Mimecast Targeted Threat Protection - URL Protect

Back


Id	952faed4-c6a6-4873-aeb9-b348e9ce5aba
Rulename	Mimecast Targeted Threat Protection - URL Protect
Description	Detects malicious scan results and actions which are not allowed.
Severity	High
Tactics	InitialAccess Discovery
Techniques	T0865
Required data connectors	MimecastTTPAPI
Kind	Scheduled
Query frequency	30m
Query period	30m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastTTP/Mimecast_TTP_Url.yaml
Version	1.0.0
Arm template	952faed4-c6a6-4873-aeb9-b348e9ce5aba.json

KQL

MimecastTTPUrl
| where ['Scan Result'] == "malicious" and Action != "allow"
| extend  From_User_EmailAddress = ['From User Email Address'],MessageID = ['Message ID'] , User_EmailAddress = ['User Email Address']

YAML

query: |
  MimecastTTPUrl
  | where ['Scan Result'] == "malicious" and Action != "allow"
  | extend  From_User_EmailAddress = ['From User Email Address'],MessageID = ['Message ID'] , User_EmailAddress = ['User Email Address']  
relevantTechniques:
- T0865
name: Mimecast Targeted Threat Protection - URL Protect
severity: High
triggerThreshold: 0
suppressionDuration: 5h
description: |
    'Detects malicious scan results and actions which are not allowed.'
status: Available
incidentConfiguration:
  groupingConfiguration:
    lookbackDuration: P7D
    reopenClosedIncident: false
    enabled: true
    matchingMethod: AllEntities
  createIncident: true
triggerOperator: gt
tactics:
- InitialAccess
- Discovery
entityMappings:
- fieldMappings:
  - columnName: SendingIP
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: From_User_EmailAddress
    identifier: Sender
  - columnName: MessageID
    identifier: InternetMessageId
  - columnName: User_EmailAddress
    identifier: Recipient
  entityType: MailMessage
- fieldMappings:
  - columnName: Url
    identifier: Url
  entityType: URL
requiredDataConnectors:
- connectorId: MimecastTTPAPI
  dataTypes:
  - MimecastTTPUrl
eventGroupingSettings:
  aggregationKind: AlertPerResult
id: 952faed4-c6a6-4873-aeb9-b348e9ce5aba
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastTTP/Mimecast_TTP_Url.yaml
suppressionEnabled: false
queryPeriod: 30m
queryFrequency: 30m
version: 1.0.0
kind: Scheduled

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/952faed4-c6a6-4873-aeb9-b348e9ce5aba')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/952faed4-c6a6-4873-aeb9-b348e9ce5aba')]",
      "properties": {
        "alertRuleTemplateName": "952faed4-c6a6-4873-aeb9-b348e9ce5aba",
        "customDetails": null,
        "description": "'Detects malicious scan results and actions which are not allowed.'\n",
        "displayName": "Mimecast Targeted Threat Protection - URL Protect",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SendingIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "MailMessage",
            "fieldMappings": [
              {
                "columnName": "From_User_EmailAddress",
                "identifier": "Sender"
              },
              {
                "columnName": "MessageID",
                "identifier": "InternetMessageId"
              },
              {
                "columnName": "User_EmailAddress",
                "identifier": "Recipient"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "Url",
                "identifier": "Url"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "lookbackDuration": "P7D",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastTTP/Mimecast_TTP_Url.yaml",
        "query": "MimecastTTPUrl\n| where ['Scan Result'] == \"malicious\" and Action != \"allow\"\n| extend  From_User_EmailAddress = ['From User Email Address'],MessageID = ['Message ID'] , User_EmailAddress = ['User Email Address']\n",
        "queryFrequency": "PT30M",
        "queryPeriod": "PT30M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "Discovery",
          "InitialAccess"
        ],
        "techniques": null,
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}