
IronScales

About

IRONSCALES™ is an integrated cloud email security (ICES) platform that provides organizations with a complete solution for enterprise email security.

Product Details

Vendor URL: IronScales

Product Type: Email

Product Tier: Tier II

Integration Method: Syslog

Integration URL: n/a

Log Guide: n/a

Parser Details

Log Format: CEF

Expected Normalization Rate: near 100%

Data Label: IRONSCALES

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field      UDM Field
"IronScales"        metadata.vendor_name
"IronTraps"         metadata.product_name
EMAIL_TRANSACTION   metadata.event_type
observer            observer.hostname
version             metadata.product_version
event               metadata.product_event_type
desc                metadata.description
cs1                 principal.user.user_display_name
duid                target.user.userid
request             target.url
fname               target.file.full_path
fileHash            target.file.md5
cs2                 target.user.user_display_name
suser               network.email.from
duser               network.email.to
cs3                 network.email.mail_id
cs4                 network.email.subject
reason              security_result.summary
severity_details    security_result.severity_details
cn1                 security_result.detection_fields
cn2                 security_result.detection_fields
cs5                 security_result.detection_fields
cfp1                security_result.detection_fields

Product Event Types

Product Event   Description   UDM Event
All             All events    EMAIL_TRANSACTION

Log Sample

Jan  9 21:09:29 observer.hostname CEF:0|IronScales|IronTraps|2.0|attack attachment|Phishing Email Attack Attachment|10|suser=johndoe@co.com duser=ajanedoe@co.com duid=profile5753899 reason=Automated Threat Detection Email Report cn1=32139894 cn1Label=Report Id cs1=Call Support LOG -PhoneDesk cs1Label=Sender Name cs2=empName cs2Label=Employee Name cs3=<1234> cs3Label=Message-ID cs4=[EXTERNAL]: □□Tdsclinical: CALLER DETAILS AVAILABLE | REF #  On 1 January cs4Label=Email Subject cs5=Verified Attack cs5Label=Report State fname=file.htm. fileHash=e00d00f00c00bcee00abcfbe0ba0aca0

Sample Parsing

metadata.event_type = "EMAIL_TRANSACTION"
metadata.vendor_name = "IronScales"
metadata.product_name = "IronTraps"
metadata.product_version = "2.0"
metadata.product_event_type = "attack attachment"
metadata.description = "Phishing Email Attack Attachment"
principal.user.user_display_name = "Call Support LOG -PhoneDesk"
target.user.userid = "profile5753899"
target.user.user_display_name = "empName"
target.file.md5 = "e00d00f00c00bcee00abcfbe0ba0aca0"
target.file.full_path = "file.htm."
observer.hostname = "observer.hostname"
security_result.detection_fields.key = "Report Id"
security_result.detection_fields.value = "32139894"
security_result.detection_fields.key = "Report State"
security_result.detection_fields.value = "Verified Attack"
security_result.summary = "Automated Threat Detection Email Report"
security_result.severity_details = "10"
network.email.from = "johndoe@co.com"
network.email.to = "ajanedoe@co.com"
network.email.mail_id = "<1234>"
network.email.subject = "[EXTERNAL]: \342\226\241\342\226\241Tdsclinical: CALLER DETAILS AVAILABLE | REF #  On 1 January"
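The mapping in the UDM Fields table and the Sample Parsing output above can be reproduced with a small reference parser. The following is an added example written for this page; it is not IronScales' parser and not the SIEM vendor's production parser code. It splits the syslog prefix from the CEF record, splits the seven pipe-delimited CEF header fields, tokenizes the space-separated `key=value` extension (keeping spaces inside values), pairs each `cnN`/`csN`/`cfpN` value with its sibling `<key>Label` to build `security_result.detection_fields`, and fills the remaining UDM fields from the table. The `SAMPLE` constant is a copy of the Log Sample above with the two white-square characters written as `\u25a1`; the octal `\342\226\241` in the Sample Parsing output is just the UTF-8 encoding of that same character, which the example checks. The dotted output keys and the `{"key": ..., "value": ...}` shape for detection fields are this example's own flat representation of the UDM paths.

```python
"""Reference parser for the IronScales/IronTraps CEF syslog line on this page.
Added example, not IronScales' or the SIEM vendor's parser; output keys are
flat dotted strings that mirror the UDM Fields table."""
import re

# Syslog prefix "Mon  D HH:MM:SS <host> CEF:..."; <host> becomes observer.hostname
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<cef>CEF:.*)$")
# CEF header fields are separated by unescaped pipes: 7 header fields, then the extension
PIPE_RE = re.compile(r"(?<!\\)\|")
# An extension key is a token directly followed by '=' at the start or after a space
KEY_RE = re.compile(r"(?:^| )([A-Za-z0-9_]+)=")

# One-to-one mappings from the UDM Fields table (labelled cn/cs/cfp keys handled below)
DIRECT = {
    "suser": "network.email.from",
    "duser": "network.email.to",
    "duid": "target.user.userid",
    "request": "target.url",
    "fname": "target.file.full_path",
    "fileHash": "target.file.md5",
    "reason": "security_result.summary",
    "cs1": "principal.user.user_display_name",
    "cs2": "target.user.user_display_name",
    "cs3": "network.email.mail_id",
    "cs4": "network.email.subject",
}
# Keys whose value is named by the sibling <key>Label and stored as a detection field
DETECTION_KEYS = ("cn1", "cn2", "cs5", "cfp1")

# Constructed copy of the page's Log Sample (U+25A1 written as an escape)
SAMPLE = (
    "Jan  9 21:09:29 observer.hostname CEF:0|IronScales|IronTraps|2.0|attack attachment|"
    "Phishing Email Attack Attachment|10|suser=johndoe@co.com duser=ajanedoe@co.com "
    "duid=profile5753899 reason=Automated Threat Detection Email Report cn1=32139894 "
    "cn1Label=Report Id cs1=Call Support LOG -PhoneDesk cs1Label=Sender Name cs2=empName "
    "cs2Label=Employee Name cs3=<1234> cs3Label=Message-ID "
    "cs4=[EXTERNAL]: \u25a1\u25a1Tdsclinical: CALLER DETAILS AVAILABLE | REF #  On 1 January "
    "cs4Label=Email Subject cs5=Verified Attack cs5Label=Report State fname=file.htm. "
    "fileHash=e00d00f00c00bcee00abcfbe0ba0aca0"
)


def unescape(value):
    # CEF escapes '=' and '\' inside extension values (pipes only matter in the header)
    return value.replace(r"\=", "=").replace("\\\\", "\\")


def parse_extension(ext):
    """Split 'k=v k2=v with spaces' into a dict; a value runs until the next ' key='."""
    matches = list(KEY_RE.finditer(ext))
    fields = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(ext)
        fields[m.group(1)] = unescape(ext[m.end():end])
    return fields


def parse_ironscales_cef(line):
    """Return the UDM fields for one syslog-wrapped IronScales CEF line."""
    m = SYSLOG_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not a syslog-wrapped CEF line")
    parts = PIPE_RE.split(m.group("cef"), 7)
    if len(parts) != 8 or parts[0] != "CEF:0":
        raise ValueError("malformed CEF header")
    _, vendor, product, version, event, desc, severity, ext = parts
    fields = parse_extension(ext)

    udm = {
        "metadata.event_type": "EMAIL_TRANSACTION",  # constant for every IronScales event
        "metadata.vendor_name": vendor,               # header carries "IronScales"
        "metadata.product_name": product,             # header carries "IronTraps"
        "metadata.product_version": version,
        "metadata.product_event_type": event,         # CEF Signature ID field
        "metadata.description": desc,                 # CEF Name field
        "observer.hostname": m.group("host"),
        "security_result.severity_details": severity, # kept as the string "10"
        "security_result.detection_fields": [],
    }
    for cef_key, udm_key in DIRECT.items():
        if cef_key in fields:
            udm[udm_key] = fields[cef_key]
    # cnN/csN/cfpN hold an opaque value; the sibling <key>Label names it
    for cef_key in DETECTION_KEYS:
        if cef_key in fields:
            udm["security_result.detection_fields"].append(
                {"key": fields.get(cef_key + "Label", cef_key), "value": fields[cef_key]})
    return udm


if __name__ == "__main__":
    for key, value in parse_ironscales_cef(SAMPLE).items():
        print(f"{key} = {value!r}")
```

Fields that are absent from the line (`request`, `cn2`, `cfp1`) are simply not emitted, which is why the Sample Parsing above lists only the `Report Id` and `Report State` detection fields. The value tokenizer relies on the CEF convention that a new key is a bare token followed by `=` after a space; it keeps the internal double space in the subject (`REF #  On`) and the trailing dot in `file.htm.` exactly as the page shows them.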