MimecastSIEM_CL| where mimecastEventId_s=="mail_spameventthread"
queryFrequency: 5m
suppressionEnabled: false
name: Mimecast Secure Email Gateway - Spam Event Thread
entityMappings:
- fieldMappings:
- columnName: Sender_s
identifier: Sender
- columnName: Recipient_s
identifier: Recipient
- columnName: Subject_s
identifier: Subject
entityType: MailMessage
kind: Scheduled
tactics:
- Discovery
enabled: true
id: df1b9377-5c29-4928-872f-9934a6b4f611
queryPeriod: 15m
relevantTechniques:
- T1083
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastSEG/Analytic Rules/MimecastSIEM_Spam_Event.yaml
triggerOperator: gt
customDetails:
SenderDomain: SenderDomain_s
headerFrom: headerFrom_s
MsgId_s: MsgId_s
Route: Route_s
SourceIP: SourceIP
triggerThreshold: 0
version: 1.0.1
requiredDataConnectors:
- dataTypes:
- MimecastSIEM_CL
connectorId: MimecastSIEMAPI
query: MimecastSIEM_CL| where mimecastEventId_s=="mail_spameventthread"
eventGroupingSettings:
aggregationKind: SingleAlert
severity: Low
incidentConfiguration:
groupingConfiguration:
matchingMethod: AllEntities
enabled: true
reopenClosedIncident: false
lookbackDuration: 1d
createIncident: true
suppressionDuration: 5h
description: Detects threat from spam event thread protection logs
