Mimecast Targeted Threat Protection - URL Protect

Back


Id	9d5545bd-1450-4086-935c-62f15fc4a4c9
Rulename	Mimecast Targeted Threat Protection - URL Protect
Description	Detects malicious scan results and actions which are not allowed
Severity	High
Tactics	InitialAccess Discovery
Techniques	T0865
Required data connectors	MimecastTTPAPI
Kind	Scheduled
Query frequency	5m
Query period	15m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastTTP/Analytic Rules/MimecastTTPUrl.yaml
Version	1.0.0
Arm template	9d5545bd-1450-4086-935c-62f15fc4a4c9.json

KQL

MimecastTTPUrl_CL| where scanResult_s == "malicious" and action_s != "allow";

YAML

queryPeriod: 15m
suppressionEnabled: false
entityMappings:
- fieldMappings:
  - columnName: sendingIp_s
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: fromUserEmailAddress_s
    identifier: Sender
  - columnName: messageId_s
    identifier: InternetMessageId
  - columnName: userEmailAddress_s
    identifier: Recipient
  entityType: MailMessage
- fieldMappings:
  - columnName: url_s
    identifier: Url
  entityType: URL
id: 9d5545bd-1450-4086-935c-62f15fc4a4c9
enabled: true
name: Mimecast Targeted Threat Protection - URL Protect
kind: Scheduled
description: Detects malicious scan results and actions which are not allowed
tactics:
- InitialAccess
- Discovery
version: 1.0.0
triggerOperator: gt
query: MimecastTTPUrl_CL| where scanResult_s == "malicious" and action_s != "allow";
queryFrequency: 5m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastTTP/Analytic Rules/MimecastTTPUrl.yaml
incidentConfiguration:
  groupingConfiguration:
    matchingMethod: AllEntities
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: 1d
  createIncident: true
triggerThreshold: 0
eventGroupingSettings:
  aggregationKind: AlertPerResult
alertRuleTemplateName: 
requiredDataConnectors:
- dataTypes:
  - MimecastTTPUrl_CL
  connectorId: MimecastTTPAPI
suppressionDuration: 5h
relevantTechniques:
- T0865
severity: High

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9d5545bd-1450-4086-935c-62f15fc4a4c9')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9d5545bd-1450-4086-935c-62f15fc4a4c9')]",
      "properties": {
        "alertRuleTemplateName": "9d5545bd-1450-4086-935c-62f15fc4a4c9",
        "customDetails": null,
        "description": "Detects malicious scan results and actions which are not allowed",
        "displayName": "Mimecast Targeted Threat Protection - URL Protect",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "sendingIp_s",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "MailMessage",
            "fieldMappings": [
              {
                "columnName": "fromUserEmailAddress_s",
                "identifier": "Sender"
              },
              {
                "columnName": "messageId_s",
                "identifier": "InternetMessageId"
              },
              {
                "columnName": "userEmailAddress_s",
                "identifier": "Recipient"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "url_s",
                "identifier": "Url"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "lookbackDuration": "P1D",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastTTP/Analytic Rules/MimecastTTPUrl.yaml",
        "query": "MimecastTTPUrl_CL| where scanResult_s == \"malicious\" and action_s != \"allow\";",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT15M",
        "severity": "High",
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "Discovery",
          "InitialAccess"
        ],
        "techniques": null,
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}