From 4df3a48bf8e24c156dc04f38437cab23577c47e8 Mon Sep 17 00:00:00 2001 From: Dan Kortschak Date: Mon, 3 Mar 2025 15:02:03 +1030 Subject: [PATCH] mimecast: set event.kind:alert for appropriate events (#12835) --- packages/mimecast/changelog.yml | 5 + .../pipeline/test-cloud-integrated-logs.log | 1 + ...st-cloud-integrated-logs.log-expected.json | 92 ++++++++++++++++++- .../elasticsearch/ingest_pipeline/default.yml | 4 + .../_dev/test/pipeline/test-common-config.yml | 3 + .../_dev/test/pipeline/test-dlp-logs.log | 1 + .../pipeline/test-dlp-logs.log-expected.json | 38 +++++++- .../dlp_logs/agent/stream/cel.yml.hbs | 7 ++ .../dlp_logs/agent/stream/httpjson.yml.hbs | 7 ++ .../elasticsearch/ingest_pipeline/default.yml | 5 + .../data_stream/dlp_logs/manifest.yml | 17 ++++ .../test-release-logs.json-expected.json | 16 ++-- .../elasticsearch/ingest_pipeline/default.yml | 4 + .../test-siem-docs-logs.log-expected.json | 8 +- .../test-siem-v1-logs.log-expected.json | 5 +- .../test-siem-v2-logs.log-expected.json | 13 ++- .../ingest_pipeline/v1_pipeline.yml | 24 +++++ .../ingest_pipeline/v2_pipeline.yml | 24 +++++ .../test-ttp-ap-logs.log-expected.json | 7 +- .../elasticsearch/ingest_pipeline/default.yml | 4 + .../test-ttp-ip-logs.log-expected.json | 5 +- .../elasticsearch/ingest_pipeline/default.yml | 4 + .../test-ttp-url-logs.log-expected.json | 7 +- .../elasticsearch/ingest_pipeline/default.yml | 4 + packages/mimecast/manifest.yml | 2 +- 25 files changed, 290 insertions(+), 17 deletions(-) diff --git a/packages/mimecast/changelog.yml b/packages/mimecast/changelog.yml index 8c46c7e0c1f..6c43fcec622 100644 --- a/packages/mimecast/changelog.yml +++ b/packages/mimecast/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.6.0" + changes: + - description: Set `event.kind:"alert"` for relevant events. + type: enhancement + link: https://github.com/elastic/integrations/pull/12835 - version: "2.5.2" changes: - description: Add missing ECS field mappings. 
diff --git a/packages/mimecast/data_stream/cloud_integrated_logs/_dev/test/pipeline/test-cloud-integrated-logs.log b/packages/mimecast/data_stream/cloud_integrated_logs/_dev/test/pipeline/test-cloud-integrated-logs.log
index 6748648eafe..6f8b5a932ee 100644
--- a/packages/mimecast/data_stream/cloud_integrated_logs/_dev/test/pipeline/test-cloud-integrated-logs.log
+++ b/packages/mimecast/data_stream/cloud_integrated_logs/_dev/test/pipeline/test-cloud-integrated-logs.log
@@ -18,3 +18,4 @@
 {"_offset":1815702,"_partition":53,"accountId":"AUS2474","aggregateId":"4Xxg1c71KpzFB8T-j9zj9y3f91byjes4ysqetgk19g_1732525893","authResults":[{"aligned":true,"result":"pass","type":"SPF"},{"aligned":false,"result":"none","type":"DKIM"},{"aligned":null,"result":"pass","type":"DMARC"}],"messageId":"<642fa314-514d-2b9b-d4c1-c713421fb4f3@demovation-ci.b41.one>","processingId":"821aff47dea6b57c6cb6bd262738eeabd28e2659f2ac0cb3ee490828d3a143f4_1732525893","subtype":null,"timestamp":1732525893398,"type":"mailflow"}
 {"_offset":1820908,"_partition":53,"accountId":"AUS2474","aggregateId":"4XyPl23Kn4z84ly-hnj5fgu9nbwnghx86mj18qp44b_1732630590","authResults":[{"aligned":true,"result":"pass","type":"SPF"},{"aligned":false,"result":"none","type":"DKIM"},{"aligned":null,"result":"pass","type":"DMARC"}],"messageId":"<2e165bc9-cae9-8e0d-3baa-03532f32fbb3@demovation-ci.b41.one>","processingId":"3125eb6ff78c055eb7449a47286a453dcb66e176d2c751a6236bba4232c6fe31_1732630590","subtype":null,"timestamp":1732630590705,"type":"mailflow"}
 {"_offset":1803841,"_partition":53,"accountId":"AUS2474","aggregateId":"4XvR1B4m7BzFB8L-qk59b4szrgayciaagczc977rzb_1732212206","authResults":[{"aligned":true,"result":"pass","type":"SPF"},{"aligned":false,"result":"none","type":"DKIM"},{"aligned":null,"result":"pass","type":"DMARC"}],"messageId":"<2ae37333-38e7-89ff-dc36-c8d48c6e3df3@demovation-ci.b41.one>","processingId":"c40337e6860db0301575d8d09362bff214c0b010d6c4d41da9d770759ff54d10_1732212206","subtype":null,"timestamp":1732212206960,"type":"mailflow"}
+{"attachments":["tpsreport.xlsx"],"subject":"RE: Your archive mailbox is almost 
full.","senderEnvelope":"auser@mimecast.com","messageId":"messageId","threatState":"DELIVERED","senderHeader":"auser@mimecast.com","source":"OFFICE_365_MAIL","type":"entities","tags":["UNTRUSTWORTHY","SPAM"],"accountId":"C0A0","aggregateId":"aggregateId","processingId":"processingId","threatType":"POLICIES_DISABLED","recipients":["auser@testdomain.com"],"policiesApplied":[{"action":null,"mode":null,"name":"Default O365 Mail policy"},{"action":null,"mode":null,"name":"Default O365 Mail policy"}],"historicalMail":false,"subtype":"POLICIES_DISABLED","senderIp":"81.2.69.144","timestamp":1689685037899,"direction":"Inbound"}
diff --git a/packages/mimecast/data_stream/cloud_integrated_logs/_dev/test/pipeline/test-cloud-integrated-logs.log-expected.json b/packages/mimecast/data_stream/cloud_integrated_logs/_dev/test/pipeline/test-cloud-integrated-logs.log-expected.json
index 8eb7938009e..8cc0fc92ca6 100644
--- a/packages/mimecast/data_stream/cloud_integrated_logs/_dev/test/pipeline/test-cloud-integrated-logs.log-expected.json
+++ b/packages/mimecast/data_stream/cloud_integrated_logs/_dev/test/pipeline/test-cloud-integrated-logs.log-expected.json
@@ -348,6 +348,7 @@ "email" ], "created": "2024-11-18T15:24:35.250Z", + "kind": "alert", "original": "{\"_offset\":1790506,\"_partition\":53,\"accountId\":\"AUS2474\",\"aggregateId\":\"4XsWdG63WDzFy33-kckoq8rx19ibc7iccjsjx6hsxd_1731943475\",\"attachments\":[\"Sandbox Test.xlsx\"],\"direction\":\"INBOUND\",\"historicalMail\":false,\"messageId\":\"<0bb5c112-9013-584b-eb87-e5376f49c9ac@demovation-ci.b41.one>\",\"policiesApplied\":[{\"action\":\"BLOCK\",\"mode\":\"ACTIVE\",\"name\":\"Default O365 Mail policy\"}],\"processingId\":\"66e03b099e150698fc62f354796f2baa94c2f625a34ac92a0c7e8eb4a2afb11c_1731943475\",\"recipients\":[\"steve.january@demovation-ci.b41.one\"],\"senderEnvelope\":\"announcements@demovation-ci.b41.one\",\"senderHeader\":\"\",\"senderIp\":\"81.2.69.144\",\"source\":\"OFFICE_365_MAIL\",\"subject\":\"Message from Node-RED\",\"subtype\":\"MALWARE\",\"tags\":[\"MALWARE\"],\"threatState\":\"BLOCKED\",\"threatType\":\"MALWARE\",\"timestamp\":1731943475250,\"type\":\"entities\"}" }, "mimecast": { 
@@ -1204,6 +1205,95 @@ "tags": [ "preserve_original_event" ] + }, + { + "@timestamp": "2023-07-18T12:57:17.899Z", + "ecs": { + "version": "8.11.0" + }, + "email": { + "attachments": [ + { + "file": { + "name": [ + "tpsreport.xlsx" + ] + } + } + ], + "direction": "inbound", + "from": { + "address": [ + "auser@mimecast.com" + ] + }, + "message_id": "messageId", + "subject": "RE: Your archive mailbox is almost full.", + "to": { + "address": [ + "auser@testdomain.com" + ] + } + }, + "event": { + "category": [ + "email" + ], + "created": "2023-07-18T12:57:17.899Z", + "kind": "alert", + "original": "{\"attachments\":[\"tpsreport.xlsx\"],\"subject\":\"RE: Your archive mailbox is almost full.\",\"senderEnvelope\":\"auser@mimecast.com\",\"messageId\":\"messageId\",\"threatState\":\"DELIVERED\",\"senderHeader\":\"auser@mimecast.com\",\"source\":\"OFFICE_365_MAIL\",\"type\":\"entities\",\"tags\":[\"UNTRUSTWORTHY\",\"SPAM\"],\"accountId\":\"C0A0\",\"aggregateId\":\"aggregateId\",\"processingId\":\"processingId\",\"threatType\":\"POLICIES_DISABLED\",\"recipients\":[\"auser@testdomain.com\"],\"policiesApplied\":[{\"action\":null,\"mode\":null,\"name\":\"Default O365 Mail policy\"},{\"action\":null,\"mode\":null,\"name\":\"Default O365 Mail policy\"}],\"historicalMail\":false,\"subtype\":\"POLICIES_DISABLED\",\"senderIp\":\"81.2.69.144\",\"timestamp\":1689685037899,\"direction\":\"Inbound\"}" + }, + "mimecast": { + "accountId": "C0A0", + "aggregateId": "aggregateId", + "historicalMail": false, + "log_type": "entities", + "policiesApplied": [ + { + "name": "Default O365 Mail policy" + }, + { + "name": "Default O365 Mail policy" + } + ], + "processingId": "processingId", + "senderHeader": "auser@mimecast.com", + "source": "OFFICE_365_MAIL", + "subtype": "POLICIES_DISABLED", + "tags": [ + "UNTRUSTWORTHY", + "SPAM" + ], + "threatState": "DELIVERED", + "threatType": "POLICIES_DISABLED" + }, + "related": { + "ip": [ + "81.2.69.144" + ], + "user": [ + "auser@mimecast.com", + 
"auser@testdomain.com" + ] + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "tags": [ + "preserve_original_event" + ] } ] -} \ No newline at end of file +} diff --git a/packages/mimecast/data_stream/cloud_integrated_logs/elasticsearch/ingest_pipeline/default.yml b/packages/mimecast/data_stream/cloud_integrated_logs/elasticsearch/ingest_pipeline/default.yml index 5064b4ac127..5427cd8b66d 100644 --- a/packages/mimecast/data_stream/cloud_integrated_logs/elasticsearch/ingest_pipeline/default.yml +++ b/packages/mimecast/data_stream/cloud_integrated_logs/elasticsearch/ingest_pipeline/default.yml @@ -34,6 +34,10 @@ processors: field: event.created copy_from: '@timestamp' if: ctx['@timestamp'] != null + - set: + field: event.kind + value: alert + if: ctx.mimecast?.tags instanceof List && ctx.mimecast.tags.length != 0 ### NOTE LOG TYPE - rename: diff --git a/packages/mimecast/data_stream/dlp_logs/_dev/test/pipeline/test-common-config.yml b/packages/mimecast/data_stream/dlp_logs/_dev/test/pipeline/test-common-config.yml index 4da22641654..88df615b191 100644 --- a/packages/mimecast/data_stream/dlp_logs/_dev/test/pipeline/test-common-config.yml +++ b/packages/mimecast/data_stream/dlp_logs/_dev/test/pipeline/test-common-config.yml @@ -1,3 +1,6 @@ fields: + _conf: + alerting: + - block tags: - preserve_original_event diff --git a/packages/mimecast/data_stream/dlp_logs/_dev/test/pipeline/test-dlp-logs.log b/packages/mimecast/data_stream/dlp_logs/_dev/test/pipeline/test-dlp-logs.log index 26e079b7fde..d4bac68acba 100644 --- a/packages/mimecast/data_stream/dlp_logs/_dev/test/pipeline/test-dlp-logs.log +++ b/packages/mimecast/data_stream/dlp_logs/_dev/test/pipeline/test-dlp-logs.log 
@@ -13,4 +13,5 @@
 {"senderAddress":"zimin.lu@demo-int.elastic.mime-api.com","recipientAddress":"vkaminski@demo-visionary.b41.one","subject":"Re","eventTime":"2024-11-17T20:57:30+0000","route":"outbound","policy":"Confidential","action":"hold","messageId":"<5f9f4f4f0e0afb06-147953@hapi.b41.one>"}
 {"senderAddress":"thomas.bentz@empirepartners.b41.one","recipientAddress":"thomas.bentz@demo-int.elastic.mime-api.com","subject":"FIRE DRILL","eventTime":"2024-11-17T20:16:02+0000","route":"inbound","policy":"Confidential","action":"hold","messageId":"<2a5df47e8f85f62a-216237@hapi.b41.one>"}
 {"senderAddress":"webmaster@empirepartners.b41.one","recipientAddress":"vkamins@demo-int.elastic.mime-api.com","subject":"New CERA.com Coming Soon! - CERA Alert","eventTime":"2024-11-17T19:47:39+0000","route":"inbound","policy":"Confidential","action":"hold","messageId":""}
+{"senderAddress":"webmaster@empirepartners.b41.one","recipientAddress":"vkamins@demo-int.elastic.mime-api.com","subject":"New CERA.com Coming Soon! - CERA Alert","eventTime":"2024-11-17T19:47:39+0000","route":"inbound","policy":"Confidential","action":"block","messageId":""}
 {"meta":{"status":200,"pagination":{"pageSize":10,"totalCount":519,"next":"nextToken"}},"data":[],"fail":[]}
diff --git a/packages/mimecast/data_stream/dlp_logs/_dev/test/pipeline/test-dlp-logs.log-expected.json b/packages/mimecast/data_stream/dlp_logs/_dev/test/pipeline/test-dlp-logs.log-expected.json
index 6dbb98c137f..3b9fc5480a5 100644
--- a/packages/mimecast/data_stream/dlp_logs/_dev/test/pipeline/test-dlp-logs.log-expected.json
+++ b/packages/mimecast/data_stream/dlp_logs/_dev/test/pipeline/test-dlp-logs.log-expected.json
@@ -525,6 +525,42 @@ "preserve_original_event" ] }, + { + "@timestamp": "2024-11-17T19:47:39.000Z", + "ecs": { + "version": "8.11.0" + }, + "email": { + "direction": "inbound", + "from": { + "address": [ + "webmaster@empirepartners.b41.one" + ] + }, + "message_id": "", + "subject": "New CERA.com Coming Soon! - CERA Alert", + "to": { + "address": [ + "vkamins@demo-int.elastic.mime-api.com" + ] + } + }, + "event": { + "action": "block", + "category": [ + "email" + ], + "created": "2024-11-17T19:47:39+0000", + "kind": "alert", + "original": "{\"senderAddress\":\"webmaster@empirepartners.b41.one\",\"recipientAddress\":\"vkamins@demo-int.elastic.mime-api.com\",\"subject\":\"New CERA.com Coming Soon! - CERA Alert\",\"eventTime\":\"2024-11-17T19:47:39+0000\",\"route\":\"inbound\",\"policy\":\"Confidential\",\"action\":\"block\",\"messageId\":\"\"}" + }, + "rule": { + "name": "Confidential" + }, + "tags": [ + "preserve_original_event" + ] + }, null ] -} \ No newline at end of file +} diff --git a/packages/mimecast/data_stream/dlp_logs/agent/stream/cel.yml.hbs b/packages/mimecast/data_stream/dlp_logs/agent/stream/cel.yml.hbs index 96d4f70f83c..92a255b7bd7 100644 --- a/packages/mimecast/data_stream/dlp_logs/agent/stream/cel.yml.hbs +++ b/packages/mimecast/data_stream/dlp_logs/agent/stream/cel.yml.hbs @@ -155,6 +155,13 @@ program: | ) ) ) +{{#if alerting}} +_conf: + alerting: +{{#each alerting as |a|}} + - {{a}} +{{/each}} +{{/if}} tags: {{#if preserve_original_event}} - preserve_original_event diff --git a/packages/mimecast/data_stream/dlp_logs/agent/stream/httpjson.yml.hbs b/packages/mimecast/data_stream/dlp_logs/agent/stream/httpjson.yml.hbs index ed591c503aa..ca64acf25b4 100644 --- a/packages/mimecast/data_stream/dlp_logs/agent/stream/httpjson.yml.hbs +++ b/packages/mimecast/data_stream/dlp_logs/agent/stream/httpjson.yml.hbs 
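Review bot: The `- {{a}}` entries in the new `_conf.alerting` block of cel.yml.hbs render the operator-supplied action names into the agent YAML unquoted, so an entry that YAML types implicitly (for example `on`, `yes` or `no`) would most likely reach the pipeline as a boolean and never match the string in `mimecast.action`. The documented values are plain lowercase words, so this only bites on a typo, but quoting the scalar, `- "{{a}}"`, keeps the list a list of strings whatever is typed. The identical block added to httpjson.yml.hbs in the next hunk would need the same change. Everything before `{{#if alerting}}` here is the tail of the CEL `program` block, which starts outside the hunk.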
@@ -42,6 +42,13 @@ response.pagination: cursor: next_date: value: '[[.first_event.eventTime]]' +{{#if alerting}} +_conf: + alerting: +{{#each alerting as |a|}} + - {{a}} +{{/each}} +{{/if}} tags: {{#if preserve_original_event}} - preserve_original_event diff --git a/packages/mimecast/data_stream/dlp_logs/elasticsearch/ingest_pipeline/default.yml b/packages/mimecast/data_stream/dlp_logs/elasticsearch/ingest_pipeline/default.yml index df6903f7bd8..2f1c7f0e15a 100644 --- a/packages/mimecast/data_stream/dlp_logs/elasticsearch/ingest_pipeline/default.yml +++ b/packages/mimecast/data_stream/dlp_logs/elasticsearch/ingest_pipeline/default.yml @@ -26,6 +26,10 @@ processors: - set: field: event.category value: [email] + - set: + field: event.kind + value: alert + if: ctx._conf?.alerting instanceof List && ctx._conf.alerting.contains(ctx.mimecast?.action) - date: description: Use 'mimecast.eventTime' as the '@timestamp' @@ -90,6 +94,7 @@ processors: description: Cleanup of repeated/unwanted/temporary fields. field: - mimecast + - _conf ignore_missing: true # Error handling diff --git a/packages/mimecast/data_stream/dlp_logs/manifest.yml b/packages/mimecast/data_stream/dlp_logs/manifest.yml index 7aa4393ea8f..f7b930e23c9 100644 --- a/packages/mimecast/data_stream/dlp_logs/manifest.yml +++ b/packages/mimecast/data_stream/dlp_logs/manifest.yml @@ -14,6 +14,14 @@ streams: required: true show_user: false default: 5m + - name: alerting + type: text + title: Alert Actions + multi: true + required: true + show_user: true + default: + - block - name: tags type: text title: Tags 
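Review bot: `_conf` is attached to every event by the agent stream and is only dropped by the cleanup `remove` near the end of the dlp_logs pipeline, so if a processor between the new `set` and that cleanup fails and the error-handling section that follows takes over, `_conf.alerting` is indexed along with the document. Removing it as soon as it has been consumed, `- remove: field: _conf ignore_missing: true` directly after the new processor, keeps the configuration out of the stored event on the failure path as well. The match is also case-sensitive: `contains(ctx.mimecast?.action)` matches `block` but not `Block`, which is fine if Mimecast always reports actions in the lowercase form the fixtures show, but is worth stating in the option's description so operators do not configure mixed case.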
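Review bot: The `alerting` option added in the first manifest hunk has a `title` but no `description`, while the copy of the same option in the second hunk of this file lists the accepted action values; since `show_user: true` surfaces the field in the policy editor, operators of this stream get no hint of what to enter. Add the same `description:` line here (with the spelling corrected to `bounce`) so both streams present the setting identically. Which input each `streams` entry belongs to is not visible in the hunk.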
@@ -78,6 +86,15 @@ streams: multi: false required: true show_user: false + - name: alerting + type: text + title: Alert Actions + description: The set of DLP actions that should be classified as an alert. Possible values are delete, hold, bouce, smart_folder, disable_smart_folder, content_expire, meta_expire, stationery, disable_stationery, gcc, secure_delivery, delivery_route, document_policy, disable_document_policy, secure_messaging, disable_secure_messaging_policy, attach_set_policy, remove_email, tag, link, block, none, and notification. + multi: true + required: true + show_user: true + default: + - block - name: tags type: text title: Tags diff --git a/packages/mimecast/data_stream/message_release_logs/_dev/test/pipeline/test-release-logs.json-expected.json b/packages/mimecast/data_stream/message_release_logs/_dev/test/pipeline/test-release-logs.json-expected.json index c0ae5d9d7ae..847d48d2402 100644 --- a/packages/mimecast/data_stream/message_release_logs/_dev/test/pipeline/test-release-logs.json-expected.json +++ b/packages/mimecast/data_stream/message_release_logs/_dev/test/pipeline/test-release-logs.json-expected.json 
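Review bot: `bouce` in the new `description:` line should read `bounce`. This text is shown to operators as the authoritative list of accepted values, and a misspelt value copied from it would never match the pipeline's `contains` check, so the fix is simply to change `bouce` to `bounce` in that line. It would also help to state that the values are matched exactly as Mimecast reports them (lowercase in the fixtures), since the comparison in the pipeline is case-sensitive.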
@@ -26,7 +26,7 @@ "email" ], "id": "eNpVj21LhEAUhf_LfN2VnRl1RpclCN...", - "kind": "event", + "kind": "alert", "original": "{\"attachments\":true,\"detectionLevel\":\"moderate\",\"fromEnv\":{\"displayableName\":\"FromName LastName\",\"emailAddress\":\"from_user@from_domain.tld\"},\"fromHdr\":{\"displayableName\":\"FromName LastName\",\"emailAddress\":\"from_user@from_domain.tld\"},\"heldGroup\":\"IT Staff Global\",\"heldReason\":\"High-Confidence Impersonation Protection\",\"id\":\"eNpVj21LhEAUhf_LfN2VnRl1RpclCN...\",\"messageInfo\":\"Expired in queue - rejected by housekeeping\",\"operator\":\"admin@domain.tld\",\"policy\":\"Moderate Spam Detection\",\"rejectReason\":\"Message contains undesirable content\",\"released\":\"2015-11-25T14:49:18+00:00\",\"route\":\"inbound\",\"size\":5043,\"spamProcessingDetail\":{\"dkim\":{\"allow\":true,\"info\":\"allow\"},\"dmarc\":{\"allow\":true,\"info\":\"allow\"},\"greyEmail\":true,\"managedSender\":{\"allow\":true,\"info\":\"allow\"},\"permittedSender\":{\"allow\":true,\"info\":\"allow\"},\"rbl\":{\"allow\":true,\"info\":\"allow\"},\"spamVerdict\":{\"categories\":[{\"name\":\"spam\",\"risk\":\"low\",\"subcategories\":[{\"augmentations\":[{\"name\":\"body\",\"risk\":\"negligible\"}],\"name\":\"phishing\",\"risk\":\"low\"}]}],\"decision\":\"spam\",\"description\":\"\",\"risk\":\"low\"},\"spf\":{\"allow\":true,\"info\":\"allow\"}},\"spamScore\":12,\"status\":\"released\",\"subject\":\"Exclusive Offer - You don't want to miss this!\",\"to\":[{\"displayableName\":\"ToName LastName\",\"emailAddress\":\"to_user@to_domain.tld\"}]}", "reason": "Message contains undesirable content", "risk_score": 12, 
@@ -171,7 +171,7 @@ "email" ], "id": "eNpVj21LhEAUhf_LfN2VnRl1RpclCN...", - "kind": "event", + "kind": "alert", "original": "{\"attachments\":true,\"detectionLevel\":\"moderate\",\"fromEnv\":{\"displayableName\":\"FromName LastName\",\"emailAddress\":\"from_user@from_domain.tld\"},\"fromHdr\":{\"displayableName\":\"FromName LastName\",\"emailAddress\":\"from_user@from_domain.tld\"},\"heldGroup\":\"IT Staff Global\",\"heldReason\":\"High-Confidence Impersonation Protection\",\"id\":\"eNpVj21LhEAUhf_LfN2VnRl1RpclCN...\",\"messageInfo\":\"Expired in queue - rejected by housekeeping\",\"operator\":\"admin@domain.tld\",\"policy\":\"Moderate Spam Detection\",\"rejectReason\":\"Message contains undesirable content\",\"released\":\"2015-11-25T14:49:18+00:00\",\"route\":\"outbound\",\"size\":5043,\"spamProcessingDetail\":{\"dkim\":{\"allow\":true,\"info\":\"allow\"},\"dmarc\":{\"allow\":true,\"info\":\"allow\"},\"greyEmail\":true,\"managedSender\":{\"allow\":true,\"info\":\"allow\"},\"permittedSender\":{\"allow\":true,\"info\":\"allow\"},\"rbl\":{\"allow\":true,\"info\":\"allow\"},\"spamVerdict\":{\"categories\":[{\"name\":\"spam\",\"risk\":\"low\",\"subcategories\":[{\"augmentations\":[{\"name\":\"body\",\"risk\":\"negligible\"}],\"name\":\"phishing\",\"risk\":\"low\"}]}],\"decision\":\"spam\",\"description\":\"\",\"risk\":\"low\"},\"spf\":{\"allow\":true,\"info\":\"allow\"}},\"spamScore\":12,\"status\":\"released\",\"subject\":\"Exclusive Offer - You don't want to miss this!\",\"to\":[{\"displayableName\":\"ToName LastName\",\"emailAddress\":\"to_user@to_domain.tld\"}]}", "reason": "Message contains undesirable content", "risk_score": 12, 
@@ -316,7 +316,7 @@ "email" ], "id": "eNpVj21LhEAUhf_LfN2VnRl1RpclCN...", - "kind": "event", + "kind": "alert", "original": "{\"attachments\":true,\"detectionLevel\":\"moderate\",\"fromEnv\":{\"displayableName\":\"FromName LastName\",\"emailAddress\":\"from_user@from_domain.tld\"},\"fromHdr\":{\"displayableName\":\"FromName LastName\",\"emailAddress\":\"from_user@from_domain.tld\"},\"heldGroup\":\"IT Staff Global\",\"heldReason\":\"High-Confidence Impersonation Protection\",\"id\":\"eNpVj21LhEAUhf_LfN2VnRl1RpclCN...\",\"messageInfo\":\"Expired in queue - rejected by housekeeping\",\"operator\":\"admin@domain.tld\",\"policy\":\"Moderate Spam Detection\",\"rejectReason\":\"Message contains undesirable content\",\"released\":\"2015-11-25T14:49:18+00:00\",\"route\":\"inbound\",\"size\":5043,\"spamProcessingDetail\":{\"dkim\":{\"allow\":true,\"info\":\"allow\"},\"dmarc\":{\"allow\":true,\"info\":\"allow\"},\"greyEmail\":true,\"managedSender\":{\"allow\":true,\"info\":\"allow\"},\"permittedSender\":{\"allow\":true,\"info\":\"allow\"},\"rbl\":{\"allow\":true,\"info\":\"allow\"},\"spamVerdict\":{\"categories\":[{\"name\":\"spam\",\"risk\":\"low\",\"subcategories\":[{\"augmentations\":[{\"name\":\"body\",\"risk\":\"negligible\"}],\"name\":\"phishing\",\"risk\":\"low\"}]}],\"decision\":\"spam\",\"description\":\"\",\"risk\":\"low\"},\"spf\":{\"allow\":true,\"info\":\"allow\"}},\"spamScore\":12,\"status\":\"released\",\"subject\":\"Exclusive Offer - You don't want to miss this!\",\"to\":[{\"emailAddress\":\"to_user@to_domain.tld\"}]}", "reason": "Message contains undesirable content", "risk_score": 12, 
@@ -456,7 +456,7 @@ "email" ], "id": "eNpVj21LhEAUhf_LfN2VnRl1RpclCN...", - "kind": "event", + "kind": "alert", "original": "{\"attachments\":true,\"detectionLevel\":\"moderate\",\"fromEnv\":{\"displayableName\":\"FromName LastName\",\"emailAddress\":\"from_user@from_domain.tld\"},\"fromHdr\":{\"displayableName\":\"FromName LastName\",\"emailAddress\":\"from_user@from_domain.tld\"},\"heldGroup\":\"IT Staff Global\",\"heldReason\":\"High-Confidence Impersonation Protection\",\"id\":\"eNpVj21LhEAUhf_LfN2VnRl1RpclCN...\",\"messageInfo\":\"Expired in queue - rejected by housekeeping\",\"operator\":\"admin@domain.tld\",\"policy\":\"Moderate Spam Detection\",\"rejectReason\":\"Message contains undesirable content\",\"released\":\"2015-11-25T14:49:18+00:00\",\"route\":\"outbound\",\"size\":5043,\"spamProcessingDetail\":{\"dkim\":{\"allow\":true,\"info\":\"allow\"},\"dmarc\":{\"allow\":true,\"info\":\"allow\"},\"greyEmail\":true,\"managedSender\":{\"allow\":true,\"info\":\"allow\"},\"permittedSender\":{\"allow\":true,\"info\":\"allow\"},\"rbl\":{\"allow\":true,\"info\":\"allow\"},\"spamVerdict\":{\"categories\":[{\"name\":\"spam\",\"risk\":\"low\",\"subcategories\":[{\"augmentations\":[{\"name\":\"body\",\"risk\":\"negligible\"}],\"name\":\"phishing\",\"risk\":\"low\"}]}],\"decision\":\"spam\",\"description\":\"\",\"risk\":\"low\"},\"spf\":{\"allow\":true,\"info\":\"allow\"}},\"spamScore\":12,\"status\":\"released\",\"subject\":\"Exclusive Offer - You don't want to miss this!\",\"to\":[{\"emailAddress\":\"to_user@to_domain.tld\"}]}", "reason": "Message contains undesirable content", "risk_score": 12, 
@@ -598,7 +598,7 @@ "email" ], "id": "eNpVj21LhEAUhf_LfN2VnRl1RpclCN...", - "kind": "event", + "kind": "alert", "original": "{\"attachments\":true,\"detectionLevel\":\"moderate\",\"fromEnv\":{\"displayableName\":\"FromName LastName\",\"emailAddress\":\"from_user@from_domain.tld\"},\"fromHdr\":{\"displayableName\":\"FromName LastName\",\"emailAddress\":\"from_user@from_domain.tld\"},\"heldGroup\":\"IT Staff Global\",\"heldReason\":\"High-Confidence Impersonation Protection\",\"id\":\"eNpVj21LhEAUhf_LfN2VnRl1RpclCN...\",\"messageInfo\":\"Expired in queue - rejected by housekeeping\",\"operator\":\"admin@domain.tld\",\"policy\":\"Moderate Spam Detection\",\"rejectReason\":\"Message contains undesirable content\",\"route\":\"outbound\",\"size\":5043,\"spamProcessingDetail\":{\"dkim\":{\"allow\":true,\"info\":\"allow\"},\"dmarc\":{\"allow\":true,\"info\":\"allow\"},\"greyEmail\":true,\"managedSender\":{\"allow\":true,\"info\":\"allow\"},\"permittedSender\":{\"allow\":true,\"info\":\"allow\"},\"rbl\":{\"allow\":true,\"info\":\"allow\"},\"spamVerdict\":{\"categories\":[{\"name\":\"spam\",\"risk\":\"low\",\"subcategories\":[{\"augmentations\":[{\"name\":\"body\",\"risk\":\"negligible\"}],\"name\":\"phishing\",\"risk\":\"low\"}]}],\"decision\":\"spam\",\"description\":\"\",\"risk\":\"low\"},\"spf\":{\"allow\":true,\"info\":\"allow\"}},\"spamScore\":12,\"status\":\"released\",\"subject\":\"Exclusive Offer - You don't want to miss this!\",\"to\":[{\"emailAddress\":\"to_user@to_domain.tld\"}]}", "reason": "Message contains undesirable content", "risk_score": 12, 
@@ -863,7 +863,7 @@ "email" ], "id": "eNoNjt0KgjAYQN9ltwlNMVZBF...", - "kind": "event", + "kind": "alert", "original": "{\"id\":\"eNoNjt0KgjAYQN9ltwlNMVZBF...\",\"status\":\"rejected\",\"rejectReason\":\"Message goes against email policies\",\"heldReason\":\"Default Spam Scanning Definition\",\"messageInfo\":\"Graymail\",\"released\":\"2024-10-28T14:16:51+0000\",\"operator\":{\"emailAddress\":\"monika.causholli@demo-int.elastic.mime-api.com\"},\"fromEnv\":{\"emailAddress\":\"yahoo-delivers@evaluation-fuzz.b41.one\"},\"fromHdr\":{\"emailAddress\":\"yahoo-delivers@evaluation-fuzz.b41.one\"},\"to\":[{\"emailAddress\":\"monika.causholli@demo-int.elastic.mime-api.com\"}],\"subject\":\"Yahoo! Newsletter, November 2001\",\"attachments\":true,\"route\":\"inbound\",\"size\":3670056,\"policy\":\"Default Spam Scanning Definition\",\"spamScore\":20,\"detectionLevel\":\"relaxed\",\"spamProcessingDetail\":{\"rbl\":{\"allow\":true,\"info\":\"\"},\"greyEmail\":false,\"spf\":{\"allow\":true,\"info\":\"allow\"},\"dkim\":{\"allow\":true,\"info\":\"unknown\"},\"dmarc\":{\"allow\":true,\"info\":\"allow\"},\"permittedSender\":{\"allow\":true,\"info\":\"none\"},\"managedSender\":{\"allow\":true,\"info\":\"unknown\"},\"verdict\":{\"decision\":\"spam\",\"description\":\"\",\"risk\":\"high\",\"categories\":[{\"name\":\"spam\",\"risk\":\"high\",\"subcategories\":[{\"name\":\"technology_feed\",\"risk\":\"high\",\"augmentations\":[]},{\"name\":\"content\",\"risk\":\"negligible\",\"augmentations\":[{\"name\":\"body\",\"risk\":\"negligible\"}]}]},{\"name\":\"graymail\",\"risk\":\"negligible\",\"subcategories\":[]}]}}}", "reason": "Message goes against email policies", "risk_score": 20, 
@@ -1003,7 +1003,7 @@ "email" ], "id": "eNoNjt0KgjAYQN9l10HTDCvow...", - "kind": "event", + "kind": "alert", "original": "{\"id\":\"eNoNjt0KgjAYQN9l10HTDCvow...\",\"status\":\"rejected\",\"rejectReason\":\"Message goes against email policies\",\"heldReason\":\"Default Spam Scanning Definition\",\"messageInfo\":\"Graymail\",\"released\":\"2024-10-28T14:18:43+0000\",\"operator\":{\"emailAddress\":\"vkamins@demo-int.elastic.mime-api.com\"},\"fromEnv\":{\"emailAddress\":\"erisk@pilot-meadow.b41.one\"},\"fromHdr\":{\"emailAddress\":\"erisk@pilot-meadow.b41.one\"},\"to\":[{\"emailAddress\":\"vkamins@demo-int.elastic.mime-api.com\"}],\"subject\":\"ERisk Essentials\",\"attachments\":false,\"route\":\"inbound\",\"size\":7473,\"policy\":\"Default Spam Scanning Definition\",\"spamScore\":9,\"detectionLevel\":\"relaxed\",\"spamProcessingDetail\":{\"rbl\":{\"allow\":true,\"info\":\"\"},\"greyEmail\":false,\"spf\":{\"allow\":true,\"info\":\"allow\"},\"dkim\":{\"allow\":true,\"info\":\"unknown\"},\"dmarc\":{\"allow\":true,\"info\":\"allow\"},\"permittedSender\":{\"allow\":true,\"info\":\"none\"},\"managedSender\":{\"allow\":true,\"info\":\"unknown\"},\"verdict\":{\"decision\":\"spam\",\"description\":\"\",\"risk\":\"medium\",\"categories\":[{\"name\":\"spam\",\"risk\":\"medium\",\"subcategories\":[{\"name\":\"technology_feed\",\"risk\":\"medium\",\"augmentations\":[]}]},{\"name\":\"graymail\",\"risk\":\"negligible\",\"subcategories\":[]}]}}}", "reason": "Message goes against email policies", "risk_score": 9, @@ -1232,4 +1232,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/mimecast/data_stream/message_release_logs/elasticsearch/ingest_pipeline/default.yml b/packages/mimecast/data_stream/message_release_logs/elasticsearch/ingest_pipeline/default.yml index e6355ac8ed3..c91c540c635 100644 --- a/packages/mimecast/data_stream/message_release_logs/elasticsearch/ingest_pipeline/default.yml 
+++ b/packages/mimecast/data_stream/message_release_logs/elasticsearch/ingest_pipeline/default.yml @@ -190,6 +190,10 @@ processors: - set: field: event.kind value: event + - set: + field: event.kind + value: alert + if: ctx.mimecast?.rejectReason != null && ctx.mimecast.rejectReason != '' - set: field: event.reason copy_from: mimecast.rejectReason diff --git a/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-docs-logs.log-expected.json b/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-docs-logs.log-expected.json index 04c8f4af79b..7c872d4a5b5 100644 --- a/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-docs-logs.log-expected.json +++ b/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-docs-logs.log-expected.json @@ -157,6 +157,7 @@ "email" ], "created": "2017-05-26T19:24:18+0100", + "kind": "alert", "original": "{\"Act\":\"Hld\",\"AttCnt\":0,\"AttNames\":\"\",\"AttSize\":0,\"Hld\":\"Spm\",\"IPInternalName\":\"false\",\"IPNewDomain\":\"false\",\"IPReplyMismatch\":\"false\",\"IPSimilarDomain\":\"false\",\"IPThreadDict\":\"false\",\"MsgId\":\"messageId@mssageId\",\"MsgSize\":56442,\"aCode\":\"015vTYvNN-Wn30v7M5MzNw\",\"acc\":\"C0A0\",\"datetime\":\"2017-05-26T19:24:18+0100\"}", "outcome": "unknown", "reason": "Spm" 
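Review bot: The new processor makes `event.kind` depend only on `mimecast.rejectReason` being non-empty, so the fixtures with `"status":"released"` in the expected-output hunks now become alerts as well; if a released message is meant to stay an alert because the original hold was a policy detection, a one-line comment on the processor would save the next reader the question, e.g. `# A non-empty rejectReason means a policy held or rejected the message; keep it an alert even if later released.` If that is not the intent, the condition should also consult `mimecast.status`. The unconditional `event.kind: event` immediately above reads fine as the default in a default-then-override pair. The processor list starts and ends outside the hunk.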
@@ -281,6 +282,7 @@ "email" ], "created": "2021-03-05T16:25:17+0000", + "kind": "alert", "original": "{\"CustomerIP\":\"true\",\"IP\":\"0.0.0.0\",\"MimecastIP\":\"false\",\"MsgId\":\"<85485.121030516250700527@mta.uk.somewhere.tld>\",\"Recipient\":\"recipient@recipientdomain.tld\",\"Route\":\"Inbound\",\"Sender\":\"8jy0xzfjymioyjfjrajc@senderdomain.tld\",\"SenderDomain\":\"senderdomain.tld\",\"SenderDomainInternal\":\"false\",\"Size\":1648832,\"Subject\":\"Invoice Attached for payment\",\"Virus\":\"Anomali:Phishing\",\"acc\":\"C0A0\",\"datetime\":\"2021-03-05T16:25:17+0000\",\"fileExt\":\"xlsm\",\"fileMime\":\"application/vnd.ms-excel.sheet.macroEnabled.12\",\"fileName\":\"Invoice Attached for payment\",\"md5\":\"4dbe9dbfb53438d9ce410535355cd973\",\"sha1\":\"816b013c8be6e5708690645964b5d442c085041e\",\"sha256\":\"efe51c2453821310c7a34dca3054021d0f6d453b7133c381d75e3140901efd12\"}", "outcome": "unknown" }, @@ -328,6 +330,7 @@ "email" ], "created": "2021-03-05T18:18:39+0000", + "kind": "alert", "original": "{\"MsgId\":\"\",\"Recipient\":\"recipient@adomain.tld\",\"Route\":\"Inbound\",\"Sender\":\"sender@domain.tld\",\"SenderDomain\":\"bdomain.tld\",\"SourceIP\":\"0.0.0.0\",\"Subject\":\"Opportunity to become VP\",\"aCode\":\"azYwczFKNga_v1sYBuJOvA\",\"acc\":\"C0A0\",\"datetime\":\"2021-03-05T18:18:39+0000\",\"headerFrom\":\"sender@adomain\"}", "outcome": "unknown" }, @@ -370,6 +373,7 @@ "email" ], "created": "2021-03-04T21:31:08+0000", + "kind": "alert", "original": "{\"MsgId\":\"\",\"Recipient\":\"recipient@domain.tld\",\"Route\":\"Internal\",\"ScanResultInfo\":\"Blocked URL Category\",\"Sender\":\"sender@domain.tld\",\"Subject\":\"Coffee Briefing\",\"URL\":\"https://domain.com/login/\",\"UrlCategory\":\"Phishing & Fraud\",\"aCode\":\"vit87EEXMPaEyl22Lrb92A\",\"acc\":\"C46A75\",\"datetime\":\"2021-03-04T21:31:08+0000\"}", "outcome": "unknown" }, 
@@ -414,6 +418,7 @@ "email" ], "created": "2020-07-27T00:39:59+0100", + "kind": "alert", "original": "{\"Action\":\"Hold\",\"CustomName\":\"false\",\"CustomThreatDictionary\":\"false\",\"Definition\":\"Default Impersonation Definition\",\"Hits\":\"1\",\"IP\":\"0.0.0.0\",\"InternalName\":\"true\",\"MsgId\":\"\",\"NewDomain\":\"false\",\"Recipient\":\"recipient@domain\",\"ReplyMismatch\":\"false\",\"Route\":\"Inbound\",\"Sender\":\"sender@domain\",\"SimilarCustomExternalDomain\":\"false\",\"SimilarInternalDomain\":\"false\",\"SimilarMimecastExternalDomain\":\"false\",\"Subject\":\"Opportunity to become VP\",\"TaggedExternal\":\"false\",\"TaggedMalicious\":\"true\",\"ThreatDictionary\":\"false\",\"aCode\":\"q4qBpkoTOt-iStR7G44w3g\",\"acc\":\"C0A0\",\"datetime\":\"2020-07-27T00:39:59+0100\"}", "outcome": "unknown" }, @@ -535,6 +540,7 @@ "email" ], "created": "2017-05-23T21:45:21+0100", + "kind": "alert", "original": "{\"IP\":\"81.2.69.144\",\"Recipient\":\"auser@mimecast.com\",\"Route\":\"Inbound\",\"Sender\":\"from@domain.com\",\"SenderDomain\":\"domain.com\",\"Size\":378368,\"acc\":\"C1A1\",\"datetime\":\"2017-05-23T21:45:21+0100\",\"fileExt\":\"doc\",\"fileMime\":\"application/vnd.ms-office\",\"fileName\":\"1XCOLUMN.PVC\",\"md5\":\"7b52770644da336a9a59141c80807f37\",\"sha1\":\"a27850da9e7adfc8e1a94dabf2509fc9d65ee7e2\",\"sha256\":\"8746bb4b31ab6f03eb0a3b2c62ab7497658f0f85c8e7e82f042f9af0bb876d83\"}", "outcome": "unknown" }, @@ -565,4 +571,4 @@ ] } ] -} \ No newline at end of file +} diff --git a/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-v1-logs.log-expected.json b/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-v1-logs.log-expected.json index 47cc9fbfaa2..0ca5b57616e 100644 --- a/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-v1-logs.log-expected.json +++ b/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-v1-logs.log-expected.json 
@@ -26,6 +26,7 @@ "email" ], "created": "2021-10-18T09:02:43+0100", + "kind": "alert", "original": "{\"Act\":\"Hld\",\"AttCnt\":0,\"AttNames\":null,\"AttSize\":0,\"Content-Disposition\":\"attachment; filename=\\\"process_20211018093329655.json\\\"\",\"Hld\":\"Spm\",\"MsgId\":\"\\u003cINX.164dae0719be95da77068c7d264.3e915.e7719.c78c.17c926a3231ace@newsletter.77onlineshop.eu\\u003e\",\"MsgSize\":157436,\"Sender\":\"bounce_9244+cdaahhimyaaaaagaad5ekqaaaaaaaaeribenpq@newsletter.77onlineshop.eu\",\"Subject\":\"Hi Sandra! Neue Styles eingetroffen! – Finde deinen Lieblings-Look!\",\"aCode\":\"HhuwRf_AOcuJZINE2ZgcKw\",\"acc\":\"ABC123\",\"datetime\":\"2021-10-18T09:02:43+0100\"}", "outcome": "unknown", "reason": "Spm" @@ -73,6 +74,7 @@ "email" ], "created": "2021-10-19T07:06:40+0100", + "kind": "alert", "original": "{\"acc\":\"ABC123\",\"Delivered\":false,\"IP\":\"67.43.156.15\",\"RejType\":\"Recipient email address is possibly incorrect\",\"RejCode\":\"550\",\"AttCnt\":0,\"Dir\":\"Inbound\",\"ReceiptAck\":null,\"MsgId\":null,\"Subject\":null,\"Latency\":505,\"Sender\":\"<>\",\"datetime\":\"2021-10-19T07:06:40+0100\",\"Rcpt\":\"johndoe@example.com\",\"AttSize\":0,\"Attempt\":1,\"RejInfo\":\"5.4.1 Recipient address rejected: Access denied. AS(201806281) [LO2GBR01FT037.eop-gbr01.prod.protection.outlook.com]\",\"TlsVer\":\"TLSv1.2\",\"Cphr\":\"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\",\"Snt\":125,\"aCode\":\"29be076e-44cd-354d-a7c2-083d4a312371\",\"UseTls\":\"Yes\",\"Route\":\"Office365\",\"Content-Disposition\":\"attachment; filename=\\\"delivery_20211018093329655.json\\\"\"}", "outcome": "failure", "reason": "5.4.1 Recipient address rejected: Access denied. AS(201806281) [LO2GBR01FT037.eop-gbr01.prod.protection.outlook.com]" 
@@ -248,6 +250,7 @@ "email" ], "created": "2021-10-19T07:04:56+0100", + "kind": "alert", "original": "{\"acc\":\"ABC123\",\"Delivered\":false,\"IP\":\"67.43.156.15\",\"RejType\":\"Recipient email address is possibly incorrect\",\"RejCode\":\"550\",\"AttCnt\":0,\"Dir\":\"Internal\",\"ReceiptAck\":null,\"MsgId\":\"<137188507-1634623494888@uk-mta-151.uk.mimecast.lan>\",\"Subject\":\"You have new held messages\",\"Latency\":1534,\"Sender\":\"johndoe@example.com\",\"datetime\":\"2021-10-19T07:04:56+0100\",\"Rcpt\":\"johndoejr@example.com\",\"AttSize\":0,\"Attempt\":1,\"RejInfo\":\"5.4.1 Recipient address rejected: Access denied. AS(201806281) [CWLGBR01FT010.eop-gbr01.prod.protection.outlook.com]\",\"TlsVer\":\"TLSv1.2\",\"Cphr\":\"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\",\"Snt\":147,\"aCode\":\"61dfe7da-4c6d-34e1-9667-69b04f0d564f\",\"UseTls\":\"Yes\",\"Route\":\"Office365\",\"Content-Disposition\":\"attachment; filename=\\\"delivery_20211018093329655.json\\\"\"}", "outcome": "failure", "reason": "5.4.1 Recipient address rejected: Access denied. AS(201806281) [CWLGBR01FT010.eop-gbr01.prod.protection.outlook.com]" @@ -508,4 +511,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-v2-logs.log-expected.json b/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-v2-logs.log-expected.json index b136699e534..e58164c12fa 100644 --- a/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-v2-logs.log-expected.json +++ b/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-v2-logs.log-expected.json 
@@ -25,6 +25,7 @@ "email" ], "created": "2024-11-13T11:57:39.314Z", + "kind": "alert", "original": "{\"_offset\":71203,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"aggregateId\":\"ycS8ZuP_MPunTsp6ErzBSA_1731499054\",\"fileExtension\":\"pdf\",\"fileName\":\"zero-day.pdf\",\"md5\":\"66f03bf072a74bb19db16c952ba3dc47\",\"processingId\":\"WGY_DvwBSSkQgHEEGRzoLfwigWn9mwWIGqiLvVrPqKc_1731499054\",\"sha1\":\"ce87cd86f9d9d3ed4c1138530ef259ce83638593\",\"sha256\":\"22a65c438289353d96c707cf55e26be723e3157f0aa00734843a9bdc8f98bab0\",\"subtype\":null,\"timestamp\":1731499059314,\"type\":\"attachment protect\"}", "outcome": "unknown" }, @@ -70,6 +71,7 @@ "email" ], "created": "2024-11-14T22:04:26.023Z", + "kind": "alert", "original": "{\"_offset\":72919,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"aggregateId\":\"pZrAa9HUN-WmL2AK6cWduw_1731621818\",\"fileExtension\":\"zip\",\"fileName\":\"WinZip Attachments.zip\",\"md5\":\"baab79394970762f6ccefff87e0884ac\",\"processingId\":\"aZDCqoMHYF9FcjJQ869Lbra7mJvvQIa-VaegH2O8C0g_1731621818\",\"sha1\":\"08a3037782976df0defbc4f0650d647b8696e18c\",\"sha256\":\"2184a906a8f705269be0ed65b25c0ecde9cd3bbe0bdadbe1e86492a7ce073c32\",\"subtype\":null,\"timestamp\":1731621866023,\"type\":\"attachment protect\"}", "outcome": "unknown" }, @@ -115,6 +117,7 @@ "email" ], "created": "2024-11-15T21:19:20.321Z", + "kind": "alert", "original": "{\"_offset\":73861,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"aggregateId\":\"k3KcYRO6P7qYd0rHc1QFNw_1731705555\",\"fileExtension\":\"pdf\",\"fileName\":\"zero-day.pdf\",\"md5\":\"66f03bf072a74bb19db16c952ba3dc47\",\"processingId\":\"WwGkv-47IJizhgFwoSrDx4e3e72fFIFdyKh3xcIJaik_1731705555\",\"sha1\":\"ce87cd86f9d9d3ed4c1138530ef259ce83638593\",\"sha256\":\"22a65c438289353d96c707cf55e26be723e3157f0aa00734843a9bdc8f98bab0\",\"subtype\":null,\"timestamp\":1731705560321,\"type\":\"attachment protect\"}", "outcome": "unknown" }, 
@@ -160,6 +163,7 @@ "email" ], "created": "2024-11-14T22:04:26.000Z", + "kind": "alert", "original": "{\"_offset\":72919,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"aggregateId\":\"pZrAa9HUN-WmL2AK6cWduw_1731621818\",\"fileExtension\":\"zip\",\"fileName\":\"WinZip Attachments.zip\",\"md5\":\"baab79394970762f6ccefff87e0884ac\",\"processingId\":\"b3vNsa7MZl72FJW_mbEr0ZX-iohNRCrOQ-BimNV1q9Q_1731621818\",\"sha1\":\"08a3037782976df0defbc4f0650d647b8696e18c\",\"sha256\":\"2184a906a8f705269be0ed65b25c0ecde9cd3bbe0bdadbe1e86492a7ce073c32\",\"subtype\":null,\"timestamp\":1731621866000,\"type\":\"attachment protect\"}", "outcome": "unknown" }, @@ -205,6 +209,7 @@ "email" ], "created": "2024-11-14T22:04:26.024Z", + "kind": "alert", "original": "{\"_offset\":72919,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"aggregateId\":\"pZrAa9HUN-WmL2AK6cWduw_1731621818\",\"fileExtension\":\"zip\",\"fileName\":\"WinZip Attachments.zip\",\"md5\":\"baab79394970762f6ccefff87e0884ac\",\"processingId\":\"mLgUT0pGSr_N7iwZQw_rR_JZltfI6rd_ntlmS6_ERBo_1731621818\",\"sha1\":\"08a3037782976df0defbc4f0650d647b8696e18c\",\"sha256\":\"2184a906a8f705269be0ed65b25c0ecde9cd3bbe0bdadbe1e86492a7ce073c32\",\"subtype\":null,\"timestamp\":1731621866024,\"type\":\"attachment protect\"}", "outcome": "unknown" }, @@ -250,6 +255,7 @@ "email" ], "created": "2024-11-14T22:04:26.000Z", + "kind": "alert", "original": "{\"_offset\":72919,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"aggregateId\":\"pZrAa9HUN-WmL2AK6cWduw_1731621818\",\"fileExtension\":\"zip\",\"fileName\":\"WinZip Attachments.zip\",\"md5\":\"baab79394970762f6ccefff87e0884ac\",\"processingId\":\"6czskzJMohlaUKVhot_uqpWCnSxbrpxHOmIbcab2cz8_1731621818\",\"sha1\":\"08a3037782976df0defbc4f0650d647b8696e18c\",\"sha256\":\"2184a906a8f705269be0ed65b25c0ecde9cd3bbe0bdadbe1e86492a7ce073c32\",\"subtype\":null,\"timestamp\":1731621866000,\"type\":\"attachment protect\"}", "outcome": "unknown" }, 
@@ -295,6 +301,7 @@ "email" ], "created": "2024-11-14T22:04:26.002Z", + "kind": "alert", "original": "{\"_offset\":72919,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"aggregateId\":\"pZrAa9HUN-WmL2AK6cWduw_1731621818\",\"fileExtension\":\"zip\",\"fileName\":\"WinZip Attachments.zip\",\"md5\":\"baab79394970762f6ccefff87e0884ac\",\"processingId\":\"MyaowWrjsmqCAoLpEyL5HV1AZ8jx5ktpfR1F-y8u49k_1731621818\",\"sha1\":\"08a3037782976df0defbc4f0650d647b8696e18c\",\"sha256\":\"2184a906a8f705269be0ed65b25c0ecde9cd3bbe0bdadbe1e86492a7ce073c32\",\"subtype\":null,\"timestamp\":1731621866002,\"type\":\"attachment protect\"}", "outcome": "unknown" }, @@ -340,6 +347,7 @@ "email" ], "created": "2024-11-14T22:04:26.010Z", + "kind": "alert", "original": "{\"_offset\":72919,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"aggregateId\":\"pZrAa9HUN-WmL2AK6cWduw_1731621818\",\"fileExtension\":\"zip\",\"fileName\":\"WinZip Attachments.zip\",\"md5\":\"baab79394970762f6ccefff87e0884ac\",\"processingId\":\"A1JuZjnL7y-1hP0ArmGTNUqqex9NU62N18z_QlPirAY_1731621818\",\"sha1\":\"08a3037782976df0defbc4f0650d647b8696e18c\",\"sha256\":\"2184a906a8f705269be0ed65b25c0ecde9cd3bbe0bdadbe1e86492a7ce073c32\",\"subtype\":null,\"timestamp\":1731621866010,\"type\":\"attachment protect\"}", "outcome": "unknown" }, @@ -385,6 +393,7 @@ "email" ], "created": "2024-11-14T22:04:26.018Z", + "kind": "alert", "original": "{\"_offset\":72919,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"aggregateId\":\"pZrAa9HUN-WmL2AK6cWduw_1731621818\",\"fileExtension\":\"zip\",\"fileName\":\"WinZip Attachments.zip\",\"md5\":\"baab79394970762f6ccefff87e0884ac\",\"processingId\":\"G0_0M5x6QhE_UvSS0Wv0HzUDdWlgNBONhtSHHsrKznA_1731621818\",\"sha1\":\"08a3037782976df0defbc4f0650d647b8696e18c\",\"sha256\":\"2184a906a8f705269be0ed65b25c0ecde9cd3bbe0bdadbe1e86492a7ce073c32\",\"subtype\":null,\"timestamp\":1731621866018,\"type\":\"attachment protect\"}", "outcome": "unknown" }, 
@@ -430,6 +439,7 @@ "email" ], "created": "2024-11-13T12:28:01.660Z", + "kind": "alert", "original": "{\"_offset\":71219,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"aggregateId\":\"auzof_uINcO0Z8DvryMngw_1731500878\",\"fileExtension\":\"pdf\",\"fileName\":\"zero-day.pdf\",\"md5\":\"66f03bf072a74bb19db16c952ba3dc47\",\"processingId\":\"0fD129nTUvY0qRAuLALbD7HpiV_4kWYEvyJjldHOOaU_1731500878\",\"sha1\":\"ce87cd86f9d9d3ed4c1138530ef259ce83638593\",\"sha256\":\"22a65c438289353d96c707cf55e26be723e3157f0aa00734843a9bdc8f98bab0\",\"subtype\":null,\"timestamp\":1731500881660,\"type\":\"attachment protect\"}", "outcome": "unknown" }, @@ -2229,6 +2239,7 @@ "email" ], "created": "2024-11-12T23:36:45.992Z", + "kind": "alert", "original": "{\"_offset\":70936,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"action\":\"Rej\",\"aggregateId\":\"lf7BP8oVOue0keIDXck0Ww_1731454604\",\"direction\":\"Inbound\",\"messageId\":null,\"numberAttachments\":\"0\",\"processingId\":\"Ycqry21vB3utdjgPfIFYpj9wQK6HMNkmX_1vFlph1UM_1731454604\",\"recipients\":\"truorange@demo-int.elastic.mime-api.com\",\"rejectionCode\":\"550\",\"rejectionInfo\":\"Envelope blocked - User Entry\",\"rejectionType\":\"Manual Envelope Rejection\",\"senderEnvelope\":\"truorange@creative-omega.b41.one\",\"senderHeader\":null,\"senderIp\":\"81.2.69.144\",\"spamDetectionLevel\":null,\"spamInfo\":null,\"spamProcessingDetail\":\"{\\\"spf\\\":{\\\"allow\\\":true,\\\"info\\\":\\\"ALLOW\\\"}}\",\"spamScore\":null,\"subject\":null,\"subtype\":\"Rej\",\"timestamp\":1731454605992,\"tlsCipher\":\"TLS_AES_256_GCM_SHA384\",\"tlsVersion\":\"TLSv1.3\",\"type\":\"receipt\",\"virusFound\":null}", "outcome": "unknown", "reason": "Envelope blocked - User Entry" @@ -3482,4 +3493,4 @@ ] } ] -} \ No newline at end of file +} 
diff --git a/packages/mimecast/data_stream/siem_logs/elasticsearch/ingest_pipeline/v1_pipeline.yml b/packages/mimecast/data_stream/siem_logs/elasticsearch/ingest_pipeline/v1_pipeline.yml
index 070f9e9f6fa..53f1799e7a3 100644
--- a/packages/mimecast/data_stream/siem_logs/elasticsearch/ingest_pipeline/v1_pipeline.yml
+++ b/packages/mimecast/data_stream/siem_logs/elasticsearch/ingest_pipeline/v1_pipeline.yml
@@ -239,6 +239,10 @@ processors:
 field: mimecast.RejInfo
 target_field: event.reason
 ignore_missing: true
+ - set:
+ field: event.kind
+ value: alert
+ if: ctx.mimecast?.RejType != null && ctx.mimecast.RejType != ''
 - rename:
 field: mimecast.RejType
 target_field: error.type
@@ -266,6 +270,10 @@ processors:
 field: mimecast.AttNames
 target_field: email.attachments.file.name
 ignore_missing: true
+ - set:
+ field: event.kind
+ value: alert
+ if: ctx.mimecast?.Hld != null && ctx.mimecast.Hld != ''
 - rename:
 field: mimecast.Hld
 target_field: event.reason
@@ -290,6 +298,10 @@ processors:
 if: 'ctx.tls?.established instanceof String && ctx.tls.established.toLowerCase() == "no"'
 ### AV LOGS
+ - set:
+ field: event.kind
+ value: alert
+ if: ctx.mimecast?.fileExt != null && ctx.mimecast.fileExt != ''
 - rename:
 field: mimecast.fileExt
 target_field: email.attachments.file.extension
@@ -329,18 +341,30 @@ processors:
 ignore_missing: true
 ### SPAM EVENT THREAD LOGS
+ - set:
+ field: event.kind
+ value: alert
+ if: ctx.mimecast?.SourceIP != null && ctx.mimecast.SourceIP != ''
 - rename:
 field: mimecast.SourceIP
 target_field: source.ip
 ignore_missing: true
 ### SIEM Email Protect Logs
+ - set:
+ field: event.kind
+ value: alert
+ if: ctx.mimecast?.URL != null && ctx.mimecast.URL != ''
 - rename:
 field: mimecast.URL
 target_field: url.full
 ignore_missing: true
 ### SIEM Impersonation logs
+ - set:
+ field: event.kind
+ value: alert
+ if: ctx.mimecast?.TaggedMalicious == true || ctx.mimecast?.TaggedMalicious == 'true'
 - rename:
 field: mimecast.Action
 target_field: event.action
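Review bot: The `RejType` condition in the first hunk turns every rejected message into `event.kind: alert`, including plain delivery failures: the v1 expected output in this same commit now gives `"kind": "alert"` to an event whose RejType is "Recipient email address is possibly incorrect" with a 550 code, whereas ECS reserves `alert` for something a security product considers suspicious, not for transport errors. The AV, spam and URL-protect hunks likewise key on the presence of `fileExt`, `SourceIP` and `URL` rather than on a verdict field, so any event of those log types that carries the field is classified as an alert; that may be intended if those feeds only emit on detection, but nothing in the pipeline says so. The v2 pipeline hunks use the same field-presence pattern with `rejectionType`, `fileExtension`, `senderIp` and `url`. Suggest either narrowing the rejection case to the rejection types that are security verdicts, or recording the decision above the processor, e.g. `# All rejections are classified as alerts, including recipient-unknown delivery failures (RejCode 550).`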
diff --git a/packages/mimecast/data_stream/siem_logs/elasticsearch/ingest_pipeline/v2_pipeline.yml b/packages/mimecast/data_stream/siem_logs/elasticsearch/ingest_pipeline/v2_pipeline.yml
index 269d731a9ce..d053c47147a 100644
--- a/packages/mimecast/data_stream/siem_logs/elasticsearch/ingest_pipeline/v2_pipeline.yml
+++ b/packages/mimecast/data_stream/siem_logs/elasticsearch/ingest_pipeline/v2_pipeline.yml
@@ -105,6 +105,10 @@ processors:
 field: mimecast.rejectionInfo
 target_field: event.reason
 ignore_missing: true
+ - set:
+ field: event.kind
+ value: alert
+ if: ctx.mimecast?.rejectionType != null && ctx.mimecast.rejectionType != ''
 - rename:
 field: mimecast.rejectionType
 target_field: error.type
@@ -140,6 +144,10 @@ processors:
 field: mimecast.attachments
 target_field: email.attachments.file.name
 ignore_missing: true
+ - set:
+ field: event.kind
+ value: alert
+ if: ctx.mimecast?.Hld != null && ctx.mimecast.Hld != ''
 - rename:
 field: mimecast.holdReason
 target_field: event.reason
@@ -168,6 +176,10 @@ processors:
 if: ctx.tls?.established instanceof String && ctx.tls.established.equalsIgnoreCase('no')
 ### AV LOGS
+ - set:
+ field: event.kind
+ value: alert
+ if: ctx.mimecast?.fileExtension != null && ctx.mimecast.fileExtension != ''
 - rename:
 field: mimecast.fileExtension
 target_field: email.attachments.file.extension
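Review bot: The hold-reason hunk (`@@ -140,6 +144,10 @@`) tests `ctx.mimecast?.Hld`, but the rename directly below it operates on `mimecast.holdReason`, and every other condition added to this v2 pipeline uses the camelCase v2 field names (`rejectionType`, `fileExtension`, `senderIp`, `url`, `taggedMalicious`); unless v2 documents also carry an `Hld` field, this set processor never fires and held messages keep whatever `event.kind` they had before. It reads like a copy of the v1_pipeline.yml condition, where the field really is `Hld`. Suggest `if: ctx.mimecast?.holdReason != null && ctx.mimecast.holdReason != ''`, plus a held-message sample in the v2 pipeline test so the expected output pins it — none of the v2 expected-output hunks in this diff show such an event.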
@@ -194,18 +206,30 @@ processors: ignore_missing: true ### SPAM EVENT THREAD LOGS + - set: + field: event.kind + value: alert + if: ctx.mimecast?.senderIp != null && ctx.mimecast.senderIp != '' - rename: field: mimecast.senderIp target_field: source.ip ignore_missing: true ### SIEM Email Protect Logs + - set: + field: event.kind + value: alert + if: ctx.mimecast?.url != null && ctx.mimecast.url != '' - rename: field: mimecast.url target_field: url.full ignore_missing: true ### SIEM Impersonation logs + - set: + field: event.kind + value: alert + if: ctx.mimecast?.taggedMalicious == true || ctx.mimecast?.taggedMalicious == 'true' - rename: field: mimecast.action target_field: event.action diff --git a/packages/mimecast/data_stream/ttp_ap_logs/_dev/test/pipeline/test-ttp-ap-logs.log-expected.json b/packages/mimecast/data_stream/ttp_ap_logs/_dev/test/pipeline/test-ttp-ap-logs.log-expected.json index 6ed5a692071..7b0b9e01d53 100644 --- a/packages/mimecast/data_stream/ttp_ap_logs/_dev/test/pipeline/test-ttp-ap-logs.log-expected.json +++ b/packages/mimecast/data_stream/ttp_ap_logs/_dev/test/pipeline/test-ttp-ap-logs.log-expected.json @@ -361,6 +361,7 @@ "email" ], "created": "2024-11-17T00:52:30+0000", + "kind": "alert", "original": "{\"actionTriggered\":\"none\",\"date\":\"2024-11-17T00:52:30+0000\",\"definition\":\"Default Internal Attachment Protect Definition\",\"details\":\"Malicious \\r\\nTime taken: 0 hrs, 0 min, 1 sec\",\"fileHash\":\"168dde02cf41aed3bf31ad831b75d8ee0b738304baa6957c40e29b2487f15116\",\"fileName\":\"Sandbox Test.xlsx\",\"fileType\":\"application/vnd.openxmlformats-officedocument.spreadsheetml.sheet\",\"messageId\":\"\\u003c675ddc8ccedda6a7-363046@hapi.b41.one\\u003e\",\"recipientAddress\":\"charles.weldon@demo-int.elastic.mime-api.com\",\"result\":\"malicious\",\"route\":\"internal\",\"senderAddress\":\"eric.boyt@demo-int.elastic.mime-api.com\",\"subject\":\"RE\"}" }, "mimecast": { 
@@ -415,6 +416,7 @@ "email" ], "created": "2024-11-17T00:52:30+0000", + "kind": "alert", "original": "{\"actionTriggered\":\"none\",\"date\":\"2024-11-17T00:52:30+0000\",\"definition\":\"Default Internal Attachment Protect Definition\",\"details\":\"Malicious \\r\\nTime taken: 0 hrs, 0 min, 1 sec\",\"fileHash\":\"168dde02cf41aed3bf31ad831b75d8ee0b738304baa6957c40e29b2487f15116\",\"fileName\":\"Sandbox Test.xlsx\",\"fileType\":\"application/vnd.openxmlformats-officedocument.spreadsheetml.sheet\",\"messageId\":\"\\u003c675ddc8ccedda6a7-363046@hapi.b41.one\\u003e\",\"recipientAddress\":\"nathan.creech@demo-int.elastic.mime-api.com\",\"result\":\"malicious\",\"route\":\"internal\",\"senderAddress\":\"eric.boyt@demo-int.elastic.mime-api.com\",\"subject\":\"RE\"}" }, "mimecast": { @@ -469,6 +471,7 @@ "email" ], "created": "2024-11-16T18:37:47+0000", + "kind": "alert", "original": "{\"actionTriggered\":\"none\",\"date\":\"2024-11-16T18:37:47+0000\",\"definition\":\"Default Internal Attachment Protect Definition\",\"details\":\"[MALICIOUS_ACTIVITY: Exploit: Attempting to exploit CVE-2010-1240\\r\\nTime taken: 0 hrs, 0 min, 1 sec]\",\"fileHash\":\"22a65c438289353d96c707cf55e26be723e3157f0aa00734843a9bdc8f98bab0\",\"fileName\":\"zero-day.pdf\",\"fileType\":\"application/pdf\",\"messageId\":\"\\u003c52b1654770446898-195170@hapi.b41.one\\u003e\",\"recipientAddress\":\"cindy.olson@demo-int.elastic.mime-api.com\",\"result\":\"malicious\",\"route\":\"internal\",\"senderAddress\":\"hardie.davis@demo-int.elastic.mime-api.com\",\"subject\":\"FW\"}" }, "mimecast": { 
@@ -523,6 +526,7 @@ "email" ], "created": "2024-11-16T18:37:47+0000", + "kind": "alert", "original": "{\"actionTriggered\":\"none\",\"date\":\"2024-11-16T18:37:47+0000\",\"definition\":\"Default Internal Attachment Protect Definition\",\"details\":\"[MALICIOUS_ACTIVITY: Exploit: Attempting to exploit CVE-2010-1240\\r\\nTime taken: 0 hrs, 0 min, 1 sec]\",\"fileHash\":\"22a65c438289353d96c707cf55e26be723e3157f0aa00734843a9bdc8f98bab0\",\"fileName\":\"zero-day.pdf\",\"fileType\":\"application/pdf\",\"messageId\":\"\\u003c52b1654770446898-195170@hapi.b41.one\\u003e\",\"recipientAddress\":\"jennifer.milligan@demo-int.elastic.mime-api.com\",\"result\":\"malicious\",\"route\":\"internal\",\"senderAddress\":\"hardie.davis@demo-int.elastic.mime-api.com\",\"subject\":\"FW\"}" }, "mimecast": { @@ -577,6 +581,7 @@ "email" ], "created": "2024-11-16T18:37:47+0000", + "kind": "alert", "original": "{\"actionTriggered\":\"none\",\"date\":\"2024-11-16T18:37:47+0000\",\"definition\":\"Default Internal Attachment Protect Definition\",\"details\":\"[MALICIOUS_ACTIVITY: Exploit: Attempting to exploit CVE-2010-1240\\r\\nTime taken: 0 hrs, 0 min, 1 sec]\",\"fileHash\":\"22a65c438289353d96c707cf55e26be723e3157f0aa00734843a9bdc8f98bab0\",\"fileName\":\"zero-day.pdf\",\"fileType\":\"application/pdf\",\"messageId\":\"\\u003c52b1654770446898-195170@hapi.b41.one\\u003e\",\"recipientAddress\":\"misha.siegel@demo-int.elastic.mime-api.com\",\"result\":\"malicious\",\"route\":\"internal\",\"senderAddress\":\"hardie.davis@demo-int.elastic.mime-api.com\",\"subject\":\"FW\"}" }, "mimecast": { @@ -596,4 +601,4 @@ ] } ] -} \ No newline at end of file +} diff --git a/packages/mimecast/data_stream/ttp_ap_logs/elasticsearch/ingest_pipeline/default.yml b/packages/mimecast/data_stream/ttp_ap_logs/elasticsearch/ingest_pipeline/default.yml index 60978d0f3f2..c6cc060ecb2 100644 --- a/packages/mimecast/data_stream/ttp_ap_logs/elasticsearch/ingest_pipeline/default.yml 
+++ b/packages/mimecast/data_stream/ttp_ap_logs/elasticsearch/ingest_pipeline/default.yml @@ -25,6 +25,10 @@ processors: - set: field: event.category value: [email] + - set: + field: event.kind + value: alert + if: ctx.mimecast?.result == 'malicious' - date: description: Use 'mimecast.date' as the '@timestamp' diff --git a/packages/mimecast/data_stream/ttp_ip_logs/_dev/test/pipeline/test-ttp-ip-logs.log-expected.json b/packages/mimecast/data_stream/ttp_ip_logs/_dev/test/pipeline/test-ttp-ip-logs.log-expected.json index 407d0e53d2a..79d1f231193 100644 --- a/packages/mimecast/data_stream/ttp_ip_logs/_dev/test/pipeline/test-ttp-ip-logs.log-expected.json +++ b/packages/mimecast/data_stream/ttp_ip_logs/_dev/test/pipeline/test-ttp-ip-logs.log-expected.json @@ -26,6 +26,7 @@ ], "created": "2021-10-15T17:10:46+0000", "id": "MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMjU1NjIw1FEqSy0qzszPU7ICskvywAoNDAyVagFirRIG", + "kind": "alert", "original": "{\"id\":\"MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMjU1NjIw1FEqSy0qzszPU7ICskvywAoNDAyVagFirRIG\",\"senderAddress\":\"smtp@example.com\",\"recipientAddress\":\"johndoe@example.com\",\"subject\":\"Requested File\",\"definition\":\"IP - 1 hit (Tag email)\",\"hits\":1,\"identifiers\":[\"internal_user_name\"],\"action\":\"none\",\"taggedExternal\":false,\"taggedMalicious\":true,\"senderIpAddress\":\"67.43.156.15\",\"eventTime\":\"2021-10-15T17:10:46+0000\",\"impersonationResults\":[{\"impersonationDomainSource\":\"internal_user_name\",\"similarDomain\":\"John Doe Jr \",\"stringSimilarToDomain\":\"John Doe Jr\",\"checkerResult\":\"hit\"}],\"messageId\":\"\"}" }, "mimecast": { 
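Review bot: `ctx.mimecast?.result == 'malicious'` is an exact, case-sensitive match, while the comparable conditions touched by this change normalise case first (`toLowerCase() == "no"` in v1_pipeline.yml, `equalsIgnoreCase('no')` in v2_pipeline.yml), so a `Malicious` verdict from the API would silently miss the alert classification. The ttp_url_logs hunk's `scanResult == 'malicious'` has the same shape. The fixtures in this diff all carry lowercase values, so the tests cannot catch it; if the API contract guarantees lowercase this is fine, otherwise `if: ctx.mimecast?.result instanceof String && ctx.mimecast.result.equalsIgnoreCase('malicious')` matches the existing style at no cost.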
@@ -85,6 +86,7 @@ ], "created": "2021-10-15T06:16:34+0000", "id": "MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMjUzszAx0VEqSy0qzszPU7Iy1FEqyQMrNDAwVaoFAGShEhs", + "kind": "alert", "original": "{\"id\":\"MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMjUzszAx0VEqSy0qzszPU7Iy1FEqyQMrNDAwVaoFAGShEhs\",\"senderAddress\":\"johndoe@gmail.com\",\"recipientAddress\":\"johndoe@example.com\",\"subject\":\"Fwd: Here ya go\",\"definition\":\"IP - 1 hit (Tag email)\",\"hits\":1,\"identifiers\":[\"internal_user_name\"],\"action\":\"none\",\"taggedExternal\":false,\"taggedMalicious\":true,\"senderIpAddress\":\"67.43.156.15\",\"eventTime\":\"2021-10-15T06:16:34+0000\",\"impersonationResults\":[{\"impersonationDomainSource\":\"internal_user_name\",\"similarDomain\":\"John Doe \",\"stringSimilarToDomain\":\"John Doe\",\"checkerResult\":\"hit\"}],\"messageId\":\"\"}" }, "mimecast": { @@ -144,6 +146,7 @@ ], "created": "2021-10-13T16:12:07+0000", "id": "MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMjUzMDMz01EqSy0qzszPU7Iy1FEqyQMrNDAwVaoFAGQhEhc", + "kind": "alert", "original": "{\"id\":\"MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMjUzMDMz01EqSy0qzszPU7Iy1FEqyQMrNDAwVaoFAGQhEhc\",\"senderAddress\":\"johndoe@mimecast.com\",\"recipientAddress\":\"johndoe@example.com\",\"subject\":\"RE: MSP Sales of Managed E2E\",\"definition\":\"IP - 2 hits (Hold for Review \\/ User Hold)\",\"hits\":2,\"identifiers\":[\"targeted_threat_dictionary\",\"internal_user_name\"],\"action\":\"hold\",\"taggedExternal\":false,\"taggedMalicious\":true,\"senderIpAddress\":\"67.43.156.15\",\"eventTime\":\"2021-10-13T16:12:07+0000\",\"impersonationResults\":[{\"impersonationDomainSource\":\"internal_user_name\",\"similarDomain\":\"Emily Doe \",\"stringSimilarToDomain\":\"Emily Doe\",\"checkerResult\":\"hit\"},{\"impersonationDomainSource\":\"targeted_threat_dictionary\",\"stringSimilarToDomain\":\"who\"}],\"messageId\":\"\"}" }, "mimecast": { 
@@ -183,4 +186,4 @@ ] } ] -} \ No newline at end of file +} diff --git a/packages/mimecast/data_stream/ttp_ip_logs/elasticsearch/ingest_pipeline/default.yml b/packages/mimecast/data_stream/ttp_ip_logs/elasticsearch/ingest_pipeline/default.yml index c663b0b82b5..7ac5fbe5d1f 100644 --- a/packages/mimecast/data_stream/ttp_ip_logs/elasticsearch/ingest_pipeline/default.yml +++ b/packages/mimecast/data_stream/ttp_ip_logs/elasticsearch/ingest_pipeline/default.yml @@ -31,6 +31,10 @@ processors: - set: field: event.category value: [email] + - set: + field: event.kind + value: alert + if: ctx.mimecast?.taggedMalicious == true ### - rename: diff --git a/packages/mimecast/data_stream/ttp_url_logs/_dev/test/pipeline/test-ttp-url-logs.log-expected.json b/packages/mimecast/data_stream/ttp_url_logs/_dev/test/pipeline/test-ttp-url-logs.log-expected.json index fbf9392d8f2..7002c058892 100644 --- a/packages/mimecast/data_stream/ttp_url_logs/_dev/test/pipeline/test-ttp-url-logs.log-expected.json +++ b/packages/mimecast/data_stream/ttp_url_logs/_dev/test/pipeline/test-ttp-url-logs.log-expected.json @@ -239,6 +239,7 @@ "email" ], "created": "2023-01-04T10:32:12+0000", + "kind": "alert", "original": "{\"action\":\"warn\",\"actions\":\"None\",\"adminOverride\":\"N/A\",\"category\":\"Dangerous file extension\",\"creationMethod\":\"Entry Scan\",\"date\":\"2023-01-04T10:32:12+0000\",\"emailPartsDescription\":[\"Body\"],\"fromUserEmailAddress\":\"user.name@example.com\",\"messageId\":\"\\\\u003eedfg345pf45=gskjlgteriugdfbvjserlekjgiov89@mail.gmail.com\\\\u003e\",\"route\":\"internal\",\"scanResult\":\"malicious\",\"sendingIp\":\"Internal IP\",\"subject\":\"Re: totally not a scam email\",\"ttpDefinition\":\"Default Internal URL Protect Definition\",\"url\":\"https://updates.example.com/\",\"userAwarenessAction\":\"NA\",\"userEmailAddress\":\"other.user@this.company.com\",\"userOverride\":\"None\"}" }, "mimecast": { 
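Review bot: `ctx.mimecast?.taggedMalicious == true` only matches a JSON boolean, whereas the impersonation conditions added to v1_pipeline.yml and v2_pipeline.yml in this same change also accept the string `'true'`. The ttp_ip fixtures here carry a real boolean, so the test passes, but if this stream can ever deliver the value as a string the set processor will not fire. Either align it with the siem pipelines (`if: ctx.mimecast?.taggedMalicious == true || ctx.mimecast?.taggedMalicious == 'true'`) or note above the processor why a boolean is guaranteed for this endpoint.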
@@ -304,6 +305,7 @@ "email" ], "created": "2024-11-17T17:02:30+0000", + "kind": "alert", "original": "{\"userEmailAddress\":\"dl-ga-all_enron_worldwide1@demo-int.elastic.mime-api.com\",\"fromUserEmailAddress\":\"coo.jeff@demo-int.elastic.mime-api.com\",\"url\":\"http://www.enron.com/corp/pressroom/releases/2002/ene/012902Release.html\",\"ttpDefinition\":\"Default Internal URL Protect Definition\",\"subject\":\"Management Changes\",\"action\":\"warn\",\"adminOverride\":\"N/A\",\"userOverride\":\"None\",\"scanResult\":\"malicious\",\"category\":\"Compromised\",\"sendingIp\":\"Internal IP\",\"userAwarenessAction\":\"N/A\",\"date\":\"2024-11-17T17:02:30+0000\",\"actions\":\"None\",\"route\":\"internal\",\"creationMethod\":\"Entry Scan\",\"emailPartsDescription\":[\"Body\"],\"messageId\":\"<871dda3d6bf5107e-360815@hapi.b41.one>\",\"tagMap\":{\"UrlReputationScan\":{\"Status\":[\"CustomerAll\",\"VerdictBlock\"],\"Type\":[\"Compromised\"],\"UrlBlock\":[\"ORIGINAL:http://www.enron.com/corp/pressroom/releases/2002/ene/012902Release.html (Blocked as COMPROMISED)\"],\"Url\":[\"http://www.enron.com/corp/pressroom/releases/2002/ene/012902Release.html\"]}}}" }, "mimecast": { 
@@ -387,6 +389,7 @@ "email" ], "created": "2024-11-14T19:44:02+0000", + "kind": "alert", "original": "{\"userEmailAddress\":\"jhartso@demo-int.elastic.mime-api.com\",\"fromUserEmailAddress\":\"terrym@concept-variety.b41.one\",\"url\":\"https://oneclient.sfx.ms/Win/Preview/OneDriveSetup.exe\",\"ttpDefinition\":\"Default Inbound URL Protect Definition\",\"subject\":\"WP-02 Data Response\",\"action\":\"warn\",\"adminOverride\":\"N/A\",\"userOverride\":\"None\",\"scanResult\":\"malicious\",\"category\":\"Dangerous file extension\",\"sendingIp\":\"81.2.69.144\",\"userAwarenessAction\":\"N/A\",\"date\":\"2024-11-14T19:44:02+0000\",\"actions\":\"Block\",\"route\":\"inbound\",\"creationMethod\":\"Entry Scan\",\"emailPartsDescription\":[\"Attachment\"],\"messageId\":\"<29b951d7ab596678-115297@hapi.b41.one>\",\"tagMap\":{\"DangerousFileExt\":{\"Status\":[\"CustomerSpecific\",\"VerdictBlock\"],\"Inspect:FileExts\":[\"[exe]\"],\"Inspect:MimeTypes\":[\"[]\"],\"ContentCheck:DangerousMimetypesUrlFileDownload\":[\"application/x-msdownload\"],\"ContentCheck:ContentScannersBlocked\":[\".exe\"],\"ContentCheck:DangerousExtsUrlFileDownload\":[\"dll\"]}}}" }, "mimecast": { 
@@ -481,6 +484,7 @@ "email" ], "created": "2024-11-13T13:05:03+0000", + "kind": "alert", "original": "{\"userEmailAddress\":\"vince.j.kaminski@demo-int.elastic.mime-api.com\",\"fromUserEmailAddress\":\"gregoryhunt@thejunglegroup.b41.one\",\"url\":\"https://oneclient.sfx.ms/Win/Preview/OneDriveSetup.exe\",\"ttpDefinition\":\"Default Inbound URL Protect Definition\",\"subject\":\"Re\",\"action\":\"warn\",\"adminOverride\":\"N/A\",\"userOverride\":\"None\",\"scanResult\":\"malicious\",\"category\":\"Dangerous file extension\",\"sendingIp\":\"81.2.69.144\",\"userAwarenessAction\":\"N/A\",\"date\":\"2024-11-13T13:05:03+0000\",\"actions\":\"Block\",\"route\":\"inbound\",\"creationMethod\":\"Entry Scan\",\"emailPartsDescription\":[\"Attachment\"],\"messageId\":\"\",\"tagMap\":{\"DangerousFileExt\":{\"Status\":[\"CustomerSpecific\",\"VerdictBlock\"],\"Inspect:FileExts\":[\"[exe]\"],\"Inspect:MimeTypes\":[\"[]\"],\"ContentCheck:DangerousMimetypesUrlFileDownload\":[\"application/x-msdownload\"],\"ContentCheck:DangerousExtsUrlFileDownload\":[\"dll\"],\"ContentCheck:ContentScannersBlocked\":[\".exe\"]}}}" }, "mimecast": { 
@@ -575,6 +579,7 @@ "email" ], "created": "2024-11-13T13:03:11+0000", + "kind": "alert", "original": "{\"userEmailAddress\":\"mike.a.roberts@demo-int.elastic.mime-api.com\",\"fromUserEmailAddress\":\"gregoryhunt@thejunglegroup.b41.one\",\"url\":\"https://oneclient.sfx.ms/Win/Preview/OneDriveSetup.exe\",\"ttpDefinition\":\"Default Inbound URL Protect Definition\",\"subject\":\"Re\",\"action\":\"warn\",\"adminOverride\":\"N/A\",\"userOverride\":\"None\",\"scanResult\":\"malicious\",\"category\":\"Dangerous file extension\",\"sendingIp\":\"81.2.69.144\",\"userAwarenessAction\":\"N/A\",\"date\":\"2024-11-13T13:03:11+0000\",\"actions\":\"Block\",\"route\":\"inbound\",\"creationMethod\":\"Entry Scan\",\"emailPartsDescription\":[\"Attachment\"],\"messageId\":\"\",\"tagMap\":{\"DangerousFileExt\":{\"Status\":[\"CustomerSpecific\",\"VerdictBlock\"],\"Inspect:FileExts\":[\"[exe]\"],\"Inspect:MimeTypes\":[\"[]\"],\"ContentCheck:DangerousMimetypesUrlFileDownload\":[\"application/x-msdownload\"],\"ContentCheck:DangerousExtsUrlFileDownload\":[\"dll\"],\"ContentCheck:ContentScannersBlocked\":[\".exe\"]}}}" }, "mimecast": { @@ -644,4 +649,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/mimecast/data_stream/ttp_url_logs/elasticsearch/ingest_pipeline/default.yml b/packages/mimecast/data_stream/ttp_url_logs/elasticsearch/ingest_pipeline/default.yml index a210b158a82..de1f6e628af 100644 --- a/packages/mimecast/data_stream/ttp_url_logs/elasticsearch/ingest_pipeline/default.yml +++ b/packages/mimecast/data_stream/ttp_url_logs/elasticsearch/ingest_pipeline/default.yml @@ -31,6 +31,10 @@ processors: - set: field: event.category value: [email] + - set: + field: event.kind + value: alert + if: ctx.mimecast?.scanResult == 'malicious' ### - rename: diff --git a/packages/mimecast/manifest.yml b/packages/mimecast/manifest.yml index e87ef0af111..db2cf410991 100644 --- a/packages/mimecast/manifest.yml +++ b/packages/mimecast/manifest.yml 
@@ -1,7 +1,7 @@
 format_version: "3.0.2"
 name: mimecast
 title: "Mimecast"
-version: "2.5.2"
+version: "2.6.0"
 description: Collect logs from Mimecast with Elastic Agent.
 type: integration
 categories: ["security", "email_security"]