diff --git a/.script/tests/KqlvalidationsTests/CustomTables/MimecastTTPAttachment_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/MimecastTTPAttachment_CL.json
new file mode 100644
index 00000000000..91429618839
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/MimecastTTPAttachment_CL.json
@@ -0,0 +1,73 @@
+{
+ "Name":"MimecastTTPAttachment_CL",
+ "Properties":[
+ {
+ "Name":"senderAddress_s",
+ "Type":"String"
+ },
+ {
+ "Name":"recipientAddress_s",
+ "Type":"String"
+ },
+ {
+ "Name":"fileName_s",
+ "Type":"String"
+ },
+ {
+ "Name":"fileType_s",
+ "Type":"String"
+ },
+ {
+ "Name":"result_s",
+ "Type":"String"
+ },
+ {
+ "Name":"actionTriggered_s",
+ "Type":"String"
+ },
+ {
+ "Name":"date_t",
+ "Type":"DateTime"
+ },
+ {
+ "Name":"details_s",
+ "Type":"String"
+ },
+ {
+ "Name":"route_s",
+ "Type":"String"
+ },
+ {
+ "Name":"messageId_s",
+ "Type":"String"
+ },
+ {
+ "Name":"subject_s",
+ "Type":"String"
+ },
+ {
+ "Name":"fileHash_s",
+ "Type":"String"
+ },
+ {
+ "Name":"definition_s",
+ "Type":"String"
+ },
+ {
+ "Name":"mimecastEventId_s",
+ "Type":"String"
+ },
+ {
+ "Name":"mimecastEventCategory_s",
+ "Type":"String"
+ },
+ {
+ "Name":"time_generated",
+ "Type":"DateTime"
+ },
+ {
+ "name": "TimeGenerated",
+ "type": "DateTime"
+ }
+ ]
+}
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/MimecastTTPImpersonation_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/MimecastTTPImpersonation_CL.json
new file mode 100644
index 00000000000..4f278eeb6bb
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/MimecastTTPImpersonation_CL.json
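Review bot: The final property of MimecastTTPAttachment_CL uses lowercase `"name"`/`"type"` keys while every other entry in the file uses `"Name"`/`"Type"`; if the KQL validation loader matches these keys case-sensitively, the `TimeGenerated` column would be silently dropped from the synthetic table and any detection referencing it would fail validation for the wrong reason. The entry should read `{ "Name":"TimeGenerated", "Type":"DateTime" }` to match its siblings. The file also declares both `time_generated` and `TimeGenerated` as DateTime columns; if `time_generated` is a genuine custom-log column that coexists with the built-in `TimeGenerated`, that is worth stating in the connector documentation, since strict JSON here leaves no room for an explanatory comment and the pair otherwise reads as a duplicate.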
@@ -0,0 +1,77 @@
+{
+ "Name":"MimecastTTPImpersonation_CL",
+ "Properties":[
+ {
+ "Name":"id_s",
+ "Type":"String"
+ },
+ {
+ "Name":"senderAddress_s",
+ "Type":"String"
+ },
+ {
+ "Name":"recipientAddress_s",
+ "Type":"String"
+ },
+ {
+ "Name":"subject_s",
+ "Type":"String"
+ },
+ {
+ "Name":"definition_s",
+ "Type":"String"
+ },
+ {
+ "Name":"hits_s",
+ "Type":"String"
+ },
+ {
+ "Name":"identifiers_s",
+ "Type":"String"
+ },
+ {
+ "Name":"action_s",
+ "Type":"String"
+ },
+ {
+ "Name":"taggedExternal_b",
+ "Type":"Bool"
+ },
+ {
+ "Name":"taggedMalicious_b",
+ "Type":"Bool"
+ },
+ {
+ "Name":"senderIpAddress_s",
+ "Type":"String"
+ },
+ {
+ "Name":"eventTime_t",
+ "Type":"DateTime"
+ },
+ {
+ "Name":"impersonationResults_s",
+ "Type":"String"
+ },
+ {
+ "Name":"messageId_s",
+ "Type":"String"
+ },
+ {
+ "Name":"mimecastEventId_s",
+ "Type":"String"
+ },
+ {
+ "Name":"mimecastEventCategory_s",
+ "Type":"String"
+ },
+ {
+ "Name":"time_generated",
+ "Type":"DateTime"
+ },
+ {
+ "name": "TimeGenerated",
+ "type": "DateTime"
+ }
+ ]
+}
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/MimecastTTPUrl_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/MimecastTTPUrl_CL.json
new file mode 100644
index 00000000000..23a6ea6e8fc
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/MimecastTTPUrl_CL.json
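Review bot: The schema declares `hits_s` as a String, but the sample records this same commit adds for MimecastTTPImpersonation_CL carry the field as `hits_d` (e.g. `"hits_d": "2"`), and the `taggedExternal_b` column declared here appears in none of those sample rows; a detection authored against the sample will reference a column this schema does not define, and one authored against the schema will match nothing in the sample. Confirm which name and type the connector actually ingests and align the two — if the column is numeric, the entry should be `{ "Name":"hits_d", "Type":"Double" }`. The final `TimeGenerated` entry also uses lowercase `"name"`/`"type"` unlike every other property, which may cause a case-sensitive loader to drop it.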
@@ -0,0 +1,105 @@
+{
+ "Name": "MimecastTTPUrl_CL",
+ "Properties": [
+ {
+ "Name": "userEmailAddress_s",
+ "Type": "String"
+ },
+ {
+ "Name": "fromUserEmailAddress_s",
+ "Type": "String"
+ },
+ {
+ "Name": "url_s",
+ "Type": "String"
+ },
+ {
+ "Name": "ttpDefinition_s",
+ "Type": "String"
+ },
+ {
+ "Name": "subject_s",
+ "Type": "String"
+ },
+ {
+ "Name": "action_s",
+ "Type": "String"
+ },
+ {
+ "Name": "adminOverride_s",
+ "Type": "String"
+ },
+ {
+ "Name": "userOverride_s",
+ "Type": "String"
+ },
+ {
+ "Name": "scanResult_s",
+ "Type": "String"
+ },
+ {
+ "Name": "category_s",
+ "Type": "String"
+ },
+ {
+ "Name": "sendingIp_s",
+ "Type": "String"
+ },
+ {
+ "Name": "advancedPhishingResult_CredentialTheftBrands_s",
+ "Type": "String"
+ },
+ {
+ "Name": "advancedPhishingResult_CredentialTheftTags_s",
+ "Type": "String"
+ },
+ {
+ "Name": "advancedPhishingResult_CredentialTheftEvidence_s",
+ "Type": "String"
+ },
+ {
+ "Name": "userAwarenessAction_s",
+ "Type": "String"
+ },
+ {
+ "Name": "date_t",
+ "Type": "DateTime"
+ },
+ {
+ "Name": "actions_s",
+ "Type": "String"
+ },
+ {
+ "Name": "route_s",
+ "Type": "String"
+ },
+ {
+ "Name": "creationMethod_s",
+ "Type": "String"
+ },
+ {
+ "Name": "emailPartsDescription_s",
+ "Type": "String"
+ },
+ {
+ "Name": "messageId_s",
+ "Type": "String"
+ },
+ {
+ "Name": "mimecastEventId_s",
+ "Type": "String"
+ },
+ {
+ "Name": "mimecastEventCategory_s",
+ "Type": "String"
+ },
+ {
+ "Name": "time_generated",
+ "Type": "DateTime"
+ },
+ {
+ "name": "TimeGenerated",
+ "type": "DateTime"
+ }
+ ]
+}
diff --git a/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json b/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
index 3d424823fac..aff456865ec 100644
--- a/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
+++ b/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
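Review bot: The schema declares `category_s` (String) while the MimecastTTPUrl_CL sample data added in this same commit emits the field as `"Category"`, so a KQL query validated against this schema and one written against the sample cannot both be right; confirm which column name the connector actually ingests and align both files, e.g. change the sample key to `"category_s"` or this entry to `{ "Name": "Category", "Type": "String" }`. The final `TimeGenerated` entry again uses lowercase `"name"`/`"type"` unlike the rest of the file and should be `{ "Name": "TimeGenerated", "Type": "DateTime" }` so a case-sensitive loader does not drop it.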
@@ -198,6 +198,7 @@
 "DynatraceProblems",
 "MicrosoftDefenderThreatIntelligence",
 "CortexXDR",
+ "MimecastTTPAPI",
 "MimecastAuditAPI",
 "PingFederateAma",
 "vArmourACAma",
diff --git a/Sample Data/Custom/MimecastTTPAttachment_CL.json b/Sample Data/Custom/MimecastTTPAttachment_CL.json
new file mode 100644
index 00000000000..9c941e78bea
--- /dev/null
+++ b/Sample Data/Custom/MimecastTTPAttachment_CL.json
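Review bot: `MimecastTTPAPI` is added to the connector-ID allow-list, but the data-connector definition whose `id` has to match it byte-for-byte is not part of this diff, so the binding cannot be checked here; once an ID is in this list, the schema-validation test will accept any detection template that names it even if no connector file defines it. Before merging, verify that a connector JSON with `"id": "MimecastTTPAPI"` exists in the solution (the sibling `MimecastAuditAPI` entry suggests the naming pattern), since a typo here would only surface as a broken connector link in the portal.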
@@ -0,0 +1,178 @@ +[ + { + "TenantId": "886239f4-0dc6-4efb-aade-c9371461c99a", + "SourceSystem": "RestAPI", + "TimeGenerated [UTC]": "12/21/2021, 7:20:31.000 PM", + "Computer": "", + "mimecastEventId_s": "ttp_attachment", + "mimecastEventCategory_s": "ttp_attachment", + "senderAddress_s": "<>", + "recipientAddress_s": "sanitized@sanitized.com", + "fileName_s": "numbers.pdf", + "fileType_s": "application/pdf", + "result_s": "safe", + "actionTriggered_s": "user release, none", + "date_t [UTC]": "12/21/2021, 7:20:31.000 PM", + "details_s": "Safe \r\nTime taken: 0 hrs, 0 min, 7 sec", + "route_s": "inbound", + "messageId_s": "sanitized@sanitized.com", + "subject_s": "Important Updated Numbers from the Center for Disease Control", + "fileHash_s": "eaeef09b60a59b913e9bfc0a4373e25d6182beff388957473fba517cc09345e3", + "definition_s": "Inbound - Safe file with On-Demand Sandbox", + "Type": "MimecastTTPAttachment_CL" + }, + { + "TenantId": "886239f4-0dc6-4efb-aade-c9371461c99a", + "SourceSystem": "RestAPI", + "TimeGenerated [UTC]": "12/1/2021, 5:13:02.000 PM", + "Computer": "", + "mimecastEventId_s": "ttp_attachment", + "mimecastEventCategory_s": "ttp_attachment", + "senderAddress_s": "<>", + "recipientAddress_s": "sanitized@sanitized.com", + "fileName_s": "POC Trial - We (Won, Lost) - Now What.pptx", + "fileType_s": "application/vnd.openxmlformats-officedocument.presentationml.presentation", + "result_s": "safe", + "actionTriggered_s": "user release, none", + "date_t [UTC]": "12/1/2021, 5:13:02.000 PM", + "details_s": "Safe \r\nTime taken: 0 hrs, 0 min, 11 sec", + "route_s": "inbound", + "messageId_s": "sanitized@sanitized.com", + "subject_s": "New slides", + "fileHash_s": "6137db2689141ab60ec81358e4746e9cce4e530ef691cf19f3e9af1560d7ad09", + "definition_s": "Inbound - Safe file with On-Demand Sandbox", + "Type": "MimecastTTPAttachment_CL" + }, + { + "TenantId": "886239f4-0dc6-4efb-aade-c9371461c99a", + "SourceSystem": "RestAPI", + "TimeGenerated [UTC]": "12/1/2021, 
2:42:35.000 PM", + "Computer": "", + "mimecastEventId_s": "ttp_attachment", + "mimecastEventCategory_s": "ttp_attachment", + "senderAddress_s": "<>", + "recipientAddress_s": "sanitized@sanitized.com", + "fileName_s": "POC Trial - We (Won, Lost) - Now What.pptx", + "fileType_s": "application/vnd.openxmlformats-officedocument.presentationml.presentation", + "result_s": "safe", + "actionTriggered_s": "user release, none", + "date_t [UTC]": "12/1/2021, 2:42:35.000 PM", + "details_s": "Safe \r\nTime taken: 0 hrs, 0 min, 14 sec", + "route_s": "inbound", + "messageId_s": "sanitized@sanitized.com", + "subject_s": "New slides", + "fileHash_s": "6137db2689141ab60ec81358e4746e9cce4e530ef691cf19f3e9af1560d7ad09", + "definition_s": "Inbound - Safe file with On-Demand Sandbox", + "Type": "MimecastTTPAttachment_CL" + }, + { + "TenantId": "886239f4-0dc6-4efb-aade-c9371461c99a", + "SourceSystem": "RestAPI", + "TimeGenerated [UTC]": "12/10/2021, 8:42:52.000 PM", + "Computer": "", + "mimecastEventId_s": "ttp_attachment", + "mimecastEventCategory_s": "ttp_attachment", + "senderAddress_s": "<>", + "recipientAddress_s": "sanitized@sanitized.com", + "fileName_s": "Benito_Harbard _Resume.docx", + "fileType_s": "application/vnd.openxmlformats-officedocument.wordprocessingml.document", + "result_s": "safe", + "actionTriggered_s": "user release, none", + "date_t [UTC]": "12/10/2021, 8:42:52.000 PM", + "details_s": "Safe \r\nTime taken: 0 hrs, 0 min, 11 sec", + "route_s": "inbound", + "messageId_s": "sanitized@sanitized.com", + "subject_s": "Executive Secretary / Administrative Assistant (228 Open Position)", + "fileHash_s": "b0d6f7a4ace6e875d68b0d60735aaed707c2b8364e9050e15f9e2a193a27ae58", + "definition_s": "Inbound - Safe File (Dynamic) with Safe File for everyone", + "Type": "MimecastTTPAttachment_CL" + }, + { + "TenantId": "886239f4-0dc6-4efb-aade-c9371461c99a", + "SourceSystem": "RestAPI", + "TimeGenerated [UTC]": "12/7/2021, 4:35:43.000 PM", + "Computer": "", + "mimecastEventId_s": 
"ttp_attachment", + "mimecastEventCategory_s": "ttp_attachment", + "senderAddress_s": "sanitized@sanitized.com", + "recipientAddress_s": "sanitized@sanitized.com", + "fileName_s": "testsheet.xlsx", + "fileType_s": "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet", + "result_s": "safe", + "actionTriggered_s": "none, none", + "date_t [UTC]": "12/7/2021, 4:35:43.000 PM", + "details_s": "Safe \r\nTime taken: 0 hrs, 0 min, 2 sec", + "route_s": "inbound", + "messageId_s": "sanitized@sanitized.com", + "subject_s": "10:35", + "fileHash_s": "e86b3843f561fc08817704a3fec29b1763324eba3e7fa76cd14558805cfb7cb8", + "definition_s": "Inbound - Pre-emptive", + "Type": "MimecastTTPAttachment_CL" + }, + { + "TenantId": "886239f4-0dc6-4efb-aade-c9371461c99a", + "SourceSystem": "RestAPI", + "TimeGenerated [UTC]": "12/8/2021, 12:06:16.000 PM", + "Computer": "", + "mimecastEventId_s": "ttp_attachment", + "mimecastEventCategory_s": "ttp_attachment", + "senderAddress_s": "<>", + "recipientAddress_s": "sanitized@sanitized.com", + "fileName_s": "SHA Word file.docx", + "fileType_s": "application/vnd.openxmlformats-officedocument.wordprocessingml.document", + "result_s": "safe", + "actionTriggered_s": "user release, none", + "date_t [UTC]": "12/8/2021, 12:06:16.000 PM", + "details_s": "Safe \r\nTime taken: 0 hrs, 0 min, 5 sec", + "route_s": "inbound", + "messageId_s": "sanitized@sanitized.com", + "subject_s": "Important Doc", + "fileHash_s": "71394df3b1135d37ddf1bde0c76e533effc61d2c165774cd73195cf2b810bd57", + "definition_s": "Inbound - Safe file with On-Demand Sandbox", + "Type": "MimecastTTPAttachment_CL" + }, + { + "TenantId": "886239f4-0dc6-4efb-aade-c9371461c99a", + "SourceSystem": "RestAPI", + "TimeGenerated [UTC]": "12/7/2021, 1:05:24.000 PM", + "Computer": "", + "mimecastEventId_s": "ttp_attachment", + "mimecastEventCategory_s": "ttp_attachment", + "senderAddress_s": "<>", + "recipientAddress_s": "sanitized@sanitized.com", + "fileName_s": "SHA Word file.docx", + 
"fileType_s": "application/vnd.openxmlformats-officedocument.wordprocessingml.document", + "result_s": "safe", + "actionTriggered_s": "user release, none", + "date_t [UTC]": "12/7/2021, 1:05:24.000 PM", + "details_s": "Safe \r\nTime taken: 0 hrs, 0 min, 8 sec", + "route_s": "inbound", + "messageId_s": "sanitized@sanitized.com", + "subject_s": "important Doc", + "fileHash_s": "71394df3b1135d37ddf1bde0c76e533effc61d2c165774cd73195cf2b810bd57", + "definition_s": "Inbound - Safe file with On-Demand Sandbox", + "Type": "MimecastTTPAttachment_CL" + }, + { + "TenantId": "886239f4-0dc6-4efb-aade-c9371461c99a", + "SourceSystem": "RestAPI", + "TimeGenerated [UTC]": "12/16/2021, 8:56:07.000 PM", + "Computer": "", + "mimecastEventId_s": "ttp_attachment", + "mimecastEventCategory_s": "ttp_attachment", + "senderAddress_s": "<>", + "recipientAddress_s": "sanitized@sanitized.com", + "fileName_s": "Benito_Harbard _Resume.docx", + "fileType_s": "application/vnd.openxmlformats-officedocument.wordprocessingml.document", + "result_s": "safe", + "actionTriggered_s": "user release, none", + "date_t [UTC]": "12/16/2021, 8:56:07.000 PM", + "details_s": "Safe \r\nTime taken: 0 hrs, 0 min, 5 sec", + "route_s": "inbound", + "messageId_s": "sanitized@sanitized.com", + "subject_s": "Executive Secretary / Administrative Assistant (228 Open Position)", + "fileHash_s": "b0d6f7a4ace6e875d68b0d60735aaed707c2b8364e9050e15f9e2a193a27ae58", + "definition_s": "Inbound - Safe File (Dynamic) with Safe File for everyone", + "Type": "MimecastTTPAttachment_CL" + } +] diff --git a/Sample Data/Custom/MimecastTTPImpersonation_CL.json b/Sample Data/Custom/MimecastTTPImpersonation_CL.json new file mode 100644 index 00000000000..9f989f65136 --- /dev/null +++ b/Sample Data/Custom/MimecastTTPImpersonation_CL.json 
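Review bot: Sanitization of this sample is incomplete: sender and recipient addresses were replaced with `sanitized@sanitized.com`, yet every record still carries what appears to be a real Log Analytics `TenantId` GUID (`886239f4-0dc6-4efb-aade-c9371461c99a`), full SHA-256 `fileHash_s` values, and the original attachment names and subject lines (e.g. `Benito_Harbard _Resume.docx`, `Important Updated Numbers from the Center for Disease Control`). A tenant ID alone is not a credential, but together with real hashes and subjects it ties this published data to an identifiable customer tenant and its mail traffic; replace the GUID with a placeholder such as `00000000-0000-0000-0000-000000000000` and substitute synthetic hashes and subjects. Separately, `messageId_s` was overwritten with an e-mail address rather than a Message-ID-shaped value, so any parsing logic exercised against this sample will see an unrealistic field shape.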
@@ -0,0 +1,222 @@ +[ + { + "TenantId": "886239f4-0dc6-4efb-aade-c9371461c99a", + "SourceSystem": "RestAPI", + "TimeGenerated [UTC]": "12/21/2021, 2:26:03.000 PM", + "Computer": "", + "mimecastEventId_s": "ttp_impersonation", + "mimecastEventCategory_s": "ttp_impersonation", + "id_s": "MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIysjA2NDQz01EqSy0qzszPU7Iy1FEqyQMrNDAwV6oFAGO3EhU", + "senderAddress_s": "sanitized@sanitized.com", + "recipientAddress_s": "sanitized@sanitized.com", + "subject_s": "FW: [EXTERNAL] file with credit card numbers?", + "definition_s": "IP - 2 hits (Hold for Review / User Hold)", + "hits_d": "2", + "identifiers_s": "[\r\n \"targeted_threat_dictionary\",\r\n \"internal_user_name\"\r\n]", + "action_s": "hold", + "taggedMalicious_b": true, + "senderIpAddress_s": "146.101.78.164", + "eventTime_t [UTC]": "12/21/2021, 2:26:03.000 PM", + "impersonationResults_s": "[\r\n {\r\n \"impersonationDomainSource\": \"internal_user_name\",\r\n \"similarDomain\": \"Brian Terry \",\r\n \"stringSimilarToDomain\": \"Brian Terry\",\r\n \"checkerResult\": \"hit\"\r\n },\r\n {\r\n \"impersonationDomainSource\": \"targeted_threat_dictionary\",\r\n \"stringSimilarToDomain\": \"number,send\"\r\n }\r\n]", + "messageId_s": "sanitized@sanitized.com", + "Type": "MimecastTTPImpersonation_CL" + }, + { + "TenantId": "886239f4-0dc6-4efb-aade-c9371461c99a", + "SourceSystem": "RestAPI", + "TimeGenerated [UTC]": "12/3/2021, 4:28:43.000 PM", + "Computer": "", + "mimecastEventId_s": "ttp_impersonation", + "mimecastEventCategory_s": "ttp_impersonation", + "id_s": "MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMjc1N7M011EqSy0qzszPU7Iy1FEqyQMrNDAwVaoFAGWDEiM", + "senderAddress_s": "sanitized@sanitized.com", + "recipientAddress_s": "sanitized@sanitized.com", + "subject_s": "mandatory tenant setup", + "definition_s": "IP - 1 hit (Tag email)", + "hits_d": "1", + "identifiers_s": "[\r\n \"internal_user_name\"\r\n]", + "action_s": "none", + "taggedMalicious_b": true, + 
"senderIpAddress_s": "185.58.86.101", + "eventTime_t [UTC]": "12/3/2021, 4:28:43.000 PM", + "impersonationResults_s": "[\r\n {\r\n \"impersonationDomainSource\": \"internal_user_name\",\r\n \"similarDomain\": \"Jamie Fenderson sanitized@sanitized.com\",\r\n \"stringSimilarToDomain\": \"Jamie Fenderson\",\r\n \"checkerResult\": \"hit\"\r\n }\r\n]", + "messageId_s": "sanitized@sanitized.com", + "Type": "MimecastTTPImpersonation_CL" + }, + { + "TenantId": "886239f4-0dc6-4efb-aade-c9371461c99a", + "SourceSystem": "RestAPI", + "TimeGenerated [UTC]": "12/9/2021, 9:22:04.000 AM", + "Computer": "", + "mimecastEventId_s": "ttp_impersonation", + "mimecastEventCategory_s": "ttp_impersonation", + "id_s": "MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMrcwNLQw1FEqSy0qzszPU7ICskvywAoNDMyUagFj4BIV", + "senderAddress_s": "sanitized@sanitized.com", + "recipientAddress_s": "sanitized@sanitized.com", + "subject_s": "RE: Fwd: FW: IP change for DOJ on the firewalls at NBSC-DC", + "definition_s": "IP - 1 hit (Tag email)", + "hits_d": "1", + "identifiers_s": "[\r\n \"internal_user_name\"\r\n]", + "action_s": "none", + "taggedMalicious_b": true, + "senderIpAddress_s": "185.58.86.101", + "eventTime_t [UTC]": "12/9/2021, 9:22:04.000 AM", + "impersonationResults_s": "[\r\n {\r\n \"impersonationDomainSource\": \"internal_user_name\",\r\n \"similarDomain\": \"Johan Nepgen sanitized@sanitized.com\",\r\n \"stringSimilarToDomain\": \"Johan Nepgen\",\r\n \"checkerResult\": \"hit\"\r\n }\r\n]", + "messageId_s": "sanitized@sanitized.com", + "Type": "MimecastTTPImpersonation_CL" + }, + { + "TenantId": "886239f4-0dc6-4efb-aade-c9371461c99a", + "SourceSystem": "RestAPI", + "TimeGenerated [UTC]": "12/9/2021, 10:35:56.000 AM", + "Computer": "", + "mimecastEventId_s": "ttp_impersonation", + "mimecastEventCategory_s": "ttp_impersonation", + "id_s": "MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMrcwNDMx0lEqSy0qzszPU7Iy1FEqyQMrNDAwU6oFAGQcEhc", + "senderAddress_s": "sanitized@sanitized.com", + 
"recipientAddress_s": "sanitized@sanitized.com", + "subject_s": "RE: RE: Fwd: FW: IP change for DOJ on the firewalls at NBSC-DC", + "definition_s": "IP - 1 hit (Tag email)", + "hits_d": "1", + "identifiers_s": "[\r\n \"internal_user_name\"\r\n]", + "action_s": "none", + "taggedMalicious_b": true, + "senderIpAddress_s": "146.101.78.150", + "eventTime_t [UTC]": "12/9/2021, 10:35:56.000 AM", + "impersonationResults_s": "[\r\n {\r\n \"impersonationDomainSource\": \"internal_user_name\",\r\n \"similarDomain\": \"Johan Nepgen sanitized@sanitized.com\",\r\n \"stringSimilarToDomain\": \"Johan Nepgen\",\r\n \"checkerResult\": \"hit\"\r\n }\r\n]", + "messageId_s": "", + "Type": "MimecastTTPImpersonation_CL" + }, + { + "TenantId": "886239f4-0dc6-4efb-aade-c9371461c99a", + "SourceSystem": "RestAPI", + "TimeGenerated [UTC]": "12/9/2021, 10:27:08.000 AM", + "Computer": "", + "mimecastEventId_s": "ttp_impersonation", + "mimecastEventCategory_s": "ttp_impersonation", + "id_s": "MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMje3MDEw1lEqSy0qzszPU7Iy1FEqyQMrNDAwVqoFAGQ3EhU", + "senderAddress_s": "sanitized@sanitized.com", + "recipientAddress_s": "sanitized@sanitized.com", + "subject_s": "RE: RE: Fwd: FW: IP change for DOJ on the firewalls at NBSC-DC", + "definition_s": "IP - 1 hit (Tag email)", + "hits_d": "1", + "identifiers_s": "[\r\n \"internal_user_name\"\r\n]", + "action_s": "none", + "taggedMalicious_b": true, + "senderIpAddress_s": "207.82.80.128", + "eventTime_t [UTC]": "12/9/2021, 10:27:08.000 AM", + "impersonationResults_s": "[\r\n {\r\n \"impersonationDomainSource\": \"internal_user_name\",\r\n \"similarDomain\": \"Johan Nepgen \",\r\n \"stringSimilarToDomain\": \"Johan Nepgen\",\r\n \"checkerResult\": \"hit\"\r\n }\r\n]", + "messageId_s": "", + "Type": "MimecastTTPImpersonation_CL" + }, + { + "TenantId": "886239f4-0dc6-4efb-aade-c9371461c99a", + "SourceSystem": "RestAPI", + "TimeGenerated [UTC]": "12/15/2021, 5:47:16.000 PM", + "Computer": "", + "mimecastEventId_s": 
"ttp_impersonation", + "mimecastEventCategory_s": "ttp_impersonation", + "id_s": "MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMrc0MTY311EqSy0qzszPU7Iy1FEqyQMrNDAwUaoFAGUTEh4", + "senderAddress_s": "sanitized@sanitized.com", + "recipientAddress_s": "sanitized@sanitized.com", + "subject_s": "SilverSky POC Scoping Notes - 12/15/2021", + "definition_s": "IP - 2 hits (Hold for Review / User Hold)", + "hits_d": "2", + "identifiers_s": "[\r\n \"internal_user_name\",\r\n \"targeted_threat_dictionary\"\r\n]", + "action_s": "hold", + "taggedMalicious_b": true, + "senderIpAddress_s": "185.58.86.101", + "eventTime_t [UTC]": "12/15/2021, 5:47:16.000 PM", + "impersonationResults_s": "[\r\n {\r\n \"impersonationDomainSource\": \"targeted_threat_dictionary\",\r\n \"stringSimilarToDomain\": \"review,account\"\r\n },\r\n {\r\n \"impersonationDomainSource\": \"internal_user_name\",\r\n \"similarDomain\": \"Bob Adams \",\r\n \"stringSimilarToDomain\": \"Bob Adams\",\r\n \"checkerResult\": \"hit\"\r\n }\r\n]", + "messageId_s": "", + "Type": "MimecastTTPImpersonation_CL" + }, + { + "TenantId": "886239f4-0dc6-4efb-aade-c9371461c99a", + "SourceSystem": "RestAPI", + "TimeGenerated [UTC]": "12/15/2021, 7:01:19.000 PM", + "Computer": "", + "mimecastEventId_s": "ttp_impersonation", + "mimecastEventCategory_s": "ttp_impersonation", + "id_s": "MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIysjA0MjU30lEqSy0qzszPU7Iy1FEqyQMrNDCwUKoFAGO-EhY", + "senderAddress_s": "sanitized@sanitized.com", + "recipientAddress_s": "sanitized@sanitized.com", + "subject_s": "You have been sent a secure message", + "definition_s": "IP - 1 hit (Tag email)", + "hits_d": "1", + "identifiers_s": "[\r\n \"internal_user_name\"\r\n]", + "action_s": "none", + "taggedMalicious_b": true, + "senderIpAddress_s": "185.58.86.101", + "eventTime_t [UTC]": "12/15/2021, 7:01:19.000 PM", + "impersonationResults_s": "[\r\n {\r\n \"impersonationDomainSource\": \"internal_user_name\",\r\n \"similarDomain\": \"Domain postMaster 
address \",\r\n \"stringSimilarToDomain\": \"Domain postMaster address\",\r\n \"checkerResult\": \"hit\"\r\n }\r\n]", + "messageId_s": "", + "Type": "MimecastTTPImpersonation_CL" + }, + { + "TenantId": "886239f4-0dc6-4efb-aade-c9371461c99a", + "SourceSystem": "RestAPI", + "TimeGenerated [UTC]": "12/15/2021, 7:24:41.000 PM", + "Computer": "", + "mimecastEventId_s": "ttp_impersonation", + "mimecastEventCategory_s": "ttp_impersonation", + "id_s": "MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMrc0MzE00lEqSy0qzszPU7Iy1FEqyQMrNDAwUqoFAGQ3EhQ", + "senderAddress_s": "sanitized@sanitized.com", + "recipientAddress_s": "sanitized@sanitized.com", + "subject_s": "RE: SilverSky POC Scoping Notes - 12/15/2021", + "definition_s": "IP - 2 hits (Hold for Review / User Hold)", + "hits_d": "2", + "identifiers_s": "[\r\n \"targeted_threat_dictionary\",\r\n \"internal_user_name\"\r\n]", + "action_s": "hold", + "taggedMalicious_b": true, + "senderIpAddress_s": "185.58.85.101", + "eventTime_t [UTC]": "12/15/2021, 7:24:41.000 PM", + "impersonationResults_s": "[\r\n {\r\n \"impersonationDomainSource\": \"targeted_threat_dictionary\",\r\n \"stringSimilarToDomain\": \"review,account\"\r\n },\r\n {\r\n \"impersonationDomainSource\": \"internal_user_name\",\r\n \"similarDomain\": \"Lisa Wood \",\r\n \"stringSimilarToDomain\": \"Lisa Wood\",\r\n \"checkerResult\": \"hit\"\r\n }\r\n]", + "messageId_s": "", + "Type": "MimecastTTPImpersonation_CL" + }, + { + "TenantId": "886239f4-0dc6-4efb-aade-c9371461c99a", + "SourceSystem": "RestAPI", + "TimeGenerated [UTC]": "12/15/2021, 7:10:04.000 PM", + "Computer": "", + "mimecastEventId_s": "ttp_impersonation", + "mimecastEventCategory_s": "ttp_impersonation", + "id_s": "MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIysjAwNjMy11EqSy0qzszPU7Iy1FEqyQMrNDAwVaoFAGPMEhQ", + "senderAddress_s": "sanitized@sanitized.com", + "recipientAddress_s": "sanitized@sanitized.com", + "subject_s": "You've been sent a secure message", + "definition_s": "IP - 1 hit 
(Tag email)", + "hits_d": "1", + "identifiers_s": "[\r\n \"internal_user_name\"\r\n]", + "action_s": "none", + "taggedMalicious_b": true, + "senderIpAddress_s": "207.82.80.237", + "eventTime_t [UTC]": "12/15/2021, 7:10:04.000 PM", + "impersonationResults_s": "[\r\n {\r\n \"impersonationDomainSource\": \"internal_user_name\",\r\n \"similarDomain\": \"Domain postMaster address \",\r\n \"stringSimilarToDomain\": \"Domain postMaster address\",\r\n \"checkerResult\": \"hit\"\r\n }\r\n]", + "messageId_s": "", + "Type": "MimecastTTPImpersonation_CL" + }, + { + "TenantId": "886239f4-0dc6-4efb-aade-c9371461c99a", + "SourceSystem": "RestAPI", + "TimeGenerated [UTC]": "12/13/2021, 7:57:29.000 PM", + "Computer": "", + "mimecastEventId_s": "ttp_impersonation", + "mimecastEventCategory_s": "ttp_impersonation", + "id_s": "MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMrc0NjY011EqSy0qzszPU7Iy1FEqyQMrNDAwVqoFAGRKEhY", + "senderAddress_s": "sanitized@sanitized.com", + "recipientAddress_s": "sanitized@sanitized.com", + "subject_s": "FW: Cloud Recording - archiving present is now available", + "definition_s": "IP - 1 hit (Tag email)", + "hits_d": "1", + "identifiers_s": "[\r\n \"internal_user_name\"\r\n]", + "action_s": "none", + "taggedMalicious_b": true, + "senderIpAddress_s": "185.58.86.101", + "eventTime_t [UTC]": "12/13/2021, 7:57:29.000 PM", + "impersonationResults_s": "[\r\n {\r\n \"impersonationDomainSource\": \"internal_user_name\",\r\n \"similarDomain\": \"Jamie Fenderson \",\r\n \"stringSimilarToDomain\": \"Jamie Fenderson\",\r\n \"checkerResult\": \"hit\"\r\n }\r\n]", + "messageId_s": "sanitized@sanitized.com", + "Type": "MimecastTTPImpersonation_CL" + } +] diff --git a/Sample Data/Custom/MimecastTTPUrl_CL.json b/Sample Data/Custom/MimecastTTPUrl_CL.json new file mode 100644 index 00000000000..ffc6a43ee1b --- /dev/null +++ b/Sample Data/Custom/MimecastTTPUrl_CL.json 
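Review bot: The impersonation sample leaks more than the address sanitization suggests: `impersonationResults_s` still contains the matched display names (`Brian Terry`, `Jamie Fenderson`, `Johan Nepgen`, `Bob Adams`, `Lisa Wood`), subjects reference internal infrastructure (`IP change for DOJ on the firewalls at NBSC-DC`), and `senderIpAddress_s` holds real public addresses. Those names are exactly what the impersonation policy keyed on, so they identify real staff of the source tenant; replace them with generic names and use documentation ranges (e.g. `203.0.113.10`) for the IPs, and treat the `id_s` MTOKEN values as opaque but possibly tenant-specific and regenerate them as well. The rows also carry `hits_d` as a quoted string (`"hits_d": "2"`) even though the `_d` suffix denotes a numeric column, and the `taggedExternal_b` field declared in the companion schema is absent from every record, so the sample and schema disagree on the table's shape.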
@@ -0,0 +1,1676 @@
+[
+ {
+ "TimeGenerated [UTC]": "12/27/2021, 2:38:31.000 AM",
+ "mimecastEventId_s": "ttp_url",
+ "mimecastEventCategory_s": "ttp_url",
+ "userEmailAddress_s": "sanitized@sanitized.com",
+ "fromUserEmailAddress_s": "sanitized@sanitized.com",
+ "url_s": "https://www.google.com/alerts?s=AB2Xq4gTWGi-Q2f5q-jzQPoFKwc73LSIHjzNHGw&start=1640569016&end=1640572615&source=alertsmail&hl=en&gl=US&msgid=MTE1MzA3OTE1MzI4OTI2MzE4OQ#history",
+ "ttpDefinition_s": "Inbound URL 'Aggressive'",
+ "subject_s": "Google Alert - news",
+ "action_s": "allow",
+ "adminOverride_s": "N/A",
+ "userOverride_s": "None",
+ "scanResult_s": "clean",
+ "Category": "Search Engines & Portals",
+ "sendingIp_s": "209.85.219.198",
+ "userAwarenessAction_s": "Continue",
+ "date_t [UTC]": "12/27/2021, 2:38:31.000 AM",
+ "actions_s": "Allow",
+ "route_s": "inbound",
+ "creationMethod_s": "User Click",
+ "emailPartsDescription_s": "[\r\n \"Body\"\r\n]"
+ },
+ {
+ "TimeGenerated [UTC]": "12/27/2021, 2:55:09.000 AM",
+ "mimecastEventId_s": "ttp_url",
+ "mimecastEventCategory_s": "ttp_url",
+ "userEmailAddress_s": "sanitized@sanitized.com",
+ "fromUserEmailAddress_s": "sanitized@sanitized.com",
+ "url_s": "https://www.google.com/alerts/share?hl=en&gl=US&ru=https://economictimes.indiatimes.com/markets/commodities/news/gold-edges-up-as-weaker-us-yields-counter-stronger-dollar/articleshow/88513686.cms&ss=tw&rt=Gold+edges+up+as+weaker+US+yields+counter+stronger+dollar+-+The+Economic+Times&cd=KhM0OTk0NDI0MzgyMDk3NzUyNzgxMhxjMmNjYzNlN2Y3YmFhNGFiOmNvbTplbjpVUzpM&ssp=AMJHsmXs8zjS2rK6rxSRdXAiRVpQv_QYpg",
+ "ttpDefinition_s": "Inbound URL 'Aggressive'",
+ "subject_s": "Google Alert - dollar",
+ "action_s": "allow",
+ "adminOverride_s": "N/A",
+ "userOverride_s": "None",
+ "scanResult_s": "clean",
+ "Category": "Search Engines & Portals",
+ "sendingIp_s": "209.85.219.197",
+ "userAwarenessAction_s": "Continue",
+ "date_t [UTC]": "12/27/2021, 2:55:09.000 AM",
+ "actions_s": "Allow",
+ "route_s": 
"inbound", + "creationMethod_s": "User Click", + "emailPartsDescription_s": "[\r\n \"Body\"\r\n]" + }, + { + "TimeGenerated [UTC]": "12/27/2021, 3:55:29.000 AM", + "mimecastEventId_s": "ttp_url", + "mimecastEventCategory_s": "ttp_url", + "userEmailAddress_s": "sanitized@sanitized.com", + "fromUserEmailAddress_s": "sanitized@sanitized.com", + "url_s": "https://www.google.com/alerts/feedback?ffu=https://www.marcoescapes.com/tigertail-and-sand-dollar-spit/&source=alertsmail&hl=en&gl=US&msgid=NzIwMDcxMTA4MDIxNDE3ODc0OQ&s=AB2Xq4i7OaFz4ss3vFU-wNb0DTELEKxhyDdFl54", + "ttpDefinition_s": "Inbound URL 'Aggressive'", + "subject_s": "Google Alert - dollar", + "action_s": "allow", + "adminOverride_s": "N/A", + "userOverride_s": "None", + "scanResult_s": "clean", + "Category": "Search Engines & Portals", + "sendingIp_s": "209.85.219.199", + "userAwarenessAction_s": "Continue", + "date_t [UTC]": "12/27/2021, 3:55:29.000 AM", + "actions_s": "Allow", + "route_s": "inbound", + "creationMethod_s": "User Click", + "emailPartsDescription_s": "[\r\n \"Body\"\r\n]" + }, + { + "TimeGenerated [UTC]": "12/27/2021, 4:38:14.000 AM", + "mimecastEventId_s": "ttp_url", + "mimecastEventCategory_s": "ttp_url", + "userEmailAddress_s": "sanitized@sanitized.com", + "fromUserEmailAddress_s": "sanitized@sanitized.com", + "url_s": "https://www.google.com/alerts/share?hl=en&gl=US&ru=https://www.si.com/fannation/nba/fastbreak/news/the-milwaukee-bucks-picked-up-their-20th-win-of-the-season-when-they-knocked-off-the-boston-celtics-117-113-in-wisconsin-on-christmas-day&ss=fb&rt=Here%27s+What+Giannis+Antetokounmpo+Tweeted+After+The+Bucks+Beat+The+Celtics+On+Christmas&cd=KhM0ODQwODQ1NjQxNzQ2MjQ3NjcwMhxjMzc4NzIwZjg2NzFjNjBmOmNvbTplbjpVUzpM&ssp=AMJHsmWVlWVfIRtKfl9uRNLGshLQSRQ-Cg", + "ttpDefinition_s": "Inbound URL 'Aggressive'", + "subject_s": "Google Alert - news", + "action_s": "allow", + "adminOverride_s": "N/A", + "userOverride_s": "None", + "scanResult_s": "clean", + "Category": "Search Engines & Portals", 
+ "sendingIp_s": "209.85.219.199", + "userAwarenessAction_s": "Continue", + "date_t [UTC]": "12/27/2021, 4:38:14.000 AM", + "actions_s": "Allow", + "route_s": "inbound", + "creationMethod_s": "User Click", + "emailPartsDescription_s": "[\r\n \"Body\"\r\n]" + }, + { + "TimeGenerated [UTC]": "12/27/2021, 6:50:35.000 AM", + "mimecastEventId_s": "ttp_url", + "mimecastEventCategory_s": "ttp_url", + "userEmailAddress_s": "sanitized@sanitized.com", + "fromUserEmailAddress_s": "sanitized@sanitized.com", + "url_s": "https://www.google.co.za/alerts/feedback?ffu=https://theowp.org/chinese-officials-agitated-by-american-involvement-with-taiwan/&source=alertsmail&hl=en&gl=US&msgid=Njk1ODg5MDY5NjM1MzQ4NzUwOA&s=AB2Xq4g-GUg7dJreWJN14pFdqYo0nYsyiVX2dK8", + "ttpDefinition_s": "Inbound URL 'Aggressive'", + "subject_s": "Google Alert - china", + "action_s": "allow", + "adminOverride_s": "N/A", + "userOverride_s": "None", + "scanResult_s": "clean", + "Category": "Search Engines & Portals", + "sendingIp_s": "209.85.219.199", + "userAwarenessAction_s": "Continue", + "date_t [UTC]": "12/27/2021, 6:50:35.000 AM", + "actions_s": "Allow", + "route_s": "inbound", + "creationMethod_s": "User Click", + "emailPartsDescription_s": "[\r\n \"Body\"\r\n]" + }, + { + "TimeGenerated [UTC]": "12/27/2021, 9:28:34.000 AM", + "mimecastEventId_s": "ttp_url", + "mimecastEventCategory_s": "ttp_url", + "userEmailAddress_s": "sanitized@sanitized.com", + "fromUserEmailAddress_s": "sanitized@sanitized.com", + "url_s": "https://www.google.com/alerts/feeds/00259755281018227146/836899131168148465", + "ttpDefinition_s": "Inbound URL 'Aggressive'", + "subject_s": "Google Alert - Trump", + "action_s": "allow", + "adminOverride_s": "N/A", + "userOverride_s": "None", + "scanResult_s": "clean", + "Category": "Search Engines & Portals", + "sendingIp_s": "209.85.219.200", + "userAwarenessAction_s": "N/A", + "date_t [UTC]": "12/27/2021, 9:28:34.000 AM", + "actions_s": "Allow", + "route_s": "inbound", + "creationMethod_s": 
"User Click", + "emailPartsDescription_s": "[\r\n \"Body\"\r\n]" + }, + { + "TimeGenerated [UTC]": "12/27/2021, 10:01:30.000 AM", + "mimecastEventId_s": "ttp_url", + "mimecastEventCategory_s": "ttp_url", + "userEmailAddress_s": "sanitized@sanitized.com", + "fromUserEmailAddress_s": "sanitized@sanitized.com", + "url_s": "https://uk.report.cybergraph.mimecast.com/alert-details/?dep=lonB32Hq8FFOh5ciQgDWZg%3D%3DPtRizLFwH08%2Fd0WX626j8kxGhQ4dGo4Ou1FSEXGDMgPKpAHZOB4fqwICA5fZ6ygBJXW8j8%2F3YwelirV51X26MTLOsVIVlzODl20d4BkIfqmp23QptTr2ouusLW7mJVGpuvj5wtb2l8oESdfbGFl6swPMU3w4tGTm9HnVNLHU5beaxpOIo%2BHEe%2Fl9MlzjREKu31ii0MCtm8svOmQLOGM8%2BIEcuqEswfYN0p3mJXI9ibdJX3uWcJCzdxhClogBMitvTzIvWIvt6CHAscr99Qkoe88wwsVk2yp9lxn86F5%2B23CWegd04UrcwWBFFDJekuJAek0edNy2XuNo%2BWE5EPC20p8Il1T9Oha%2BHu%2FVTj0BI2F%2F9XEf1Da8uxDIsqCDa0APWMy9u01IT2COsXTSWqqnjfv7d3fFXrVryuWx2ZhoEK3ln2uQcorDMJP4wyhXw3bIiCOYt9DZGc0HVEXdt%2FV0sGCnjlC6rEp6hWDfeBs%2B%2FY3RkpsYDdbQPLxbkqd0K4OkUHFyqmYp4P%2BU0wJ%2BgRdQqpuGTqIQgP%2FHfzaiRMxaUnfSnGH1qvjFZeaTAwzTP%2FXBPDgmWvYdHwW40aS4CFf9eQ%3D%3D", + "ttpDefinition_s": "Inbound URL 'Aggressive'", + "subject_s": "Mimecast Anti-Tracking Protection Summary", + "action_s": "allow", + "adminOverride_s": "N/A", + "userOverride_s": "None", + "scanResult_s": "clean", + "Category": "Computers & Technology", + "sendingIp_s": "50.31.156.115", + "userAwarenessAction_s": "N/A", + "date_t [UTC]": "12/27/2021, 10:01:30.000 AM", + "actions_s": "Allow", + "route_s": "inbound", + "creationMethod_s": "User Click", + "emailPartsDescription_s": "[\r\n \"Body\"\r\n]" + }, + { + "TimeGenerated [UTC]": "12/27/2021, 10:01:30.000 AM", + "mimecastEventId_s": "ttp_url", + "mimecastEventCategory_s": "ttp_url", + "userEmailAddress_s": "sanitized@sanitized.com", + "fromUserEmailAddress_s": "sanitized@sanitized.com", + "url_s": 
"https://uk.report.cybergraph.mimecast.com/alert-details/?dep=hkmTaRN%2BnppFjUkXDSjtag%3D%3DQIRJzDsG35gOyuXbIxD%2BRzN020AWz0uQe6T5NX4p7c42APKlcjUNo%2BMU%2Bc0940i4Mlu3hqulHkGVt8E4C6okSCn04Xsz2ET6M2gFgI5qd6hYs1s1TnfsNDVZQ4wrCGtk5SqkFOQLOcQbHLC9QhCHkaSMdBE5Sczgw1%2FwRXCH4GhQDDYfKzPNpO%2F3lWQ%2B3bk4MylgVUXvDJLue79RJzCErpaEOGetj51PkngUPsEE3%2BRNlfF2uUXYADDIpZmmRFBLVA5MmEKhDycoX1kSbvbsIB3OLdKH533Mp4eQSxF6vCAri8%2F9qrmtFU57w7CC%2F1d%2B%2BkIOqi9wmTGmxTcWO7Mw1ccZI9EjXS9hGPp6Bc3rieM%2BBgXd5B7aPc2I%2Bp0DytT%2F1ddLhtJ6DoEYsFiNVUsv41lhiJzyW%2BPbOD6K26hPKnMaQPJrrh1x5GNx9yidtSrTv1LOunSgDaKmfIndkP8D4w%2FNxMbV%2F8lSvrKQ0R0ZPyzySzJ4IHQXZPFuMLBs4%2BVJp4MMI0uj2DpFHeM4Ed3RB5JVNeePbhx0HN%2BFK5PWRCOsb5eBiCVfPmkraAllaO%2FQQZFP6MBQ%2BcI%2BbieiQqYmJRdAwRKDAw%2FkKz47kYB%2FuCWmRF%2Ftc3LUEp8aO6dv2lhs", + "ttpDefinition_s": "Inbound URL 'Aggressive'", + "subject_s": "Mimecast Anti-Tracking Protection Summary", + "action_s": "allow", + "adminOverride_s": "N/A", + "userOverride_s": "None", + "scanResult_s": "clean", + "Category": "Computers & Technology", + "sendingIp_s": "50.31.156.113", + "userAwarenessAction_s": "N/A", + "date_t [UTC]": "12/27/2021, 10:01:30.000 AM", + "actions_s": "Allow", + "route_s": "inbound", + "creationMethod_s": "User Click", + "emailPartsDescription_s": "[\r\n \"Body\"\r\n]" + }, + { + "TimeGenerated [UTC]": "12/27/2021, 10:01:31.000 AM", + "mimecastEventId_s": "ttp_url", + "mimecastEventCategory_s": "ttp_url", + "userEmailAddress_s": "sanitized@sanitized.com", + "fromUserEmailAddress_s": "sanitized@sanitized.com", + "url_s": "https://login-uk.mimecast.com/u/login/?gta=apps&link=/sso/cybergraph#/login", + "ttpDefinition_s": "Inbound URL 'Aggressive'", + "subject_s": "Mimecast Anti-Tracking Protection Summary", + "action_s": "allow", + "adminOverride_s": "N/A", + "userOverride_s": "None", + "scanResult_s": "clean", + "Category": "Computers & Technology", + "sendingIp_s": "104.245.209.231", + "userAwarenessAction_s": "N/A", + "date_t [UTC]": "12/27/2021, 10:01:31.000 
AM", + "actions_s": "Allow", + "route_s": "inbound", + "creationMethod_s": "User Click", + "emailPartsDescription_s": "[\r\n \"Body\"\r\n]" + }, + { + "TimeGenerated [UTC]": "12/27/2021, 10:01:31.000 AM", + "mimecastEventId_s": "ttp_url", + "mimecastEventCategory_s": "ttp_url", + "userEmailAddress_s": "sanitized@sanitized.com", + "fromUserEmailAddress_s": "sanitized@sanitized.com", + "url_s": "https://uk.report.cybergraph.mimecast.com/alert-details/?dep=3XDpopRWJ2zuqyiiKLBKlg%3D%3DE4oOaXvW9ZqryvRLuWC7ErcuTh0jyk5l57l1tauicSTfwWeecYbmujwPkYvnvE5Ds1YhbDlr8K8J8iMjr7ouEoV5svp0nOWf6V5HGmL39xu8bs4yesRBGbodYS3IzAB94zFK40iSKzcmC8MW17Aze7VbbFnCvIvbF8tyeB5zR6NJE%2BM4DwT%2FotvyFMllBhF9eD8aqoqnkPSNGG72YKhnBwbJghlNdPxCqpMHeEOf02aQsv%2BOtFs8aRycIdi0imH5wTcQGVDiUYwcJar26EcxU80uyGwc6e4%2BcAby4k%2FM9acgZ%2F9raZBGPZytL4I2T%2Fs5HEOlp9hIUTNj9wufEar5OHSx3dbyzJwPzRxzsHCsTHtHYPjTnFv12dH2ORBtqWOsD72KjGIeDHUe3gFknsDptH%2BxTbmxNTW2Let8rWy5VsbkGnhpI4HwEqFRakk9H5lFgcKCl48udgjnQGYyW3Z27Atf%2F81YITJ3ykIdTbnLiHajuW4LvCxrRedB1ERCputj64styjLDf%2FKRG5IhNtwKRch9e6T%2FZtTGIuulTNI7mKWTqPu%2F4F08v52fHb1lnIYmXftqOhmd1CdhO9aZGZTOKz%2BxiNs0osmYKzNmfZnZMSc%3D", + "ttpDefinition_s": "Inbound URL 'Aggressive'", + "subject_s": "Mimecast Anti-Tracking Protection Summary", + "action_s": "allow", + "adminOverride_s": "N/A", + "userOverride_s": "None", + "scanResult_s": "clean", + "Category": "Computers & Technology", + "sendingIp_s": "50.31.156.113", + "userAwarenessAction_s": "N/A", + "date_t [UTC]": "12/27/2021, 10:01:31.000 AM", + "actions_s": "Allow", + "route_s": "inbound", + "creationMethod_s": "User Click", + "emailPartsDescription_s": "[\r\n \"Body\"\r\n]" + }, + { + "TimeGenerated [UTC]": "12/27/2021, 11:24:48.000 AM", + "mimecastEventId_s": "ttp_url", + "mimecastEventCategory_s": "ttp_url", + "userEmailAddress_s": "sanitized@sanitized.com", + "fromUserEmailAddress_s": "sanitized@sanitized.com", + "url_s": 
"https://link.theskimm.com/click/26175136.608504/aHR0cHM6Ly9za2ltbXRoLmlzLzN5WmU4ekM/5d00018f283d8e33d1617794B7359ba34", + "ttpDefinition_s": "Inbound URL 'Aggressive'", + "subject_s": "Daily Skimm: All Too Well (2021 Version)", + "action_s": "allow", + "adminOverride_s": "N/A", + "userOverride_s": "None", + "scanResult_s": "clean", + "Category": "Entertainment", + "sendingIp_s": "192.64.236.76", + "userAwarenessAction_s": "Continue", + "date_t [UTC]": "12/27/2021, 11:24:48.000 AM", + "actions_s": "Allow", + "route_s": "inbound", + "creationMethod_s": "User Click", + "emailPartsDescription_s": "[\r\n \"Body\"\r\n]" + }, + { + "TimeGenerated [UTC]": "12/27/2021, 1:50:05.000 PM", + "mimecastEventId_s": "ttp_url", + "mimecastEventCategory_s": "ttp_url", + "userEmailAddress_s": "sanitized@sanitized.com", + "fromUserEmailAddress_s": "sanitized@sanitized.com", + "url_s": "https://www.google.co.za/alerts/feedback?ffu=https://www.cnn.com/2021/12/27/economy/china-industrial-profits-intl-hnk/index.html&source=alertsmail&hl=en&gl=US&msgid=MjQxNzg1NDI4NjY1NzE4ODUxNA&s=AB2Xq4g-GUg7dJreWJN14pFdqYo0nYsyiVX2dK8", + "ttpDefinition_s": "Inbound URL 'Aggressive'", + "subject_s": "Google Alert - china", + "action_s": "allow", + "adminOverride_s": "N/A", + "userOverride_s": "None", + "scanResult_s": "clean", + "Category": "Search Engines & Portals", + "sendingIp_s": "209.85.219.198", + "userAwarenessAction_s": "Continue", + "date_t [UTC]": "12/27/2021, 1:50:05.000 PM", + "actions_s": "Allow", + "route_s": "inbound", + "creationMethod_s": "User Click", + "emailPartsDescription_s": "[\r\n \"Body\"\r\n]" + }, + { + "TimeGenerated [UTC]": "12/27/2021, 5:09:13.000 AM", + "mimecastEventId_s": "ttp_url", + "mimecastEventCategory_s": "ttp_url", + "userEmailAddress_s": "sanitized@sanitized.com", + "fromUserEmailAddress_s": "sanitized@sanitized.com", + "url_s": 
"https://rdir.conrad.de/r.html?uid=D.B.DEjw.BtyiF.CAbxO.B.Hy2AJEjKlnAAjtSXJE2WmVTYfNoubt9JpVaB7OsYbyRNJOGSWcly4O88Fqy9GGjW97H_R1POPN28b8EE2WOejw", + "ttpDefinition_s": "Inbound URL 'Aggressive'", + "subject_s": "Abnehmen mit Fitness-Tracker, Laufband und Ergometer: So gelingen Neujahrsvorsätze - China: Kein Zugriff mehr auf Steam Global", + "action_s": "allow", + "adminOverride_s": "N/A", + "userOverride_s": "None", + "scanResult_s": "clean", + "Category": "Business", + "sendingIp_s": "45.146.18.103", + "userAwarenessAction_s": "Continue", + "date_t [UTC]": "12/27/2021, 5:09:13.000 AM", + "actions_s": "Allow", + "route_s": "inbound", + "creationMethod_s": "User Click", + "emailPartsDescription_s": "[\r\n \"Body\"\r\n]" + }, + { + "TimeGenerated [UTC]": "12/27/2021, 5:50:17.000 AM", + "mimecastEventId_s": "ttp_url", + "mimecastEventCategory_s": "ttp_url", + "userEmailAddress_s": "sanitized@sanitized.com", + "fromUserEmailAddress_s": "sanitized@sanitized.com", + "url_s": "https://www.google.com/url?rct=j&sa=t&url=https://www.thehindu.com/sport/other-sports/china-talks-up-green-olympics-but-prepares-to-fight-smog/article38046202.ece&ct=ga&cd=CAEYASoSNjA1NDIzNTIyMzM5MDg3MjM0MhxmZDg3ZWNjOTEwYjExYThjOmNvLnphOmVuOlVT&usg=AFQjCNF2-Tn7YHQZhQIAO-fkH4povce_vw", + "ttpDefinition_s": "Inbound URL 'Aggressive'", + "subject_s": "Google Alert - china", + "action_s": "allow", + "adminOverride_s": "N/A", + "userOverride_s": "None", + "scanResult_s": "clean", + "Category": "News", + "sendingIp_s": "209.85.219.197", + "userAwarenessAction_s": "Continue", + "date_t [UTC]": "12/27/2021, 5:50:17.000 AM", + "actions_s": "Allow", + "route_s": "inbound", + "creationMethod_s": "User Click", + "emailPartsDescription_s": "[\r\n \"Body\"\r\n]" + }, + { + "TimeGenerated [UTC]": "12/27/2021, 6:27:56.000 AM", + "mimecastEventId_s": "ttp_url", + "mimecastEventCategory_s": "ttp_url", + "userEmailAddress_s": "sanitized@sanitized.com", + "fromUserEmailAddress_s": "sanitized@sanitized.com", + "url_s": 
"https://www.google.com/alerts?source=alertsmail&hl=en&gl=US&msgid=MjA5MTAxMjU0Mjc0ODA4MzAzNA", + "ttpDefinition_s": "Inbound URL 'Aggressive'", + "subject_s": "Google Alert - Trump", + "action_s": "allow", + "adminOverride_s": "N/A", + "userOverride_s": "None", + "scanResult_s": "clean", + "Category": "Search Engines & Portals", + "sendingIp_s": "209.85.219.197", + "userAwarenessAction_s": "Continue", + "date_t [UTC]": "12/27/2021, 6:27:56.000 AM", + "actions_s": "Allow", + "route_s": "inbound", + "creationMethod_s": "User Click", + "emailPartsDescription_s": "[\r\n \"Body\"\r\n]" + }, + { + "TimeGenerated [UTC]": "12/27/2021, 11:55:32.000 AM", + "mimecastEventId_s": "ttp_url", + "mimecastEventCategory_s": "ttp_url", + "userEmailAddress_s": "sanitized@sanitized.com", + "fromUserEmailAddress_s": "sanitized@sanitized.com", + "url_s": "https://www.google.com/alerts?s=AB2Xq4i7OaFz4ss3vFU-wNb0DTELEKxhyDdFl54&start=1640602482&end=1640606081&source=alertsmail&hl=en&gl=US&msgid=MTE4NzAyNzM0NzMyODIzMDMyMDI#history", + "ttpDefinition_s": "Inbound URL 'Aggressive'", + "subject_s": "Google Alert - dollar", + "action_s": "allow", + "adminOverride_s": "N/A", + "userOverride_s": "None", + "scanResult_s": "clean", + "Category": "Search Engines & Portals", + "sendingIp_s": "209.85.219.199", + "userAwarenessAction_s": "Continue", + "date_t [UTC]": "12/27/2021, 11:55:32.000 AM", + "actions_s": "Allow", + "route_s": "inbound", + "creationMethod_s": "User Click", + "emailPartsDescription_s": "[\r\n \"Body\"\r\n]" + }, + { + "TimeGenerated [UTC]": "12/27/2021, 1:28:27.000 PM", + "mimecastEventId_s": "ttp_url", + "mimecastEventCategory_s": "ttp_url", + "userEmailAddress_s": "sanitized@sanitized.com", + "fromUserEmailAddress_s": "sanitized@sanitized.com", + "url_s": 
"https://www.google.com/alerts/share?hl=en&gl=US&ru=https://www.newsnationnow.com/us-news/dc-riots/jan-6-panel-signals-interest-in-whether-trump-committed-crime/&ss=fb&rt=Jan.+6+panel+signals+interest+in+whether+Trump+committed+crime+%7C+NewsNation+Now&cd=KhQxNzEwNDk1Nzk0ODE2NzQ5NjM3OTIcNTMzZTAxNjlmYWFlMjAwZDpjb206ZW46VVM6TA&ssp=AMJHsmWQ2fY4znGi-8FkyStno6Ng8qNwsQ", + "ttpDefinition_s": "Inbound URL 'Aggressive'", + "subject_s": "Google Alert - Trump", + "action_s": "allow", + "adminOverride_s": "N/A", + "userOverride_s": "None", + "scanResult_s": "clean", + "Category": "Search Engines & Portals", + "sendingIp_s": "209.85.219.197", + "userAwarenessAction_s": "Continue", + "date_t [UTC]": "12/27/2021, 1:28:27.000 PM", + "actions_s": "Allow", + "route_s": "inbound", + "creationMethod_s": "User Click", + "emailPartsDescription_s": "[\r\n \"Body\"\r\n]" + }, + { + "TimeGenerated [UTC]": "12/27/2021, 2:49:56.000 AM", + "mimecastEventId_s": "ttp_url", + "mimecastEventCategory_s": "ttp_url", + "userEmailAddress_s": "sanitized@sanitized.com", + "fromUserEmailAddress_s": "sanitized@sanitized.com", + "url_s": "https://www.google.co.za/alerts/share?hl=en&gl=US&ru=https://www.upi.com/Top_News/World-News/2021/12/26/China-replaces-Communist-Party-head-Xinjiang-region/5331640546632/&ss=fb&rt=China+replaces+Communist+Party+head+of+Xinjiang+region+-+UPI.com&cd=KhQxNDkyMTIzNjUyNzQ5ODkzODczNTIcZmQ4N2VjYzkxMGIxMWE4Yzpjby56YTplbjpVUw&ssp=AMJHsmXGC3SQS7qVxdZFBVSqC3GocrYtjw", + "ttpDefinition_s": "Inbound URL 'Aggressive'", + "subject_s": "Google Alert - china", + "action_s": "allow", + "adminOverride_s": "N/A", + "userOverride_s": "None", + "scanResult_s": "clean", + "Category": "Search Engines & Portals", + "sendingIp_s": "209.85.219.199", + "userAwarenessAction_s": "Continue", + "date_t [UTC]": "12/27/2021, 2:49:56.000 AM", + "actions_s": "Allow", + "route_s": "inbound", + "creationMethod_s": "User Click", + "emailPartsDescription_s": "[\r\n \"Body\"\r\n]" + }, + { + "TimeGenerated 
[UTC]": "12/27/2021, 3:28:33.000 AM", + "mimecastEventId_s": "ttp_url", + "mimecastEventCategory_s": "ttp_url", + "userEmailAddress_s": "sanitized@sanitized.com", + "fromUserEmailAddress_s": "sanitized@sanitized.com", + "url_s": "https://www.google.com/alerts/feedback?ffu=https://www.businessinsider.in/politics/world/news/candace-owens-suggests-trump-only-touted-vaccines-because-hes-too-old-to-know-how-to-find-alternative-sources-online/articleshow/88505402.cms&source=alertsmail&hl=en&gl=US&msgid=NzcwMDM4NjU1MjUxNzAxNDc2MQ&s=AB2Xq4hiDmIunBoqckhCTi0k4Y5Cp0tt3CqR-bs", + "ttpDefinition_s": "Inbound URL 'Aggressive'", + "subject_s": "Google Alert - Trump", + "action_s": "allow", + "adminOverride_s": "N/A", + "userOverride_s": "None", + "scanResult_s": "clean", + "Category": "Search Engines & Portals", + "sendingIp_s": "209.85.219.198", + "userAwarenessAction_s": "Continue", + "date_t [UTC]": "12/27/2021, 3:28:33.000 AM", + "actions_s": "Allow", + "route_s": "inbound", + "creationMethod_s": "User Click", + "emailPartsDescription_s": "[\r\n \"Body\"\r\n]" + }, + { + "TimeGenerated [UTC]": "12/27/2021, 4:50:33.000 AM", + "mimecastEventId_s": "ttp_url", + "mimecastEventCategory_s": "ttp_url", + "userEmailAddress_s": "sanitized@sanitized.com", + "fromUserEmailAddress_s": "sanitized@sanitized.com", + "url_s": "https://www.google.com/url?rct=j&sa=t&url=https://www.tomshardware.com/news/china-fenghua-gpu-new-benchmark-demo&ct=ga&cd=CAEYAyoTMTc3NzM0Nzc4NTk5MTEwODUzNjIcZmQ4N2VjYzkxMGIxMWE4Yzpjby56YTplbjpVUw&usg=AFQjCNG40EmeX-BvOJu0DOErupyLz_IqwQ", + "ttpDefinition_s": "Inbound URL 'Aggressive'", + "subject_s": "Google Alert - china", + "action_s": "allow", + "adminOverride_s": "N/A", + "userOverride_s": "None", + "scanResult_s": "clean", + "Category": "Computers & Technology", + "sendingIp_s": "209.85.219.200", + "userAwarenessAction_s": "Continue", + "date_t [UTC]": "12/27/2021, 4:50:33.000 AM", + "actions_s": "Allow", + "route_s": "inbound", + "creationMethod_s": "User Click", 
+ "emailPartsDescription_s": "[\r\n \"Body\"\r\n]" + }, + { + "TimeGenerated [UTC]": "12/27/2021, 5:55:34.000 AM", + "mimecastEventId_s": "ttp_url", + "mimecastEventCategory_s": "ttp_url", + "userEmailAddress_s": "sanitized@sanitized.com", + "fromUserEmailAddress_s": "sanitized@sanitized.com", + "url_s": "https://www.google.com/url?rct=j&sa=t&url=https://www.zawya.com/mena/en/markets/story/Gold_steady_as_weaker_US_yields_counter_firmer_dollar-TR20211227nL1N2TC024X1/&ct=ga&cd=CAEYACoUMTU3MDgwMDQxOTY1MTk5NzczNTMyHGMyY2NjM2U3ZjdiYWE0YWI6Y29tOmVuOlVTOkw&usg=AFQjCNHVTNvBRJUhRVZN-K5hG-CzqbvT1Q", + "ttpDefinition_s": "Inbound URL 'Aggressive'", + "subject_s": "Google Alert - dollar", + "action_s": "allow", + "adminOverride_s": "N/A", + "userOverride_s": "None", + "scanResult_s": "clean", + "Category": "Business", + "sendingIp_s": "209.85.219.197", + "userAwarenessAction_s": "Continue", + "date_t [UTC]": "12/27/2021, 5:55:34.000 AM", + "actions_s": "Allow", + "route_s": "inbound", + "creationMethod_s": "User Click", + "emailPartsDescription_s": "[\r\n \"Body\"\r\n]" + }, + { + "TimeGenerated [UTC]": "12/27/2021, 8:28:00.000 AM", + "mimecastEventId_s": "ttp_url", + "mimecastEventCategory_s": "ttp_url", + "userEmailAddress_s": "sanitized@sanitized.com", + "fromUserEmailAddress_s": "sanitized@sanitized.com", + "url_s": "https://www.google.com/alerts/edit?source=alertsmail&hl=en&gl=US&msgid=ODc0NTAwNDk2ODA3MzA0MDE5MQ&s=AB2Xq4hiDmIunBoqckhCTi0k4Y5Cp0tt3CqR-bs&email=bpinnock%40twotoeight.com", + "ttpDefinition_s": "Inbound URL 'Aggressive'", + "subject_s": "Google Alert - Trump", + "action_s": "allow", + "adminOverride_s": "N/A", + "userOverride_s": "None", + "scanResult_s": "clean", + "Category": "Computers & Technology", + "sendingIp_s": "209.85.219.199", + "userAwarenessAction_s": "Continue", + "date_t [UTC]": "12/27/2021, 8:28:00.000 AM", + "actions_s": "Allow", + "route_s": "inbound", + "creationMethod_s": "User Click", + "emailPartsDescription_s": "[\r\n \"Body\"\r\n]" + 
}, + { + "TimeGenerated [UTC]": "12/27/2021, 11:37:23.000 AM", + "mimecastEventId_s": "ttp_url", + "mimecastEventCategory_s": "ttp_url", + "userEmailAddress_s": "sanitized@sanitized.com", + "fromUserEmailAddress_s": "sanitized@sanitized.com", + "url_s": "https://www.google.com/alerts?source=alertsmail&hl=en&gl=US&msgid=MTY5NzE1ODQwNzcwOTcxMDU1OTI", + "ttpDefinition_s": "Inbound URL 'Aggressive'", + "subject_s": "Google Alert - news", + "action_s": "allow", + "adminOverride_s": "N/A", + "userOverride_s": "None", + "scanResult_s": "clean", + "Category": "Search Engines & Portals", + "sendingIp_s": "209.85.219.198", + "userAwarenessAction_s": "Continue", + "date_t [UTC]": "12/27/2021, 11:37:23.000 AM", + "actions_s": "Allow", + "route_s": "inbound", + "creationMethod_s": "User Click", + "emailPartsDescription_s": "[\r\n \"Body\"\r\n]" + }, + { + "TimeGenerated [UTC]": "12/27/2021, 12:28:34.000 PM", + "mimecastEventId_s": "ttp_url", + "mimecastEventCategory_s": "ttp_url", + "userEmailAddress_s": "sanitized@sanitized.com", + "fromUserEmailAddress_s": "sanitized@sanitized.com", + "url_s": "https://www.google.com/alerts/share?hl=en&gl=US&ru=https://www.msn.com/en-us/lifestyle/shopping/tiffany-trump-gets-edgy-for-christmas-in-fishnets-and-louis-vuitton-ankle-boots-with-marla-maples/ar-AAS9Db6&ss=tw&rt=Tiffany+Trump+Gets+Edgy+for+Christmas+in+Fishnets+and+Louis+Vuitton+Ankle+Boots+with+Marla+Maples&cd=KhQxMDAxNjkwOTIzNzk3NTMwNDAwMzIcNTMzZTAxNjlmYWFlMjAwZDpjb206ZW46VVM6TA&ssp=AMJHsmVEO0XRD3Yfa2RAbaCIK-BeSsQEQw", + "ttpDefinition_s": "Inbound URL 'Aggressive'", + "subject_s": "Google Alert - Trump", + "action_s": "allow", + "adminOverride_s": "N/A", + "userOverride_s": "None", + "scanResult_s": "clean", + "Category": "Search Engines & Portals", + "sendingIp_s": "209.85.219.197", + "userAwarenessAction_s": "Continue", + "date_t [UTC]": "12/27/2021, 12:28:34.000 PM", + "actions_s": "Allow", + "route_s": "inbound", + "creationMethod_s": "User Click", + "emailPartsDescription_s": 
"[\r\n \"Body\"\r\n]" + }, + { + "TimeGenerated [UTC]": "12/27/2021, 12:50:31.000 PM", + "mimecastEventId_s": "ttp_url", + "mimecastEventCategory_s": "ttp_url", + "userEmailAddress_s": "sanitized@sanitized.com", + "fromUserEmailAddress_s": "sanitized@sanitized.com", + "url_s": "https://www.google.co.za/alerts/share?hl=en&gl=US&ru=https://www.cnbc.com/2021/12/27/china-to-remove-foreign-investment-limit-passenger-car-manufacturing.html&ss=fb&rt=China+to+remove+limits+on+foreign+investment+in+passenger+car+manufacturing+-+CNBC&cd=KhM3ODY4Mzk1MTQ1ODYxODYzMDAwMhxmZDg3ZWNjOTEwYjExYThjOmNvLnphOmVuOlVT&ssp=AMJHsmVulBiCZbrylqUM4mpTGmqk2M87VQ", + "ttpDefinition_s": "Inbound URL 'Aggressive'", + "subject_s": "Google Alert - china", + "action_s": "allow", + "adminOverride_s": "N/A", + "userOverride_s": "None", + "scanResult_s": "clean", + "Category": "Search Engines & Portals", + "sendingIp_s": "209.85.219.200", + "userAwarenessAction_s": "Continue", + "date_t [UTC]": "12/27/2021, 12:50:31.000 PM", + "actions_s": "Allow", + "route_s": "inbound", + "creationMethod_s": "User Click", + "emailPartsDescription_s": "[\r\n \"Body\"\r\n]" + }, + { + "TimeGenerated [UTC]": "12/27/2021, 1:37:45.000 PM", + "mimecastEventId_s": "ttp_url", + "mimecastEventCategory_s": "ttp_url", + "userEmailAddress_s": "sanitized@sanitized.com", + "fromUserEmailAddress_s": "sanitized@sanitized.com", + "url_s": "https://www.google.com/alerts/share?hl=en&gl=US&ru=https://gmenhq.com/2021/12/27/ny-giants-rumors-john-dorsey-alonzo-highsmith-dave-gettleman/&ss=fb&rt=Sources:+Two+veteran+executives+in+NY+Giants%27+sights+if+GM+job+comes+open&cd=KhQxNTg5NDg0NzY4MTU0MDc4NDkzNDIcYzM3ODcyMGY4NjcxYzYwZjpjb206ZW46VVM6TA&ssp=AMJHsmUtCQCIERmlRa-p5FVGOu_UXX-Y5g", + "ttpDefinition_s": "Inbound URL 'Aggressive'", + "subject_s": "Google Alert - news", + "action_s": "allow", + "adminOverride_s": "N/A", + "userOverride_s": "None", + "scanResult_s": "clean", + "Category": "Search Engines & Portals", + "sendingIp_s": 
"209.85.219.197", + "userAwarenessAction_s": "Continue", + "date_t [UTC]": "12/27/2021, 1:37:45.000 PM", + "actions_s": "Allow", + "route_s": "inbound", + "creationMethod_s": "User Click", + "emailPartsDescription_s": "[\r\n \"Body\"\r\n]" + }, + { + "TimeGenerated [UTC]": "12/27/2021, 4:27:54.000 AM", + "mimecastEventId_s": "ttp_url", + "mimecastEventCategory_s": "ttp_url", + "userEmailAddress_s": "sanitized@sanitized.com", + "fromUserEmailAddress_s": "sanitized@sanitized.com", + "url_s": "https://www.google.com/alerts/feedback?ffu=https://www.dailymail.co.uk/news/article-10345653/Dem-Rep-Debbie-Dingell-shares-vile-voicemail-received-two-years-Trump-attacked-her.html&source=alertsmail&hl=en&gl=US&msgid=MTYwMDEyMTk2NzUxNTg0MTU4NDQ&s=AB2Xq4hiDmIunBoqckhCTi0k4Y5Cp0tt3CqR-bs", + "ttpDefinition_s": "Inbound URL 'Aggressive'", + "subject_s": "Google Alert - Trump", + "action_s": "allow", + "adminOverride_s": "N/A", + "userOverride_s": "None", + "scanResult_s": "clean", + "Category": "Search Engines & Portals", + "sendingIp_s": "209.85.219.199", + "userAwarenessAction_s": "Continue", + "date_t [UTC]": "12/27/2021, 4:27:54.000 AM", + "actions_s": "Allow", + "route_s": "inbound", + "creationMethod_s": "User Click", + "emailPartsDescription_s": "[\r\n \"Body\"\r\n]" + }, + { + "TimeGenerated [UTC]": "12/27/2021, 6:55:52.000 AM", + "mimecastEventId_s": "ttp_url", + "mimecastEventCategory_s": "ttp_url", + "userEmailAddress_s": "sanitized@sanitized.com", + "fromUserEmailAddress_s": "sanitized@sanitized.com", + "url_s": "https://www.google.com/alerts/feedback?ffu=https://www.mytwintiers.com/news-cat/top-stories/robbery-of-dollar-store-in-bradford-county/&source=alertsmail&hl=en&gl=US&msgid=MTMwMDk1MTc0MjkyNTkwOTgxNzQ&s=AB2Xq4i7OaFz4ss3vFU-wNb0DTELEKxhyDdFl54", + "ttpDefinition_s": "Inbound URL 'Aggressive'", + "subject_s": "Google Alert - dollar", + "action_s": "allow", + "adminOverride_s": "N/A", + "userOverride_s": "None", + "scanResult_s": "clean", + "Category": "Search 
Engines & Portals",
+ "sendingIp_s": "209.85.219.200",
+ "userAwarenessAction_s": "Continue",
+ "date_t [UTC]": "12/27/2021, 6:55:52.000 AM",
+ "actions_s": "Allow",
+ "route_s": "inbound",
+ "creationMethod_s": "User Click",
+ "emailPartsDescription_s": "[\r\n \"Body\"\r\n]"
+ },
+ {
+ "TimeGenerated [UTC]": "12/27/2021, 8:37:20.000 AM",
+ "mimecastEventId_s": "ttp_url",
+ "mimecastEventCategory_s": "ttp_url",
+ "userEmailAddress_s": "sanitized@sanitized.com",
+ "fromUserEmailAddress_s": "sanitized@sanitized.com",
+ "url_s": "https://www.google.com/alerts?source=alertsmail&hl=en&gl=US&msgid=MzA3NzE2NTI3NDkxNjk2MTY",
+ "ttpDefinition_s": "Inbound URL 'Aggressive'",
+ "subject_s": "Google Alert - news",
+ "action_s": "allow",
+ "adminOverride_s": "N/A",
+ "userOverride_s": "None",
+ "scanResult_s": "clean",
+ "Category": "Search Engines & Portals",
+ "sendingIp_s": "209.85.219.199",
+ "userAwarenessAction_s": "Continue",
+ "date_t [UTC]": "12/27/2021, 8:37:20.000 AM",
+ "actions_s": "Allow",
+ "route_s": "inbound",
+ "creationMethod_s": "User Click",
+ "emailPartsDescription_s": "[\r\n \"Body\"\r\n]"
+ },
+ {
+ "TimeGenerated [UTC]": "12/27/2021, 8:38:34.000 AM",
+ "mimecastEventId_s": "ttp_url",
+ "mimecastEventCategory_s": "ttp_url",
+ "userEmailAddress_s": "sanitized@sanitized.com",
+ "fromUserEmailAddress_s": "sanitized@sanitized.com",
+ "url_s": "https://emails.azure.microsoft.com/redirect/?destination=https%3A%2F%2Fgo.microsoft.com%2Ffwlink%2F%3FLinkId%3D521839&p=bT03ZmNhNmQ2My0wM2QzLTRjZjctODA2MC1kMTM1ZGRlZWMwOGMmcz0wMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAmdT1hZW8mbD1wcml2YWN5LXN0YXRlbWVudA%3D%3D",
+ "ttpDefinition_s": "Inbound URL 'Aggressive'",
+ "subject_s": "View your Exchange Online (Plan 1) invoice",
+ "action_s": "allow",
+ "adminOverride_s": "N/A",
+ "userOverride_s": "None",
+ "scanResult_s": "clean",
+ "Category": "Computers & Technology",
+ "sendingIp_s": "13.70.32.43",
+ "userAwarenessAction_s": "Continue",
+ "date_t [UTC]": "12/27/2021, 8:38:34.000 AM",
+ "actions_s": "Allow",
+ "route_s": "inbound",
+ "creationMethod_s": "User Click",
+ "emailPartsDescription_s": "[\r\n \"Body\"\r\n]"
+ },
+ {
+ "TimeGenerated [UTC]": "12/27/2021, 10:35:13.000 AM",
+ "mimecastEventId_s": "ttp_url",
+ "mimecastEventCategory_s": "ttp_url",
+ "userEmailAddress_s": "sanitized@sanitized.com",
+ "fromUserEmailAddress_s": "sanitized@sanitized.com",
+ "url_s": "patience.To",
+ "ttpDefinition_s": "Inbound URL 'Aggressive'",
+ "subject_s": "Weekly digest: Microsoft service updates",
+ "action_s": "allow",
+ "adminOverride_s": "N/A",
+ "userOverride_s": "None",
+ "scanResult_s": "clean",
+ "Category": "Shopping",
+ "sendingIp_s": "52.236.28.249",
+ "userAwarenessAction_s": "Continue",
+ "date_t [UTC]": "12/27/2021, 10:35:13.000 AM",
+ "actions_s": "Allow",
+ "route_s": "inbound",
+ "creationMethod_s": "User Click",
+ "emailPartsDescription_s": "[\r\n \"Body\"\r\n]"
+ },
+ {
+ "TimeGenerated [UTC]": "12/27/2021, 10:37:30.000 AM",
+ "mimecastEventId_s": "ttp_url",
+ "mimecastEventCategory_s": "ttp_url",
+ "userEmailAddress_s": "sanitized@sanitized.com",
+ "fromUserEmailAddress_s": "sanitized@sanitized.com",
+ "url_s": "https://www.google.com/alerts/share?hl=en&gl=US&ru=https://www.seahawks.com/news/what-the-bears-said-following-their-25-24-win-over-the-seahawks&ss=tw&rt=What+The+Bears+Said+Following+Their+25-24+Win+Over+The+Seahawks&cd=KhM4MzMzMTE3MTM1MzIzMjI5NDk1MhxjMzc4NzIwZjg2NzFjNjBmOmNvbTplbjpVUzpM&ssp=AMJHsmXjPAMT8pBrr-EUvp0mqwtkIQWCRg",
+ "ttpDefinition_s": "Inbound URL 'Aggressive'",
+ "subject_s": "Google Alert - news",
+ "action_s": "allow",
+ "adminOverride_s": "N/A",
+ "userOverride_s": "None",
+ "scanResult_s": "clean",
+ "Category": "Search Engines & Portals",
+ "sendingIp_s": "209.85.219.197",
+ "userAwarenessAction_s": "Continue",
+ "date_t [UTC]": "12/27/2021, 10:37:30.000 AM",
+ "actions_s": "Allow",
+ "route_s": "inbound",
+ "creationMethod_s": "User Click",
+ "emailPartsDescription_s": "[\r\n \"Body\"\r\n]"
+ },
+ {
+ "TimeGenerated [UTC]": "12/27/2021, 10:50:49.000 AM",
+ "mimecastEventId_s": "ttp_url",
+ "mimecastEventCategory_s": "ttp_url",
+ "userEmailAddress_s": "sanitized@sanitized.com",
+ "fromUserEmailAddress_s": "sanitized@sanitized.com",
+ "url_s": "https://www.google.co.za/alerts/share?hl=en&gl=US&ru=https://www.reuters.com/business/healthcare-pharmaceuticals/chinas-local-covid-19-cases-edge-higher-xian-enters-5th-day-lockdown-2021-12-27/&ss=fb&rt=China%27s+COVID-19+cases+edge+higher+as+Xian+steps+up+curbs+%7C+Reuters&cd=KhMxOTMzNDcyNjY5Mjc3NTMxNjQ4MhxmZDg3ZWNjOTEwYjExYThjOmNvLnphOmVuOlVT&ssp=AMJHsmVg_ooAsFR3VlbXwQXktLMhoNr3BQ",
+ "ttpDefinition_s": "Inbound URL 'Aggressive'",
+ "subject_s": "Google Alert - china",
+ "action_s": "allow",
+ "adminOverride_s": "N/A",
+ "userOverride_s": "None",
+ "scanResult_s": "clean",
+ "Category": "Search Engines & Portals",
+ "sendingIp_s": "209.85.219.198",
+ "userAwarenessAction_s": "Continue",
+ "date_t [UTC]": "12/27/2021, 10:50:49.000 AM",
+ "actions_s": "Allow",
+ "route_s": "inbound",
+ "creationMethod_s": "User Click",
+ "emailPartsDescription_s": "[\r\n \"Body\"\r\n]"
+ },
+ {
+ "TimeGenerated [UTC]": "12/27/2021, 11:41:46.000 AM",
+ "mimecastEventId_s": "ttp_url",
+ "mimecastEventCategory_s": "ttp_url",
+ "userEmailAddress_s": "sanitized@sanitized.com",
+ "fromUserEmailAddress_s": "sanitized@sanitized.com",
+ "url_s": "https://link.morningbrew.com/click/26157779.1287406/aHR0cHM6Ly93d3cubGlua2VkaW4uY29tL2NvbXBhbnkvOTQ1NTk3OC8/5ea04fc9fbd2977d8d029259B46189d99",
+ "ttpDefinition_s": "Inbound URL 'Aggressive'",
+ "subject_s": "☕️ The Golden Mug Awards are here",
+ "action_s": "allow",
+ "adminOverride_s": "N/A",
+ "userOverride_s": "None",
+ "scanResult_s": "clean",
+ "Category": "Business",
+ "sendingIp_s": "192.64.236.184",
+ "userAwarenessAction_s": "Continue",
+ "date_t [UTC]": "12/27/2021, 11:41:46.000 AM",
+ "actions_s": "Allow",
+ "route_s": "inbound",
+ "creationMethod_s": "User Click",
+ "emailPartsDescription_s": "[\r\n \"Body\"\r\n]"
+ },
+ {
+ "TimeGenerated [UTC]": "12/27/2021, 12:33:56.000 PM",
+ "mimecastEventId_s": "ttp_url",
+ "mimecastEventCategory_s": "ttp_url",
+ "userEmailAddress_s": "sanitized@sanitized.com",
+ "fromUserEmailAddress_s": "sanitized@sanitized.com",
+ "url_s": "https://www.livingsocial.com/deals/metro-door-of-boston?p=5&utm_source=ha_homeservices_broad&utm_medium=email&t_division=boston&date=20211227&uu=1bea09ca-8a29-11e9-b7f7-0242ac120002&CID=US&tx=0&s=body&c=deal-info&d=deal-page&utm_campaign=8b0b7def-2cda-4eb5-be92-abc36af0076a_0_20211227",
+ "ttpDefinition_s": "Inbound URL 'Aggressive'",
+ "subject_s": "Landscaping, lawn care, house paining... You name it, we can help",
+ "action_s": "allow",
+ "adminOverride_s": "N/A",
+ "userOverride_s": "None",
+ "scanResult_s": "clean",
+ "Category": "Business",
+ "sendingIp_s": "199.91.53.39",
+ "userAwarenessAction_s": "Continue",
+ "date_t [UTC]": "12/27/2021, 12:33:56.000 PM",
+ "actions_s": "Allow",
+ "route_s": "inbound",
+ "creationMethod_s": "User Click",
+ "emailPartsDescription_s": "[\r\n \"Body\"\r\n]"
+ },
+ {
+ "TimeGenerated [UTC]": "12/27/2021, 1:55:22.000 PM",
+ "mimecastEventId_s": "ttp_url",
+ "mimecastEventCategory_s": "ttp_url",
+ "userEmailAddress_s": "sanitized@sanitized.com",
+ "fromUserEmailAddress_s": "sanitized@sanitized.com",
+ "url_s": "https://www.google.com/alerts?source=alertsmail&hl=en&gl=US&msgid=MTI1NTk4NDM0MDc2ODI5NTA1NzY",
+ "ttpDefinition_s": "Inbound URL 'Aggressive'",
+ "subject_s": "Google Alert - dollar",
+ "action_s": "allow",
+ "adminOverride_s": "N/A",
+ "userOverride_s": "None",
+ "scanResult_s": "clean",
+ "Category": "Search Engines & Portals",
+ "sendingIp_s": "209.85.219.200",
+ "userAwarenessAction_s": "Continue",
+ "date_t [UTC]": "12/27/2021, 1:55:22.000 PM",
+ "actions_s": "Allow",
+ "route_s": "inbound",
+ "creationMethod_s": "User Click",
+ "emailPartsDescription_s": "[\r\n \"Body\"\r\n]"
+ },
+ {
+ "TimeGenerated [UTC]": "12/27/2021, 2:01:44.000 PM",
+ "mimecastEventId_s": "ttp_url",
+ "mimecastEventCategory_s": "ttp_url",
+ "userEmailAddress_s": "sanitized@sanitized.com",
+ "fromUserEmailAddress_s": "sanitized@sanitized.com",
+ "url_s": "http://link.connected.staples.com/ss/c/A-l89nqdf2xZSU4Kf7wesdvbvN71aKQXHITUtT55k697aCqpmHD6gn-xVz40VP6275CWIgnxhnBBQY1XA1EfQdJvGpW6bCg6kMIfMV1EFMslZb4XncFnjqoFS4046FgljPRgcY4rIVp_N1xMJYDn2VfXE9hlQfIeIYEFpOAyixopm1a1xvvuKkvc6TYizRGoJiF4o7gL3SuJy6ztvU4Pt3e8GNn9xvSdAkfz2qIoQTD0TGRyMPXbAYndOoikgikS5WZTkT3mz5_Jz7WBoT8KfS8kwR7k_riFi9cPiWs_xmawFBVPZn58TO7LMvi-rlTWTP0DhToD9XSsT-27tkrQjq6ecJLk_KJYNF86plRdF5onKN3FynK9Gl8YJ_6Cw4HZI4Dw-WqhhxoG-WfHuTxYYpUCq7LEsCctuJZEhiXQW36NgbHGqApMAUL5Ab9pFARh/3i7/KZpGRmMDQ1exb6Tx1972Uw/h15/-3NMUX7JKwTk6k3wW5OXfbq5MM3mu03ESRG0XwQb9A8",
+ "ttpDefinition_s": "Inbound URL 'Aggressive'",
+ "subject_s": "Taxes, but less taxing.\r\n",
+ "action_s": "allow",
+ "adminOverride_s": "N/A",
+ "userOverride_s": "None",
+ "scanResult_s": "clean",
+ "Category": "Business",
+ "sendingIp_s": "149.72.1.230",
+ "userAwarenessAction_s": "Continue",
+ "date_t [UTC]": "12/27/2021, 2:01:44.000 PM",
+ "actions_s": "Allow",
+ "route_s": "inbound",
+ "creationMethod_s": "User Click",
+ "emailPartsDescription_s": "[\r\n \"Body\"\r\n]"
+ },
+ {
+ "TenantId": "886239f4-0dc6-4efb-aade-c9371461c99a",
+ "SourceSystem": "RestAPI",
+ "MG": "",
+ "ManagementGroupName": "",
+ "TimeGenerated [UTC]": "1/13/2022, 8:37:43.000 PM",
+ "Computer": "",
+ "RawData": "",
+ "tagMap_DangerousFileExt_ContentCheck_DangerousMimetypesUrlFileDownload_s": "",
+ "tagMap_DangerousFileExt_ContentCheck_DangerousExtsUrlFileDownload_s": "",
+ "tagMap_CustomerManagedUrls_ManagedUrlEntry_s": "[\r\n \"http://twotoeight.co/dropbox\"\r\n]",
+ "tagMap_CustomerManagedUrls_Blocklisted_s": "[\r\n \"ORIGINAL:http://twotoeight.co/dropbox\"\r\n]",
+ "tagMap_AdvancedPhishing_CredentialTheftEvidence_s": "",
+ "tagMap_AdvancedPhishing_CredentialTheftTags_s": "",
+ "tagMap_UrlReputationScan_Type_s": "",
+ "tagMap_UrlReputationScan_UrlBlock_s": "",
+ "tagMap_UrlReputationScan_Url_s": "",
+ "mimecastEventId_s": "ttp_url",
+ "mimecastEventCategory_s": "ttp_url",
+ "advancedPhishingResult_CredentialTheftBrands_s": "",
+ "advancedPhishingResult_CredentialTheftEvidence_s": "",
+ "advancedPhishingResult_CredentialTheftTags_s": "",
+ "userEmailAddress_s": "sanitized@sanitized.com",
+ "fromUserEmailAddress_s": "sanitized@sanitized.com",
+ "url_s": "http://twotoeight.co/dropbox",
+ "ttpDefinition_s": "Inbound URL 'Aggressive'",
+ "subject_s": "Important Updated Numbers from the Center for Disease Control",
+ "action_s": "block",
+ "adminOverride_s": "Block",
+ "userOverride_s": "None",
+ "scanResult_s": "malicious",
+ "Category": "Customer managed url block list",
+ "sendingIp_s": "Mimecast IP",
+ "userAwarenessAction_s": "Continue",
+ "date_t [UTC]": "1/13/2022, 8:37:43.000 PM",
+ "actions_s": "Block",
+ "route_s": "inbound",
+ "creationMethod_s": "User Click",
+ "emailPartsDescription_s": "[\r\n \"Body\"\r\n]",
+ "messageId_s": "sanitized@sanitized.com",
+ "Type": "MimecastTTPUrl_CL",
+ "_ResourceId": ""
+ },
+ {
+ "TenantId": "886239f4-0dc6-4efb-aade-c9371461c99a",
+ "SourceSystem": "RestAPI",
+ "MG": "",
+ "ManagementGroupName": "",
+ "TimeGenerated [UTC]": "1/13/2022, 8:39:20.000 PM",
+ "Computer": "",
+ "RawData": "",
+ "tagMap_DangerousFileExt_ContentCheck_DangerousMimetypesUrlFileDownload_s": "",
+ "tagMap_DangerousFileExt_ContentCheck_DangerousExtsUrlFileDownload_s": "",
+ "tagMap_CustomerManagedUrls_ManagedUrlEntry_s": "",
+ "tagMap_CustomerManagedUrls_Blocklisted_s": "",
+ "tagMap_AdvancedPhishing_CredentialTheftEvidence_s": "",
+ "tagMap_AdvancedPhishing_CredentialTheftTags_s": "",
+ "tagMap_UrlReputationScan_Type_s": "",
+ "tagMap_UrlReputationScan_UrlBlock_s": "",
+ "tagMap_UrlReputationScan_Url_s": "",
+ "mimecastEventId_s": "ttp_url",
+ "mimecastEventCategory_s": "ttp_url",
+ "advancedPhishingResult_CredentialTheftBrands_s": "",
+ "advancedPhishingResult_CredentialTheftEvidence_s": "",
+ "advancedPhishingResult_CredentialTheftTags_s": "",
+ "userEmailAddress_s": "sanitized@sanitized.com",
+ "fromUserEmailAddress_s": "sanitized@sanitized.com",
+ "url_s": "https://info.mimecast.com/Subscription-Management.html?utm_source=EmailStationary",
+ "ttpDefinition_s": "Inbound URL 'Aggressive'",
+ "subject_s": "test",
+ "action_s": "allow",
+ "adminOverride_s": "N/A",
+ "userOverride_s": "None",
+ "scanResult_s": "clean",
+ "Category": "Computers & Technology",
+ "sendingIp_s": "Mimecast IP",
+ "userAwarenessAction_s": "Continue",
+ "date_t [UTC]": "1/13/2022, 8:39:20.000 PM",
+ "actions_s": "Allow",
+ "route_s": "inbound",
+ "creationMethod_s": "User Click",
+ "emailPartsDescription_s": "[\r\n \"Body\"\r\n]",
+ "messageId_s": "sanitized@sanitized.com",
+ "Type": "MimecastTTPUrl_CL",
+ "_ResourceId": ""
+ },
+ {
+ "TenantId": "886239f4-0dc6-4efb-aade-c9371461c99a",
+ "SourceSystem": "RestAPI",
+ "MG": "",
+ "ManagementGroupName": "",
+ "TimeGenerated [UTC]": "1/13/2022, 9:28:34.000 PM",
+ "Computer": "",
+ "RawData": "",
+ "tagMap_DangerousFileExt_ContentCheck_DangerousMimetypesUrlFileDownload_s": "",
+ "tagMap_DangerousFileExt_ContentCheck_DangerousExtsUrlFileDownload_s": "",
+ "tagMap_CustomerManagedUrls_ManagedUrlEntry_s": "",
+ "tagMap_CustomerManagedUrls_Blocklisted_s": "",
+ "tagMap_AdvancedPhishing_CredentialTheftEvidence_s": "",
+ "tagMap_AdvancedPhishing_CredentialTheftTags_s": "",
+ "tagMap_UrlReputationScan_Type_s": "",
+ "tagMap_UrlReputationScan_UrlBlock_s": "",
+ "tagMap_UrlReputationScan_Url_s": "",
+ "mimecastEventId_s": "ttp_url",
+ "mimecastEventCategory_s": "ttp_url",
+ "advancedPhishingResult_CredentialTheftBrands_s": "",
+ "advancedPhishingResult_CredentialTheftEvidence_s": "",
+ "advancedPhishingResult_CredentialTheftTags_s": "",
+ "userEmailAddress_s": "sanitized@sanitized.com",
+ "fromUserEmailAddress_s": "sanitized@sanitized.com",
+ "url_s": "https://www.google.com/alerts?source=alertsmail&hl=en&gl=US&msgid=NDEyODQ3MDQ5NTUyMzIxNDM4MA&s=AB2Xq4hiDmIunBoqckhCTi0k4Y5Cp0tt3CqR-bs&ffu=",
+ "ttpDefinition_s": "Inbound URL 'Aggressive'",
+ "subject_s": "Google Alert - Trump",
+ "action_s": "allow",
+ "adminOverride_s": "N/A",
+ "userOverride_s": "None",
+ "scanResult_s": "clean",
+ "Category": "Search Engines & Portals",
+ "sendingIp_s": "209.85.219.198",
+ "userAwarenessAction_s": "Continue",
+ "date_t [UTC]": "1/13/2022, 9:28:34.000 PM",
+ "actions_s": "Allow",
+ "route_s": "inbound",
+ "creationMethod_s": "User Click",
+ "emailPartsDescription_s": "[\r\n \"Body\"\r\n]",
+ "messageId_s": "sanitized@sanitized.com",
+ "Type": "MimecastTTPUrl_CL",
+ "_ResourceId": ""
+ },
+ {
+ "TenantId": "886239f4-0dc6-4efb-aade-c9371461c99a",
+ "SourceSystem": "RestAPI",
+ "MG": "",
+ "ManagementGroupName": "",
+ "TimeGenerated [UTC]": "1/13/2022, 10:07:17.000 PM",
+ "Computer": "",
+ "RawData": "",
+ "tagMap_DangerousFileExt_ContentCheck_DangerousMimetypesUrlFileDownload_s": "",
+ "tagMap_DangerousFileExt_ContentCheck_DangerousExtsUrlFileDownload_s": "",
+ "tagMap_CustomerManagedUrls_ManagedUrlEntry_s": "",
+ "tagMap_CustomerManagedUrls_Blocklisted_s": "",
+ "tagMap_AdvancedPhishing_CredentialTheftEvidence_s": "",
+ "tagMap_AdvancedPhishing_CredentialTheftTags_s": "",
+ "tagMap_UrlReputationScan_Type_s": "",
+ "tagMap_UrlReputationScan_UrlBlock_s": "",
+ "tagMap_UrlReputationScan_Url_s": "",
+ "mimecastEventId_s": "ttp_url",
+ "mimecastEventCategory_s": "ttp_url",
+ "advancedPhishingResult_CredentialTheftBrands_s": "",
+ "advancedPhishingResult_CredentialTheftEvidence_s": "",
+ "advancedPhishingResult_CredentialTheftTags_s": "",
+ "userEmailAddress_s": "sanitized@sanitized.com",
+ "fromUserEmailAddress_s": "sanitized@sanitized.com",
+ "url_s": "https://www.google.com/alerts/share?hl=en&gl=US&ru=https://www.reuters.com/business/navient-resolves-state-probes-into-student-loan-practices-2022-01-13/&ss=fb&rt=Navient+to+cancel+66000+loans+worth+%241.7+bln+to+resolve+predatory+lending+claims&cd=KhQxNjg2NjM0MTg4MTE1NDQ5MTg2OTIcYzM3ODcyMGY4NjcxYzYwZjpjb206ZW46VVM6TA&ssp=AMJHsmW74eXe02qHkKQs7o43F8ORZM_W5w",
+ "ttpDefinition_s": "Inbound URL 'Aggressive'",
+ "subject_s": "Google Alert - news",
+ "action_s": "allow",
+ "adminOverride_s": "N/A",
+ "userOverride_s": "None",
+ "scanResult_s": "clean",
+ "Category": "Search Engines & Portals",
+ "sendingIp_s": "209.85.219.197",
+ "userAwarenessAction_s": "Continue",
+ "date_t [UTC]": "1/13/2022, 10:07:17.000 PM",
+ "actions_s": "Allow",
+ "route_s": "inbound",
+ "creationMethod_s": "User Click",
+ "emailPartsDescription_s": "[\r\n \"Body\"\r\n]",
+ "messageId_s": "sanitized@sanitized.com",
+ "Type": "MimecastTTPUrl_CL",
+ "_ResourceId": ""
+ },
+ {
+ "TenantId": "886239f4-0dc6-4efb-aade-c9371461c99a",
+ "SourceSystem": "RestAPI",
+ "MG": "",
+ "ManagementGroupName": "",
+ "TimeGenerated [UTC]": "1/13/2022, 10:50:15.000 PM",
+ "Computer": "",
+ "RawData": "",
+ "tagMap_DangerousFileExt_ContentCheck_DangerousMimetypesUrlFileDownload_s": "",
+ "tagMap_DangerousFileExt_ContentCheck_DangerousExtsUrlFileDownload_s": "",
+ "tagMap_CustomerManagedUrls_ManagedUrlEntry_s": "",
+ "tagMap_CustomerManagedUrls_Blocklisted_s": "",
+ "tagMap_AdvancedPhishing_CredentialTheftEvidence_s": "",
+ "tagMap_AdvancedPhishing_CredentialTheftTags_s": "",
+ "tagMap_UrlReputationScan_Type_s": "",
+ "tagMap_UrlReputationScan_UrlBlock_s": "",
+ "tagMap_UrlReputationScan_Url_s": "",
+ "mimecastEventId_s": "ttp_url",
+ "mimecastEventCategory_s": "ttp_url",
+ "advancedPhishingResult_CredentialTheftBrands_s": "",
+ "advancedPhishingResult_CredentialTheftEvidence_s": "",
+ "advancedPhishingResult_CredentialTheftTags_s": "",
+ "userEmailAddress_s": "sanitized@sanitized.com",
+ "fromUserEmailAddress_s": "sanitized@sanitized.com",
+ "url_s": "https://www.google.com/alerts/feeds/00259755281018227146/8874490387232957945",
+ "ttpDefinition_s": "Inbound URL 'Aggressive'",
+ "subject_s": "Google Alert - china",
+ "action_s": "allow",
+ "adminOverride_s": "N/A",
+ "userOverride_s": "None",
+ "scanResult_s": "clean",
+ "Category": "Search Engines & Portals",
+ "sendingIp_s": "209.85.219.200",
+ "userAwarenessAction_s": "N/A",
+ "date_t [UTC]": "1/13/2022, 10:50:15.000 PM",
+ "actions_s": "Allow",
+ "route_s": "inbound",
+ "creationMethod_s": "User Click",
+ "emailPartsDescription_s": "[\r\n \"Body\"\r\n]",
+ "messageId_s": "sanitized@sanitized.com",
+ "Type": "MimecastTTPUrl_CL",
+ "_ResourceId": ""
+ },
+ {
+ "TenantId": "886239f4-0dc6-4efb-aade-c9371461c99a",
+ "SourceSystem": "RestAPI",
+ "MG": "",
+ "ManagementGroupName": "",
+ "TimeGenerated [UTC]": "1/13/2022, 7:45:36.000 PM",
+ "Computer": "",
+ "RawData": "",
+ "tagMap_DangerousFileExt_ContentCheck_DangerousMimetypesUrlFileDownload_s": "",
+ "tagMap_DangerousFileExt_ContentCheck_DangerousExtsUrlFileDownload_s": "",
+ "tagMap_CustomerManagedUrls_ManagedUrlEntry_s": "[\r\n \"https://accounts.google.login-mctp.com/google/\"\r\n]",
+ "tagMap_CustomerManagedUrls_Blocklisted_s": "[\r\n \"ORIGINAL:https://accounts.google.login-mctp.com/google/\"\r\n]",
+ "tagMap_AdvancedPhishing_CredentialTheftEvidence_s": "",
+ "tagMap_AdvancedPhishing_CredentialTheftTags_s": "",
+ "tagMap_UrlReputationScan_Type_s": "",
+ "tagMap_UrlReputationScan_UrlBlock_s": "",
+ "tagMap_UrlReputationScan_Url_s": "",
+ "mimecastEventId_s": "ttp_url",
+ "mimecastEventCategory_s": "ttp_url",
+ "advancedPhishingResult_CredentialTheftBrands_s": "",
+ "advancedPhishingResult_CredentialTheftEvidence_s": "",
+ "advancedPhishingResult_CredentialTheftTags_s": "",
+ "userEmailAddress_s": "sanitized@sanitized.com",
+ "fromUserEmailAddress_s": "sanitized@sanitized.com",
+ "url_s": "https://accounts.google.login-mctp.com/google/",
+ "ttpDefinition_s": "Inbound URL 'Aggressive'",
+ "subject_s": "Google Security alert",
+ "action_s": "block",
+ "adminOverride_s": "Block",
+ "userOverride_s": "None",
+ "scanResult_s": "malicious",
+ "Category": "Customer managed url block list",
+ "sendingIp_s": "64.235.46.113",
+ "userAwarenessAction_s": "Continue",
+ "date_t [UTC]": "1/13/2022, 7:45:36.000 PM",
+ "actions_s": "Block",
+ "route_s": "inbound",
+ "creationMethod_s": "User Click",
+ "emailPartsDescription_s": "[\r\n \"Body\"\r\n]",
+ "messageId_s": "sanitized@sanitized.com",
+ "Type": "MimecastTTPUrl_CL",
+ "_ResourceId": ""
+ },
+ {
+ "TenantId": "886239f4-0dc6-4efb-aade-c9371461c99a",
+ "SourceSystem": "RestAPI",
+ "MG": "",
+ "ManagementGroupName": "",
+ "TimeGenerated [UTC]": "1/13/2022, 7:51:39.000 PM",
+ "Computer": "",
+ "RawData": "",
+ "tagMap_DangerousFileExt_ContentCheck_DangerousMimetypesUrlFileDownload_s": "",
+ "tagMap_DangerousFileExt_ContentCheck_DangerousExtsUrlFileDownload_s": "",
+ "tagMap_CustomerManagedUrls_ManagedUrlEntry_s": "",
+ "tagMap_CustomerManagedUrls_Blocklisted_s": "",
+ "tagMap_AdvancedPhishing_CredentialTheftEvidence_s": "",
+ "tagMap_AdvancedPhishing_CredentialTheftTags_s": "",
+ "tagMap_UrlReputationScan_Type_s": "",
+ "tagMap_UrlReputationScan_UrlBlock_s": "",
+ "tagMap_UrlReputationScan_Url_s": "",
+ "mimecastEventId_s": "ttp_url",
+ "mimecastEventCategory_s": "ttp_url",
+ "advancedPhishingResult_CredentialTheftBrands_s": "",
+ "advancedPhishingResult_CredentialTheftEvidence_s": "",
+ "advancedPhishingResult_CredentialTheftTags_s": "",
+ "userEmailAddress_s": "sanitized@sanitized.com",
+ "fromUserEmailAddress_s": "sanitized@sanitized.com",
+ "url_s": "https://login.microsoftonline.com.office.o365test.anuk.myshn.net/common/reprocess?ctx=rQIIAXVSPW_TUACMkza0FRIVQoIJFYQ6IDn283t-_pAikcRpahLbTeI0xAxV6tiJ09gvcV7iJgMrLMDeEakClQUxIX4CU8XYX4BYQEyMpD-A4W65u-XuHmdADqiPEERiVzpWWKWLIYsUwLNdJGAWihBDgQc9kYfx7a3tt_nGm91zpH94_uT-pfny_IK5O6B0PFU5LkmSHPH9wPVyLgm5LwxzyTA_GOYsve5FbKt5kZ5iiBUsAywByCN5BZQzBX1pCi3oVDrUaJeRWeJ5S9PFmt1HHfuEGuFKX9ZFp10GTqV-6th1YLbLgmO71NBcwVzwvCmUQa29F5rDFnVWWVOrJ0bFgJbWT67St6zCjA6EayJxsPT-pDd9EodHYzKlZ5n3jDX2Ir1XIlHkuTR3bfMiGrhdGpDoICZjL6aBN82DqDg7fboYnpyw9oHQa5HhQEZWoY3EZg_3pRAfYuLIujZcVpP-HijFFSUZLXqYTParPpRKB11vaGnKYLxvl0fFkj935pO-Peoood8aPKsdNSUbD2vTgl7FtMQrlQm7dLqLUWP_EHjCUa36OZNd1RqS6HKN-bl2k8-oGxvZ7cy91E7q7xrzbn01zq_vu5nw00ft9UNkvjh-kPq2zsHZtGjILjlNZtXKrDk3q4GMSWAFRYGLuTEnyCO9EUxGaFHIyyr4nWVe3Uh93fzfqFdbd1ZnUFheYgHcAaIqSioSnX81",
+ "ttpDefinition_s": "Inbound URL 'Aggressive'",
+ "subject_s": "sanitized@sanitized.com",
+ "action_s": "allow",
+ "adminOverride_s": "N/A",
+ "userOverride_s": "None",
+ "scanResult_s": "clean",
+ "Category": "Computers & Technology",
+ "sendingIp_s": "40.107.73.110",
+ "userAwarenessAction_s": "N/A",
+ "date_t [UTC]": "1/13/2022, 7:51:39.000 PM",
+ "actions_s": "Allow",
+ "route_s": "inbound",
+ "creationMethod_s": "User Click",
+ "emailPartsDescription_s": "[\r\n \"Body\"\r\n]",
+ "messageId_s": "",
+ "Type": "MimecastTTPUrl_CL",
+ "_ResourceId": ""
+ },
+ {
+ "TenantId": "886239f4-0dc6-4efb-aade-c9371461c99a",
+ "SourceSystem": "RestAPI",
+ "MG": "",
+ "ManagementGroupName": "",
+ "TimeGenerated [UTC]": "1/13/2022, 7:51:55.000 PM",
+ "Computer": "",
+ "RawData": "",
+ "tagMap_DangerousFileExt_ContentCheck_DangerousMimetypesUrlFileDownload_s": "",
+ "tagMap_DangerousFileExt_ContentCheck_DangerousExtsUrlFileDownload_s": "",
+ "tagMap_CustomerManagedUrls_ManagedUrlEntry_s": "",
+ "tagMap_CustomerManagedUrls_Blocklisted_s": "",
+ "tagMap_AdvancedPhishing_CredentialTheftEvidence_s": "",
+ "tagMap_AdvancedPhishing_CredentialTheftTags_s": "",
+ "tagMap_UrlReputationScan_Type_s": "",
+ "tagMap_UrlReputationScan_UrlBlock_s": "",
+ "tagMap_UrlReputationScan_Url_s": "",
+ "mimecastEventId_s": "ttp_url",
+ "mimecastEventCategory_s": "ttp_url",
+ "advancedPhishingResult_CredentialTheftBrands_s": "",
+ "advancedPhishingResult_CredentialTheftEvidence_s": "",
+ "advancedPhishingResult_CredentialTheftTags_s": "",
+ "userEmailAddress_s": "sanitized@sanitized.com",
+ "fromUserEmailAddress_s": "sanitized@sanitized.com",
+ "url_s": "https://reisstrasse.top/office/microsoft/account/live/another.php",
+ "ttpDefinition_s": "Inbound URL 'Aggressive'",
+ "subject_s": "Microsoft account security code",
+ "action_s": "allow",
+ "adminOverride_s": "N/A",
+ "userOverride_s": "None",
+ "scanResult_s": "clean",
+ "Category": "General",
+ "sendingIp_s": "104.47.49.223",
+ "userAwarenessAction_s": "Continue",
+ "date_t [UTC]": "1/13/2022, 7:51:55.000 PM",
+ "actions_s": "Allow",
+ "route_s": "inbound",
+ "creationMethod_s": "User Click",
+ "emailPartsDescription_s": "[\r\n \"Body\"\r\n]",
+ "messageId_s": "",
+ "Type": "MimecastTTPUrl_CL",
+ "_ResourceId": ""
+ },
+ {
+ "TenantId": "886239f4-0dc6-4efb-aade-c9371461c99a",
+ "SourceSystem": "RestAPI",
+ "MG": "",
+ "ManagementGroupName": "",
+ "TimeGenerated [UTC]": "1/13/2022, 8:47:04.000 PM",
+ "Computer": "",
+ "RawData": "",
+ "tagMap_DangerousFileExt_ContentCheck_DangerousMimetypesUrlFileDownload_s": "",
+ "tagMap_DangerousFileExt_ContentCheck_DangerousExtsUrlFileDownload_s": "",
+ "tagMap_CustomerManagedUrls_ManagedUrlEntry_s": "",
+ "tagMap_CustomerManagedUrls_Blocklisted_s": "",
+ "tagMap_AdvancedPhishing_CredentialTheftEvidence_s": "",
+ "tagMap_AdvancedPhishing_CredentialTheftTags_s": "",
+ "tagMap_UrlReputationScan_Type_s": "",
+ "tagMap_UrlReputationScan_UrlBlock_s": "",
+ "tagMap_UrlReputationScan_Url_s": "",
+ "mimecastEventId_s": "ttp_url",
+ "mimecastEventCategory_s": "ttp_url",
+ "advancedPhishingResult_CredentialTheftBrands_s": "",
+ "advancedPhishingResult_CredentialTheftEvidence_s": "",
+ "advancedPhishingResult_CredentialTheftTags_s": "",
+ "userEmailAddress_s": "sanitized@sanitized.com",
+ "fromUserEmailAddress_s": "sanitized@sanitized.com",
+ "url_s": "http://biologicznieczynny.pl/#primary",
+ "ttpDefinition_s": "Inbound URL 'Aggressive'",
+ "subject_s": "Links",
+ "action_s": "allow",
+ "adminOverride_s": "N/A",
+ "userOverride_s": "None",
+ "scanResult_s": "clean",
+ "Category": "Unknown",
+ "sendingIp_s": "Mimecast IP",
+ "userAwarenessAction_s": "N/A",
+ "date_t [UTC]": "1/13/2022, 8:47:04.000 PM",
+ "actions_s": "Browser Isolation",
+ "route_s": "inbound",
+ "creationMethod_s": "User Click",
+ "emailPartsDescription_s": "[\r\n \"Body\"\r\n]",
+ "messageId_s": "",
+ "Type": "MimecastTTPUrl_CL",
+ "_ResourceId": ""
+ },
+ {
+ "TenantId": "886239f4-0dc6-4efb-aade-c9371461c99a",
+ "SourceSystem": "RestAPI",
+ "MG": "",
+ "ManagementGroupName": "",
+ "TimeGenerated [UTC]": "1/13/2022, 9:50:43.000 PM",
+ "Computer": "",
+ "RawData": "",
+ "tagMap_DangerousFileExt_ContentCheck_DangerousMimetypesUrlFileDownload_s": "",
+ "tagMap_DangerousFileExt_ContentCheck_DangerousExtsUrlFileDownload_s": "",
+ "tagMap_CustomerManagedUrls_ManagedUrlEntry_s": "",
+ "tagMap_CustomerManagedUrls_Blocklisted_s": "",
+ "tagMap_AdvancedPhishing_CredentialTheftEvidence_s": "",
+ "tagMap_AdvancedPhishing_CredentialTheftTags_s": "",
+ "tagMap_UrlReputationScan_Type_s": "",
+ "tagMap_UrlReputationScan_UrlBlock_s": "",
+ "tagMap_UrlReputationScan_Url_s": "",
+ "mimecastEventId_s": "ttp_url",
+ "mimecastEventCategory_s": "ttp_url",
+ "advancedPhishingResult_CredentialTheftBrands_s": "",
+ "advancedPhishingResult_CredentialTheftEvidence_s": "",
+ "advancedPhishingResult_CredentialTheftTags_s": "",
+ "userEmailAddress_s": "sanitized@sanitized.com",
+ "fromUserEmailAddress_s": "sanitized@sanitized.com",
+ "url_s": "https://www.google.co.za/alerts/share?hl=en&gl=US&ru=https://www.wsj.com/articles/china-looks-to-secure-supplies-as-strains-with-u-s-and-its-allies-grow-11642075381&ss=tw&rt=China+Looks+to+Secure+Supplies+as+Strains+With+U.S.+and+Its+Allies+Grow+-+WSJ&cd=KhM1Nzk0ODU4ODk5OTA0NDgxMjQ1MhxmZDg3ZWNjOTEwYjExYThjOmNvLnphOmVuOlVT&ssp=AMJHsmVdzrE780LzZpetxU2CsJOODK8m6Q",
+ "ttpDefinition_s": "Inbound URL 'Aggressive'",
+ "subject_s": "Google Alert - china",
+ "action_s": "allow",
+ "adminOverride_s": "N/A",
+ "userOverride_s": "None",
+ "scanResult_s": "clean",
+ "Category": "Search Engines & Portals",
+ "sendingIp_s": "209.85.219.199",
+ "userAwarenessAction_s": "Continue",
+ "date_t [UTC]": "1/13/2022, 9:50:43.000 PM",
+ "actions_s": "Allow",
+ "route_s": "inbound",
+ "creationMethod_s": "User Click",
+ "emailPartsDescription_s": "[\r\n \"Body\"\r\n]",
+ "messageId_s": "sanitized@sanitized.com",
+ "Type": "MimecastTTPUrl_CL",
+ "_ResourceId": ""
+ },
+ {
+ "TenantId": "886239f4-0dc6-4efb-aade-c9371461c99a",
+ "SourceSystem": "RestAPI",
+ "MG": "",
+ "ManagementGroupName": "",
+ "TimeGenerated [UTC]": "1/11/2022, 7:55:22.000 PM",
+ "Computer": "",
+ "RawData": "",
+ "tagMap_DangerousFileExt_ContentCheck_DangerousMimetypesUrlFileDownload_s": "",
+ "tagMap_DangerousFileExt_ContentCheck_DangerousExtsUrlFileDownload_s": "",
+ "tagMap_CustomerManagedUrls_ManagedUrlEntry_s": "",
+ "tagMap_CustomerManagedUrls_Blocklisted_s": "",
+ "tagMap_AdvancedPhishing_CredentialTheftEvidence_s": "",
+ "tagMap_AdvancedPhishing_CredentialTheftTags_s": "",
+ "tagMap_UrlReputationScan_Type_s": "",
+ "tagMap_UrlReputationScan_UrlBlock_s": "",
+ "tagMap_UrlReputationScan_Url_s": "",
+ "mimecastEventId_s": "ttp_url",
+ "mimecastEventCategory_s": "ttp_url",
+ "advancedPhishingResult_CredentialTheftBrands_s": "",
+ "advancedPhishingResult_CredentialTheftEvidence_s": "",
+ "advancedPhishingResult_CredentialTheftTags_s": "",
+ "userEmailAddress_s": "sanitized@sanitized.com",
+ "fromUserEmailAddress_s": "sanitized@sanitized.com",
+ "url_s": "https://www.google.com/alerts/remove?source=alertsmail&hl=en&gl=US&msgid=MTQ1MjU1OTkyMTgyMjkxNDU3OTE&s=AB2Xq4i7OaFz4ss3vFU-wNb0DTELEKxhyDdFl54",
+ "ttpDefinition_s": "Inbound URL 'Aggressive'",
+ "subject_s": "Google Alert - dollar",
+ "action_s": "allow",
+ "adminOverride_s": "N/A",
+ "userOverride_s": "None",
+ "scanResult_s": "clean",
+ "Category": "Search Engines & Portals",
+ "sendingIp_s": "209.85.219.198",
+ "userAwarenessAction_s": "Continue",
+ "date_t [UTC]": "1/11/2022, 7:55:22.000 PM",
+ "actions_s": "Allow",
+ "route_s": "inbound",
+ "creationMethod_s": "User Click",
+ "emailPartsDescription_s": "[\r\n \"Body\"\r\n]",
+ "messageId_s": "sanitized@sanitized.com",
+ "Type": "MimecastTTPUrl_CL",
+ "_ResourceId": ""
+ },
+ {
+ "TenantId": "886239f4-0dc6-4efb-aade-c9371461c99a",
+ "SourceSystem": "RestAPI",
+ "MG": "",
+ "ManagementGroupName": "",
+ "TimeGenerated [UTC]": "1/11/2022, 9:47:28.000 PM",
+ "Computer": "",
+ "RawData": "",
+ "tagMap_DangerousFileExt_ContentCheck_DangerousMimetypesUrlFileDownload_s": "",
+ "tagMap_DangerousFileExt_ContentCheck_DangerousExtsUrlFileDownload_s": "",
+ "tagMap_CustomerManagedUrls_ManagedUrlEntry_s": "",
+ "tagMap_CustomerManagedUrls_Blocklisted_s": "",
+ "tagMap_AdvancedPhishing_CredentialTheftEvidence_s": "",
+ "tagMap_AdvancedPhishing_CredentialTheftTags_s": "",
+ "tagMap_UrlReputationScan_Type_s": "",
+ "tagMap_UrlReputationScan_UrlBlock_s": "",
+ "tagMap_UrlReputationScan_Url_s": "",
+ "mimecastEventId_s": "ttp_url",
+ "mimecastEventCategory_s": "ttp_url",
+ "advancedPhishingResult_CredentialTheftBrands_s": "",
+ "advancedPhishingResult_CredentialTheftEvidence_s": "",
+ "advancedPhishingResult_CredentialTheftTags_s": "",
+ "userEmailAddress_s": "sanitized@sanitized.com",
+ "fromUserEmailAddress_s": "sanitized@sanitized.com",
+ "url_s": "http://biologicznieczynny.pl/#primary",
+ "ttpDefinition_s": "Inbound URL 'Aggressive'",
+ "subject_s": "Links",
+ "action_s": "allow",
+ "adminOverride_s": "N/A",
+ "userOverride_s": "None",
+ "scanResult_s": "clean",
+ "Category": "Unknown",
+ "sendingIp_s": "Mimecast IP",
+ "userAwarenessAction_s": "N/A",
+ "date_t [UTC]": "1/11/2022, 9:47:28.000 PM",
+ "actions_s": "Browser Isolation",
+ "route_s": "inbound",
+ "creationMethod_s": "User Click",
+ "emailPartsDescription_s": "[\r\n \"Body\"\r\n]",
+ "messageId_s": "",
+ "Type": "MimecastTTPUrl_CL",
+ "_ResourceId": ""
+ },
+ {
+ "TenantId": "886239f4-0dc6-4efb-aade-c9371461c99a",
+ "SourceSystem": "RestAPI",
+ "MG": "",
+ "ManagementGroupName": "",
+ "TimeGenerated [UTC]": "1/11/2022, 9:47:38.000 PM",
+ "Computer": "",
+ "RawData": "",
+ "tagMap_DangerousFileExt_ContentCheck_DangerousMimetypesUrlFileDownload_s": "",
+ "tagMap_DangerousFileExt_ContentCheck_DangerousExtsUrlFileDownload_s": "",
+ "tagMap_CustomerManagedUrls_ManagedUrlEntry_s": "",
+ "tagMap_CustomerManagedUrls_Blocklisted_s": "",
+ "tagMap_AdvancedPhishing_CredentialTheftEvidence_s": "",
+ "tagMap_AdvancedPhishing_CredentialTheftTags_s": "",
+ "tagMap_UrlReputationScan_Type_s": "",
+ "tagMap_UrlReputationScan_UrlBlock_s": "",
+ "tagMap_UrlReputationScan_Url_s": "",
+ "mimecastEventId_s": "ttp_url",
+ "mimecastEventCategory_s": "ttp_url",
+ "advancedPhishingResult_CredentialTheftBrands_s": "",
+ "advancedPhishingResult_CredentialTheftEvidence_s": "",
+ "advancedPhishingResult_CredentialTheftTags_s": "",
+ "userEmailAddress_s": "sanitized@sanitized.com",
+ "fromUserEmailAddress_s": "sanitized@sanitized.com",
+ "url_s": "http://www.naxteam-partner.fr/",
+ "ttpDefinition_s": "Inbound URL 'Aggressive'",
+ "subject_s": "Links",
+ "action_s": "allow",
+ "adminOverride_s": "N/A",
+ "userOverride_s": "None",
+ "scanResult_s": "clean",
+ "Category": "Unknown",
+ "sendingIp_s": "Mimecast IP",
+ "userAwarenessAction_s": "N/A",
+ "date_t [UTC]": "1/11/2022, 9:47:38.000 PM",
+ "actions_s": "Browser Isolation",
+ "route_s": "inbound",
+ "creationMethod_s": "User Click",
+ "emailPartsDescription_s": "[\r\n \"Body\"\r\n]",
+ "messageId_s": "",
+ "Type": "MimecastTTPUrl_CL",
+ "_ResourceId": ""
+ },
+ {
+ "TenantId": "886239f4-0dc6-4efb-aade-c9371461c99a",
+ "SourceSystem": "RestAPI",
+ "MG": "",
+ "ManagementGroupName": "",
+ "TimeGenerated [UTC]": "1/11/2022, 9:48:31.000 PM",
+ "Computer": "",
+ "RawData": "",
+ "tagMap_DangerousFileExt_ContentCheck_DangerousMimetypesUrlFileDownload_s": "",
+ "tagMap_DangerousFileExt_ContentCheck_DangerousExtsUrlFileDownload_s": "",
+ "tagMap_CustomerManagedUrls_ManagedUrlEntry_s": "",
+ "tagMap_CustomerManagedUrls_Blocklisted_s": "",
+ "tagMap_AdvancedPhishing_CredentialTheftEvidence_s": "",
+ "tagMap_AdvancedPhishing_CredentialTheftTags_s": "",
+ "tagMap_UrlReputationScan_Type_s": "",
+ "tagMap_UrlReputationScan_UrlBlock_s": "",
+ "tagMap_UrlReputationScan_Url_s": "",
+ "mimecastEventId_s": "ttp_url",
+ "mimecastEventCategory_s": "ttp_url",
+ "advancedPhishingResult_CredentialTheftBrands_s": "",
+ "advancedPhishingResult_CredentialTheftEvidence_s": "",
+ "advancedPhishingResult_CredentialTheftTags_s": "",
+ "userEmailAddress_s": "sanitized@sanitized.com",
+ "fromUserEmailAddress_s": "sanitized@sanitized.com",
+ "url_s": "http://biologicznieczynny.pl/#primary",
+ "ttpDefinition_s": "Inbound URL 'Aggressive'",
+ "subject_s": "Links",
+ "action_s": "allow",
+ "adminOverride_s": "N/A",
+ "userOverride_s": "None",
+ "scanResult_s": "clean",
+ "Category": "Unknown",
+ "sendingIp_s": "Mimecast IP",
+ "userAwarenessAction_s": "N/A",
+ "date_t [UTC]": "1/11/2022, 9:48:31.000 PM",
+ "actions_s": "Browser Isolation",
+ "route_s": "inbound",
+ "creationMethod_s": "User Click",
+ "emailPartsDescription_s": "[\r\n \"Body\"\r\n]",
+ "messageId_s": "",
+ "Type": "MimecastTTPUrl_CL",
+ "_ResourceId": ""
+ },
+ {
+ "TenantId": "886239f4-0dc6-4efb-aade-c9371461c99a",
+ "SourceSystem": "RestAPI",
+ "MG": "",
+ "ManagementGroupName": "",
+ "TimeGenerated [UTC]": "1/11/2022, 9:48:32.000 PM",
+ "Computer": "",
+ "RawData": "",
+ "tagMap_DangerousFileExt_ContentCheck_DangerousMimetypesUrlFileDownload_s": "",
+ "tagMap_DangerousFileExt_ContentCheck_DangerousExtsUrlFileDownload_s": "",
+ "tagMap_CustomerManagedUrls_ManagedUrlEntry_s": "",
+ "tagMap_CustomerManagedUrls_Blocklisted_s": "",
+ "tagMap_AdvancedPhishing_CredentialTheftEvidence_s": "",
+ "tagMap_AdvancedPhishing_CredentialTheftTags_s": "",
+ "tagMap_UrlReputationScan_Type_s": "",
+ "tagMap_UrlReputationScan_UrlBlock_s": "",
+ "tagMap_UrlReputationScan_Url_s": "",
+ "mimecastEventId_s": "ttp_url",
+ "mimecastEventCategory_s": "ttp_url",
+ "advancedPhishingResult_CredentialTheftBrands_s": "",
+ "advancedPhishingResult_CredentialTheftEvidence_s": "",
+ "advancedPhishingResult_CredentialTheftTags_s": "",
+ "userEmailAddress_s": "sanitized@sanitized.com",
+ "fromUserEmailAddress_s": "sanitized@sanitized.com",
+ "url_s": "http://biologicznieczynny.pl/#primary",
+ "ttpDefinition_s": "Inbound URL 'Aggressive'",
+ "subject_s": "Links",
+ "action_s": "allow",
+ "adminOverride_s": "N/A",
+ "userOverride_s": "None",
+ "scanResult_s": "clean",
+ "Category": "Unknown",
+ "sendingIp_s": "Mimecast IP",
+ "userAwarenessAction_s": "N/A",
+ "date_t [UTC]": "1/11/2022, 9:48:32.000 PM",
+ "actions_s": "Browser Isolation",
+ "route_s": "inbound",
+ "creationMethod_s": "User Click",
+ "emailPartsDescription_s": "[\r\n \"Body\"\r\n]",
+ "messageId_s": "",
+ "Type": "MimecastTTPUrl_CL",
+ "_ResourceId": ""
+ },
+ {
+ "TenantId": "886239f4-0dc6-4efb-aade-c9371461c99a",
+ "SourceSystem": "RestAPI",
+ "MG": "",
+ "ManagementGroupName": "",
+ "TimeGenerated [UTC]": "1/10/2022, 7:50:09.000 PM",
+ "Computer": "",
+ "RawData": "",
+ "tagMap_DangerousFileExt_ContentCheck_DangerousMimetypesUrlFileDownload_s": "",
+ "tagMap_DangerousFileExt_ContentCheck_DangerousExtsUrlFileDownload_s": "",
+ "tagMap_CustomerManagedUrls_ManagedUrlEntry_s": "",
+ "tagMap_CustomerManagedUrls_Blocklisted_s": "",
+ "tagMap_AdvancedPhishing_CredentialTheftEvidence_s": "",
+ "tagMap_AdvancedPhishing_CredentialTheftTags_s": "",
+ "tagMap_UrlReputationScan_Type_s": "",
+ "tagMap_UrlReputationScan_UrlBlock_s": "",
+ "tagMap_UrlReputationScan_Url_s": "",
+ "mimecastEventId_s": "ttp_url",
+ "mimecastEventCategory_s": "ttp_url",
+ "advancedPhishingResult_CredentialTheftBrands_s": "",
+ "advancedPhishingResult_CredentialTheftEvidence_s": "",
+ "advancedPhishingResult_CredentialTheftTags_s": "",
+ "userEmailAddress_s": "sanitized@sanitized.com",
+ "fromUserEmailAddress_s": "sanitized@sanitized.com",
+ "url_s": "https://www.google.co.za/alerts/edit?source=alertsmail&hl=en&gl=US&msgid=Njc5NDM0NjMyNDY1Mjk1NzIzMQ&s=AB2Xq4g-GUg7dJreWJN14pFdqYo0nYsyiVX2dK8&email=bpinnock%40twotoeight.com",
+ "ttpDefinition_s": "Inbound URL 'Aggressive'",
+ "subject_s": "Google Alert - china",
+ "action_s": "allow",
+ "adminOverride_s": "N/A",
+ "userOverride_s": "None",
+ "scanResult_s": "clean",
+ "Category": "Computers & Technology",
+ "sendingIp_s": "209.85.219.200",
+ "userAwarenessAction_s": "Continue",
+ "date_t [UTC]": "1/10/2022, 7:50:09.000 PM",
+ "actions_s": "Allow",
+ "route_s": "inbound",
+ "creationMethod_s": "User Click",
+ "emailPartsDescription_s": "[\r\n \"Body\"\r\n]",
+ "messageId_s": "sanitized@sanitized.com",
+ "Type": "MimecastTTPUrl_CL",
+ "_ResourceId": ""
+ },
+ {
+ "TenantId": "886239f4-0dc6-4efb-aade-c9371461c99a",
+ "SourceSystem": "RestAPI",
+ "MG": "",
+ "ManagementGroupName": "",
+ "TimeGenerated [UTC]": "1/10/2022, 8:35:55.000 PM",
+ "Computer": "",
+ "RawData": "",
+ "tagMap_DangerousFileExt_ContentCheck_DangerousMimetypesUrlFileDownload_s": "",
+ "tagMap_DangerousFileExt_ContentCheck_DangerousExtsUrlFileDownload_s": "",
+ "tagMap_CustomerManagedUrls_ManagedUrlEntry_s": "",
+ "tagMap_CustomerManagedUrls_Blocklisted_s": "",
+ "tagMap_AdvancedPhishing_CredentialTheftEvidence_s": "",
+ "tagMap_AdvancedPhishing_CredentialTheftTags_s": "",
+ "tagMap_UrlReputationScan_Type_s": "",
+ "tagMap_UrlReputationScan_UrlBlock_s": "",
+ "tagMap_UrlReputationScan_Url_s": "",
+ "mimecastEventId_s": "ttp_url",
+ "mimecastEventCategory_s": "ttp_url",
+ "advancedPhishingResult_CredentialTheftBrands_s": "",
+ "advancedPhishingResult_CredentialTheftEvidence_s": "",
+ "advancedPhishingResult_CredentialTheftTags_s": "",
+ "userEmailAddress_s": "sanitized@sanitized.com",
+ "fromUserEmailAddress_s": "sanitized@sanitized.com",
+ "url_s": "https://www.google.com/alerts/share?hl=en&gl=US&ru=https://video.foxnews.com/v/6290841840001/&ss=tw&rt=The+establishment+is+using+Jan.+6+to+destroy+Trump:+Steve+Hilton+%7C+Fox+News+Video&cd=KhM5ODMwMjQyNzc0MTA0NDYyMjgyMhw1MzNlMDE2OWZhYWUyMDBkOmNvbTplbjpVUzpM&ssp=AMJHsmXgIlXAP_glu2VBPq8jgymMdfkdBw",
+ "ttpDefinition_s": "Inbound URL 'Aggressive'",
+ "subject_s": "Google Alert - Trump",
+ "action_s": "allow",
+ "adminOverride_s": "N/A",
+ "userOverride_s": "None",
+ "scanResult_s": "clean",
+ "Category": "Search Engines & Portals",
+ "sendingIp_s": "209.85.219.197",
+ "userAwarenessAction_s": "Continue",
+ "date_t [UTC]": "1/10/2022, 8:35:55.000 PM",
+ "actions_s": "Allow",
+ "route_s": "inbound",
+ "creationMethod_s": "User Click",
+ "emailPartsDescription_s": "[\r\n \"Body\"\r\n]",
+ "messageId_s": "sanitized@sanitized.com",
+ "Type": "MimecastTTPUrl_CL",
+ "_ResourceId": ""
+ },
+ {
+ "TenantId": "886239f4-0dc6-4efb-aade-c9371461c99a",
+ "SourceSystem": "RestAPI",
+ "MG": "",
+ "ManagementGroupName": "",
+ "TimeGenerated [UTC]": "1/11/2022, 12:50:08.000 AM",
+ "Computer": "",
+ "RawData": "",
+ "tagMap_DangerousFileExt_ContentCheck_DangerousMimetypesUrlFileDownload_s": "",
+ "tagMap_DangerousFileExt_ContentCheck_DangerousExtsUrlFileDownload_s": "",
+ "tagMap_CustomerManagedUrls_ManagedUrlEntry_s": "",
+ "tagMap_CustomerManagedUrls_Blocklisted_s": "",
+ "tagMap_AdvancedPhishing_CredentialTheftEvidence_s": "",
+ "tagMap_AdvancedPhishing_CredentialTheftTags_s": "",
+ "tagMap_UrlReputationScan_Type_s": "",
+ "tagMap_UrlReputationScan_UrlBlock_s": "",
+ 
"tagMap_UrlReputationScan_Url_s": "", + "mimecastEventId_s": "ttp_url", + "mimecastEventCategory_s": "ttp_url", + "advancedPhishingResult_CredentialTheftBrands_s": "", + "advancedPhishingResult_CredentialTheftEvidence_s": "", + "advancedPhishingResult_CredentialTheftTags_s": "", + "userEmailAddress_s": "sanitized@sanitized.com", + "fromUserEmailAddress_s": "sanitized@sanitized.com", + "url_s": "https://www.google.co.za/alerts/feedback?ffu=https://www.ft.com/content/e0d01826-09d7-4597-ad46-75cd19403e1a&source=alertsmail&hl=en&gl=US&msgid=MTc5NDI1Mjk0NDc2ODI3MTcxMQ&s=AB2Xq4g-GUg7dJreWJN14pFdqYo0nYsyiVX2dK8", + "ttpDefinition_s": "Inbound URL 'Aggressive'", + "subject_s": "Google Alert - china", + "action_s": "allow", + "adminOverride_s": "N/A", + "userOverride_s": "None", + "scanResult_s": "clean", + "Category": "Search Engines & Portals", + "sendingIp_s": "209.85.219.197", + "userAwarenessAction_s": "Continue", + "date_t [UTC]": "1/11/2022, 12:50:08.000 AM", + "actions_s": "Allow", + "route_s": "inbound", + "creationMethod_s": "User Click", + "emailPartsDescription_s": "[\r\n \"Body\"\r\n]", + "messageId_s": "sanitized@sanitized.com", + "Type": "MimecastTTPUrl_CL", + "_ResourceId": "" + }, + { + "TenantId": "886239f4-0dc6-4efb-aade-c9371461c99a", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "1/11/2022, 5:59:06.000 AM", + "Computer": "", + "RawData": "", + "tagMap_DangerousFileExt_ContentCheck_DangerousMimetypesUrlFileDownload_s": "", + "tagMap_DangerousFileExt_ContentCheck_DangerousExtsUrlFileDownload_s": "", + "tagMap_CustomerManagedUrls_ManagedUrlEntry_s": "", + "tagMap_CustomerManagedUrls_Blocklisted_s": "", + "tagMap_AdvancedPhishing_CredentialTheftEvidence_s": "", + "tagMap_AdvancedPhishing_CredentialTheftTags_s": "", + "tagMap_UrlReputationScan_Type_s": "", + "tagMap_UrlReputationScan_UrlBlock_s": "", + "tagMap_UrlReputationScan_Url_s": "", + "mimecastEventId_s": "ttp_url", + "mimecastEventCategory_s": 
"ttp_url", + "advancedPhishingResult_CredentialTheftBrands_s": "", + "advancedPhishingResult_CredentialTheftEvidence_s": "", + "advancedPhishingResult_CredentialTheftTags_s": "", + "userEmailAddress_s": "sanitized@sanitized.com", + "fromUserEmailAddress_s": "sanitized@sanitized.com", + "url_s": "https://www.google.com/alerts/share?hl=en&gl=US&ru=https://floridagators.com/news/2022/1/10/mens-basketball-florida-at-ole-miss-rescheduled.aspx&ss=fb&rt=Florida+at+Ole+Miss+Rescheduled&cd=KhM0NTcxNTMzMjM1ODc0ODcxMjM3MhxjMzc4NzIwZjg2NzFjNjBmOmNvbTplbjpVUzpM&ssp=AMJHsmWFPgyWRnSF2FFDi2sG_FIjD2D38Q", + "ttpDefinition_s": "Inbound URL 'Aggressive'", + "subject_s": "Google Alert - news", + "action_s": "allow", + "adminOverride_s": "N/A", + "userOverride_s": "None", + "scanResult_s": "clean", + "Category": "Search Engines & Portals", + "sendingIp_s": "209.85.219.200", + "userAwarenessAction_s": "Continue", + "date_t [UTC]": "1/11/2022, 5:59:06.000 AM", + "actions_s": "Allow", + "route_s": "inbound", + "creationMethod_s": "User Click", + "emailPartsDescription_s": "[\r\n \"Body\"\r\n]", + "messageId_s": "sanitized@sanitized.com", + "Type": "MimecastTTPUrl_CL", + "_ResourceId": "" + }, + { + "TenantId": "886239f4-0dc6-4efb-aade-c9371461c99a", + "SourceSystem": "RestAPI", + "MG": "", + "ManagementGroupName": "", + "TimeGenerated [UTC]": "1/11/2022, 6:55:08.000 AM", + "Computer": "", + "RawData": "", + "tagMap_DangerousFileExt_ContentCheck_DangerousMimetypesUrlFileDownload_s": "", + "tagMap_DangerousFileExt_ContentCheck_DangerousExtsUrlFileDownload_s": "", + "tagMap_CustomerManagedUrls_ManagedUrlEntry_s": "", + "tagMap_CustomerManagedUrls_Blocklisted_s": "", + "tagMap_AdvancedPhishing_CredentialTheftEvidence_s": "", + "tagMap_AdvancedPhishing_CredentialTheftTags_s": "", + "tagMap_UrlReputationScan_Type_s": "", + "tagMap_UrlReputationScan_UrlBlock_s": "", + "tagMap_UrlReputationScan_Url_s": "", + "mimecastEventId_s": "ttp_url", + "mimecastEventCategory_s": "ttp_url", + 
"advancedPhishingResult_CredentialTheftBrands_s": "", + "advancedPhishingResult_CredentialTheftEvidence_s": "", + "advancedPhishingResult_CredentialTheftTags_s": "", + "userEmailAddress_s": "sanitized@sanitized.com", + "fromUserEmailAddress_s": "sanitized@sanitized.com", + "url_s": "https://www.google.com/alerts/remove?source=alertsmail&hl=en&gl=US&msgid=MTc1MzkwMTI4MjI1MzkyNDAyMTY&s=AB2Xq4i7OaFz4ss3vFU-wNb0DTELEKxhyDdFl54", + "ttpDefinition_s": "Inbound URL 'Aggressive'", + "subject_s": "Google Alert - dollar", + "action_s": "allow", + "adminOverride_s": "N/A", + "userOverride_s": "None", + "scanResult_s": "clean", + "Category": "Search Engines & Portals", + "sendingIp_s": "209.85.219.198", + "userAwarenessAction_s": "Continue", + "date_t [UTC]": "1/11/2022, 6:55:08.000 AM", + "actions_s": "Allow", + "route_s": "inbound", + "creationMethod_s": "User Click", + "emailPartsDescription_s": "[\r\n \"Body\"\r\n]", + "messageId_s": "sanitized@sanitized.com", + "Type": "MimecastTTPUrl_CL", + "_ResourceId": "" + } +] diff --git a/Solutions/MimecastTTP/Analytic Rules/MimecastTTPAttachment.yaml b/Solutions/MimecastTTP/Analytic Rules/MimecastTTPAttachment.yaml new file mode 100644 index 00000000000..b377da95ca1 --- /dev/null +++ b/Solutions/MimecastTTP/Analytic Rules/MimecastTTPAttachment.yaml 
@@ -0,0 +1,47 @@ +id: aa75944c-a663-4901-969e-7b55bfa49a73 +name: Mimecast Targeted Threat Protection - Attachment Protect +description: Detects a threat for an unsafe attachment in an email +severity: High +requiredDataConnectors: + - connectorId: MimecastTTPAPI + dataTypes: + - MimecastTTPAttachment_CL +enabled: true +query: MimecastTTPAttachment_CL| where result_s <> "safe"; +queryFrequency: 5m +queryPeriod: 15m +triggerOperator: gt +triggerThreshold: 0 +suppressionDuration: 5h +suppressionEnabled: false +tactics: +- InitialAccess +- Discovery +relevantTechniques: +- T0865 +alertRuleTemplateName: +incidentConfiguration: + createIncident: true + groupingConfiguration: + enabled: true + reopenClosedIncident: false + lookbackDuration: 1d + matchingMethod: AllEntities +eventGroupingSettings: + aggregationKind: AlertPerResult +customDetails: + fileHash: fileHash_s + fileName: fileName_s + fileType: fileType_s + details: details_s +entityMappings: + - entityType: MailMessage + fieldMappings: + - identifier: Sender + columnName: senderAddress_s + - identifier: Recipient + columnName: recipientAddress_s + - identifier: Subject + columnName: subject_s +version: 1.0.0 +kind: Scheduled diff --git a/Solutions/MimecastTTP/Analytic Rules/MimecastTTPImpersonation.yaml b/Solutions/MimecastTTP/Analytic Rules/MimecastTTPImpersonation.yaml new file mode 100644 index 00000000000..05ca6e6b59d --- /dev/null +++ b/Solutions/MimecastTTP/Analytic Rules/MimecastTTPImpersonation.yaml 
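Review bot: `relevantTechniques: - T0865` is the ATT&CK for ICS identifier for Spearphishing Attachment; for an email-gateway detection the enterprise technique is `T1566.001`, and the tactic list should be `InitialAccess` alone (`Discovery` does not describe a blocked attachment). The query `where result_s <> "safe"` is a case-sensitive comparison, so a value such as `Safe` would still alert; `| where result_s !~ "safe"` is safer and matches the `!=`/`==` style of the sibling rules. Note too that the connector posts with `time-generated-field: time_generated`, so if that field carries the Mimecast event time, records ingested more than 15 minutes after they occurred (the 7-day initial backfill, or any API lag) fall outside `queryPeriod: 15m` and never trigger; widen the period, or let `TimeGenerated` default to ingestion time and keep the event time in `date_t`.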
@@ -0,0 +1,43 @@ +id: d8e7eca6-4b59-4069-a31e-a022b2a12ea4 +name: Mimecast Targeted Threat Protection - Impersonation Protect +description: Detects a maliciously tagged impersonation +severity: High +requiredDataConnectors: + - connectorId: MimecastTTPAPI + dataTypes: + - MimecastTTPImpersonation_CL +enabled: true +query: MimecastTTPImpersonation_CL| where taggedMalicious_b == true; +queryFrequency: 5m +queryPeriod: 15m +triggerOperator: gt +triggerThreshold: 0 +suppressionDuration: 5h +suppressionEnabled: false +tactics: +- Exfiltration +- Collection +- Discovery +relevantTechniques: +- T1114 +alertRuleTemplateName: +incidentConfiguration: + createIncident: true + groupingConfiguration: + enabled: true + reopenClosedIncident: false + lookbackDuration: 1d + matchingMethod: AllEntities +eventGroupingSettings: + aggregationKind: AlertPerResult +entityMappings: + - entityType: MailMessage + fieldMappings: + - identifier: Sender + columnName: senderAddress_s + - identifier: SenderIP + columnName: senderIpAddress_s + - identifier: Recipient + columnName: recipientAddress_s +version: 1.0.0 +kind: Scheduled diff --git a/Solutions/MimecastTTP/Analytic Rules/MimecastTTPUrl.yaml b/Solutions/MimecastTTP/Analytic Rules/MimecastTTPUrl.yaml new file mode 100644 index 00000000000..1cf5d463160 --- /dev/null +++ b/Solutions/MimecastTTP/Analytic Rules/MimecastTTPUrl.yaml 
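Review bot: The tactic/technique mapping does not fit the detection: `T1114` is Email Collection and `Exfiltration`/`Collection`/`Discovery` describe post-compromise activity, whereas an impersonation (BEC/phishing) hit is `InitialAccess` with `T1566` (Phishing). The rule also carries no `customDetails`, unlike the Attachment rule; surfacing `hits_s`, `identifiers_s`, `impersonationResults_s` and `action_s` would tell an analyst why Mimecast tagged the message and whether it was delivered. As with the sibling rules, `queryPeriod: 15m` only works if `TimeGenerated` is close to ingestion time; with the connector's `time-generated-field: time_generated` pointing at the event time, late-arriving records are never evaluated.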
@@ -0,0 +1,50 @@ +id: 9d5545bd-1450-4086-935c-62f15fc4a4c9 +name: Mimecast Targeted Threat Protection - URL Protect +description: Detects malicious scan results and actions which are not allowed +severity: High +requiredDataConnectors: + - connectorId: MimecastTTPAPI + dataTypes: + - MimecastTTPUrl_CL +enabled: true +query: MimecastTTPUrl_CL| where scanResult_s == "malicious" and action_s != "allow"; +queryFrequency: 5m +queryPeriod: 15m +triggerOperator: gt +triggerThreshold: 0 +suppressionDuration: 5h +suppressionEnabled: false +tactics: +- InitialAccess +- Discovery +relevantTechniques: +- T0865 +alertRuleTemplateName: +incidentConfiguration: + createIncident: true + groupingConfiguration: + enabled: true + reopenClosedIncident: false + lookbackDuration: 1d + matchingMethod: AllEntities +eventGroupingSettings: + aggregationKind: AlertPerResult +entityMappings: + - entityType: IP + fieldMappings: + - identifier: Address + columnName: sendingIp_s + - entityType: MailMessage + fieldMappings: + - identifier: Sender + columnName: fromUserEmailAddress_s + - identifier: InternetMessageId + columnName: messageId_s + - identifier: Recipient + columnName: userEmailAddress_s + - entityType: URL + fieldMappings: + - identifier: Url + columnName: url_s +version: 1.0.0 +kind: Scheduled diff --git a/Solutions/MimecastTTP/Data Connectors/GetTTPAttachment/__init__.py b/Solutions/MimecastTTP/Data Connectors/GetTTPAttachment/__init__.py new file mode 100644 index 00000000000..f1224de430b --- /dev/null +++ b/Solutions/MimecastTTP/Data Connectors/GetTTPAttachment/__init__.py 
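Review bot: The filter `where scanResult_s == "malicious" and action_s != "allow"` suppresses the case that most needs an alert — a malicious scan result where the click was nevertheless allowed (user or admin override) — and the description "actions which are not allowed" does not explain that choice; either drop the `action_s` clause, or keep both outcomes and expose `action_s`, `userOverride_s` and `adminOverride_s` via `customDetails`. The `IP` entity is mapped from `sendingIp_s`, but the sample records in this PR carry the literal `"Mimecast IP"` for Browser Isolation clicks, which is unlikely to yield a usable IP entity; guard it with `| extend sendingIp_s = iff(isnotnull(parse_ipv4(sendingIp_s)), sendingIp_s, "")` before mapping. `T0865` is an ATT&CK for ICS identifier; the enterprise technique for a malicious email link is `T1566.002`. Separately, the `MimecastTTPUrl_CL.json` fixture these rules are validated against appears to still contain a real tenant GUID and an unsanitized address inside a `url_s` query string (`email=bpinnock%40...`) that the `sanitized@sanitized.com` replacement missed.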
@@ -0,0 +1,87 @@ +import datetime +import logging +import json +import os +import azure.functions as func +from ..Helpers.date_helper import DateHelper +from ..Helpers.request_helper import RequestHelper +from ..Helpers.response_helper import ResponseHelper +from ..Helpers.azure_monitor_collector import AzureMonitorCollector +from ..Models.Request.get_ttp_attachment_logs import GetTTPAttachmentLogsRequest +from ..Models.Error.errors import MimecastRequestError, AzureMonitorCollectorRequestError +from ..Models.Enum.mimecast_endpoints import MimecastEndpoints +from ..TransformData.ttp_attachment_parser import TTPAttachmentParser + + +def main(mytimer: func.TimerRequest, checkpoint1: str) -> str: + utc_timestamp = datetime.datetime.utcnow().replace(tzinfo=datetime.timezone.utc).isoformat() + + if mytimer.past_due: + logging.info("The timer is past due!") + + logging.info("Python timer trigger function ran at %s", utc_timestamp) + + request_helper = RequestHelper() + response_helper = ResponseHelper() + azure_monitor_collector = AzureMonitorCollector() + + request_helper.set_request_credentials( + email=os.environ["mimecast_email"], + password=os.environ["mimecast_password"], + app_id=os.environ["mimecast_app_id"], + app_key=os.environ["mimecast_app_key"], + access_key=os.environ["mimecast_access_key"], + secret_key=os.environ["mimecast_secret_key"], + base_url=os.environ["mimecast_base_url"], + ) + + # datetime manipulation is done to assure there is neither duplicate nor missing logs + start_date = checkpoint1 if checkpoint1 else DateHelper.get_utc_time_in_past(days=7) + mimecast_start_date = datetime.datetime.strptime(start_date, "%Y-%m-%dT%H:%M:%S%z") + datetime.timedelta(seconds=1) + mimecast_start_date = mimecast_start_date.strftime("%Y-%m-%dT%H:%M:%S%z") + end_date = datetime.datetime.fromisoformat(utc_timestamp) - datetime.timedelta(seconds=15) + mimecast_end_date = end_date.strftime("%Y-%m-%dT%H:%M:%S%z") + + mapped_response_data, model, next_token, 
has_more_logs = request_helper.set_initial_values() + ttp_attachment_parser = TTPAttachmentParser() + parsed_logs = [] + + try: + while has_more_logs: + model = GetTTPAttachmentLogsRequest(mimecast_start_date, mimecast_end_date, next_token) + response = request_helper.send_post_request(model.payload, MimecastEndpoints.get_ttp_attachment_logs) + response_helper.check_response_codes(response, MimecastEndpoints.get_ttp_attachment_logs) + success_response = response_helper.parse_success_response(response) + has_more_logs, next_token = response_helper.get_next_token(response) + parsed_logs.extend(ttp_attachment_parser.parse(logs=success_response[0]["attachmentLogs"])) + except MimecastRequestError as e: + logging.error( + "Failed to get TTP Attachment logs from Mimecast.", extra={"request_id": request_helper.request_id} + ) + e.request_id = request_helper.request_id + raise e + except Exception as e: + logging.error("Unknown Exception raised.", extra={"request_id": request_helper.request_id}) + raise e + + try: + if parsed_logs: + workspace_id = os.environ["log_analytics_workspace_id"] + workspace_key = os.environ["log_analytics_workspace_key"] + log_type = "MimecastTTPAttachment" + body = json.dumps(parsed_logs) + azure_monitor_collector.post_data(workspace_id, workspace_key, body, log_type) + # logs are sorted so next line will return the latest log date + return parsed_logs[-1]["date"] + else: + logging.info("There are no TTP Attachment logs for this period.") + return mimecast_end_date + except AzureMonitorCollectorRequestError as e: + logging.error( + "Failed to send TTP Attachment to Azure Sentinel.", extra={"request_id": request_helper.request_id} + ) + e.request_id = request_helper.request_id + raise e + except Exception as e: + logging.error("Unknown Exception raised.", extra={"request_id": request_helper.request_id}) + raise e 
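Review bot: The checkpoint returned at `return parsed_logs[-1]["date"]` assumes the API delivers logs in ascending time order across every page, as the comment says, but nothing in the function enforces it; if a page comes back newest-first the checkpoint regresses and the next run re-ingests the same window. `return max(log["date"] for log in parsed_logs)` costs nothing and removes the assumption (provided the `date` strings share one format and zone, which the `%z` round-trip at the top already requires). The `+1s` offset also means a log whose timestamp equals the checkpoint second but which Mimecast exposes only after this poll is skipped for good; if the API's `from`/`to` bounds are inclusive, a short start-side overlap plus de-duplication on `messageId`/`fileHash` downstream would be safer than trying to be exact. The same pattern is repeated in GetTTPImpersonation and GetTTPUrl.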
diff --git a/Solutions/MimecastTTP/Data Connectors/GetTTPAttachment/function.json b/Solutions/MimecastTTP/Data Connectors/GetTTPAttachment/function.json new file mode 100644 index 00000000000..ca91f346a7d --- /dev/null +++ b/Solutions/MimecastTTP/Data Connectors/GetTTPAttachment/function.json @@ -0,0 +1,24 @@ +{ + "scriptFile": "__init__.py", + "bindings": [ + { + "name": "mytimer", + "type": "timerTrigger", + "direction": "in", + "schedule": "0 */5 * * * *" + }, + { + "name": "checkpoint1", + "type": "blob", + "dataType": "string", + "path": "ttp-checkpoints/attachment-checkpoint.txt", + "direction": "in" + }, + { + "name": "$return", + "type": "blob", + "path": "ttp-checkpoints/attachment-checkpoint.txt", + "direction": "out" + } + ] +} diff --git a/Solutions/MimecastTTP/Data Connectors/GetTTPAttachment/readme.md b/Solutions/MimecastTTP/Data Connectors/GetTTPAttachment/readme.md new file mode 100644 index 00000000000..e8b7e887365 --- /dev/null +++ b/Solutions/MimecastTTP/Data Connectors/GetTTPAttachment/readme.md @@ -0,0 +1,11 @@ +# TimerTrigger - Python + +The `TimerTrigger` makes it incredibly easy to have your functions executed on a schedule. This sample demonstrates a simple use case of calling your function every 5 minutes. + +## How it works + +For a `TimerTrigger` to work, you provide a schedule in the form of a [cron expression](https://en.wikipedia.org/wiki/Cron#CRON_expression)(See the link for full details). A cron expression is a string with 6 separate expressions which represent a given schedule via patterns. The pattern we use to represent every 5 minutes is `0 */5 * * * *`. This, in plain text, means: "When seconds is equal to 0, minutes is divisible by 5, for any hour, day of the month, month, day of the week, or year". + +## Learn more + + Documentation 
diff --git a/Solutions/MimecastTTP/Data Connectors/GetTTPImpersonation/__init__.py b/Solutions/MimecastTTP/Data Connectors/GetTTPImpersonation/__init__.py new file mode 100644 index 00000000000..aa30c54c4a3 --- /dev/null +++ b/Solutions/MimecastTTP/Data Connectors/GetTTPImpersonation/__init__.py 
@@ -0,0 +1,87 @@ +import datetime +import logging +import json +import os +import azure.functions as func +from ..Helpers.date_helper import DateHelper +from ..Helpers.request_helper import RequestHelper +from ..Helpers.response_helper import ResponseHelper +from ..Helpers.azure_monitor_collector import AzureMonitorCollector +from ..Models.Request.get_ttp_impersonation_logs import GetTTPImpersonationLogsRequest +from ..Models.Error.errors import MimecastRequestError, AzureMonitorCollectorRequestError +from ..Models.Enum.mimecast_endpoints import MimecastEndpoints +from ..TransformData.ttp_impersonation_parser import TTPImpersonationParser + + +def main(mytimer: func.TimerRequest, checkpoint2: str) -> str: + utc_timestamp = datetime.datetime.utcnow().replace(tzinfo=datetime.timezone.utc).isoformat() + + if mytimer.past_due: + logging.info("The timer is past due!") + + logging.info("Python timer trigger function ran at %s", utc_timestamp) + + request_helper = RequestHelper() + response_helper = ResponseHelper() + azure_monitor_collector = AzureMonitorCollector() + + request_helper.set_request_credentials( + email=os.environ["mimecast_email"], + password=os.environ["mimecast_password"], + app_id=os.environ["mimecast_app_id"], + app_key=os.environ["mimecast_app_key"], + access_key=os.environ["mimecast_access_key"], + secret_key=os.environ["mimecast_secret_key"], + base_url=os.environ["mimecast_base_url"], + ) + + # datetime manipulation is done to assure there is neither duplicate nor missing logs + start_date = checkpoint2 if checkpoint2 else DateHelper.get_utc_time_in_past(days=7) + mimecast_start_date = datetime.datetime.strptime(start_date, "%Y-%m-%dT%H:%M:%S%z") + datetime.timedelta(seconds=1) + mimecast_start_date = mimecast_start_date.strftime("%Y-%m-%dT%H:%M:%S%z") + end_date = datetime.datetime.fromisoformat(utc_timestamp) - datetime.timedelta(seconds=15) + mimecast_end_date = end_date.strftime("%Y-%m-%dT%H:%M:%S%z") + + mapped_response_data, model, 
next_token, has_more_logs = request_helper.set_initial_values() + ttp_impersonation_parser = TTPImpersonationParser() + parsed_logs = [] + + try: + while has_more_logs: + model = GetTTPImpersonationLogsRequest(mimecast_start_date, mimecast_end_date, next_token) + response = request_helper.send_post_request(model.payload, MimecastEndpoints.get_ttp_impersonation_logs) + response_helper.check_response_codes(response, MimecastEndpoints.get_ttp_impersonation_logs) + success_response = response_helper.parse_success_response(response) + has_more_logs, next_token = response_helper.get_next_token(response) + parsed_logs.extend(ttp_impersonation_parser.parse(logs=success_response[0]["impersonationLogs"])) + except MimecastRequestError as e: + logging.error( + "Failed to get TTP Impersonation logs from Mimecast.", extra={"request_id": request_helper.request_id} + ) + e.request_id = request_helper.request_id + raise e + except Exception as e: + logging.error("Unknown Exception raised.", extra={"request_id": request_helper.request_id}) + raise e + + try: + if parsed_logs: + workspace_id = os.environ["log_analytics_workspace_id"] + workspace_key = os.environ["log_analytics_workspace_key"] + log_type = "MimecastTTPImpersonation" + body = json.dumps(parsed_logs) + azure_monitor_collector.post_data(workspace_id, workspace_key, body, log_type) + # logs are sorted so next line will return the latest log date + return parsed_logs[-1]["eventTime"] + else: + logging.info("There are no TTP Impersonation logs for this period.") + return mimecast_end_date + except AzureMonitorCollectorRequestError as e: + logging.error( + "Failed to send TTP Impersonation to Azure Sentinel.", extra={"request_id": request_helper.request_id} + ) + e.request_id = request_helper.request_id + raise e + except Exception as e: + logging.error("Unknown Exception raised.", extra={"request_id": request_helper.request_id}) + raise e 
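Review bot: Every page fetched in the `while has_more_logs` loop is buffered into `parsed_logs` and then sent as a single `post_data` call with `json.dumps(parsed_logs)`; on first deployment the window is seven days (`DateHelper.get_utc_time_in_past(days=7)`), so the body can exceed the Data Collector API's 30 MB per-request limit, and because the exception is re-raised before `return`, the checkpoint never advances and every subsequent run repeats the same oversized request. Posting each page (or fixed-size slices of `parsed_logs`) inside the loop keeps requests bounded; re-ingesting an already-posted page after a later failure is far less harmful than a connector that never catches up. Also, `logging.error("Unknown Exception raised.", ...)` followed by `raise e` records no detail about the failure — `logging.exception(...)` keeps the traceback alongside the request id. The same structure exists in GetTTPAttachment and GetTTPUrl.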
diff --git a/Solutions/MimecastTTP/Data Connectors/GetTTPImpersonation/function.json b/Solutions/MimecastTTP/Data Connectors/GetTTPImpersonation/function.json new file mode 100644 index 00000000000..d6f1bdaaeef --- /dev/null +++ b/Solutions/MimecastTTP/Data Connectors/GetTTPImpersonation/function.json @@ -0,0 +1,24 @@ +{ + "scriptFile": "__init__.py", + "bindings": [ + { + "name": "mytimer", + "type": "timerTrigger", + "direction": "in", + "schedule": "0 */5 * * * *" + }, + { + "name": "checkpoint2", + "type": "blob", + "dataType": "string", + "path": "ttp-checkpoints/impersonation-checkpoint.txt", + "direction": "in" + }, + { + "name": "$return", + "type": "blob", + "path": "ttp-checkpoints/impersonation-checkpoint.txt", + "direction": "out" + } + ] +} diff --git a/Solutions/MimecastTTP/Data Connectors/GetTTPImpersonation/readme.md b/Solutions/MimecastTTP/Data Connectors/GetTTPImpersonation/readme.md new file mode 100644 index 00000000000..e8b7e887365 --- /dev/null +++ b/Solutions/MimecastTTP/Data Connectors/GetTTPImpersonation/readme.md @@ -0,0 +1,11 @@ +# TimerTrigger - Python + +The `TimerTrigger` makes it incredibly easy to have your functions executed on a schedule. This sample demonstrates a simple use case of calling your function every 5 minutes. + +## How it works + +For a `TimerTrigger` to work, you provide a schedule in the form of a [cron expression](https://en.wikipedia.org/wiki/Cron#CRON_expression)(See the link for full details). A cron expression is a string with 6 separate expressions which represent a given schedule via patterns. The pattern we use to represent every 5 minutes is `0 */5 * * * *`. This, in plain text, means: "When seconds is equal to 0, minutes is divisible by 5, for any hour, day of the month, month, day of the week, or year". + +## Learn more + + Documentation 
diff --git a/Solutions/MimecastTTP/Data Connectors/GetTTPUrl/__init__.py b/Solutions/MimecastTTP/Data Connectors/GetTTPUrl/__init__.py new file mode 100644 index 00000000000..38b4ed6f57a --- /dev/null +++ b/Solutions/MimecastTTP/Data Connectors/GetTTPUrl/__init__.py 
@@ -0,0 +1,83 @@ +import datetime +import logging +import json +import os +import azure.functions as func +from ..Helpers.date_helper import DateHelper +from ..Helpers.request_helper import RequestHelper +from ..Helpers.response_helper import ResponseHelper +from ..Helpers.azure_monitor_collector import AzureMonitorCollector +from ..Models.Request.get_ttp_url_logs import GetTTPUrlLogsRequest +from ..Models.Error.errors import MimecastRequestError, AzureMonitorCollectorRequestError +from ..Models.Enum.mimecast_endpoints import MimecastEndpoints +from ..TransformData.ttp_url_parser import TTPUrlParser + + +def main(mytimer: func.TimerRequest, checkpoint3: str) -> str: + utc_timestamp = datetime.datetime.utcnow().replace(tzinfo=datetime.timezone.utc).isoformat() + + if mytimer.past_due: + logging.info("The timer is past due!") + + logging.info("Python timer trigger function ran at %s", utc_timestamp) + + request_helper = RequestHelper() + response_helper = ResponseHelper() + azure_monitor_collector = AzureMonitorCollector() + + request_helper.set_request_credentials( + email=os.environ["mimecast_email"], + password=os.environ["mimecast_password"], + app_id=os.environ["mimecast_app_id"], + app_key=os.environ["mimecast_app_key"], + access_key=os.environ["mimecast_access_key"], + secret_key=os.environ["mimecast_secret_key"], + base_url=os.environ["mimecast_base_url"], + ) + + # datetime manipulation is done to assure there is neither duplicate nor missing logs + start_date = checkpoint3 if checkpoint3 else DateHelper.get_utc_time_in_past(days=7) + mimecast_start_date = datetime.datetime.strptime(start_date, "%Y-%m-%dT%H:%M:%S%z") + datetime.timedelta(seconds=1) + mimecast_start_date = mimecast_start_date.strftime("%Y-%m-%dT%H:%M:%S%z") + end_date = datetime.datetime.fromisoformat(utc_timestamp) - datetime.timedelta(seconds=15) + mimecast_end_date = end_date.strftime("%Y-%m-%dT%H:%M:%S%z") + + mapped_response_data, model, next_token, has_more_logs = 
request_helper.set_initial_values() + ttp_url_parser = TTPUrlParser() + parsed_logs = [] + + try: + while has_more_logs: + model = GetTTPUrlLogsRequest(mimecast_start_date, mimecast_end_date, next_token) + response = request_helper.send_post_request(model.payload, MimecastEndpoints.get_ttp_url_logs) + response_helper.check_response_codes(response, MimecastEndpoints.get_ttp_url_logs) + success_response = response_helper.parse_success_response(response) + has_more_logs, next_token = response_helper.get_next_token(response) + parsed_logs.extend(ttp_url_parser.parse(logs=success_response[0]["clickLogs"])) + except MimecastRequestError as e: + logging.error("Failed to get TTP Url logs from Mimecast.", extra={"request_id": request_helper.request_id}) + e.request_id = request_helper.request_id + raise e + except Exception as e: + logging.error("Unknown Exception raised.", extra={"request_id": request_helper.request_id}) + raise e + + try: + if parsed_logs: + workspace_id = os.environ["log_analytics_workspace_id"] + workspace_key = os.environ["log_analytics_workspace_key"] + log_type = "MimecastTTPUrl" + body = json.dumps(parsed_logs) + azure_monitor_collector.post_data(workspace_id, workspace_key, body, log_type) + # logs are sorted so next line will return the latest log date + return parsed_logs[-1]["date"] + else: + logging.info("There are no TTP Url logs for this period.") + return mimecast_end_date + except AzureMonitorCollectorRequestError as e: + logging.error("Failed to send TTP Url to Azure Sentinel.", extra={"request_id": request_helper.request_id}) + e.request_id = request_helper.request_id + raise e + except Exception as e: + logging.error("Unknown Exception raised.", extra={"request_id": request_helper.request_id}) + raise e diff --git a/Solutions/MimecastTTP/Data Connectors/GetTTPUrl/function.json b/Solutions/MimecastTTP/Data Connectors/GetTTPUrl/function.json new file mode 100644 index 00000000000..a6cea0e3ef4 --- /dev/null 
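Review bot: Seven credentials — `mimecast_email`, `mimecast_password`, the app/access/secret keys and `log_analytics_workspace_key` — are read straight from `os.environ`; in a Function App those are plaintext app settings visible to anyone who can list the app's configuration, so the deployment template (not visible here) should populate them as Key Vault references (`@Microsoft.KeyVault(SecretUri=...)`) and the readme should say so rather than repeating the TimerTrigger template text. `datetime.datetime.utcnow()` is deprecated from Python 3.12; `datetime.datetime.now(datetime.timezone.utc)` yields the same aware timestamp without the `.replace(tzinfo=...)`. `mapped_response_data` and the initial `model` from `set_initial_values()` are never used (the loop reassigns `model`); `_, _, next_token, has_more_logs = request_helper.set_initial_values()` makes that explicit. The same applies to GetTTPAttachment and GetTTPImpersonation.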
+++ b/Solutions/MimecastTTP/Data Connectors/GetTTPUrl/function.json @@ -0,0 +1,24 @@ +{ + "scriptFile": "__init__.py", + "bindings": [ + { + "name": "mytimer", + "type": "timerTrigger", + "direction": "in", + "schedule": "0 */5 * * * *" + }, + { + "name": "checkpoint3", + "type": "blob", + "dataType": "string", + "path": "ttp-checkpoints/url-checkpoint.txt", + "direction": "in" + }, + { + "name": "$return", + "type": "blob", + "path": "ttp-checkpoints/url-checkpoint.txt", + "direction": "out" + } + ] +} diff --git a/Solutions/MimecastTTP/Data Connectors/GetTTPUrl/readme.md b/Solutions/MimecastTTP/Data Connectors/GetTTPUrl/readme.md new file mode 100644 index 00000000000..e8b7e887365 --- /dev/null +++ b/Solutions/MimecastTTP/Data Connectors/GetTTPUrl/readme.md @@ -0,0 +1,11 @@ +# TimerTrigger - Python + +The `TimerTrigger` makes it incredibly easy to have your functions executed on a schedule. This sample demonstrates a simple use case of calling your function every 5 minutes. + +## How it works + +For a `TimerTrigger` to work, you provide a schedule in the form of a [cron expression](https://en.wikipedia.org/wiki/Cron#CRON_expression)(See the link for full details). A cron expression is a string with 6 separate expressions which represent a given schedule via patterns. The pattern we use to represent every 5 minutes is `0 */5 * * * *`. This, in plain text, means: "When seconds is equal to 0, minutes is divisible by 5, for any hour, day of the month, month, day of the week, or year". + +## Learn more + + Documentation diff --git a/Solutions/MimecastTTP/Data Connectors/Helpers/azure_monitor_collector.py b/Solutions/MimecastTTP/Data Connectors/Helpers/azure_monitor_collector.py new file mode 100644 index 00000000000..e8871248e26 --- /dev/null +++ b/Solutions/MimecastTTP/Data Connectors/Helpers/azure_monitor_collector.py 
@@ -0,0 +1,54 @@ +import requests +import datetime +import hashlib +import hmac +import base64 +import logging + +from ..Models.Error.errors import AzureMonitorCollectorRequestError + + +class AzureMonitorCollector: + """AzureMonitorCollector responsible for sending data from all functions to Log Analytics Workspace(Sentinel).""" + + @staticmethod + def build_signature(customer_id, shared_key, date, content_length, method, content_type, resource): + """Generating proper Authorization header.""" + x_headers = "x-ms-date:" + date + string_to_hash = method + "\n" + str(content_length) + "\n" + content_type + "\n" + x_headers + "\n" + resource + bytes_to_hash = bytes(string_to_hash, encoding="utf-8") + decoded_key = base64.b64decode(shared_key) + encoded_hash = base64.b64encode( + hmac.new(decoded_key, bytes_to_hash, digestmod=hashlib.sha256).digest() + ).decode() + authorization = "SharedKey {}:{}".format(customer_id, encoded_hash) + return authorization + + def post_data(self, customer_id, shared_key, body, log_type): + """Sending logs through proper API version to Log Analytics Workspace.""" + method = "POST" + content_type = "application/json" + resource = "/api/logs" + rfc1123date = datetime.datetime.utcnow().strftime("%a, %d %b %Y %H:%M:%S GMT") + content_length = len(body) + signature = self.build_signature( + customer_id, shared_key, rfc1123date, content_length, method, content_type, resource + ) + uri = "https://" + customer_id + ".ods.opinsights.azure.com" + resource + "?api-version=2016-04-01" + + headers = { + "content-type": content_type, + "Authorization": signature, + "Log-Type": log_type, + "x-ms-date": rfc1123date, + "time-generated-field": "time_generated", + } + + response = requests.post(uri, data=body, headers=headers) + if 200 <= response.status_code <= 299: + logging.info("Logs sent successfully!") + else: + logging.error("Azure Monitor Collector response code: {}".format(response.status_code)) + raise AzureMonitorCollectorRequestError( + "Azure 
Monitor Collector response code: {}".format(response.status_code) + ) diff --git a/Solutions/MimecastTTP/Data Connectors/Helpers/date_helper.py b/Solutions/MimecastTTP/Data Connectors/Helpers/date_helper.py new file mode 100644 index 00000000000..f79ef7abf32 --- /dev/null +++ b/Solutions/MimecastTTP/Data Connectors/Helpers/date_helper.py @@ -0,0 +1,35 @@ +import datetime + +from ..Models.Error.errors import ParsingError + + +class DateHelper: + """DateHelper class responsible for making Mimecast specific date formats needed in request models.""" + + @staticmethod + def get_utc_time_from_now(days): + """Generating time by adding days to current UTC time.""" + now = datetime.datetime.utcnow() + offset_time = now + datetime.timedelta(days=days) + return offset_time.strftime("%Y-%m-%dT%H:%M:%SZ") + + @staticmethod + def get_utc_time_in_past(days): + """Generating time by subtracting days from current UTC time.""" + now = datetime.datetime.utcnow() + offset_time = now - datetime.timedelta(days=days) + offset_time = offset_time.replace(tzinfo=datetime.timezone.utc) + return offset_time.strftime("%Y-%m-%dT%H:%M:%S%z") + + @staticmethod + def convert_from_mimecast_format(datetime_str): + try: + datetime_obj = datetime.datetime.strptime(datetime_str, "%Y-%m-%dT%H:%M:%S%z") + except ValueError: + try: + datetime_obj = datetime.datetime.strptime(datetime_str, "%Y-%m-%dT%H:%M:%S.%fZ") + except ValueError: + raise ParsingError(f"Unknown time format: {datetime_str}") + + converted_datetime = datetime_obj.astimezone(datetime.timezone.utc).isoformat() + return converted_datetime diff --git a/Solutions/MimecastTTP/Data Connectors/Helpers/request_helper.py b/Solutions/MimecastTTP/Data Connectors/Helpers/request_helper.py new file mode 100644 index 00000000000..2eb679903f5 --- /dev/null +++ b/Solutions/MimecastTTP/Data Connectors/Helpers/request_helper.py 
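Review bot: `requests.post(uri, data=body, headers=headers)` in `post_data` carries no `timeout`, so a stalled Log Analytics endpoint holds the timer-triggered function open until the host kills it, while the Mimecast helper in this same change passes `timeout=120`; the call here should match: `response = requests.post(uri, data=body, headers=headers, timeout=120)`. Two smaller points: `content_length = len(body)` counts characters of a `str` while the wire carries bytes, which only agrees because the caller uses `json.dumps` with its default ASCII escaping — encoding once up front (`body = body.encode("utf-8")` before computing the length and signing) removes that hidden dependency. The failure branch logs only `response.status_code`; including `response.text` in that message would surface the service's own reason for the rejection.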
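Review bot: `convert_from_mimecast_format` is the only method in `DateHelper` without a docstring, and it quietly accepts two different input shapes; a line such as `"""Parse a Mimecast timestamp in either %Y-%m-%dT%H:%M:%S%z or %Y-%m-%dT%H:%M:%S.%fZ form and return it as a UTC ISO-8601 string; raises ParsingError for anything else."""` makes that contract explicit. Note also that `get_utc_time_from_now` emits a trailing `Z` while `get_utc_time_in_past` emits `+0000` via `%z`; if both feed the same Mimecast `from`/`to` fields, settling on one format for both avoids surprises downstream.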
@@ -0,0 +1,136 @@ +from ..Models.Enum.mimecast_endpoints import MimecastEndpoints +from ..Models.Enum.mimecast_response_codes import MimecastResponseCodes +from ..Models.Error.errors import MimecastRequestError +from ..Models.Request.refresh_access_key import RefreshAccessKeyRequest +import base64 +from hashlib import sha1 as EncryptionAlgo +import hmac +import uuid +import datetime +import requests +import logging +import time +import math + + +class RequestHelper: + """HttpClient responsible for making proper request headers and sending POST requests to APIs.""" + + request_id = None + app_id = None + app_key = None + access_key = None + secret_key = None + base_url = None + email = None + password = None + https_ip = None + https_port = None + proxy_username = None + proxy_password = None + + def set_request_credentials(self, app_id, app_key, access_key, secret_key, base_url, email, password): + """Setting object credentials to be used for generating proper request headers.""" + self.app_id = app_id + self.app_key = app_key + self.access_key = access_key + self.secret_key = secret_key + self.base_url = base_url + self.email = email + self.password = password + + def set_proxy_credentials(self, https_ip, https_port, proxy_username, proxy_password): + """Setting object proxy credentials to be used for generating proper proxy request configuration.""" + self.https_ip = https_ip + self.https_port = https_port + self.proxy_username = proxy_username + self.proxy_password = proxy_password + + def send_post_request(self, payload, request_uri): + """Sending POST requests to Mimecast API.""" + headers = self.generate_proper_headers(request_uri) + proxies = {} + if hasattr(self, "https_ip") and self.https_ip: + https_proxy = "https://{https_ip}:{https_port}".format(https_ip=self.https_ip, https_port=self.https_port) + proxies.update({"https": https_proxy}) + if hasattr(self, "proxy_username") and self.proxy_username: + auth = 
"https://{proxy_username}:{proxy_password}@{https_ip}:{https_port}/".format( + proxy_username=self.proxy_username, + proxy_password=self.proxy_password, + https_ip=self.https_ip, + https_port=self.https_port, + ) + proxies.update({"https": auth}) + try: + if proxies: + response = requests.post( + url=self.base_url + request_uri, headers=headers, data=str(payload), timeout=120, proxies=proxies + ) + else: + response = requests.post( + url=self.base_url + request_uri, headers=headers, data=str(payload), timeout=120 + ) + except Exception: + raise MimecastRequestError("Call to " + self.base_url + request_uri + " failed.") + + if response.status_code == MimecastResponseCodes.quota_exceeded: + sleep_duration = math.ceil(int(response.headers["X-RateLimit-Reset"]) / 1000) + logging.info("Rate limit hit. Sleeping for {0} seconds.".format(sleep_duration)) + if sleep_duration > 0: + time.sleep(sleep_duration) + logging.info("Trying again...") + response = self.send_post_request(payload, request_uri) + elif response.status_code == MimecastResponseCodes.binding_expired: + model = RefreshAccessKeyRequest(self.email, self.access_key) + logging.info("Access key expired. 
Refreshing access key.") + self.send_post_request(model.payload, MimecastEndpoints.refresh_access_key) + logging.info("Access key refreshed.") + response = self.send_post_request(payload, request_uri) + return response + + def generate_proper_headers(self, request_uri): + """Condition for generating headers for refresh access key request or for all other requests.""" + if request_uri == MimecastEndpoints.refresh_access_key: + headers = self.make_refresh_token_request_headers() + else: + headers = self.make_request_headers(request_uri) + logging.info("URL: {0} Request ID: {1}".format(self.base_url + request_uri, headers["x-mc-req-id"])) + return headers + + def make_request_headers(self, request_uri): + """Generating specific headers from Mimecast credentials.""" + self.request_id = str(uuid.uuid4()) + hdr_date = datetime.datetime.utcnow().strftime("%a, %d %b %Y %H:%M:%S UTC") + unsigned_auth_header = "{date}:{req_id}:{uri}:{app_key}".format( + date=hdr_date, req_id=self.request_id, uri=request_uri, app_key=self.app_key + ) + hmac_sha1 = hmac.new( + base64.b64decode(self.secret_key), unsigned_auth_header.encode(), digestmod=EncryptionAlgo + ).digest() + sig = base64.encodebytes(hmac_sha1).rstrip() + headers = { + "Authorization": "MC " + self.access_key + ":" + sig.decode(), + "x-mc-app-id": self.app_id, + "x-mc-date": hdr_date, + "x-mc-req-id": self.request_id, + "Content-Type": "application/json", + } + return headers + + def make_refresh_token_request_headers(self): + """Generating specific headers only for refreshing access key API call.""" + authorization_header_value = base64.b64encode("{0}:{1}".format(self.email, self.password).encode()) + headers = { + "Authorization": "Basic-Cloud {encoded_header}".format( + encoded_header=authorization_header_value.decode("ascii") + ), + "x-mc-app-id": self.app_id, + "Content-Type": "application/json", + "x-mc-api-version": "2014.6.1", + } + return headers + + @staticmethod + def set_initial_values(): + """Generating 
default values before execution enters the loop.""" + return [], {}, "", True diff --git a/Solutions/MimecastTTP/Data Connectors/Helpers/response_helper.py b/Solutions/MimecastTTP/Data Connectors/Helpers/response_helper.py new file mode 100644 index 00000000000..0ecef57cace --- /dev/null +++ b/Solutions/MimecastTTP/Data Connectors/Helpers/response_helper.py 
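Review bot: In `send_post_request`, the `binding_expired` branch discards the result of `self.send_post_request(model.payload, MimecastEndpoints.refresh_access_key)` and retries the original call with the same `self.access_key`/`self.secret_key`, so nothing the login endpoint returns ever reaches the headers built in `make_request_headers`; if the key pair really has lapsed, the retry gets another 418, re-enters this branch and recurses without bound, and the `quota_exceeded` branch has the same unbounded retry plus an unguarded `response.headers["X-RateLimit-Reset"]` lookup. I would capture the login response, fail fast when it is not 200, store whatever key material it carries on `self` (its field names are not visible in this diff, hence the TODO below), and let the retry run at most once. Separately, `proxy_username`/`proxy_password` are interpolated into the proxy URL unescaped, so a password containing `@`, `:` or `/` breaks the URL — wrap both in `urllib.parse.quote(..., safe="")` — and `data=str(payload)` sends a Python dict repr (single quotes, `True`) under `Content-Type: application/json`; `json.dumps(payload)` is the encoding that header promises, if the API accepts it.
```python
    def send_post_request(self, payload, request_uri, allow_refresh=True):
        """Sending POST requests to Mimecast API; refreshes the access key at most once per call."""
        # … unchanged: header and proxy construction, the requests.post call …
        if response.status_code == MimecastResponseCodes.quota_exceeded:
            if not allow_refresh:
                raise MimecastRequestError("Rate limit still exceeded after retry for " + request_uri + ".")
            reset_ms = response.headers.get("X-RateLimit-Reset", "0")
            sleep_duration = math.ceil(int(reset_ms) / 1000)
            logging.info("Rate limit hit. Sleeping for {0} seconds.".format(sleep_duration))
            if sleep_duration > 0:
                time.sleep(sleep_duration)
            logging.info("Trying again...")
            response = self.send_post_request(payload, request_uri, allow_refresh=False)
        elif response.status_code == MimecastResponseCodes.binding_expired:
            if not allow_refresh:
                raise MimecastRequestError("Access key refresh did not restore access to " + request_uri + ".")
            model = RefreshAccessKeyRequest(self.email, self.access_key)
            logging.info("Access key expired. Refreshing access key.")
            refresh_response = self.send_post_request(model.payload, MimecastEndpoints.refresh_access_key)
            if refresh_response.status_code != MimecastResponseCodes.success:
                raise MimecastRequestError("Refreshing the Mimecast access key failed.")
            # TODO: store the refreshed key pair from refresh_response on self.access_key / self.secret_key
            logging.info("Access key refreshed.")
            response = self.send_post_request(payload, request_uri, allow_refresh=False)
        return response
```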
@@ -0,0 +1,64 @@ +from ..Models.Enum.mimecast_response_codes import MimecastResponseCodes +import logging +import json + +from ..Models.Error.errors import InvalidDataError + + +class ResponseHelper: + """ResponseHelper responsible for checking is token in response headers, also parsing and mapping responses.""" + + next_token = "" + response = [] + + def __init__(self): + """Initial setup of logger and default value for Mimecast endpoint.""" + self.mimecast_endpoint = None + + def check_response_codes(self, response, mimecast_endpoint): + """Checking all response codes from Mimecast documentation and logging errors.""" + self.mimecast_endpoint = mimecast_endpoint + if response.status_code == MimecastResponseCodes.success: + return response + elif response.status_code == MimecastResponseCodes.bad_request: + logging.error("Request cannot be processed because it is either malformed or not correct.") + elif response.status_code == MimecastResponseCodes.unauthorized: + logging.error("Authorization information is either missing, incomplete or incorrect.") + elif response.status_code == MimecastResponseCodes.forbidden: + logging.error( + "Access is denied to the requested resource." + "The user may not have enough permission to perform the action." 
+ ) + elif response.status_code == MimecastResponseCodes.not_found: + logging.error("The requested resource does not exist.") + elif response.status_code == MimecastResponseCodes.conflict: + logging.error("The current status of the relying data does not match what is defined in the request.") + elif response.status_code == MimecastResponseCodes.internal_server_error: + logging.error("The request was not processed successfully or an issue has occurred on the Mimecast side.") + else: + logging.error("Unknown error.Please contact API administrator.") + + def parse_success_response(self, response): + """Logging and checking response body for errors.""" + try: + response_text = json.loads(response.text) + except json.JSONDecodeError: + logging.error(self.mimecast_endpoint + ": Invalid content provided. Probably no more logs left.") + raise InvalidDataError("Invalid content provided. Probably no more logs.") + if response_text["fail"]: + logging.error(self.mimecast_endpoint + ": " + response_text["fail"][0]["errors"][0]["message"]) + else: + return response_text["data"] + + @staticmethod + def get_next_token(response): + """Extracting token from response headers.""" + has_more_data = False + dictionary_response = json.loads(response.text) + if "pagination" in dictionary_response["meta"]: + if "next" in dictionary_response["meta"]["pagination"]: + has_more_data = True + ResponseHelper.next_token = dictionary_response["meta"]["pagination"]["next"] + else: + ResponseHelper.next_token = "" + return has_more_data, ResponseHelper.next_token diff --git a/Solutions/MimecastTTP/Data Connectors/MimecastTTPAzureConn.zip b/Solutions/MimecastTTP/Data Connectors/MimecastTTPAzureConn.zip new file mode 100644 index 00000000000..e1d5ebe9644 Binary files /dev/null and b/Solutions/MimecastTTP/Data Connectors/MimecastTTPAzureConn.zip differ 
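Review bot: `check_response_codes` only logs on a non-200 status and then returns `None`, so the caller proceeds to `parse_success_response` and `get_next_token` on an error body; `parse_success_response` likewise logs the `fail` message and returns `None`, which the caller then indexes, so the real failure surfaces as a `TypeError` under the generic 'Unknown Exception raised.' handler rather than as a `MimecastRequestError` with the request id attached. Adding `raise MimecastRequestError("Mimecast returned HTTP {}".format(response.status_code))` after the `elif` chain and `raise InvalidDataError(response_text["fail"][0]["errors"][0]["message"])` in the `fail` branch keeps the typed handlers meaningful. Also, `get_next_token` writes `ResponseHelper.next_token` on the class rather than the instance, so a pagination token can leak between helpers in the same process; as far as this diff shows each function builds its own helper, so it is benign today, but an instance attribute is the safer shape.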
diff --git a/Solutions/MimecastTTP/Data Connectors/MimecastTTP_API_FunctionApp.json b/Solutions/MimecastTTP/Data Connectors/MimecastTTP_API_FunctionApp.json new file mode 100644 index 00000000000..fb8758c95cb --- /dev/null +++ b/Solutions/MimecastTTP/Data Connectors/MimecastTTP_API_FunctionApp.json 
@@ -0,0 +1,167 @@ +{ + "id": "MimecastTTPAPI", + "title": "Mimecast Targeted Threat Protection", + "publisher": "Mimecast", + "descriptionMarkdown": "The data connector for [Mimecast Targeted Threat Protection](https://community.mimecast.com/s/article/Azure-Sentinel) provides customers with the visibility into security events related to the Targeted Threat Protection inspection technologies within Microsoft Sentinel. The data connector provides pre-created dashboards to allow analysts to view insight into email based threats, aid in incident correlation and reduce investigation response times coupled with custom alert capabilities. \nThe Mimecast products included within the connector are: \n- URL Protect \n- Impersonation Protect \n- Attachment Protect\n", + "graphQueries": [ + { + "metricName": "Total URL Protect data received", + "legend": "MimecastTTPUrl_CL", + "baseQuery": "MimecastTTPUrl_CL" + }, + { + "metricName": "Total Attachment Protect data received", + "legend": "MimecastTTPAttachment_CL", + "baseQuery": "MimecastTTPAttachment_CL" + }, + { + "metricName": "Total Impersonation Protect data received", + "legend": "MimecastTTPImpersonation_CL", + "baseQuery": "MimecastTTPImpersonation_CL" + } + ], + "sampleQueries": [ + { + "description" : "MimecastTTPUrl_CL", + "query": "MimecastTTPUrl_CL\n| sort by TimeGenerated desc" + }, + { + "description" : "MimecastTTPAttachment_CL", + "query": "MimecastTTPAttachment_CL\n| sort by TimeGenerated desc" + }, + { + "description" : "MimecastTTPImpersonation_CL", + "query": "MimecastTTPImpersonation_CL\n| sort by TimeGenerated desc" + } + ], + "dataTypes": [ + { + "name": "MimecastTTPUrl_CL", + "lastDataReceivedQuery": "MimecastTTPUrl_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "MimecastTTPAttachment_CL", + "lastDataReceivedQuery": "MimecastTTPAttachment_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "MimecastTTPImpersonation_CL", + 
"lastDataReceivedQuery": "MimecastTTPImpersonation_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "MimecastTTPUrl_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)", + "MimecastTTPAttachment_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)", + "MimecastTTPImpersonation_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": true + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." 
+ }, + { + "name": "REST API Credentials/permissions", + "description": "You need to have the following pieces of information to configure the integration:\n- mimecastEmail: Email address of a dedicated Mimecast admin user\n- mimecastPassword: Password for the dedicated Mimecast admin user\n- mimecastAppId: API Application Id of the Mimecast Microsoft Sentinel app registered with Mimecast\n- mimecastAppKey: API Application Key of the Mimecast Microsoft Sentinel app registered with Mimecast\n- mimecastAccessKey: Access Key for the dedicated Mimecast admin user\n- mimecastSecretKey: Secret Key for the dedicated Mimecast admin user\n- mimecastBaseURL: Mimecast Regional API Base URL\n\n> The Mimecast Application Id, Application Key, along with the Access Key and Secret keys for the dedicated Mimecast admin user are obtainable via the Mimecast Administration Console: Administration | Services | API and Platform Integrations.\n\n> The Mimecast API Base URL for each region is documented here: https://integrations.mimecast.com/documentation/api-overview/global-base-urls/" + } + ] + }, + "instructionSteps": [ + { + "title": "Resource group", + "description": "You need to have a resource group created with a subscription you are going to use." + }, + { + "title": "Functions app", + "description": "You need to have an Azure App registered for this connector to use\n1. Application Id\n2. Tenant Id\n3. Client Id\n4. Client Secret" + }, + { + "title": "", + "description": ">**NOTE:** This connector uses Azure Functions to connect to a Mimecast API to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." + }, + { + "title": "", + "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. 
[Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." + }, + { + "title": "Configuration:", + "description": "**STEP 1 - Configuration steps for the Mimecast API**\n\nGo to ***Azure portal ---> App registrations ---> [your_app] ---> Certificates & secrets ---> New client secret*** and create a new secret (save the Value somewhere safe right away because you will not be able to preview it later)" + }, + { + "title": "", + "description": "**STEP 2 - Deploy Mimecast API Connector**\n\n>**IMPORTANT:** Before deploying the Mimecast API connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Mimecast API authorization key(s) or Token, readily available.", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Workspace ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "fillWith": [ + "PrimaryKey" + ], + "label": "Primary Key" + }, + "type": "CopyableLabel" + } + ] + }, + { + "title": "Deploy the Mimecast Targeted Threat Protection Data Connector:", + "description": "\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-mimecastttp-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. 
Enter the following fields:\n - appName: Unique string that will be used as id for the app in Azure platform\n - objectId: Azure portal ---> Azure Active Directory ---> more info ---> Profile -----> Object ID\n - appInsightsLocation(default): westeurope\n - mimecastEmail: Email address of dedicated user for this integraion\n - mimecastPassword: Password for dedicated user\n - mimecastAppId: Application Id from the Microsoft Sentinel app registered with Mimecast\n - mimecastAppKey: Application Key from the Microsoft Sentinel app registered with Mimecast\n - mimecastAccessKey: Access Key for the dedicated Mimecast user\n - mimecastSecretKey: Secret Key for dedicated Mimecast user\n - mimecastBaseURL: Regional Mimecast API Base URL\n - activeDirectoryAppId: Azure portal ---> App registrations ---> [your_app] ---> Application ID\n - activeDirectoryAppSecret: Azure portal ---> App registrations ---> [your_app] ---> Certificates & secrets ---> [your_app_secret]\n\n >Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details.\n\n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.\n\n6. 
Go to ***Azure portal ---> Resource groups ---> [your_resource_group] ---> [appName](type: Storage account) ---> Storage Explorer ---> BLOB CONTAINERS ---> TTP checkpoints ---> Upload*** and create empty files on your machine named attachment-checkpoint.txt, impersonation-checkpoint.txt, url-checkpoint.txt and select them for upload (this is done so that date_range for TTP logs are stored in consistent state)\n" + } + ], + "metadata": { + "id": "4588c4ec-1e98-4ddc-841f-35c015f12654", + "version": "1.0.0", + "kind": "dataConnector", + "source": { + "kind": "solution", + "name": "Mimecast" + }, + "author": { + "name": "Mimecast" + }, + "support": { + "tier": "Partner", + "name": "Mimecast", + "email": "support@mimecast.com", + "link": "https://community.mimecast.com/s/contactsupport" + } + } +} diff --git a/Solutions/MimecastTTP/Data Connectors/Models/Enum/__init__.py b/Solutions/MimecastTTP/Data Connectors/Models/Enum/__init__.py new file mode 100644 index 00000000000..e69de29bb2d diff --git a/Solutions/MimecastTTP/Data Connectors/Models/Enum/mimecast_endpoints.py b/Solutions/MimecastTTP/Data Connectors/Models/Enum/mimecast_endpoints.py new file mode 100644 index 00000000000..fd59b6b7710 --- /dev/null +++ b/Solutions/MimecastTTP/Data Connectors/Models/Enum/mimecast_endpoints.py @@ -0,0 +1,6 @@ +class MimecastEndpoints: + + get_ttp_url_logs = "/api/ttp/url/get-logs" + get_ttp_impersonation_logs = "/api/ttp/impersonation/get-logs" + get_ttp_attachment_logs = "/api/ttp/attachment/get-logs" + refresh_access_key = "/api/login/login" diff --git a/Solutions/MimecastTTP/Data Connectors/Models/Enum/mimecast_response_codes.py b/Solutions/MimecastTTP/Data Connectors/Models/Enum/mimecast_response_codes.py new file mode 100644 index 00000000000..dd60500f0d1 --- /dev/null +++ b/Solutions/MimecastTTP/Data Connectors/Models/Enum/mimecast_response_codes.py 
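Review bot: The workspace permission block requests `"delete": true`, yet nothing visible in this diff deletes workspace resources — the Function App only posts to the Data Collector API — so a least-privilege declaration would stop at `"write": true, "read": true` unless the connector UI needs the delete flag for another reason. The 'Functions app' instruction step and the deploy step also ask operators for an Azure AD application (`activeDirectoryAppId`/`activeDirectoryAppSecret`), but none of the function code in this diff reads those values; if they are unused, dropping them removes a secret that would otherwise be minted and stored for nothing. Since `mimecastPassword` and `mimecastSecretKey` are taken as plain template parameters, it would also be worth promoting the Key Vault reference note from '(Optional Step)' to the recommended path.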
@@ -0,0 +1,31 @@
+class MimecastResponseCodes:
+
+ success = 200
+ """The request was processed and executed. This does not mean that the requested action was successful.
+ Function-level success or failure is indicated in the response body content."""
+
+ bad_request = 400
+ """The request cannot be processed because it is either malformed or not correct."""
+
+ unauthorized = 401
+ """Authorization information is either missing, incomplete or incorrect."""
+
+ forbidden = 403
+ """Access is denied to the requested resource. The user may not have enough permission to perform the action."""
+
+ not_found = 404
+ """The requested resource does not exist."""
+
+ conflict = 409
+ """The current status of the relying data does not match what is defined in the request."""
+
+ binding_expired = 418
+ """The TTL of the access key and secret key issued on successful login has lapsed and the binding should be
+ refreshed as described in the Authentication guide."""
+
+ quota_exceeded = 429
+ """The number of requests sent to the given resource has exceeded the rate limiting policy applied to the resource
+ for a given time period. Rate limiting is applied differently per resource and is subject to change."""
+
+ internal_server_error = 500
+ """The request was not processed successfully or an issue has occurred in the Mimecast platform."""
diff --git a/Solutions/MimecastTTP/Data Connectors/Models/Error/__init__.py b/Solutions/MimecastTTP/Data Connectors/Models/Error/__init__.py
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/Solutions/MimecastTTP/Data Connectors/Models/Error/errors.py b/Solutions/MimecastTTP/Data Connectors/Models/Error/errors.py
new file mode 100644
index 00000000000..7312edf8515
--- /dev/null
+++ b/Solutions/MimecastTTP/Data Connectors/Models/Error/errors.py
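Review bot: The bare triple-quoted strings placed after each constant (`success = 200` followed by `"""The request was processed..."""`) are not docstrings — Python evaluates and discards them, so they are invisible to `help()` and editors. Putting each description in a `#` comment above its constant, or collecting them in a class docstring, records the same Mimecast status semantics in the conventional place.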
@@ -0,0 +1,23 @@
+class BaseError(Exception):
+ request_id = None
+
+ def __init__(self, message, request_id=None):
+ if request_id:
+ self.request_id = request_id
+ super(BaseError, self).__init__(message)
+
+
+class MimecastRequestError(BaseError):
+ pass
+
+
+class ParsingError(MimecastRequestError):
+ pass
+
+
+class InvalidDataError(MimecastRequestError):
+ pass
+
+
+class AzureMonitorCollectorRequestError(BaseError):
+ pass
diff --git a/Solutions/MimecastTTP/Data Connectors/Models/Request/__init__.py b/Solutions/MimecastTTP/Data Connectors/Models/Request/__init__.py
new file mode 100644
index 00000000000..385e1e9890b
--- /dev/null
+++ b/Solutions/MimecastTTP/Data Connectors/Models/Request/__init__.py
@@ -0,0 +1,7 @@
+# trigger times in minutes
+GET_AUDIT_EVENTS_TRIGGER_TIME = 5
+GET_DLP_LOGS_TRIGGER_TIME = 5
+GET_THREAT_INTEL_FEED_TRIGGER_TIME = 5
+GET_TTP_ATTACHMENT_TRIGGER_TIME = 5
+GET_TTP_IMPERSONATION_TRIGGER_TIME = 5
+GET_TTP_URL_TRIGGER_TIME = 5
diff --git a/Solutions/MimecastTTP/Data Connectors/Models/Request/get_ttp_attachment_logs.py b/Solutions/MimecastTTP/Data Connectors/Models/Request/get_ttp_attachment_logs.py
new file mode 100644
index 00000000000..ad355610a15
--- /dev/null
+++ b/Solutions/MimecastTTP/Data Connectors/Models/Request/get_ttp_attachment_logs.py
@@ -0,0 +1,8 @@
+class GetTTPAttachmentLogsRequest:
+ def __init__(self, from_date, to_date, token):
+ self.payload = {
+ "meta": {"pagination": {"pageSize": 500}},
+ "data": [{"from": from_date, "to": to_date, "oldestFirst": True, "route": "all", "result": "all"}],
+ }
+ if token:
+ self.payload["meta"]["pagination"]["pageToken"] = token
diff --git a/Solutions/MimecastTTP/Data Connectors/Models/Request/get_ttp_impersonation_logs.py b/Solutions/MimecastTTP/Data Connectors/Models/Request/get_ttp_impersonation_logs.py
new file mode 100644
index 00000000000..a82d9cfce6e
--- /dev/null
+++ b/Solutions/MimecastTTP/Data Connectors/Models/Request/get_ttp_impersonation_logs.py
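Review bot: `ParsingError` and `InvalidDataError` derive from `MimecastRequestError`, so the `except MimecastRequestError` handler in the function entry points (visible at the top of this diff) catches a local date-parsing failure or a malformed body and logs it as 'Failed to get TTP Url logs from Mimecast.', pointing the operator at the wrong component. Either derive both from `BaseError` directly — `class ParsingError(BaseError):` and `class InvalidDataError(BaseError):` — or document on each class that it is intentionally reported as a request failure. A one-line docstring on `BaseError` noting that `request_id` is the `x-mc-req-id` of the failing call (that is what the callers assign into it) would also help the next reader.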
@@ -0,0 +1,8 @@
+class GetTTPImpersonationLogsRequest:
+ def __init__(self, from_date, to_date, token):
+ self.payload = {
+ "meta": {"pagination": {"pageSize": 500}},
+ "data": [{"oldestFirst": True, "from": from_date, "to": to_date}],
+ }
+ if token:
+ self.payload["meta"]["pagination"]["pageToken"] = token
diff --git a/Solutions/MimecastTTP/Data Connectors/Models/Request/get_ttp_url_logs.py b/Solutions/MimecastTTP/Data Connectors/Models/Request/get_ttp_url_logs.py
new file mode 100644
index 00000000000..35ce12445c3
--- /dev/null
+++ b/Solutions/MimecastTTP/Data Connectors/Models/Request/get_ttp_url_logs.py
@@ -0,0 +1,8 @@
+class GetTTPUrlLogsRequest:
+ def __init__(self, from_date, to_date, token):
+ self.payload = {
+ "meta": {"pagination": {"pageSize": 500}},
+ "data": [{"from": from_date, "to": to_date, "oldestFirst": True, "route": "all", "scanResult": "all"}],
+ }
+ if token:
+ self.payload["meta"]["pagination"]["pageToken"] = token
diff --git a/Solutions/MimecastTTP/Data Connectors/Models/Request/refresh_access_key.py b/Solutions/MimecastTTP/Data Connectors/Models/Request/refresh_access_key.py
new file mode 100644
index 00000000000..63f9e724468
--- /dev/null
+++ b/Solutions/MimecastTTP/Data Connectors/Models/Request/refresh_access_key.py
@@ -0,0 +1,5 @@
+class RefreshAccessKeyRequest:
+ def __init__(self, email, expired_access_key):
+ self.payload = {"data": [{"userName": email}]}
+ if expired_access_key:
+ self.payload["data"][0]["accessKey"] = expired_access_key
diff --git a/Solutions/MimecastTTP/Data Connectors/TransformData/ttp_attachment_parser.py b/Solutions/MimecastTTP/Data Connectors/TransformData/ttp_attachment_parser.py
new file mode 100644
index 00000000000..46477bb87b7
--- /dev/null
+++ b/Solutions/MimecastTTP/Data Connectors/TransformData/ttp_attachment_parser.py
@@ -0,0 +1,17 @@
+from ..Helpers.date_helper import DateHelper
+
+
+class TTPAttachmentParser:
+ def __init__(self):
+ self.date_helper = DateHelper()
+
+ def parse(self, logs):
+ for log in logs:
+ if "checkpoints" in log:
+ continue
+ event_id = "ttp_attachment"
+ category = "ttp_attachment"
+ timestamp = self.date_helper.convert_from_mimecast_format(log["date"])
+ log.update({"mimecastEventId": event_id, "mimecastEventCategory": category, "time_generated": timestamp})
+
+ return logs
diff --git a/Solutions/MimecastTTP/Data Connectors/TransformData/ttp_impersonation_parser.py b/Solutions/MimecastTTP/Data Connectors/TransformData/ttp_impersonation_parser.py
new file mode 100644
index 00000000000..f3d18775241
--- /dev/null
+++ b/Solutions/MimecastTTP/Data Connectors/TransformData/ttp_impersonation_parser.py
@@ -0,0 +1,17 @@
+from ..Helpers.date_helper import DateHelper
+
+
+class TTPImpersonationParser:
+ def __init__(self):
+ self.date_helper = DateHelper()
+
+ def parse(self, logs):
+ for log in logs:
+ if "checkpoints" in log:
+ continue
+ event_id = "ttp_impersonation"
+ category = "ttp_impersonation"
+ timestamp = self.date_helper.convert_from_mimecast_format(log["eventTime"])
+ log.update({"mimecastEventId": event_id, "mimecastEventCategory": category, "time_generated": timestamp})
+
+ return logs
diff --git a/Solutions/MimecastTTP/Data Connectors/TransformData/ttp_url_parser.py b/Solutions/MimecastTTP/Data Connectors/TransformData/ttp_url_parser.py
new file mode 100644
index 00000000000..5a9728ab26d
--- /dev/null
+++ b/Solutions/MimecastTTP/Data Connectors/TransformData/ttp_url_parser.py
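Review bot: In `TTPAttachmentParser.parse`, an entry containing a `checkpoints` key is skipped by `continue` but remains in `logs`, which is the list the method returns; if the `continue` means such entries are not events (as it appears to), they are still posted to Log Analytics without `mimecastEventId`, `mimecastEventCategory` or `time_generated`, and when one is last in the page the caller's `parsed_logs[-1]["date"]` checkpoint read is performed on it. Collecting only the enriched entries into a new list fixes both. `TTPImpersonationParser.parse` in the following hunk has the same shape (keyed on `eventTime`) and would take the same change.
```python
    def parse(self, logs):
        """Tag each attachment log with its event id/category and a UTC time_generated; checkpoint entries are dropped."""
        parsed = []
        for log in logs:
            if "checkpoints" in log:
                continue
            log.update({
                "mimecastEventId": "ttp_attachment",
                "mimecastEventCategory": "ttp_attachment",
                "time_generated": self.date_helper.convert_from_mimecast_format(log["date"]),
            })
            parsed.append(log)
        return parsed
```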
@@ -0,0 +1,17 @@
+from ..Helpers.date_helper import DateHelper
+
+
+class TTPUrlParser:
+ def __init__(self):
+ self.date_helper = DateHelper()
+
+ def parse(self, logs):
+ for log in logs:
+ if "checkpoints" in log:
+ continue
+ event_id = "ttp_url"
+ category = "ttp_url"
+ timestamp = self.date_helper.convert_from_mimecast_format(log["date"])
+ log.update({"mimecastEventId": event_id, "mimecastEventCategory": category, "time_generated": timestamp})
+
+ return logs
diff --git a/Solutions/MimecastTTP/Data Connectors/azuredeploy_MimecastTTP_AzureFunctionApp.json b/Solutions/MimecastTTP/Data Connectors/azuredeploy_MimecastTTP_AzureFunctionApp.json
new file mode 100644
index 00000000000..9c351d85c08
--- /dev/null
+++ b/Solutions/MimecastTTP/Data Connectors/azuredeploy_MimecastTTP_AzureFunctionApp.json
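Review bot: `TTPUrlParser.parse` has the same gap as the other two parsers: `continue` leaves any `checkpoints` entry in the returned `logs` without the three enrichment fields, so it reaches Log Analytics unlabelled and may be the element the caller reads `["date"]` from for its checkpoint. Accumulate the enriched entries instead — `parsed = []` before the loop, `parsed.append(log)` after the `log.update(...)`, and `return parsed` at the end — so only tagged events leave this method. A one-line docstring stating that contract (tagged copies of the input, checkpoint entries dropped) would round it off.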
@@ -0,0 +1,463 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "appName": { + "type": "string", + "metadata": { + "description": "The name of the function app that you wish to create." + } + }, + "objectId": { + "type": "string", + "metadata": { + "description": "Unique object ID in the Azure Active Directory." + } + }, + "storageAccountType": { + "type": "string", + "defaultValue": "Standard_LRS", + "allowedValues": [ + "Standard_LRS", + "Standard_GRS", + "Standard_RAGRS" + ], + "metadata": { + "description": "Storage Account type" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." + } + }, + "appInsightsLocation": { + "type": "string", + "metadata": { + "description": "Location for Application Insights." + } + }, + "mimecastEmail": { + "type": "string", + "metadata": { + "description": "Mimecast API email address." + } + }, + "mimecastPassword": { + "type": "string", + "metadata": { + "description": "Mimecast API password." + } + }, + "mimecastAppId": { + "type": "string", + "metadata": { + "description": "Mimecast API Application ID." + } + }, + "mimecastAppKey": { + "type": "string", + "metadata": { + "description": "Mimecast API Application Key." + } + }, + "mimecastAccessKey": { + "type": "string", + "metadata": { + "description": "Mimecast API Access Key." + } + }, + "mimecastSecretKey": { + "type": "string", + "metadata": { + "description": "Mimecast API Secret Key." + } + }, + "mimecastBaseURL": { + "type": "string", + "metadata": { + "description": "Mimecast API Base URL in format https://region-api.mimecast.com." + } + }, + "activeDirectoryAppId": { + "type": "string", + "metadata": { + "description": "Application (client) ID of the registered application." 
+ } + }, + "activeDirectoryAppSecret": { + "type": "string", + "metadata": { + "description": "Application secret of the registered application." + } + } + }, + "variables": { + "functionAppName": "[parameters('appName')]", + "hostingPlanName": "[parameters('appName')]", + "applicationInsightsName": "[parameters('appName')]", + "storageAccountName": "[parameters('appName')]" + }, + "resources": [ + { + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2019-06-01", + "name": "[variables('storageAccountName')]", + "location": "[parameters('location')]", + "sku": { + "name": "Standard_RAGRS", + "tier": "Standard" + }, + "kind": "StorageV2", + "resources": [ + { + "type": "blobServices/containers", + "apiVersion": "2019-06-01", + "name": "[concat('default/', 'ttp-checkpoints')]", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]" + ], + "properties": { + "publicAccess": "None" + } + } + ] + }, + { + "type": "Microsoft.Web/serverfarms", + "apiVersion": "2020-09-01", + "name": "[variables('hostingPlanName')]", + "location": "[parameters('location')]", + "kind": "functionapp", + "sku": { + "name": "Y1", + "tier": "Dynamic", + "size": "Y1", + "family": "Y", + "capacity": 0 + }, + "properties": { + "name": "[variables('hostingPlanName')]", + "computeMode": "Dynamic", + "kind": "functionapp", + "reserved": true, + "isXenon": false, + "hyperV": false, + "azBalancing": false + } + }, + { + "type": "Microsoft.Web/sites", + "apiVersion": "2018-11-01", + "name": "[variables('functionAppName')]", + "location": "[parameters('location')]", + "kind": "functionapp,linux", + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]", + "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]" + ], + "properties": { + "siteConfig": { + "linuxFxVersion": "Python|3.8" + }, + "serverFarmId": 
"[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]", + "clientAffinityEnabled": false + }, + "resources": [{ + "apiVersion": "2015-08-01", + "type": "config", + "name": "appsettings", + "dependsOn": [ + "[resourceId('Microsoft.Web/sites', variables('functionAppName'))]", + "[resourceId('Microsoft.KeyVault/vaults/', variables('functionAppName'))]", + "[resourceId('Microsoft.KeyVault/vaults/secrets', variables('functionAppName'), 'mimecast-email')]", + "[resourceId('Microsoft.KeyVault/vaults/secrets', variables('functionAppName'), 'mimecast-password')]", + "[resourceId('Microsoft.KeyVault/vaults/secrets', variables('functionAppName'), 'mimecast-app-id')]", + "[resourceId('Microsoft.KeyVault/vaults/secrets', variables('functionAppName'), 'mimecast-app-key')]", + "[resourceId('Microsoft.KeyVault/vaults/secrets', variables('functionAppName'), 'mimecast-access-key')]", + "[resourceId('Microsoft.KeyVault/vaults/secrets', variables('functionAppName'), 'mimecast-secret-key')]", + "[resourceId('Microsoft.KeyVault/vaults/secrets', variables('functionAppName'), 'mimecast-base-url')]", + "[resourceId('Microsoft.KeyVault/vaults/secrets', variables('functionAppName'), 'active-directory-app-id')]", + "[resourceId('Microsoft.KeyVault/vaults/secrets', variables('functionAppName'), 'active-directory-app-secret')]", + "[resourceId('Microsoft.KeyVault/vaults/secrets', variables('functionAppName'), 'active-directory-tenant-id')]", + "[resourceId('Microsoft.KeyVault/vaults/secrets', variables('functionAppName'), 'log-analytics-workspace-id')]", + "[resourceId('Microsoft.KeyVault/vaults/secrets', variables('functionAppName'), 'log-analytics-workspace-key')]" + ], + "properties": { + "AzureWebJobsStorage": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';EndpointSuffix=', environment().suffixes.storage, ';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), 
'2019-06-01').keys[0].value)]", + "FUNCTIONS_EXTENSION_VERSION": "~3", + "FUNCTIONS_WORKER_RUNTIME": "python", + "APPINSIGHTS_INSTRUMENTATIONKEY": "[reference(resourceId('microsoft.insights/components', variables('applicationInsightsName')), '2020-02-02-preview').InstrumentationKey]", + "mimecast_email": "[concat('@Microsoft.KeyVault(SecretUri=https://', variables('functionAppName'), '.vault.azure.net/secrets/', 'mimecast-email', '/)')]", + "mimecast_password": "[concat('@Microsoft.KeyVault(SecretUri=https://', variables('functionAppName'), '.vault.azure.net/secrets/', 'mimecast-password', '/)')]", + "mimecast_app_id": "[concat('@Microsoft.KeyVault(SecretUri=https://', variables('functionAppName'), '.vault.azure.net/secrets/', 'mimecast-app-id', '/)')]", + "mimecast_app_key": "[concat('@Microsoft.KeyVault(SecretUri=https://', variables('functionAppName'), '.vault.azure.net/secrets/', 'mimecast-app-key', '/)')]", + "mimecast_access_key": "[concat('@Microsoft.KeyVault(SecretUri=https://', variables('functionAppName'), '.vault.azure.net/secrets/', 'mimecast-access-key', '/)')]", + "mimecast_secret_key": "[concat('@Microsoft.KeyVault(SecretUri=https://', variables('functionAppName'), '.vault.azure.net/secrets/', 'mimecast-secret-key', '/)')]", + "mimecast_base_url": "[concat('@Microsoft.KeyVault(SecretUri=https://', variables('functionAppName'), '.vault.azure.net/secrets/', 'mimecast-base-url', '/)')]", + "active_directory_app_id": "[concat('@Microsoft.KeyVault(SecretUri=https://', variables('functionAppName'), '.vault.azure.net/secrets/', 'active-directory-app-id', '/)')]", + "active_directory_app_secret": "[concat('@Microsoft.KeyVault(SecretUri=https://', variables('functionAppName'), '.vault.azure.net/secrets/', 'active-directory-app-secret', '/)')]", + "active_directory_tenant_id": "[concat('@Microsoft.KeyVault(SecretUri=https://', variables('functionAppName'), '.vault.azure.net/secrets/', 'active-directory-tenant-id', '/)')]", + "log_analytics_workspace_id": 
"[concat('@Microsoft.KeyVault(SecretUri=https://', variables('functionAppName'), '.vault.azure.net/secrets/', 'log-analytics-workspace-id', '/)')]", + "log_analytics_workspace_key": "[concat('@Microsoft.KeyVault(SecretUri=https://', variables('functionAppName'), '.vault.azure.net/secrets/', 'log-analytics-workspace-key', '/)')]", + "WEBSITE_RUN_FROM_PACKAGE": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastTTP/Data%20Connectors/MimecastTTPAzureConn.zip" + } + }] + }, + { + "apiVersion": "2015-03-20", + "name": "[variables('functionAppName')]", + "location": "[parameters('location')]", + "type": "Microsoft.OperationalInsights/workspaces", + "properties": { + "sku": { + "name": "pergb2018" + }, + "retentionInDays": 30, + "features": { + "legacy": 0, + "searchVersion": 1, + "enableLogAccessUsingOnlyResourcePermissions": true + }, + "publicNetworkAccessForIngestion": "Enabled", + "publicNetworkAccessForQuery": "Enabled" + } + }, + { + "type": "Microsoft.OperationsManagement/solutions", + "apiVersion": "2015-11-01-preview", + "name": "[concat('SecurityInsights','(', variables('functionAppName'),')')]", + "location": "[parameters('location')]", + "plan": { + "name": "[concat('SecurityInsights','(', variables('functionAppName'),')')]", + "promotionCode": "", + "product": "OMSGallery/SecurityInsights", + "publisher": "Microsoft" + }, + "dependsOn": [ + "[resourceId('Microsoft.OperationalInsights/workspaces/', variables('functionAppName'))]" + ], + "properties": { + "workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces/', variables('functionAppName'))]" + } + }, + { + "type": "microsoft.insights/components", + "apiVersion": "2020-02-02-preview", + "name": "[variables('applicationInsightsName')]", + "location": "[parameters('appInsightsLocation')]", + "tags": { + "[concat('hidden-link:', resourceId('Microsoft.Web/sites', variables('applicationInsightsName')))]": "Resource" + }, + "properties": { + "ApplicationId": 
"[variables('applicationInsightsName')]", + "Request_Source": "IbizaWebAppExtensionCreate" + } + }, + { + "type": "Microsoft.KeyVault/vaults", + "name": "[variables('functionAppName')]", + "location": "[parameters('location')]", + "apiVersion": "2019-09-01", + "tags": { + "displayName": "KeyVault" + }, + "properties": { + "enabledForDeployment": false, + "enabledForTemplateDeployment": false, + "enabledForDiskEncryption": false, + "tenantId": "[subscription().tenantId]", + "accessPolicies": [{ + "objectId": "[reference(resourceId('Microsoft.Web/sites', variables('functionAppName')),'2019-08-01', 'full').identity.principalId]", + "tenantId": "[subscription().tenantId]", + "permissions": { + "secrets": [ + "Get", + "List", + "Set", + "Delete", + "Recover", + "Backup", + "Restore" + ] + } + }, + { + "objectId": "[parameters('objectId')]", + "tenantId": "[subscription().tenantId]", + "permissions": { + "secrets": [ + "Get", + "List", + "Set", + "Delete", + "Recover", + "Backup", + "Restore" + ] + } + } + ], + "sku": { + "family": "A", + "name": "Standard" + }, + "networkAcls": { + "defaultAction": "Allow", + "bypass": "AzureServices" + } + } + }, + { + "type": "Microsoft.KeyVault/vaults/secrets", + "apiVersion": "2019-09-01", + "name": "[concat(variables('functionAppName'), '/', 'mimecast-email')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[resourceId('Microsoft.KeyVault/vaults', parameters('appName'))]" + ], + "properties": { + "value": "[parameters('mimecastEmail')]" + } + }, + { + "type": "Microsoft.KeyVault/vaults/secrets", + "apiVersion": "2019-09-01", + "name": "[concat(variables('functionAppName'), '/', 'mimecast-password')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[resourceId('Microsoft.KeyVault/vaults', parameters('appName'))]" + ], + "properties": { + "value": "[parameters('mimecastPassword')]" + } + }, + { + "type": "Microsoft.KeyVault/vaults/secrets", + "apiVersion": "2019-09-01", + "name": 
"[concat(variables('functionAppName'), '/', 'mimecast-app-id')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[resourceId('Microsoft.KeyVault/vaults', parameters('appName'))]" + ], + "properties": { + "value": "[parameters('mimecastAppId')]" + } + }, + { + "type": "Microsoft.KeyVault/vaults/secrets", + "apiVersion": "2019-09-01", + "name": "[concat(variables('functionAppName'), '/', 'mimecast-app-key')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[resourceId('Microsoft.KeyVault/vaults', parameters('appName'))]" + ], + "properties": { + "value": "[parameters('mimecastAppKey')]" + } + }, + { + "type": "Microsoft.KeyVault/vaults/secrets", + "apiVersion": "2019-09-01", + "name": "[concat(variables('functionAppName'), '/', 'mimecast-access-key')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[resourceId('Microsoft.KeyVault/vaults', parameters('appName'))]" + ], + "properties": { + "value": "[parameters('mimecastAccessKey')]" + } + }, + { + "type": "Microsoft.KeyVault/vaults/secrets", + "apiVersion": "2019-09-01", + "name": "[concat(variables('functionAppName'), '/', 'mimecast-secret-key')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[resourceId('Microsoft.KeyVault/vaults', parameters('appName'))]" + ], + "properties": { + "value": "[parameters('mimecastSecretKey')]" + } + }, + { + "type": "Microsoft.KeyVault/vaults/secrets", + "apiVersion": "2019-09-01", + "name": "[concat(variables('functionAppName'), '/', 'mimecast-base-url')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[resourceId('Microsoft.KeyVault/vaults', parameters('appName'))]" + ], + "properties": { + "value": "[parameters('mimecastBaseURL')]" + } + }, + { + "type": "Microsoft.KeyVault/vaults/secrets", + "apiVersion": "2019-09-01", + "name": "[concat(variables('functionAppName'), '/', 'active-directory-app-id')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[resourceId('Microsoft.KeyVault/vaults', 
parameters('appName'))]" + ], + "properties": { + "value": "[parameters('activeDirectoryAppId')]" + } + }, + { + "type": "Microsoft.KeyVault/vaults/secrets", + "apiVersion": "2019-09-01", + "name": "[concat(variables('functionAppName'), '/', 'active-directory-app-secret')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[resourceId('Microsoft.KeyVault/vaults', parameters('appName'))]" + ], + "properties": { + "value": "[parameters('activeDirectoryAppSecret')]" + } + }, + { + "type": "Microsoft.KeyVault/vaults/secrets", + "apiVersion": "2019-09-01", + "name": "[concat(variables('functionAppName'), '/', 'active-directory-tenant-id')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[resourceId('Microsoft.KeyVault/vaults', parameters('appName'))]" + ], + "properties": { + "value": "[subscription().tenantId]" + } + }, + { + "type": "Microsoft.KeyVault/vaults/secrets", + "apiVersion": "2019-09-01", + "name": "[concat(variables('functionAppName'), '/', 'log-analytics-workspace-id')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[resourceId('Microsoft.KeyVault/vaults', parameters('appName'))]", + "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('appName'))]" + ], + "properties": { + "value": "[reference(resourceId('Microsoft.OperationalInsights/workspaces/', parameters('appName')), '2015-03-20').customerId]" + } + }, + { + "type": "Microsoft.KeyVault/vaults/secrets", + "apiVersion": "2019-09-01", + "name": "[concat(variables('functionAppName'), '/', 'log-analytics-workspace-key')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[resourceId('Microsoft.KeyVault/vaults', parameters('appName'))]", + "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('appName'))]" + ], + "properties": { + "value": "[listKeys(resourceId('Microsoft.OperationalInsights/workspaces/', parameters('appName')), '2015-03-20').primarySharedKey]" + } + } + ] +} 
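Review bot: `mimecastPassword`, `mimecastAppKey`, `mimecastAccessKey`, `mimecastSecretKey` and `activeDirectoryAppSecret` are declared as `"type": "string"`, so their values are kept in plain text in the deployment history and operation logs even though the template then places them in Key Vault; each of these parameters should be `"type": "securestring"`. The `storageAccountType` parameter is never referenced — the storage account hard-codes `"name": "Standard_RAGRS"` — so either wire it in as `"name": "[parameters('storageAccountType')]"` or drop the parameter and its `allowedValues`. The function app's Key Vault access policy grants `Set`, `Delete`, `Recover`, `Backup` and `Restore` on secrets although the app settings only read them through Key Vault references, so `Get` (plus `List` if the code enumerates) is enough for that identity, and the vault's `networkAcls.defaultAction` is `Allow`, which leaves the vault reachable from any network. `WEBSITE_RUN_FROM_PACKAGE` points at a path on the mutable `master` branch on GitHub, so the code running in the customer's tenant can change without any redeployment; a release-tagged or hash-pinned artifact would make the deployment reproducible, and since that is a GitHub `blob` URL rather than a raw-content URL it is worth verifying that the runtime actually receives the archive and not an HTML page.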
diff --git a/Solutions/MimecastTTP/Data Connectors/host.json b/Solutions/MimecastTTP/Data Connectors/host.json
new file mode 100644
index 00000000000..e1a6a9f9f84
--- /dev/null
+++ b/Solutions/MimecastTTP/Data Connectors/host.json
@@ -0,0 +1,15 @@
+{
+ "version": "2.0",
+ "logging": {
+ "applicationInsights": {
+ "samplingSettings": {
+ "isEnabled": true,
+ "excludedTypes": "Request"
+ }
+ }
+ },
+ "extensionBundle": {
+ "id": "Microsoft.Azure.Functions.ExtensionBundle",
+ "version": "[2.*, 3.0.0)"
+ }
+}
diff --git a/Solutions/MimecastTTP/Data Connectors/requirements.txt b/Solutions/MimecastTTP/Data Connectors/requirements.txt
new file mode 100644
index 00000000000..f1645ceb22f
--- /dev/null
+++ b/Solutions/MimecastTTP/Data Connectors/requirements.txt
@@ -0,0 +1,5 @@
+# Do not include azure-functions-worker as it may conflict with the Azure Functions platform
+
+azure-functions
+requests~=2.25.1
+msal~=1.9.0
diff --git a/Solutions/MimecastTTP/Data/Solution_MimecastTTP.json b/Solutions/MimecastTTP/Data/Solution_MimecastTTP.json
new file mode 100644
index 00000000000..3bd1088ee55
--- /dev/null
+++ b/Solutions/MimecastTTP/Data/Solution_MimecastTTP.json
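Review bot: `requests~=2.25.1` and `msal~=1.9.0` are compatible-release specifiers, which only admit patch releases within the 2.25 and 1.9 lines, so security fixes published in later minor releases of either library will never be installed by this connector; raise the floors to a current release line and review them on a schedule. `azure-functions` is left unpinned while the other two are constrained, which makes builds non-reproducible in the opposite direction; one consistent policy (all with a floor, or all exact pins from a lock file) is easier to audit.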
@@ -0,0 +1,22 @@
+{
+ "Name": "MimecastTTP",
+ "Author": "Mimecast - dlapi@mimecast.com",
+ "Logo": "",
+ "Description": "The data connector for [Mimecast Targeted Threat Protection](https://community.mimecast.com/s/article/Azure-Sentinel) provides customers with the visibility into security events related to the Targeted Threat Protection inspection technologies within Microsoft Sentinel. The data connector provides pre-created dashboards to allow analysts to view insight into email based threats, aid in incident correlation and reduce investigation response times coupled with custom alert capabilities. \nThe Mimecast products included within the connector are: \n- URL Protect \n- Impersonation Protect \n- Attachment Protect\n\n\nMicrosoft Sentinel Solutions provide a consolidated way to acquire Microsoft Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.",
+ "Analytic Rules": [
+ "Analytic Rules/MimecastTTPAttachment.yaml",
+ "Analytic Rules/MimecastTTPImpersonation.yaml",
+ "Analytic Rules/MimecastTTPUrl.yaml"
+ ],
+ "Workbooks": [
+ "Workbooks/MimecastTTPWorkbook.json"
+ ],
+ "Data Connectors": [
+ "Data Connectors/MimecastTTP/MimecastTTP_API_FunctionApp.json"
+ ],
+ "BasePath": "C:\\Azure-Sentinel\\Solutions\\MimecastTTP",
+ "Version": "3.0.0",
+ "Metadata": "SolutionMetadata.json",
+ "TemplateSpec": true,
+ "Is1PConnector": false
+}
\ No newline at end of file
diff --git a/Solutions/MimecastTTP/Package/3.0.0.zip b/Solutions/MimecastTTP/Package/3.0.0.zip
new file mode 100644
index 00000000000..465c1bdb038
Binary files /dev/null and b/Solutions/MimecastTTP/Package/3.0.0.zip differ
diff --git a/Solutions/MimecastTTP/Package/createUiDefinition.json b/Solutions/MimecastTTP/Package/createUiDefinition.json
new file mode 100644
index 00000000000..11f51ce1fb7
--- /dev/null
+++ b/Solutions/MimecastTTP/Package/createUiDefinition.json
@@ -0,0 +1,197 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Azure.CreateUIDef", + "version": "0.1.2-preview", + "parameters": { + "config": { + "isWizard": false, + "basics": { + "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe data connector for [Mimecast Targeted Threat Protection](https://community.mimecast.com/s/article/Azure-Sentinel) provides customers with the visibility into security events related to the Targeted Threat Protection inspection technologies within Microsoft Sentinel. The data connector provides pre-created dashboards to allow analysts to view insight into email based threats, aid in incident correlation and reduce investigation response times coupled with custom alert capabilities. \nThe Mimecast products included within the connector are: \n- URL Protect \n- Impersonation Protect \n- Attachment Protect\n\n\nMicrosoft Sentinel Solutions provide a consolidated way to acquire Microsoft Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "subscription": { + "resourceProviders": [ + "Microsoft.OperationsManagement/solutions", + "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "Microsoft.Insights/workbooks", + "Microsoft.Logic/workflows" + ] + }, + "location": { + "metadata": { + "hidden": "Hiding location, we get it from the log analytics workspace" + }, + "visible": false + }, + "resourceGroup": { + "allowExisting": true + } + } + }, + "basics": [ + { + "name": "getLAWorkspace", + "type": "Microsoft.Solutions.ArmApiControl", 
+ "toolTip": "This filters by workspaces that exist in the Resource Group selected", + "condition": "[greater(length(resourceGroup().name),0)]", + "request": { + "method": "GET", + "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]" + } + }, + { + "name": "workspace", + "type": "Microsoft.Common.DropDown", + "label": "Workspace", + "placeholder": "Select a workspace", + "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected", + "constraints": { + "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]", + "required": true + }, + "visible": true + } + ], + "steps": [ + { + "name": "dataconnectors", + "label": "Data Connectors", + "bladeTitle": "Data Connectors", + "elements": [ + { + "name": "dataconnectors1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Solution installs the data connector for MimecastTTP. You can get MimecastTTP custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + } + }, + { + "name": "dataconnectors-link2", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more about connecting data sources", + "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" + } + } + } + ] + }, + { + "name": "workbooks", + "label": "Workbooks", + "subLabel": { + "preValidation": "Configure the workbooks", + "postValidation": "Done" + }, + "bladeTitle": "Workbooks", + "elements": [ + { + "name": "workbooks-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This solution installs workbook(s) to help you gain insights into the telemetry collected in Microsoft Sentinel. 
After installing the solution, start using the workbook in Manage solution view." + } + }, + { + "name": "workbooks-link", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data" + } + } + }, + { + "name": "workbook1", + "type": "Microsoft.Common.Section", + "label": "MimecastTTP", + "elements": [ + { + "name": "workbook1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "A workbook providing insights into Mimecast Targeted Threat Protection." + } + } + ] + } + ] + }, + { + "name": "analytics", + "label": "Analytics", + "subLabel": { + "preValidation": "Configure the analytics", + "postValidation": "Done" + }, + "bladeTitle": "Analytics", + "elements": [ + { + "name": "analytics-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view." 
+ } + }, + { + "name": "analytics-link", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" + } + } + }, + { + "name": "analytic1", + "type": "Microsoft.Common.Section", + "label": "Mimecast Targeted Threat Protection - Attachment Protect", + "elements": [ + { + "name": "analytic1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Detects a threat for an unsafe attachment in an email" + } + } + ] + }, + { + "name": "analytic2", + "type": "Microsoft.Common.Section", + "label": "Mimecast Targeted Threat Protection - Impersonation Protect", + "elements": [ + { + "name": "analytic2-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Detects a maliciously tagged impersonation" + } + } + ] + }, + { + "name": "analytic3", + "type": "Microsoft.Common.Section", + "label": "Mimecast Targeted Threat Protection - URL Protect", + "elements": [ + { + "name": "analytic3-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Detects malicious scan results and actions which are not allowed" + } + } + ] + } + ] + } + ], + "outputs": { + "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]", + "location": "[location()]", + "workspace": "[basics('workspace')]" + } + } +} diff --git a/Solutions/MimecastTTP/Package/mainTemplate.json b/Solutions/MimecastTTP/Package/mainTemplate.json new file mode 100644 index 00000000000..304012f93f3 --- /dev/null +++ b/Solutions/MimecastTTP/Package/mainTemplate.json 
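Review bot: The `resourceProviders` list in the basics config includes `Microsoft.Logic/workflows`, yet the solution manifest added in this same commit declares no playbooks, so installers are required to have a provider registered that nothing in the package deploys; unless the packaging tool emits this entry unconditionally, it should be dropped. The workspace dropdown's `allowedValues` builds each option with `parse(concat('{\"label\":\"', item.name, ...))`, i.e. JSON assembled from string fragments, which would break for a workspace name containing a double quote; Log Analytics naming rules appear to rule that out today, but the construction deserves a second look if the expression is ever reused for values the user types in.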
@@ -0,0 +1,1074 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "author": "Mimecast - dlapi@mimecast.com", + "comments": "Solution template for MimecastTTP" + }, + "parameters": { + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + }, + "workbook1-name": { + "type": "string", + "defaultValue": "MimecastTTP", + "minLength": 1, + "metadata": { + "description": "Name for the workbook" + } + } + }, + "variables": { + "email": "dlapi@mimecast.com", + "_email": "[variables('email')]", + "_solutionName": "MimecastTTP", + "_solutionVersion": "3.0.0", + "solutionId": "mimecast.azure-sentinel-solution-mimecastttp", + "_solutionId": "[variables('solutionId')]", + "analyticRuleVersion1": "1.0.0", + "analyticRulecontentId1": "aa75944c-a663-4901-969e-7b55bfa49a73", + "_analyticRulecontentId1": "[variables('analyticRulecontentId1')]", + "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]", + "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1'))))]", + "analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId1'),'-', variables('analyticRuleVersion1'))))]", + "_analyticRulecontentProductId1": "[variables('analyticRulecontentProductId1')]", + "analyticRuleVersion2": "1.0.0", + "analyticRulecontentId2": "d8e7eca6-4b59-4069-a31e-a022b2a12ea4", + "_analyticRulecontentId2": "[variables('analyticRulecontentId2')]", + "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]", + "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2'))))]", + "analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId2'),'-', variables('analyticRuleVersion2'))))]", + "_analyticRulecontentProductId2": "[variables('analyticRulecontentProductId2')]", + "analyticRuleVersion3": "1.0.0", + "analyticRulecontentId3": "9d5545bd-1450-4086-935c-62f15fc4a4c9", + "_analyticRulecontentId3": "[variables('analyticRulecontentId3')]", + "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId3'))]", + "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId3'))))]", + "analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId3'),'-', variables('analyticRuleVersion3'))))]", + "_analyticRulecontentProductId3": "[variables('analyticRulecontentProductId3')]", + "workbookVersion1": "1.0.0", + "workbookContentId1": "MimecastTTPWorkbook", + "workbookId1": 
"[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", + "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]", + "_workbookContentId1": "[variables('workbookContentId1')]", + "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", + "_workbookcontentProductId1": "[variables('workbookcontentProductId1')]", + "uiConfigId1": "MimecastTTPAPI", + "_uiConfigId1": "[variables('uiConfigId1')]", + "dataConnectorContentId1": "MimecastTTPAPI", + "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", + "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "_dataConnectorId1": "[variables('dataConnectorId1')]", + "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", + "dataConnectorVersion1": "1.0.0", + "dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", + "_dataConnectorcontentProductId1": "[variables('dataConnectorcontentProductId1')]", + "solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]", + 
"_solutioncontentProductId": "[variables('solutioncontentProductId')]" + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "MimecastTTPAttachment_AnalyticalRules Analytics Rule with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleVersion1')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRulecontentId1')]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects a threat for an unsafe attachment in an email", + "displayName": "Mimecast Targeted Threat Protection - Attachment Protect", + "enabled": false, + "query": "MimecastTTPAttachment_CL| where result_s <> \"safe\";", + "queryFrequency": "PT5M", + "queryPeriod": "PT15M", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "MimecastTTPAPI", + "dataTypes": [ + "MimecastTTPAttachment_CL" + ] + } + ], + "tactics": [ + "InitialAccess", + "Discovery" + ], + "techniques": [ + "T0865" + ], + "entityMappings": [ + { + "entityType": "MailMessage", + "fieldMappings": [ + { + "columnName": "senderAddress_s", + "identifier": "Sender" + }, + { + "columnName": "recipientAddress_s", + 
"identifier": "Recipient" + }, + { + "columnName": "subject_s", + "identifier": "Subject" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "customDetails": { + "fileType": "fileType_s", + "fileName": "fileName_s", + "fileHash": "fileHash_s", + "details": "details_s" + }, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "lookbackDuration": "1d", + "reopenClosedIncident": false, + "matchingMethod": "AllEntities", + "enabled": true + } + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]", + "properties": { + "description": "MimecastTTP Analytics Rule 1", + "parentId": "[variables('analyticRuleId1')]", + "contentId": "[variables('_analyticRulecontentId1')]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleVersion1')]", + "source": { + "kind": "Solution", + "name": "MimecastTTP", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Mimecast", + "email": "[variables('_email')]" + }, + "support": { + "name": "Mimecast", + "email": "support@mimecast.com", + "tier": "Partner", + "link": "https://community.mimecast.com/s/contactsupport" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId1')]", + "contentKind": "AnalyticsRule", + "displayName": "Mimecast Targeted Threat Protection - Attachment Protect", + "contentProductId": "[variables('_analyticRulecontentProductId1')]", + "id": "[variables('_analyticRulecontentProductId1')]", + "version": "[variables('analyticRuleVersion1')]" + } + }, + { + "type": 
"Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleTemplateSpecName2')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "MimecastTTPImpersonation_AnalyticalRules Analytics Rule with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleVersion2')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRulecontentId2')]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects a maliciously tagged impersonation", + "displayName": "Mimecast Targeted Threat Protection - Impersonation Protect", + "enabled": false, + "query": "MimecastTTPImpersonation_CL| where taggedMalicious_b == true;", + "queryFrequency": "PT5M", + "queryPeriod": "PT15M", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "MimecastTTPAPI", + "dataTypes": [ + "MimecastTTPImpersonation_CL" + ] + } + ], + "tactics": [ + "Exfiltration", + "Collection", + "Discovery" + ], + "techniques": [ + "T1114" + ], + "entityMappings": [ + { + "entityType": "MailMessage", + "fieldMappings": [ + { + "columnName": "senderAddress_s", + "identifier": "Sender" + }, + { + "columnName": "senderIpAddress_s", + "identifier": "SenderIP" + }, + { + "columnName": "recipientAddress_s", + "identifier": 
"Recipient" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "lookbackDuration": "1d", + "reopenClosedIncident": false, + "matchingMethod": "AllEntities", + "enabled": true + } + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId2'),'/'))))]", + "properties": { + "description": "MimecastTTP Analytics Rule 2", + "parentId": "[variables('analyticRuleId2')]", + "contentId": "[variables('_analyticRulecontentId2')]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleVersion2')]", + "source": { + "kind": "Solution", + "name": "MimecastTTP", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Mimecast", + "email": "[variables('_email')]" + }, + "support": { + "name": "Mimecast", + "email": "support@mimecast.com", + "tier": "Partner", + "link": "https://community.mimecast.com/s/contactsupport" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId2')]", + "contentKind": "AnalyticsRule", + "displayName": "Mimecast Targeted Threat Protection - Impersonation Protect", + "contentProductId": "[variables('_analyticRulecontentProductId2')]", + "id": "[variables('_analyticRulecontentProductId2')]", + "version": "[variables('analyticRuleVersion2')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleTemplateSpecName3')]", + "location": "[parameters('workspace-location')]", + 
"dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "MimecastTTPUrl_AnalyticalRules Analytics Rule with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleVersion3')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRulecontentId3')]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects malicious scan results and actions which are not allowed", + "displayName": "Mimecast Targeted Threat Protection - URL Protect", + "enabled": false, + "query": "MimecastTTPUrl_CL| where scanResult_s == \"malicious\" and action_s != \"allow\";", + "queryFrequency": "PT5M", + "queryPeriod": "PT15M", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "MimecastTTPAPI", + "dataTypes": [ + "MimecastTTPUrl_CL" + ] + } + ], + "tactics": [ + "InitialAccess", + "Discovery" + ], + "techniques": [ + "T0865" + ], + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "columnName": "sendingIp_s", + "identifier": "Address" + } + ] + }, + { + "entityType": "MailMessage", + "fieldMappings": [ + { + "columnName": "fromUserEmailAddress_s", + "identifier": "Sender" + }, + { + "columnName": "messageId_s", + "identifier": "InternetMessageId" + }, + { + "columnName": "userEmailAddress_s", + "identifier": "Recipient" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "columnName": 
"url_s", + "identifier": "Url" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "lookbackDuration": "1d", + "reopenClosedIncident": false, + "matchingMethod": "AllEntities", + "enabled": true + } + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId3'),'/'))))]", + "properties": { + "description": "MimecastTTP Analytics Rule 3", + "parentId": "[variables('analyticRuleId3')]", + "contentId": "[variables('_analyticRulecontentId3')]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleVersion3')]", + "source": { + "kind": "Solution", + "name": "MimecastTTP", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Mimecast", + "email": "[variables('_email')]" + }, + "support": { + "name": "Mimecast", + "email": "support@mimecast.com", + "tier": "Partner", + "link": "https://community.mimecast.com/s/contactsupport" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId3')]", + "contentKind": "AnalyticsRule", + "displayName": "Mimecast Targeted Threat Protection - URL Protect", + "contentProductId": "[variables('_analyticRulecontentProductId3')]", + "id": "[variables('_analyticRulecontentProductId3')]", + "version": "[variables('analyticRuleVersion3')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('workbookTemplateSpecName1')]", + "location": 
"[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "MimecastTTPWorkbookWorkbook Workbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('workbookVersion1')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Insights/workbooks", + "name": "[variables('workbookContentId1')]", + "location": "[parameters('workspace-location')]", + "kind": "shared", + "apiVersion": "2021-08-01", + "metadata": { + "description": "A workbook providing insights into Mimecast Targeted Threat Protection." + }, + "properties": { + "displayName": "[parameters('workbook1-name')]", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"82fedb33-961a-4199-a5ab-16340948ed10\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"time_range\",\"label\":\"time range\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":2592000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":1,\"content\":{\"json\":\"# Advanced Threat Detections\"},\"name\":\"text - 
17\"},{\"type\":1,\"content\":{\"json\":\"#### Detection counts for Attachment Protect, URL Protect and Impersonation Protect\",\"style\":\"info\"},\"name\":\"text - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union MimecastTTPUrl_CL, MimecastTTPAttachment_CL, MimecastTTPImpersonation_CL\\n| summarize Count=count() by Type, bin(TimeGenerated, 1h)\",\"size\":3,\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Type\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"Type\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"nodeIdField\":\"Type\",\"sourceIdField\":\"Count\",\"targetIdField\":\"Type\",\"graphOrientation\":3,\"showOrientationToggles\":false,\"nodeSize\":\"\",\"staticNodeSize\":100,\"colorSettings\":\"\",\"hivesMargin\":5},\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"MimecastTTPUrl_CL\",\"label\":\"URL Protect\"},{\"seriesName\":\"MimecastTTPAttachment_CL\",\"label\":\"Attachment Protect\"},{\"seriesName\":\"MimecastTTPImpersonation_CL\",\"label\":\"Impersonation Protect\"}]},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"Count\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"Count\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"Count\",\"heatmapPalette\":\"greenRed\"}}},\"name\":\"query - 
8\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# URL Protect\"},\"name\":\"text - 15\"},{\"type\":1,\"content\":{\"json\":\"#### Malicious URL Detections\",\"style\":\"info\"},\"name\":\"text - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastTTPUrl_CL\\n| where scanResult_s == \\\"malicious\\\"\\n| summarize count() by Type, bin(TimeGenerated, 1h)\\n\",\"size\":3,\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"graphSettings\":{\"type\":0},\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"MimecastTTPUrl_CL\",\"label\":\"URL Protect\"}]},\"mapSettings\":{\"locInfo\":\"LatLong\"}},\"name\":\"query - 11\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"#### Top 10 Targeted Recipients\",\"style\":\"info\"},\"name\":\"text - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastTTPUrl_CL\\n| where scanResult_s == \\\"malicious\\\"\\n| summarize count() by userEmailAddress_s\\n\",\"size\":3,\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10}},\"name\":\"query - 4\"}]},\"customWidth\":\"33\",\"name\":\"top 10 targeted recipients \",\"styleSettings\":{\"maxWidth\":\"33%\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"#### Top 10 Senders of Malicious URLs\",\"style\":\"info\"},\"name\":\"text - 
7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastTTPUrl_CL\\n| where TimeGenerated > ago(100d) and scanResult_s == \\\"malicious\\\" and action_s != \\\"allow\\\"\\n| summarize count() by fromUserEmailAddress_s\\n\",\"size\":3,\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10}},\"name\":\"query - 6\"}]},\"customWidth\":\"33\",\"name\":\"top 10 senders\",\"styleSettings\":{\"maxWidth\":\"33%\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"#### Top 10 Malicious URLs\",\"style\":\"info\"},\"name\":\"text - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastTTPUrl_CL\\n| where scanResult_s == \\\"malicious\\\"\\n| summarize count() by url_s\\n\",\"size\":3,\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"group\":\"url_s\",\"createOtherGroup\":10}},\"name\":\"query - 8\"}]},\"customWidth\":\"33\",\"name\":\"top 10 urls\",\"styleSettings\":{\"maxWidth\":\"33%\"}}]},\"name\":\"dounts group 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"#### Top 10 Advanced Phishing Results - Credential Theft Brands\",\"style\":\"info\"},\"name\":\"text - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastTTPUrl_CL\\n| extend advancedPhishingResult_CredentialTheftBrands = column_ifexists(\\\"advancedPhishingResult_CredentialTheftBrands_s\\\",\\\"\\\")\\n| where scanResult_s == 
\\\"malicious\\\" and advancedPhishingResult_CredentialTheftBrands != \\\"\\\"\\n| summarize count() by advancedPhishingResult_CredentialTheftBrands\",\"size\":3,\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"advancedPhishingResult_CredentialTheftTags_s\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"advancedPhishingResult_CredentialTheftTags_s\",\"sortOrder\":1}]},\"name\":\"query - 10\"}]},\"customWidth\":\"33\",\"name\":\"top 10 cred theft brand\",\"styleSettings\":{\"maxWidth\":\"33%\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"#### Top 10 Advanced Phishing Results - Credential Theft Evidence\",\"style\":\"info\"},\"name\":\"text - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastTTPUrl_CL\\n| where scanResult_s == \\\"malicious\\\" and advancedPhishingResult_CredentialTheftEvidence_s !=\\\"\\\"\\n| summarize count() by advancedPhishingResult_CredentialTheftEvidence_s\",\"size\":3,\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"showBorder\":false},\"chartSettings\":{\"createOtherGroup\":10}},\"name\":\"query - 12\"}]},\"customWidth\":\"33\",\"name\":\"top 10 cred theft evidence\",\"styleSettings\":{\"maxWidth\":\"33%\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"#### Advanced Phishing Result - Credential Theft Tags\",\"style\":\"info\"},\"name\":\"text - 13\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastTTPUrl_CL\\n| where scanResult_s == \\\"malicious\\\" and 
advancedPhishingResult_CredentialTheftTags_s !=\\\"\\\"\\n| summarize count() by advancedPhishingResult_CredentialTheftTags_s\\n\",\"size\":3,\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"advancedPhishingResult_CredentialTheftTags_s\"]},\"labelSettings\":[{\"columnId\":\"advancedPhishingResult_CredentialTheftTags_s\",\"label\":\"Credential Theft Tags\"},{\"columnId\":\"url_s\",\"label\":\"URLs\"},{\"columnId\":\"count_\",\"label\":\"Occurences\"}]}},\"name\":\"query - 14\"}]},\"customWidth\":\"33\",\"name\":\"Credential Theft Tags\",\"styleSettings\":{\"maxWidth\":\"33%\"}}]},\"name\":\"dounts group 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"#### Top 10 URL Protect Definitions\",\"style\":\"info\"},\"name\":\"text - 15\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastTTPUrl_CL\\n| where scanResult_s == \\\"malicious\\\" and ttpDefinition_s !=\\\"\\\"\\n| summarize count() by ttpDefinition_s\",\"size\":3,\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10}},\"name\":\"query - 16\"}]},\"customWidth\":\"33\",\"name\":\"URL Protect Definitions\",\"styleSettings\":{\"maxWidth\":\"33%\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"#### Top 10 URL Protect Actions\",\"style\":\"info\"},\"name\":\"text - 
17\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastTTPUrl_CL\\n| where scanResult_s == \\\"malicious\\\" and action_s !=\\\"\\\"\\n| summarize count() by action_s\",\"size\":3,\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10}},\"name\":\"query - 18\"}]},\"customWidth\":\"33\",\"name\":\"URL Protect Actions\",\"styleSettings\":{\"maxWidth\":\"33%\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"#### Top 10 Admin Over-rides\",\"style\":\"info\"},\"name\":\"text - 20\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastTTPUrl_CL\\n| where scanResult_s == \\\"malicious\\\" and adminOverride_s !=\\\"N/A\\\"\\n| summarize count() by adminOverride_s\",\"size\":3,\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10}},\"name\":\"query - 19\"}]},\"customWidth\":\"33\",\"name\":\"Admin Over-rides\",\"styleSettings\":{\"maxWidth\":\"33%\"}}]},\"name\":\"dounts group 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"#### Top 10 User Over-rides\",\"style\":\"info\"},\"name\":\"text - 21\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastTTPUrl_CL\\n| where scanResult_s == \\\"malicious\\\" and userOverride_s !=\\\"None\\\"\\n| summarize count() by 
userOverride_s\",\"size\":3,\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"name\":\"query - 22\"}]},\"customWidth\":\"33\",\"name\":\"User Over-rides\",\"styleSettings\":{\"maxWidth\":\"33%\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"#### Top 10 Categories\",\"style\":\"info\"},\"name\":\"text - 23\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastTTPUrl_CL\\n| where scanResult_s == \\\"malicious\\\"\\n| summarize count() by Category\",\"size\":3,\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10}},\"name\":\"query - 24\"}]},\"customWidth\":\"33\",\"name\":\"Categories\",\"styleSettings\":{\"maxWidth\":\"33%\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"#### Top 10 Sending IP Addresses\",\"style\":\"info\"},\"name\":\"text - 25\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastTTPUrl_CL\\n| where scanResult_s == \\\"malicious\\\"\\n| summarize count() by sendingIp_s\",\"size\":3,\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"group\":\"sendingIp_s\",\"createOtherGroup\":10}},\"name\":\"query - 26\"}]},\"customWidth\":\"33\",\"name\":\"Sending IP Addresses\",\"styleSettings\":{\"maxWidth\":\"33%\"}}]},\"name\":\"dounts group 
4\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"#### Top 10 User Awareness Action\",\"style\":\"info\"},\"name\":\"text - 28\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastTTPUrl_CL\\n| where scanResult_s == \\\"malicious\\\"\\n| summarize count() by userAwarenessAction_s\",\"size\":3,\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10}},\"name\":\"query - 27\"}]},\"customWidth\":\"33\",\"name\":\"User Awareness Action\",\"styleSettings\":{\"maxWidth\":\"33%\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"#### Top 10 Internal Email Protect Mitigations by Actions\",\"style\":\"info\"},\"name\":\"text - 29\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastTTPUrl_CL\\n| where scanResult_s == \\\"malicious\\\"\\n| summarize count() by actions_s\",\"size\":3,\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10}},\"name\":\"query - 30\"}]},\"customWidth\":\"33\",\"name\":\"Internal Email Protect\",\"styleSettings\":{\"maxWidth\":\"33%\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"#### Top 10 Email Subjects Containing Malicious URLs\",\"style\":\"info\"},\"name\":\"text - 32\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastTTPUrl_CL\\n| where scanResult_s == 
\\\"malicious\\\"\\n| summarize count() by subject_s\",\"size\":3,\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10}},\"name\":\"query - 31\"}]},\"customWidth\":\"33\",\"name\":\"Email Subjects Containing Malicious URLs\",\"styleSettings\":{\"maxWidth\":\"33%\"}}]},\"name\":\"dounts group 5\"}]},\"name\":\"group - 8\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Attachment Protect\"},\"name\":\"text - 17\"},{\"type\":1,\"content\":{\"json\":\"#### Malicious Attachment Detections\",\"style\":\"info\"},\"name\":\"text - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastTTPAttachment_CL \\n| where result_s != \\\"safe\\\"\\n| summarize count() by Type, bin(TimeGenerated, 1h)\\n\",\"size\":3,\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"MimecastTTPAttachment_CL\",\"label\":\"Attachment Protect\"}]}},\"name\":\"query - 13\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"#### Top 10 Recipients of Malicious Attachments\",\"style\":\"info\"},\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastTTPAttachment_CL\\n| where result_s != \\\"safe\\\"\\n| summarize count() by 
recipientAddress_s\\n\",\"size\":3,\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10}},\"name\":\"query - 4\"}]},\"customWidth\":\"33\",\"name\":\"Recipients of Malicious Attachments\",\"styleSettings\":{\"maxWidth\":\"33%\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"#### Top 10 Senders of Malicious Attachments\",\"style\":\"info\"},\"name\":\"text - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastTTPAttachment_CL\\n| where result_s <> \\\"safe\\\"\\n| summarize count() by senderAddress_s\\n\",\"size\":3,\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10}},\"name\":\"query - 6\"}]},\"customWidth\":\"33\",\"name\":\"Senders of Malicious Attachments\",\"styleSettings\":{\"maxWidth\":\"33%\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"#### Top 10 Protectection Actions Triggered\",\"style\":\"info\"},\"name\":\"text - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastTTPAttachment_CL\\n| where result_s != \\\"safe\\\"\\n| summarize count() by actionTriggered_s\\n\",\"size\":3,\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10}},\"name\":\"query - 8\"}]},\"customWidth\":\"33\",\"name\":\"Protectection Actions 
Triggered\",\"styleSettings\":{\"maxWidth\":\"33%\"}}]},\"name\":\"dounts group 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"#### Top 10 Malicious Attachment File Mime Types\",\"style\":\"info\"},\"name\":\"text - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastTTPAttachment_CL\\n| where result_s != \\\"safe\\\"\\n| summarize count() by fileType_s\\n\\n\\n\\n\\n\\n\\n\\n\",\"size\":3,\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10}},\"name\":\"query - 10\"}]},\"customWidth\":\"33\",\"name\":\"Malicious Attachment File Mime Types\",\"styleSettings\":{\"maxWidth\":\"33%\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"#### Top 10 Attachment Event Results\",\"style\":\"info\"},\"name\":\"text - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastTTPAttachment_CL\\n| where result_s != \\\"safe\\\"\\n| summarize count() by result_s\\n\\n\\n\\n\\n\\n\\n\\n\",\"size\":3,\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10}},\"name\":\"query - 12\"}]},\"customWidth\":\"33\",\"name\":\"Attachment Event Results\",\"styleSettings\":{\"maxWidth\":\"33%\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"#### Top 10 Attachment Protect Event Details\",\"style\":\"info\"},\"name\":\"text - 
14\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastTTPAttachment_CL\\n| where result_s != \\\"safe\\\"\\n| summarize count() by details_s\\n\\n\\n\\n\\n\\n\\n\\n\",\"size\":3,\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"name\":\"query - 13\"}]},\"customWidth\":\"33\",\"name\":\"Attachment Protect Event Details\",\"styleSettings\":{\"maxWidth\":\"33%\"}}]},\"name\":\"dounts group 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"#### Top 10 Subjects for Emails Containing Malicious Attachments \",\"style\":\"info\"},\"name\":\"text - 15\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastTTPAttachment_CL\\n| where result_s != \\\"safe\\\"\\n| summarize count() by subject_s\\n\",\"size\":3,\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10}},\"name\":\"query - 16\"}]},\"customWidth\":\"50\",\"name\":\"Subjects for Emails\",\"styleSettings\":{\"maxWidth\":\"50%\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"#### Top 10 Malicious Sha256 File Hashes\",\"style\":\"info\"},\"name\":\"text - 17\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastTTPAttachment_CL\\n| where result_s != \\\"safe\\\"\\n| summarize count() by 
fileHash_s\\n\",\"size\":3,\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10}},\"name\":\"query - 18\"}]},\"customWidth\":\"50\",\"name\":\"Malicious Sha256 File Hashes\",\"styleSettings\":{\"maxWidth\":\"50%\"}}]},\"name\":\"dounts group 3\"}]},\"name\":\"group - 7\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Impersonation Protect\"},\"name\":\"text - 16\"},{\"type\":1,\"content\":{\"json\":\"#### Impersonation Detections\",\"style\":\"info\"},\"name\":\"text - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastTTPImpersonation_CL\\n| where taggedMalicious_b == true\\n| summarize count() by Type, bin(TimeGenerated, 1h)\\n\",\"size\":3,\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"count_\",\"label\":\"Impersonation Protect\"}]}},\"name\":\"query - 12\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Top 10 Recipients of Impersonation Emails\\n\"},\"name\":\"text - 4\"},{\"type\":1,\"content\":{\"json\":\"#### Recipients targeted with impersonation emails\",\"style\":\"info\"},\"name\":\"text - 13\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastTTPImpersonation_CL\\n| where taggedMalicious_b == true\\n| summarize count() by 
recipientAddress_s\",\"size\":3,\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10}},\"name\":\"query - 7\"}]},\"customWidth\":\"50\",\"name\":\"Recipients of Impersonation Emails\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Top 10 Senders of Impersonation Emails\\n\"},\"name\":\"text - 5\"},{\"type\":1,\"content\":{\"json\":\"#### Senders that trigged Impersonation Protect events\",\"style\":\"info\"},\"name\":\"text - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastTTPImpersonation_CL\\n| where taggedMalicious_b == true and TimeGenerated > ago(100d)\\n| summarize count() by senderAddress_s\\n\",\"size\":3,\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10}},\"name\":\"query - 6\"}]},\"customWidth\":\"50\",\"name\":\"Senders of Impersonation Emails\",\"styleSettings\":{\"maxWidth\":\"50%\"}}]},\"name\":\"donuts group 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Top 10 Impersonation Events\\n\"},\"name\":\"text - 8\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"#### Grouped by Impersonation Result\",\"style\":\"info\"},\"name\":\"text - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastTTPImpersonation_CL\\n| where taggedMalicious_b == true\\n| summarize count() by 
impersonationResults_s\\n\",\"size\":3,\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"recipientAddress_s\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"TenantId\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"hits_d\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"yAxis\":[\"count_\"],\"group\":\"impersonationResults_s\",\"createOtherGroup\":10},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"count_\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"count_\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"count_\",\"heatmapPalette\":\"greenRed\"}}},\"name\":\"query - 3\"}]},\"customWidth\":\"50\",\"name\":\" Impersonation Events\",\"styleSettings\":{\"maxWidth\":\"50%\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"#### Grouped by Impersonation Identifiers\",\"style\":\"info\"},\"name\":\"text - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastTTPImpersonation_CL\\n| where taggedMalicious_b == true\\n| summarize count() by 
identifiers_s\\n\",\"size\":3,\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10}},\"name\":\"query - 10\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\"},\"name\":\"group - 4\"}]},\"customWidth\":\"50\",\"name\":\" Impersonation Identifiers\",\"styleSettings\":{\"maxWidth\":\"50%\"}}]},\"name\":\"dounts group 2\"}]},\"name\":\"group - 6\"}],\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "version": "1.0", + "sourceId": "[variables('workspaceResourceId')]", + "category": "sentinel" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]", + "properties": { + "description": "@{workbookKey=MimecastTTPWorkbook; logoFileName=Mimecast.svg; description=A workbook providing insights into Mimecast Targeted Threat Protection.; dataTypesDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=MimecastTTP; templateRelativePath=MimecastTTPWorkbook.json; subtitle=Mimecast Targeted Threat Protection; provider=Mimecast}.description", + "parentId": "[variables('workbookId1')]", + "contentId": "[variables('_workbookContentId1')]", + "kind": "Workbook", + "version": "[variables('workbookVersion1')]", + "source": { + "kind": "Solution", + "name": "MimecastTTP", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Mimecast", + "email": "[variables('_email')]" + }, + "support": { + "name": "Mimecast", + "email": "support@mimecast.com", + "tier": "Partner", + "link": "https://community.mimecast.com/s/contactsupport" + }, + 
"dependencies": { + "operator": "AND", + "criteria": [ + { + "contentId": "MimecastTTPUrl_CL", + "kind": "DataType" + }, + { + "contentId": "MimecastTTPAttachment_CL", + "kind": "DataType" + }, + { + "contentId": "MimecastTTPImpersonation_CL", + "kind": "DataType" + } + ] + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_workbookContentId1')]", + "contentKind": "Workbook", + "displayName": "[parameters('workbook1-name')]", + "contentProductId": "[variables('_workbookcontentProductId1')]", + "id": "[variables('_workbookcontentProductId1')]", + "version": "[variables('workbookVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('dataConnectorTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "MimecastTTP data connector with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersion1')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "id": "[variables('_uiConfigId1')]", + "title": "Mimecast Targeted 
Threat Protection (using Azure Functions)", + "publisher": "Mimecast", + "descriptionMarkdown": "The data connector for [Mimecast Targeted Threat Protection](https://community.mimecast.com/s/article/Azure-Sentinel) provides customers with the visibility into security events related to the Targeted Threat Protection inspection technologies within Microsoft Sentinel. The data connector provides pre-created dashboards to allow analysts to view insight into email based threats, aid in incident correlation and reduce investigation response times coupled with custom alert capabilities. \nThe Mimecast products included within the connector are: \n- URL Protect \n- Impersonation Protect \n- Attachment Protect\n", + "graphQueries": [ + { + "metricName": "Total URL Protect data received", + "legend": "MimecastTTPUrl_CL", + "baseQuery": "MimecastTTPUrl_CL" + }, + { + "metricName": "Total Attachment Protect data received", + "legend": "MimecastTTPAttachment_CL", + "baseQuery": "MimecastTTPAttachment_CL" + }, + { + "metricName": "Total Impersonation Protect data received", + "legend": "MimecastTTPImpersonation_CL", + "baseQuery": "MimecastTTPImpersonation_CL" + } + ], + "sampleQueries": [ + { + "description": "MimecastTTPUrl_CL", + "query": "MimecastTTPUrl_CL\n| sort by TimeGenerated desc" + }, + { + "description": "MimecastTTPAttachment_CL", + "query": "MimecastTTPAttachment_CL\n| sort by TimeGenerated desc" + }, + { + "description": "MimecastTTPImpersonation_CL", + "query": "MimecastTTPImpersonation_CL\n| sort by TimeGenerated desc" + } + ], + "dataTypes": [ + { + "name": "MimecastTTPUrl_CL", + "lastDataReceivedQuery": "MimecastTTPUrl_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "MimecastTTPAttachment_CL", + "lastDataReceivedQuery": "MimecastTTPAttachment_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "MimecastTTPImpersonation_CL", + "lastDataReceivedQuery": "MimecastTTPImpersonation_CL\n 
| summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "MimecastTTPUrl_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)", + "MimecastTTPAttachment_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)", + "MimecastTTPImpersonation_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." 
+ }, + { + "name": "REST API Credentials/permissions", + "description": "You need to have the following pieces of information to configure the integration:\n- mimecastEmail: Email address of a dedicated Mimecast admin user\n- mimecastPassword: Password for the dedicated Mimecast admin user\n- mimecastAppId: API Application Id of the Mimecast Microsoft Sentinel app registered with Mimecast\n- mimecastAppKey: API Application Key of the Mimecast Microsoft Sentinel app registered with Mimecast\n- mimecastAccessKey: Access Key for the dedicated Mimecast admin user\n- mimecastSecretKey: Secret Key for the dedicated Mimecast admin user\n- mimecastBaseURL: Mimecast Regional API Base URL\n\n> The Mimecast Application Id, Application Key, along with the Access Key and Secret keys for the dedicated Mimecast admin user are obtainable via the Mimecast Administration Console: Administration | Services | API and Platform Integrations.\n\n> The Mimecast API Base URL for each region is documented here: https://integrations.mimecast.com/documentation/api-overview/global-base-urls/" + } + ] + }, + "instructionSteps": [ + { + "description": "You need to have a resource group created with a subscription you are going to use.", + "title": "Resource group" + }, + { + "description": "You need to have an Azure App registered for this connector to use\n1. Application Id\n2. Tenant Id\n3. Client Id\n4. Client Secret", + "title": "Functions app" + }, + { + "description": ">**NOTE:** This connector uses Azure Functions to connect to a Mimecast API to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." + }, + { + "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. 
[Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." + }, + { + "description": "**STEP 1 - Configuration steps for the Mimecast API**\n\nGo to ***Azure portal ---> App registrations ---> [your_app] ---> Certificates & secrets ---> New client secret*** and create a new secret (save the Value somewhere safe right away because you will not be able to preview it later)", + "title": "Configuration:" + }, + { + "description": "**STEP 2 - Deploy Mimecast API Connector**\n\n>**IMPORTANT:** Before deploying the Mimecast API connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Mimecast API authorization key(s) or Token, readily available.", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Workspace ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "fillWith": [ + "PrimaryKey" + ], + "label": "Primary Key" + }, + "type": "CopyableLabel" + } + ] + }, + { + "description": "\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-mimecastttp-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. 
Enter the following fields:\n - appName: Unique string that will be used as id for the app in Azure platform\n - objectId: Azure portal ---> Azure Active Directory ---> more info ---> Profile -----> Object ID\n - appInsightsLocation(default): westeurope\n - mimecastEmail: Email address of dedicated user for this integraion\n - mimecastPassword: Password for dedicated user\n - mimecastAppId: Application Id from the Microsoft Sentinel app registered with Mimecast\n - mimecastAppKey: Application Key from the Microsoft Sentinel app registered with Mimecast\n - mimecastAccessKey: Access Key for the dedicated Mimecast user\n - mimecastSecretKey: Secret Key for dedicated Mimecast user\n - mimecastBaseURL: Regional Mimecast API Base URL\n - activeDirectoryAppId: Azure portal ---> App registrations ---> [your_app] ---> Application ID\n - activeDirectoryAppSecret: Azure portal ---> App registrations ---> [your_app] ---> Certificates & secrets ---> [your_app_secret]\n\n >Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details.\n\n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.\n\n6. 
Go to ***Azure portal ---> Resource groups ---> [your_resource_group] ---> [appName](type: Storage account) ---> Storage Explorer ---> BLOB CONTAINERS ---> TTP checkpoints ---> Upload*** and create empty files on your machine named attachment-checkpoint.txt, impersonation-checkpoint.txt, url-checkpoint.txt and select them for upload (this is done so that date_range for TTP logs are stored in consistent state)\n", + "title": "Deploy the Mimecast Targeted Threat Protection Data Connector:" + } + ], + "metadata": { + "id": "4588c4ec-1e98-4ddc-841f-35c015f12654", + "version": "1.0.0", + "kind": "dataConnector", + "source": { + "kind": "solution", + "name": "Mimecast" + }, + "author": { + "name": "Mimecast" + }, + "support": { + "tier": "Partner", + "name": "Mimecast", + "email": "support@mimecast.com", + "link": "https://community.mimecast.com/s/contactsupport" + } + } + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "contentId": "[variables('_dataConnectorContentId1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion1')]", + "source": { + "kind": "Solution", + "name": "MimecastTTP", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Mimecast", + "email": "[variables('_email')]" + }, + "support": { + "name": "Mimecast", + "email": "support@mimecast.com", + "tier": "Partner", + "link": "https://community.mimecast.com/s/contactsupport" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": 
"[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_dataConnectorContentId1')]",
+ "contentKind": "DataConnector",
+ "displayName": "Mimecast Targeted Threat Protection (using Azure Functions)",
+ "contentProductId": "[variables('_dataConnectorcontentProductId1')]",
+ "id": "[variables('_dataConnectorcontentProductId1')]",
+ "version": "[variables('dataConnectorVersion1')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
+ "dependsOn": [
+ "[variables('_dataConnectorId1')]"
+ ],
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
+ "contentId": "[variables('_dataConnectorContentId1')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorVersion1')]",
+ "source": {
+ "kind": "Solution",
+ "name": "MimecastTTP",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Mimecast",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Mimecast",
+ "email": "support@mimecast.com",
+ "tier": "Partner",
+ "link": "https://community.mimecast.com/s/contactsupport"
+ }
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
+ "apiVersion": "2021-03-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "GenericUI",
+ "properties": {
+ "connectorUiConfig": {
+ "title": "Mimecast Targeted Threat Protection (using Azure Functions)",
+ 
"publisher": "Mimecast",
+ "descriptionMarkdown": "The data connector for [Mimecast Targeted Threat Protection](https://community.mimecast.com/s/article/Azure-Sentinel) provides customers with the visibility into security events related to the Targeted Threat Protection inspection technologies within Microsoft Sentinel. The data connector provides pre-created dashboards to allow analysts to view insight into email based threats, aid in incident correlation and reduce investigation response times coupled with custom alert capabilities. \nThe Mimecast products included within the connector are: \n- URL Protect \n- Impersonation Protect \n- Attachment Protect\n",
+ "graphQueries": [
+ {
+ "metricName": "Total URL Protect data received",
+ "legend": "MimecastTTPUrl_CL",
+ "baseQuery": "MimecastTTPUrl_CL"
+ },
+ {
+ "metricName": "Total Attachment Protect data received",
+ "legend": "MimecastTTPAttachment_CL",
+ "baseQuery": "MimecastTTPAttachment_CL"
+ },
+ {
+ "metricName": "Total Impersonation Protect data received",
+ "legend": "MimecastTTPImpersonation_CL",
+ "baseQuery": "MimecastTTPImpersonation_CL"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "MimecastTTPUrl_CL",
+ "lastDataReceivedQuery": "MimecastTTPUrl_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ },
+ {
+ "name": "MimecastTTPAttachment_CL",
+ "lastDataReceivedQuery": "MimecastTTPAttachment_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ },
+ {
+ "name": "MimecastTTPImpersonation_CL",
+ "lastDataReceivedQuery": "MimecastTTPImpersonation_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "MimecastTTPUrl_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)",
+ "MimecastTTPAttachment_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)",
+ 
"MimecastTTPImpersonation_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
+ ]
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "MimecastTTPUrl_CL",
+ "query": "MimecastTTPUrl_CL\n| sort by TimeGenerated desc"
+ },
+ {
+ "description": "MimecastTTPAttachment_CL",
+ "query": "MimecastTTPAttachment_CL\n| sort by TimeGenerated desc"
+ },
+ {
+ "description": "MimecastTTPImpersonation_CL",
+ "query": "MimecastTTPImpersonation_CL\n| sort by TimeGenerated desc"
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions on the workspace are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "Microsoft.Web/sites permissions",
+ "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." 
+ },
+ {
+ "name": "REST API Credentials/permissions",
+ "description": "You need to have the following pieces of information to configure the integration:\n- mimecastEmail: Email address of a dedicated Mimecast admin user\n- mimecastPassword: Password for the dedicated Mimecast admin user\n- mimecastAppId: API Application Id of the Mimecast Microsoft Sentinel app registered with Mimecast\n- mimecastAppKey: API Application Key of the Mimecast Microsoft Sentinel app registered with Mimecast\n- mimecastAccessKey: Access Key for the dedicated Mimecast admin user\n- mimecastSecretKey: Secret Key for the dedicated Mimecast admin user\n- mimecastBaseURL: Mimecast Regional API Base URL\n\n> The Mimecast Application Id, Application Key, along with the Access Key and Secret keys for the dedicated Mimecast admin user are obtainable via the Mimecast Administration Console: Administration | Services | API and Platform Integrations.\n\n> The Mimecast API Base URL for each region is documented here: https://integrations.mimecast.com/documentation/api-overview/global-base-urls/"
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "description": "You need to have a resource group created with a subscription you are going to use.",
+ "title": "Resource group"
+ },
+ {
+ "description": "You need to have an Azure App registered for this connector to use\n1. Application Id\n2. Tenant Id\n3. Client Id\n4. Client Secret",
+ "title": "Functions app"
+ },
+ {
+ "description": ">**NOTE:** This connector uses Azure Functions to connect to a Mimecast API to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details."
+ },
+ {
+ "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. 
[Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App."
+ },
+ {
+ "description": "**STEP 1 - Configuration steps for the Mimecast API**\n\nGo to ***Azure portal ---> App registrations ---> [your_app] ---> Certificates & secrets ---> New client secret*** and create a new secret (save the Value somewhere safe right away because you will not be able to preview it later)",
+ "title": "Configuration:"
+ },
+ {
+ "description": "**STEP 2 - Deploy Mimecast API Connector**\n\n>**IMPORTANT:** Before deploying the Mimecast API connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Mimecast API authorization key(s) or Token, readily available.",
+ "instructions": [
+ {
+ "parameters": {
+ "fillWith": [
+ "WorkspaceId"
+ ],
+ "label": "Workspace ID"
+ },
+ "type": "CopyableLabel"
+ },
+ {
+ "parameters": {
+ "fillWith": [
+ "PrimaryKey"
+ ],
+ "label": "Primary Key"
+ },
+ "type": "CopyableLabel"
+ }
+ ]
+ },
+ {
+ "description": "\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-mimecastttp-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. 
Enter the following fields:\n - appName: Unique string that will be used as id for the app in Azure platform\n - objectId: Azure portal ---> Azure Active Directory ---> more info ---> Profile -----> Object ID\n - appInsightsLocation(default): westeurope\n - mimecastEmail: Email address of dedicated user for this integraion\n - mimecastPassword: Password for dedicated user\n - mimecastAppId: Application Id from the Microsoft Sentinel app registered with Mimecast\n - mimecastAppKey: Application Key from the Microsoft Sentinel app registered with Mimecast\n - mimecastAccessKey: Access Key for the dedicated Mimecast user\n - mimecastSecretKey: Secret Key for dedicated Mimecast user\n - mimecastBaseURL: Regional Mimecast API Base URL\n - activeDirectoryAppId: Azure portal ---> App registrations ---> [your_app] ---> Application ID\n - activeDirectoryAppSecret: Azure portal ---> App registrations ---> [your_app] ---> Certificates & secrets ---> [your_app_secret]\n\n >Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details.\n\n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.\n\n6. 
Go to ***Azure portal ---> Resource groups ---> [your_resource_group] ---> [appName](type: Storage account) ---> Storage Explorer ---> BLOB CONTAINERS ---> TTP checkpoints ---> Upload*** and create empty files on your machine named attachment-checkpoint.txt, impersonation-checkpoint.txt, url-checkpoint.txt and select them for upload (this is done so that date_range for TTP logs are stored in consistent state)\n", + "title": "Deploy the Mimecast Targeted Threat Protection Data Connector:" + } + ], + "id": "[variables('_uiConfigId1')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "apiVersion": "2023-04-01-preview", + "location": "[parameters('workspace-location')]", + "properties": { + "version": "3.0.0", + "kind": "Solution", + "contentSchemaVersion": "3.0.0", + "displayName": "MimecastTTP", + "publisherDisplayName": "Mimecast", + "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The data connector for Mimecast Targeted Threat Protection provides customers with the visibility into security events related to the Targeted Threat Protection inspection technologies within Microsoft Sentinel. The data connector provides pre-created dashboards to allow analysts to view insight into email based threats, aid in incident correlation and reduce investigation response times coupled with custom alert capabilities.
\nThe Mimecast products included within the connector are:

\n
    \n
  • URL Protect
  • \n
  • Impersonation Protect
  • \n
  • Attachment Protect
  • \n
\n

Microsoft Sentinel Solutions provide a consolidated way to acquire Microsoft Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.

\n

Data Connectors: 1, Workbooks: 1, Analytic Rules: 3

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "contentKind": "Solution", + "contentProductId": "[variables('_solutioncontentProductId')]", + "id": "[variables('_solutioncontentProductId')]", + "icon": "", + "contentId": "[variables('_solutionId')]", + "parentId": "[variables('_solutionId')]", + "source": { + "kind": "Solution", + "name": "MimecastTTP", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Mimecast", + "email": "[variables('_email')]" + }, + "support": { + "name": "Mimecast", + "email": "support@mimecast.com", + "tier": "Partner", + "link": "https://community.mimecast.com/s/contactsupport" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRulecontentId1')]", + "version": "[variables('analyticRuleVersion1')]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRulecontentId2')]", + "version": "[variables('analyticRuleVersion2')]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRulecontentId3')]", + "version": "[variables('analyticRuleVersion3')]" + }, + { + "kind": "Workbook", + "contentId": "[variables('_workbookContentId1')]", + "version": "[variables('workbookVersion1')]" + }, + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentId1')]", + "version": "[variables('dataConnectorVersion1')]" + } + ] + }, + "firstPublishDate": "2022-02-24", + "lastPublishDate": "2022-02-24", + "providers": [ + "Mimecast" + ], + "categories": { + "domains": [ + "Security - Network" + ] + } + }, + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]" + } + ], + "outputs": {} +} diff --git a/Solutions/MimecastTTP/ReleaseNotes.md b/Solutions/MimecastTTP/ReleaseNotes.md new file mode 100644 index 00000000000..a97fa385729 --- /dev/null +++ b/Solutions/MimecastTTP/ReleaseNotes.md 
@@ -0,0 +1,3 @@
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|---------------------------------------------|
+| 3.0.0 | 23-08-2023 | Initial solution release |
diff --git a/Solutions/MimecastTTP/SolutionMetadata.json b/Solutions/MimecastTTP/SolutionMetadata.json
new file mode 100644
index 00000000000..c2f3b9eaae7
--- /dev/null
+++ b/Solutions/MimecastTTP/SolutionMetadata.json
@@ -0,0 +1,20 @@
+{
+ "publisherId": "mimecast",
+ "offerId": "azure-sentinel-solution-mimecastttp",
+ "firstPublishDate": "2022-02-24",
+ "lastPublishDate": "2022-02-24",
+ "providers": [
+ "Mimecast"
+ ],
+ "categories": {
+ "domains": [
+ "Security - Network"
+ ]
+ },
+ "support": {
+ "name": "Mimecast",
+ "email": "support@mimecast.com",
+ "tier": "Partner",
+ "link": "https://community.mimecast.com/s/contactsupport"
+ }
+}
\ No newline at end of file
diff --git a/Solutions/MimecastTTP/Workbooks/Images/Preview/MimecastTTPBlack1.png b/Solutions/MimecastTTP/Workbooks/Images/Preview/MimecastTTPBlack1.png
new file mode 100644
index 00000000000..72eda9a22cf
Binary files /dev/null and b/Solutions/MimecastTTP/Workbooks/Images/Preview/MimecastTTPBlack1.png differ
diff --git a/Solutions/MimecastTTP/Workbooks/Images/Preview/MimecastTTPBlack2.png b/Solutions/MimecastTTP/Workbooks/Images/Preview/MimecastTTPBlack2.png
new file mode 100644
index 00000000000..99412108573
Binary files /dev/null and b/Solutions/MimecastTTP/Workbooks/Images/Preview/MimecastTTPBlack2.png differ
diff --git a/Solutions/MimecastTTP/Workbooks/Images/Preview/MimecastTTPWhite1.png b/Solutions/MimecastTTP/Workbooks/Images/Preview/MimecastTTPWhite1.png
new file mode 100644
index 00000000000..b8f46272b90
Binary files /dev/null and b/Solutions/MimecastTTP/Workbooks/Images/Preview/MimecastTTPWhite1.png differ
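Review bot: `"lastPublishDate": "2022-02-24"` in SolutionMetadata.json contradicts ReleaseNotes.md in this same commit, which records version 3.0.0 as released on 23-08-2023, so the catalog metadata will claim the package is eighteen months older than its own release notes. The identical `firstPublishDate`/`lastPublishDate` pair appears in the `contentPackages` resource of mainTemplate.json, which is presumably generated from this file, so the correction belongs here followed by a package regeneration rather than a hand edit of the template. I would set `"lastPublishDate": "2023-08-23"` and keep `"firstPublishDate": "2022-02-24"` only if that genuinely was the first marketplace publish; the "Initial solution release" wording in the release notes suggests it may not be. The file also lacks a trailing newline (`\ No newline at end of file`), which is worth fixing while touching it.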
diff --git a/Solutions/MimecastTTP/Workbooks/Images/Preview/MimecastTTPWhite2.png b/Solutions/MimecastTTP/Workbooks/Images/Preview/MimecastTTPWhite2.png
new file mode 100644
index 00000000000..91e00eefaf8
Binary files /dev/null and b/Solutions/MimecastTTP/Workbooks/Images/Preview/MimecastTTPWhite2.png differ
diff --git a/Solutions/MimecastTTP/Workbooks/MimecastTTPWorkbook.json b/Solutions/MimecastTTP/Workbooks/MimecastTTPWorkbook.json
new file mode 100644
index 00000000000..848a5b87a77
--- /dev/null
+++ b/Solutions/MimecastTTP/Workbooks/MimecastTTPWorkbook.json
@@ -0,0 +1,1664 @@ +{ + "version": "Notebook/1.0", + "items": [ + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "82fedb33-961a-4199-a5ab-16340948ed10", + "version": "KqlParameterItem/1.0", + "name": "time_range", + "label": "time range", + "type": 4, + "isRequired": true, + "value": { + "durationMs": 2592000000 + }, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 300000 + }, + { + "durationMs": 900000 + }, + { + "durationMs": 1800000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 14400000 + }, + { + "durationMs": 43200000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 259200000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2419200000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 5184000000 + }, + { + "durationMs": 7776000000 + } + ], + "allowCustom": true + } + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 2" + }, + { + "type": 1, + "content": { + "json": "# Advanced Threat Detections" + }, + "name": "text - 17" + }, + { + "type": 1, + "content": { + "json": "#### Detection counts for Attachment Protect, URL Protect and Impersonation Protect", + "style": "info" + }, + "name": "text - 6" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "union MimecastTTPUrl_CL, MimecastTTPAttachment_CL, MimecastTTPImpersonation_CL\n| summarize Count=count() by Type, bin(TimeGenerated, 1h)", + "size": 3, + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "time_range", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "barchart", + "tileSettings": { + "showBorder": false, + "titleContent": { + "columnMatch": "Type", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + 
"formatOptions": { + "palette": "auto" + }, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + } + }, + "graphSettings": { + "type": 0, + "topContent": { + "columnMatch": "Type", + "formatter": 1 + }, + "centerContent": { + "columnMatch": "Count", + "formatter": 1, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + }, + "nodeIdField": "Type", + "sourceIdField": "Count", + "targetIdField": "Type", + "graphOrientation": 3, + "showOrientationToggles": false, + "nodeSize": null, + "staticNodeSize": 100, + "colorSettings": null, + "hivesMargin": 5 + }, + "chartSettings": { + "seriesLabelSettings": [ + { + "seriesName": "MimecastTTPUrl_CL", + "label": "URL Protect" + }, + { + "seriesName": "MimecastTTPAttachment_CL", + "label": "Attachment Protect" + }, + { + "seriesName": "MimecastTTPImpersonation_CL", + "label": "Impersonation Protect" + } + ] + }, + "mapSettings": { + "locInfo": "LatLong", + "sizeSettings": "Count", + "sizeAggregation": "Sum", + "legendMetric": "Count", + "legendAggregation": "Sum", + "itemColorSettings": { + "type": "heatmap", + "colorAggregation": "Sum", + "nodeColorField": "Count", + "heatmapPalette": "greenRed" + } + } + }, + "name": "query - 8" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "# URL Protect" + }, + "name": "text - 15" + }, + { + "type": 1, + "content": { + "json": "#### Malicious URL Detections", + "style": "info" + }, + "name": "text - 2" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastTTPUrl_CL\n| where scanResult_s == \"malicious\"\n| summarize count() by Type, bin(TimeGenerated, 1h)\n", + "size": 3, + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "time_range", + "queryType": 0, + "resourceType": 
"microsoft.operationalinsights/workspaces", + "visualization": "barchart", + "graphSettings": { + "type": 0 + }, + "chartSettings": { + "seriesLabelSettings": [ + { + "seriesName": "MimecastTTPUrl_CL", + "label": "URL Protect" + } + ] + }, + "mapSettings": { + "locInfo": "LatLong" + } + }, + "name": "query - 11" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "#### Top 10 Targeted Recipients", + "style": "info" + }, + "name": "text - 8" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastTTPUrl_CL\n| where scanResult_s == \"malicious\"\n| summarize count() by userEmailAddress_s\n", + "size": 3, + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "time_range", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "createOtherGroup": 10 + } + }, + "name": "query - 4" + } + ] + }, + "customWidth": "33", + "name": "top 10 targeted recipients ", + "styleSettings": { + "maxWidth": "33%" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "#### Top 10 Senders of Malicious URLs", + "style": "info" + }, + "name": "text - 7" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastTTPUrl_CL\n| where TimeGenerated > ago(100d) and scanResult_s == \"malicious\" and action_s != \"allow\"\n| summarize count() by fromUserEmailAddress_s\n", + "size": 3, + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "time_range", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "createOtherGroup": 10 + 
} + }, + "name": "query - 6" + } + ] + }, + "customWidth": "33", + "name": "top 10 senders", + "styleSettings": { + "maxWidth": "33%" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "#### Top 10 Malicious URLs", + "style": "info" + }, + "name": "text - 7" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastTTPUrl_CL\n| where scanResult_s == \"malicious\"\n| summarize count() by url_s\n", + "size": 3, + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "time_range", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "sortBy": [], + "chartSettings": { + "group": "url_s", + "createOtherGroup": 10 + } + }, + "name": "query - 8" + } + ] + }, + "customWidth": "33", + "name": "top 10 urls", + "styleSettings": { + "maxWidth": "33%" + } + } + ] + }, + "name": "dounts group 1" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "#### Top 10 Advanced Phishing Results - Credential Theft Brands", + "style": "info" + }, + "name": "text - 9" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastTTPUrl_CL\n| extend advancedPhishingResult_CredentialTheftBrands = column_ifexists(\"advancedPhishingResult_CredentialTheftBrands_s\",\"\")\n| where scanResult_s == \"malicious\" and advancedPhishingResult_CredentialTheftBrands != \"\"\n| summarize count() by advancedPhishingResult_CredentialTheftBrands", + "size": 3, + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "time_range", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + 
"gridSettings": { + "sortBy": [ + { + "itemKey": "advancedPhishingResult_CredentialTheftTags_s", + "sortOrder": 1 + } + ] + }, + "sortBy": [ + { + "itemKey": "advancedPhishingResult_CredentialTheftTags_s", + "sortOrder": 1 + } + ] + }, + "name": "query - 10" + } + ] + }, + "customWidth": "33", + "name": "top 10 cred theft brand", + "styleSettings": { + "maxWidth": "33%" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "#### Top 10 Advanced Phishing Results - Credential Theft Evidence", + "style": "info" + }, + "name": "text - 11" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastTTPUrl_CL\n| where scanResult_s == \"malicious\" and advancedPhishingResult_CredentialTheftEvidence_s !=\"\"\n| summarize count() by advancedPhishingResult_CredentialTheftEvidence_s", + "size": 3, + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "time_range", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "tileSettings": { + "showBorder": false + }, + "chartSettings": { + "createOtherGroup": 10 + } + }, + "name": "query - 12" + } + ] + }, + "customWidth": "33", + "name": "top 10 cred theft evidence", + "styleSettings": { + "maxWidth": "33%" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "#### Advanced Phishing Result - Credential Theft Tags", + "style": "info" + }, + "name": "text - 13" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastTTPUrl_CL\n| where scanResult_s == \"malicious\" and advancedPhishingResult_CredentialTheftTags_s !=\"\"\n| summarize count() by advancedPhishingResult_CredentialTheftTags_s\n", + "size": 3, + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": 
"time_range", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "gridSettings": { + "hierarchySettings": { + "treeType": 1, + "groupBy": [ + "advancedPhishingResult_CredentialTheftTags_s" + ] + }, + "labelSettings": [ + { + "columnId": "advancedPhishingResult_CredentialTheftTags_s", + "label": "Credential Theft Tags" + }, + { + "columnId": "url_s", + "label": "URLs" + }, + { + "columnId": "count_", + "label": "Occurences" + } + ] + } + }, + "name": "query - 14" + } + ] + }, + "customWidth": "33", + "name": "Credential Theft Tags", + "styleSettings": { + "maxWidth": "33%" + } + } + ] + }, + "name": "dounts group 2" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "#### Top 10 URL Protect Definitions", + "style": "info" + }, + "name": "text - 15" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastTTPUrl_CL\n| where scanResult_s == \"malicious\" and ttpDefinition_s !=\"\"\n| summarize count() by ttpDefinition_s", + "size": 3, + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "time_range", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "createOtherGroup": 10 + } + }, + "name": "query - 16" + } + ] + }, + "customWidth": "33", + "name": "URL Protect Definitions", + "styleSettings": { + "maxWidth": "33%" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "#### Top 10 URL Protect Actions", + "style": "info" + }, + "name": "text - 17" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastTTPUrl_CL\n| where scanResult_s 
== \"malicious\" and action_s !=\"\"\n| summarize count() by action_s", + "size": 3, + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "time_range", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "createOtherGroup": 10 + } + }, + "name": "query - 18" + } + ] + }, + "customWidth": "33", + "name": "URL Protect Actions", + "styleSettings": { + "maxWidth": "33%" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "#### Top 10 Admin Over-rides", + "style": "info" + }, + "name": "text - 20" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastTTPUrl_CL\n| where scanResult_s == \"malicious\" and adminOverride_s !=\"N/A\"\n| summarize count() by adminOverride_s", + "size": 3, + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "time_range", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "createOtherGroup": 10 + } + }, + "name": "query - 19" + } + ] + }, + "customWidth": "33", + "name": "Admin Over-rides", + "styleSettings": { + "maxWidth": "33%" + } + } + ] + }, + "name": "dounts group 3" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "#### Top 10 User Over-rides", + "style": "info" + }, + "name": "text - 21" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastTTPUrl_CL\n| where scanResult_s == \"malicious\" and userOverride_s !=\"None\"\n| summarize count() by userOverride_s", + "size": 3, + "timeContext": { + "durationMs": 2592000000 + }, + 
"timeContextFromParameter": "time_range", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart" + }, + "name": "query - 22" + } + ] + }, + "customWidth": "33", + "name": "User Over-rides", + "styleSettings": { + "maxWidth": "33%" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "#### Top 10 Categories", + "style": "info" + }, + "name": "text - 23" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastTTPUrl_CL\n| where scanResult_s == \"malicious\"\n| summarize count() by Category", + "size": 3, + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "time_range", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "createOtherGroup": 10 + } + }, + "name": "query - 24" + } + ] + }, + "customWidth": "33", + "name": "Categories", + "styleSettings": { + "maxWidth": "33%" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "#### Top 10 Sending IP Addresses", + "style": "info" + }, + "name": "text - 25" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastTTPUrl_CL\n| where scanResult_s == \"malicious\"\n| summarize count() by sendingIp_s", + "size": 3, + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "time_range", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "group": "sendingIp_s", + "createOtherGroup": 10 + } + }, + "name": "query - 26" + } + ] + }, + "customWidth": "33", + "name": "Sending IP Addresses", + "styleSettings": { + "maxWidth": "33%" + } + } + ] + }, + "name": "dounts group 4" + }, + { + "type": 12, + 
"content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "items": [
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "items": [
+ {
+ "type": 1,
+ "content": {
+ "json": "#### Top 10 User Awareness Action",
+ "style": "info"
+ },
+ "name": "text - 28"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "MimecastTTPUrl_CL\n| where scanResult_s == \"malicious\"\n| summarize count() by userAwarenessAction_s",
+ "size": 3,
+ "timeContext": {
+ "durationMs": 2592000000
+ },
+ "timeContextFromParameter": "time_range",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "piechart",
+ "chartSettings": {
+ "createOtherGroup": 10
+ }
+ },
+ "name": "query - 27"
+ }
+ ]
+ },
+ "customWidth": "33",
+ "name": "User Awareness Action",
+ "styleSettings": {
+ "maxWidth": "33%"
+ }
+ },
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "items": [
+ {
+ "type": 1,
+ "content": {
+ "json": "#### Top 10 Internal Email Protect Mitigations by Actions",
+ "style": "info"
+ },
+ "name": "text - 29"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "MimecastTTPUrl_CL\n| where scanResult_s == \"malicious\"\n| summarize count() by actions_s",
+ "size": 3,
+ "timeContext": {
+ "durationMs": 2592000000
+ },
+ "timeContextFromParameter": "time_range",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "piechart",
+ "chartSettings": {
+ "createOtherGroup": 10
+ }
+ },
+ "name": "query - 30"
+ }
+ ]
+ },
+ "customWidth": "33",
+ "name": "Internal Email Protect",
+ "styleSettings": {
+ "maxWidth": "33%"
+ }
+ },
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "items": [
+ {
+ "type": 1,
+ "content": {
+ "json": "#### Top 10 Email Subjects Containing Malicious URLs",
+ "style": "info"
+ },
+ "name": "text - 32"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "MimecastTTPUrl_CL\n| where scanResult_s == \"malicious\"\n| summarize count() by subject_s",
+ "size": 3,
+ "timeContext": {
+ "durationMs": 2592000000
+ },
+ "timeContextFromParameter": "time_range",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "piechart",
+ "chartSettings": {
+ "createOtherGroup": 10
+ }
+ },
+ "name": "query - 31"
+ }
+ ]
+ },
+ "customWidth": "33",
+ "name": "Email Subjects Containing Malicious URLs",
+ "styleSettings": {
+ "maxWidth": "33%"
+ }
+ }
+ ]
+ },
+ "name": "dounts group 5"
+ }
+ ]
+ },
+ "name": "group - 8"
+ },
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "items": [
+ {
+ "type": 1,
+ "content": {
+ "json": "# Attachment Protect"
+ },
+ "name": "text - 17"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "#### Malicious Attachment Detections",
+ "style": "info"
+ },
+ "name": "text - 2"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "MimecastTTPAttachment_CL \n| where result_s != \"safe\"\n| summarize count() by Type, bin(TimeGenerated, 1h)\n",
+ "size": 3,
+ "timeContext": {
+ "durationMs": 2592000000
+ },
+ "timeContextFromParameter": "time_range",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "barchart",
+ "chartSettings": {
+ "seriesLabelSettings": [
+ {
+ "seriesName": "MimecastTTPAttachment_CL",
+ "label": "Attachment Protect"
+ }
+ ]
+ }
+ },
+ "name": "query - 13"
+ },
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "items": [
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "items": [
+ {
+ "type": 1,
+ "content": {
+ "json": "#### Top 10 Recipients of Malicious Attachments",
+ "style": "info"
+ },
+ "name": "text - 3"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "MimecastTTPAttachment_CL\n| where result_s != \"safe\"\n| summarize count() by recipientAddress_s\n",
+ "size": 3,
+ "timeContext": {
+ "durationMs": 2592000000
+ },
+ "timeContextFromParameter": "time_range",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "piechart",
+ "chartSettings": {
+ "createOtherGroup": 10
+ }
+ },
+ "name": "query - 4"
+ }
+ ]
+ },
+ "customWidth": "33",
+ "name": "Recipients of Malicious Attachments",
+ "styleSettings": {
+ "maxWidth": "33%"
+ }
+ },
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "items": [
+ {
+ "type": 1,
+ "content": {
+ "json": "#### Top 10 Senders of Malicious Attachments",
+ "style": "info"
+ },
+ "name": "text - 5"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "MimecastTTPAttachment_CL\n| where result_s <> \"safe\"\n| summarize count() by senderAddress_s\n",
+ "size": 3,
+ "timeContext": {
+ "durationMs": 2592000000
+ },
+ "timeContextFromParameter": "time_range",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "piechart",
+ "chartSettings": {
+ "createOtherGroup": 10
+ }
+ },
+ "name": "query - 6"
+ }
+ ]
+ },
+ "customWidth": "33",
+ "name": "Senders of Malicious Attachments",
+ "styleSettings": {
+ "maxWidth": "33%"
+ }
+ },
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "items": [
+ {
+ "type": 1,
+ "content": {
+ "json": "#### Top 10 Protectection Actions Triggered",
+ "style": "info"
+ },
+ "name": "text - 7"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "MimecastTTPAttachment_CL\n| where result_s != \"safe\"\n| summarize count() by actionTriggered_s\n",
+ "size": 3,
+ "timeContext": {
+ "durationMs": 2592000000
+ },
+ "timeContextFromParameter": "time_range",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "piechart",
+ "chartSettings": {
+ "createOtherGroup": 10
+ }
+ },
+ "name": "query - 8"
+ }
+ ]
+ },
+ "customWidth": "33",
+ "name": "Protectection Actions Triggered",
+ "styleSettings": {
+ "maxWidth": "33%"
+ }
+ }
+ ]
+ },
+ "name": "dounts group 1"
+ },
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "items": [
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "items": [
+ {
+ "type": 1,
+ "content": {
+ "json": "#### Top 10 Malicious Attachment File Mime Types",
+ "style": "info"
+ },
+ "name": "text - 9"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "MimecastTTPAttachment_CL\n| where result_s != \"safe\"\n| summarize count() by fileType_s\n\n\n\n\n\n\n\n",
+ "size": 3,
+ "timeContext": {
+ "durationMs": 2592000000
+ },
+ "timeContextFromParameter": "time_range",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "piechart",
+ "chartSettings": {
+ "createOtherGroup": 10
+ }
+ },
+ "name": "query - 10"
+ }
+ ]
+ },
+ "customWidth": "33",
+ "name": "Malicious Attachment File Mime Types",
+ "styleSettings": {
+ "maxWidth": "33%"
+ }
+ },
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "items": [
+ {
+ "type": 1,
+ "content": {
+ "json": "#### Top 10 Attachment Event Results",
+ "style": "info"
+ },
+ "name": "text - 11"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "MimecastTTPAttachment_CL\n| where result_s != \"safe\"\n| summarize count() by result_s\n\n\n\n\n\n\n\n",
+ "size": 3,
+ "timeContext": {
+ "durationMs": 2592000000
+ },
+ "timeContextFromParameter": "time_range",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "piechart",
+ "chartSettings": {
+ "createOtherGroup": 10
+ }
+ },
+ "name": "query - 12"
+ }
+ ]
+ },
+ "customWidth": "33",
+ "name": "Attachment Event Results",
+ "styleSettings": {
+ "maxWidth": "33%"
+ }
+ },
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "items": [
+ {
+ "type": 1,
+ "content": {
+ "json": "#### Top 10 Attachment Protect Event Details",
+ "style": "info"
+ },
+ "name": "text - 14"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "MimecastTTPAttachment_CL\n| where result_s != \"safe\"\n| summarize count() by details_s\n\n\n\n\n\n\n\n",
+ "size": 3,
+ "timeContext": {
+ "durationMs": 2592000000
+ },
+ "timeContextFromParameter": "time_range",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "piechart"
+ },
+ "name": "query - 13"
+ }
+ ]
+ },
+ "customWidth": "33",
+ "name": "Attachment Protect Event Details",
+ "styleSettings": {
+ "maxWidth": "33%"
+ }
+ }
+ ]
+ },
+ "name": "dounts group 2"
+ },
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "items": [
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "items": [
+ {
+ "type": 1,
+ "content": {
+ "json": "#### Top 10 Subjects for Emails Containing Malicious Attachments ",
+ "style": "info"
+ },
+ "name": "text - 15"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "MimecastTTPAttachment_CL\n| where result_s != \"safe\"\n| summarize count() by subject_s\n",
+ "size": 3,
+ "timeContext": {
+ "durationMs": 2592000000
+ },
+ "timeContextFromParameter": "time_range",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "piechart",
+ "chartSettings": {
+ "createOtherGroup": 10
+ }
+ },
+ "name": "query - 16"
+ }
+ ]
+ },
+ "customWidth": "50",
+ "name": "Subjects for Emails",
+ "styleSettings": {
+ "maxWidth": "50%"
+ }
+ },
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "items": [
+ {
+ "type": 1,
+ "content": {
+ "json": "#### Top 10 Malicious Sha256 File Hashes",
+ "style": "info"
+ },
+ "name": "text - 17"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "MimecastTTPAttachment_CL\n| where result_s != \"safe\"\n| summarize count() by fileHash_s\n",
+ "size": 3,
+ "timeContext": {
+ "durationMs": 2592000000
+ },
+ "timeContextFromParameter": "time_range",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "piechart",
+ "chartSettings": {
+ "createOtherGroup": 10
+ }
+ },
+ "name": "query - 18"
+ }
+ ]
+ },
+ "customWidth": "50",
+ "name": "Malicious Sha256 File Hashes",
+ "styleSettings": {
+ "maxWidth": "50%"
+ }
+ }
+ ]
+ },
+ "name": "dounts group 3"
+ }
+ ]
+ },
+ "name": "group - 7"
+ },
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "items": [
+ {
+ "type": 1,
+ "content": {
+ "json": "# Impersonation Protect"
+ },
+ "name": "text - 16"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "#### Impersonation Detections",
+ "style": "info"
+ },
+ "name": "text - 2"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "MimecastTTPImpersonation_CL\n| where taggedMalicious_b == true\n| summarize count() by Type, bin(TimeGenerated, 1h)\n",
+ "size": 3,
+ "timeContext": {
+ "durationMs": 2592000000
+ },
+ "timeContextFromParameter": "time_range",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "categoricalbar",
+ "chartSettings": {
+ "seriesLabelSettings": [
+ {
+ "seriesName": "count_",
+ "label": "Impersonation Protect"
+ }
+ ]
+ }
+ },
+ "name": "query - 12"
+ },
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "items": [
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "items": [
+ {
+ "type": 1,
+ "content": {
+ "json": "## Top 10 Recipients of Impersonation Emails\n"
+ },
+ "name": "text - 4"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "#### Recipients targeted with impersonation emails",
+ "style": "info"
+ },
+ "name": "text - 13"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "MimecastTTPImpersonation_CL\n| where taggedMalicious_b == true\n| summarize count() by recipientAddress_s",
+ "size": 3,
+ "timeContext": {
+ "durationMs": 2592000000
+ },
+ "timeContextFromParameter": "time_range",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "piechart",
+ "chartSettings": {
+ "createOtherGroup": 10
+ }
+ },
+ "name": "query - 7"
+ }
+ ]
+ },
+ "customWidth": "50",
+ "name": "Recipients of Impersonation Emails",
+ "styleSettings": {
+ "maxWidth": "50"
+ }
+ },
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "items": [
+ {
+ "type": 1,
+ "content": {
+ "json": "## Top 10 Senders of Impersonation Emails\n"
+ },
+ "name": "text - 5"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "#### Senders that trigged Impersonation Protect events",
+ "style": "info"
+ },
+ "name": "text - 12"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "MimecastTTPImpersonation_CL\n| where taggedMalicious_b == true and TimeGenerated > ago(100d)\n| summarize count() by senderAddress_s\n",
+ "size": 3,
+ "timeContext": {
+ "durationMs": 2592000000
+ },
+ "timeContextFromParameter": "time_range",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "piechart",
+ "chartSettings": {
+ "createOtherGroup": 10
+ }
+ },
+ "name": "query - 6"
+ }
+ ]
+ },
+ "customWidth": "50",
+ "name": "Senders of Impersonation Emails",
+ "styleSettings": {
+ "maxWidth": "50%"
+ }
+ }
+ ]
+ },
+ "name": "donuts group 1"
+ },
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "items": [
+ {
+ "type": 1,
+ "content": {
+ "json": "## Top 10 Impersonation Events\n"
+ },
+ "name": "text - 8"
+ },
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "items": [
+ {
+ "type": 1,
+ "content": {
+ "json": "#### Grouped by Impersonation Result",
+ "style": "info"
+ },
+ "name": "text - 11"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "MimecastTTPImpersonation_CL\n| where taggedMalicious_b == true\n| summarize count() by impersonationResults_s\n",
+ "size": 3,
+ "timeContext": {
+ "durationMs": 2592000000
+ },
+ "timeContextFromParameter": "time_range",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "piechart",
+ "sortBy": [],
+ "tileSettings": {
+ "showBorder": false,
+ "titleContent": {
+ "columnMatch": "recipientAddress_s",
+ "formatter": 1
+ },
+ "leftContent": {
+ "columnMatch": "count_",
+ "formatter": 12,
+ "formatOptions": {
+ "palette": "auto"
+ },
+ "numberFormat": {
+ "unit": 17,
+ "options": {
+ "maximumSignificantDigits": 3,
+ "maximumFractionDigits": 2
+ }
+ }
+ }
+ },
+ "graphSettings": {
+ "type": 0,
+ "topContent": {
+ "columnMatch": "TenantId",
+ "formatter": 1
+ },
+ "centerContent": {
+ "columnMatch": "hits_d",
+ "formatter": 1,
+ "numberFormat": {
+ "unit": 17,
+ "options": {
+ "maximumSignificantDigits": 3,
+ "maximumFractionDigits": 2
+ }
+ }
+ }
+ },
+ "chartSettings": {
+ "yAxis": [
+ "count_"
+ ],
+ "group": "impersonationResults_s",
+ "createOtherGroup": 10
+ },
+ "mapSettings": {
+ "locInfo": "LatLong",
+ "sizeSettings": "count_",
+ "sizeAggregation": "Sum",
+ "legendMetric": "count_",
+ "legendAggregation": "Sum",
+ "itemColorSettings": {
+ "type": "heatmap",
+ "colorAggregation": "Sum",
+ "nodeColorField": "count_",
+ "heatmapPalette": "greenRed"
+ }
+ }
+ },
+ "name": "query - 3"
+ }
+ ]
+ },
+ "customWidth": "50",
+ "name": " Impersonation Events",
+ "styleSettings": {
+ "maxWidth": "50%"
+ }
+ },
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "items": [
+ {
+ "type": 1,
+ "content": {
+ "json": "#### Grouped by Impersonation Identifiers",
+ "style": "info"
+ },
+ "name": "text - 9"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "MimecastTTPImpersonation_CL\n| where taggedMalicious_b == true\n| summarize count() by identifiers_s\n",
+ "size": 3,
+ "timeContext": {
+ "durationMs": 2592000000
+ },
+ "timeContextFromParameter": "time_range",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "piechart",
+ "chartSettings": {
+ "createOtherGroup": 10
+ }
+ },
+ "name": "query - 10"
+ },
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "items": []
+ },
+ "name": "group - 4"
+ }
+ ]
+ },
+ "customWidth": "50",
+ "name": " Impersonation Identifiers",
+ "styleSettings": {
+ "maxWidth": "50%"
+ }
+ }
+ ]
+ },
+ "name": "dounts group 2"
+ }
+ ]
+ },
+ "name": "group - 6"
+ }
+ ],
+ "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
+}
diff --git a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json
index 596b8904c95..64ad99fb31b 100644
--- a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json
+++ b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json
@@ -5490,6 +5490,27 @@
 "subtitle": "",
 "provider": "SalemCyber"
 },
+{
+ "workbookKey": "MimecastTTPWorkbook",
+ "logoFileName": "Mimecast.svg",
+ "description": "A workbook providing insights into Mimecast Targeted Threat Protection.",
+ "dataTypesDependencies": [
+ "MimecastTTPUrl_CL",
+ "MimecastTTPAttachment_CL",
+ "MimecastTTPImpersonation_CL"
+ ],
+ "previewImagesFileNames": [
+ "MimecastTTPBlack1.png",
+ "MimecastTTPBlack2.png",
+ "MimecastTTPWhite1.png",
+ "MimecastTTPWhite2.png"
+ ],
+ "version": "1.0.0",
+ "title": "MimecastTTP",
+ "templateRelativePath": "MimecastTTPWorkbook.json",
+ "subtitle": "Mimecast Targeted Threat Protection",
+ "provider": "Mimecast"
+},
 {
 "workbookKey": "MimecastAuditWorkbook",
 "logoFileName": "Mimecast.svg",
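Review bot: The four files listed under `previewImagesFileNames` (MimecastTTPBlack1.png, MimecastTTPBlack2.png, MimecastTTPWhite1.png, MimecastTTPWhite2.png) are not added anywhere in the visible part of this diff, and the solution packaging tool that consumes this metadata presumably resolves them relative to the solution's Workbooks/Images/Preview folder; confirm they are committed before merging, otherwise the generated solution package will reference missing assets. The `dataTypesDependencies` entries match the three custom tables the workbook's queries read (MimecastTTPUrl_CL, MimecastTTPAttachment_CL, MimecastTTPImpersonation_CL), so that part is consistent. As a wording point, `"title": "MimecastTTP"` is terser than the neighbouring entries' style suggests; `"title": "Mimecast Targeted Threat Protection"` would read better in the gallery and the current subtitle could then carry the shorter label.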