let lbtime = 10m;
let disallowed_ext = dynamic(['ps1', 'exe', 'vbs', 'js', 'scr']);
ProofpointPOD
| where TimeGenerated > ago(lbtime)
| where EventType == 'message'
| where NetworkDirection == 'inbound'
| where FilterDisposition !in ('reject', 'discard')
| extend attachedExt = todynamic(MsgParts)[0]['detectedExt']
| where tolower(attachedExt) in (disallowed_ext)
| project SrcUserUpn, AccountCustomEntity = parse_json(DstUserUpn)[0], attachedExt
name: ProofpointPOD - Suspicious attachment
id: f6a51e2c-2d6a-4f92-a090-cfb002ca611f
description: |
'Detects when email contains suspicious attachment (file type).'
triggerThreshold: 0
entityMappings:
- fieldMappings:
- columnName: AccountCustomEntity
identifier: FullName
entityType: Account
version: 1.0.2
triggerOperator: gt
query: |
let lbtime = 10m;
let disallowed_ext = dynamic(['ps1', 'exe', 'vbs', 'js', 'scr']);
ProofpointPOD
| where TimeGenerated > ago(lbtime)
| where EventType == 'message'
| where NetworkDirection == 'inbound'
| where FilterDisposition !in ('reject', 'discard')
| extend attachedExt = todynamic(MsgParts)[0]['detectedExt']
| where tolower(attachedExt) in (disallowed_ext)
| project SrcUserUpn, AccountCustomEntity = parse_json(DstUserUpn)[0], attachedExt
tactics:
- InitialAccess
kind: Scheduled
queryFrequency: 10m
severity: Medium
queryPeriod: 10m
requiredDataConnectors:
- dataTypes:
- ProofpointPOD_message_CL
connectorId: ProofpointPOD
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Proofpoint On demand(POD) Email Security/Analytic Rules/ProofpointPODSuspiciousAttachment.yaml
relevantTechniques:
- T1566
