let lbtime = 10m;
let disallowed_ext = dynamic(['ps1', 'exe', 'vbs', 'js', 'scr']);
ProofpointPOD
| where TimeGenerated > ago(lbtime)
| where EventType == 'message'
| where NetworkDirection == 'inbound'
| where FilterDisposition !in ('reject', 'discard')
| extend attachedExt = todynamic(MsgParts)[0]['detectedExt']
| where tolower(attachedExt) in (disallowed_ext)
| project SrcUserUpn, AccountCustomEntity = parse_json(DstUserUpn)[0], attachedExt
queryPeriod: 10m
query: |
let lbtime = 10m;
let disallowed_ext = dynamic(['ps1', 'exe', 'vbs', 'js', 'scr']);
ProofpointPOD
| where TimeGenerated > ago(lbtime)
| where EventType == 'message'
| where NetworkDirection == 'inbound'
| where FilterDisposition !in ('reject', 'discard')
| extend attachedExt = todynamic(MsgParts)[0]['detectedExt']
| where tolower(attachedExt) in (disallowed_ext)
| project SrcUserUpn, AccountCustomEntity = parse_json(DstUserUpn)[0], attachedExt
name: ProofpointPOD - Suspicious attachment
entityMappings:
- fieldMappings:
- columnName: AccountCustomEntity
identifier: FullName
entityType: Account
queryFrequency: 10m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Proofpoint On demand(POD) Email Security/Analytic Rules/ProofpointPODSuspiciousAttachment.yaml
requiredDataConnectors:
- connectorId: ProofpointPOD
dataTypes:
- ProofpointPOD_message_CL
description: |
'Detects when email contains suspicious attachment (file type).'
kind: Scheduled
version: 1.0.2
status: Available
severity: Medium
relevantTechniques:
- T1566
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
id: f6a51e2c-2d6a-4f92-a090-cfb002ca611f
