Mimecast Data Leak Prevention - Notifications

Back


Id	cfd67598-ad0d-430a-a793-027eb4dbe967
Rulename	Mimecast Data Leak Prevention - Notifications
Description	Detects threat for data leak when action is notification
Severity	High
Tactics	Exfiltration
Techniques	T1030
Required data connectors	MimecastSEGAPI
Kind	Scheduled
Query frequency	15m
Query period	15m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastDLP_Notifications.yaml
Version	1.0.0
Arm template	cfd67598-ad0d-430a-a793-027eb4dbe967.json

KQL

MimecastDLP 
| where Action == "notification"
| extend SenderAddress = ['Sender Address'] ,RecipientAddress = ['Recipient Address']

YAML

OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastDLP_Notifications.yaml
queryPeriod: 15m
description: Detects threat for data leak when action is notification
alertRuleTemplateName: 
triggerThreshold: 0
name: Mimecast Data Leak Prevention - Notifications
triggerOperator: gt
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    matchingMethod: AllEntities
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: P7D
kind: Scheduled
requiredDataConnectors:
- connectorId: MimecastSEGAPI
  dataTypes:
  - MimecastDLP
enabled: true
eventGroupingSettings:
  aggregationKind: SingleAlert
suppressionDuration: 5h
queryFrequency: 15m
suppressionEnabled: false
tactics:
- Exfiltration
id: cfd67598-ad0d-430a-a793-027eb4dbe967
version: 1.0.0
query: |
  MimecastDLP 
  | where Action == "notification"
  | extend SenderAddress = ['Sender Address'] ,RecipientAddress = ['Recipient Address']  
entityMappings:
- entityType: MailMessage
  fieldMappings:
  - identifier: Sender
    columnName: SenderAddress
  - identifier: Recipient
    columnName: RecipientAddress
  - identifier: DeliveryAction
    columnName: Action
severity: High
relevantTechniques:
- T1030

ARM