Broadcom Messaging Gateway

About

The Symantec™ Messaging Gateway is an on-premise email security solution that provides inbound and outbound protection against the latest messaging threats, including ransomware, spear phishing, and business email compromise (BEC). It catches more than 99 percent of spam and provides built-in data protection capabilities to keep your email secure and confidential, and it effectively responds to new messaging threats with real-time antispam and antimalware intelligence.

Product Details

Vendor URL: Broadcom Messaging Gateway

Product Type: Email Gateway

Product Tier: Tier II

Integration Method: Custom

Integration URL: N/A

Log Guide: N/A

Parser Details

Log Format: JSON

Expected Normalization Rate: 90%

Data Label: SYMANTEC_MAIL

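UDM Fields (list of all UDM fields leveraged in the Parser). Note: the Sample Parsing section below also shows about.file.*, about.url, metadata.event_timestamp, metadata.log_type and network.direction, which are not listed in this table: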

Log File Field UDM Field
Broadcom metadata.vendor_name
Broadcom Messaging Gateway metadata.product_name
dkim security_result.detection_fields
dkim_signing_domain security_result.detection_fields
dmarc security_result.detection_fields
dmarc_override_action security_result.detection_fields
dmarc_policy security_result.detection_fields
dmasDelivered security_result.detection_fields
dmasInfo security_result.detection_fields
EMAIL_TRANSACTION metadata.event_type
emailInfo.avQuarantinePenId metadata.product_log_id
emailInfo.envFrom principal.user.email_addresses
emailInfo.headerFrom network.email.from
emailInfo.headerReplyTo network.email.reply_to
emailInfo.HELOString network.smtp.helo
emailInfo.messageId network.email.mail_id
emailInfo.senderIp principal.ip
emailInfo.senderMailserver principal.hostname
emailInfo.subject network.email.subject
emailInfo.xMsgRef network.session_id
incidents.0.action security_result.action_details
incidents.0.addressContexts.0.domain security_result.about.administrative_domain
incidents.0.addressContexts.0.name security_result.about.user.userid
incidents.0.detectionMethod security_result.rule_name
incidents.0.reason security_result.description
incidents.0.securityService security_result.about.application
incidents.0.severity security_result.severity_details
incidents.0.severity security_result.severity
incidents.0.verdict security_result.summary
isSender security_result.detection_fields
longMsgRef additional.fields
messageSize additional.fields
raw_header security_result.detection_fields
receipt network.email.to
spf security_result.detection_fields
toemail target.user.email_addresses

Log Sample

{"emailInfo":{"HELOString":"mailserver","authResults":{"dkim":"DKIM_PASS","dkim_signing_domain":"signingserver","dmarc":"DMARC_PASS","dmarc_override_action":"","dmarc_policy":"DMARC_POLICY_REJECT","raw_header":"Authentication-Results: authserver; spf=pass (sendingserver: domain of signingserver designates 10.10.10.10 as permitted sender) smtp.mailfrom=signingserver; dkim=pass (good signature) header.i=@signingserver header.s=20221208; dmarc=pass (p=reject adkim=r aspf=r) header.from=signingserver\n","spf":"SPF_PASS"},"avQuarantinePenId":"penid","country":"","envFrom":"user@signingserver","envTo":["emailto"],"filesAndLinks":[{"fileNameOrURL":"message.htm","fileSize":5336,"fileType":"text/html","index":3,"linkSource":"BASIC_EMAIL_INFO","md5":"md5","nodeType":"FILE_INCLUDED","parentIndex":2,"sha256":"sha256"},{"fileNameOrURL":"url1","fileSize":0,"fileType":"","index":4,"linkSource":"BASIC_EMAIL_INFO","md5":null,"nodeType":"LINK_INCLUDED","parentIndex":3,"sha256":null},{"fileNameOrURL":"url2","fileSize":0,"fileType":"","index":5,"linkSource":"BASIC_EMAIL_INFO","md5":null,"nodeType":"LINK_INCLUDED","parentIndex":3,"sha256":null},{"fileNameOrURL":"url3","fileSize":0,"fileType":"","index":6,"linkSource":"BASIC_EMAIL_INFO","md5":null,"nodeType":"LINK_INCLUDED","parentIndex":3,"sha256":null},{"fileNameOrURL":"url4","fileSize":0,"fileType":"","index":7,"linkSource":"BASIC_EMAIL_INFO","md5":null,"nodeType":"LINK_INCLUDED","parentIndex":3,"sha256":null},{"fileNameOrURL":"url5","fileSize":0,"fileType":"","index":8,"linkSource":"BASIC_EMAIL_INFO","md5":null,"nodeType":"LINK_INCLUDED","parentIndex":3,"sha256":null},{"fileNameOrURL":"url6","fileSize":0,"fileType":"","index":9,"linkSource":"BASIC_EMAIL_INFO","md5":null,"nodeType":"LINK_INCLUDED","parentIndex":3,"sha256":null},{"fileNameOrURL":"url7","fileSize":0,"fileType":"","index":10,"linkSource":"BASIC_EMAIL_INFO","md5":null,"nodeType":"LINK_INCLUDED","parentIndex":3,"sha256":null},{"fileNameOrURL":"file1","fileSize":5459,"fileType":"Email/HeaderPart","index":2,"linkSource":"BASIC_EMAIL_INFO","md5":"md5","nodeType":"FILE_INCLUDED","parentIndex":1,"sha256":"sha256"},{"fileNameOrURL":"SMTP Envelope (0)","fileSize":3284,"fileType":"Email/Header","index":1,"linkSource":"BASIC_EMAIL_INFO","md5":"md5","nodeType":"FILE_INCLUDED","parentIndex":0,"sha256":"sha256"}],"headerFrom":"email@signingserver","headerReplyTo":"","headerTo":["emailto"],"isOutbound":false,"longMsgRef":"sendingserver","mailProcessingStartTime":1682524813,"messageId":"messageid","messageSize":8743,"senderIp":"10.10.10.10","senderMailserver":"mailserver","subject":"emailsubject {project_id=proj, function_name=funct, region=reg}","xMsgRef":"msgref"},"incidents":null}

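Sample Parsing

UDM output for the log sample above. In that sample `dmarc_override_action` is an empty string, so its detection_fields key appears below without a value line; `incidents` is null, so no incidents.* mappings appear.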

about.file.md5 = "md5"
about.file.mime_type = "text/html"
about.file.names = "message.htm"
about.file.sha256 = "sha256"
about.file.size = "5336"
about.url = "url1"
about.url = "url2"
about.url = "url3"
about.url = "url4"
about.url = "url5"
about.url = "url6"
about.url = "url7"
about.file.md5 = "md5"
about.file.mime_type = "Email/HeaderPart"
about.file.names = "file1"
about.file.sha256 = "sha256"
about.file.size = "5459"
about.file.md5 = "md5"
about.file.mime_type = "Email/Header"
about.file.names = "SMTP Envelope (0)"
about.file.sha256 = "sha256"
about.file.size = "3284"
additional.fields["longMsgRef"] = "sendingserver"
additional.fields["messageSize"] = "8743"
metadata.event_timestamp.seconds = 1682524813
metadata.event_timestamp.nanos = 0
metadata.event_type = "EMAIL_TRANSACTION"
metadata.log_type = "SYMANTEC_MAIL"
metadata.product_log_id = "penid"
metadata.product_name = "Broadcom Messaging Gateway"
metadata.vendor_name = "Broadcom"
network.direction = "INBOUND"
network.email.from = "email@signingserver"
network.email.mail_id = "messageid"
network.email.subject = "emailsubject {project_id=proj, function_name=funct, region=reg}"
network.email.to = "emailto"
network.session_id = "msgref"
network.smtp.helo = "mailserver"
principal.hostname = "mailserver"
principal.ip = "10.10.10.10"
principal.user.email_addresses = "user@signingserver"
security_result.detection_fields.key = "dkim"
security_result.detection_fields.value = "DKIM_PASS"
security_result.detection_fields.key = "dkim_signing_domain"
security_result.detection_fields.value = "signingserver"
security_result.detection_fields.key = "dmarc"
security_result.detection_fields.value = "DMARC_PASS"
security_result.detection_fields.key = "dmarc_override_action"
security_result.detection_fields.key = "dmarc_policy"
security_result.detection_fields.value = "DMARC_POLICY_REJECT"
security_result.detection_fields.key = "raw_header"
security_result.detection_fields.value = "Authentication-Results: authserver; spf=pass (sendingserver: domain of signingserver designates 10.10.10.10 as permitted sender) smtp.mailfrom=signingserver; dkim=pass (good signature) header.i=@signingserver header.s=20221208; dmarc=pass (p=reject adkim=r aspf=r) header.from=signingserver"
security_result.detection_fields.key = "spf"
security_result.detection_fields.value = "SPF_PASS"
target.user.email_addresses = "emailto"

Rules

Coming Soon