Skip to content

Avanan (Email Security)

Avanan (Email Security)

About

Avanan is a cloud email security platform that pioneered and patented a new approach to prevent sophisticated attacks. We use APIs to scan for phishing, malware, and data leakage in the line of communications traffic. This means we catch threats missed by Microsoft while adding a transparent layer of security for the entire suite and other collaboration tools like Slack.

Avanan catches the advanced attacks that evade default and advanced security tools. Its invisible, multi-layer security enables full-suite protection for cloud collaboration solutions such as Office 365™, G-Suite™, and Slack™. The platform deploys in one click via API to prevent Business Email Compromise and block phishing, malware, data leakage, account takeover, and shadow IT across the enterprise. Avanan replaces the need for multiple tools to secure the entire cloud collaboration suite, with a patented solution that goes far beyond any other Cloud Email Security Supplement.

Product Details

Vendor URL: Avanan

Product Type: Email Security

Product Tier: Tier III

Integration Method: JSON

Integration URL: Avanan Integrations - SIEM

Log Guide: N/A

Parser Details

Log Format: JSON

Expected Normalization Rate: near 100%

Data Label: AVANAN_EMAIL

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field UDM Field
eventid metadata.product_event_type
"Avanan Email Security" metadata.vendor_name
"EMAIL_TRANSACTION" metadata.event_type
aggregation_id security_result.detection_fields
av_file_hash_md5 principal.process.file.md5
av_file_hash_sha1 principal.process.file.sha1
av_file_hash_sha256 principal.process.file.sha256
av_file_mime principal.process.file.mime_type
av_mail_hash security_result.detection_fields
Body_ContentType security_result.detection_fields
current_state additional.fields
customer_domain additional.fields
description metadata.description
entity_link principal.process.file.full_path
entity_source security_result.detection_fields
entity_type security_result.detection_fields
From target.process.product_specific_process_id
id metadata.product_log_id
incoming network.direction
InternetMessageId network.email.mail_id
InternetMessageIdHash security_result.detection_fields
is_quarantined,in_s3_quarantine security_result.action
is_restored_from_quarantine,is_in_inbox,is_inline_released security_result.action
matched_security_tool additional.fields
policy_rule_id security_result.rule_id
recipient_emails network.email.to
recipients_hash target.process.file.sha256
recipients network.email.to
sec_event_id security_result.detection_fields
sender_ip principal.ip
Sender target.process.product_specific_process_id
severity security_result.severity
Size target.file.size
Subject network.email.subject
user_email network.email.from
user_id principal.user.userid

Product Event Types

Event UDM Event Classification
all events EMAIL_TRANSACTION

Log Sample

{"recipients_hash": "7f814939c9c97fffffffff455c9b1873", "entity_id": "7f814939c9c97fffffffff455c9b1873:cf00bb85-bdf0-428f-a9fd-5b1df6c2dd5a:Bcc", "customer_domain": "myco", "entity_type": "office365_emails_email_recipient", "message_id": null, "recipient_type": "Bcc", "user_id": "cf00bb85-bdf0-0000-ffff-5b1df6c2dd5a", "id": "7f814939c9c97fffffffff455c9b1873:cf00bb85-bdf0-0000-ffff-5b1df6c2dd5a:Bcc"}

Sample Parsing

metadata.product_log_id"7f814939c9c97fffffffff455c9b1873:cf00bb85-bdf0-0000-ffff-5b1df6c2dd5a:Bcc"
metadata.event_timestamp"2022-12-07T16:01:28.338745Z"
metadata.event_type"EMAIL_TRANSACTION"
metadata.vendor_name"Avanan Email Security"
metadata.ingested_timestamp"2022-12-07T16:01:28.338745Z"
metadata.id"AAAAAJETdgC9f/4ojz7kqcY6yNQAAAAADwAAAMcAAAA="
additional.fields["customer_domain"]"myco"
principal.user.userid"cf00bb85-bdf0-0000-ffff-5b1df6c2dd5a"
target.process.file.sha256"7f814939c9c97fffffffff455c9b1873"
security_result[0].action[0]"UNKNOWN_ACTION"
security_result[0].detection_fields[0].key"entity_type"
security_result[0].detection_fields[0].value"office365_emails_email_recipient"

Parser Alerting

This product currently does not have any Parser-based Alerting