let lbtime = 10m;
ProofpointPOD
| where TimeGenerated > ago(lbtime)
| where EventType == 'message'
| where NetworkDirection == 'outbound'
| where array_length(todynamic(DstUserUpn)) == 1
| extend sender = extract(@'\A(.*?)@', 1, SrcUserUpn)
| extend sender_domain = extract(@'@(.*)$', 1, SrcUserUpn)
| extend recipient = extract(@'\A(.*?)@', 1, tostring(todynamic(DstUserUpn)[0]))
| extend recipient_domain = extract(@'@(.*)$', 1, tostring(todynamic(DstUserUpn)[0]))
| where sender =~ recipient
| where sender_domain != recipient_domain
| project SrcUserUpn, DstUserUpn
| extend AccountCustomEntity = SrcUserUpn
relevantTechniques:
- T1078
entityMappings:
- fieldMappings:
- columnName: AccountCustomEntity
identifier: FullName
entityType: Account
triggerThreshold: 0
description: |
'Detects when sender sent email to the non-corporate domain and recipient's username is the same as sender's username.'
requiredDataConnectors:
- connectorId: ProofpointPOD
dataTypes:
- ProofpointPOD_message_CL
triggerOperator: gt
version: 1.0.1
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Proofpoint On demand(POD) Email Security/Analytic Rules/ProofpointPODDataExfiltrationToPrivateEmail.yaml
id: aedc5b33-2d7c-42cb-a692-f25ef637cbb1
queryFrequency: 10m
query: |
let lbtime = 10m;
ProofpointPOD
| where TimeGenerated > ago(lbtime)
| where EventType == 'message'
| where NetworkDirection == 'outbound'
| where array_length(todynamic(DstUserUpn)) == 1
| extend sender = extract(@'\A(.*?)@', 1, SrcUserUpn)
| extend sender_domain = extract(@'@(.*)$', 1, SrcUserUpn)
| extend recipient = extract(@'\A(.*?)@', 1, tostring(todynamic(DstUserUpn)[0]))
| extend recipient_domain = extract(@'@(.*)$', 1, tostring(todynamic(DstUserUpn)[0]))
| where sender =~ recipient
| where sender_domain != recipient_domain
| project SrcUserUpn, DstUserUpn
| extend AccountCustomEntity = SrcUserUpn
severity: Medium
status: Available
queryPeriod: 10m
name: ProofpointPOD - Possible data exfiltration to private email
tactics:
- InitialAccess
kind: Scheduled
