let lbtime = 10m;
let disallowed_ext = dynamic(['ps1', 'exe', 'vbs', 'js', 'scr']);
ProofpointPOD
| where TimeGenerated > ago(lbtime)
| where EventType == 'message'
| where NetworkDirection == 'inbound'
| where FilterDisposition !in ('reject', 'discard')
| extend attachedExt = todynamic(MsgParts)[0]['detectedExt']
| where tolower(attachedExt) in (disallowed_ext)
| project SrcUserUpn, AccountCustomEntity = parse_json(DstUserUpn)[0], attachedExt
version: 1.0.2
description: |
'Detects when email contains suspicious attachment (file type).'
queryPeriod: 10m
entityMappings:
- entityType: Account
fieldMappings:
- columnName: AccountCustomEntity
identifier: FullName
status: Available
id: f6a51e2c-2d6a-4f92-a090-cfb002ca611f
tactics:
- InitialAccess
name: ProofpointPOD - Suspicious attachment
queryFrequency: 10m
triggerThreshold: 0
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Proofpoint On demand(POD) Email Security/Analytic Rules/ProofpointPODSuspiciousAttachment.yaml
kind: Scheduled
relevantTechniques:
- T1566
query: |
let lbtime = 10m;
let disallowed_ext = dynamic(['ps1', 'exe', 'vbs', 'js', 'scr']);
ProofpointPOD
| where TimeGenerated > ago(lbtime)
| where EventType == 'message'
| where NetworkDirection == 'inbound'
| where FilterDisposition !in ('reject', 'discard')
| extend attachedExt = todynamic(MsgParts)[0]['detectedExt']
| where tolower(attachedExt) in (disallowed_ext)
| project SrcUserUpn, AccountCustomEntity = parse_json(DstUserUpn)[0], attachedExt
severity: Medium
requiredDataConnectors:
- connectorId: ProofpointPOD
dataTypes:
- ProofpointPOD_message_CL
