MimecastDLP
| where Action == "hold"
| extend SenderAddress = ['Sender Address'] ,RecipientAddress = ['Recipient Address']
requiredDataConnectors:
- connectorId: MimecastSEGAPI
dataTypes:
- MimecastDLP
relevantTechniques:
- T1030
name: Mimecast Data Leak Prevention - Hold
queryFrequency: 15m
tactics:
- Exfiltration
triggerThreshold: 0
severity: Informational
query: |
MimecastDLP
| where Action == "hold"
| extend SenderAddress = ['Sender Address'] ,RecipientAddress = ['Recipient Address']
suppressionDuration: 5h
eventGroupingSettings:
aggregationKind: SingleAlert
version: 1.0.0
kind: Scheduled
entityMappings:
- fieldMappings:
- columnName: SenderAddress
identifier: Sender
- columnName: RecipientAddress
identifier: Recipient
- columnName: Action
identifier: DeliveryAction
entityType: MailMessage
queryPeriod: 15m
triggerOperator: gt
suppressionEnabled: false
incidentConfiguration:
groupingConfiguration:
reopenClosedIncident: false
enabled: true
lookbackDuration: P7D
matchingMethod: AllEntities
createIncident: true
id: 8e52bcf1-4f50-4c39-8678-d9efad64e379
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastDLP_hold.yaml
enabled: true
description: Detects threat for data leak when action is hold
