Mimecast Secure Email Gateway - URL Protect
| Id | 80f244cd-b0d6-404e-9aed-37f7a66eda9f |
| Rulename | Mimecast Secure Email Gateway - URL Protect |
| Description | Detect threat when potentially malicious url found. |
| Severity | High |
| Tactics | InitialAccess Discovery Execution |
| Techniques | T1566 |
| Required data connectors | MimecastSEGAPI |
| Kind | Scheduled |
| Query frequency | 15m |
| Query period | 15m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastCG_Url_Protect.yaml |
| Version | 1.0.0 |
| Arm template | 80f244cd-b0d6-404e-9aed-37f7a66eda9f.json |
MimecastCG
| where Type == "email_ttp_url"
| extend SenderEnvelope = ['Sender Envelope']
queryPeriod: 15m
query: |
MimecastCG
| where Type == "email_ttp_url"
| extend SenderEnvelope = ['Sender Envelope']
enabled: true
name: Mimecast Secure Email Gateway - URL Protect
entityMappings:
- fieldMappings:
- columnName: SenderEnvelope
identifier: Sender
- columnName: Recipients
identifier: Recipient
- columnName: Subject
identifier: Subject
entityType: MailMessage
suppressionDuration: 5h
queryFrequency: 15m
suppressionEnabled: false
description: |
'Detect threat when potentially malicious url found.'
kind: Scheduled
incidentConfiguration:
groupingConfiguration:
lookbackDuration: P7D
reopenClosedIncident: false
matchingMethod: AllEntities
enabled: true
createIncident: true
version: 1.0.0
eventGroupingSettings:
aggregationKind: AlertPerResult
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastCG_Url_Protect.yaml
status: Available
severity: High
requiredDataConnectors:
- connectorId: MimecastSEGAPI
dataTypes:
- MimecastCG
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
- Discovery
- Execution
id: 80f244cd-b0d6-404e-9aed-37f7a66eda9f
relevantTechniques:
- T1566