Mimecast Secure Email Gateway - Spam Event Thread

Back


Id	df1b9377-5c29-4928-872f-9934a6b4f611
Rulename	Mimecast Secure Email Gateway - Spam Event Thread
Description	Detects threat from spam event thread protection logs
Severity	Low
Tactics	Discovery
Techniques	T1083
Required data connectors	MimecastSIEMAPI
Kind	Scheduled
Query frequency	5m
Query period	15m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastSEG/Analytic Rules/MimecastSIEM_Spam_Event.yaml
Version	1.0.1
Arm template	df1b9377-5c29-4928-872f-9934a6b4f611.json

KQL

MimecastSIEM_CL| where mimecastEventId_s=="mail_spameventthread"

YAML

kind: Scheduled
triggerThreshold: 0
enabled: true
triggerOperator: gt
version: 1.0.1
tactics:
- Discovery
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    matchingMethod: AllEntities
    enabled: true
    lookbackDuration: 1d
    reopenClosedIncident: false
suppressionDuration: 5h
queryFrequency: 5m
id: df1b9377-5c29-4928-872f-9934a6b4f611
requiredDataConnectors:
- connectorId: MimecastSIEMAPI
  dataTypes:
  - MimecastSIEM_CL
suppressionEnabled: false
name: Mimecast Secure Email Gateway - Spam Event Thread
description: Detects threat from spam event thread protection logs
customDetails:
  headerFrom: headerFrom_s
  Route: Route_s
  SenderDomain: SenderDomain_s
  SourceIP: SourceIP
  MsgId_s: MsgId_s
relevantTechniques:
- T1083
entityMappings:
- entityType: MailMessage
  fieldMappings:
  - columnName: Sender_s
    identifier: Sender
  - columnName: Recipient_s
    identifier: Recipient
  - columnName: Subject_s
    identifier: Subject
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastSEG/Analytic Rules/MimecastSIEM_Spam_Event.yaml
queryPeriod: 15m
severity: Low
query: MimecastSIEM_CL| where mimecastEventId_s=="mail_spameventthread"
eventGroupingSettings:
  aggregationKind: SingleAlert

ARM