Menlo Security¶
About¶
Traditional security approaches are flawed, costly, and overwhelming for security teams. Menlo Security is different. It’s the simplest, most definitive way to secure work—making online threats irrelevant to your users and your business.
Product Details¶
Vendor URL: Menlo Security
Product Type: CASB
Product Tier: Tier II
Integration Method: Custom
Integration URL: Menlo Security - Cyderes Documentation
Log Guide: [N/A]
Parser Details¶
Log Format: JSON
Expected Normalization Rate: near 100%
Data Label: MENLO_SECURITY
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| event.browser_and_version | principal.application |
| event.categories | security_result.rule_name |
| event.domain | security_result.about.administrative_domain |
| event.dst | target.ip |
| event.egress_ip | principal.nat_ip |
| event.filename | target.file.full_path |
| event.from | principal.user.email_addresses |
| event.from | network.email.from |
| event.message_id | network.email.mail_id |
| event.name | metadata.product_event_type |
| event.pe_action | security_result.action |
| event.product | metadata.product_name |
| event.protocol | network.application_protocol |
| event.request_type | network.http.method |
| event.response_code | network.http.response_code |
| event.rewritten | metadata.description |
| event.risk_score | security_result.confidence_details |
| event.severity | security_result.severity_details |
| event.subject | network.email.subject |
| event.to | target.user.email_addresses |
| event.to | network.email.to |
| event.top_url | network.http.referral_url |
| event.url | security_result.about.url |
| event.user-agent | network.http.user_agent |
| event.userid | principal.user.userid |
| x_client_ip | principal.ip |
Product Event Types¶
| event.name, event.pe_action | metadata.event_type | security_result.category |
|---|---|---|
| any | NETWORK_CATEGORIZED_CONTENT | |
| application_request | NETWORK_CONNECTION | |
| url-rewrite | EMAIL_TRANSACTION |
Log Sample¶
{"event":{"egress_country":"US","protocol":"https","egress_ip":"10.10.135.36","dst":"10.10.197.180","version":"2.0","soph_dlp_ref":"NA","ua_type":"non_browser","casb_risk_score":"3","x-client-country":"US","request_type":"GET","userid":"Unknown","pe_action":"allow","filename":"NA","product":"MSIP","domain":"domainname","file_size":"NA","severity":"5","reqId":"UO1Iasdfwe","xff_ip":"NA","is_iframe":"NA","has_password":"NA","event_time":"2021-12-16T20:15:27.612000","pe_reason":"44c6ee37-c0a8-ac363sas","x-client-ip":"10.10.116.193","url":"domainname","response_code":"200","top_url":"NA","risk_tally":"-1","casb_app_name":"WebsiteAlive","vendor":"Menlo Security","categories":"Business and Economy","name":"application_request","origin_ip":"10.10.197.180","user-agent":"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) alive5/1.0.0 Chrome/59.0.3071.115 Electron/1.8.4 Safari/537.36","origin_country":"US","casb_cat_name":"Instant Messaging","referer":"domainname","region":"east","casb_org_name":"ACME CO","browser_and_version":"NA","risk_score":"low","connId":"4oasZsa","content-type":"application/json; charset=utf-8"}}
Sample Parsing¶
metadata.event_timestamp = "2021-12-16T20:25:25.558156Z"
metadata.event_type = "NETWORK_CONNECTION"
metadata.vendor_name = "Menlo Security"
metadata.product_name = "MSIP"
metadata.product_event_type = "application_request"
metadata.ingested_timestamp = "2021-12-16T20:25:25.558156Z"
principal.user.userid = "Unknown"
principal.ip = "10.10.116.193"
principal.application = "NA"
principal.nat_ip = "10.10.135.36"
principal.asset.ip = "10.10.116.193"
target.ip = "10.10.197.180"
target.file.full_path = "NA"
security_result.about.administrative_domain = "domainname"
security_result.about.url = "domainname"
security_result.category = "NETWORK_CATEGORIZED_CONTENT"
security_result.rule_name = "Business and Economy"
security_result.action = "ALLOW"
security_result.severity_details = "5"
security_result.confidence_details = "low"
network.application_protocol = "HTTPS"
network.http.method = "GET"
network.http.referral_url = "NA"
network.http.user_agent = "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) alive5/1.0.0 Chrome/59.0.3071.115 Electron/1.8.4 Safari/537.36"
network.http.response_code = 200
Parser Alerting¶
This product currently does not have any Parser-based Alerting
Rules¶
Coming Soon