Mimecast Secure Email Gateway - Spam Event Thread

Back


Id	df1b9377-5c29-4928-872f-9934a6b4f611
Rulename	Mimecast Secure Email Gateway - Spam Event Thread
Description	Detects threat from spam event thread protection logs
Severity	Low
Tactics	Discovery
Techniques	T1083
Required data connectors	MimecastSIEMAPI
Kind	Scheduled
Query frequency	5m
Query period	15m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastSEG/Analytic Rules/MimecastSIEM_Spam_Event.yaml
Version	1.0.1
Arm template	df1b9377-5c29-4928-872f-9934a6b4f611.json

KQL

MimecastSIEM_CL| where mimecastEventId_s=="mail_spameventthread"

YAML

suppressionEnabled: false
name: Mimecast Secure Email Gateway - Spam Event Thread
relevantTechniques:
- T1083
id: df1b9377-5c29-4928-872f-9934a6b4f611
enabled: true
requiredDataConnectors:
- dataTypes:
  - MimecastSIEM_CL
  connectorId: MimecastSIEMAPI
eventGroupingSettings:
  aggregationKind: SingleAlert
version: 1.0.1
severity: Low
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastSEG/Analytic Rules/MimecastSIEM_Spam_Event.yaml
queryPeriod: 15m
entityMappings:
- fieldMappings:
  - identifier: Sender
    columnName: Sender_s
  - identifier: Recipient
    columnName: Recipient_s
  - identifier: Subject
    columnName: Subject_s
  entityType: MailMessage
kind: Scheduled
queryFrequency: 5m
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    matchingMethod: AllEntities
    lookbackDuration: 1d
    enabled: true
  createIncident: true
suppressionDuration: 5h
query: MimecastSIEM_CL| where mimecastEventId_s=="mail_spameventthread"
tactics:
- Discovery
customDetails:
  SourceIP: SourceIP
  Route: Route_s
  SenderDomain: SenderDomain_s
  MsgId_s: MsgId_s
  headerFrom: headerFrom_s
description: Detects threat from spam event thread protection logs
triggerOperator: gt

ARM