Broadcom Messaging Gateway
About
The Symantec™ Messaging Gateway is an on-premises email security solution that provides inbound and outbound protection against the latest messaging threats, including ransomware, spear phishing, and business email compromise (BEC). It catches more than 99 percent of spam and provides built-in data protection capabilities to keep your email secure and confidential, and it responds effectively to new messaging threats with real-time antispam and antimalware intelligence.
Product Details
Vendor URL: Broadcom Messaging Gateway
Product Type: Email Gateway
Product Tier: Tier II
Integration Method: Custom
Integration URL: N/A
Log Guide: N/A
Parser Details
Log Format: JSON
Expected Normalization Rate: 90%
Data Label: SYMANTEC_MAIL
UDM Fields (all UDM fields populated by the parser):
Log File Field | UDM Field |
---|---|
Broadcom (constant value, not a log field) | metadata.vendor_name |
Broadcom Messaging Gateway (constant value, not a log field) | metadata.product_name |
dkim | security_result.detection_fields |
dkim_signing_domain | security_result.detection_fields |
dmarc | security_result.detection_fields |
dmarc_override_action | security_result.detection_fields |
dmarc_policy | security_result.detection_fields |
dmasDelivered | security_result.detection_fields |
dmasInfo | security_result.detection_fields |
EMAIL_TRANSACTION (constant value, not a log field) | metadata.event_type |
emailInfo.avQuarantinePenId | metadata.product_log_id |
emailInfo.envFrom | principal.user.email_addresses |
emailInfo.headerFrom | network.email.from |
emailInfo.headerReplyTo | network.email.reply_to |
emailInfo.HELOString | network.smtp.helo |
emailInfo.messageId | network.email.mail_id |
emailInfo.senderIp | principal.ip |
emailInfo.senderMailserver | principal.hostname |
emailInfo.subject | network.email.subject |
emailInfo.xMsgRef | network.session_id |
incidents.0.action | security_result.action_details |
incidents.0.addressContexts.0.domain | security_result.about.administrative_domain |
incidents.0.addressContexts.0.name | security_result.about.user.userid |
incidents.0.detectionMethod | security_result.rule_name |
incidents.0.reason | security_result.description |
incidents.0.securityService | security_result.about.application |
incidents.0.severity | security_result.severity_details |
incidents.0.severity | security_result.severity |
incidents.0.verdict | security_result.summary |
isSender | security_result.detection_fields |
longMsgRef | additional.fields |
messageSize | additional.fields |
raw_header | security_result.detection_fields |
receipt | network.email.to |
spf | security_result.detection_fields |
toemail | target.user.email_addresses |
Log Sample
{"emailInfo":{"HELOString":"mailserver","authResults":{"dkim":"DKIM_PASS","dkim_signing_domain":"signingserver","dmarc":"DMARC_PASS","dmarc_override_action":"","dmarc_policy":"DMARC_POLICY_REJECT","raw_header":"Authentication-Results: authserver; spf=pass (sendingserver: domain of signingserver designates 10.10.10.10 as permitted sender) smtp.mailfrom=signingserver; dkim=pass (good signature) header.i=@signingserver header.s=20221208; dmarc=pass (p=reject adkim=r aspf=r) header.from=signingserver\n","spf":"SPF_PASS"},"avQuarantinePenId":"penid","country":"","envFrom":"user@signingserver","envTo":["emailto"],"filesAndLinks":[{"fileNameOrURL":"message.htm","fileSize":5336,"fileType":"text/html","index":3,"linkSource":"BASIC_EMAIL_INFO","md5":"md5","nodeType":"FILE_INCLUDED","parentIndex":2,"sha256":"sha256"},{"fileNameOrURL":"url1","fileSize":0,"fileType":"","index":4,"linkSource":"BASIC_EMAIL_INFO","md5":null,"nodeType":"LINK_INCLUDED","parentIndex":3,"sha256":null},{"fileNameOrURL":"url2","fileSize":0,"fileType":"","index":5,"linkSource":"BASIC_EMAIL_INFO","md5":null,"nodeType":"LINK_INCLUDED","parentIndex":3,"sha256":null},{"fileNameOrURL":"url3","fileSize":0,"fileType":"","index":6,"linkSource":"BASIC_EMAIL_INFO","md5":null,"nodeType":"LINK_INCLUDED","parentIndex":3,"sha256":null},{"fileNameOrURL":"url4","fileSize":0,"fileType":"","index":7,"linkSource":"BASIC_EMAIL_INFO","md5":null,"nodeType":"LINK_INCLUDED","parentIndex":3,"sha256":null},{"fileNameOrURL":"url5","fileSize":0,"fileType":"","index":8,"linkSource":"BASIC_EMAIL_INFO","md5":null,"nodeType":"LINK_INCLUDED","parentIndex":3,"sha256":null},{"fileNameOrURL":"url6","fileSize":0,"fileType":"","index":9,"linkSource":"BASIC_EMAIL_INFO","md5":null,"nodeType":"LINK_INCLUDED","parentIndex":3,"sha256":null},{"fileNameOrURL":"url7","fileSize":0,"fileType":"","index":10,"linkSource":"BASIC_EMAIL_INFO","md5":null,"nodeType":"LINK_INCLUDED","parentIndex":3,"sha256":null},{"fileNameOrURL":"file1","fileSize":5459,"fileType":"Email/HeaderPart","index":2,"linkSource":"BASIC_EMAIL_INFO","md5":"md5","nodeType":"FILE_INCLUDED","parentIndex":1,"sha256":"sha256"},{"fileNameOrURL":"SMTP Envelope (0)","fileSize":3284,"fileType":"Email/Header","index":1,"linkSource":"BASIC_EMAIL_INFO","md5":"md5","nodeType":"FILE_INCLUDED","parentIndex":0,"sha256":"sha256"}],"headerFrom":"email@signingserver","headerReplyTo":"","headerTo":["emailto"],"isOutbound":false,"longMsgRef":"sendingserver","mailProcessingStartTime":1682524813,"messageId":"messageid","messageSize":8743,"senderIp":"10.10.10.10","senderMailserver":"mailserver","subject":"emailsubject {project_id=proj, function_name=funct, region=reg}","xMsgRef":"msgref"},"incidents":null}
Sample Parsing
about.file.md5 = "md5"
about.file.mime_type = "text/html"
about.file.names = "message.htm"
about.file.sha256 = "sha256"
about.file.size = "5336"
about.url = "url1"
about.url = "url2"
about.url = "url3"
about.url = "url4"
about.url = "url5"
about.url = "url6"
about.url = "url7"
about.file.md5 = "md5"
about.file.mime_type = "Email/HeaderPart"
about.file.names = "file1"
about.file.sha256 = "sha256"
about.file.size = "5459"
about.file.md5 = "md5"
about.file.mime_type = "Email/Header"
about.file.names = "SMTP Envelope (0)"
about.file.sha256 = "sha256"
about.file.size = "3284"
additional.fields["longMsgRef"] = "sendingserver"
additional.fields["messageSize"] = "8743"
metadata.event_timestamp.seconds = 1682524813
metadata.event_timestamp.nanos = 0
metadata.event_type = "EMAIL_TRANSACTION"
metadata.log_type = "SYMANTEC_MAIL"
metadata.product_log_id = "penid"
metadata.product_name = "Broadcom Messaging Gateway"
metadata.vendor_name = "Broadcom"
network.direction = "INBOUND"
network.email.from = "email@signingserver"
network.email.mail_id = "messageid"
network.email.subject = "emailsubject {project_id=proj, function_name=funct, region=reg}"
network.email.to = "emailto"
network.session_id = "msgref"
network.smtp.helo = "mailserver"
principal.hostname = "mailserver"
principal.ip = "10.10.10.10"
principal.user.email_addresses = "user@signingserver"
security_result.detection_fields.key = "dkim"
security_result.detection_fields.value = "DKIM_PASS"
security_result.detection_fields.key = "dkim_signing_domain"
security_result.detection_fields.value = "signingserver"
security_result.detection_fields.key = "dmarc"
security_result.detection_fields.value = "DMARC_PASS"
security_result.detection_fields.key = "dmarc_override_action"
security_result.detection_fields.key = "dmarc_policy"
security_result.detection_fields.value = "DMARC_POLICY_REJECT"
security_result.detection_fields.key = "raw_header"
security_result.detection_fields.value = "Authentication-Results: authserver; spf=pass (sendingserver: domain of signingserver designates 10.10.10.10 as permitted sender) smtp.mailfrom=signingserver; dkim=pass (good signature) header.i=@signingserver header.s=20221208; dmarc=pass (p=reject adkim=r aspf=r) header.from=signingserver"
security_result.detection_fields.key = "spf"
security_result.detection_fields.value = "SPF_PASS"
target.user.email_addresses = "emailto"
Rules
Coming Soon