Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Mimecast Secure Email Gateway - Attachment Protect

Back
Id72bd7b0c-493c-4fa5-8a95-7f6376b6cfb2
RulenameMimecast Secure Email Gateway - Attachment Protect
DescriptionDetect threat for mail attachment under the targeted threat protection.
SeverityHigh
TacticsCollection
Exfiltration
Discovery
InitialAccess
Execution
TechniquesT1114
T1566
T0865
Required data connectorsMimecastSEGAPI
KindScheduled
Query frequency15m
Query period15m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastCG_Attachment.yaml
Version1.0.0
Arm template72bd7b0c-493c-4fa5-8a95-7f6376b6cfb2.json
Deploy To Azure
MimecastCG
| where Type == "email_ttp_ap"
| extend  SenderEnvelope = ['Sender Envelope']  , SenderIp = ['Sender IP']
relevantTechniques:
- T1114
- T1566
- T0865
severity: High
entityMappings:
- fieldMappings:
  - identifier: Sender
    columnName: SenderEnvelope
  - identifier: Recipient
    columnName: Recipients
  - identifier: Subject
    columnName: Subject
  entityType: MailMessage
- fieldMappings:
  - identifier: Address
    columnName: SenderIp
  entityType: IP
requiredDataConnectors:
- dataTypes:
  - MimecastCG
  connectorId: MimecastSEGAPI
eventGroupingSettings:
  aggregationKind: AlertPerResult
suppressionEnabled: false
tactics:
- Collection
- Exfiltration
- Discovery
- InitialAccess
- Execution
description: |
    'Detect threat for mail attachment under the targeted threat protection.'
kind: Scheduled
status: Available
triggerOperator: gt
triggerThreshold: 0
suppressionDuration: 5h
enabled: true
query: |
  MimecastCG
  | where Type == "email_ttp_ap"
  | extend  SenderEnvelope = ['Sender Envelope']  , SenderIp = ['Sender IP']  
incidentConfiguration:
  groupingConfiguration:
    lookbackDuration: P7D
    enabled: true
    matchingMethod: AllEntities
    reopenClosedIncident: false
  createIncident: true
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastCG_Attachment.yaml
id: 72bd7b0c-493c-4fa5-8a95-7f6376b6cfb2
version: 1.0.0
name: Mimecast Secure Email Gateway - Attachment Protect
queryPeriod: 15m
queryFrequency: 15m
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/72bd7b0c-493c-4fa5-8a95-7f6376b6cfb2')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/72bd7b0c-493c-4fa5-8a95-7f6376b6cfb2')]",
      "properties": {
        "alertRuleTemplateName": "72bd7b0c-493c-4fa5-8a95-7f6376b6cfb2",
        "customDetails": null,
        "description": "'Detect threat for mail attachment under the targeted threat protection.'\n",
        "displayName": "Mimecast Secure Email Gateway - Attachment Protect",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "MailMessage",
            "fieldMappings": [
              {
                "columnName": "SenderEnvelope",
                "identifier": "Sender"
              },
              {
                "columnName": "Recipients",
                "identifier": "Recipient"
              },
              {
                "columnName": "Subject",
                "identifier": "Subject"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SenderIp",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "lookbackDuration": "P7D",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastCG_Attachment.yaml",
        "query": "MimecastCG\n| where Type == \"email_ttp_ap\"\n| extend  SenderEnvelope = ['Sender Envelope']  , SenderIp = ['Sender IP']\n",
        "queryFrequency": "PT15M",
        "queryPeriod": "PT15M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "Collection",
          "Discovery",
          "Execution",
          "Exfiltration",
          "InitialAccess"
        ],
        "techniques": [
          "T1114",
          "T1566"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}