Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

ProofpointPOD - High risk message not discarded

Back
Idc7cd6073-6d2c-4284-a5c8-da27605bdfde
RulenameProofpointPOD - High risk message not discarded
DescriptionDetects when email with high risk score was not rejected or discarded by filters.
SeverityLow
TacticsInitialAccess
TechniquesT1566
Required data connectorsProofpointPOD
KindScheduled
Query frequency10m
Query period10m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Proofpoint On demand(POD) Email Security/Analytic Rules/ProofpointPODHighRiskNotDiscarded.yaml
Version1.0.1
Arm templatec7cd6073-6d2c-4284-a5c8-da27605bdfde.json
Deploy To Azure
let lbtime = 10m;
ProofpointPOD
| where TimeGenerated > ago(lbtime)
| where EventType == 'message'
| where NetworkDirection == 'inbound'
| where FilterDisposition !in ('reject', 'discard')
| where FilterModulesSpamScoresOverall == '100'
| project SrcUserUpn, DstUserUpn
| extend AccountCustomEntity = SrcUserUpn
severity: Low
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Proofpoint On demand(POD) Email Security/Analytic Rules/ProofpointPODHighRiskNotDiscarded.yaml
id: c7cd6073-6d2c-4284-a5c8-da27605bdfde
name: ProofpointPOD - High risk message not discarded
query: |
  let lbtime = 10m;
  ProofpointPOD
  | where TimeGenerated > ago(lbtime)
  | where EventType == 'message'
  | where NetworkDirection == 'inbound'
  | where FilterDisposition !in ('reject', 'discard')
  | where FilterModulesSpamScoresOverall == '100'
  | project SrcUserUpn, DstUserUpn
  | extend AccountCustomEntity = SrcUserUpn  
entityMappings:
- fieldMappings:
  - columnName: AccountCustomEntity
    identifier: FullName
  entityType: Account
queryPeriod: 10m
triggerThreshold: 0
tactics:
- InitialAccess
version: 1.0.1
kind: Scheduled
relevantTechniques:
- T1566
queryFrequency: 10m
status: Available
requiredDataConnectors:
- dataTypes:
  - ProofpointPOD_message_CL
  connectorId: ProofpointPOD
description: |
    'Detects when email with high risk score was not rejected or discarded by filters.'
triggerOperator: gt
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c7cd6073-6d2c-4284-a5c8-da27605bdfde')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c7cd6073-6d2c-4284-a5c8-da27605bdfde')]",
      "properties": {
        "alertRuleTemplateName": "c7cd6073-6d2c-4284-a5c8-da27605bdfde",
        "customDetails": null,
        "description": "'Detects when email with high risk score was not rejected or discarded by filters.'\n",
        "displayName": "ProofpointPOD - High risk message not discarded",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "FullName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Proofpoint On demand(POD) Email Security/Analytic Rules/ProofpointPODHighRiskNotDiscarded.yaml",
        "query": "let lbtime = 10m;\nProofpointPOD\n| where TimeGenerated > ago(lbtime)\n| where EventType == 'message'\n| where NetworkDirection == 'inbound'\n| where FilterDisposition !in ('reject', 'discard')\n| where FilterModulesSpamScoresOverall == '100'\n| project SrcUserUpn, DstUserUpn\n| extend AccountCustomEntity = SrcUserUpn\n",
        "queryFrequency": "PT10M",
        "queryPeriod": "PT10M",
        "severity": "Low",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1566"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}