Mimecast Targeted Threat Protection - URL Protect

Back


Id	952faed4-c6a6-4873-aeb9-b348e9ce5aba
Rulename	Mimecast Targeted Threat Protection - URL Protect
Description	Detects malicious scan results and actions which are not allowed.
Severity	High
Tactics	InitialAccess Discovery
Techniques	T0865
Required data connectors	MimecastTTPAPI
Kind	Scheduled
Query frequency	30m
Query period	30m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastTTP/Mimecast_TTP_Url.yaml
Version	1.0.0
Arm template	952faed4-c6a6-4873-aeb9-b348e9ce5aba.json

KQL

MimecastTTPUrl
| where ['Scan Result'] == "malicious" and Action != "allow"
| extend  From_User_EmailAddress = ['From User Email Address'],MessageID = ['Message ID'] , User_EmailAddress = ['User Email Address']

YAML

relevantTechniques:
- T0865
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: P7D
    enabled: true
    reopenClosedIncident: false
    matchingMethod: AllEntities
name: Mimecast Targeted Threat Protection - URL Protect
requiredDataConnectors:
- dataTypes:
  - MimecastTTPUrl
  connectorId: MimecastTTPAPI
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: SendingIP
  entityType: IP
- fieldMappings:
  - identifier: Sender
    columnName: From_User_EmailAddress
  - identifier: InternetMessageId
    columnName: MessageID
  - identifier: Recipient
    columnName: User_EmailAddress
  entityType: MailMessage
- fieldMappings:
  - identifier: Url
    columnName: Url
  entityType: URL
triggerThreshold: 0
id: 952faed4-c6a6-4873-aeb9-b348e9ce5aba
tactics:
- InitialAccess
- Discovery
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastTTP/Mimecast_TTP_Url.yaml
queryPeriod: 30m
kind: Scheduled
eventGroupingSettings:
  aggregationKind: AlertPerResult
suppressionDuration: 5h
queryFrequency: 30m
severity: High
status: Available
suppressionEnabled: false
description: |
    'Detects malicious scan results and actions which are not allowed.'
query: |
  MimecastTTPUrl
  | where ['Scan Result'] == "malicious" and Action != "allow"
  | extend  From_User_EmailAddress = ['From User Email Address'],MessageID = ['Message ID'] , User_EmailAddress = ['User Email Address']  
triggerOperator: gt

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/952faed4-c6a6-4873-aeb9-b348e9ce5aba')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/952faed4-c6a6-4873-aeb9-b348e9ce5aba')]",
      "properties": {
        "alertRuleTemplateName": "952faed4-c6a6-4873-aeb9-b348e9ce5aba",
        "customDetails": null,
        "description": "'Detects malicious scan results and actions which are not allowed.'\n",
        "displayName": "Mimecast Targeted Threat Protection - URL Protect",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SendingIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "MailMessage",
            "fieldMappings": [
              {
                "columnName": "From_User_EmailAddress",
                "identifier": "Sender"
              },
              {
                "columnName": "MessageID",
                "identifier": "InternetMessageId"
              },
              {
                "columnName": "User_EmailAddress",
                "identifier": "Recipient"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "Url",
                "identifier": "Url"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "lookbackDuration": "P7D",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastTTP/Mimecast_TTP_Url.yaml",
        "query": "MimecastTTPUrl\n| where ['Scan Result'] == \"malicious\" and Action != \"allow\"\n| extend  From_User_EmailAddress = ['From User Email Address'],MessageID = ['Message ID'] , User_EmailAddress = ['User Email Address']\n",
        "queryFrequency": "PT30M",
        "queryPeriod": "PT30M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "Discovery",
          "InitialAccess"
        ],
        "techniques": null,
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}