Mimecast Secure Email Gateway - URL Protect
| Id | 80f244cd-b0d6-404e-9aed-37f7a66eda9f |
| Rulename | Mimecast Secure Email Gateway - URL Protect |
| Description | Detect threat when potentially malicious url found. |
| Severity | High |
| Tactics | InitialAccess Discovery Execution |
| Techniques | T1566 |
| Required data connectors | MimecastSEGAPI |
| Kind | Scheduled |
| Query frequency | 15m |
| Query period | 15m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastCG_Url_Protect.yaml |
| Version | 1.0.0 |
| Arm template | 80f244cd-b0d6-404e-9aed-37f7a66eda9f.json |
MimecastCG
| where Type == "email_ttp_url"
| extend SenderEnvelope = ['Sender Envelope']
eventGroupingSettings:
aggregationKind: AlertPerResult
triggerThreshold: 0
entityMappings:
- entityType: MailMessage
fieldMappings:
- identifier: Sender
columnName: SenderEnvelope
- identifier: Recipient
columnName: Recipients
- identifier: Subject
columnName: Subject
requiredDataConnectors:
- dataTypes:
- MimecastCG
connectorId: MimecastSEGAPI
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastCG_Url_Protect.yaml
enabled: true
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: true
reopenClosedIncident: false
matchingMethod: AllEntities
lookbackDuration: P7D
version: 1.0.0
name: Mimecast Secure Email Gateway - URL Protect
relevantTechniques:
- T1566
status: Available
suppressionEnabled: false
queryPeriod: 15m
kind: Scheduled
id: 80f244cd-b0d6-404e-9aed-37f7a66eda9f
query: |
MimecastCG
| where Type == "email_ttp_url"
| extend SenderEnvelope = ['Sender Envelope']
description: |
'Detect threat when potentially malicious url found.'
queryFrequency: 15m
severity: High
triggerOperator: gt
tactics:
- InitialAccess
- Discovery
- Execution
suppressionDuration: 5h