Mimecast Secure Email Gateway - Spam Event Thread

Back


Id	df1b9377-5c29-4928-872f-9934a6b4f611
Rulename	Mimecast Secure Email Gateway - Spam Event Thread
Description	Detects threat from spam event thread protection logs
Severity	Low
Tactics	Discovery
Techniques	T1083
Required data connectors	MimecastSIEMAPI
Kind	Scheduled
Query frequency	5m
Query period	15m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastSEG/Analytic Rules/MimecastSIEM_Spam_Event.yaml
Version	1.0.1
Arm template	df1b9377-5c29-4928-872f-9934a6b4f611.json

KQL

MimecastSIEM_CL| where mimecastEventId_s=="mail_spameventthread"

YAML

suppressionEnabled: false
description: Detects threat from spam event thread protection logs
kind: Scheduled
tactics:
- Discovery
requiredDataConnectors:
- connectorId: MimecastSIEMAPI
  dataTypes:
  - MimecastSIEM_CL
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    lookbackDuration: 1d
    enabled: true
    matchingMethod: AllEntities
  createIncident: true
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastSEG/Analytic Rules/MimecastSIEM_Spam_Event.yaml
severity: Low
name: Mimecast Secure Email Gateway - Spam Event Thread
suppressionDuration: 5h
customDetails:
  SenderDomain: SenderDomain_s
  Route: Route_s
  headerFrom: headerFrom_s
  MsgId_s: MsgId_s
  SourceIP: SourceIP
triggerThreshold: 0
queryPeriod: 15m
query: MimecastSIEM_CL| where mimecastEventId_s=="mail_spameventthread"
relevantTechniques:
- T1083
id: df1b9377-5c29-4928-872f-9934a6b4f611
queryFrequency: 5m
enabled: true
entityMappings:
- entityType: MailMessage
  fieldMappings:
  - columnName: Sender_s
    identifier: Sender
  - columnName: Recipient_s
    identifier: Recipient
  - columnName: Subject_s
    identifier: Subject
version: 1.0.1
triggerOperator: gt
eventGroupingSettings:
  aggregationKind: SingleAlert

ARM