Avanan (Email Security)¶
About¶
Avanan is a cloud email security platform that pioneered and patented a new approach to prevent sophisticated attacks. We use APIs to scan for phishing, malware, and data leakage in the line of communications traffic. This means we catch threats missed by Microsoft while adding a transparent layer of security for the entire suite and other collaboration tools like Slack.
Avanan catches the advanced attacks that evade default and advanced security tools. Its invisible, multi-layer security enables full-suite protection for cloud collaboration solutions such as Office 365™, G-Suite™, and Slack™. The platform deploys in one click via API to prevent Business Email Compromise and block phishing, malware, data leakage, account takeover, and shadow IT across the enterprise. Avanan replaces the need for multiple tools to secure the entire cloud collaboration suite, with a patented solution that goes far beyond any other Cloud Email Security Supplement.
Product Details¶
Vendor URL: Avanan
Product Type: Email Security
Product Tier: Tier III
Integration Method: JSON
Integration URL: Avanan Integrations - SIEM
Log Guide: N/A
Parser Details¶
Log Format: JSON
Expected Normalization Rate: near 100%
Data Label: AVANAN_EMAIL
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| eventid | metadata.product_event_type |
| "Avanan Email Security" | metadata.vendor_name |
| "EMAIL_TRANSACTION" | metadata.event_type |
| aggregation_id | security_result.detection_fields |
| av_file_hash_md5 | principal.process.file.md5 |
| av_file_hash_sha1 | principal.process.file.sha1 |
| av_file_hash_sha256 | principal.process.file.sha256 |
| av_file_mime | principal.process.file.mime_type |
| av_mail_hash | security_result.detection_fields |
| Body_ContentType | security_result.detection_fields |
| current_state | additional.fields |
| customer_domain | additional.fields |
| description | metadata.description |
| entity_link | principal.process.file.full_path |
| entity_source | security_result.detection_fields |
| entity_type | security_result.detection_fields |
| From | target.process.product_specific_process_id |
| id | metadata.product_log_id |
| incoming | network.direction |
| InternetMessageId | network.email.mail_id |
| InternetMessageIdHash | security_result.detection_fields |
| is_quarantined,in_s3_quarantine | security_result.action |
| is_restored_from_quarantine,is_in_inbox,is_inline_released | security_result.action |
| matched_security_tool | additional.fields |
| policy_rule_id | security_result.rule_id |
| recipient_emails | network.email.to |
| recipients_hash | target.process.file.sha256 |
| recipients | network.email.to |
| sec_event_id | security_result.detection_fields |
| sender_ip | principal.ip |
| Sender | target.process.product_specific_process_id |
| severity | security_result.severity |
| Size | target.file.size |
| Subject | network.email.subject |
| user_email | network.email.from |
| user_id | principal.user.userid |
Product Event Types¶
| Event | UDM Event Classification |
|---|---|
| all events | EMAIL_TRANSACTION |
Log Sample¶
{"recipients_hash": "7f814939c9c97fffffffff455c9b1873", "entity_id": "7f814939c9c97fffffffff455c9b1873:cf00bb85-bdf0-428f-a9fd-5b1df6c2dd5a:Bcc", "customer_domain": "myco", "entity_type": "office365_emails_email_recipient", "message_id": null, "recipient_type": "Bcc", "user_id": "cf00bb85-bdf0-0000-ffff-5b1df6c2dd5a", "id": "7f814939c9c97fffffffff455c9b1873:cf00bb85-bdf0-0000-ffff-5b1df6c2dd5a:Bcc"}
Sample Parsing¶
metadata.product_log_id"7f814939c9c97fffffffff455c9b1873:cf00bb85-bdf0-0000-ffff-5b1df6c2dd5a:Bcc"
metadata.event_timestamp"2022-12-07T16:01:28.338745Z"
metadata.event_type"EMAIL_TRANSACTION"
metadata.vendor_name"Avanan Email Security"
metadata.ingested_timestamp"2022-12-07T16:01:28.338745Z"
metadata.id"AAAAAJETdgC9f/4ojz7kqcY6yNQAAAAADwAAAMcAAAA="
additional.fields["customer_domain"]"myco"
principal.user.userid"cf00bb85-bdf0-0000-ffff-5b1df6c2dd5a"
target.process.file.sha256"7f814939c9c97fffffffff455c9b1873"
security_result[0].action[0]"UNKNOWN_ACTION"
security_result[0].detection_fields[0].key"entity_type"
security_result[0].detection_fields[0].value"office365_emails_email_recipient"
Parser Alerting¶
This product currently does not have any Parser-based Alerting
Rules¶
Coming Soon