Trend Micro CAS - Possible phishing mail

Back


Id	9e7b3811-d743-479c-a296-635410562429
Rulename	Trend Micro CAS - Possible phishing mail
Description	Detects possible phishing mail.
Severity	Medium
Tactics	InitialAccess
Techniques	T1566
Required data connectors	TrendMicroCAS
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Trend Micro Cloud App Security/Analytic Rules/TrendMicroCASPossiblePhishingMail.yaml
Version	1.0.0
Arm template	9e7b3811-d743-479c-a296-635410562429.json

KQL

let threshold = 5;
TrendMicroCAS
| where EventCategoryType in~ ('exchange', 'gmail', 'exchangeserver')
| where isnotempty(SrcFileName)
| where isnotempty(SecurityRiskName)
| summarize r_users = makeset(DstUserName) by SrcFileName, bin(TimeGenerated, 30m)
| where array_length(r_users) > threshold
| extend AccountCustomEntity = r_users

YAML

name: Trend Micro CAS - Possible phishing mail
relevantTechniques:
- T1566
id: 9e7b3811-d743-479c-a296-635410562429
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Trend Micro Cloud App Security/Analytic Rules/TrendMicroCASPossiblePhishingMail.yaml
requiredDataConnectors:
- dataTypes:
  - TrendMicroCAS
  connectorId: TrendMicroCAS
version: 1.0.0
severity: Medium
triggerThreshold: 0
queryPeriod: 1h
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
  entityType: Account
queryFrequency: 1h
status: Available
query: |
  let threshold = 5;
  TrendMicroCAS
  | where EventCategoryType in~ ('exchange', 'gmail', 'exchangeserver')
  | where isnotempty(SrcFileName)
  | where isnotempty(SecurityRiskName)
  | summarize r_users = makeset(DstUserName) by SrcFileName, bin(TimeGenerated, 30m)
  | where array_length(r_users) > threshold
  | extend AccountCustomEntity = r_users  
tactics:
- InitialAccess
kind: Scheduled
description: |
    'Detects possible phishing mail.'
triggerOperator: gt

ARM