Area1
About
Area1's mission is making INBOX.CLEAN™ a reality: stop phishing attacks — the root cause of 95% of breaches — before they reach users. Get the only solution that preemptively stops Business Email Compromise, malware, ransomware and other advanced threats by discovering and eliminating them before they cause damage.
Product Details
Vendor URL: Area1
Product Type: Email security
Product Tier: Tier II
Integration Method: Custom
Integration URL: n/a
Log Guide: n/a
Parser Details
Log Format: JSON
Expected Normalization Rate: near 100%
Data Label: AREA1
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| host | intermediary.hostname |
| sourcetype | metadata.product_event_type |
| time | metadata.event_timestamp |
| "Area1Security" | metadata.vendor_name |
| "Security" | metadata.product_name |
| "EMAIL_UNCATEGORIZED" | metadata.event_type |
| event.smtp_helo_server_name | principal.hostname |
| event.envelope_to | network.email.cc |
| event.subject | network.email.subject |
| event.smtp_helo_server_ip_as_name | principal.administrative_domain |
| event.alert_reasons | principal.investigation.comments |
| event.message_id | network.email.mail_id |
| event.replyto_name | security_result.about.group.group_display_name |
| event.from_name | metadata.description |
| event.smtp_helo_server_ip | principal.asset.ip |
| event.smtp_helo_server_ip_geo | principal.asset.location.name |
| event.smtp_helo_server_ip_as_number | principal.asset.asset_id |
| event.envelope_from | security_result.about.resource_name |
| event.alert_id | metadata.product_log_id |
| event.replyto | network.email.reply_to |
| event.from | network.email.from |
| event.to | network.email.to |
Product Event Types
| Product Event | Description | UDM Event |
|---|---|---|
| All | All events | EMAIL_UNCATEGORIZED |
Log Sample
```json
{
  "host": "<hostname>",
  "sourcetype": "mailstream",
  "time": 1641920822,
  "source": "area1security",
  "event": {
    "final_disposition": "MALICIOUS",
    "smtp_helo_server_name": "server.name",
    "envelope_to": ["john.doe@domain.com", "jane.doe@domain.com"],
    "subject": "<email subject>",
    "external_present": true,
    "smtp_helo_server_ip_as_name": "ip_as_name",
    "encrypted_feature_count": 0,
    "alert_reasons": ["alert reason 1", "alert reason 2", "alert reason 3"],
    "message_id": "<messageId>",
    "replyto_name": "john.doe@domain.com",
    "from_name": "description",
    "smtp_helo_server_ip": "10.10.95.65",
    "smtp_helo_server_ip_geo": "US",
    "smtp_helo_server_ip_as_number": "number",
    "envelope_from": " john.doe@domain.com",
    "alert_id": "<alert_id>",
    "replyto": "<replyto>",
    "from": "<from>",
    "to": ["<to>"],
    "delivery_mode": "DIRECT",
    "ts": "2022-01-11T17:07:02"
  },
  "lambda-timestamp": "2022-01-11T17:07:07Z"
}
```
Sample Parsing
intermediary.hostname = "<hostname>"
metadata.product_event_type = "mailstream"
metadata.event_timestamp = "1641920822"
metadata.vendor_name = "AREA1Security"
metadata.product_name = "Security"
metadata.event_timestamp = "2022-01-11T17:07:02"
metadata.event_type = "EMAIL_UNCATEGORIZED"
metadata.ingested_timestamp = ""
principal.hostname = "server.name"
network.email.cc = ["john.doe@domain.com", "jane.doe@domain.com"]
network.email.subject = "<email subject>"
principal.administrative_domain = "ip_as_name"
principal.investigation.comments = ["alert reason 1", "alert reason 2", "alert reason 3"]
network.email.mail_id = "<messageId>"
security_result.about.group.group_display_name = " john.doe@domain.com"
metadata.description = "description"
principal.asset.ip = "10.10.95.65"
principal.asset.location.name = "US"
principal.asset.asset_id = "number"
security_result.about.resource_name = " john.doe@domain.com"
metadata.product_log_id = "alert_id"
network.email.reply_to = "reply_to"
network.email.from = "from"
network.email.to = "to"
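As an added example (not the Area1 parser's own code), the following Python applies the field mapping table above to an abridged copy of the log sample and also reports which log keys the mapping does not cover, which is what decides the "near 100%" normalization rate; it assumes a flat dotted-path representation of UDM fields.

```python
import json
# Constructed sample, abridged from this page's Log Sample section.
SAMPLE_LOG = json.dumps({"host": "<hostname>", "sourcetype": "mailstream", "time": 1641920822,
    "source": "area1security", "event": {"final_disposition": "MALICIOUS",
        "smtp_helo_server_name": "server.name", "envelope_to": ["john.doe@domain.com"],
        "alert_reasons": ["alert reason 1", "alert reason 2"], "alert_id": "<alert_id>",
        "smtp_helo_server_ip": "10.10.95.65", "envelope_from": " john.doe@domain.com",
        "from": "<from>", "to": ["<to>"], "ts": "2022-01-11T17:07:02"}})

FIELD_MAP = {  # log field -> UDM field, copied from the table above
    "host": "intermediary.hostname", "sourcetype": "metadata.product_event_type",
    "time": "metadata.event_timestamp", "event.subject": "network.email.subject",
    "event.smtp_helo_server_name": "principal.hostname",
    "event.envelope_to": "network.email.cc", "event.from": "network.email.from",
    "event.smtp_helo_server_ip_as_name": "principal.administrative_domain",
    "event.alert_reasons": "principal.investigation.comments",
    "event.message_id": "network.email.mail_id", "event.to": "network.email.to",
    "event.replyto_name": "security_result.about.group.group_display_name",
    "event.from_name": "metadata.description",
    "event.smtp_helo_server_ip": "principal.asset.ip",
    "event.smtp_helo_server_ip_geo": "principal.asset.location.name",
    "event.smtp_helo_server_ip_as_number": "principal.asset.asset_id",
    "event.envelope_from": "security_result.about.resource_name",
    "event.alert_id": "metadata.product_log_id",
    "event.replyto": "network.email.reply_to",
}
CONSTANTS = {"metadata.vendor_name": "Area1Security", "metadata.product_name": "Security",
             "metadata.event_type": "EMAIL_UNCATEGORIZED"}

def lookup(obj, path):
    """Follow a dotted path through nested dicts; None if any step is missing."""
    for key in path.split("."):
        obj = obj.get(key) if isinstance(obj, dict) else None
    return obj

def normalize(raw):
    """Map one raw JSON log line to a flat {udm_field: value} dict."""
    record, udm = json.loads(raw), dict(CONSTANTS)
    for src, dst in FIELD_MAP.items():
        value = lookup(record, src)
        if value is not None:  # fields absent from this event yield no UDM entry
            udm[dst] = str(value) if type(value) is int else value  # time -> string
    return udm

def unmapped_fields(raw):
    """Log keys the table above does not map; normalize() silently drops them."""
    record = json.loads(raw)
    keys = {k for k in record if k != "event"} | {"event." + k for k in record["event"]}
    return sorted(keys - set(FIELD_MAP))
```

Note that `event.final_disposition` (MALICIOUS in the sample) is among the dropped keys, so a verdict-based detection would need the mapping extended before it can rely on UDM alone.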
Parser Alerting
This product currently does not have any Parser-based Alerting.
Rules
Coming Soon