Mimecast Secure Email Gateway - Attachment Protect

Back


Id	72bd7b0c-493c-4fa5-8a95-7f6376b6cfb2
Rulename	Mimecast Secure Email Gateway - Attachment Protect
Description	Detect threat for mail attachment under the targeted threat protection.
Severity	High
Tactics	Collection Exfiltration Discovery InitialAccess Execution
Techniques	T1114 T1566 T0865
Required data connectors	MimecastSEGAPI
Kind	Scheduled
Query frequency	15m
Query period	15m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastCG_Attachment.yaml
Version	1.0.0
Arm template	72bd7b0c-493c-4fa5-8a95-7f6376b6cfb2.json

KQL

MimecastCG
| where Type == "email_ttp_ap"
| extend  SenderEnvelope = ['Sender Envelope']  , SenderIp = ['Sender IP']

YAML

name: Mimecast Secure Email Gateway - Attachment Protect
severity: High
triggerOperator: gt
relevantTechniques:
- T1114
- T1566
- T0865
version: 1.0.0
entityMappings:
- fieldMappings:
  - columnName: SenderEnvelope
    identifier: Sender
  - columnName: Recipients
    identifier: Recipient
  - columnName: Subject
    identifier: Subject
  entityType: MailMessage
- fieldMappings:
  - columnName: SenderIp
    identifier: Address
  entityType: IP
queryPeriod: 15m
enabled: true
suppressionDuration: 5h
triggerThreshold: 0
requiredDataConnectors:
- dataTypes:
  - MimecastCG
  connectorId: MimecastSEGAPI
tactics:
- Collection
- Exfiltration
- Discovery
- InitialAccess
- Execution
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastCG_Attachment.yaml
kind: Scheduled
status: Available
query: |
  MimecastCG
  | where Type == "email_ttp_ap"
  | extend  SenderEnvelope = ['Sender Envelope']  , SenderIp = ['Sender IP']  
incidentConfiguration:
  groupingConfiguration:
    lookbackDuration: P7D
    matchingMethod: AllEntities
    reopenClosedIncident: false
    enabled: true
  createIncident: true
queryFrequency: 15m
id: 72bd7b0c-493c-4fa5-8a95-7f6376b6cfb2
suppressionEnabled: false
eventGroupingSettings:
  aggregationKind: AlertPerResult
description: |
    'Detect threat for mail attachment under the targeted threat protection.'

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/72bd7b0c-493c-4fa5-8a95-7f6376b6cfb2')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/72bd7b0c-493c-4fa5-8a95-7f6376b6cfb2')]",
      "properties": {
        "alertRuleTemplateName": "72bd7b0c-493c-4fa5-8a95-7f6376b6cfb2",
        "customDetails": null,
        "description": "'Detect threat for mail attachment under the targeted threat protection.'\n",
        "displayName": "Mimecast Secure Email Gateway - Attachment Protect",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "MailMessage",
            "fieldMappings": [
              {
                "columnName": "SenderEnvelope",
                "identifier": "Sender"
              },
              {
                "columnName": "Recipients",
                "identifier": "Recipient"
              },
              {
                "columnName": "Subject",
                "identifier": "Subject"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SenderIp",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "lookbackDuration": "P7D",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastCG_Attachment.yaml",
        "query": "MimecastCG\n| where Type == \"email_ttp_ap\"\n| extend  SenderEnvelope = ['Sender Envelope']  , SenderIp = ['Sender IP']\n",
        "queryFrequency": "PT15M",
        "queryPeriod": "PT15M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "Collection",
          "Discovery",
          "Execution",
          "Exfiltration",
          "InitialAccess"
        ],
        "techniques": [
          "T1114",
          "T1566"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}