Mimecast Secure Email Gateway - Internal Email Protect

Back


Id	d3bd7640-3600-49f9-8d10-6fe312e68b4f
Rulename	Mimecast Secure Email Gateway - Internal Email Protect
Description	Detects threats from internal email threat protection.
Severity	High
Tactics	LateralMovement Persistence Exfiltration
Techniques	T1534 T1546
Required data connectors	MimecastSEGAPI
Kind	Scheduled
Query frequency	15m
Query period	15m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastCG_Internal_Mail_Protect.yaml
Version	1.0.0
Arm template	d3bd7640-3600-49f9-8d10-6fe312e68b4f.json

KQL

MimecastCG
| where Type == "email_iep"
| extend  SenderEnvelope = ['Sender Envelope']  , MessageId = ['Message ID']

YAML

description: |
    'Detects threats from internal email threat protection.'
kind: Scheduled
suppressionDuration: 5h
id: d3bd7640-3600-49f9-8d10-6fe312e68b4f
eventGroupingSettings:
  aggregationKind: AlertPerResult
query: |
  MimecastCG
  | where Type == "email_iep"
  | extend  SenderEnvelope = ['Sender Envelope']  , MessageId = ['Message ID']  
relevantTechniques:
- T1534
- T1546
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastCG_Internal_Mail_Protect.yaml
suppressionEnabled: false
severity: High
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    matchingMethod: AllEntities
    reopenClosedIncident: false
    lookbackDuration: P7D
tactics:
- LateralMovement
- Persistence
- Exfiltration
triggerOperator: gt
triggerThreshold: 0
entityMappings:
- fieldMappings:
  - identifier: Sender
    columnName: SenderEnvelope
  - identifier: Recipient
    columnName: Recipients
  - identifier: InternetMessageId
    columnName: MessageId
  entityType: MailMessage
queryFrequency: 15m
status: Available
enabled: true
requiredDataConnectors:
- dataTypes:
  - MimecastCG
  connectorId: MimecastSEGAPI
version: 1.0.0
queryPeriod: 15m
name: Mimecast Secure Email Gateway - Internal Email Protect

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d3bd7640-3600-49f9-8d10-6fe312e68b4f')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d3bd7640-3600-49f9-8d10-6fe312e68b4f')]",
      "properties": {
        "alertRuleTemplateName": "d3bd7640-3600-49f9-8d10-6fe312e68b4f",
        "customDetails": null,
        "description": "'Detects threats from internal email threat protection.'\n",
        "displayName": "Mimecast Secure Email Gateway - Internal Email Protect",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "MailMessage",
            "fieldMappings": [
              {
                "columnName": "SenderEnvelope",
                "identifier": "Sender"
              },
              {
                "columnName": "Recipients",
                "identifier": "Recipient"
              },
              {
                "columnName": "MessageId",
                "identifier": "InternetMessageId"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "lookbackDuration": "P7D",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastCG_Internal_Mail_Protect.yaml",
        "query": "MimecastCG\n| where Type == \"email_iep\"\n| extend  SenderEnvelope = ['Sender Envelope']  , MessageId = ['Message ID']\n",
        "queryFrequency": "PT15M",
        "queryPeriod": "PT15M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "Exfiltration",
          "LateralMovement",
          "Persistence"
        ],
        "techniques": [
          "T1534",
          "T1546"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}