FireEye ETP
About
Comprehensive email protection to catch what other solutions miss.
Product Details
Vendor URL: FireEye ETP
Product Type: Email Security
Product Tier: Tier II
Integration Method: Syslog
Parser Details
Log Format: JSON
Expected Normalization Rate: 100%
Data Label: FIREEYE_ETP
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| attributes.emailSize | additional.fields["emailSize"] |
| static | metadata.event_type |
| static | metadata.log_type |
| type | metadata.product_event_type |
| static | metadata.product_log_id |
| static | metadata.product_name |
| static | metadata.vendor_name |
| attributes.senderHeader | network.email.bounce_address |
| attributes.senderSMTP | network.email.from |
| id | network.email.mail_id |
| attributes.subject | network.email.subject |
| attributes.recipientSMTP | network.email.to |
| senderIP | principal.ip |
| attributes.status | security_result.action_details |
| custom logic | security_result.action |
| attributes.verdicts values | security_result.detection_fields.key |
| attributes.verdicts values | security_result.detection_fields.value |
| attributes.verdicts values | security_result.detection_fields.key |
| attributes.verdicts values | security_result.detection_fields.value |
| attributes.verdicts values | security_result.detection_fields.key |
| attributes.verdicts values | security_result.detection_fields.value |
| attributes.verdicts values | security_result.detection_fields.key |
| attributes.verdicts values | security_result.detection_fields.value |
| attributes.verdicts values | security_result.detection_fields.key |
| attributes.verdicts values | security_result.detection_fields.value |
| attributes.verdicts values | security_result.detection_fields.key |
| attributes.verdicts values | security_result.detection_fields.value |
| attributes.domain | target.administrative_domain |
| attributes.countryCode | target.location.country_or_region |
| custom filter from attributes.recipientSMTP | target.user.user_display_name |
Product Event Types

| Event | UDM Event Classification |
|---|---|
| all others | EMAIL_UNCATEGORIZED |
Log Sample

```json
{
  "attributes": {
    "acceptedDateTime": "2023-04-17T14:51:13.000",
    "countryCode": "us",
    "domain": "domain.com",
    "downStreamMsgID": "250 2.6.0 8693.168@hostname.com\u003e [InternalId=4261117524897, Hostname=prod.outlook.com] 68330 bytes in 0.232, 286.540 KB/sec Queued mail for delivery",
    "emailSize": 51.57,
    "lastModifiedDateTime": "2023-04-17T14:51:20.440",
    "originalMessageID": "8693.168@hostname.com\u003e",
    "recipientHeader": [
      "john.doe@domain.com"
    ],
    "recipientSMTP": [
      "john.doe@domain.com"
    ],
    "senderHeader": "Power Apps Team \u003cPowerApps@email.microsoft.com\u003e",
    "senderIP": "10.10.0.1",
    "senderSMTP": "email.microsoft.com",
    "status": "delivered",
    "subject": "Learn to code",
    "verdicts": {
      "AS": "pass",
      "AT": "pass",
      "AV": "pass",
      "ActionYARA": "no match",
      "PV": "pass",
      "YARA": "pass"
    },
    "yaraRulesAction": "no match"
  },
  "id": "aaaP5Gzh-57470-09F088187341EC5D3465a08a53b",
  "included": [
    {
      "attributes": {
        "name": "domain.com"
      },
      "type": "domain"
    }
  ],
  "type": "trace"
}
```
Sample Parsing

```
additional.fields["emailSize"] = "51.57"
metadata.event_timestamp.seconds = 1681743789
metadata.event_timestamp.nanos = 623078000
metadata.event_type = "EMAIL_UNCATEGORIZED"
metadata.log_type = "FIREEYE_ETP"
metadata.product_event_type = "trace"
metadata.product_log_id = "<8693.168@hostname.com>"
metadata.product_name = "ETP"
metadata.vendor_name = "Fireeye"
network.email.bounce_address = "Power Apps Team <PowerApps@email.microsoft.com>"
network.email.from = "email.microsoft.com"
network.email.mail_id = "aaaP5Gzh-57470-09F088187341EC5D3465a08a53b"
network.email.subject = "Learn to code"
network.email.to = "john.doe@domain.com"
principal.ip = "10.10.0.1"
security_result.action_details = "delivered"
security_result.action = "ALLOW"
security_result.detection_fields.key = "verdict_AS"
security_result.detection_fields.value = "pass"
security_result.detection_fields.key = "verdict_AT"
security_result.detection_fields.value = "pass"
security_result.detection_fields.key = "verdict_AV"
security_result.detection_fields.value = "pass"
security_result.detection_fields.key = "verdict_ActionYARA"
security_result.detection_fields.value = "no match"
security_result.detection_fields.key = "verdict_PV"
security_result.detection_fields.value = "pass"
security_result.detection_fields.key = "verdict_YARA"
security_result.detection_fields.value = "pass"
target.administrative_domain = "domain.com"
target.location.country_or_region = "us"
target.user.user_display_name = "john.doe"
```
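The field mapping in the table above, worked through in Python as an added example (not the vendor's or the parser's own code): it reproduces the UDM values shown in Sample Parsing from a constructed copy of the log record. The `STATUS_TO_ACTION` table stands in for the parser's unpublished "custom logic" and only encodes the one status the page shows; the `verdict_` prefix and the local-part extraction for `user_display_name` are taken from the sample output.

```python
import json

# Constructed input: a trimmed copy of the ETP "trace" record in the log sample above.
SAMPLE_LOG = json.dumps({
    "attributes": {
        "countryCode": "us", "domain": "domain.com", "emailSize": 51.57,
        "recipientSMTP": ["john.doe@domain.com"],
        "senderHeader": "Power Apps Team <PowerApps@email.microsoft.com>",
        "senderIP": "10.10.0.1", "senderSMTP": "email.microsoft.com",
        "status": "delivered", "subject": "Learn to code",
        "verdicts": {"AS": "pass", "AT": "pass", "AV": "pass",
                     "ActionYARA": "no match", "PV": "pass", "YARA": "pass"},
    },
    "id": "aaaP5Gzh-57470-09F088187341EC5D3465a08a53b",
    "type": "trace",
})

# Assumed stand-in for the parser's "custom logic": only "delivered" -> ALLOW is documented.
STATUS_TO_ACTION = {"delivered": "ALLOW"}


def normalize_etp(raw):
    """Map one ETP JSON record to the UDM fields listed in the table above."""
    rec = json.loads(raw)
    attrs = rec.get("attributes", {})
    recipients = attrs.get("recipientSMTP") or []
    udm = {
        "metadata.event_type": "EMAIL_UNCATEGORIZED",
        "metadata.log_type": "FIREEYE_ETP",
        "metadata.product_event_type": rec.get("type"),
        "metadata.product_name": "ETP",
        "metadata.vendor_name": "Fireeye",
        "network.email.mail_id": rec.get("id"),
        "network.email.bounce_address": attrs.get("senderHeader"),
        "network.email.from": attrs.get("senderSMTP"),
        "network.email.subject": attrs.get("subject"),
        "network.email.to": recipients,
        "principal.ip": attrs.get("senderIP"),
        "security_result.action_details": attrs.get("status"),
        "security_result.action": STATUS_TO_ACTION.get(attrs.get("status"), "UNKNOWN_ACTION"),
        "target.administrative_domain": attrs.get("domain"),
        "target.location.country_or_region": attrs.get("countryCode"),
    }
    if "emailSize" in attrs:  # numeric in the log, string in additional.fields
        udm['additional.fields["emailSize"]'] = str(attrs["emailSize"])
    udm["security_result.detection_fields"] = [  # one key/value pair per verdict
        {"key": f"verdict_{k}", "value": v} for k, v in attrs.get("verdicts", {}).items()]
    if recipients:  # user_display_name is the local part of the first SMTP recipient
        udm["target.user.user_display_name"] = recipients[0].split("@", 1)[0]
    return udm
```

A record with a status other than "delivered" comes back as UNKNOWN_ACTION, which makes it easy to spot statuses the assumed table does not yet cover.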