Trend Micro CAS - Possible phishing mail

Back


Id	9e7b3811-d743-479c-a296-635410562429
Rulename	Trend Micro CAS - Possible phishing mail
Description	Detects possible phishing mail.
Severity	Medium
Tactics	InitialAccess
Techniques	T1566
Required data connectors	TrendMicroCAS
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Trend Micro Cloud App Security/Analytic Rules/TrendMicroCASPossiblePhishingMail.yaml
Version	1.0.0
Arm template	9e7b3811-d743-479c-a296-635410562429.json

KQL

let threshold = 5;
TrendMicroCAS
| where EventCategoryType in~ ('exchange', 'gmail', 'exchangeserver')
| where isnotempty(SrcFileName)
| where isnotempty(SecurityRiskName)
| summarize r_users = makeset(DstUserName) by SrcFileName, bin(TimeGenerated, 30m)
| where array_length(r_users) > threshold
| extend AccountCustomEntity = r_users

YAML

relevantTechniques:
- T1566
entityMappings:
- fieldMappings:
  - columnName: AccountCustomEntity
    identifier: Name
  entityType: Account
triggerThreshold: 0
description: |
    'Detects possible phishing mail.'
requiredDataConnectors:
- connectorId: TrendMicroCAS
  dataTypes:
  - TrendMicroCAS
triggerOperator: gt
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Trend Micro Cloud App Security/Analytic Rules/TrendMicroCASPossiblePhishingMail.yaml
id: 9e7b3811-d743-479c-a296-635410562429
queryFrequency: 1h
query: |
  let threshold = 5;
  TrendMicroCAS
  | where EventCategoryType in~ ('exchange', 'gmail', 'exchangeserver')
  | where isnotempty(SrcFileName)
  | where isnotempty(SecurityRiskName)
  | summarize r_users = makeset(DstUserName) by SrcFileName, bin(TimeGenerated, 30m)
  | where array_length(r_users) > threshold
  | extend AccountCustomEntity = r_users  
severity: Medium
status: Available
queryPeriod: 1h
name: Trend Micro CAS - Possible phishing mail
tactics:
- InitialAccess
kind: Scheduled

ARM