Mimecast Secure Email Gateway - URL Protect

MimecastSIEM_CL| where mimecastEventId_s=="mail_ttp_url" and reason_s != "clean"

version: 1.0.1
enabled: true
suppressionDuration: 5h
queryPeriod: 15m
suppressionEnabled: false
entityMappings:
- fieldMappings:
  - identifier: Sender
    columnName: sender_s
  - identifier: Recipient
    columnName: recipient_s
  - identifier: Subject
    columnName: subject_s
  entityType: MailMessage
customDetails:
  SourceIP: SourceIP
  reason: reason_s
  credentialTheft: credentialTheft_s
  action: action_s
  senderDomain: senderDomain_s
  MsgId_s: msgid_s
  urlCategory: urlCategory_s
  url: url_s
  route: route_s
eventGroupingSettings:
  aggregationKind: SingleAlert
relevantTechniques:
- T1566
triggerThreshold: 0
queryFrequency: 5m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastSEG/Analytic Rules/MimecastSIEM_Url_Protect.yaml
triggerOperator: gt
kind: Scheduled
tactics:
- InitialAccess
- Discovery
- Execution
query: MimecastSIEM_CL| where mimecastEventId_s=="mail_ttp_url" and reason_s != "clean"
requiredDataConnectors:
- connectorId: MimecastSIEMAPI
  dataTypes:
  - MimecastSIEM_CL
id: ea19dae6-bbb3-4444-a1b8-8e9ae6064aab
name: Mimecast Secure Email Gateway - URL Protect
severity: High
description: Detect threat when potentially malicious url found
incidentConfiguration:
  groupingConfiguration:
    matchingMethod: AllEntities
    reopenClosedIncident: false
    enabled: true
    lookbackDuration: 1d
  createIncident: true