Mimecast Secure Email Gateway - Internal Email Protect

Back


Id	d3bd7640-3600-49f9-8d10-6fe312e68b4f
Rulename	Mimecast Secure Email Gateway - Internal Email Protect
Description	Detects threats from internal email threat protection.
Severity	High
Tactics	LateralMovement Persistence Exfiltration
Techniques	T1534 T1546
Required data connectors	MimecastSEGAPI
Kind	Scheduled
Query frequency	15m
Query period	15m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastCG_Internal_Mail_Protect.yaml
Version	1.0.0
Arm template	d3bd7640-3600-49f9-8d10-6fe312e68b4f.json

KQL

MimecastCG
| where Type == "email_iep"
| extend  SenderEnvelope = ['Sender Envelope']  , MessageId = ['Message ID']

YAML

relevantTechniques:
- T1534
- T1546
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: P7D
    enabled: true
    reopenClosedIncident: false
    matchingMethod: AllEntities
name: Mimecast Secure Email Gateway - Internal Email Protect
requiredDataConnectors:
- dataTypes:
  - MimecastCG
  connectorId: MimecastSEGAPI
entityMappings:
- fieldMappings:
  - identifier: Sender
    columnName: SenderEnvelope
  - identifier: Recipient
    columnName: Recipients
  - identifier: InternetMessageId
    columnName: MessageId
  entityType: MailMessage
triggerThreshold: 0
id: d3bd7640-3600-49f9-8d10-6fe312e68b4f
tactics:
- LateralMovement
- Persistence
- Exfiltration
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastCG_Internal_Mail_Protect.yaml
queryPeriod: 15m
kind: Scheduled
eventGroupingSettings:
  aggregationKind: AlertPerResult
enabled: true
suppressionDuration: 5h
queryFrequency: 15m
severity: High
status: Available
suppressionEnabled: false
description: |
    'Detects threats from internal email threat protection.'
query: |
  MimecastCG
  | where Type == "email_iep"
  | extend  SenderEnvelope = ['Sender Envelope']  , MessageId = ['Message ID']  
triggerOperator: gt

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d3bd7640-3600-49f9-8d10-6fe312e68b4f')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d3bd7640-3600-49f9-8d10-6fe312e68b4f')]",
      "properties": {
        "alertRuleTemplateName": "d3bd7640-3600-49f9-8d10-6fe312e68b4f",
        "customDetails": null,
        "description": "'Detects threats from internal email threat protection.'\n",
        "displayName": "Mimecast Secure Email Gateway - Internal Email Protect",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "MailMessage",
            "fieldMappings": [
              {
                "columnName": "SenderEnvelope",
                "identifier": "Sender"
              },
              {
                "columnName": "Recipients",
                "identifier": "Recipient"
              },
              {
                "columnName": "MessageId",
                "identifier": "InternetMessageId"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "lookbackDuration": "P7D",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastCG_Internal_Mail_Protect.yaml",
        "query": "MimecastCG\n| where Type == \"email_iep\"\n| extend  SenderEnvelope = ['Sender Envelope']  , MessageId = ['Message ID']\n",
        "queryFrequency": "PT15M",
        "queryPeriod": "PT15M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "Exfiltration",
          "LateralMovement",
          "Persistence"
        ],
        "techniques": [
          "T1534",
          "T1546"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}