Mimecast Data Leak Prevention - Hold

Back


Id	8e52bcf1-4f50-4c39-8678-d9efad64e379
Rulename	Mimecast Data Leak Prevention - Hold
Description	Detects threat for data leak when action is hold
Severity	Informational
Tactics	Exfiltration
Techniques	T1030
Required data connectors	MimecastSEGAPI
Kind	Scheduled
Query frequency	15m
Query period	15m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastDLP_hold.yaml
Version	1.0.0
Arm template	8e52bcf1-4f50-4c39-8678-d9efad64e379.json

KQL

MimecastDLP 
| where Action == "hold"
| extend SenderAddress = ['Sender Address'] ,RecipientAddress = ['Recipient Address']

YAML

kind: Scheduled
triggerThreshold: 0
requiredDataConnectors:
- dataTypes:
  - MimecastDLP
  connectorId: MimecastSEGAPI
entityMappings:
- entityType: MailMessage
  fieldMappings:
  - columnName: SenderAddress
    identifier: Sender
  - columnName: RecipientAddress
    identifier: Recipient
  - columnName: Action
    identifier: DeliveryAction
relevantTechniques:
- T1030
tactics:
- Exfiltration
eventGroupingSettings:
  aggregationKind: SingleAlert
suppressionEnabled: false
name: Mimecast Data Leak Prevention - Hold
queryFrequency: 15m
query: |
  MimecastDLP 
  | where Action == "hold"
  | extend SenderAddress = ['Sender Address'] ,RecipientAddress = ['Recipient Address']  
id: 8e52bcf1-4f50-4c39-8678-d9efad64e379
enabled: true
severity: Informational
queryPeriod: 15m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastDLP_hold.yaml
version: 1.0.0
description: Detects threat for data leak when action is hold
suppressionDuration: 5h
incidentConfiguration:
  groupingConfiguration:
    matchingMethod: AllEntities
    lookbackDuration: P7D
    enabled: true
    reopenClosedIncident: false
  createIncident: true
triggerOperator: gt

ARM