let lbtime = 10m;
ProofpointPOD
| where TimeGenerated > ago(lbtime)
| where EventType == 'message'
| where NetworkDirection == 'outbound'
| where array_length(todynamic(DstUserUpn)) == 1
| extend sender = extract(@'\A(.*?)@', 1, SrcUserUpn)
| extend sender_domain = extract(@'@(.*)$', 1, SrcUserUpn)
| extend recipient = extract(@'\A(.*?)@', 1, tostring(todynamic(DstUserUpn)[0]))
| extend recipient_domain = extract(@'@(.*)$', 1, tostring(todynamic(DstUserUpn)[0]))
| where sender =~ recipient
| where sender_domain != recipient_domain
| project SrcUserUpn, DstUserUpn
| extend AccountCustomEntity = SrcUserUpn
description: |
'Detects when sender sent email to the non-corporate domain and recipient's username is the same as sender's username.'
version: 1.0.1
triggerThreshold: 0
tactics:
- InitialAccess
queryPeriod: 10m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Proofpoint On demand(POD) Email Security/Analytic Rules/ProofpointPODDataExfiltrationToPrivateEmail.yaml
triggerOperator: gt
status: Available
id: aedc5b33-2d7c-42cb-a692-f25ef637cbb1
name: ProofpointPOD - Possible data exfiltration to private email
queryFrequency: 10m
severity: Medium
kind: Scheduled
entityMappings:
- fieldMappings:
- columnName: AccountCustomEntity
identifier: FullName
entityType: Account
relevantTechniques:
- T1078
query: |
let lbtime = 10m;
ProofpointPOD
| where TimeGenerated > ago(lbtime)
| where EventType == 'message'
| where NetworkDirection == 'outbound'
| where array_length(todynamic(DstUserUpn)) == 1
| extend sender = extract(@'\A(.*?)@', 1, SrcUserUpn)
| extend sender_domain = extract(@'@(.*)$', 1, SrcUserUpn)
| extend recipient = extract(@'\A(.*?)@', 1, tostring(todynamic(DstUserUpn)[0]))
| extend recipient_domain = extract(@'@(.*)$', 1, tostring(todynamic(DstUserUpn)[0]))
| where sender =~ recipient
| where sender_domain != recipient_domain
| project SrcUserUpn, DstUserUpn
| extend AccountCustomEntity = SrcUserUpn
requiredDataConnectors:
- dataTypes:
- ProofpointPOD_message_CL
connectorId: ProofpointPOD
