
FireEye ETP


About

Comprehensive email protection to catch what other solutions miss.

Product Details

Vendor URL: FireEye ETP

Product Type: Email Security

Product Tier: Tier II

Integration Method: Syslog

Parser Details

Log Format: JSON

Expected Normalization Rate: 100%

Data Label: FIREEYE_ETP

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field                                   UDM Field
attributes.emailSize                             additional.fields["emailSize"]
static                                           metadata.event_type
static                                           metadata.log_type
type                                             metadata.product_event_type
attributes.originalMessageID                     metadata.product_log_id
static                                           metadata.product_name
static                                           metadata.vendor_name
attributes.senderHeader                          network.email.bounce_address
attributes.senderSMTP                            network.email.from
id                                               network.email.mail_id
attributes.subject                               network.email.subject
attributes.recipientSMTP                         network.email.to
senderIP                                         principal.ip
attributes.status                                security_result.action_details
custom logic on attributes.status                security_result.action
attributes.verdicts (each key, prefixed "verdict_")   security_result.detection_fields.key
attributes.verdicts (the value of that key)      security_result.detection_fields.value
attributes.domain                                target.administrative_domain
attributes.countryCode                           target.location.country_or_region
local part of attributes.recipientSMTP (before "@")   target.user.user_display_name

Notes: the verdicts object produces one detection_fields key/value pair per entry, so the sample below (AS, AT, AV, ActionYARA, PV, YARA) yields six pairs. security_result.action is derived from attributes.status; the sample shows "delivered" mapped to ALLOW.

Product Event Types

Event          UDM Event Classification
all others     EMAIL_UNCATEGORIZED

Log Sample

{
  "attributes": {
    "acceptedDateTime": "2023-04-17T14:51:13.000",
    "countryCode": "us",
    "domain": "domain.com",
    "downStreamMsgID": "250 2.6.0 8693.168@hostname.com\u003e [InternalId=4261117524897, Hostname=prod.outlook.com] 68330 bytes in 0.232, 286.540 KB/sec Queued mail for delivery",
    "emailSize": 51.57,
    "lastModifiedDateTime": "2023-04-17T14:51:20.440",
    "originalMessageID": "8693.168@hostname.com\u003e",
    "recipientHeader": [
      "john.doe@domain.com"
    ],
    "recipientSMTP": [
      "john.doe@domain.com"
    ],
    "senderHeader": "Power Apps Team \u003cPowerApps@email.microsoft.com\u003e",
    "senderIP": "10.10.0.1",
    "senderSMTP": "email.microsoft.com",
    "status": "delivered",
    "subject": "Learn to code",
    "verdicts": {
      "AS": "pass",
      "AT": "pass",
      "AV": "pass",
      "ActionYARA": "no match",
      "PV": "pass",
      "YARA": "pass"
    },
    "yaraRulesAction": "no match"
  },
  "id": "aaaP5Gzh-57470-09F088187341EC5D3465a08a53b",
  "included": [
    {
      "attributes": {
        "name": "domain.com"
      },
      "type": "domain"
    }
  ],
  "type": "trace"
}

Sample Parsing

additional.fields["emailSize"] = "51.57"
metadata.event_timestamp.seconds = 1681743789
metadata.event_timestamp.nanos = 623078000
metadata.event_type = "EMAIL_UNCATEGORIZED"
metadata.log_type = "FIREEYE_ETP"
metadata.product_event_type = "trace"
metadata.product_log_id = "<8693.168@hostname.com>"
metadata.product_name = "ETP"
metadata.vendor_name = "Fireeye"
network.email.bounce_address = "Power Apps Team <PowerApps@email.microsoft.com>"
network.email.from = "email.microsoft.com"
network.email.mail_id = "aaaP5Gzh-57470-09F088187341EC5D3465a08a53b"
network.email.subject = "Learn to code"
network.email.to = "john.doe@domain.com"
principal.ip = "10.10.0.1"
security_result.action_details = "delivered"
security_result.action = "ALLOW"
security_result.detection_fields.key = "verdict_AS"
security_result.detection_fields.value = "pass"
security_result.detection_fields.key = "verdict_AT"
security_result.detection_fields.value = "pass"
security_result.detection_fields.key = "verdict_AV"
security_result.detection_fields.value = "pass"
security_result.detection_fields.key = "verdict_ActionYARA"
security_result.detection_fields.value = "no match"
security_result.detection_fields.key = "verdict_PV"
security_result.detection_fields.value = "pass"
security_result.detection_fields.key = "verdict_YARA"
security_result.detection_fields.value = "pass"
target.administrative_domain = "domain.com"
target.location.country_or_region = "us"
target.user.user_display_name = "john.doe"
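To make the field table concrete, here is the documented mapping implemented as a small Python normalizer and run over the page's sample record. This is an added example, not the Chronicle parser or FireEye code. The input is a constructed, trimmed copy of the sample above with the Message-ID written in its usual angle-bracket form (the form the Sample Parsing output shows). Two behaviours are assumptions rather than page facts: any status other than "delivered" is reported as UNKNOWN_ACTION instead of guessed, and the display name is taken from the first recipient (the sample has only one).

```python
import json
from typing import Any, Dict, List

# Constructed sample input (not a live capture): the trace record from this
# page, reduced to the attributes the parser consumes.
SAMPLE_LOG = """{
  "attributes": {
    "countryCode": "us",
    "domain": "domain.com",
    "emailSize": 51.57,
    "originalMessageID": "<8693.168@hostname.com>",
    "recipientSMTP": ["john.doe@domain.com"],
    "senderHeader": "Power Apps Team <PowerApps@email.microsoft.com>",
    "senderIP": "10.10.0.1",
    "senderSMTP": "email.microsoft.com",
    "status": "delivered",
    "subject": "Learn to code",
    "verdicts": {"AS": "pass", "AT": "pass", "AV": "pass",
                 "ActionYARA": "no match", "PV": "pass", "YARA": "pass"}
  },
  "id": "aaaP5Gzh-57470-09F088187341EC5D3465a08a53b",
  "type": "trace"
}"""


def status_to_action(status: str) -> str:
    """Map attributes.status to security_result.action.
    Only 'delivered' -> ALLOW is documented on the page; everything else
    becomes UNKNOWN_ACTION (an assumption) so a new status never reads as ALLOW."""
    return "ALLOW" if (status or "").lower() == "delivered" else "UNKNOWN_ACTION"


def display_name(smtp_address: str) -> str:
    """The 'custom filter' for target.user.user_display_name: the local part."""
    return smtp_address.split("@", 1)[0]


def normalize(record: Dict[str, Any]) -> Dict[str, Any]:
    """Build the UDM mapping documented on this page. Scalars are keyed by UDM
    path; repeated fields (network.email.to, detection_fields) are lists."""
    attrs = record.get("attributes") or {}
    udm: Dict[str, Any] = {
        "metadata.event_type": "EMAIL_UNCATEGORIZED",   # static
        "metadata.log_type": "FIREEYE_ETP",             # static
        "metadata.product_name": "ETP",                 # static
        "metadata.vendor_name": "Fireeye",              # static
    }

    def put(path: str, value: Any) -> None:
        # An absent or empty source field simply produces no UDM field.
        if value not in (None, "", [], {}):
            udm[path] = value

    put("metadata.product_event_type", record.get("type"))
    put("metadata.product_log_id", attrs.get("originalMessageID"))
    put("network.email.mail_id", record.get("id"))
    put("network.email.bounce_address", attrs.get("senderHeader"))
    put("network.email.from", attrs.get("senderSMTP"))
    put("network.email.subject", attrs.get("subject"))
    put("principal.ip", attrs.get("senderIP"))
    put("target.administrative_domain", attrs.get("domain"))
    put("target.location.country_or_region", attrs.get("countryCode"))
    if "emailSize" in attrs:
        # Kept as a string under additional.fields, as the sample output shows.
        put('additional.fields["emailSize"]', str(attrs["emailSize"]))

    recipients = attrs.get("recipientSMTP") or []
    put("network.email.to", list(recipients))
    if recipients:  # assumption: first recipient supplies the display name
        put("target.user.user_display_name", display_name(recipients[0]))

    status = attrs.get("status")
    put("security_result.action_details", status)
    if status is not None:
        put("security_result.action", status_to_action(status))

    # One detection_fields pair per verdict engine, key prefixed "verdict_".
    verdicts = attrs.get("verdicts") or {}
    put("security_result.detection_fields",
        [("verdict_" + engine, result) for engine, result in verdicts.items()])
    return udm


def normalize_raw(raw_json: str) -> Dict[str, Any]:
    return normalize(json.loads(raw_json))


def render(udm: Dict[str, Any]) -> List[str]:
    """Flatten to the 'path = "value"' lines used in the Sample Parsing section."""
    lines: List[str] = []
    for path, value in udm.items():
        if path == "security_result.detection_fields":
            for key, val in value:
                lines.append('%s.key = "%s"' % (path, key))
                lines.append('%s.value = "%s"' % (path, val))
        elif isinstance(value, list):
            lines.extend('%s = "%s"' % (path, v) for v in value)
        else:
            lines.append('%s = "%s"' % (path, value))
    return lines


if __name__ == "__main__":
    print("\n".join(render(normalize_raw(SAMPLE_LOG))))
```

Running the block prints the same field lines as the Sample Parsing section (except metadata.event_timestamp, which the page does not derive from any log field). Feeding it a record with no attributes block shows the other useful property: nothing is fabricated, the security_result and email fields are simply absent rather than defaulted.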