Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. ProofpointPOD - Binary file in attachment

ProofpointPOD - Binary file in attachment

Back
Ideb68b129-5f17-4f56-bf6d-dde48d5e615a
RulenameProofpointPOD - Binary file in attachment
DescriptionDetects when email received with binary file as attachment.
SeverityMedium
TacticsInitialAccess
TechniquesT1078
Required data connectorsProofpointPOD
KindScheduled
Query frequency10m
Query period10m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Proofpoint On demand(POD) Email Security/Analytic Rules/ProofpointPODBinaryInAttachment.yaml
Version1.0.3
Arm templateeb68b129-5f17-4f56-bf6d-dde48d5e615a.json
Deploy To Azure
let lbtime = 10m;
let binaryTypes = dynamic(['zip', 'octet-stream', 'java-archive', 'rar', 'tar', 'x-7z-compressed', 'x-msdownload', 'portable-executable']);
ProofpointPOD
| where TimeGenerated > ago(lbtime)
| where EventType == 'message'
| where NetworkDirection == 'inbound'
| where FilterDisposition !in ('reject', 'discard')
| extend attachedMimeType = tostring(todynamic(MsgParts)[0]['detectedMime'])
| where attachedMimeType has_any (binaryTypes)
| project SrcUserUpn, AccountCustomEntity = tostring(parse_json(DstUserUpn)[0]), attachedMimeType, MsgHeaderSubject
| extend Name = tostring(split(AccountCustomEntity, "@")[0]), UPNSuffix = tostring(split(AccountCustomEntity, "@")[1])

queryPeriod: 10m
query: |
  let lbtime = 10m;
  let binaryTypes = dynamic(['zip', 'octet-stream', 'java-archive', 'rar', 'tar', 'x-7z-compressed', 'x-msdownload', 'portable-executable']);
  ProofpointPOD
  | where TimeGenerated > ago(lbtime)
  | where EventType == 'message'
  | where NetworkDirection == 'inbound'
  | where FilterDisposition !in ('reject', 'discard')
  | extend attachedMimeType = tostring(todynamic(MsgParts)[0]['detectedMime'])
  | where attachedMimeType has_any (binaryTypes)
  | project SrcUserUpn, AccountCustomEntity = tostring(parse_json(DstUserUpn)[0]), attachedMimeType, MsgHeaderSubject
  | extend Name = tostring(split(AccountCustomEntity, "@")[0]), UPNSuffix = tostring(split(AccountCustomEntity, "@")[1])  
name: ProofpointPOD - Binary file in attachment
entityMappings:
- fieldMappings:
  - columnName: Name
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
  entityType: Account
queryFrequency: 10m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Proofpoint On demand(POD) Email Security/Analytic Rules/ProofpointPODBinaryInAttachment.yaml
requiredDataConnectors:
- connectorId: ProofpointPOD
  dataTypes:
  - ProofpointPOD_message_CL
description: |
    'Detects when email received with binary file as attachment.'
kind: Scheduled
version: 1.0.3
status: Available
severity: Medium
relevantTechniques:
- T1078
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
id: eb68b129-5f17-4f56-bf6d-dde48d5e615a