Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Mimecast Secure Email Gateway - Attachment Protect

Mimecast Secure Email Gateway - Attachment Protect

Back
Id72bd7b0c-493c-4fa5-8a95-7f6376b6cfb2
RulenameMimecast Secure Email Gateway - Attachment Protect
DescriptionDetect threat for mail attachment under the targeted threat protection.
SeverityHigh
TacticsCollection
Exfiltration
Discovery
InitialAccess
Execution
TechniquesT1114
T1566
T0865
Required data connectorsMimecastSEGAPI
KindScheduled
Query frequency15m
Query period15m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastCG_Attachment.yaml
Version1.0.0
Arm template72bd7b0c-493c-4fa5-8a95-7f6376b6cfb2.json
Deploy To Azure
MimecastCG
| where Type == "email_ttp_ap"
| extend  SenderEnvelope = ['Sender Envelope']  , SenderIp = ['Sender IP']

query: |
  MimecastCG
  | where Type == "email_ttp_ap"
  | extend  SenderEnvelope = ['Sender Envelope']  , SenderIp = ['Sender IP']  
entityMappings:
- entityType: MailMessage
  fieldMappings:
  - columnName: SenderEnvelope
    identifier: Sender
  - columnName: Recipients
    identifier: Recipient
  - columnName: Subject
    identifier: Subject
- entityType: IP
  fieldMappings:
  - columnName: SenderIp
    identifier: Address
triggerThreshold: 0
name: Mimecast Secure Email Gateway - Attachment Protect
severity: High
enabled: true
relevantTechniques:
- T1114
- T1566
- T0865
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: P7D
    matchingMethod: AllEntities
    enabled: true
    reopenClosedIncident: false
queryPeriod: 15m
tactics:
- Collection
- Exfiltration
- Discovery
- InitialAccess
- Execution
requiredDataConnectors:
- connectorId: MimecastSEGAPI
  dataTypes:
  - MimecastCG
queryFrequency: 15m
version: 1.0.0
suppressionEnabled: false
id: 72bd7b0c-493c-4fa5-8a95-7f6376b6cfb2
kind: Scheduled
description: |
    'Detect threat for mail attachment under the targeted threat protection.'
eventGroupingSettings:
  aggregationKind: AlertPerResult
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastCG_Attachment.yaml
suppressionDuration: 5h
status: Available
triggerOperator: gt