Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. ProofpointPOD - Multiple archived attachments to the same recipient

ProofpointPOD - Multiple archived attachments to the same recipient

Back
Idbda5a2bd-979b-4828-a91f-27c2a5048f7f
RulenameProofpointPOD - Multiple archived attachments to the same recipient
DescriptionDetects when multiple emails where sent to the same recipient with large archived attachments.
SeverityMedium
TacticsExfiltration
TechniquesT1567
Required data connectorsProofpointPOD
KindScheduled
Query frequency30m
Query period30m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Proofpoint On demand(POD) Email Security/Analytic Rules/ProofpointPODMultipleArchivedAttachmentsToSameRecipient.yaml
Version1.0.2
Arm templatebda5a2bd-979b-4828-a91f-27c2a5048f7f.json
Deploy To Azure
let lbtime = 30m;
let msgthreshold = 3;
let compressedTypes = dynamic(['zip', 'rar', 'tar', 'x-7z-compressed']);
ProofpointPOD
| where TimeGenerated > ago(lbtime)
| where EventType == 'message'
| where NetworkDirection == 'outbound'
| extend attachedMimeType = todynamic(MsgParts)[0]['detectedMime']
| where attachedMimeType has_any (compressedTypes)
| summarize count(), make_set(attachedMimeType) by SrcUserUpn, DstUserUpn
| where count_ > msgthreshold
| extend AccountCustomEntity = SrcUserUpn

triggerThreshold: 0
requiredDataConnectors:
- connectorId: ProofpointPOD
  dataTypes:
  - ProofpointPOD_message_CL
severity: Medium
queryFrequency: 30m
id: bda5a2bd-979b-4828-a91f-27c2a5048f7f
relevantTechniques:
- T1567
queryPeriod: 30m
name: ProofpointPOD - Multiple archived attachments to the same recipient
status: Available
kind: Scheduled
tactics:
- Exfiltration
triggerOperator: gt
version: 1.0.2
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountCustomEntity
    identifier: FullName
description: |
    'Detects when multiple emails where sent to the same recipient with large archived attachments.'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Proofpoint On demand(POD) Email Security/Analytic Rules/ProofpointPODMultipleArchivedAttachmentsToSameRecipient.yaml
query: |
  let lbtime = 30m;
  let msgthreshold = 3;
  let compressedTypes = dynamic(['zip', 'rar', 'tar', 'x-7z-compressed']);
  ProofpointPOD
  | where TimeGenerated > ago(lbtime)
  | where EventType == 'message'
  | where NetworkDirection == 'outbound'
  | extend attachedMimeType = todynamic(MsgParts)[0]['detectedMime']
  | where attachedMimeType has_any (compressedTypes)
  | summarize count(), make_set(attachedMimeType) by SrcUserUpn, DstUserUpn
  | where count_ > msgthreshold
  | extend AccountCustomEntity = SrcUserUpn  

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/bda5a2bd-979b-4828-a91f-27c2a5048f7f')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/bda5a2bd-979b-4828-a91f-27c2a5048f7f')]",
      "properties": {
        "alertRuleTemplateName": "bda5a2bd-979b-4828-a91f-27c2a5048f7f",
        "customDetails": null,
        "description": "'Detects when multiple emails where sent to the same recipient with large archived attachments.'\n",
        "displayName": "ProofpointPOD - Multiple archived attachments to the same recipient",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "FullName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Proofpoint On demand(POD) Email Security/Analytic Rules/ProofpointPODMultipleArchivedAttachmentsToSameRecipient.yaml",
        "query": "let lbtime = 30m;\nlet msgthreshold = 3;\nlet compressedTypes = dynamic(['zip', 'rar', 'tar', 'x-7z-compressed']);\nProofpointPOD\n| where TimeGenerated > ago(lbtime)\n| where EventType == 'message'\n| where NetworkDirection == 'outbound'\n| extend attachedMimeType = todynamic(MsgParts)[0]['detectedMime']\n| where attachedMimeType has_any (compressedTypes)\n| summarize count(), make_set(attachedMimeType) by SrcUserUpn, DstUserUpn\n| where count_ > msgthreshold\n| extend AccountCustomEntity = SrcUserUpn\n",
        "queryFrequency": "PT30M",
        "queryPeriod": "PT30M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Exfiltration"
        ],
        "techniques": [
          "T1567"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}