detection.wiki

Detection rules › Kusto

Mimecast Secure Email Gateway - Virus

Severity
informational
Time window
15m
Source
github.com/Azure/Azure-Sentinel

Detect threat for virus from mail receipt virus event

MITRE ATT&CK coverage

TacticTechniques
ExecutionT1053 Scheduled Task/Job

Rule body kusto

id: 30f73baa-602c-4373-8f02-04ff5e51fc7f
name: Mimecast Secure Email Gateway - Virus
description: Detect threat for virus from mail receipt virus event
severity: Informational
requiredDataConnectors:
  - connectorId: MimecastSIEMAPI
    dataTypes:
      - MimecastSIEM_CL
enabled: true
query: MimecastSIEM_CL| where mimecastEventId_s=="mail_receipt_virus"
queryFrequency: 5m
queryPeriod: 15m
triggerOperator: gt
triggerThreshold: 0
suppressionDuration: 5h
suppressionEnabled: false
tactics:
- Execution
relevantTechniques:
- T1053
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: 1d
    matchingMethod: AllEntities
eventGroupingSettings:
  aggregationKind: SingleAlert
alertDetailsOverride:
customDetails:
  IP: IP_s
  MsgId_s: MsgId_s
  Virus: Virus_s
  RejType: RejType_s
  Error: Error_s
  RejCode: RejCode_s
  Dir: Dir_s
  headerFrom: headerFrom_s
  Act: Act_s
  RejInfo: RejInfo_s
  TlsVer: TlsVer_s
  Cphr: Cphr_s
entityMappings:
- entityType: MailMessage
  fieldMappings:
  - identifier: Sender
    columnName: Sender_s
  - identifier: Recipient
    columnName: Rcpt_s
  - identifier: Subject
    columnName: Subject_s
version: 1.0.1
kind: Scheduled

Stages and Predicates

Stage 1: source

MimecastSIEM_CL

Stage 2: where

| where mimecastEventId_s=="mail_receipt_virus"

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
mimecastEventId_seq
  • mail_receipt_virus transforms: cased