Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. ProofpointPOD - Multiple protected emails to unknown recipient

ProofpointPOD - Multiple protected emails to unknown recipient

Back
Idf8127962-7739-4211-a4a9-390a7a00e91f
RulenameProofpointPOD - Multiple protected emails to unknown recipient
DescriptionDetects when multiple protected messages where sent to early not seen recipient.
SeverityMedium
TacticsExfiltration
TechniquesT1567
Required data connectorsProofpointPOD
KindScheduled
Query frequency30m
Query period30m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Proofpoint On demand(POD) Email Security/Analytic Rules/ProofpointPODMultipleProtectedEmailsToUnknownRecipient.yaml
Version1.1.1
Arm templatef8127962-7739-4211-a4a9-390a7a00e91f.json
Deploy To Azure
let lbtime = 30m;
let lbperiod = 14d;
let knownrecipients = ProofpointPOD
| where TimeGenerated > ago(lbperiod)
| where EventType == 'message'
| where NetworkDirection == 'outbound'
| where SrcUserUpn != ''
| where array_length(todynamic(DstUserUpn)) == 1
| summarize recipients = make_set(tostring(todynamic(DstUserUpn)[0])) by SrcUserUpn
| extend commcol = SrcUserUpn;
ProofpointPOD
| where TimeGenerated between (ago(lbtime) .. now())
| where EventType == 'message'
| where NetworkDirection == 'outbound'
| extend isProtected = todynamic(MsgParts)[0]['isProtected']
| extend mimePgp = todynamic(MsgParts)[0]['detectedMime']
| where isProtected == 'true' or mimePgp == 'application/pgp-encrypted'
| extend DstUserMail = tostring(todynamic(DstUserUpn)[0])
| extend commcol = tostring(todynamic(DstUserUpn)[0])
| join knownrecipients on commcol
| where recipients !contains DstUserMail
| project SrcUserUpn, DstUserMail
| extend AccountCustomEntity = SrcUserUpn

query: |
  let lbtime = 30m;
  let lbperiod = 14d;
  let knownrecipients = ProofpointPOD
  | where TimeGenerated > ago(lbperiod)
  | where EventType == 'message'
  | where NetworkDirection == 'outbound'
  | where SrcUserUpn != ''
  | where array_length(todynamic(DstUserUpn)) == 1
  | summarize recipients = make_set(tostring(todynamic(DstUserUpn)[0])) by SrcUserUpn
  | extend commcol = SrcUserUpn;
  ProofpointPOD
  | where TimeGenerated between (ago(lbtime) .. now())
  | where EventType == 'message'
  | where NetworkDirection == 'outbound'
  | extend isProtected = todynamic(MsgParts)[0]['isProtected']
  | extend mimePgp = todynamic(MsgParts)[0]['detectedMime']
  | where isProtected == 'true' or mimePgp == 'application/pgp-encrypted'
  | extend DstUserMail = tostring(todynamic(DstUserUpn)[0])
  | extend commcol = tostring(todynamic(DstUserUpn)[0])
  | join knownrecipients on commcol
  | where recipients !contains DstUserMail
  | project SrcUserUpn, DstUserMail
  | extend AccountCustomEntity = SrcUserUpn  
relevantTechniques:
- T1567
severity: Medium
tactics:
- Exfiltration
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Proofpoint On demand(POD) Email Security/Analytic Rules/ProofpointPODMultipleProtectedEmailsToUnknownRecipient.yaml
id: f8127962-7739-4211-a4a9-390a7a00e91f
version: 1.1.1
description: |
    'Detects when multiple protected messages where sent to early not seen recipient.'
queryPeriod: 30m
name: ProofpointPOD - Multiple protected emails to unknown recipient
requiredDataConnectors:
- connectorId: ProofpointPOD
  dataTypes:
  - ProofpointPOD_message_CL
status: Available
triggerOperator: gt
queryFrequency: 30m
kind: Scheduled