MimecastDLP
| where Action == "hold"
| extend SenderAddress = ['Sender Address'] ,RecipientAddress = ['Recipient Address']
entityMappings:
- entityType: MailMessage
fieldMappings:
- identifier: Sender
columnName: SenderAddress
- identifier: Recipient
columnName: RecipientAddress
- identifier: DeliveryAction
columnName: Action
tactics:
- Exfiltration
suppressionEnabled: false
suppressionDuration: 5h
requiredDataConnectors:
- dataTypes:
- MimecastDLP
connectorId: MimecastSEGAPI
incidentConfiguration:
groupingConfiguration:
enabled: true
lookbackDuration: P7D
reopenClosedIncident: false
matchingMethod: AllEntities
createIncident: true
id: 8e52bcf1-4f50-4c39-8678-d9efad64e379
severity: Informational
eventGroupingSettings:
aggregationKind: SingleAlert
query: |
MimecastDLP
| where Action == "hold"
| extend SenderAddress = ['Sender Address'] ,RecipientAddress = ['Recipient Address']
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastDLP_hold.yaml
kind: Scheduled
queryPeriod: 15m
enabled: true
version: 1.0.0
name: Mimecast Data Leak Prevention - Hold
queryFrequency: 15m
triggerThreshold: 0
relevantTechniques:
- T1030
description: Detects threat for data leak when action is hold
triggerOperator: gt
