Mimecast Secure Email Gateway - URL Protect
| Id | 80f244cd-b0d6-404e-9aed-37f7a66eda9f |
| Rulename | Mimecast Secure Email Gateway - URL Protect |
| Description | Detect threat when potentially malicious url found. |
| Severity | High |
| Tactics | InitialAccess Discovery Execution |
| Techniques | T1566 |
| Required data connectors | MimecastSEGAPI |
| Kind | Scheduled |
| Query frequency | 15m |
| Query period | 15m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastCG_Url_Protect.yaml |
| Version | 1.0.0 |
| Arm template | 80f244cd-b0d6-404e-9aed-37f7a66eda9f.json |
MimecastCG
| where Type == "email_ttp_url"
| extend SenderEnvelope = ['Sender Envelope']
triggerOperator: gt
incidentConfiguration:
groupingConfiguration:
matchingMethod: AllEntities
enabled: true
reopenClosedIncident: false
lookbackDuration: P7D
createIncident: true
requiredDataConnectors:
- connectorId: MimecastSEGAPI
dataTypes:
- MimecastCG
relevantTechniques:
- T1566
entityMappings:
- entityType: MailMessage
fieldMappings:
- identifier: Sender
columnName: SenderEnvelope
- identifier: Recipient
columnName: Recipients
- identifier: Subject
columnName: Subject
query: |
MimecastCG
| where Type == "email_ttp_url"
| extend SenderEnvelope = ['Sender Envelope']
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastCG_Url_Protect.yaml
suppressionEnabled: false
queryPeriod: 15m
tactics:
- InitialAccess
- Discovery
- Execution
name: Mimecast Secure Email Gateway - URL Protect
description: |
'Detect threat when potentially malicious url found.'
kind: Scheduled
enabled: true
id: 80f244cd-b0d6-404e-9aed-37f7a66eda9f
version: 1.0.0
eventGroupingSettings:
aggregationKind: AlertPerResult
queryFrequency: 15m
severity: High
status: Available
suppressionDuration: 5h