FilewallM365ExchangeEvent()
| where EventVendor == 'ODI-X' and EventProduct == 'Filewall for Microsoft 365'
| where EventType == 'ThreatInfo' and EventResult == 'Blocked'
status: Available
query: |
FilewallM365ExchangeEvent()
| where EventVendor == 'ODI-X' and EventProduct == 'Filewall for Microsoft 365'
| where EventType == 'ThreatInfo' and EventResult == 'Blocked'
queryFrequency: 5m
queryPeriod: 5m
triggerOperator: gt
eventGroupingSettings:
aggregationKind: AlertPerResult
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Filewall for Microsoft 365/Analytic Rules/BlockedEmails.yaml
tactics:
- Exfiltration
triggerThreshold: 0
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: ActorUsername
- entityType: MailMessage
fieldMappings:
- identifier: Recipient
columnName: EmailRecipientTo
- identifier: Subject
columnName: EmailSubject
- identifier: Sender
columnName: EmailSenderFrom
requiredDataConnectors:
- connectorId: FilewallM365
dataTypes:
- FilewallExchange_CL
kind: Scheduled
relevantTechniques:
- T1048
description: Identifies emails blocked by Filewall for Microsoft 365 (Exchange).
incidentConfiguration:
groupingConfiguration:
reopenClosedIncident: false
matchingMethod: AllEntities
lookbackDuration: PT1H
enabled: false
createIncident: true
name: Filewall - Blocked emails
version: 1.0.0
id: 9b784b65-2d16-4c9f-9f59-2a5d4c659f42
severity: High
