Mimecast Secure Email Gateway - Attachment Protect

Back


Id	72264f4f-61fb-4f4f-96c4-635571a376c2
Rulename	Mimecast Secure Email Gateway - Attachment Protect
Description	Detect threat for mail attachment under the targeted threat protection
Severity	High
Tactics	Collection Exfiltration Discovery InitialAccess Execution
Techniques	T1114 T1566 T0865
Required data connectors	MimecastSIEMAPI
Kind	Scheduled
Query frequency	5m
Query period	15m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastSEG/Analytic Rules/MimecastSIEM_Attachment.yaml
Version	1.0.0
Arm template	72264f4f-61fb-4f4f-96c4-635571a376c2.json

KQL

MimecastSIEM_CL| where mimecastEventId_s=="mail_ttp_attachment"

YAML

relevantTechniques:
- T1114
- T1566
- T0865
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: 1d
    enabled: true
    reopenClosedIncident: false
    matchingMethod: AllEntities
name: Mimecast Secure Email Gateway - Attachment Protect
requiredDataConnectors:
- dataTypes:
  - MimecastSIEM_CL
  connectorId: MimecastSIEMAPI
entityMappings:
- fieldMappings:
  - identifier: Sender
    columnName: Sender_s
  - identifier: Recipient
    columnName: Recipient_s
  - identifier: Subject
    columnName: Subject_s
  entityType: MailMessage
- fieldMappings:
  - identifier: Address
    columnName: IP_s
  entityType: IP
triggerThreshold: 0
id: 72264f4f-61fb-4f4f-96c4-635571a376c2
tactics:
- Collection
- Exfiltration
- Discovery
- InitialAccess
- Execution
version: 1.0.0
customDetails:
  sha256: sha256_s
  MsgId: MsgId_s
  fileName: fileName_s
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastSEG/Analytic Rules/MimecastSIEM_Attachment.yaml
queryPeriod: 15m
kind: Scheduled
eventGroupingSettings:
  aggregationKind: SingleAlert
enabled: true
suppressionDuration: 5h
queryFrequency: 5m
severity: High
suppressionEnabled: false
description: Detect threat for mail attachment under the targeted threat protection
query: MimecastSIEM_CL| where mimecastEventId_s=="mail_ttp_attachment"
triggerOperator: gt

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/72264f4f-61fb-4f4f-96c4-635571a376c2')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/72264f4f-61fb-4f4f-96c4-635571a376c2')]",
      "properties": {
        "alertRuleTemplateName": "72264f4f-61fb-4f4f-96c4-635571a376c2",
        "customDetails": {
          "fileName": "fileName_s",
          "MsgId": "MsgId_s",
          "sha256": "sha256_s"
        },
        "description": "Detect threat for mail attachment under the targeted threat protection",
        "displayName": "Mimecast Secure Email Gateway - Attachment Protect",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "MailMessage",
            "fieldMappings": [
              {
                "columnName": "Sender_s",
                "identifier": "Sender"
              },
              {
                "columnName": "Recipient_s",
                "identifier": "Recipient"
              },
              {
                "columnName": "Subject_s",
                "identifier": "Subject"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IP_s",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "lookbackDuration": "P1D",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastSEG/Analytic Rules/MimecastSIEM_Attachment.yaml",
        "query": "MimecastSIEM_CL| where mimecastEventId_s==\"mail_ttp_attachment\"",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT15M",
        "severity": "High",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "Collection",
          "Discovery",
          "Execution",
          "Exfiltration",
          "InitialAccess"
        ],
        "techniques": [
          "T1114",
          "T1566"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}