Mimecast Targeted Threat Protection - URL Protect

Back


Id	9d5545bd-1450-4086-935c-62f15fc4a4c9
Rulename	Mimecast Targeted Threat Protection - URL Protect
Description	Detects malicious scan results and actions which are not allowed
Severity	High
Tactics	InitialAccess Discovery
Techniques	T0865
Required data connectors	MimecastTTPAPI
Kind	Scheduled
Query frequency	5m
Query period	15m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastTTP/Analytic Rules/MimecastTTPUrl.yaml
Version	1.0.0
Arm template	9d5545bd-1450-4086-935c-62f15fc4a4c9.json

KQL

MimecastTTPUrl_CL| where scanResult_s == "malicious" and action_s != "allow";

YAML

kind: Scheduled
alertRuleTemplateName: 
suppressionDuration: 5h
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: sendingIp_s
    identifier: Address
- entityType: MailMessage
  fieldMappings:
  - columnName: fromUserEmailAddress_s
    identifier: Sender
  - columnName: messageId_s
    identifier: InternetMessageId
  - columnName: userEmailAddress_s
    identifier: Recipient
- entityType: URL
  fieldMappings:
  - columnName: url_s
    identifier: Url
description: Detects malicious scan results and actions which are not allowed
severity: High
queryFrequency: 5m
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    matchingMethod: AllEntities
    lookbackDuration: 1d
    enabled: true
  createIncident: true
triggerThreshold: 0
relevantTechniques:
- T0865
eventGroupingSettings:
  aggregationKind: AlertPerResult
suppressionEnabled: false
tactics:
- InitialAccess
- Discovery
name: Mimecast Targeted Threat Protection - URL Protect
id: 9d5545bd-1450-4086-935c-62f15fc4a4c9
query: MimecastTTPUrl_CL| where scanResult_s == "malicious" and action_s != "allow";
requiredDataConnectors:
- dataTypes:
  - MimecastTTPUrl_CL
  connectorId: MimecastTTPAPI
version: 1.0.0
enabled: true
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastTTP/Analytic Rules/MimecastTTPUrl.yaml
queryPeriod: 15m

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9d5545bd-1450-4086-935c-62f15fc4a4c9')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9d5545bd-1450-4086-935c-62f15fc4a4c9')]",
      "properties": {
        "alertRuleTemplateName": null,
        "customDetails": null,
        "description": "Detects malicious scan results and actions which are not allowed",
        "displayName": "Mimecast Targeted Threat Protection - URL Protect",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "sendingIp_s",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "MailMessage",
            "fieldMappings": [
              {
                "columnName": "fromUserEmailAddress_s",
                "identifier": "Sender"
              },
              {
                "columnName": "messageId_s",
                "identifier": "InternetMessageId"
              },
              {
                "columnName": "userEmailAddress_s",
                "identifier": "Recipient"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "url_s",
                "identifier": "Url"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "lookbackDuration": "P1D",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastTTP/Analytic Rules/MimecastTTPUrl.yaml",
        "query": "MimecastTTPUrl_CL| where scanResult_s == \"malicious\" and action_s != \"allow\";",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT15M",
        "severity": "High",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "Discovery",
          "InitialAccess"
        ],
        "techniques": null,
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}