Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

ProofpointPOD - High risk message not discarded

Back
Idc7cd6073-6d2c-4284-a5c8-da27605bdfde
RulenameProofpointPOD - High risk message not discarded
DescriptionDetects when email with high risk score was not rejected or discarded by filters.
SeverityLow
TacticsInitialAccess
TechniquesT1566
Required data connectorsProofpointPOD
KindScheduled
Query frequency10m
Query period10m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Proofpoint On demand(POD) Email Security/Analytic Rules/ProofpointPODHighRiskNotDiscarded.yaml
Version1.0.1
Arm templatec7cd6073-6d2c-4284-a5c8-da27605bdfde.json
Deploy To Azure
let lbtime = 10m;
ProofpointPOD
| where TimeGenerated > ago(lbtime)
| where EventType == 'message'
| where NetworkDirection == 'inbound'
| where FilterDisposition !in ('reject', 'discard')
| where FilterModulesSpamScoresOverall == '100'
| project SrcUserUpn, DstUserUpn
| extend AccountCustomEntity = SrcUserUpn
name: ProofpointPOD - High risk message not discarded
query: |
  let lbtime = 10m;
  ProofpointPOD
  | where TimeGenerated > ago(lbtime)
  | where EventType == 'message'
  | where NetworkDirection == 'inbound'
  | where FilterDisposition !in ('reject', 'discard')
  | where FilterModulesSpamScoresOverall == '100'
  | project SrcUserUpn, DstUserUpn
  | extend AccountCustomEntity = SrcUserUpn  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Proofpoint On demand(POD) Email Security/Analytic Rules/ProofpointPODHighRiskNotDiscarded.yaml
queryFrequency: 10m
triggerThreshold: 0
requiredDataConnectors:
- dataTypes:
  - ProofpointPOD_message_CL
  connectorId: ProofpointPOD
version: 1.0.1
status: Available
queryPeriod: 10m
id: c7cd6073-6d2c-4284-a5c8-da27605bdfde
triggerOperator: gt
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
  entityType: Account
relevantTechniques:
- T1566
severity: Low
description: |
    'Detects when email with high risk score was not rejected or discarded by filters.'
kind: Scheduled
tactics:
- InitialAccess
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c7cd6073-6d2c-4284-a5c8-da27605bdfde')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c7cd6073-6d2c-4284-a5c8-da27605bdfde')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "ProofpointPOD - High risk message not discarded",
        "description": "'Detects when email with high risk score was not rejected or discarded by filters.'\n",
        "severity": "Low",
        "enabled": true,
        "query": "let lbtime = 10m;\nProofpointPOD\n| where TimeGenerated > ago(lbtime)\n| where EventType == 'message'\n| where NetworkDirection == 'inbound'\n| where FilterDisposition !in ('reject', 'discard')\n| where FilterModulesSpamScoresOverall == '100'\n| project SrcUserUpn, DstUserUpn\n| extend AccountCustomEntity = SrcUserUpn\n",
        "queryFrequency": "PT10M",
        "queryPeriod": "PT10M",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1566"
        ],
        "alertRuleTemplateName": "c7cd6073-6d2c-4284-a5c8-da27605bdfde",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "AccountCustomEntity"
              }
            ],
            "entityType": "Account"
          }
        ],
        "status": "Available",
        "templateVersion": "1.0.1",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Proofpoint On demand(POD) Email Security/Analytic Rules/ProofpointPODHighRiskNotDiscarded.yaml"
      }
    }
  ]
}