Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Mimecast Secure Email Gateway - Attachment Protect

Back
Id72bd7b0c-493c-4fa5-8a95-7f6376b6cfb2
RulenameMimecast Secure Email Gateway - Attachment Protect
DescriptionDetect threat for mail attachment under the targeted threat protection.
SeverityHigh
TacticsCollection
Exfiltration
Discovery
InitialAccess
Execution
TechniquesT1114
T1566
T0865
Required data connectorsMimecastSEGAPI
KindScheduled
Query frequency15m
Query period15m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastCG_Attachment.yaml
Version1.0.0
Arm template72bd7b0c-493c-4fa5-8a95-7f6376b6cfb2.json
Deploy To Azure
MimecastCG
| where Type == "email_ttp_ap"
| extend  SenderEnvelope = ['Sender Envelope']  , SenderIp = ['Sender IP']
name: Mimecast Secure Email Gateway - Attachment Protect
triggerOperator: gt
queryPeriod: 15m
version: 1.0.0
kind: Scheduled
id: 72bd7b0c-493c-4fa5-8a95-7f6376b6cfb2
severity: High
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastCG_Attachment.yaml
requiredDataConnectors:
- dataTypes:
  - MimecastCG
  connectorId: MimecastSEGAPI
eventGroupingSettings:
  aggregationKind: AlertPerResult
suppressionDuration: 5h
relevantTechniques:
- T1114
- T1566
- T0865
suppressionEnabled: false
description: |
    'Detect threat for mail attachment under the targeted threat protection.'
entityMappings:
- entityType: MailMessage
  fieldMappings:
  - columnName: SenderEnvelope
    identifier: Sender
  - columnName: Recipients
    identifier: Recipient
  - columnName: Subject
    identifier: Subject
- entityType: IP
  fieldMappings:
  - columnName: SenderIp
    identifier: Address
query: |
  MimecastCG
  | where Type == "email_ttp_ap"
  | extend  SenderEnvelope = ['Sender Envelope']  , SenderIp = ['Sender IP']  
tactics:
- Collection
- Exfiltration
- Discovery
- InitialAccess
- Execution
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    reopenClosedIncident: false
    matchingMethod: AllEntities
    lookbackDuration: P7D
    enabled: true
status: Available
queryFrequency: 15m
enabled: true
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/72bd7b0c-493c-4fa5-8a95-7f6376b6cfb2')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/72bd7b0c-493c-4fa5-8a95-7f6376b6cfb2')]",
      "properties": {
        "alertRuleTemplateName": "72bd7b0c-493c-4fa5-8a95-7f6376b6cfb2",
        "customDetails": null,
        "description": "'Detect threat for mail attachment under the targeted threat protection.'\n",
        "displayName": "Mimecast Secure Email Gateway - Attachment Protect",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "MailMessage",
            "fieldMappings": [
              {
                "columnName": "SenderEnvelope",
                "identifier": "Sender"
              },
              {
                "columnName": "Recipients",
                "identifier": "Recipient"
              },
              {
                "columnName": "Subject",
                "identifier": "Subject"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SenderIp",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "lookbackDuration": "P7D",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastCG_Attachment.yaml",
        "query": "MimecastCG\n| where Type == \"email_ttp_ap\"\n| extend  SenderEnvelope = ['Sender Envelope']  , SenderIp = ['Sender IP']\n",
        "queryFrequency": "PT15M",
        "queryPeriod": "PT15M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "Collection",
          "Discovery",
          "Execution",
          "Exfiltration",
          "InitialAccess"
        ],
        "techniques": [
          "T1114",
          "T1566"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}