Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Mimecast Secure Email Gateway - Attachment Protect

Back
Id72bd7b0c-493c-4fa5-8a95-7f6376b6cfb2
RulenameMimecast Secure Email Gateway - Attachment Protect
DescriptionDetect threat for mail attachment under the targeted threat protection.
SeverityHigh
TacticsCollection
Exfiltration
Discovery
InitialAccess
Execution
TechniquesT1114
T1566
T0865
Required data connectorsMimecastSEGAPI
KindScheduled
Query frequency15m
Query period15m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastCG_Attachment.yaml
Version1.0.0
Arm template72bd7b0c-493c-4fa5-8a95-7f6376b6cfb2.json
Deploy To Azure
MimecastCG
| where Type == "email_ttp_ap"
| extend  SenderEnvelope = ['Sender Envelope']  , SenderIp = ['Sender IP']
version: 1.0.0
tactics:
- Collection
- Exfiltration
- Discovery
- InitialAccess
- Execution
name: Mimecast Secure Email Gateway - Attachment Protect
suppressionDuration: 5h
queryPeriod: 15m
triggerThreshold: 0
entityMappings:
- fieldMappings:
  - columnName: SenderEnvelope
    identifier: Sender
  - columnName: Recipients
    identifier: Recipient
  - columnName: Subject
    identifier: Subject
  entityType: MailMessage
- fieldMappings:
  - columnName: SenderIp
    identifier: Address
  entityType: IP
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastCG_Attachment.yaml
suppressionEnabled: false
relevantTechniques:
- T1114
- T1566
- T0865
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    matchingMethod: AllEntities
    lookbackDuration: P7D
    enabled: true
  createIncident: true
requiredDataConnectors:
- connectorId: MimecastSEGAPI
  dataTypes:
  - MimecastCG
id: 72bd7b0c-493c-4fa5-8a95-7f6376b6cfb2
query: |
  MimecastCG
  | where Type == "email_ttp_ap"
  | extend  SenderEnvelope = ['Sender Envelope']  , SenderIp = ['Sender IP']  
triggerOperator: gt
severity: High
queryFrequency: 15m
kind: Scheduled
eventGroupingSettings:
  aggregationKind: AlertPerResult
description: |
    'Detect threat for mail attachment under the targeted threat protection.'
enabled: true
status: Available
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/72bd7b0c-493c-4fa5-8a95-7f6376b6cfb2')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/72bd7b0c-493c-4fa5-8a95-7f6376b6cfb2')]",
      "properties": {
        "alertRuleTemplateName": "72bd7b0c-493c-4fa5-8a95-7f6376b6cfb2",
        "customDetails": null,
        "description": "'Detect threat for mail attachment under the targeted threat protection.'\n",
        "displayName": "Mimecast Secure Email Gateway - Attachment Protect",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "MailMessage",
            "fieldMappings": [
              {
                "columnName": "SenderEnvelope",
                "identifier": "Sender"
              },
              {
                "columnName": "Recipients",
                "identifier": "Recipient"
              },
              {
                "columnName": "Subject",
                "identifier": "Subject"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SenderIp",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "lookbackDuration": "P7D",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastCG_Attachment.yaml",
        "query": "MimecastCG\n| where Type == \"email_ttp_ap\"\n| extend  SenderEnvelope = ['Sender Envelope']  , SenderIp = ['Sender IP']\n",
        "queryFrequency": "PT15M",
        "queryPeriod": "PT15M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "Collection",
          "Discovery",
          "Execution",
          "Exfiltration",
          "InitialAccess"
        ],
        "techniques": [
          "T1114",
          "T1566"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}