Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Mimecast Targeted Threat Protection - Impersonation Protect

Mimecast Targeted Threat Protection - Impersonation Protect

Back
Idc048fa06-0d50-4626-ae82-a6cea812d9c4
RulenameMimecast Targeted Threat Protection - Impersonation Protect
DescriptionDetects a maliciously tagged impersonation.
SeverityHigh
TacticsExfiltration
Collection
Discovery
TechniquesT1114
Required data connectorsMimecastTTPAPI
KindScheduled
Query frequency30m
Query period30m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastTTP/Mimecast_TTP_Impersonation.yaml
Version1.0.0
Arm templatec048fa06-0d50-4626-ae82-a6cea812d9c4.json
Deploy To Azure
MimecastTTPImpersonation
| where ['Tagged Malicious'] == true
| extend SenderAddress = ['Sender Address'],
  SenderIPAddress = ['Sender IP Address'],
  RecipientAddress = ['Recipient Address']

name: Mimecast Targeted Threat Protection - Impersonation Protect
relevantTechniques:
- T1114
id: c048fa06-0d50-4626-ae82-a6cea812d9c4
suppressionEnabled: false
requiredDataConnectors:
- dataTypes:
  - MimecastTTPImpersonation
  connectorId: MimecastTTPAPI
eventGroupingSettings:
  aggregationKind: AlertPerResult
version: 1.0.0
severity: High
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastTTP/Mimecast_TTP_Impersonation.yaml
queryPeriod: 30m
entityMappings:
- fieldMappings:
  - identifier: Sender
    columnName: SenderAddress
  - identifier: SenderIP
    columnName: SenderIPAddress
  - identifier: Recipient
    columnName: RecipientAddress
  entityType: MailMessage
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    matchingMethod: AllEntities
    lookbackDuration: P7D
    enabled: true
  createIncident: true
queryFrequency: 30m
suppressionDuration: 5h
status: Available
query: |
  MimecastTTPImpersonation
  | where ['Tagged Malicious'] == true
  | extend SenderAddress = ['Sender Address'],
    SenderIPAddress = ['Sender IP Address'],
    RecipientAddress = ['Recipient Address']  
tactics:
- Exfiltration
- Collection
- Discovery
kind: Scheduled
description: |
    'Detects a maliciously tagged impersonation.'
triggerOperator: gt