Mimecast Secure Email Gateway - URL Protect
| Id | 80f244cd-b0d6-404e-9aed-37f7a66eda9f |
| Rulename | Mimecast Secure Email Gateway - URL Protect |
| Description | Detect threat when potentially malicious url found. |
| Severity | High |
| Tactics | InitialAccess Discovery Execution |
| Techniques | T1566 |
| Required data connectors | MimecastSEGAPI |
| Kind | Scheduled |
| Query frequency | 15m |
| Query period | 15m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastCG_Url_Protect.yaml |
| Version | 1.0.0 |
| Arm template | 80f244cd-b0d6-404e-9aed-37f7a66eda9f.json |
MimecastCG
| where Type == "email_ttp_url"
| extend SenderEnvelope = ['Sender Envelope']
name: Mimecast Secure Email Gateway - URL Protect
entityMappings:
- fieldMappings:
- columnName: SenderEnvelope
identifier: Sender
- columnName: Recipients
identifier: Recipient
- columnName: Subject
identifier: Subject
entityType: MailMessage
id: 80f244cd-b0d6-404e-9aed-37f7a66eda9f
description: |
'Detect threat when potentially malicious url found.'
enabled: true
suppressionEnabled: false
version: 1.0.0
triggerOperator: gt
query: |
MimecastCG
| where Type == "email_ttp_url"
| extend SenderEnvelope = ['Sender Envelope']
tactics:
- InitialAccess
- Discovery
- Execution
suppressionDuration: 5h
kind: Scheduled
queryFrequency: 15m
triggerThreshold: 0
severity: High
incidentConfiguration:
createIncident: true
groupingConfiguration:
lookbackDuration: P7D
reopenClosedIncident: false
matchingMethod: AllEntities
enabled: true
queryPeriod: 15m
requiredDataConnectors:
- dataTypes:
- MimecastCG
connectorId: MimecastSEGAPI
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastCG_Url_Protect.yaml
eventGroupingSettings:
aggregationKind: AlertPerResult
relevantTechniques:
- T1566