Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

ProofpointPOD - Multiple large emails to the same recipient

Back
Idd1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32
RulenameProofpointPOD - Multiple large emails to the same recipient
DescriptionDetects when multiple emails with large size where sent to the same recipient.
SeverityMedium
TacticsExfiltration
TechniquesT1567
Required data connectorsProofpointPOD
KindScheduled
Query frequency30m
Query period30m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Proofpoint On demand(POD) Email Security/Analytic Rules/ProofpointPODMultipleLargeEmailsToSameRecipient.yaml
Version1.0.1
Arm templated1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32.json
Deploy To Azure
let lbtime = 30m;
let msgthreshold = 3;
let msgszthreshold = 3000000;
ProofpointPOD
| where TimeGenerated > ago(lbtime)
| where EventType == 'message'
| where NetworkDirection == 'outbound'
| where NetworkBytes > msgszthreshold
| summarize count() by SrcUserUpn, DstUserUpn
| where count_ > msgthreshold
| extend AccountCustomEntity = SrcUserUpn
id: d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32
name: ProofpointPOD - Multiple large emails to the same recipient
triggerOperator: gt
status: Available
query: |
  let lbtime = 30m;
  let msgthreshold = 3;
  let msgszthreshold = 3000000;
  ProofpointPOD
  | where TimeGenerated > ago(lbtime)
  | where EventType == 'message'
  | where NetworkDirection == 'outbound'
  | where NetworkBytes > msgszthreshold
  | summarize count() by SrcUserUpn, DstUserUpn
  | where count_ > msgthreshold
  | extend AccountCustomEntity = SrcUserUpn  
queryPeriod: 30m
requiredDataConnectors:
- connectorId: ProofpointPOD
  dataTypes:
  - ProofpointPOD_message_CL
severity: Medium
queryFrequency: 30m
relevantTechniques:
- T1567
version: 1.0.1
kind: Scheduled
tactics:
- Exfiltration
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Proofpoint On demand(POD) Email Security/Analytic Rules/ProofpointPODMultipleLargeEmailsToSameRecipient.yaml
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
  entityType: Account
description: |
    'Detects when multiple emails with large size where sent to the same recipient.'
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32')]",
      "properties": {
        "alertRuleTemplateName": "d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32",
        "customDetails": null,
        "description": "'Detects when multiple emails with large size where sent to the same recipient.'\n",
        "displayName": "ProofpointPOD - Multiple large emails to the same recipient",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "FullName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Proofpoint On demand(POD) Email Security/Analytic Rules/ProofpointPODMultipleLargeEmailsToSameRecipient.yaml",
        "query": "let lbtime = 30m;\nlet msgthreshold = 3;\nlet msgszthreshold = 3000000;\nProofpointPOD\n| where TimeGenerated > ago(lbtime)\n| where EventType == 'message'\n| where NetworkDirection == 'outbound'\n| where NetworkBytes > msgszthreshold\n| summarize count() by SrcUserUpn, DstUserUpn\n| where count_ > msgthreshold\n| extend AccountCustomEntity = SrcUserUpn\n",
        "queryFrequency": "PT30M",
        "queryPeriod": "PT30M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Exfiltration"
        ],
        "techniques": [
          "T1567"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}