Mimecast Data Leak Prevention - Notifications

Back


Id	cfd67598-ad0d-430a-a793-027eb4dbe967
Rulename	Mimecast Data Leak Prevention - Notifications
Description	Detects threat for data leak when action is notification
Severity	High
Tactics	Exfiltration
Techniques	T1030
Required data connectors	MimecastSEGAPI
Kind	Scheduled
Query frequency	15m
Query period	15m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastDLP_Notifications.yaml
Version	1.0.0
Arm template	cfd67598-ad0d-430a-a793-027eb4dbe967.json

KQL

MimecastDLP 
| where Action == "notification"
| extend SenderAddress = ['Sender Address'] ,RecipientAddress = ['Recipient Address']

YAML

entityMappings:
- fieldMappings:
  - columnName: SenderAddress
    identifier: Sender
  - columnName: RecipientAddress
    identifier: Recipient
  - columnName: Action
    identifier: DeliveryAction
  entityType: MailMessage
triggerOperator: gt
tactics:
- Exfiltration
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    reopenClosedIncident: false
    matchingMethod: AllEntities
    lookbackDuration: P7D
    enabled: true
suppressionDuration: 5h
eventGroupingSettings:
  aggregationKind: SingleAlert
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastDLP_Notifications.yaml
version: 1.0.0
triggerThreshold: 0
relevantTechniques:
- T1030
queryPeriod: 15m
alertRuleTemplateName: 
query: |
  MimecastDLP 
  | where Action == "notification"
  | extend SenderAddress = ['Sender Address'] ,RecipientAddress = ['Recipient Address']  
severity: High
kind: Scheduled
enabled: true
name: Mimecast Data Leak Prevention - Notifications
queryFrequency: 15m
id: cfd67598-ad0d-430a-a793-027eb4dbe967
description: Detects threat for data leak when action is notification
suppressionEnabled: false
requiredDataConnectors:
- dataTypes:
  - MimecastDLP
  connectorId: MimecastSEGAPI

ARM