Tessian Platform¶
About¶
A behavioral based approach to preventing advanced threats and protecting against data loss on email.
Product Details¶
Vendor URL: Tessian Platform
Product Type: Email Gateway
Product Tier: Tier II
Integration Method: Custom
Integration URL: Tessian Platform Integrations
Log Guide: N/A
Parser Details¶
Log Format: JSON
Expected Normalization Rate: 90%
Data Label: TESSIAN_PLATFORM
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| anomalousrecipients | security_result.about.user.email_addresses |
| architect_details.final_outcome | security_result.summary |
| attachments | security_result.about.file.full_path |
| defender_details.burst_attack_id | security_result.threat_id |
| defender_details.confidence | security_result.confidence_details |
| defender_details.impersonated_domain | security_result.about.administrative_domain |
| defender_details.impersonation_type | security_result.category_details |
| Email Gateway | metadata.product_name |
| emailtoall | network.email.to |
| emailtoall | target.user.email_addresses |
| guardian_details.final_outcome | security_result.summary |
| guardian_details.type | security_result.category_details |
| id | metadata.product_log_id |
| inbound_email_details.attachments.bytes | security_result.about.file.size |
| inbound_email_details.from | network.email.subject |
| inbound_email_details.from | principal.user.email_addresses |
| inbound_email_details.message_id | network.email.from |
| inbound_email_details.subject | network.email.from |
| inbound_email_details.tessian_action | security_result.action_details |
| intenttypes | security_result.category_details |
| logictypes | security_result.category_details |
| outbound_email_details.attachments.bytes | security_result.about.file.size |
| outbound_email_details.from | network.email.mail_id |
| outbound_email_details.message_id | principal.user.email_addresses |
| outbound_email_details.subject | network.email.subject |
| outbound_email_details.tessian_action | security_result.action_details |
| portal_link | metadata.url_back_to_product |
| replyto | network.email.reply_to |
| ruleid | security_result.rule_id |
| rulename | security_result.rule_name |
| security_action | security_result.action |
| Tessian | metadata.vendor_name |
| threatsignaltypes | security_result.category_details |
| threattypes | security_result.category_details |
| type | metadata.product_event_type |
| urls | security_result.about.url |
Product Event Types¶
| All | UDM Event Classification |
|---|---|
| all events | EMAIL_TRANSACTION |
Log Sample¶
{"created_at":"2022-12-07T10:36:31.995944Z","defender_details":{"burst_attack_id":"burst-171517","confidence":"HIGH","dkim_result":"PASSED","dmarc_result":"PASSED","impersonated_address":"useremail","impersonated_domain":null,"impersonation_type":"INTERNAL","intent_types":[],"number_protected_users":1,"sender_location":null,"spf_result":"PASSED","threat_signal_types":["FIRST_TIME_RECEIVED_FROM_SENDER","INTERNAL_DISPLAY_NAME_SPOOF"],"threat_types":["LOOKALIKE_IMPERSONATION"],"users_responded":{"deleted":0,"malicious":0,"safe":0,"unsure":0}},"id":"defender::inbound-s02l1ss","inbound_email_details":{"attachments":{"bytes":0,"count":0,"names":[]},"from":"useremail","message_id":"\messageid\u003e","received_time":"2022-12-07T10:08:19Z","recipients":{"all":["useremail1"],"bcc":[],"cc":[],"count":1,"to":["useremail1"]},"reply_to":[],"subject":"emailsubject","tessian_id":"\messageid\u003e","transmitter":"useremail","urls":["website"]},"portal_link":"portallink","type":"defender","updated_at":"2022-12-07T10:36:32.059285Z"}
Sample Parsing¶
metadata.product_log_id = "defender::inbound-s02l1ss"
metadata.event_type = "EMAIL_TRANSACTION"
metadata.vendor_name = "Tessian"
metadata.product_name = "Email Gateway"
metadata.product_event_type = "defender"
metadata.url_back_to_product = "h"
principal.user.email_addresses = "useremail"
target.user.email_addresses = "useremail1"
security_result.about.url = "website"
security_result.about.administrative_domain = "defender_details.impersonated_domain"
security_result.category_details = "INTERNAL"
security_result.category_details = "FIRST_TIME_RECEIVED_FROM_SENDER"
security_result.category_details = "INTERNAL_DISPLAY_NAME_SPOOF"
security_result.category_details = "LOOKALIKE_IMPERSONATION"
security_result.confidence_details = "HIGH"
security_result.threat_id = "burst-171517"
network.email.from = "useremail"
network.email.to = "useremail1"
network.email.mail_id = "<messageid>"
network.email.subject = "emailsubject"
Parser Alerting¶
This product currently does not have any Parser-based Alerting.
Rules¶
Coming Soon