Solutions/Trend Micro Cloud App Security/Hunting Queries/TrendMicroCASTopFilesRecievedViaEmail.yaml

id: 5b2dc14b-a55c-4002-8c2a-94f521baa0f4
name: Trend Micro CAS - Files received via email services
description: |
  'Query searches for top files received via email services.'
severity: Medium
requiredDataConnectors:
  - connectorId: TrendMicroCAS
    dataTypes:
      - TrendMicroCAS
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  TrendMicroCAS
  | where TimeGenerated > ago(24h)
  | where EventCategoryType in~ ('exchange', 'gmail', 'exchangeserver')
  | where isnotempty(MailMessageFileName)
  | summarize count() by MailMessageFileName, EventOriginalResultDetails
  | extend FileCustomEntity = MailMessageFileName
entityMappings:
  - entityType: File
    fieldMappings:
      - identifier: Name
        columnName: FileCustomEntity
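The following Python block is an added example, not part of the Sentinel solution above; it re-implements the hunting query's filter and aggregation steps over a constructed set of TrendMicroCAS-shaped events so the semantics can be checked offline: the 24-hour window on TimeGenerated, the case-insensitive `in~` match on EventCategoryType, the isnotempty guard on MailMessageFileName, and the count grouped by file name and EventOriginalResultDetails. The event rows, the fixed reference time NOW, and the sort by descending count (the KQL itself does not sort) are assumptions of this example.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Fixed "now" so the 24h window is deterministic (assumption for this example).
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)

# Constructed sample events shaped like TrendMicroCAS rows; not real telemetry.
SAMPLE_EVENTS = [
    {"TimeGenerated": NOW - timedelta(hours=1), "EventCategoryType": "Exchange",
     "MailMessageFileName": "invoice.pdf", "EventOriginalResultDetails": "Clean"},
    {"TimeGenerated": NOW - timedelta(hours=2), "EventCategoryType": "exchange",
     "MailMessageFileName": "invoice.pdf", "EventOriginalResultDetails": "Clean"},
    {"TimeGenerated": NOW - timedelta(hours=3), "EventCategoryType": "GMAIL",
     "MailMessageFileName": "invoice.pdf", "EventOriginalResultDetails": "Quarantined"},
    {"TimeGenerated": NOW - timedelta(hours=5), "EventCategoryType": "exchangeserver",
     "MailMessageFileName": "report.xlsx", "EventOriginalResultDetails": "Clean"},
    # Outside the 24h window: must be dropped.
    {"TimeGenerated": NOW - timedelta(hours=30), "EventCategoryType": "exchange",
     "MailMessageFileName": "old.docx", "EventOriginalResultDetails": "Clean"},
    # Not an email service category: must be dropped.
    {"TimeGenerated": NOW - timedelta(hours=1), "EventCategoryType": "onedrive",
     "MailMessageFileName": "shared.zip", "EventOriginalResultDetails": "Clean"},
    # Empty file name: must be dropped by the isnotempty() check.
    {"TimeGenerated": NOW - timedelta(hours=1), "EventCategoryType": "exchange",
     "MailMessageFileName": "", "EventOriginalResultDetails": "Clean"},
]

# Same literal list as the query's in~ (...) clause; compared case-insensitively.
EMAIL_SERVICES = {"exchange", "gmail", "exchangeserver"}


def hunt_top_files(events, now=NOW, window=timedelta(hours=24)):
    """Mirror the KQL pipeline and return rows shaped like the query output.

    Each row carries MailMessageFileName, EventOriginalResultDetails, count_
    and the FileCustomEntity column used by the File entity mapping.
    """
    cutoff = now - window
    counts = Counter()
    for event in events:
        # | where TimeGenerated > ago(24h)
        if event["TimeGenerated"] <= cutoff:
            continue
        # | where EventCategoryType in~ ('exchange', 'gmail', 'exchangeserver')
        category = (event.get("EventCategoryType") or "").lower()
        if category not in EMAIL_SERVICES:
            continue
        # | where isnotempty(MailMessageFileName)
        file_name = event.get("MailMessageFileName")
        if not file_name:
            continue
        # | summarize count() by MailMessageFileName, EventOriginalResultDetails
        counts[(file_name, event.get("EventOriginalResultDetails", ""))] += 1

    # most_common() orders by descending count; the original query leaves
    # ordering to the analyst, so this sort is an addition of the example.
    return [
        {
            "MailMessageFileName": name,
            "EventOriginalResultDetails": result,
            "count_": count,
            # | extend FileCustomEntity = MailMessageFileName
            "FileCustomEntity": name,
        }
        for (name, result), count in counts.most_common()
    ]


if __name__ == "__main__":
    for row in hunt_top_files(SAMPLE_EVENTS):
        print(row)
```

Running the block prints three rows: invoice.pdf/Clean with a count of 2, then invoice.pdf/Quarantined and report.xlsx/Clean with a count of 1 each; the out-of-window, non-email and empty-name events are excluded, which is the behaviour an analyst should expect from the query before relying on its FileCustomEntity mapping.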