Egress Defend - Dangerous Attachment Detected

Back


Id	a0e55dd4-8454-4396-91e6-f28fec3d2cab
Rulename	Egress Defend - Dangerous Attachment Detected
Description	Defend has detected a user has a suspicious file type from a suspicious sender in their mailbox.
Severity	Medium
Tactics	Execution InitialAccess Persistence PrivilegeEscalation
Techniques	T1204 T0853 T0863 T1566 T1546 T1546
Required data connectors	EgressDefend
Kind	Scheduled
Query frequency	30m
Query period	30m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Egress Defend/Analytic Rules/DangerousAttachmentReceived.yaml
Version	1.0.0
Arm template	a0e55dd4-8454-4396-91e6-f28fec3d2cab.json

KQL

DefendAuditData
| where ThreatLevel == "suspicious" or ThreatLevel == "dangerous"
| mv-expand todynamic(Attachments)
| where Attachments.name matches regex @"(?i)^.*\.(doc|docx|docm|pdf|xls|xlsx|xlsm|html|zip)$(?-i)"
| summarize attachmentCount=count() by TimeGenerated, tostring(Attachments.name), Subject, From, Account_0_FullName = trim(@"[^@.\w]+",Recipients), timesClicked = LinksClicked, SenderIP

YAML

id: a0e55dd4-8454-4396-91e6-f28fec3d2cab
requiredDataConnectors:
- dataTypes:
  - EgressDefend_CL
  connectorId: EgressDefend
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Egress Defend/Analytic Rules/DangerousAttachmentReceived.yaml
relevantTechniques:
- T1204
- T0853
- T0863
- T1566
- T1546
- T1546
alertDetailsOverride:
  alertDisplayNameFormat: Alert - {{Account_0_FullName}} has suspicious attachment.
name: Egress Defend - Dangerous Attachment Detected
queryFrequency: 30m
query: |
  DefendAuditData
  | where ThreatLevel == "suspicious" or ThreatLevel == "dangerous"
  | mv-expand todynamic(Attachments)
  | where Attachments.name matches regex @"(?i)^.*\.(doc|docx|docm|pdf|xls|xlsx|xlsm|html|zip)$(?-i)"
  | summarize attachmentCount=count() by TimeGenerated, tostring(Attachments.name), Subject, From, Account_0_FullName = trim(@"[^@.\w]+",Recipients), timesClicked = LinksClicked, SenderIP  
kind: Scheduled
severity: Medium
tags:
- Defend
triggerThreshold: 0
tactics:
- Execution
- InitialAccess
- Persistence
- PrivilegeEscalation
entityMappings:
- fieldMappings:
  - columnName: Account_0_FullName
    identifier: FullName
  entityType: Account
- fieldMappings:
  - columnName: Attachments_name
    identifier: Name
  entityType: File
- fieldMappings:
  - columnName: Account_0_FullName
    identifier: MailboxPrimaryAddress
  entityType: Mailbox
- fieldMappings:
  - columnName: SenderIP
    identifier: Address
  entityType: IP
version: 1.0.0
queryPeriod: 30m
description: |
    'Defend has detected a user has a suspicious file type from a suspicious sender in their mailbox.'
status: Available

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a0e55dd4-8454-4396-91e6-f28fec3d2cab')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a0e55dd4-8454-4396-91e6-f28fec3d2cab')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDisplayNameFormat": "Alert - {{Account_0_FullName}} has suspicious attachment."
        },
        "alertRuleTemplateName": "a0e55dd4-8454-4396-91e6-f28fec3d2cab",
        "customDetails": null,
        "description": "'Defend has detected a user has a suspicious file type from a suspicious sender in their mailbox.'\n",
        "displayName": "Egress Defend - Dangerous Attachment Detected",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "Account_0_FullName",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "File",
            "fieldMappings": [
              {
                "columnName": "Attachments_name",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "Mailbox",
            "fieldMappings": [
              {
                "columnName": "Account_0_FullName",
                "identifier": "MailboxPrimaryAddress"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SenderIP",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Egress Defend/Analytic Rules/DangerousAttachmentReceived.yaml",
        "query": "DefendAuditData\n| where ThreatLevel == \"suspicious\" or ThreatLevel == \"dangerous\"\n| mv-expand todynamic(Attachments)\n| where Attachments.name matches regex @\"(?i)^.*\\.(doc|docx|docm|pdf|xls|xlsx|xlsm|html|zip)$(?-i)\"\n| summarize attachmentCount=count() by TimeGenerated, tostring(Attachments.name), Subject, From, Account_0_FullName = trim(@\"[^@.\\w]+\",Recipients), timesClicked = LinksClicked, SenderIP\n",
        "queryFrequency": "PT30M",
        "queryPeriod": "PT30M",
        "severity": "Medium",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution",
          "InitialAccess",
          "Persistence",
          "PrivilegeEscalation"
        ],
        "tags": [
          "Defend"
        ],
        "techniques": [
          "T1204",
          "T1546",
          "T1566"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}