Trend Micro CAS - Possible phishing mail

Back


Id	9e7b3811-d743-479c-a296-635410562429
Rulename	Trend Micro CAS - Possible phishing mail
Description	Detects possible phishing mail.
Severity	Medium
Tactics	InitialAccess
Techniques	T1566
Required data connectors	TrendMicroCAS
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Trend Micro Cloud App Security/Analytic Rules/TrendMicroCASPossiblePhishingMail.yaml
Version	1.0.0
Arm template	9e7b3811-d743-479c-a296-635410562429.json

KQL

let threshold = 5;
TrendMicroCAS
| where EventCategoryType in~ ('exchange', 'gmail', 'exchangeserver')
| where isnotempty(SrcFileName)
| where isnotempty(SecurityRiskName)
| summarize r_users = makeset(DstUserName) by SrcFileName, bin(TimeGenerated, 30m)
| where array_length(r_users) > threshold
| extend AccountCustomEntity = r_users

YAML

description: |
    'Detects possible phishing mail.'
kind: Scheduled
tactics:
- InitialAccess
requiredDataConnectors:
- connectorId: TrendMicroCAS
  dataTypes:
  - TrendMicroCAS
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Trend Micro Cloud App Security/Analytic Rules/TrendMicroCASPossiblePhishingMail.yaml
severity: Medium
name: Trend Micro CAS - Possible phishing mail
triggerThreshold: 0
queryPeriod: 1h
query: |
  let threshold = 5;
  TrendMicroCAS
  | where EventCategoryType in~ ('exchange', 'gmail', 'exchangeserver')
  | where isnotempty(SrcFileName)
  | where isnotempty(SecurityRiskName)
  | summarize r_users = makeset(DstUserName) by SrcFileName, bin(TimeGenerated, 30m)
  | where array_length(r_users) > threshold
  | extend AccountCustomEntity = r_users  
relevantTechniques:
- T1566
id: 9e7b3811-d743-479c-a296-635410562429
queryFrequency: 1h
status: Available
triggerOperator: gt
version: 1.0.0
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountCustomEntity
    identifier: Name

ARM