MimecastDLP
| where Action == "hold"
| extend SenderAddress = ['Sender Address'] ,RecipientAddress = ['Recipient Address']
suppressionEnabled: false
name: Mimecast Data Leak Prevention - Hold
relevantTechniques:
- T1030
id: 8e52bcf1-4f50-4c39-8678-d9efad64e379
enabled: true
requiredDataConnectors:
- dataTypes:
- MimecastDLP
connectorId: MimecastSEGAPI
eventGroupingSettings:
aggregationKind: SingleAlert
version: 1.0.0
severity: Informational
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastDLP_hold.yaml
queryPeriod: 15m
entityMappings:
- fieldMappings:
- identifier: Sender
columnName: SenderAddress
- identifier: Recipient
columnName: RecipientAddress
- identifier: DeliveryAction
columnName: Action
entityType: MailMessage
queryFrequency: 15m
incidentConfiguration:
groupingConfiguration:
reopenClosedIncident: false
matchingMethod: AllEntities
lookbackDuration: P7D
enabled: true
createIncident: true
suppressionDuration: 5h
query: |
MimecastDLP
| where Action == "hold"
| extend SenderAddress = ['Sender Address'] ,RecipientAddress = ['Recipient Address']
tactics:
- Exfiltration
kind: Scheduled
description: Detects threat for data leak when action is hold
triggerOperator: gt
