Mimecast Targeted Threat Protection - URL Protect

Back


Id	9d5545bd-1450-4086-935c-62f15fc4a4c9
Rulename	Mimecast Targeted Threat Protection - URL Protect
Description	Detects malicious scan results and actions which are not allowed
Severity	High
Tactics	InitialAccess Discovery
Techniques	T0865
Required data connectors	MimecastTTPAPI
Kind	Scheduled
Query frequency	5m
Query period	15m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastTTP/Analytic Rules/MimecastTTPUrl.yaml
Version	1.0.0
Arm template	9d5545bd-1450-4086-935c-62f15fc4a4c9.json

KQL

MimecastTTPUrl_CL| where scanResult_s == "malicious" and action_s != "allow";

YAML

relevantTechniques:
- T0865
alertRuleTemplateName: 
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: 1d
    enabled: true
    reopenClosedIncident: false
    matchingMethod: AllEntities
name: Mimecast Targeted Threat Protection - URL Protect
requiredDataConnectors:
- dataTypes:
  - MimecastTTPUrl_CL
  connectorId: MimecastTTPAPI
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: sendingIp_s
  entityType: IP
- fieldMappings:
  - identifier: Sender
    columnName: fromUserEmailAddress_s
  - identifier: InternetMessageId
    columnName: messageId_s
  - identifier: Recipient
    columnName: userEmailAddress_s
  entityType: MailMessage
- fieldMappings:
  - identifier: Url
    columnName: url_s
  entityType: URL
triggerThreshold: 0
id: 9d5545bd-1450-4086-935c-62f15fc4a4c9
tactics:
- InitialAccess
- Discovery
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastTTP/Analytic Rules/MimecastTTPUrl.yaml
queryPeriod: 15m
kind: Scheduled
eventGroupingSettings:
  aggregationKind: AlertPerResult
enabled: true
suppressionDuration: 5h
queryFrequency: 5m
severity: High
suppressionEnabled: false
description: Detects malicious scan results and actions which are not allowed
query: MimecastTTPUrl_CL| where scanResult_s == "malicious" and action_s != "allow";
triggerOperator: gt

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9d5545bd-1450-4086-935c-62f15fc4a4c9')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9d5545bd-1450-4086-935c-62f15fc4a4c9')]",
      "properties": {
        "alertRuleTemplateName": null,
        "customDetails": null,
        "description": "Detects malicious scan results and actions which are not allowed",
        "displayName": "Mimecast Targeted Threat Protection - URL Protect",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "sendingIp_s",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "MailMessage",
            "fieldMappings": [
              {
                "columnName": "fromUserEmailAddress_s",
                "identifier": "Sender"
              },
              {
                "columnName": "messageId_s",
                "identifier": "InternetMessageId"
              },
              {
                "columnName": "userEmailAddress_s",
                "identifier": "Recipient"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "url_s",
                "identifier": "Url"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "lookbackDuration": "P1D",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastTTP/Analytic Rules/MimecastTTPUrl.yaml",
        "query": "MimecastTTPUrl_CL| where scanResult_s == \"malicious\" and action_s != \"allow\";",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT15M",
        "severity": "High",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "Discovery",
          "InitialAccess"
        ],
        "techniques": null,
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}