Mimecast Secure Email Gateway - Spam Event Thread
| Id | df1b9377-5c29-4928-872f-9934a6b4f611 | 
| Rulename | Mimecast Secure Email Gateway - Spam Event Thread | 
| Description | Detects threat from spam event thread protection logs | 
| Severity | Low | 
| Tactics | Discovery | 
| Techniques | T1083 | 
| Required data connectors | MimecastSIEMAPI | 
| Kind | Scheduled | 
| Query frequency | 5m | 
| Query period | 15m | 
| Trigger threshold | 0 | 
| Trigger operator | gt | 
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastSEG/Analytic Rules/MimecastSIEM_Spam_Event.yaml | 
| Version | 1.0.1 | 
| Arm template | df1b9377-5c29-4928-872f-9934a6b4f611.json | 
// Every MimecastSIEM_CL record whose mimecastEventId_s is the spam-event-thread marker;
// no further filtering, so each matching row is a candidate alert.
MimecastSIEM_CL
| where mimecastEventId_s == "mail_spameventthread"
# Scheduled analytic rule: one alert per query run for Mimecast spam-event-thread records.
id: df1b9377-5c29-4928-872f-9934a6b4f611
name: Mimecast Secure Email Gateway - Spam Event Thread
description: Detects threat from spam event thread protection logs
severity: Low
kind: Scheduled
enabled: true
version: '1.0.1'
OriginalUri: 'https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastSEG/Analytic Rules/MimecastSIEM_Spam_Event.yaml'

requiredDataConnectors:
  - connectorId: MimecastSIEMAPI
    dataTypes:
      - MimecastSIEM_CL

# Runs every 5 minutes over a 15-minute window; the window overlaps consecutive runs,
# and the query itself applies no time filter beyond that window.
queryFrequency: 5m
queryPeriod: 15m

# gt 0: a single matching row is enough to raise the alert.
triggerOperator: gt
triggerThreshold: 0

tactics:
  - Discovery
relevantTechniques:
  - T1083

# The query only filters on the event id; no sender, recipient or verdict conditions are applied.
query: |-
  MimecastSIEM_CL| where mimecastEventId_s=="mail_spameventthread"

entityMappings:
  - entityType: MailMessage
    fieldMappings:
      - identifier: Sender
        columnName: Sender_s
      - identifier: Recipient
        columnName: Recipient_s
      - identifier: Subject
        columnName: Subject_s

# Extra columns surfaced on the alert. SourceIP lacks the _s suffix the other mapped
# columns carry -- NOTE(review): confirm against the MimecastSIEM_CL schema.
customDetails:
  MsgId_s: MsgId_s
  headerFrom: headerFrom_s
  SourceIP: SourceIP
  Route: Route_s
  SenderDomain: SenderDomain_s

# All alerts from one run are merged into one alert; incidents group on matching entities
# over the last day, closed incidents are not reopened.
eventGroupingSettings:
  aggregationKind: SingleAlert
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    matchingMethod: AllEntities
    lookbackDuration: 1d
    reopenClosedIncident: false

suppressionEnabled: false
suppressionDuration: 5h
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/df1b9377-5c29-4928-872f-9934a6b4f611')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/df1b9377-5c29-4928-872f-9934a6b4f611')]",
      "properties": {
        "alertRuleTemplateName": "df1b9377-5c29-4928-872f-9934a6b4f611",
        "customDetails": {
          "headerFrom": "headerFrom_s",
          "MsgId_s": "MsgId_s",
          "Route": "Route_s",
          "SenderDomain": "SenderDomain_s",
          "SourceIP": "SourceIP"
        },
        "description": "Detects threat from spam event thread protection logs",
        "displayName": "Mimecast Secure Email Gateway - Spam Event Thread",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "MailMessage",
            "fieldMappings": [
              {
                "columnName": "Sender_s",
                "identifier": "Sender"
              },
              {
                "columnName": "Recipient_s",
                "identifier": "Recipient"
              },
              {
                "columnName": "Subject_s",
                "identifier": "Subject"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "lookbackDuration": "P1D",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastSEG/Analytic Rules/MimecastSIEM_Spam_Event.yaml",
        "query": "MimecastSIEM_CL| where mimecastEventId_s==\"mail_spameventthread\"",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT15M",
        "severity": "Low",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "Discovery"
        ],
        "techniques": [
          "T1083"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}