Mimecast Secure Email Gateway - Attachment Protect

Back


Id	72bd7b0c-493c-4fa5-8a95-7f6376b6cfb2
Rulename	Mimecast Secure Email Gateway - Attachment Protect
Description	Detect threat for mail attachment under the targeted threat protection.
Severity	High
Tactics	Collection Exfiltration Discovery InitialAccess Execution
Techniques	T1114 T1566 T0865
Required data connectors	MimecastSEGAPI
Kind	Scheduled
Query frequency	15m
Query period	15m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastCG_Attachment.yaml
Version	1.0.0
Arm template	72bd7b0c-493c-4fa5-8a95-7f6376b6cfb2.json

KQL

MimecastCG
| where Type == "email_ttp_ap"
| extend  SenderEnvelope = ['Sender Envelope']  , SenderIp = ['Sender IP']

YAML

query: |
  MimecastCG
  | where Type == "email_ttp_ap"
  | extend  SenderEnvelope = ['Sender Envelope']  , SenderIp = ['Sender IP']  
id: 72bd7b0c-493c-4fa5-8a95-7f6376b6cfb2
name: Mimecast Secure Email Gateway - Attachment Protect
severity: High
triggerThreshold: 0
suppressionDuration: 5h
description: |
    'Detect threat for mail attachment under the targeted threat protection.'
status: Available
relevantTechniques:
- T1114
- T1566
- T0865
triggerOperator: gt
tactics:
- Collection
- Exfiltration
- Discovery
- InitialAccess
- Execution
entityMappings:
- fieldMappings:
  - columnName: SenderEnvelope
    identifier: Sender
  - columnName: Recipients
    identifier: Recipient
  - columnName: Subject
    identifier: Subject
  entityType: MailMessage
- fieldMappings:
  - columnName: SenderIp
    identifier: Address
  entityType: IP
requiredDataConnectors:
- connectorId: MimecastSEGAPI
  dataTypes:
  - MimecastCG
incidentConfiguration:
  groupingConfiguration:
    lookbackDuration: P7D
    reopenClosedIncident: false
    enabled: true
    matchingMethod: AllEntities
  createIncident: true
enabled: true
eventGroupingSettings:
  aggregationKind: AlertPerResult
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastCG_Attachment.yaml
suppressionEnabled: false
queryPeriod: 15m
queryFrequency: 15m
version: 1.0.0
kind: Scheduled

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/72bd7b0c-493c-4fa5-8a95-7f6376b6cfb2')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/72bd7b0c-493c-4fa5-8a95-7f6376b6cfb2')]",
      "properties": {
        "alertRuleTemplateName": "72bd7b0c-493c-4fa5-8a95-7f6376b6cfb2",
        "customDetails": null,
        "description": "'Detect threat for mail attachment under the targeted threat protection.'\n",
        "displayName": "Mimecast Secure Email Gateway - Attachment Protect",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "MailMessage",
            "fieldMappings": [
              {
                "columnName": "SenderEnvelope",
                "identifier": "Sender"
              },
              {
                "columnName": "Recipients",
                "identifier": "Recipient"
              },
              {
                "columnName": "Subject",
                "identifier": "Subject"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SenderIp",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "lookbackDuration": "P7D",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastCG_Attachment.yaml",
        "query": "MimecastCG\n| where Type == \"email_ttp_ap\"\n| extend  SenderEnvelope = ['Sender Envelope']  , SenderIp = ['Sender IP']\n",
        "queryFrequency": "PT15M",
        "queryPeriod": "PT15M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "Collection",
          "Discovery",
          "Execution",
          "Exfiltration",
          "InitialAccess"
        ],
        "techniques": [
          "T1114",
          "T1566"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}