Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

ProofpointPOD - Multiple protected emails to unknown recipient

Back
Idf8127962-7739-4211-a4a9-390a7a00e91f
RulenameProofpointPOD - Multiple protected emails to unknown recipient
DescriptionDetects when multiple protected messages where sent to early not seen recipient.
SeverityMedium
TacticsExfiltration
TechniquesT1567
Required data connectorsProofpointPOD
KindScheduled
Query frequency30m
Query period30m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Proofpoint On demand(POD) Email Security/Analytic Rules/ProofpointPODMultipleProtectedEmailsToUnknownRecipient.yaml
Version1.1.1
Arm templatef8127962-7739-4211-a4a9-390a7a00e91f.json
Deploy To Azure
let lbtime = 30m;
let lbperiod = 14d;
let knownrecipients = ProofpointPOD
| where TimeGenerated > ago(lbperiod)
| where EventType == 'message'
| where NetworkDirection == 'outbound'
| where SrcUserUpn != ''
| where array_length(todynamic(DstUserUpn)) == 1
| summarize recipients = make_set(tostring(todynamic(DstUserUpn)[0])) by SrcUserUpn
| extend commcol = SrcUserUpn;
ProofpointPOD
| where TimeGenerated between (ago(lbtime) .. now())
| where EventType == 'message'
| where NetworkDirection == 'outbound'
| extend isProtected = todynamic(MsgParts)[0]['isProtected']
| extend mimePgp = todynamic(MsgParts)[0]['detectedMime']
| where isProtected == 'true' or mimePgp == 'application/pgp-encrypted'
| extend DstUserMail = tostring(todynamic(DstUserUpn)[0])
| extend commcol = tostring(todynamic(DstUserUpn)[0])
| join knownrecipients on commcol
| where recipients !contains DstUserMail
| project SrcUserUpn, DstUserMail
| extend AccountCustomEntity = SrcUserUpn
kind: Scheduled
status: Available
triggerThreshold: 0
relevantTechniques:
- T1567
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Proofpoint On demand(POD) Email Security/Analytic Rules/ProofpointPODMultipleProtectedEmailsToUnknownRecipient.yaml
requiredDataConnectors:
- dataTypes:
  - ProofpointPOD_message_CL
  connectorId: ProofpointPOD
queryPeriod: 30m
tactics:
- Exfiltration
severity: Medium
triggerOperator: gt
description: |
    'Detects when multiple protected messages where sent to early not seen recipient.'
query: |
  let lbtime = 30m;
  let lbperiod = 14d;
  let knownrecipients = ProofpointPOD
  | where TimeGenerated > ago(lbperiod)
  | where EventType == 'message'
  | where NetworkDirection == 'outbound'
  | where SrcUserUpn != ''
  | where array_length(todynamic(DstUserUpn)) == 1
  | summarize recipients = make_set(tostring(todynamic(DstUserUpn)[0])) by SrcUserUpn
  | extend commcol = SrcUserUpn;
  ProofpointPOD
  | where TimeGenerated between (ago(lbtime) .. now())
  | where EventType == 'message'
  | where NetworkDirection == 'outbound'
  | extend isProtected = todynamic(MsgParts)[0]['isProtected']
  | extend mimePgp = todynamic(MsgParts)[0]['detectedMime']
  | where isProtected == 'true' or mimePgp == 'application/pgp-encrypted'
  | extend DstUserMail = tostring(todynamic(DstUserUpn)[0])
  | extend commcol = tostring(todynamic(DstUserUpn)[0])
  | join knownrecipients on commcol
  | where recipients !contains DstUserMail
  | project SrcUserUpn, DstUserMail
  | extend AccountCustomEntity = SrcUserUpn  
name: ProofpointPOD - Multiple protected emails to unknown recipient
version: 1.1.1
id: f8127962-7739-4211-a4a9-390a7a00e91f
queryFrequency: 30m
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountCustomEntity
    identifier: FullName
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f8127962-7739-4211-a4a9-390a7a00e91f')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f8127962-7739-4211-a4a9-390a7a00e91f')]",
      "properties": {
        "alertRuleTemplateName": "f8127962-7739-4211-a4a9-390a7a00e91f",
        "customDetails": null,
        "description": "'Detects when multiple protected messages where sent to early not seen recipient.'\n",
        "displayName": "ProofpointPOD - Multiple protected emails to unknown recipient",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "FullName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Proofpoint On demand(POD) Email Security/Analytic Rules/ProofpointPODMultipleProtectedEmailsToUnknownRecipient.yaml",
        "query": "let lbtime = 30m;\nlet lbperiod = 14d;\nlet knownrecipients = ProofpointPOD\n| where TimeGenerated > ago(lbperiod)\n| where EventType == 'message'\n| where NetworkDirection == 'outbound'\n| where SrcUserUpn != ''\n| where array_length(todynamic(DstUserUpn)) == 1\n| summarize recipients = make_set(tostring(todynamic(DstUserUpn)[0])) by SrcUserUpn\n| extend commcol = SrcUserUpn;\nProofpointPOD\n| where TimeGenerated between (ago(lbtime) .. now())\n| where EventType == 'message'\n| where NetworkDirection == 'outbound'\n| extend isProtected = todynamic(MsgParts)[0]['isProtected']\n| extend mimePgp = todynamic(MsgParts)[0]['detectedMime']\n| where isProtected == 'true' or mimePgp == 'application/pgp-encrypted'\n| extend DstUserMail = tostring(todynamic(DstUserUpn)[0])\n| extend commcol = tostring(todynamic(DstUserUpn)[0])\n| join knownrecipients on commcol\n| where recipients !contains DstUserMail\n| project SrcUserUpn, DstUserMail\n| extend AccountCustomEntity = SrcUserUpn\n",
        "queryFrequency": "PT30M",
        "queryPeriod": "PT30M",
        "severity": "Medium",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Exfiltration"
        ],
        "techniques": [
          "T1567"
        ],
        "templateVersion": "1.1.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}