Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

ProofpointPOD - High risk message not discarded

Back
Idc7cd6073-6d2c-4284-a5c8-da27605bdfde
RulenameProofpointPOD - High risk message not discarded
DescriptionDetects when email with high risk score was not rejected or discarded by filters.
SeverityLow
TacticsInitialAccess
TechniquesT1566
Required data connectorsProofpointPOD
KindScheduled
Query frequency10m
Query period10m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Proofpoint On demand(POD) Email Security/Analytic Rules/ProofpointPODHighRiskNotDiscarded.yaml
Version1.0.1
Arm templatec7cd6073-6d2c-4284-a5c8-da27605bdfde.json
Deploy To Azure
let lbtime = 10m;
ProofpointPOD
| where TimeGenerated > ago(lbtime)
| where EventType == 'message'
| where NetworkDirection == 'inbound'
| where FilterDisposition !in ('reject', 'discard')
| where FilterModulesSpamScoresOverall == '100'
| project SrcUserUpn, DstUserUpn
| extend AccountCustomEntity = SrcUserUpn
tactics:
- InitialAccess
name: ProofpointPOD - High risk message not discarded
id: c7cd6073-6d2c-4284-a5c8-da27605bdfde
requiredDataConnectors:
- connectorId: ProofpointPOD
  dataTypes:
  - ProofpointPOD_message_CL
query: |
  let lbtime = 10m;
  ProofpointPOD
  | where TimeGenerated > ago(lbtime)
  | where EventType == 'message'
  | where NetworkDirection == 'inbound'
  | where FilterDisposition !in ('reject', 'discard')
  | where FilterModulesSpamScoresOverall == '100'
  | project SrcUserUpn, DstUserUpn
  | extend AccountCustomEntity = SrcUserUpn  
relevantTechniques:
- T1566
description: |
    'Detects when email with high risk score was not rejected or discarded by filters.'
triggerOperator: gt
queryPeriod: 10m
severity: Low
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
  entityType: Account
version: 1.0.1
triggerThreshold: 0
kind: Scheduled
queryFrequency: 10m
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Proofpoint On demand(POD) Email Security/Analytic Rules/ProofpointPODHighRiskNotDiscarded.yaml
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c7cd6073-6d2c-4284-a5c8-da27605bdfde')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c7cd6073-6d2c-4284-a5c8-da27605bdfde')]",
      "properties": {
        "alertRuleTemplateName": "c7cd6073-6d2c-4284-a5c8-da27605bdfde",
        "customDetails": null,
        "description": "'Detects when email with high risk score was not rejected or discarded by filters.'\n",
        "displayName": "ProofpointPOD - High risk message not discarded",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "FullName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Proofpoint On demand(POD) Email Security/Analytic Rules/ProofpointPODHighRiskNotDiscarded.yaml",
        "query": "let lbtime = 10m;\nProofpointPOD\n| where TimeGenerated > ago(lbtime)\n| where EventType == 'message'\n| where NetworkDirection == 'inbound'\n| where FilterDisposition !in ('reject', 'discard')\n| where FilterModulesSpamScoresOverall == '100'\n| project SrcUserUpn, DstUserUpn\n| extend AccountCustomEntity = SrcUserUpn\n",
        "queryFrequency": "PT10M",
        "queryPeriod": "PT10M",
        "severity": "Low",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1566"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}