Mimecast Secure Email Gateway - Internal Email Protect

Back


Id	d3bd7640-3600-49f9-8d10-6fe312e68b4f
Rulename	Mimecast Secure Email Gateway - Internal Email Protect
Description	Detects threats from internal email threat protection.
Severity	High
Tactics	LateralMovement Persistence Exfiltration
Techniques	T1534 T1546
Required data connectors	MimecastSEGAPI
Kind	Scheduled
Query frequency	15m
Query period	15m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastCG_Internal_Mail_Protect.yaml
Version	1.0.0
Arm template	d3bd7640-3600-49f9-8d10-6fe312e68b4f.json

KQL

MimecastCG
| where Type == "email_iep"
| extend  SenderEnvelope = ['Sender Envelope']  , MessageId = ['Message ID']

YAML

query: |
  MimecastCG
  | where Type == "email_iep"
  | extend  SenderEnvelope = ['Sender Envelope']  , MessageId = ['Message ID']  
id: d3bd7640-3600-49f9-8d10-6fe312e68b4f
name: Mimecast Secure Email Gateway - Internal Email Protect
severity: High
triggerThreshold: 0
suppressionDuration: 5h
description: |
    'Detects threats from internal email threat protection.'
status: Available
relevantTechniques:
- T1534
- T1546
triggerOperator: gt
tactics:
- LateralMovement
- Persistence
- Exfiltration
entityMappings:
- fieldMappings:
  - columnName: SenderEnvelope
    identifier: Sender
  - columnName: Recipients
    identifier: Recipient
  - columnName: MessageId
    identifier: InternetMessageId
  entityType: MailMessage
requiredDataConnectors:
- connectorId: MimecastSEGAPI
  dataTypes:
  - MimecastCG
incidentConfiguration:
  groupingConfiguration:
    lookbackDuration: P7D
    reopenClosedIncident: false
    enabled: true
    matchingMethod: AllEntities
  createIncident: true
enabled: true
eventGroupingSettings:
  aggregationKind: AlertPerResult
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastCG_Internal_Mail_Protect.yaml
suppressionEnabled: false
queryPeriod: 15m
queryFrequency: 15m
version: 1.0.0
kind: Scheduled

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d3bd7640-3600-49f9-8d10-6fe312e68b4f')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d3bd7640-3600-49f9-8d10-6fe312e68b4f')]",
      "properties": {
        "alertRuleTemplateName": "d3bd7640-3600-49f9-8d10-6fe312e68b4f",
        "customDetails": null,
        "description": "'Detects threats from internal email threat protection.'\n",
        "displayName": "Mimecast Secure Email Gateway - Internal Email Protect",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "MailMessage",
            "fieldMappings": [
              {
                "columnName": "SenderEnvelope",
                "identifier": "Sender"
              },
              {
                "columnName": "Recipients",
                "identifier": "Recipient"
              },
              {
                "columnName": "MessageId",
                "identifier": "InternetMessageId"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "lookbackDuration": "P7D",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastCG_Internal_Mail_Protect.yaml",
        "query": "MimecastCG\n| where Type == \"email_iep\"\n| extend  SenderEnvelope = ['Sender Envelope']  , MessageId = ['Message ID']\n",
        "queryFrequency": "PT15M",
        "queryPeriod": "PT15M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "Exfiltration",
          "LateralMovement",
          "Persistence"
        ],
        "techniques": [
          "T1534",
          "T1546"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}