Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Mimecast Secure Email Gateway - Attachment Protect

Mimecast Secure Email Gateway - Attachment Protect

Back
Id72bd7b0c-493c-4fa5-8a95-7f6376b6cfb2
RulenameMimecast Secure Email Gateway - Attachment Protect
DescriptionDetect threat for mail attachment under the targeted threat protection.
SeverityHigh
TacticsCollection
Exfiltration
Discovery
InitialAccess
Execution
TechniquesT1114
T1566
T0865
Required data connectorsMimecastSEGAPI
KindScheduled
Query frequency15m
Query period15m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastCG_Attachment.yaml
Version1.0.0
Arm template72bd7b0c-493c-4fa5-8a95-7f6376b6cfb2.json
Deploy To Azure
MimecastCG
| where Type == "email_ttp_ap"
| extend  SenderEnvelope = ['Sender Envelope']  , SenderIp = ['Sender IP']

suppressionEnabled: false
description: |
    'Detect threat for mail attachment under the targeted threat protection.'
kind: Scheduled
tactics:
- Collection
- Exfiltration
- Discovery
- InitialAccess
- Execution
requiredDataConnectors:
- connectorId: MimecastSEGAPI
  dataTypes:
  - MimecastCG
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    lookbackDuration: P7D
    enabled: true
    matchingMethod: AllEntities
  createIncident: true
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastCG_Attachment.yaml
severity: High
name: Mimecast Secure Email Gateway - Attachment Protect
suppressionDuration: 5h
triggerThreshold: 0
queryPeriod: 15m
query: |
  MimecastCG
  | where Type == "email_ttp_ap"
  | extend  SenderEnvelope = ['Sender Envelope']  , SenderIp = ['Sender IP']  
relevantTechniques:
- T1114
- T1566
- T0865
id: 72bd7b0c-493c-4fa5-8a95-7f6376b6cfb2
queryFrequency: 15m
enabled: true
status: Available
version: 1.0.0
triggerOperator: gt
eventGroupingSettings:
  aggregationKind: AlertPerResult
entityMappings:
- entityType: MailMessage
  fieldMappings:
  - columnName: SenderEnvelope
    identifier: Sender
  - columnName: Recipients
    identifier: Recipient
  - columnName: Subject
    identifier: Subject
- entityType: IP
  fieldMappings:
  - columnName: SenderIp
    identifier: Address