Mimecast Secure Email Gateway - URL Protect
| Id | 80f244cd-b0d6-404e-9aed-37f7a66eda9f |
| Rulename | Mimecast Secure Email Gateway - URL Protect |
| Description | Detect threat when potentially malicious url found. |
| Severity | High |
| Tactics | InitialAccess Discovery Execution |
| Techniques | T1566 |
| Required data connectors | MimecastSEGAPI |
| Kind | Scheduled |
| Query frequency | 15m |
| Query period | 15m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastCG_Url_Protect.yaml |
| Version | 1.0.0 |
| Arm template | 80f244cd-b0d6-404e-9aed-37f7a66eda9f.json |
MimecastCG
| where Type == "email_ttp_url"
| extend SenderEnvelope = ['Sender Envelope']
id: 80f244cd-b0d6-404e-9aed-37f7a66eda9f
name: Mimecast Secure Email Gateway - URL Protect
entityMappings:
- entityType: MailMessage
fieldMappings:
- columnName: SenderEnvelope
identifier: Sender
- columnName: Recipients
identifier: Recipient
- columnName: Subject
identifier: Subject
version: 1.0.0
relevantTechniques:
- T1566
queryFrequency: 15m
suppressionEnabled: false
status: Available
eventGroupingSettings:
aggregationKind: AlertPerResult
incidentConfiguration:
groupingConfiguration:
matchingMethod: AllEntities
enabled: true
lookbackDuration: P7D
reopenClosedIncident: false
createIncident: true
triggerThreshold: 0
kind: Scheduled
tactics:
- InitialAccess
- Discovery
- Execution
triggerOperator: gt
queryPeriod: 15m
severity: High
suppressionDuration: 5h
enabled: true
description: |
'Detect threat when potentially malicious url found.'
query: |
MimecastCG
| where Type == "email_ttp_url"
| extend SenderEnvelope = ['Sender Envelope']
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastCG_Url_Protect.yaml
requiredDataConnectors:
- connectorId: MimecastSEGAPI
dataTypes:
- MimecastCG