FilewallM365ExchangeEvent()
| where EventVendor == 'ODI-X' and EventProduct == 'Filewall for Microsoft 365'
| where EventType == 'ThreatInfo' and EventResult == 'Blocked'
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: ActorUsername
- entityType: MailMessage
fieldMappings:
- identifier: Recipient
columnName: EmailRecipientTo
- identifier: Subject
columnName: EmailSubject
- identifier: Sender
columnName: EmailSenderFrom
tactics:
- Exfiltration
requiredDataConnectors:
- dataTypes:
- FilewallExchange_CL
connectorId: FilewallM365
incidentConfiguration:
groupingConfiguration:
enabled: false
lookbackDuration: PT1H
reopenClosedIncident: false
matchingMethod: AllEntities
createIncident: true
id: 9b784b65-2d16-4c9f-9f59-2a5d4c659f42
severity: High
eventGroupingSettings:
aggregationKind: AlertPerResult
status: Available
query: |
FilewallM365ExchangeEvent()
| where EventVendor == 'ODI-X' and EventProduct == 'Filewall for Microsoft 365'
| where EventType == 'ThreatInfo' and EventResult == 'Blocked'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Filewall for Microsoft 365/Analytic Rules/BlockedEmails.yaml
kind: Scheduled
queryPeriod: 5m
version: 1.0.0
name: Filewall - Blocked emails
queryFrequency: 5m
triggerThreshold: 0
relevantTechniques:
- T1048
description: Identifies emails blocked by Filewall for Microsoft 365 (Exchange).
triggerOperator: gt
