Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

ProofpointPOD - High risk message not discarded

Back
Idc7cd6073-6d2c-4284-a5c8-da27605bdfde
RulenameProofpointPOD - High risk message not discarded
DescriptionDetects when email with high risk score was not rejected or discarded by filters.
SeverityLow
TacticsInitialAccess
TechniquesT1566
Required data connectorsProofpointPOD
KindScheduled
Query frequency10m
Query period10m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Proofpoint On demand(POD) Email Security/Analytic Rules/ProofpointPODHighRiskNotDiscarded.yaml
Version1.0.1
Arm templatec7cd6073-6d2c-4284-a5c8-da27605bdfde.json
Deploy To Azure
let lbtime = 10m;
ProofpointPOD
| where TimeGenerated > ago(lbtime)
| where EventType == 'message'
| where NetworkDirection == 'inbound'
| where FilterDisposition !in ('reject', 'discard')
| where FilterModulesSpamScoresOverall == '100'
| project SrcUserUpn, DstUserUpn
| extend AccountCustomEntity = SrcUserUpn
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
queryFrequency: 10m
name: ProofpointPOD - High risk message not discarded
kind: Scheduled
tactics:
- InitialAccess
triggerThreshold: 0
query: |
  let lbtime = 10m;
  ProofpointPOD
  | where TimeGenerated > ago(lbtime)
  | where EventType == 'message'
  | where NetworkDirection == 'inbound'
  | where FilterDisposition !in ('reject', 'discard')
  | where FilterModulesSpamScoresOverall == '100'
  | project SrcUserUpn, DstUserUpn
  | extend AccountCustomEntity = SrcUserUpn  
relevantTechniques:
- T1566
triggerOperator: gt
queryPeriod: 10m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Proofpoint On demand(POD) Email Security/Analytic Rules/ProofpointPODHighRiskNotDiscarded.yaml
severity: Low
status: Available
id: c7cd6073-6d2c-4284-a5c8-da27605bdfde
requiredDataConnectors:
- connectorId: ProofpointPOD
  dataTypes:
  - ProofpointPOD_message_CL
version: 1.0.1
description: |
    'Detects when email with high risk score was not rejected or discarded by filters.'
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c7cd6073-6d2c-4284-a5c8-da27605bdfde')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c7cd6073-6d2c-4284-a5c8-da27605bdfde')]",
      "properties": {
        "alertRuleTemplateName": "c7cd6073-6d2c-4284-a5c8-da27605bdfde",
        "customDetails": null,
        "description": "'Detects when email with high risk score was not rejected or discarded by filters.'\n",
        "displayName": "ProofpointPOD - High risk message not discarded",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "FullName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Proofpoint On demand(POD) Email Security/Analytic Rules/ProofpointPODHighRiskNotDiscarded.yaml",
        "query": "let lbtime = 10m;\nProofpointPOD\n| where TimeGenerated > ago(lbtime)\n| where EventType == 'message'\n| where NetworkDirection == 'inbound'\n| where FilterDisposition !in ('reject', 'discard')\n| where FilterModulesSpamScoresOverall == '100'\n| project SrcUserUpn, DstUserUpn\n| extend AccountCustomEntity = SrcUserUpn\n",
        "queryFrequency": "PT10M",
        "queryPeriod": "PT10M",
        "severity": "Low",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1566"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}