Merge pull request #7992 from prathikc/mailguard365-1

MailGuard 365 Sentinel Solution
Azure · Sep 7, 2023 · f78fc4d · f78fc4d
2 parents 36c2ef9 + dc665ca
commit f78fc4d
Show file tree

Hide file tree

Showing 14 changed files with 1,664 additions and 0 deletions.
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/MailGuard365_Threats_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/MailGuard365_Threats_CL.json
@@ -0,0 +1,133 @@
+{
+    "Name": "MailGuard365_Threats_CL",
+    "Properties": [
+        {
+            "Name": "TenantId",
+            "Type": "String"
+        },
+        {
+            "Name": "SourceSystem",
+            "Type": "String"
+        },
+        {
+            "Name": "TimeGenerated",
+            "Type": "DateTime"
+        },
+        {
+            "Name": "MessageId_s",
+            "Type": "String"
+        },
+        {
+            "Name": "HeaderMessageId_s",
+            "Type": "String"
+        },
+        {
+            "Name": "UserId_g",
+            "Type": "String"
+        },
+        {
+            "Name": "CustomerTenantId_g",
+            "Type": "String"
+        },
+        {
+            "Name": "Score_d",
+            "Type": "Real"
+        },
+        {
+            "Name": "Virus_b",
+            "Type": "Bool"
+        },
+        {
+            "Name": "Category",
+            "Type": "String"
+        },
+        {
+            "Name": "Attachments_s",
+            "Type": "String"
+        },
+        {
+            "Name": "Sender_Email_s",
+            "Type": "Double"
+        },
+        {
+            "Name": "Sender_Domain_s",
+            "Type": "DateTime"
+        },
+        {
+            "Name": "Recipients_s",
+            "Type": "String"
+        },
+        {
+            "Name": "ReceivedHeaders_s",
+            "Type": "String"
+        },
+        {
+            "Name": "SenderHeader_s",
+            "Type": "String"
+        },
+        {
+            "Name": "ToHeader_s",
+            "Type": "Guid"
+        },
+        {
+            "Name": "CcHeader_s",
+            "Type": "String"
+        },
+        {
+            "Name": "Subject_s",
+            "Type": "String"
+        },
+        {
+            "Name": "OriginCountry_s",
+            "Type": "String"
+        },
+        {
+            "Name": "MessageDate_t",
+            "Type": "DateTime"
+        },
+        {
+            "Name": "MessageSize_d",
+            "Type": "Real"
+        },
+        {
+            "Name": "Action_s",
+            "Type": "String"
+        },
+        {
+            "Name": "ReceivedDateTime_d",
+            "Type": "Real"
+        },
+        {
+            "Name": "ForefrontAntiSpam_s",
+            "Type": "String"
+        },
+        {
+            "Name": "MicrosoftAntiSpam_s",
+            "Type": "String"
+        },
+        {
+            "Name": "IsInWhiteList_b",
+            "Type": "Bool"
+        },
+        {
+            "Name": "IsInBlackList_b",
+            "Type": "Bool"
+        },
+        {
+            "Name": "Email_s",
+            "Type": "String"
+        },
+        {
+            "Name": "HasAttachment_b",
+            "Type": "Bool"
+        },
+        {
+            "Name": "HasImage_b",
+            "Type": "Bool"
+        },
+        {
+            "Name": "Type",
+            "Type": "String"
+        }
+    ]
+}
diff --git a/Logos/MailGuard365_logo.svg b/Logos/MailGuard365_logo.svg
diff --git a/Sample Data/MailGuard365_Threats_CL.csv b/Sample Data/MailGuard365_Threats_CL.csv
@@ -0,0 +1,160 @@
+TenantId,SourceSystem,MG,ManagementGroupName,"TimeGenerated [UTC]",Computer,RawData,"MessageId_s","HeaderMessageId_s","UserId_g","CustomerTenantId_g","Score_d","Virus_b",Category,"Attachments_s","Sender_Email_s","Sender_Domain_s","Recipients_s","ReceivedHeaders_s","SenderHeader_s","ToHeader_s","CcHeader_s","Subject_s","OriginCountry_s","MessageDate_t [UTC]","MessageSize_d","Action_s","ReceivedDateTime_d","ForefrontAntiSpam_s","MicrosoftAntiSpam_s","IsInWhiteList_b","IsInBlackList_b","Email_s","HasAttachment_b","HasImage_b",Type,"_ResourceId","MailMessage_0_NetworkMessageId","MailMessage_0_Recipient"
+"e51bd602-0194-11ee-be56-0242ac120002",RestAPI,,,"5/30/2023, 2:30:00.000 PM",,,"c17d72c2-0195-11ee-be56-0242ac120002","<f81fe5f8787371d246fc46de9@bad-domain.com>","1bff3a60-0195-11ee-be56-0242ac120002","21979fe4-0195-11ee-be56-0242ac120002","30.1",false,Phishing,"[]","bounce@bad-domain.com","bad-domain.com","[
+  {
+    ""Email"": ""usera@mailguard.com.au"",
+    ""Domain"": ""mailguard.com.au""
+  }
+]","[
+  {
+    ""Time"": ""Tue, 30 May 2023 14:29:59 +0000"",
+    ""TimeUtc"": ""2023-05-30 14:29:59"",
+    ""DnsHost"": null,
+    ""Helo"": ""ME3PR0QBE0000.ausprd01.prod.outlook.com"",
+    ""Host"": null,
+    ""Ip"": ""2603:1111:111:111::11"",
+    ""Mta"": ""ME3PR0QBE0000.ausprd01.prod.outlook.com"",
+    ""GeoIp"": null,
+    ""ReceivedDateTime"": ""2023-05-30T14:29:59+00:00""
+  },
+  {
+    ""Time"": ""Tue, 30 May 2023 14:29:56 +0000"",
+    ""TimeUtc"": ""2023-05-30 14:29:56"",
+    ""DnsHost"": null,
+    ""Helo"": ""SYBPR0HGF0000.ausprd01.prod.outlook.com"",
+    ""Host"": null,
+    ""Ip"": ""2603:10c6:10:5::31"",
+    ""Mta"": ""SYBPR0HGF0000.ausprd01.prod.outlook.com"",
+    ""GeoIp"": null,
+    ""ReceivedDateTime"": ""2023-05-30T14:29:56+00:00""
+  }
+]","Admin-Reset <info@bad-domain.com>","<usera@mailguard.com.au>",,"Forgot your password",US,"5/30/2023, 2:29:59.000 PM",86592,Moved,1685457000,"CIP:198.11.111.111;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:bad-domain.com;PTR:bad-domain.com;CAT:NONE;SFS:(13230028)(966005)(26005)(559001)(579004);DIR:INB;","BCL:5;",false,false,"usera@mailguard.com.au",false,false,"MailGuard365_Threats_CL",,"74971cc8-0196-11ee-be56-0242ac120002","usera@mailguard.com.au"
+"e51bd602-0194-11ee-be56-0242ac120002",RestAPI,,,"5/30/2023, 2:30:00.000 PM",,,"c17d72c2-0195-11ee-be56-0242ac120002","<f81fe5f8787371d246fc46de9@bad-domain.com>","1bff3a60-0195-11ee-be56-0242ac120002","21979fe4-0195-11ee-be56-0242ac120002","20.1",false,"Malicious Attachment","[
+  {
+    ""FileName"": ""VoiceMail.html"",
+    ""FileType"": ""html"",
+    ""FileSize"": 3265,
+    ""ProcessedDate"": 0
+  }
+]","bounce@bad-domain.com","bad-domain.com","[
+  {
+    ""Email"": ""usera@mailguard.com.au"",
+    ""Domain"": ""mailguard.com.au""
+  }
+]","[
+  {
+    ""Time"": ""Tue, 30 May 2023 14:29:59 +0000"",
+    ""TimeUtc"": ""2023-05-30 14:29:59"",
+    ""DnsHost"": null,
+    ""Helo"": ""ME3PR0QBE0000.ausprd01.prod.outlook.com"",
+    ""Host"": null,
+    ""Ip"": ""2603:1111:111:111::11"",
+    ""Mta"": ""ME3PR0QBE0000.ausprd01.prod.outlook.com"",
+    ""GeoIp"": null,
+    ""ReceivedDateTime"": ""2023-05-30T14:29:59+00:00""
+  },
+  {
+    ""Time"": ""Tue, 30 May 2023 14:29:56 +0000"",
+    ""TimeUtc"": ""2023-05-30 14:29:56"",
+    ""DnsHost"": null,
+    ""Helo"": ""SYBPR0HGF0000.ausprd01.prod.outlook.com"",
+    ""Host"": null,
+    ""Ip"": ""2603:10c6:10:5::31"",
+    ""Mta"": ""SYBPR0HGF0000.ausprd01.prod.outlook.com"",
+    ""GeoIp"": null,
+    ""ReceivedDateTime"": ""2023-05-30T14:29:56+00:00""
+  }
+]","VoiceMail <info@bad-domain.com>","<usera@mailguard.com.au>",,"You have a new voicemail",US,"5/30/2023, 2:29:59.000 PM",86592,Moved,1685457000,"CIP:198.11.111.111;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:bad-domain.com;PTR:bad-domain.com;CAT:NONE;SFS:(13230028)(966005)(26005)(559001)(579004);DIR:INB;","BCL:5;",false,false,"usera@mailguard.com.au",false,false,"MailGuard365_Threats_CL",,"74971cc8-0196-11ee-be56-0242ac120002","usera@mailguard.com.au"
+"e51bd602-0194-11ee-be56-0242ac120002",RestAPI,,,"5/30/2023, 2:30:00.000 PM",,,"c17d72c2-0195-11ee-be56-0242ac120002","<f81fe5f8787371d246fc46de9@bad-domain.com>","1bff3a60-0195-11ee-be56-0242ac120002","21979fe4-0195-11ee-be56-0242ac120002","22.4",false,"Malicious Attachment","[
+  {
+    ""FileName"": ""Invoice#2345.html"",
+    ""FileType"": ""html"",
+    ""FileSize"": 3265,
+    ""ProcessedDate"": 0
+  }
+]","bounce@bad-domain.com","bad-domain.com","[
+  {
+    ""Email"": ""usera@mailguard.com.au"",
+    ""Domain"": ""mailguard.com.au""
+  }
+]","[
+  {
+    ""Time"": ""Tue, 30 May 2023 14:29:59 +0000"",
+    ""TimeUtc"": ""2023-05-30 14:29:59"",
+    ""DnsHost"": null,
+    ""Helo"": ""ME3PR0QBE0000.ausprd01.prod.outlook.com"",
+    ""Host"": null,
+    ""Ip"": ""2603:1111:111:111::11"",
+    ""Mta"": ""ME3PR0QBE0000.ausprd01.prod.outlook.com"",
+    ""GeoIp"": null,
+    ""ReceivedDateTime"": ""2023-05-30T14:29:59+00:00""
+  },
+  {
+    ""Time"": ""Tue, 30 May 2023 14:29:56 +0000"",
+    ""TimeUtc"": ""2023-05-30 14:29:56"",
+    ""DnsHost"": null,
+    ""Helo"": ""SYBPR0HGF0000.ausprd01.prod.outlook.com"",
+    ""Host"": null,
+    ""Ip"": ""2603:10c6:10:5::31"",
+    ""Mta"": ""SYBPR0HGF0000.ausprd01.prod.outlook.com"",
+    ""GeoIp"": null,
+    ""ReceivedDateTime"": ""2023-05-30T14:29:56+00:00""
+  }
+]","Invoice Mailer <info@bad-domain.com>","<usera@mailguard.com.au>",,"Pay your Invoice",US,"5/30/2023, 2:29:59.000 PM",86592,Moved,1685457000,"CIP:198.11.111.111;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:bad-domain.com;PTR:bad-domain.com;CAT:NONE;SFS:(13230028)(966005)(26005)(559001)(579004);DIR:INB;","BCL:5;",false,false,"usera@mailguard.com.au",false,false,"MailGuard365_Threats_CL",,"74971cc8-0196-11ee-be56-0242ac120002","usera@mailguard.com.au"
+"e51bd602-0194-11ee-be56-0242ac120002",RestAPI,,,"5/30/2023, 2:30:00.000 PM",,,"c17d72c2-0195-11ee-be56-0242ac120002","<f81fe5f8787371d246fc46de9@bad-domain.com>","1bff3a60-0195-11ee-be56-0242ac120002","21979fe4-0195-11ee-be56-0242ac120002","34.2",false,Phishing,"[]","bounce@bad-domain.com","bad-domain.com","[
+  {
+    ""Email"": ""usera@mailguard.com.au"",
+    ""Domain"": ""mailguard.com.au""
+  }
+]","[
+  {
+    ""Time"": ""Tue, 30 May 2023 14:29:59 +0000"",
+    ""TimeUtc"": ""2023-05-30 14:29:59"",
+    ""DnsHost"": null,
+    ""Helo"": ""ME3PR0QBE0000.ausprd01.prod.outlook.com"",
+    ""Host"": null,
+    ""Ip"": ""2603:1111:111:111::11"",
+    ""Mta"": ""ME3PR0QBE0000.ausprd01.prod.outlook.com"",
+    ""GeoIp"": null,
+    ""ReceivedDateTime"": ""2023-05-30T14:29:59+00:00""
+  },
+  {
+    ""Time"": ""Tue, 30 May 2023 14:29:56 +0000"",
+    ""TimeUtc"": ""2023-05-30 14:29:56"",
+    ""DnsHost"": null,
+    ""Helo"": ""SYBPR0HGF0000.ausprd01.prod.outlook.com"",
+    ""Host"": null,
+    ""Ip"": ""2603:10c6:10:5::31"",
+    ""Mta"": ""SYBPR0HGF0000.ausprd01.prod.outlook.com"",
+    ""GeoIp"": null,
+    ""ReceivedDateTime"": ""2023-05-30T14:29:56+00:00""
+  }
+]","Admin <info@bad-domain.com>","<usera@mailguard.com.au>",,"Reset your password",US,"5/30/2023, 2:29:59.000 PM",86592,Moved,1685457000,"CIP:198.11.111.111;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:bad-domain.com;PTR:bad-domain.com;CAT:NONE;SFS:(13230028)(966005)(26005)(559001)(579004);DIR:INB;","BCL:5;",false,false,"usera@mailguard.com.au",false,false,"MailGuard365_Threats_CL",,"74971cc8-0196-11ee-be56-0242ac120002","usera@mailguard.com.au"
+"e51bd602-0194-11ee-be56-0242ac120002",RestAPI,,,"5/30/2023, 2:30:00.000 PM",,,"c17d72c2-0195-11ee-be56-0242ac120002","<f81fe5f8787371d246fc46de9@bad-domain.com>","1bff3a60-0195-11ee-be56-0242ac120002","21979fe4-0195-11ee-be56-0242ac120002","10.1",false,Spam,"[]","bounce@bad-domain.com","bad-domain.com","[
+  {
+    ""Email"": ""usera@mailguard.com.au"",
+    ""Domain"": ""mailguard.com.au""
+  }
+]","[
+  {
+    ""Time"": ""Tue, 30 May 2023 14:29:59 +0000"",
+    ""TimeUtc"": ""2023-05-30 14:29:59"",
+    ""DnsHost"": null,
+    ""Helo"": ""ME3PR0QBE0000.ausprd01.prod.outlook.com"",
+    ""Host"": null,
+    ""Ip"": ""2603:1111:111:111::11"",
+    ""Mta"": ""ME3PR0QBE0000.ausprd01.prod.outlook.com"",
+    ""GeoIp"": null,
+    ""ReceivedDateTime"": ""2023-05-30T14:29:59+00:00""
+  },
+  {
+    ""Time"": ""Tue, 30 May 2023 14:29:56 +0000"",
+    ""TimeUtc"": ""2023-05-30 14:29:56"",
+    ""DnsHost"": null,
+    ""Helo"": ""SYBPR0HGF0000.ausprd01.prod.outlook.com"",
+    ""Host"": null,
+    ""Ip"": ""2603:10c6:10:5::31"",
+    ""Mta"": ""SYBPR0HGF0000.ausprd01.prod.outlook.com"",
+    ""GeoIp"": null,
+    ""ReceivedDateTime"": ""2023-05-30T14:29:56+00:00""
+  }
+]","Insurance <info@bad-domain.com>","<usera@mailguard.com.au>",,"Your options",US,"5/30/2023, 2:29:59.000 PM",86592,Moved,1685457000,"CIP:198.11.111.111;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:bad-domain.com;PTR:bad-domain.com;CAT:NONE;SFS:(13230028)(966005)(26005)(559001)(579004);DIR:INB;","BCL:5;",false,false,"usera@mailguard.com.au",false,false,"MailGuard365_Threats_CL",,"74971cc8-0196-11ee-be56-0242ac120002","usera@mailguard.com.au"