
          "Discovery",
          "Execution",
          "Exfiltration",
          "InitialAccess"
        ],
        "techniques": [
          "T1114",
          "T1566"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}