From d19f5c237d9ed1fc26c3e74efedddf5ec1db93f4 Mon Sep 17 00:00:00 2001 
From: Dan Kortschak Date: Mon, 9 Dec 2024 20:27:35 +1030 Subject: [PATCH] mimecast: implement siem_logs v2 agent (#11801) Tested against a real endpoint. Pipeline test cases obtained from a test instance. Up to 10 examples of each available type are included. Not all types are represented. --- .../_dev/deploy/docker/files/config.yml | 133 + .../mimecast/_dev/deploy/docker/files/iep.gz | Bin 0 -> 424 bytes .../mimecast/_dev/deploy/docker/files/rec0.gz | Bin 0 -> 511 bytes .../mimecast/_dev/deploy/docker/files/rec1.gz | Bin 0 -> 572 bytes packages/mimecast/changelog.yml | 5 + .../test-siem-docs-logs.log-expected.json | 33 + ...st-siem-logs.log => test-siem-v1-logs.log} | 0 ...on => test-siem-v1-logs.log-expected.json} | 27 + .../_dev/test/pipeline/test-siem-v2-logs.log | 61 + .../test-siem-v2-logs.log-expected.json | 3485 +++++++++++++++++ ...-default-config.yml => test-v1-config.yml} | 0 .../_dev/test/system/test-v2-config.yml | 17 + .../siem_logs/agent/stream/cel.yml.hbs | 173 + .../elasticsearch/ingest_pipeline/default.yml | 511 +-- .../ingest_pipeline/v1_pipeline.yml | 497 +++ .../ingest_pipeline/v2_pipeline.yml | 418 ++ .../data_stream/siem_logs/fields/field.yml | 343 +- .../data_stream/siem_logs/manifest.yml | 81 + .../data_stream/siem_logs/sample_event.json | 66 +- packages/mimecast/docs/README.md | 143 +- packages/mimecast/manifest.yml | 4 +- 21 files changed, 5450 insertions(+), 547 deletions(-) create mode 100644 packages/mimecast/_dev/deploy/docker/files/iep.gz create mode 100644 packages/mimecast/_dev/deploy/docker/files/rec0.gz create mode 100644 packages/mimecast/_dev/deploy/docker/files/rec1.gz rename packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/{test-siem-logs.log => test-siem-v1-logs.log} (100%) rename packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/{test-siem-logs.log-expected.json => test-siem-v1-logs.log-expected.json} (96%) create mode 100644 packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-v2-logs.log 
create mode 100644 packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-v2-logs.log-expected.json rename packages/mimecast/data_stream/siem_logs/_dev/test/system/{test-default-config.yml => test-v1-config.yml} (100%) create mode 100644 packages/mimecast/data_stream/siem_logs/_dev/test/system/test-v2-config.yml create mode 100644 packages/mimecast/data_stream/siem_logs/agent/stream/cel.yml.hbs create mode 100644 packages/mimecast/data_stream/siem_logs/elasticsearch/ingest_pipeline/v1_pipeline.yml create mode 100644 packages/mimecast/data_stream/siem_logs/elasticsearch/ingest_pipeline/v2_pipeline.yml diff --git a/packages/mimecast/_dev/deploy/docker/files/config.yml b/packages/mimecast/_dev/deploy/docker/files/config.yml index 450ab825152..dc217f31b5f 100644 --- a/packages/mimecast/_dev/deploy/docker/files/config.yml +++ b/packages/mimecast/_dev/deploy/docker/files/config.yml 
@@ -377,6 +377,139 @@ rules: } `}} + - path: /siem/v1/batch/events/cg + methods: ["GET"] + query_params: + type: "internal email protect" + nextPage: null + request_headers: + authorization: ["Bearer topsecretaccesstokenthatshouldnotbeleakedforabit"] + responses: + - status_code: 200 + headers: + Content-Type: + - "application/octet-stream" + body: | + { + "value": [ + { + "url": "http://svc-mimecast:8080/siemblob/iep", + "expiry": "2024-11-19T02:14:04.839Z", + "size": 424 + } + ], + "@nextPage": "nexttoken", + "isCaughtUp": false + } + - path: /siemblob/iep + methods: ["GET"] + responses: + - status_code: 200 + headers: + Content-Type: + - "application/octet-stream" + body: '{{file "/files/iep.gz"}}' + - path: /siem/v1/batch/events/cg + methods: ["GET"] + query_params: + type: "internal email protect" + nextPage: "nexttoken" + request_headers: + authorization: ["Bearer topsecretaccesstokenthatshouldnotbeleakedforabit"] + responses: + - status_code: 200 + headers: + Content-Type: + - "application/octet-stream" + body: | + { + "value": [], + "@nextPage": "String", + "isCaughtUp": true + } + - path: /siem/v1/batch/events/cg + methods: ["GET"] + query_params: + type: "receipt" + nextPage: null + request_headers: + authorization: ["Bearer topsecretaccesstokenthatshouldnotbeleakedforabit"] + responses: + - status_code: 200 + headers: + Content-Type: + - "application/octet-stream" + body: | + { + "value": [ + { + "url": "http://svc-mimecast:8080/siemblob/rec0", + "expiry": "2024-11-19T02:14:04.839Z", + "size": 511 + } + ], + "@nextPage": "nexttoken", + "isCaughtUp": false + } + - path: /siemblob/rec0 + methods: ["GET"] + responses: + - status_code: 200 + headers: + Content-Type: + - "application/octet-stream" + body: '{{file "/files/rec0.gz"}}' + - path: /siem/v1/batch/events/cg + methods: ["GET"] + query_params: + type: "receipt" + nextPage: "nexttoken" + request_headers: + authorization: ["Bearer topsecretaccesstokenthatshouldnotbeleakedforabit"] + responses: + - 
status_code: 200 + headers: + Content-Type: + - "application/octet-stream" + body: | + { + "value": [ + { + "url": "http://svc-mimecast:8080/siemblob/rec1", + "expiry": "2024-11-19T02:14:04.839Z", + "size": 572 + } + ], + "@nextPage": "lasttoken", + "isCaughtUp": false + } + - path: /siemblob/rec1 + methods: ["GET"] + responses: + - status_code: 200 + headers: + Content-Type: + - "application/octet-stream" + body: '{{file "/files/rec1.gz"}}' + - path: /siem/v1/batch/events/cg + methods: ["GET"] + query_params: + type: "receipt" + nextPage: "lasttoken" + request_headers: + authorization: ["Bearer topsecretaccesstokenthatshouldnotbeleakedforabit"] + responses: + - status_code: 200 + headers: + Content-Type: + - "application/octet-stream" + body: | + { + "value": [], + "@nextPage": "String", + "isCaughtUp": true + } + - path: /api/ttp/threat-intel/get-feed methods: ["POST"] request_body: /"feedType":"malware_customer","fileType":"stix","start":/ diff --git a/packages/mimecast/_dev/deploy/docker/files/iep.gz b/packages/mimecast/_dev/deploy/docker/files/iep.gz new file mode 100644 index 0000000000000000000000000000000000000000..167b41a66970226d0033824abe84f3f90503c20f GIT binary patch literal 424 zcmV;Z0ayMXiwFP!00000|AmlIZ`v>vh2QrpP@bD8fsll%n%dH7D;n#70UIyK*f++V z?Hkz+6`J#y8^~TFZ`t_-t{g^k$EI)l*9Hsfb z$>qNs#yPe&^pNR#b)Vl2%beyx8SsIbCc1vpkJIsFaus>70^A3C0*wujjUy({P}jEt z493ca1T^zO@x%}$W{pZX8e$UBGkLl3rYbWb*hmzIdYq*t#G@juvhnS)(;xCIK@0E6 z;8u?EUgZ1+B;ID;(U>mwN9&G?;neOgIs{%R@4``UO zD{LJniEXtes4_}3cUip+!?|x%{b3A%mU=)@LRUdw#zk_G@3F2uP&Z|s7ejhC%moz` S60k^rzk3DKy19D|!FaVWOVQ-r-5dFSiG4Xjp0YiXlnv!N&n=Ne@(XE-L z2^n(%H(*oSL_^d5`wj?b`#1?B`Q6>S_wM}5qIs?$rv|o}b!ELc1=&64>fT$Vj(bxc z=GSesPn>`_9tnJxSZ}OaNd{VTk@qEs;9)Oo89G6r+H>&f@O1dun)IYkP> zU{ITpY0|z$kCyM*E?L-4*d4E@>UyBl$F{R2nzH;0T+3_%Gp=Bq2?|Pao*5E|rbR2e?ZdNKd~>JP}jT#q^f0055I B{?h;e literal 0 HcmV?d00001 
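Review bot: The `expiry` value on every mock blob entry (`"2024-11-19T02:14:04.839Z"`) is already in the past relative to this commit's date, so the fixture only keeps working as long as the CEL program never discards expired download URLs; if that check is ever added, the system test would stop emitting events with no obvious cause. A comment above the first `/siem/v1/batch/events/cg` entry, e.g. `# expiry values are intentionally stale; the agent is expected to fetch the URL regardless`, would make that dependency visible (a date generated relative to the test run would be better still if the mock supports it). The `"@nextPage": "String"` on the two `isCaughtUp: true` responses is presumably the placeholder from the API reference rather than a real token, so a note that the agent is expected to stop on `isCaughtUp` rather than on the token value would help the next reader; the same applies to `nextPage: null` in `query_params`, which reads as a YAML null and should be confirmed to mean "parameter absent" to the mock. The surrounding `rules` list starts and ends outside this hunk.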
diff --git a/packages/mimecast/_dev/deploy/docker/files/rec1.gz b/packages/mimecast/_dev/deploy/docker/files/rec1.gz new file mode 100644 index 0000000000000000000000000000000000000000..fea8323afe2d07f4637eda5599a4acd99d98aeea GIT binary patch literal 572 zcmV-C0>k|uiwFoI{5)p>19D|!F#zpT-*1~R5PsiZG4Z^hfFXoxno85G$(C-N(w~|p zWXwUFfbH2PYE|uj-vJ5Q9;ZHSnuL-3-Q9QJ-T9s!T9z70YGIi>C(d_oLsr{Te+nj< z=U-I!fYvr5_{*gz}y%zS8xVs(ZIOkAgn>-R!MEaJ5`i% zw2zn+43s@G4ceDjqZ0!-FX(Nxth;7sNNm~#!so}i!%`=5JPNRtxdm-{1=p+f-gDd0B0S@2(`7+4P3G&= z4=3rx>@r<164I4v6s>zM=j*q_{c3ny=U^$Xj(PT6H|Bj;-T`U7*Gy_S)`oYC=_RfJ z-vk=`X+Ig@%FeZx+6=\",\"Rcpt\":\"auser@mimecast.com\",\"Sender\":\"from@mimecast.com\",\"SpamInfo\":\"[]\",\"SpamLimit\":0,\"SpamProcessingDetail\":{\"spf\":{\"info\":\"SPF_FAIL\",\"allow\":true},\"dkim\":{\"info\":\"DKIM_UNKNOWN\",\"allow\":true}},\"SpamScore\":1,\"Subject\":\"message subject\",\"TlsVer\":\"TLSv1\",\"aCode\":\"7O7I7MvGP1mj8plHRDuHEA\",\"acc\":\"C0A0\",\"datetime\":\"2017-05-26T16:47:41+0100\",\"headerFrom\":\"from@mimecast.com\"}", "outcome": "unknown" @@ -84,6 +87,9 @@ }, "event": { "action": "Acc", + "category": [ + "email" + ], "created": "2017-05-26T19:36:48+0100", "original": "{\"Act\":\"Acc\",\"AttCnt\":2,\"AttNames\":\"\\\"filename.docx\\\", \\\"filename2.xlsx\\\"\",\"AttSize\":1267,\"MsgId\":\"messageId@mssageId\",\"MsgSize\":2116,\"aCode\":\"BY81J52RPjSmp7MrubnlZg\",\"acc\":\"C0A0\",\"datetime\":\"2017-05-26T19:36:48+0100\"}", "outcome": "unknown" @@ -114,6 +120,9 @@ }, "event": { "action": "Acc", + "category": [ + "email" + ], "created": "2017-05-26T19:36:48+0100", "original": "{\"Act\":\"Acc\",\"AttCnt\":0,\"AttNames\":\"\",\"AttSize\":0,\"MsgId\":\"messageId@mssageId\",\"MsgSize\":2116,\"aCode\":\"BY81J52RPjSmp7MrubnlZg\",\"acc\":\"C0A0\",\"datetime\":\"2017-05-26T19:36:48+0100\"}", "outcome": "unknown" 
@@ -144,6 +153,9 @@ }, "event": { "action": "Hld", + "category": [ + "email" + ], "created": "2017-05-26T19:24:18+0100", "original": "{\"Act\":\"Hld\",\"AttCnt\":0,\"AttNames\":\"\",\"AttSize\":0,\"Hld\":\"Spm\",\"IPInternalName\":\"false\",\"IPNewDomain\":\"false\",\"IPReplyMismatch\":\"false\",\"IPSimilarDomain\":\"false\",\"IPThreadDict\":\"false\",\"MsgId\":\"messageId@mssageId\",\"MsgSize\":56442,\"aCode\":\"015vTYvNN-Wn30v7M5MzNw\",\"acc\":\"C0A0\",\"datetime\":\"2017-05-26T19:24:18+0100\"}", "outcome": "unknown", @@ -191,6 +203,9 @@ } }, "event": { + "category": [ + "email" + ], "created": "2017-05-26T19:40:33+0100", "original": "{\"AttCnt\":0,\"AttSize\":0,\"Attempt\":1,\"Cphr\":\"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA\",\"Delivered\":true,\"Dir\":\"Inbound\",\"IP\":\"81.2.69.144\",\"Latency\":5618,\"MsgId\":\"messageId@mssageId\",\"Rcpt\":\"auser@mimecast.com\",\"ReceiptAck\":\"250 2.6.0 messageId@mssageId [InternalId=25473608] Queued mail for delivery\",\"Route\":\"Mimecast Exchange Rout\",\"Sender\":\"from@domain.com\",\"Snt\":28237,\"Subject\":\"Auto Reply\",\"TlsVer\":\"TLSv1\",\"UseTls\":\"Yes\",\"aCode\":\"9q_HeIHHPYejZTBsnipWmQ\",\"acc\":\"C0A0\",\"datetime\":\"2017-05-26T19:40:33+0100\"}", "outcome": "success" 
@@ -262,6 +277,9 @@ } }, "event": { + "category": [ + "email" + ], "created": "2021-03-05T16:25:17+0000", "original": "{\"CustomerIP\":\"true\",\"IP\":\"0.0.0.0\",\"MimecastIP\":\"false\",\"MsgId\":\"<85485.121030516250700527@mta.uk.somewhere.tld>\",\"Recipient\":\"recipient@recipientdomain.tld\",\"Route\":\"Inbound\",\"Sender\":\"8jy0xzfjymioyjfjrajc@senderdomain.tld\",\"SenderDomain\":\"senderdomain.tld\",\"SenderDomainInternal\":\"false\",\"Size\":1648832,\"Subject\":\"Invoice Attached for payment\",\"Virus\":\"Anomali:Phishing\",\"acc\":\"C0A0\",\"datetime\":\"2021-03-05T16:25:17+0000\",\"fileExt\":\"xlsm\",\"fileMime\":\"application/vnd.ms-excel.sheet.macroEnabled.12\",\"fileName\":\"Invoice Attached for payment\",\"md5\":\"4dbe9dbfb53438d9ce410535355cd973\",\"sha1\":\"816b013c8be6e5708690645964b5d442c085041e\",\"sha256\":\"efe51c2453821310c7a34dca3054021d0f6d453b7133c381d75e3140901efd12\"}", "outcome": "unknown" @@ -306,6 +324,9 @@ } }, "event": { + "category": [ + "email" + ], "created": "2021-03-05T18:18:39+0000", "original": "{\"MsgId\":\"\",\"Recipient\":\"recipient@adomain.tld\",\"Route\":\"Inbound\",\"Sender\":\"sender@domain.tld\",\"SenderDomain\":\"bdomain.tld\",\"SourceIP\":\"0.0.0.0\",\"Subject\":\"Opportunity to become VP\",\"aCode\":\"azYwczFKNga_v1sYBuJOvA\",\"acc\":\"C0A0\",\"datetime\":\"2021-03-05T18:18:39+0000\",\"headerFrom\":\"sender@adomain\"}", "outcome": "unknown" @@ -345,6 +366,9 @@ } }, "event": { + "category": [ + "email" + ], "created": "2021-03-04T21:31:08+0000", "original": "{\"MsgId\":\"\",\"Recipient\":\"recipient@domain.tld\",\"Route\":\"Internal\",\"ScanResultInfo\":\"Blocked URL Category\",\"Sender\":\"sender@domain.tld\",\"Subject\":\"Coffee Briefing\",\"URL\":\"https://domain.com/login/\",\"UrlCategory\":\"Phishing & Fraud\",\"aCode\":\"vit87EEXMPaEyl22Lrb92A\",\"acc\":\"C46A75\",\"datetime\":\"2021-03-04T21:31:08+0000\"}", "outcome": "unknown" 
@@ -386,6 +410,9 @@ }, "event": { "action": "Hold", + "category": [ + "email" + ], "created": "2020-07-27T00:39:59+0100", "original": "{\"Action\":\"Hold\",\"CustomName\":\"false\",\"CustomThreatDictionary\":\"false\",\"Definition\":\"Default Impersonation Definition\",\"Hits\":\"1\",\"IP\":\"0.0.0.0\",\"InternalName\":\"true\",\"MsgId\":\"\",\"NewDomain\":\"false\",\"Recipient\":\"recipient@domain\",\"ReplyMismatch\":\"false\",\"Route\":\"Inbound\",\"Sender\":\"sender@domain\",\"SimilarCustomExternalDomain\":\"false\",\"SimilarInternalDomain\":\"false\",\"SimilarMimecastExternalDomain\":\"false\",\"Subject\":\"Opportunity to become VP\",\"TaggedExternal\":\"false\",\"TaggedMalicious\":\"true\",\"ThreatDictionary\":\"false\",\"aCode\":\"q4qBpkoTOt-iStR7G44w3g\",\"acc\":\"C0A0\",\"datetime\":\"2020-07-27T00:39:59+0100\"}", "outcome": "unknown" @@ -437,6 +464,9 @@ } }, "event": { + "category": [ + "email" + ], "created": "2017-05-26T19:22:37+0100", "original": "{\"acc\":\"C0A0\",\"datetime\":\"2017-05-26T19:22:37+0100\",\"reason\":\"malicious\",\"recipient\":\"auser@mimecast.com\",\"route\":\"inbound\",\"sender\":\"from@domain.com\",\"senderDomain\":\"domain.com\",\"sourceIp\":\"81.2.69.144\",\"url\":\"http://bgmtechnology.com.au\",\"urlCategory\":\"Blocked\"}", "outcome": "unknown", @@ -501,6 +531,9 @@ } }, "event": { + "category": [ + "email" + ], "created": "2017-05-23T21:45:21+0100", "original": "{\"IP\":\"81.2.69.144\",\"Recipient\":\"auser@mimecast.com\",\"Route\":\"Inbound\",\"Sender\":\"from@domain.com\",\"SenderDomain\":\"domain.com\",\"Size\":378368,\"acc\":\"C1A1\",\"datetime\":\"2017-05-23T21:45:21+0100\",\"fileExt\":\"doc\",\"fileMime\":\"application/vnd.ms-office\",\"fileName\":\"1XCOLUMN.PVC\",\"md5\":\"7b52770644da336a9a59141c80807f37\",\"sha1\":\"a27850da9e7adfc8e1a94dabf2509fc9d65ee7e2\",\"sha256\":\"8746bb4b31ab6f03eb0a3b2c62ab7497658f0f85c8e7e82f042f9af0bb876d83\"}", "outcome": "unknown" 
diff --git a/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-logs.log b/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-v1-logs.log similarity index 100% rename from packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-logs.log rename to packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-v1-logs.log diff --git a/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-logs.log-expected.json b/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-v1-logs.log-expected.json similarity index 96% rename from packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-logs.log-expected.json rename to packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-v1-logs.log-expected.json index 004bfec9880..47cc9fbfaa2 100644 --- a/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-logs.log-expected.json +++ b/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-v1-logs.log-expected.json @@ -22,6 +22,9 @@ }, "event": { "action": "Hld", + "category": [ + "email" + ], "created": "2021-10-18T09:02:43+0100", "original": "{\"Act\":\"Hld\",\"AttCnt\":0,\"AttNames\":null,\"AttSize\":0,\"Content-Disposition\":\"attachment; filename=\\\"process_20211018093329655.json\\\"\",\"Hld\":\"Spm\",\"MsgId\":\"\\u003cINX.164dae0719be95da77068c7d264.3e915.e7719.c78c.17c926a3231ace@newsletter.77onlineshop.eu\\u003e\",\"MsgSize\":157436,\"Sender\":\"bounce_9244+cdaahhimyaaaaagaad5ekqaaaaaaaaeribenpq@newsletter.77onlineshop.eu\",\"Subject\":\"Hi Sandra! Neue Styles eingetroffen! – Finde deinen Lieblings-Look!\",\"aCode\":\"HhuwRf_AOcuJZINE2ZgcKw\",\"acc\":\"ABC123\",\"datetime\":\"2021-10-18T09:02:43+0100\"}", "outcome": "unknown", 
@@ -66,6 +69,9 @@ "type": "Recipient email address is possibly incorrect" }, "event": { + "category": [ + "email" + ], "created": "2021-10-19T07:06:40+0100", "original": "{\"acc\":\"ABC123\",\"Delivered\":false,\"IP\":\"67.43.156.15\",\"RejType\":\"Recipient email address is possibly incorrect\",\"RejCode\":\"550\",\"AttCnt\":0,\"Dir\":\"Inbound\",\"ReceiptAck\":null,\"MsgId\":null,\"Subject\":null,\"Latency\":505,\"Sender\":\"<>\",\"datetime\":\"2021-10-19T07:06:40+0100\",\"Rcpt\":\"johndoe@example.com\",\"AttSize\":0,\"Attempt\":1,\"RejInfo\":\"5.4.1 Recipient address rejected: Access denied. AS(201806281) [LO2GBR01FT037.eop-gbr01.prod.protection.outlook.com]\",\"TlsVer\":\"TLSv1.2\",\"Cphr\":\"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\",\"Snt\":125,\"aCode\":\"29be076e-44cd-354d-a7c2-083d4a312371\",\"UseTls\":\"Yes\",\"Route\":\"Office365\",\"Content-Disposition\":\"attachment; filename=\\\"delivery_20211018093329655.json\\\"\"}", "outcome": "failure", @@ -126,6 +132,9 @@ }, "event": { "action": "Acc", + "category": [ + "email" + ], "created": "2021-10-19T07:04:55+0100", "original": "{\"acc\":\"ABC123\",\"Sender\":\"postmaster@twotoeight.com\",\"datetime\":\"2021-10-19T07:04:55+0100\",\"AttSize\":0,\"Content-Disposition\":\"attachment; filename=\\\"process_20211018093329655.json\\\"\",\"Act\":\"Acc\",\"aCode\":\"61dfe7da-4c6d-34e1-9667-69b04f0d564f\",\"AttCnt\":0,\"AttNames\":null,\"MsgSize\":49025,\"MsgId\":\"<137188507-1634623494888@uk-mta-151.uk.mimecast.lan>\",\"Subject\":\"You have new held messages\"}", "outcome": "unknown" 
@@ -166,6 +175,9 @@ } }, "event": { + "category": [ + "email" + ], "created": "2021-10-19T07:04:55+0100", "original": "{\"acc\":\"ABC123\",\"Delivered\":true,\"IP\":\"67.43.156.15\",\"AttCnt\":0,\"Dir\":\"Internal\",\"ReceiptAck\":\"250 SmtpInternalThread-19194240-1634623495703@uk-mta-151.uk.mimecast.lan Received OK [61dfe7da-4c6d-34e1-9667-69b04f0d564f.uk151]\",\"MsgId\":\"<137188507-1634623494888@uk-mta-151.uk.mimecast.lan>\",\"Subject\":null,\"Latency\":1090,\"Sender\":\"johndoe@example.com\",\"datetime\":\"2021-10-19T07:04:55+0100\",\"Rcpt\":\"johndoejr@example.com\",\"AttSize\":0,\"Attempt\":1,\"Snt\":51666,\"aCode\":\"61dfe7da-4c6d-34e1-9667-69b04f0d564f\",\"UseTls\":\"No\", \"Content-Disposition\":\"attachment; filename=\\\"delivery_20211018093329655.json\\\"\"}", "outcome": "success" @@ -232,6 +244,9 @@ "type": "Recipient email address is possibly incorrect" }, "event": { + "category": [ + "email" + ], "created": "2021-10-19T07:04:56+0100", "original": "{\"acc\":\"ABC123\",\"Delivered\":false,\"IP\":\"67.43.156.15\",\"RejType\":\"Recipient email address is possibly incorrect\",\"RejCode\":\"550\",\"AttCnt\":0,\"Dir\":\"Internal\",\"ReceiptAck\":null,\"MsgId\":\"<137188507-1634623494888@uk-mta-151.uk.mimecast.lan>\",\"Subject\":\"You have new held messages\",\"Latency\":1534,\"Sender\":\"johndoe@example.com\",\"datetime\":\"2021-10-19T07:04:56+0100\",\"Rcpt\":\"johndoejr@example.com\",\"AttSize\":0,\"Attempt\":1,\"RejInfo\":\"5.4.1 Recipient address rejected: Access denied. AS(201806281) [CWLGBR01FT010.eop-gbr01.prod.protection.outlook.com]\",\"TlsVer\":\"TLSv1.2\",\"Cphr\":\"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\",\"Snt\":147,\"aCode\":\"61dfe7da-4c6d-34e1-9667-69b04f0d564f\",\"UseTls\":\"Yes\",\"Route\":\"Office365\",\"Content-Disposition\":\"attachment; filename=\\\"delivery_20211018093329655.json\\\"\"}", "outcome": "failure", 
@@ -290,6 +305,9 @@ } }, "event": { + "category": [ + "email" + ], "created": "2021-11-08T12:09:18+0000", "original": "{\"acc\":\"C46A75\",\"Sender\":\"johndoe@example.com\",\"datetime\":\"2021-11-08T12:09:18+0000\",\"Rcpt\":\"o365_service_account@example.com\",\"RcptActType\":\"Jnl\",\"aCode\":\"CYSuuaBUMjOpk3k1Xhvy_Q\",\"Dir\":\"Internal\",\"RcptHdrType\":\"Unknown\", \"Content-Disposition\":\"attachment; filename=\\\"jrnl_20211018093329655.json\\\"\"}", "outcome": "unknown" @@ -327,6 +345,9 @@ }, "event": { "action": "Acc", + "category": [ + "email" + ], "created": "2021-11-08T12:10:19+0000", "original": "{\"acc\":\"C46A75\",\"Sender\":\"johndoe@example.com\",\"datetime\":\"2021-11-08T12:10:19+0000\",\"Rcpt\":\"johndoejr@example.com\",\"Act\":\"Acc\",\"IP\":\"67.43.156.15\",\"aCode\":\"3dbe9918-f91f-3043-b61f-d3164badfe50\",\"Dir\":\"Internal\",\"Subject\":\"You have new held messages\",\"MsgId\":\"<140943948-1636373419265@uk-mta-286.uk.mimecast.lan>\",\"headerFrom\":\"johndoe@example.com\", \"Content-Disposition\":\"attachment; filename=\\\"receipt_20211018093329655.json\\\"\"}", "outcome": "unknown" @@ -375,6 +396,9 @@ }, "event": { "action": "Block", + "category": [ + "email" + ], "created": "2021-11-29T15:13:58+0000", "original": "{\"acc\":\"C46A75\",\"reason\":\"malicious\",\"subject\":\"DocuSign- Contract #45576744333\",\"msgid\":null,\"url\":\"http:\\/\\/docusign.swrodgods.x10.mx\\/Docun\\/Docu\\/index2.php\",\"datetime\":\"2021-11-29T15:13:58+0000\",\"route\":\"inbound\",\"sourceIp\":\"67.43.156.15\",\"sender\":\"docusign-services@zenz.us\",\"recipient\":\"aorchard@twotoeight.com\",\"action\":\"Block\",\"urlCategory\":\"Phishing & Fraud\",\"credentialTheft\":null,\"senderDomain\":\"zenz.us\", \"Content-Disposition\":\"attachment; filename=\\\"ttp_url_20211129153015541.json\\\"\"}", "outcome": "unknown", 
@@ -432,6 +456,9 @@ }, "event": { "action": "Acc", + "category": [ + "email" + ], "created": "2023-02-14T18:18:51+0500", "original": "{\"Act\":\"Acc\",\"Content-Disposition\":\"attachment; filename=\\\"a7bebfbb-f4fd-4247-912e-820ace186108.zip\\\"\",\"Cphr\":\"TLS_AES_128_GCM_SHA256\",\"Dir\":\"Inbound\",\"IP\":\"67.43.156.15\",\"MsgId\":\"\\u003c8182967832.4@biz.net\\u003e\",\"Rcpt\":\"big.wig@biz.com\",\"Sender\":\"lion_8182967832.4@biz.net\",\"SpamInfo\":\"[]\",\"SpamLimit\":5,\"SpamProcessingDetail\":{\"dkim\":{\"allow\":true,\"info\":\"ALLOW\"},\"dmarc\":{\"allow\":true,\"info\":\"UNKNOWN\"},\"spf\":{\"allow\":true,\"info\":\"ALLOW\"}},\"SpamScore\":1,\"Subject\":\"Totally not a scam! (Honest)\",\"TlsVer\":\"TLSv1.3\",\"aCode\":\"RjZDNjlEQkQtOUZGQS00N0\",\"acc\":\"MRK435457623\",\"datetime\":\"2023-02-14T18:18:51+0500\",\"headerFrom\":\"info@biz.org\"}", "outcome": "unknown" diff --git a/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-v2-logs.log b/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-v2-logs.log new file mode 100644 index 00000000000..c0bc55eb5b4 --- /dev/null +++ b/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-v2-logs.log 
@@ -0,0 +1,61 @@ +{"_offset":71203,"_partition":60,"accountId":"CUSB4A274","aggregateId":"ycS8ZuP_MPunTsp6ErzBSA_1731499054","fileExtension":"pdf","fileName":"zero-day.pdf","md5":"66f03bf072a74bb19db16c952ba3dc47","processingId":"WGY_DvwBSSkQgHEEGRzoLfwigWn9mwWIGqiLvVrPqKc_1731499054","sha1":"ce87cd86f9d9d3ed4c1138530ef259ce83638593","sha256":"22a65c438289353d96c707cf55e26be723e3157f0aa00734843a9bdc8f98bab0","subtype":null,"timestamp":1731499059314,"type":"attachment protect"} +{"_offset":72919,"_partition":60,"accountId":"CUSB4A274","aggregateId":"pZrAa9HUN-WmL2AK6cWduw_1731621818","fileExtension":"zip","fileName":"WinZip Attachments.zip","md5":"baab79394970762f6ccefff87e0884ac","processingId":"aZDCqoMHYF9FcjJQ869Lbra7mJvvQIa-VaegH2O8C0g_1731621818","sha1":"08a3037782976df0defbc4f0650d647b8696e18c","sha256":"2184a906a8f705269be0ed65b25c0ecde9cd3bbe0bdadbe1e86492a7ce073c32","subtype":null,"timestamp":1731621866023,"type":"attachment protect"} +{"_offset":73861,"_partition":60,"accountId":"CUSB4A274","aggregateId":"k3KcYRO6P7qYd0rHc1QFNw_1731705555","fileExtension":"pdf","fileName":"zero-day.pdf","md5":"66f03bf072a74bb19db16c952ba3dc47","processingId":"WwGkv-47IJizhgFwoSrDx4e3e72fFIFdyKh3xcIJaik_1731705555","sha1":"ce87cd86f9d9d3ed4c1138530ef259ce83638593","sha256":"22a65c438289353d96c707cf55e26be723e3157f0aa00734843a9bdc8f98bab0","subtype":null,"timestamp":1731705560321,"type":"attachment protect"} +{"_offset":72919,"_partition":60,"accountId":"CUSB4A274","aggregateId":"pZrAa9HUN-WmL2AK6cWduw_1731621818","fileExtension":"zip","fileName":"WinZip Attachments.zip","md5":"baab79394970762f6ccefff87e0884ac","processingId":"b3vNsa7MZl72FJW_mbEr0ZX-iohNRCrOQ-BimNV1q9Q_1731621818","sha1":"08a3037782976df0defbc4f0650d647b8696e18c","sha256":"2184a906a8f705269be0ed65b25c0ecde9cd3bbe0bdadbe1e86492a7ce073c32","subtype":null,"timestamp":1731621866000,"type":"attachment protect"} 
+{"_offset":72919,"_partition":60,"accountId":"CUSB4A274","aggregateId":"pZrAa9HUN-WmL2AK6cWduw_1731621818","fileExtension":"zip","fileName":"WinZip Attachments.zip","md5":"baab79394970762f6ccefff87e0884ac","processingId":"mLgUT0pGSr_N7iwZQw_rR_JZltfI6rd_ntlmS6_ERBo_1731621818","sha1":"08a3037782976df0defbc4f0650d647b8696e18c","sha256":"2184a906a8f705269be0ed65b25c0ecde9cd3bbe0bdadbe1e86492a7ce073c32","subtype":null,"timestamp":1731621866024,"type":"attachment protect"} +{"_offset":72919,"_partition":60,"accountId":"CUSB4A274","aggregateId":"pZrAa9HUN-WmL2AK6cWduw_1731621818","fileExtension":"zip","fileName":"WinZip Attachments.zip","md5":"baab79394970762f6ccefff87e0884ac","processingId":"6czskzJMohlaUKVhot_uqpWCnSxbrpxHOmIbcab2cz8_1731621818","sha1":"08a3037782976df0defbc4f0650d647b8696e18c","sha256":"2184a906a8f705269be0ed65b25c0ecde9cd3bbe0bdadbe1e86492a7ce073c32","subtype":null,"timestamp":1731621866000,"type":"attachment protect"} +{"_offset":72919,"_partition":60,"accountId":"CUSB4A274","aggregateId":"pZrAa9HUN-WmL2AK6cWduw_1731621818","fileExtension":"zip","fileName":"WinZip Attachments.zip","md5":"baab79394970762f6ccefff87e0884ac","processingId":"MyaowWrjsmqCAoLpEyL5HV1AZ8jx5ktpfR1F-y8u49k_1731621818","sha1":"08a3037782976df0defbc4f0650d647b8696e18c","sha256":"2184a906a8f705269be0ed65b25c0ecde9cd3bbe0bdadbe1e86492a7ce073c32","subtype":null,"timestamp":1731621866002,"type":"attachment protect"} +{"_offset":72919,"_partition":60,"accountId":"CUSB4A274","aggregateId":"pZrAa9HUN-WmL2AK6cWduw_1731621818","fileExtension":"zip","fileName":"WinZip Attachments.zip","md5":"baab79394970762f6ccefff87e0884ac","processingId":"A1JuZjnL7y-1hP0ArmGTNUqqex9NU62N18z_QlPirAY_1731621818","sha1":"08a3037782976df0defbc4f0650d647b8696e18c","sha256":"2184a906a8f705269be0ed65b25c0ecde9cd3bbe0bdadbe1e86492a7ce073c32","subtype":null,"timestamp":1731621866010,"type":"attachment protect"} 
+{"_offset":72919,"_partition":60,"accountId":"CUSB4A274","aggregateId":"pZrAa9HUN-WmL2AK6cWduw_1731621818","fileExtension":"zip","fileName":"WinZip Attachments.zip","md5":"baab79394970762f6ccefff87e0884ac","processingId":"G0_0M5x6QhE_UvSS0Wv0HzUDdWlgNBONhtSHHsrKznA_1731621818","sha1":"08a3037782976df0defbc4f0650d647b8696e18c","sha256":"2184a906a8f705269be0ed65b25c0ecde9cd3bbe0bdadbe1e86492a7ce073c32","subtype":null,"timestamp":1731621866018,"type":"attachment protect"} +{"_offset":71219,"_partition":60,"accountId":"CUSB4A274","aggregateId":"auzof_uINcO0Z8DvryMngw_1731500878","fileExtension":"pdf","fileName":"zero-day.pdf","md5":"66f03bf072a74bb19db16c952ba3dc47","processingId":"0fD129nTUvY0qRAuLALbD7HpiV_4kWYEvyJjldHOOaU_1731500878","sha1":"ce87cd86f9d9d3ed4c1138530ef259ce83638593","sha256":"22a65c438289353d96c707cf55e26be723e3157f0aa00734843a9bdc8f98bab0","subtype":null,"timestamp":1731500881660,"type":"attachment protect"} +{"Hostname":"ha.hamilton321.net","_offset":70901,"_partition":60,"accountId":"CUSB4A274","aggregateId":"x0J66B7HOZCFDsdRtjBrdg","delivered":"true","deliveryAttempts":"1","deliveryErrors":null,"deliveryTime":"1633","destinationIp":"81.2.69.144","direction":"Internal","emailSize":"31363","messageId":"<27856769-1731451446596@usb-mta-24.usb.mimecast.lan>","numberAttachments":"0","processingId":"LcoZUvowTgh0_A1V-OdChmPWPlyI1gOurfQRUFoRMZk","recipients":"veronica.espinoza@demo-int.elastic.mime-api.com","rejectionCode":null,"rejectionInfo":null,"rejectionType":null,"route":"Accept and drop messages","senderEnvelope":"postmaster@demo-int.elastic.mime-api.com","subject":"We found suspicious files in a message","subtype":"true","timestamp":1731451448010,"tlsCipher":null,"tlsUsed":"No","tlsVersion":null,"totalSizeAttachments":"0","type":"delivery"} 
+{"Hostname":"ha.hamilton321.net","_offset":70911,"_partition":60,"accountId":"CUSB4A274","aggregateId":"x0J66B7HOZCFDsdRtjBrdg","delivered":"true","deliveryAttempts":"1","deliveryErrors":null,"deliveryTime":"1120","destinationIp":"81.2.69.144","direction":"Internal","emailSize":"31363","messageId":"<27856818-1731451550340@usb-mta-10.usb.mimecast.lan>","numberAttachments":"0","processingId":"LcoZUvowTgh0_A1V-OdChmPWPlyI1gOurfQRUFoRMZk","recipients":"veronica.espinoza@demo-int.elastic.mime-api.com","rejectionCode":null,"rejectionInfo":null,"rejectionType":null,"route":"Accept and drop messages","senderEnvelope":"postmaster@demo-int.elastic.mime-api.com","subject":"We found suspicious files in a message","subtype":"true","timestamp":1731451551351,"tlsCipher":null,"tlsUsed":"No","tlsVersion":null,"totalSizeAttachments":"0","type":"delivery"} +{"Hostname":"ha.hamilton321.net","_offset":70909,"_partition":60,"accountId":"CUSB4A274","aggregateId":"x0J66B7HOZCFDsdRtjBrdg","delivered":"true","deliveryAttempts":"1","deliveryErrors":null,"deliveryTime":"1103","destinationIp":"81.2.69.144","direction":"Internal","emailSize":"31363","messageId":"<27856880-1731451542362@usb-mta-26.usb.mimecast.lan>","numberAttachments":"0","processingId":"LcoZUvowTgh0_A1V-OdChmPWPlyI1gOurfQRUFoRMZk","recipients":"veronica.espinoza@demo-int.elastic.mime-api.com","rejectionCode":null,"rejectionInfo":null,"rejectionType":null,"route":"Accept and drop messages","senderEnvelope":"postmaster@demo-int.elastic.mime-api.com","subject":"We found suspicious files in a message","subtype":"true","timestamp":1731451543357,"tlsCipher":null,"tlsUsed":"No","tlsVersion":null,"totalSizeAttachments":"0","type":"delivery"} 
+{"Hostname":"ha.hamilton321.net","_offset":70910,"_partition":60,"accountId":"CUSB4A274","aggregateId":"x0J66B7HOZCFDsdRtjBrdg","delivered":"true","deliveryAttempts":"1","deliveryErrors":null,"deliveryTime":"1074","destinationIp":"81.2.69.144","direction":"Internal","emailSize":"31363","messageId":"<27856845-1731451550567@usb-mta-40.usb.mimecast.lan>","numberAttachments":"0","processingId":"LcoZUvowTgh0_A1V-OdChmPWPlyI1gOurfQRUFoRMZk","recipients":"veronica.espinoza@demo-int.elastic.mime-api.com","rejectionCode":null,"rejectionInfo":null,"rejectionType":null,"route":"Accept and drop messages","senderEnvelope":"postmaster@demo-int.elastic.mime-api.com","subject":"We found suspicious files in a message","subtype":"true","timestamp":1731451551563,"tlsCipher":null,"tlsUsed":"No","tlsVersion":null,"totalSizeAttachments":"0","type":"delivery"} +{"Hostname":"ha.hamilton321.net","_offset":70900,"_partition":60,"accountId":"CUSB4A274","aggregateId":"x0J66B7HOZCFDsdRtjBrdg","delivered":"true","deliveryAttempts":"1","deliveryErrors":null,"deliveryTime":"1268","destinationIp":"81.2.69.144","direction":"Internal","emailSize":"31363","messageId":"<27856888-1731451457644@usb-mta-40.usb.mimecast.lan>","numberAttachments":"0","processingId":"LcoZUvowTgh0_A1V-OdChmPWPlyI1gOurfQRUFoRMZk","recipients":"veronica.espinoza@demo-int.elastic.mime-api.com","rejectionCode":null,"rejectionInfo":null,"rejectionType":null,"route":"Accept and drop messages","senderEnvelope":"postmaster@demo-int.elastic.mime-api.com","subject":"We found suspicious files in a message","subtype":"true","timestamp":1731451458746,"tlsCipher":null,"tlsUsed":"No","tlsVersion":null,"totalSizeAttachments":"0","type":"delivery"} 
+{"Hostname":"ha.hamilton321.net","_offset":70910,"_partition":60,"accountId":"CUSB4A274","aggregateId":"x0J66B7HOZCFDsdRtjBrdg","delivered":"true","deliveryAttempts":"1","deliveryErrors":null,"deliveryTime":"1109","destinationIp":"81.2.69.144","direction":"Internal","emailSize":"31363","messageId":"<27856806-1731451560812@usb-mta-26.usb.mimecast.lan>","numberAttachments":"0","processingId":"LcoZUvowTgh0_A1V-OdChmPWPlyI1gOurfQRUFoRMZk","recipients":"veronica.espinoza@demo-int.elastic.mime-api.com","rejectionCode":null,"rejectionInfo":null,"rejectionType":null,"route":"Accept and drop messages","senderEnvelope":"postmaster@demo-int.elastic.mime-api.com","subject":"We found suspicious files in a message","subtype":"true","timestamp":1731451561805,"tlsCipher":null,"tlsUsed":"No","tlsVersion":null,"totalSizeAttachments":"0","type":"delivery"} +{"Hostname":"ha.hamilton321.net","_offset":70998,"_partition":60,"accountId":"CUSB4A274","aggregateId":"aa3dEs_GMim451MhiRrJ9w_1731450139","delivered":"true","deliveryAttempts":"1","deliveryErrors":null,"deliveryTime":"10362852","destinationIp":"81.2.69.144","direction":"Inbound","emailSize":"4031","messageId":"<0f94646af53b06e4-170077@hapi.b41.one>","numberAttachments":"0","processingId":"7Yn6wtD2mT-o3y2anz4Z28snYYvG6yePYw6n50e9VBo_1731450139","recipients":"richard.costigan@demo-int.elastic.mime-api.com","rejectionCode":null,"rejectionInfo":null,"rejectionType":null,"route":"Accept and drop messages","senderEnvelope":"richard.costigan@arcadia-group.b41.one","subject":"Energy Briefing paper for Monday, May 21st","subtype":"true","timestamp":1731460502392,"tlsCipher":null,"tlsUsed":"No","tlsVersion":null,"totalSizeAttachments":"0","type":"delivery"} 
+{"Hostname":"ha.hamilton321.net","_offset":70901,"_partition":60,"accountId":"CUSB4A274","aggregateId":"x0J66B7HOZCFDsdRtjBrdg","delivered":"true","deliveryAttempts":"1","deliveryErrors":null,"deliveryTime":"1338","destinationIp":"81.2.69.144","direction":"Internal","emailSize":"31363","messageId":"<27856767-1731451446559@usb-mta-24.usb.mimecast.lan>","numberAttachments":"0","processingId":"LcoZUvowTgh0_A1V-OdChmPWPlyI1gOurfQRUFoRMZk","recipients":"veronica.espinoza@demo-int.elastic.mime-api.com","rejectionCode":null,"rejectionInfo":null,"rejectionType":null,"route":"Accept and drop messages","senderEnvelope":"postmaster@demo-int.elastic.mime-api.com","subject":"We found suspicious files in a message","subtype":"true","timestamp":1731451447715,"tlsCipher":null,"tlsUsed":"No","tlsVersion":null,"totalSizeAttachments":"0","type":"delivery"}
+{"Hostname":"ha.hamilton321.net","_offset":70900,"_partition":60,"accountId":"CUSB4A274","aggregateId":"x0J66B7HOZCFDsdRtjBrdg","delivered":"true","deliveryAttempts":"1","deliveryErrors":null,"deliveryTime":"1305","destinationIp":"81.2.69.144","direction":"Internal","emailSize":"31363","messageId":"<27856817-1731451449648@usb-mta-22.usb.mimecast.lan>","numberAttachments":"0","processingId":"LcoZUvowTgh0_A1V-OdChmPWPlyI1gOurfQRUFoRMZk","recipients":"veronica.espinoza@demo-int.elastic.mime-api.com","rejectionCode":null,"rejectionInfo":null,"rejectionType":null,"route":"Accept and drop messages","senderEnvelope":"postmaster@demo-int.elastic.mime-api.com","subject":"We found suspicious files in a message","subtype":"true","timestamp":1731451450737,"tlsCipher":null,"tlsUsed":"No","tlsVersion":null,"totalSizeAttachments":"0","type":"delivery"}
+{"Hostname":"ha.hamilton321.net","_offset":70902,"_partition":60,"accountId":"CUSB4A274","aggregateId":"x0J66B7HOZCFDsdRtjBrdg","delivered":"true","deliveryAttempts":"1","deliveryErrors":null,"deliveryTime":"1195","destinationIp":"81.2.69.144","direction":"Internal","emailSize":"31363","messageId":"<27856894-1731451457506@usb-mta-26.usb.mimecast.lan>","numberAttachments":"0","processingId":"LcoZUvowTgh0_A1V-OdChmPWPlyI1gOurfQRUFoRMZk","recipients":"veronica.espinoza@demo-int.elastic.mime-api.com","rejectionCode":null,"rejectionInfo":null,"rejectionType":null,"route":"Accept and drop messages","senderEnvelope":"postmaster@demo-int.elastic.mime-api.com","subject":"We found suspicious files in a message","subtype":"true","timestamp":1731451458547,"tlsCipher":null,"tlsUsed":"No","tlsVersion":null,"totalSizeAttachments":"0","type":"delivery"}
+{"_offset":74462,"_partition":60,"accountId":"CUSB4A274","aggregateId":"RyZVTDvJMWi-Z68ZSU9WiA_1731862947","messageId":"<871dda3d6bf5107e-360815@hapi.b41.one>","monitoredDomainSource":null,"processingId":"JOsQ81iW842NHWl0bfVsgQ0PO7JYMph14vGQhgmXV4g_1731862947","recipients":"dl-ga-all_enron_worldwide1@demo-int.elastic.mime-api.com","route":"Internal","scanResults":"Blocked URL Category","senderEnvelope":"coo.jeff@demo-int.elastic.mime-api.com","similarDomain":null,"subject":"Management Changes","subtype":null,"timestamp":1731862950599,"type":"internal email protect","urlCategory":"Compromised"}
+{"_offset":73595,"_partition":60,"accountId":"CUSB4A274","aggregateId":"0iHRSrQ4PseuWDdA6ANgWg_1731698572","direction":"Internal","processingId":"55pOFYRDuAV-PV8mGTczqke6e1QfNVKZRbn7h7YSjYE_1731698572","recipients":"maria.valdes@demo-int.elastic.mime-api.com","senderEnvelope":"rhonda.denton@demo-int.elastic.mime-api.com","subtype":null,"timestamp":1731698575076,"type":"journal"}
+{"_offset":71249,"_partition":60,"accountId":"CUSB4A274","aggregateId":"Y7wwxNEWPQ23PptVXfrUUg_1731503569","direction":"Internal","processingId":"kYay9GYnPC0hU5PR_jl1VlGp4tcEuhcDWAN83CBWn2Q_1731503569","recipients":"_david.port@demo-int.elastic.mime-api.com","senderEnvelope":"david.forster@demo-int.elastic.mime-api.com","subtype":null,"timestamp":1731503575426,"type":"journal"}
+{"_offset":71192,"_partition":60,"accountId":"CUSB4A274","aggregateId":"mlj3VuNCMh-GNsUhmPt9Rg_1731496947","direction":"Internal","processingId":"WYD3Y9s3EMu6D9CKmgT1kzmrSiywCe_em_lXf_5HUws_1731496947","recipients":"_michelle.lokay@demo-int.elastic.mime-api.com","senderEnvelope":"lorna.brennan@demo-int.elastic.mime-api.com","subtype":null,"timestamp":1731496960379,"type":"journal"}
+{"_offset":70927,"_partition":60,"accountId":"CUSB4A274","aggregateId":"95dsLgPDMoWy0Bk0Y1LSDw_1731452248","direction":"Internal","processingId":"Pd0OCuNL88QUcTMmMDg40I18qawNIFCzdGxqvhNOH9Y_1731452248","recipients":"andrea.ring@demo-int.elastic.mime-api.com","senderEnvelope":"bob.ambrocik@demo-int.elastic.mime-api.com","subtype":null,"timestamp":1731452254138,"type":"journal"}
+{"_offset":74592,"_partition":60,"accountId":"CUSB4A274","aggregateId":"PgLIFM6aONixnnxAu2yBCQ_1731874647","direction":"Internal","processingId":"ViHEEq9if4nYTOUxQSqXsgUcnbs7Of0bGeFhEu223ls_1731874647","recipients":"chad.starnes@demo-int.elastic.mime-api.com","senderEnvelope":"tamara.black@demo-int.elastic.mime-api.com","subtype":null,"timestamp":1731874650052,"type":"journal"}
+{"_offset":71853,"_partition":60,"accountId":"CUSB4A274","aggregateId":"wm8XylfgMXaY8DkuPe5C6g_1731534809","direction":"Internal","processingId":"qqjnpyH6z5KaeWSeaP3_FomSjmKudYT94G36_a6PYhU_1731534809","recipients":"_hal.mckinney@demo-int.elastic.mime-api.com","senderEnvelope":"melissa.videtto@demo-int.elastic.mime-api.com","subtype":null,"timestamp":1731534813729,"type":"journal"}
+{"_offset":72107,"_partition":60,"accountId":"CUSB4A274","aggregateId":"44MUo-sSOaemmYCtIWoCDQ_1731555745","direction":"Internal","processingId":"f2CHdHbAHhLuWxAdnrkvikX7p99qLDSp8vov0IN2VuE_1731555745","recipients":"_john.suarez@demo-int.elastic.mime-api.com","senderEnvelope":"rhonda.denton@demo-int.elastic.mime-api.com","subtype":null,"timestamp":1731555748578,"type":"journal"}
+{"_offset":72539,"_partition":60,"accountId":"CUSB4A274","aggregateId":"5lkyib_sMEys4HHIS_BfnA_1731607398","direction":"Internal","processingId":"NTURKsdD8cexyo31Pcs68lEJJMGjyOBtykAvjo4-hDM_1731607398","recipients":"william.freije@demo-int.elastic.mime-api.com","senderEnvelope":"jae.black@demo-int.elastic.mime-api.com","subtype":null,"timestamp":1731607405621,"type":"journal"}
+{"_offset":75079,"_partition":60,"accountId":"CUSB4A274","aggregateId":"giIl5RfnMaaOzcpePknYCQ","direction":"Internal","processingId":"L-Cjc_if2_eznTO-c4SsELfEptLUJouzF02Kgogaaok_1731956544","recipients":"tammie.schoppe@demo-int.elastic.mime-api.com","senderEnvelope":"julie.clyatt@demo-int.elastic.mime-api.com","subtype":null,"timestamp":1731956547365,"type":"journal"}
+{"_offset":70818,"_partition":60,"accountId":"CUSB4A274","aggregateId":"ftPbPD1vMxa7beIN-pCWbA_1731444430","direction":"Internal","processingId":"KN0HzWFvGXS8Gu1gNid_150nlAPfOVzuimpDTbAGz1k_1731444430","recipients":"tahnee.stall@demo-int.elastic.mime-api.com","senderEnvelope":"mbx_iscinfra@demo-int.elastic.mime-api.com","subtype":null,"timestamp":1731444432914,"type":"journal"}
+{"_offset":73606,"_partition":60,"accountId":"CUSB4A274","action":"Hld","aggregateId":"8TCFD0OlO06323_aNlbxVA_1731700047","attachments":null,"emailSize":"4170","holdReason":"Spm","messageId":"<4de314882ebce407-15188@hapi.b41.one>","numberAttachments":"0","processingId":"f9LiY_x-_ogdIWrf6wkiSVnAHqf_t43V7fXksSco27o_1731700047","senderEnvelope":"oasissupport@demo-visionary.b41.one","subject":"Entergy's new OASIS node is now
available","subtype":"Hld","timestamp":1731700055957,"totalSizeAttachments":"0","type":"process"}
+{"_offset":71171,"_partition":60,"accountId":"CUSB4A274","action":"Sdbx","aggregateId":"aGeQjuWoOVGkrat_ga1Vew_1731494602","attachments":null,"emailSize":"0","holdReason":null,"messageId":"<439b91e3140b2aa6-75725@hapi.b41.one>","numberAttachments":"1","processingId":"XoJ1lIN_Fxb9ImfSO2K24HpiMiRNKQXqe6UfEC5_aP0_1731494602","senderEnvelope":"mjones7@pilot-meadow.b41.one","subject":"HPL Nom for January 25, 2001","subtype":"Sdbx","timestamp":1731494618314,"totalSizeAttachments":"1153","type":"process"}
+{"_offset":75292,"_partition":60,"accountId":"CUSB4A274","action":"Hld","aggregateId":"TLfmiIfVPSO0GI3oJJdWHg","attachments":null,"emailSize":"5668","holdReason":"Spm","messageId":"<6d8f3206ebd72298-284580@hapi.b41.one>","numberAttachments":"0","processingId":"RP4HUIIujRhQzLMrGkeTNhfdRQ_JTzEtU1nYU7oBF6Y_1731970088","senderEnvelope":"ebay.54422217.3801.0@pilot-meadow.b41.one","subject":"Welcome, dvd_express!","subtype":"Hld","timestamp":1731970093024,"totalSizeAttachments":"0","type":"process"}
+{"_offset":73837,"_partition":60,"accountId":"CUSB4A274","action":"Acc","aggregateId":"Oy_S3Lc9PUyDRbsnf0mr6w_1731702540","attachments":"\"attach-c567a248-467f-415f-b1ca-da6fde82347a.pdf\"","emailSize":"17236","holdReason":null,"messageId":"<46b1119b6b6a1cce-34862@hapi.b41.one>","numberAttachments":"1","processingId":"HP7ykR1aQLQjT0JuuuBzaIITSLHDrLDARlkEm5Nzf_k_1731702540","senderEnvelope":"owner-nyiso_tech_exchange@innovation-asylum.b41.one","subject":"RE","subtype":"Acc","timestamp":1731702739427,"totalSizeAttachments":"1153","type":"process"}
+{"_offset":74698,"_partition":60,"accountId":"CUSB4A274","action":"Hld","aggregateId":"oSy4xi7sNgWjMLPrth0xKw_1731914255","attachments":null,"emailSize":"10181","holdReason":"Spm","messageId":"<705cf5946f3b8cd9-127894@hapi.b41.one>","numberAttachments":"0","processingId":"TIjslaTpNx-wdlF6Gt2htnTTu5Li_VkloVU6ccC8bb8_1731914255","senderEnvelope":"tina_leavy@concept-variety.b41.one","subject":"Fw","subtype":"Hld","timestamp":1731914265305,"totalSizeAttachments":"0","type":"process"}
+{"_offset":72599,"_partition":60,"accountId":"CUSB4A274","action":"Hld","aggregateId":"FnAhxmOxN26l3b9wdnI64w_1731612764","attachments":null,"emailSize":"9628","holdReason":"Spm","messageId":"<3f1fd5633ebc342e-355801@hapi.b41.one>","numberAttachments":"0","processingId":"TKG1WthCWaNTmKhC1mEeH8w4J2Nb9uIz1XcC2pgBlxM_1731612764","senderEnvelope":"wgphou.customernotices@concept-variety.b41.one","subject":"Third Revised Terrebonne PVR % for October 2001","subtype":"Hld","timestamp":1731612778420,"totalSizeAttachments":"0","type":"process"}
+{"_offset":74954,"_partition":60,"accountId":"CUSB4A274","action":"Acc","aggregateId":"MF66JhdrMzeeqjFGrjuS7g","attachments":null,"emailSize":"6103","holdReason":null,"messageId":"<8b857900ca3f647e-11913@hapi.b41.one>","numberAttachments":"0","processingId":"WePW42EkaOVqv2HazYrvjJ9Ko2V8Fsj6yLUkUdKcU60_1731944561","senderEnvelope":"eric.bass@demo-int.elastic.mime-api.com","subject":"FW","subtype":"Acc","timestamp":1731944567019,"totalSizeAttachments":"0","type":"process"}
+{"_offset":71324,"_partition":60,"accountId":"CUSB4A274","action":"Acc","aggregateId":"e102e547-4a15-374c-b71d-66e2133bf1d2_1731510369","attachments":null,"emailSize":"49308","holdReason":null,"messageId":"<27887510-1731510369436@usb-mta-4.usb.mimecast.lan>","numberAttachments":"0","processingId":"n8Uu7Gt79ZJVAh9Skma7E9P2M4HBk8Q__d8DB24Y9Aw_1731510369","senderEnvelope":"postmaster@demo-int.elastic.mime-api.com","subject":"You have new held
messages","subtype":"Acc","timestamp":1731510371281,"totalSizeAttachments":"0","type":"process"}
+{"_offset":73333,"_partition":60,"accountId":"CUSB4A274","action":"Acc","aggregateId":"OhBKaw3SM3i2coMq0NYnWA_1731680003","attachments":null,"emailSize":"4165","holdReason":null,"messageId":"<326fb0335d17b3c0-314775@hapi.b41.one>","numberAttachments":"0","processingId":"JGkhz1r5Si2J3Aj1cIT4pfkKIJRyKk9PHOLFdWBenMs_1731680003","senderEnvelope":"sgovenar@innovation-asylum.b41.one","subject":"SBX 6","subtype":"Acc","timestamp":1731680016753,"totalSizeAttachments":"0","type":"process"}
+{"_offset":71824,"_partition":60,"accountId":"CUSB4A274","action":"Acc","aggregateId":"RkaLU-cyNTa3VvuNCEFL0g_1731533285","attachments":null,"emailSize":"4689","holdReason":null,"messageId":"","numberAttachments":"0","processingId":"ZGDUcMyg7xWfwuJMwQRyVK7_XOZwCdHZDkhj2-iNxi8_1731533285","senderEnvelope":"john.arnold@demo-int.elastic.mime-api.com","subject":"wv love story","subtype":"Acc","timestamp":1731533289383,"totalSizeAttachments":"0","type":"process"}
+{"_offset":70936,"_partition":60,"accountId":"CUSB4A274","action":"Rej","aggregateId":"lf7BP8oVOue0keIDXck0Ww_1731454604","direction":"Inbound","messageId":null,"numberAttachments":"0","processingId":"Ycqry21vB3utdjgPfIFYpj9wQK6HMNkmX_1vFlph1UM_1731454604","recipients":"truorange@demo-int.elastic.mime-api.com","rejectionCode":"550","rejectionInfo":"Envelope blocked - User Entry","rejectionType":"Manual Envelope Rejection","senderEnvelope":"truorange@creative-omega.b41.one","senderHeader":null,"senderIp":"81.2.69.144","spamDetectionLevel":null,"spamInfo":null,"spamProcessingDetail":"{\"spf\":{\"allow\":true,\"info\":\"ALLOW\"}}","spamScore":null,"subject":null,"subtype":"Rej","timestamp":1731454605992,"tlsCipher":"TLS_AES_256_GCM_SHA384","tlsVersion":"TLSv1.3","type":"receipt","virusFound":null}
+{"_offset":72920,"_partition":60,"accountId":"CUSB4A274","action":"Acc","aggregateId":"pZrAa9HUN-WmL2AK6cWduw_1731621818","direction":"Inbound","messageId":"","numberAttachments":"1","processingId":"faqqVpJ4FYKsCgeaEEy23oZYXjIg0lM-UfluCEvSRUs_1731621818","receiptErrors":null,"recipients":"boucard.john@demo-int.elastic.mime-api.com","rejectionCode":null,"rejectionInfo":null,"rejectionType":null,"senderEnvelope":"manintan@evaluation-fuzz.b41.one","senderHeader":"manintan@evaluation-fuzz.b41.one","senderIp":"81.2.69.144","spamDetectionLevel":"7","spamInfo":"[]","spamProcessingDetail":"{\"spf\":{\"allow\":true,\"info\":\"ALLOW\"},\"dkim\":{\"allow\":true,\"info\":\"UNKNOWN\"},\"dmarc\":{\"allow\":true,\"info\":\"ALLOW\"}}","spamScore":"21","subject":"new information","subtype":"Acc","timestamp":1731621865697,"tlsCipher":"TLS_AES_256_GCM_SHA384","tlsVersion":"TLSv1.3","type":"receipt","virusFound":null}
+{"_offset":71492,"_partition":60,"accountId":"CUSB4A274","action":"Acc","aggregateId":"DxdW7AQ0MlWbr7_ujIQaxw_1731516810","direction":"Inbound","messageId":"","numberAttachments":"1","processingId":"MRFVwlim0CdyNJzmrIZFSHmViwZ7hOLQTNEqxRaK2Vs_1731516810","receiptErrors":null,"recipients":"tom.fitzgibbon@demo-int.elastic.mime-api.com","rejectionCode":null,"rejectionInfo":null,"rejectionType":null,"senderEnvelope":"my-prs@pilot-meadow.b41.one","senderHeader":"my-prs@pilot-meadow.b41.one","senderIp":"81.2.69.144","spamDetectionLevel":"7","spamInfo":"[]","spamProcessingDetail":"{\"spf\":{\"allow\":true,\"info\":\"ALLOW\"},\"dkim\":{\"allow\":true,\"info\":\"UNKNOWN\"},\"dmarc\":{\"allow\":true,\"info\":\"ALLOW\"}}","spamScore":"9","subject":"Translation - Nihon Keizai 5/16 (Enron Mention)","subtype":"Acc","timestamp":1731516818291,"tlsCipher":"TLS_AES_256_GCM_SHA384","tlsVersion":"TLSv1.3","type":"receipt","virusFound":null}
+{"_offset":73360,"_partition":60,"accountId":"CUSB4A274","action":"Acc","aggregateId":"4d2c1696-8d78-3d7b-aac9-78d630c5950b_1731682986","direction":"Internal","messageId":"<28099804-1731682986606@usb-mta-47.usb.mimecast.lan>","numberAttachments":"0","processingId":"ceRW9S1H-n0jhKkIEH85IxRNSZ9NRZnFJQLeRF42rC0_1731682986","receiptErrors":null,"recipients":"_suecor.williams@demo-int.elastic.mime-api.com","rejectionCode":null,"rejectionInfo":null,"rejectionType":null,"senderEnvelope":"postmaster@demo-int.elastic.mime-api.com","senderHeader":"postmaster@demo-int.elastic.mime-api.com","senderIp":"10.108.135.241","spamDetectionLevel":"28","spamInfo":"[]","spamProcessingDetail":null,"spamScore":"0","subject":"You have new held messages","subtype":"Acc","timestamp":1731682988404,"tlsCipher":null,"tlsVersion":null,"type":"receipt","virusFound":null}
+{"_offset":75007,"_partition":60,"accountId":"CUSB4A274","action":"Acc","aggregateId":"5VeDMXKCPsS36abM4FlQeQ","direction":"Inbound","messageId":"","numberAttachments":"0","processingId":"ZGSmLrbybOduBkJx6T6cs4OgZU0AeG9Hq6qfGlnU7kg_1731948770","receiptErrors":null,"recipients":"sara.shackleton@demo-int.elastic.mime-api.com","rejectionCode":null,"rejectionInfo":null,"rejectionType":null,"senderEnvelope":"sshackl@creative-omega.b41.one","senderHeader":"sshackl@creative-omega.b41.one","senderIp":"81.2.69.144","spamDetectionLevel":"7","spamInfo":"[]","spamProcessingDetail":"{\"spf\":{\"allow\":true,\"info\":\"ALLOW\"},\"dkim\":{\"allow\":true,\"info\":\"UNKNOWN\"},\"dmarc\":{\"allow\":true,\"info\":\"ALLOW\"}}","spamScore":"20","subject":"FW","subtype":"Acc","timestamp":1731948772533,"tlsCipher":"TLS_AES_256_GCM_SHA384","tlsVersion":"TLSv1.3","type":"receipt","virusFound":null}
+{"_offset":71244,"_partition":60,"accountId":"CUSB4A274","action":"Acc","aggregateId":"0Moj0dzfOMqFDmdRAPECmA_1731503258","direction":"Inbound","messageId":"<94b67c90515afcf1-169468@hapi.b41.one>","numberAttachments":"1","processingId":"mGnheqkR5T0rDjTmXSUQv0Bfrjq-ZkcKhnutHhf7Euk_1731503258","receiptErrors":null,"recipients":"rfrank@demo-int.elastic.mime-api.com","rejectionCode":null,"rejectionInfo":null,"rejectionType":null,"senderEnvelope":"sgovenar@demo-visionary.b41.one","senderHeader":"sgovenar@demo-visionary.b41.one","senderIp":"81.2.69.144","spamDetectionLevel":null,"spamInfo":null,"spamProcessingDetail":"{\"spf\":{\"allow\":true,\"info\":\"ALLOW\"},\"dkim\":{\"allow\":true,\"info\":\"UNKNOWN\"},\"dmarc\":{\"allow\":true,\"info\":\"ALLOW\"}}","spamScore":null,"subject":"Edison MOU","subtype":"Acc","timestamp":1731503267346,"tlsCipher":"TLS_AES_256_GCM_SHA384","tlsVersion":"TLSv1.3","type":"receipt","virusFound":null}
+{"_offset":74483,"_partition":60,"accountId":"CUSB4A274","action":"Acc","aggregateId":"6ihbgt-UOrKODApypGlzXQ_1731868943","direction":"Inbound","messageId":"","numberAttachments":"0","processingId":"v4VvNARgVG4rpLNl4Ejnfh79j_d0m9XVKK5pAwzUt8s_1731868943","receiptErrors":null,"recipients":"_john.odell@demo-int.elastic.mime-api.com","rejectionCode":null,"rejectionInfo":null,"rejectionType":null,"senderEnvelope":"sgentry@empirepartners.b41.one","senderHeader":"sgentry@empirepartners.b41.one","senderIp":"81.2.69.144","spamDetectionLevel":"7","spamInfo":"[]","spamProcessingDetail":"{\"spf\":{\"allow\":true,\"info\":\"ALLOW\"},\"dkim\":{\"allow\":true,\"info\":\"UNKNOWN\"},\"dmarc\":{\"allow\":true,\"info\":\"ALLOW\"}}","spamScore":"11","subject":"FW","subtype":"Acc","timestamp":1731868950257,"tlsCipher":"TLS_AES_256_GCM_SHA384","tlsVersion":"TLSv1.3","type":"receipt","virusFound":null}
+{"_offset":71289,"_partition":60,"accountId":"CUSB4A274","action":"Acc","aggregateId":"OAXKAyanO6SqyvwQ1eKC4g_1731508647","direction":"Inbound","messageId":"","numberAttachments":"0","processingId":"YON72Gz9BYznKeJ0LSfRtVX4D0JDEmod68dD9ze1hHA_1731508647","receiptErrors":null,"recipients":"ebass@demo-int.elastic.mime-api.com","rejectionCode":null,"rejectionInfo":null,"rejectionType":null,"senderEnvelope":"eblastoff@evaluation-fuzz.b41.one","senderHeader":"eblastoff@evaluation-fuzz.b41.one","senderIp":"81.2.69.144","spamDetectionLevel":"7","spamInfo":"[]","spamProcessingDetail":"{\"spf\":{\"allow\":true,\"info\":\"ALLOW\"},\"dkim\":{\"allow\":true,\"info\":\"UNKNOWN\"},\"dmarc\":{\"allow\":true,\"info\":\"ALLOW\"}}","spamScore":"10","subject":"Inside The Rockets - January 7, 2002","subtype":"Acc","timestamp":1731508650643,"tlsCipher":"TLS_AES_256_GCM_SHA384","tlsVersion":"TLSv1.3","type":"receipt","virusFound":null}
+{"_offset":71966,"_partition":60,"accountId":"CUSB4A274","action":"Acc","aggregateId":"891c3d4c-0aa7-320b-bfd2-732bcd7c5adf_1731546285","direction":"Internal","messageId":"<27945005-1731546285334@usb-mta-6.usb.mimecast.lan>","numberAttachments":"0","processingId":"d6-ofzBp4GuHX3ZhDQTbnfwdr7VvRIpDrkqooDRU7SM_1731546285","receiptErrors":null,"recipients":"ford@demo-int.elastic.mime-api.com","rejectionCode":null,"rejectionInfo":null,"rejectionType":null,"senderEnvelope":"postmaster@demo-int.elastic.mime-api.com","senderHeader":"postmaster@demo-int.elastic.mime-api.com","senderIp":"10.104.113.241","spamDetectionLevel":"28","spamInfo":"[]","spamProcessingDetail":null,"spamScore":"0","subject":"You have new held messages","subtype":"Acc","timestamp":1731546286658,"tlsCipher":null,"tlsVersion":null,"type":"receipt","virusFound":null}
+{"_offset":71831,"_partition":60,"accountId":"CUSB4A274","action":"Acc","aggregateId":"YGkCYMyQNt6bgEuSqC3SVw_1731533364","direction":"Inbound","messageId":"<17043d206c4f4dbe-131959@hapi.b41.one>","numberAttachments":"1","processingId":"8-6EpAp9tIjIcQutkjBGvWfU5gkRdT5y0XAd_q6_uVQ_1731533364","receiptErrors":null,"recipients":"taylor@demo-int.elastic.mime-api.com","rejectionCode":null,"rejectionInfo":null,"rejectionType":null,"senderEnvelope":"cfishkin@empirepartners.b41.one","senderHeader":"cfishkin@empirepartners.b41.one","senderIp":"81.2.69.144","spamDetectionLevel":"7","spamInfo":"[]","spamProcessingDetail":"{\"spf\":{\"allow\":true,\"info\":\"ALLOW\"},\"dkim\":{\"allow\":true,\"info\":\"UNKNOWN\"},\"dmarc\":{\"allow\":true,\"info\":\"ALLOW\"}}","spamScore":"10","subject":"RE","subtype":"Acc","timestamp":1731533369688,"tlsCipher":"TLS_AES_256_GCM_SHA384","tlsVersion":"TLSv1.3","type":"receipt","virusFound":null}
+{"_offset":70644,"_partition":60,"accountId":"CUSB4A274","aggregateId":"Ql_iJvRDMdC_d469VGp4kQ_1731441482","messageId":"<024f423ba0c5f5cb-101202@hapi.b41.one>","processingId":"5EWkv9kTMt8sxAO41F7DZqeOTf2vsdVGKOLYRuZ0i8Y_1731441482","recipients":"dgiron@demo-int.elastic.mime-api.com","route":"Inbound","senderDomain":"concept-variety.b41.one","senderEnvelope":"auto-confirm@concept-variety.b41.one","senderHeader":"auto-confirm@concept-variety.b41.one","senderIp":"81.2.69.144","subject":"Your Order with Amazon.com (#102-9280639-7011323)","subtype":null,"timestamp":1731441484433,"type":"spam"}
+{"_offset":70888,"_partition":60,"accountId":"CUSB4A274","aggregateId":"r1jMzKmBNwOqFqDYi5Le0A_1731451019","messageId":"<62f0f191f1b2bfb8-202018@hapi.b41.one>","processingId":"t8HTSvcRL51riYw2Q_yM654nb8R2KtBO4vjsB1p-1rA_1731451019","recipients":"alewis@demo-int.elastic.mime-api.com","route":"Inbound","senderDomain":"concept-variety.b41.one","senderEnvelope":"clickz.today.txt@concept-variety.b41.one","senderHeader":"clickz.today.txt@concept-variety.b41.one","senderIp":"81.2.69.144","subject":"Tests Only an Internet Marketer Could Love","subtype":null,"timestamp":1731451020249,"type":"spam"}
+{"_offset":74166,"_partition":60,"accountId":"CUSB4A274","aggregateId":"Vhz8WEBPMFyb3pF2BJ2wrQ_1731766647","messageId":"<918952fe9b2b691c-132413@hapi.b41.one>","processingId":"0MCtz4Ju8r8zy_Fh3z2qGmwtmSMJC79xC1rw4ZvVxHs_1731766647","recipients":"tana.jones@demo-int.elastic.mime-api.com","route":"Inbound","senderDomain":"creative-omega.b41.one","senderEnvelope":"fishkinc@creative-omega.b41.one","senderHeader":"fishkinc@creative-omega.b41.one","senderIp":"81.2.69.144","subject":null,"subtype":null,"timestamp":1731766649212,"type":"spam"}
+{"_offset":73474,"_partition":60,"accountId":"CUSB4A274","aggregateId":"c7hobrZoOmy2Jue6uTkTZA_1731685378","messageId":"<688d972bc653918d-370521@hapi.b41.one>","processingId":"Pf8VEM40WVSFJhipnSh6S-izYx-BOH2dw64CPcFknzo_1731685378","recipients":"cole.jim@demo-int.elastic.mime-api.com","route":"Inbound","senderDomain":"arcadia-group.b41.one","senderEnvelope":"kathy@arcadia-group.b41.one","senderHeader":"kathy@arcadia-group.b41.one","senderIp":"81.2.69.144","subject":"Reception for COGA Annual Meeting Keynote Bill Walker","subtype":null,"timestamp":1731685384647,"type":"spam"}
+{"_offset":74481,"_partition":60,"accountId":"CUSB4A274","aggregateId":"6ihbgt-UOrKODApypGlzXQ_1731868943","messageId":"","processingId":"qR4K63J1r-NOxyrUpaPkU5iYS5bvw2-fEMB-JYcf0cE_1731868943","recipients":"_trey.greaney@demo-int.elastic.mime-api.com","route":"Inbound","senderDomain":"empirepartners.b41.one","senderEnvelope":"sgentry@empirepartners.b41.one","senderHeader":"sgentry@empirepartners.b41.one","senderIp":"81.2.69.144","subject":"FW","subtype":null,"timestamp":1731868948919,"type":"spam"}
+{"_offset":74481,"_partition":60,"accountId":"CUSB4A274","aggregateId":"6ihbgt-UOrKODApypGlzXQ_1731868943","messageId":"","processingId":"iYxxMaLBNEKPWSTEp9CH4B2464AGHhsvAPaf31Mc0tc_1731868943","recipients":"jeff.eatherton@demo-int.elastic.mime-api.com","route":"Inbound","senderDomain":"empirepartners.b41.one","senderEnvelope":"sgentry@empirepartners.b41.one","senderHeader":"sgentry@empirepartners.b41.one","senderIp":"81.2.69.144","subject":"FW","subtype":null,"timestamp":1731868948918,"type":"spam"}
+{"_offset":75325,"_partition":60,"accountId":"CUSB4A274","aggregateId":"-n86qAQfOTWA4Efdk2N-FA","messageId":"","processingId":"FIoA2LSY-MzFJzNY98Fwgzu1MD530-3K_kNs6b-GHQA_1731977871","recipients":"ryang@demo-int.elastic.mime-api.com","route":"Inbound","senderDomain":"creative-omega.b41.one","senderEnvelope":"douglass@creative-omega.b41.one","senderHeader":"douglass@creative-omega.b41.one","senderIp":"81.2.69.144","subject":"Re","subtype":null,"timestamp":1731977873269,"type":"spam"}
+{"_offset":72869,"_partition":60,"accountId":"CUSB4A274","aggregateId":"5I6WzskaO0anMqefgzUxMQ_1731617561","messageId":"","processingId":"44x8Ss3UswVtAAZEys6AvV2YDHgvX68PHyHjte7bw_w_1731617561","recipients":"jonathan.mckay@demo-int.elastic.mime-api.com","route":"Inbound","senderDomain":"pilot-meadow.b41.one","senderEnvelope":"gmille@pilot-meadow.b41.one","senderHeader":"gmille@pilot-meadow.b41.one","senderIp":"81.2.69.144","subject":null,"subtype":null,"timestamp":1731617562340,"type":"spam"}
+{"_offset":72407,"_partition":60,"accountId":"CUSB4A274","aggregateId":"nNsYsZo5PsiS7tsPPMhScw_1731597441","messageId":"<3a5a32b949bc68d5-44894@hapi.b41.one>","processingId":"Ju7DcVaik3AmIzS7u9rY8klrnT3r33IyQUYVFC__byk_1731597441","recipients":"jeff.dasovich@demo-int.elastic.mime-api.com","route":"Inbound","senderDomain":"pilot-meadow.b41.one","senderEnvelope":"courtney_abernathy@pilot-meadow.b41.one","senderHeader":"courtney_abernathy@pilot-meadow.b41.one","senderIp":"81.2.69.144","subject":"Stranger","subtype":null,"timestamp":1731597442889,"type":"spam"}
+{"_offset":74368,"_partition":60,"accountId":"CUSB4A274","aggregateId":"Zyc2YQp5NiebreJzicSY0g_1731827848","messageId":"<69b360ac6c02441e-173968@hapi.b41.one>","processingId":"rdbUbf7dO9buFz-hm-jV4eMdfFO2Qnu6iZy__ONwPng_1731827848","recipients":"max.yzaguirre@demo-int.elastic.mime-api.com","route":"Inbound","senderDomain":"arcadia-group.b41.one","senderEnvelope":"nikep@arcadia-group.b41.one","senderHeader":"nikep@arcadia-group.b41.one","senderIp":"81.2.69.144","subject":"Weekly Report","subtype":null,"timestamp":1731827851036,"type":"spam"}
diff --git a/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-v2-logs.log-expected.json b/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-v2-logs.log-expected.json
new file mode 100644
index 00000000000..b136699e534
--- /dev/null
+++ b/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-v2-logs.log-expected.json
@@ -0,0 +1,3485 @@ +{ + "expected": [ + { + "@timestamp": "2024-11-13T11:57:39.314Z", + "ecs": { + "version": "8.11.0" + }, + "email": { + "attachments": [ + { + "file": { + "extension": "pdf", + "hash": { + "md5": "66f03bf072a74bb19db16c952ba3dc47", + "sha1": "ce87cd86f9d9d3ed4c1138530ef259ce83638593", + "sha256": "22a65c438289353d96c707cf55e26be723e3157f0aa00734843a9bdc8f98bab0" + }, + "name": "zero-day.pdf" + } + } + ] + }, + "event": { + "category": [ + "email" + ], + "created": "2024-11-13T11:57:39.314Z", + "original": "{\"_offset\":71203,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"aggregateId\":\"ycS8ZuP_MPunTsp6ErzBSA_1731499054\",\"fileExtension\":\"pdf\",\"fileName\":\"zero-day.pdf\",\"md5\":\"66f03bf072a74bb19db16c952ba3dc47\",\"processingId\":\"WGY_DvwBSSkQgHEEGRzoLfwigWn9mwWIGqiLvVrPqKc_1731499054\",\"sha1\":\"ce87cd86f9d9d3ed4c1138530ef259ce83638593\",\"sha256\":\"22a65c438289353d96c707cf55e26be723e3157f0aa00734843a9bdc8f98bab0\",\"subtype\":null,\"timestamp\":1731499059314,\"type\":\"attachment protect\"}", + "outcome": "unknown" + }, + "mimecast": { + "accountId": "CUSB4A274", + "aggregateId": "ycS8ZuP_MPunTsp6ErzBSA_1731499054", + "log_type": "attachment-protect", + "processingId": "WGY_DvwBSSkQgHEEGRzoLfwigWn9mwWIGqiLvVrPqKc_1731499054" + }, + "related": { + "hash": [ + "ce87cd86f9d9d3ed4c1138530ef259ce83638593", + "22a65c438289353d96c707cf55e26be723e3157f0aa00734843a9bdc8f98bab0", + "66f03bf072a74bb19db16c952ba3dc47" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-11-14T22:04:26.023Z", + "ecs": { + "version": "8.11.0" + }, + "email": { + "attachments": [ + { + "file": { + "extension": "zip", + "hash": { + "md5": "baab79394970762f6ccefff87e0884ac", + "sha1": "08a3037782976df0defbc4f0650d647b8696e18c", + "sha256": "2184a906a8f705269be0ed65b25c0ecde9cd3bbe0bdadbe1e86492a7ce073c32" + }, + "name": "WinZip Attachments.zip" + } + } + ] + }, + "event": { + "category": [ + "email" + ], + "created": 
"2024-11-14T22:04:26.023Z", + "original": "{\"_offset\":72919,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"aggregateId\":\"pZrAa9HUN-WmL2AK6cWduw_1731621818\",\"fileExtension\":\"zip\",\"fileName\":\"WinZip Attachments.zip\",\"md5\":\"baab79394970762f6ccefff87e0884ac\",\"processingId\":\"aZDCqoMHYF9FcjJQ869Lbra7mJvvQIa-VaegH2O8C0g_1731621818\",\"sha1\":\"08a3037782976df0defbc4f0650d647b8696e18c\",\"sha256\":\"2184a906a8f705269be0ed65b25c0ecde9cd3bbe0bdadbe1e86492a7ce073c32\",\"subtype\":null,\"timestamp\":1731621866023,\"type\":\"attachment protect\"}", + "outcome": "unknown" + }, + "mimecast": { + "accountId": "CUSB4A274", + "aggregateId": "pZrAa9HUN-WmL2AK6cWduw_1731621818", + "log_type": "attachment-protect", + "processingId": "aZDCqoMHYF9FcjJQ869Lbra7mJvvQIa-VaegH2O8C0g_1731621818" + }, + "related": { + "hash": [ + "08a3037782976df0defbc4f0650d647b8696e18c", + "2184a906a8f705269be0ed65b25c0ecde9cd3bbe0bdadbe1e86492a7ce073c32", + "baab79394970762f6ccefff87e0884ac" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-11-15T21:19:20.321Z", + "ecs": { + "version": "8.11.0" + }, + "email": { + "attachments": [ + { + "file": { + "extension": "pdf", + "hash": { + "md5": "66f03bf072a74bb19db16c952ba3dc47", + "sha1": "ce87cd86f9d9d3ed4c1138530ef259ce83638593", + "sha256": "22a65c438289353d96c707cf55e26be723e3157f0aa00734843a9bdc8f98bab0" + }, + "name": "zero-day.pdf" + } + } + ] + }, + "event": { + "category": [ + "email" + ], + "created": "2024-11-15T21:19:20.321Z", + "original": 
"{\"_offset\":73861,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"aggregateId\":\"k3KcYRO6P7qYd0rHc1QFNw_1731705555\",\"fileExtension\":\"pdf\",\"fileName\":\"zero-day.pdf\",\"md5\":\"66f03bf072a74bb19db16c952ba3dc47\",\"processingId\":\"WwGkv-47IJizhgFwoSrDx4e3e72fFIFdyKh3xcIJaik_1731705555\",\"sha1\":\"ce87cd86f9d9d3ed4c1138530ef259ce83638593\",\"sha256\":\"22a65c438289353d96c707cf55e26be723e3157f0aa00734843a9bdc8f98bab0\",\"subtype\":null,\"timestamp\":1731705560321,\"type\":\"attachment protect\"}", + "outcome": "unknown" + }, + "mimecast": { + "accountId": "CUSB4A274", + "aggregateId": "k3KcYRO6P7qYd0rHc1QFNw_1731705555", + "log_type": "attachment-protect", + "processingId": "WwGkv-47IJizhgFwoSrDx4e3e72fFIFdyKh3xcIJaik_1731705555" + }, + "related": { + "hash": [ + "ce87cd86f9d9d3ed4c1138530ef259ce83638593", + "22a65c438289353d96c707cf55e26be723e3157f0aa00734843a9bdc8f98bab0", + "66f03bf072a74bb19db16c952ba3dc47" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-11-14T22:04:26.000Z", + "ecs": { + "version": "8.11.0" + }, + "email": { + "attachments": [ + { + "file": { + "extension": "zip", + "hash": { + "md5": "baab79394970762f6ccefff87e0884ac", + "sha1": "08a3037782976df0defbc4f0650d647b8696e18c", + "sha256": "2184a906a8f705269be0ed65b25c0ecde9cd3bbe0bdadbe1e86492a7ce073c32" + }, + "name": "WinZip Attachments.zip" + } + } + ] + }, + "event": { + "category": [ + "email" + ], + "created": "2024-11-14T22:04:26.000Z", + "original": "{\"_offset\":72919,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"aggregateId\":\"pZrAa9HUN-WmL2AK6cWduw_1731621818\",\"fileExtension\":\"zip\",\"fileName\":\"WinZip 
Attachments.zip\",\"md5\":\"baab79394970762f6ccefff87e0884ac\",\"processingId\":\"b3vNsa7MZl72FJW_mbEr0ZX-iohNRCrOQ-BimNV1q9Q_1731621818\",\"sha1\":\"08a3037782976df0defbc4f0650d647b8696e18c\",\"sha256\":\"2184a906a8f705269be0ed65b25c0ecde9cd3bbe0bdadbe1e86492a7ce073c32\",\"subtype\":null,\"timestamp\":1731621866000,\"type\":\"attachment protect\"}", + "outcome": "unknown" + }, + "mimecast": { + "accountId": "CUSB4A274", + "aggregateId": "pZrAa9HUN-WmL2AK6cWduw_1731621818", + "log_type": "attachment-protect", + "processingId": "b3vNsa7MZl72FJW_mbEr0ZX-iohNRCrOQ-BimNV1q9Q_1731621818" + }, + "related": { + "hash": [ + "08a3037782976df0defbc4f0650d647b8696e18c", + "2184a906a8f705269be0ed65b25c0ecde9cd3bbe0bdadbe1e86492a7ce073c32", + "baab79394970762f6ccefff87e0884ac" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-11-14T22:04:26.024Z", + "ecs": { + "version": "8.11.0" + }, + "email": { + "attachments": [ + { + "file": { + "extension": "zip", + "hash": { + "md5": "baab79394970762f6ccefff87e0884ac", + "sha1": "08a3037782976df0defbc4f0650d647b8696e18c", + "sha256": "2184a906a8f705269be0ed65b25c0ecde9cd3bbe0bdadbe1e86492a7ce073c32" + }, + "name": "WinZip Attachments.zip" + } + } + ] + }, + "event": { + "category": [ + "email" + ], + "created": "2024-11-14T22:04:26.024Z", + "original": "{\"_offset\":72919,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"aggregateId\":\"pZrAa9HUN-WmL2AK6cWduw_1731621818\",\"fileExtension\":\"zip\",\"fileName\":\"WinZip Attachments.zip\",\"md5\":\"baab79394970762f6ccefff87e0884ac\",\"processingId\":\"mLgUT0pGSr_N7iwZQw_rR_JZltfI6rd_ntlmS6_ERBo_1731621818\",\"sha1\":\"08a3037782976df0defbc4f0650d647b8696e18c\",\"sha256\":\"2184a906a8f705269be0ed65b25c0ecde9cd3bbe0bdadbe1e86492a7ce073c32\",\"subtype\":null,\"timestamp\":1731621866024,\"type\":\"attachment protect\"}", + "outcome": "unknown" + }, + "mimecast": { + "accountId": "CUSB4A274", + "aggregateId": "pZrAa9HUN-WmL2AK6cWduw_1731621818", + "log_type": 
"attachment-protect", + "processingId": "mLgUT0pGSr_N7iwZQw_rR_JZltfI6rd_ntlmS6_ERBo_1731621818" + }, + "related": { + "hash": [ + "08a3037782976df0defbc4f0650d647b8696e18c", + "2184a906a8f705269be0ed65b25c0ecde9cd3bbe0bdadbe1e86492a7ce073c32", + "baab79394970762f6ccefff87e0884ac" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-11-14T22:04:26.000Z", + "ecs": { + "version": "8.11.0" + }, + "email": { + "attachments": [ + { + "file": { + "extension": "zip", + "hash": { + "md5": "baab79394970762f6ccefff87e0884ac", + "sha1": "08a3037782976df0defbc4f0650d647b8696e18c", + "sha256": "2184a906a8f705269be0ed65b25c0ecde9cd3bbe0bdadbe1e86492a7ce073c32" + }, + "name": "WinZip Attachments.zip" + } + } + ] + }, + "event": { + "category": [ + "email" + ], + "created": "2024-11-14T22:04:26.000Z", + "original": "{\"_offset\":72919,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"aggregateId\":\"pZrAa9HUN-WmL2AK6cWduw_1731621818\",\"fileExtension\":\"zip\",\"fileName\":\"WinZip Attachments.zip\",\"md5\":\"baab79394970762f6ccefff87e0884ac\",\"processingId\":\"6czskzJMohlaUKVhot_uqpWCnSxbrpxHOmIbcab2cz8_1731621818\",\"sha1\":\"08a3037782976df0defbc4f0650d647b8696e18c\",\"sha256\":\"2184a906a8f705269be0ed65b25c0ecde9cd3bbe0bdadbe1e86492a7ce073c32\",\"subtype\":null,\"timestamp\":1731621866000,\"type\":\"attachment protect\"}", + "outcome": "unknown" + }, + "mimecast": { + "accountId": "CUSB4A274", + "aggregateId": "pZrAa9HUN-WmL2AK6cWduw_1731621818", + "log_type": "attachment-protect", + "processingId": "6czskzJMohlaUKVhot_uqpWCnSxbrpxHOmIbcab2cz8_1731621818" + }, + "related": { + "hash": [ + "08a3037782976df0defbc4f0650d647b8696e18c", + "2184a906a8f705269be0ed65b25c0ecde9cd3bbe0bdadbe1e86492a7ce073c32", + "baab79394970762f6ccefff87e0884ac" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-11-14T22:04:26.002Z", + "ecs": { + "version": "8.11.0" + }, + "email": { + "attachments": [ + { + "file": { + "extension": "zip", 
+ "hash": { + "md5": "baab79394970762f6ccefff87e0884ac", + "sha1": "08a3037782976df0defbc4f0650d647b8696e18c", + "sha256": "2184a906a8f705269be0ed65b25c0ecde9cd3bbe0bdadbe1e86492a7ce073c32" + }, + "name": "WinZip Attachments.zip" + } + } + ] + }, + "event": { + "category": [ + "email" + ], + "created": "2024-11-14T22:04:26.002Z", + "original": "{\"_offset\":72919,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"aggregateId\":\"pZrAa9HUN-WmL2AK6cWduw_1731621818\",\"fileExtension\":\"zip\",\"fileName\":\"WinZip Attachments.zip\",\"md5\":\"baab79394970762f6ccefff87e0884ac\",\"processingId\":\"MyaowWrjsmqCAoLpEyL5HV1AZ8jx5ktpfR1F-y8u49k_1731621818\",\"sha1\":\"08a3037782976df0defbc4f0650d647b8696e18c\",\"sha256\":\"2184a906a8f705269be0ed65b25c0ecde9cd3bbe0bdadbe1e86492a7ce073c32\",\"subtype\":null,\"timestamp\":1731621866002,\"type\":\"attachment protect\"}", + "outcome": "unknown" + }, + "mimecast": { + "accountId": "CUSB4A274", + "aggregateId": "pZrAa9HUN-WmL2AK6cWduw_1731621818", + "log_type": "attachment-protect", + "processingId": "MyaowWrjsmqCAoLpEyL5HV1AZ8jx5ktpfR1F-y8u49k_1731621818" + }, + "related": { + "hash": [ + "08a3037782976df0defbc4f0650d647b8696e18c", + "2184a906a8f705269be0ed65b25c0ecde9cd3bbe0bdadbe1e86492a7ce073c32", + "baab79394970762f6ccefff87e0884ac" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-11-14T22:04:26.010Z", + "ecs": { + "version": "8.11.0" + }, + "email": { + "attachments": [ + { + "file": { + "extension": "zip", + "hash": { + "md5": "baab79394970762f6ccefff87e0884ac", + "sha1": "08a3037782976df0defbc4f0650d647b8696e18c", + "sha256": "2184a906a8f705269be0ed65b25c0ecde9cd3bbe0bdadbe1e86492a7ce073c32" + }, + "name": "WinZip Attachments.zip" + } + } + ] + }, + "event": { + "category": [ + "email" + ], + "created": "2024-11-14T22:04:26.010Z", + "original": 
"{\"_offset\":72919,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"aggregateId\":\"pZrAa9HUN-WmL2AK6cWduw_1731621818\",\"fileExtension\":\"zip\",\"fileName\":\"WinZip Attachments.zip\",\"md5\":\"baab79394970762f6ccefff87e0884ac\",\"processingId\":\"A1JuZjnL7y-1hP0ArmGTNUqqex9NU62N18z_QlPirAY_1731621818\",\"sha1\":\"08a3037782976df0defbc4f0650d647b8696e18c\",\"sha256\":\"2184a906a8f705269be0ed65b25c0ecde9cd3bbe0bdadbe1e86492a7ce073c32\",\"subtype\":null,\"timestamp\":1731621866010,\"type\":\"attachment protect\"}", + "outcome": "unknown" + }, + "mimecast": { + "accountId": "CUSB4A274", + "aggregateId": "pZrAa9HUN-WmL2AK6cWduw_1731621818", + "log_type": "attachment-protect", + "processingId": "A1JuZjnL7y-1hP0ArmGTNUqqex9NU62N18z_QlPirAY_1731621818" + }, + "related": { + "hash": [ + "08a3037782976df0defbc4f0650d647b8696e18c", + "2184a906a8f705269be0ed65b25c0ecde9cd3bbe0bdadbe1e86492a7ce073c32", + "baab79394970762f6ccefff87e0884ac" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-11-14T22:04:26.018Z", + "ecs": { + "version": "8.11.0" + }, + "email": { + "attachments": [ + { + "file": { + "extension": "zip", + "hash": { + "md5": "baab79394970762f6ccefff87e0884ac", + "sha1": "08a3037782976df0defbc4f0650d647b8696e18c", + "sha256": "2184a906a8f705269be0ed65b25c0ecde9cd3bbe0bdadbe1e86492a7ce073c32" + }, + "name": "WinZip Attachments.zip" + } + } + ] + }, + "event": { + "category": [ + "email" + ], + "created": "2024-11-14T22:04:26.018Z", + "original": "{\"_offset\":72919,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"aggregateId\":\"pZrAa9HUN-WmL2AK6cWduw_1731621818\",\"fileExtension\":\"zip\",\"fileName\":\"WinZip 
Attachments.zip\",\"md5\":\"baab79394970762f6ccefff87e0884ac\",\"processingId\":\"G0_0M5x6QhE_UvSS0Wv0HzUDdWlgNBONhtSHHsrKznA_1731621818\",\"sha1\":\"08a3037782976df0defbc4f0650d647b8696e18c\",\"sha256\":\"2184a906a8f705269be0ed65b25c0ecde9cd3bbe0bdadbe1e86492a7ce073c32\",\"subtype\":null,\"timestamp\":1731621866018,\"type\":\"attachment protect\"}", + "outcome": "unknown" + }, + "mimecast": { + "accountId": "CUSB4A274", + "aggregateId": "pZrAa9HUN-WmL2AK6cWduw_1731621818", + "log_type": "attachment-protect", + "processingId": "G0_0M5x6QhE_UvSS0Wv0HzUDdWlgNBONhtSHHsrKznA_1731621818" + }, + "related": { + "hash": [ + "08a3037782976df0defbc4f0650d647b8696e18c", + "2184a906a8f705269be0ed65b25c0ecde9cd3bbe0bdadbe1e86492a7ce073c32", + "baab79394970762f6ccefff87e0884ac" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-11-13T12:28:01.660Z", + "ecs": { + "version": "8.11.0" + }, + "email": { + "attachments": [ + { + "file": { + "extension": "pdf", + "hash": { + "md5": "66f03bf072a74bb19db16c952ba3dc47", + "sha1": "ce87cd86f9d9d3ed4c1138530ef259ce83638593", + "sha256": "22a65c438289353d96c707cf55e26be723e3157f0aa00734843a9bdc8f98bab0" + }, + "name": "zero-day.pdf" + } + } + ] + }, + "event": { + "category": [ + "email" + ], + "created": "2024-11-13T12:28:01.660Z", + "original": "{\"_offset\":71219,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"aggregateId\":\"auzof_uINcO0Z8DvryMngw_1731500878\",\"fileExtension\":\"pdf\",\"fileName\":\"zero-day.pdf\",\"md5\":\"66f03bf072a74bb19db16c952ba3dc47\",\"processingId\":\"0fD129nTUvY0qRAuLALbD7HpiV_4kWYEvyJjldHOOaU_1731500878\",\"sha1\":\"ce87cd86f9d9d3ed4c1138530ef259ce83638593\",\"sha256\":\"22a65c438289353d96c707cf55e26be723e3157f0aa00734843a9bdc8f98bab0\",\"subtype\":null,\"timestamp\":1731500881660,\"type\":\"attachment protect\"}", + "outcome": "unknown" + }, + "mimecast": { + "accountId": "CUSB4A274", + "aggregateId": "auzof_uINcO0Z8DvryMngw_1731500878", + "log_type": "attachment-protect", + 
"processingId": "0fD129nTUvY0qRAuLALbD7HpiV_4kWYEvyJjldHOOaU_1731500878" + }, + "related": { + "hash": [ + "ce87cd86f9d9d3ed4c1138530ef259ce83638593", + "22a65c438289353d96c707cf55e26be723e3157f0aa00734843a9bdc8f98bab0", + "66f03bf072a74bb19db16c952ba3dc47" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-11-12T22:44:08.010Z", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.11.0" + }, + "email": { + "attachments": [ + { + "file": { + "size": 0 + } + } + ], + "direction": "internal", + "from": { + "address": [ + "postmaster@demo-int.elastic.mime-api.com" + ] + }, + "message_id": "<27856769-1731451446596@usb-mta-24.usb.mimecast.lan>", + "subject": "We found suspicious files in a message", + "to": { + "address": [ + "veronica.espinoza@demo-int.elastic.mime-api.com" + ] + } + }, + "event": { + "category": [ + "email" + ], + "created": "2024-11-12T22:44:08.010Z", + "original": "{\"Hostname\":\"ha.hamilton321.net\",\"_offset\":70901,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"aggregateId\":\"x0J66B7HOZCFDsdRtjBrdg\",\"delivered\":\"true\",\"deliveryAttempts\":\"1\",\"deliveryErrors\":null,\"deliveryTime\":\"1633\",\"destinationIp\":\"81.2.69.144\",\"direction\":\"Internal\",\"emailSize\":\"31363\",\"messageId\":\"<27856769-1731451446596@usb-mta-24.usb.mimecast.lan>\",\"numberAttachments\":\"0\",\"processingId\":\"LcoZUvowTgh0_A1V-OdChmPWPlyI1gOurfQRUFoRMZk\",\"recipients\":\"veronica.espinoza@demo-int.elastic.mime-api.com\",\"rejectionCode\":null,\"rejectionInfo\":null,\"rejectionType\":null,\"route\":\"Accept and drop messages\",\"senderEnvelope\":\"postmaster@demo-int.elastic.mime-api.com\",\"subject\":\"We found suspicious files in a 
message\",\"subtype\":\"true\",\"timestamp\":1731451448010,\"tlsCipher\":null,\"tlsUsed\":\"No\",\"tlsVersion\":null,\"totalSizeAttachments\":\"0\",\"type\":\"delivery\"}", + "outcome": "unknown" + }, + "mimecast": { + "Hostname": "ha.hamilton321.net", + "accountId": "CUSB4A274", + "aggregateId": "x0J66B7HOZCFDsdRtjBrdg", + "delivered": "true", + "deliveryAttempts": "1", + "deliveryTime": "1633", + "emailSize": "31363", + "log_type": "delivery", + "numberAttachments": "0", + "processingId": "LcoZUvowTgh0_A1V-OdChmPWPlyI1gOurfQRUFoRMZk", + "route": "Accept and drop messages", + "subtype": "true" + }, + "related": { + "hosts": [ + "ha.hamilton321.net" + ], + "user": [ + "postmaster@demo-int.elastic.mime-api.com", + "veronica.espinoza@demo-int.elastic.mime-api.com" + ] + }, + "tags": [ + "preserve_original_event" + ], + "tls": { + "established": false + } + }, + { + "@timestamp": "2024-11-12T22:45:51.351Z", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.11.0" + }, + "email": { + "attachments": [ + { + "file": { + "size": 0 + } + } + ], + "direction": "internal", + "from": { + "address": [ + "postmaster@demo-int.elastic.mime-api.com" + ] + }, + "message_id": "<27856818-1731451550340@usb-mta-10.usb.mimecast.lan>", + "subject": "We found suspicious files in a message", + "to": { + "address": [ + "veronica.espinoza@demo-int.elastic.mime-api.com" + ] + } + }, + "event": { + "category": [ + "email" + ], + "created": "2024-11-12T22:45:51.351Z", + "original": 
"{\"Hostname\":\"ha.hamilton321.net\",\"_offset\":70911,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"aggregateId\":\"x0J66B7HOZCFDsdRtjBrdg\",\"delivered\":\"true\",\"deliveryAttempts\":\"1\",\"deliveryErrors\":null,\"deliveryTime\":\"1120\",\"destinationIp\":\"81.2.69.144\",\"direction\":\"Internal\",\"emailSize\":\"31363\",\"messageId\":\"<27856818-1731451550340@usb-mta-10.usb.mimecast.lan>\",\"numberAttachments\":\"0\",\"processingId\":\"LcoZUvowTgh0_A1V-OdChmPWPlyI1gOurfQRUFoRMZk\",\"recipients\":\"veronica.espinoza@demo-int.elastic.mime-api.com\",\"rejectionCode\":null,\"rejectionInfo\":null,\"rejectionType\":null,\"route\":\"Accept and drop messages\",\"senderEnvelope\":\"postmaster@demo-int.elastic.mime-api.com\",\"subject\":\"We found suspicious files in a message\",\"subtype\":\"true\",\"timestamp\":1731451551351,\"tlsCipher\":null,\"tlsUsed\":\"No\",\"tlsVersion\":null,\"totalSizeAttachments\":\"0\",\"type\":\"delivery\"}", + "outcome": "unknown" + }, + "mimecast": { + "Hostname": "ha.hamilton321.net", + "accountId": "CUSB4A274", + "aggregateId": "x0J66B7HOZCFDsdRtjBrdg", + "delivered": "true", + "deliveryAttempts": "1", + "deliveryTime": "1120", + "emailSize": "31363", + "log_type": "delivery", + "numberAttachments": "0", + "processingId": "LcoZUvowTgh0_A1V-OdChmPWPlyI1gOurfQRUFoRMZk", + "route": "Accept and drop messages", + "subtype": "true" + }, + "related": { + "hosts": [ + "ha.hamilton321.net" + ], + "user": [ + "postmaster@demo-int.elastic.mime-api.com", + "veronica.espinoza@demo-int.elastic.mime-api.com" + ] + }, + "tags": [ + "preserve_original_event" + ], + "tls": { + "established": false + } + }, + { + "@timestamp": "2024-11-12T22:45:43.357Z", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": 
{ + "version": "8.11.0" + }, + "email": { + "attachments": [ + { + "file": { + "size": 0 + } + } + ], + "direction": "internal", + "from": { + "address": [ + "postmaster@demo-int.elastic.mime-api.com" + ] + }, + "message_id": "<27856880-1731451542362@usb-mta-26.usb.mimecast.lan>", + "subject": "We found suspicious files in a message", + "to": { + "address": [ + "veronica.espinoza@demo-int.elastic.mime-api.com" + ] + } + }, + "event": { + "category": [ + "email" + ], + "created": "2024-11-12T22:45:43.357Z", + "original": "{\"Hostname\":\"ha.hamilton321.net\",\"_offset\":70909,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"aggregateId\":\"x0J66B7HOZCFDsdRtjBrdg\",\"delivered\":\"true\",\"deliveryAttempts\":\"1\",\"deliveryErrors\":null,\"deliveryTime\":\"1103\",\"destinationIp\":\"81.2.69.144\",\"direction\":\"Internal\",\"emailSize\":\"31363\",\"messageId\":\"<27856880-1731451542362@usb-mta-26.usb.mimecast.lan>\",\"numberAttachments\":\"0\",\"processingId\":\"LcoZUvowTgh0_A1V-OdChmPWPlyI1gOurfQRUFoRMZk\",\"recipients\":\"veronica.espinoza@demo-int.elastic.mime-api.com\",\"rejectionCode\":null,\"rejectionInfo\":null,\"rejectionType\":null,\"route\":\"Accept and drop messages\",\"senderEnvelope\":\"postmaster@demo-int.elastic.mime-api.com\",\"subject\":\"We found suspicious files in a message\",\"subtype\":\"true\",\"timestamp\":1731451543357,\"tlsCipher\":null,\"tlsUsed\":\"No\",\"tlsVersion\":null,\"totalSizeAttachments\":\"0\",\"type\":\"delivery\"}", + "outcome": "unknown" + }, + "mimecast": { + "Hostname": "ha.hamilton321.net", + "accountId": "CUSB4A274", + "aggregateId": "x0J66B7HOZCFDsdRtjBrdg", + "delivered": "true", + "deliveryAttempts": "1", + "deliveryTime": "1103", + "emailSize": "31363", + "log_type": "delivery", + "numberAttachments": "0", + "processingId": "LcoZUvowTgh0_A1V-OdChmPWPlyI1gOurfQRUFoRMZk", + "route": "Accept and drop messages", + "subtype": "true" + }, + "related": { + "hosts": [ + "ha.hamilton321.net" + ], + "user": [ + 
"postmaster@demo-int.elastic.mime-api.com", + "veronica.espinoza@demo-int.elastic.mime-api.com" + ] + }, + "tags": [ + "preserve_original_event" + ], + "tls": { + "established": false + } + }, + { + "@timestamp": "2024-11-12T22:45:51.563Z", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.11.0" + }, + "email": { + "attachments": [ + { + "file": { + "size": 0 + } + } + ], + "direction": "internal", + "from": { + "address": [ + "postmaster@demo-int.elastic.mime-api.com" + ] + }, + "message_id": "<27856845-1731451550567@usb-mta-40.usb.mimecast.lan>", + "subject": "We found suspicious files in a message", + "to": { + "address": [ + "veronica.espinoza@demo-int.elastic.mime-api.com" + ] + } + }, + "event": { + "category": [ + "email" + ], + "created": "2024-11-12T22:45:51.563Z", + "original": "{\"Hostname\":\"ha.hamilton321.net\",\"_offset\":70910,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"aggregateId\":\"x0J66B7HOZCFDsdRtjBrdg\",\"delivered\":\"true\",\"deliveryAttempts\":\"1\",\"deliveryErrors\":null,\"deliveryTime\":\"1074\",\"destinationIp\":\"81.2.69.144\",\"direction\":\"Internal\",\"emailSize\":\"31363\",\"messageId\":\"<27856845-1731451550567@usb-mta-40.usb.mimecast.lan>\",\"numberAttachments\":\"0\",\"processingId\":\"LcoZUvowTgh0_A1V-OdChmPWPlyI1gOurfQRUFoRMZk\",\"recipients\":\"veronica.espinoza@demo-int.elastic.mime-api.com\",\"rejectionCode\":null,\"rejectionInfo\":null,\"rejectionType\":null,\"route\":\"Accept and drop messages\",\"senderEnvelope\":\"postmaster@demo-int.elastic.mime-api.com\",\"subject\":\"We found suspicious files in a 
message\",\"subtype\":\"true\",\"timestamp\":1731451551563,\"tlsCipher\":null,\"tlsUsed\":\"No\",\"tlsVersion\":null,\"totalSizeAttachments\":\"0\",\"type\":\"delivery\"}", + "outcome": "unknown" + }, + "mimecast": { + "Hostname": "ha.hamilton321.net", + "accountId": "CUSB4A274", + "aggregateId": "x0J66B7HOZCFDsdRtjBrdg", + "delivered": "true", + "deliveryAttempts": "1", + "deliveryTime": "1074", + "emailSize": "31363", + "log_type": "delivery", + "numberAttachments": "0", + "processingId": "LcoZUvowTgh0_A1V-OdChmPWPlyI1gOurfQRUFoRMZk", + "route": "Accept and drop messages", + "subtype": "true" + }, + "related": { + "hosts": [ + "ha.hamilton321.net" + ], + "user": [ + "postmaster@demo-int.elastic.mime-api.com", + "veronica.espinoza@demo-int.elastic.mime-api.com" + ] + }, + "tags": [ + "preserve_original_event" + ], + "tls": { + "established": false + } + }, + { + "@timestamp": "2024-11-12T22:44:18.746Z", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.11.0" + }, + "email": { + "attachments": [ + { + "file": { + "size": 0 + } + } + ], + "direction": "internal", + "from": { + "address": [ + "postmaster@demo-int.elastic.mime-api.com" + ] + }, + "message_id": "<27856888-1731451457644@usb-mta-40.usb.mimecast.lan>", + "subject": "We found suspicious files in a message", + "to": { + "address": [ + "veronica.espinoza@demo-int.elastic.mime-api.com" + ] + } + }, + "event": { + "category": [ + "email" + ], + "created": "2024-11-12T22:44:18.746Z", + "original": 
"{\"Hostname\":\"ha.hamilton321.net\",\"_offset\":70900,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"aggregateId\":\"x0J66B7HOZCFDsdRtjBrdg\",\"delivered\":\"true\",\"deliveryAttempts\":\"1\",\"deliveryErrors\":null,\"deliveryTime\":\"1268\",\"destinationIp\":\"81.2.69.144\",\"direction\":\"Internal\",\"emailSize\":\"31363\",\"messageId\":\"<27856888-1731451457644@usb-mta-40.usb.mimecast.lan>\",\"numberAttachments\":\"0\",\"processingId\":\"LcoZUvowTgh0_A1V-OdChmPWPlyI1gOurfQRUFoRMZk\",\"recipients\":\"veronica.espinoza@demo-int.elastic.mime-api.com\",\"rejectionCode\":null,\"rejectionInfo\":null,\"rejectionType\":null,\"route\":\"Accept and drop messages\",\"senderEnvelope\":\"postmaster@demo-int.elastic.mime-api.com\",\"subject\":\"We found suspicious files in a message\",\"subtype\":\"true\",\"timestamp\":1731451458746,\"tlsCipher\":null,\"tlsUsed\":\"No\",\"tlsVersion\":null,\"totalSizeAttachments\":\"0\",\"type\":\"delivery\"}", + "outcome": "unknown" + }, + "mimecast": { + "Hostname": "ha.hamilton321.net", + "accountId": "CUSB4A274", + "aggregateId": "x0J66B7HOZCFDsdRtjBrdg", + "delivered": "true", + "deliveryAttempts": "1", + "deliveryTime": "1268", + "emailSize": "31363", + "log_type": "delivery", + "numberAttachments": "0", + "processingId": "LcoZUvowTgh0_A1V-OdChmPWPlyI1gOurfQRUFoRMZk", + "route": "Accept and drop messages", + "subtype": "true" + }, + "related": { + "hosts": [ + "ha.hamilton321.net" + ], + "user": [ + "postmaster@demo-int.elastic.mime-api.com", + "veronica.espinoza@demo-int.elastic.mime-api.com" + ] + }, + "tags": [ + "preserve_original_event" + ], + "tls": { + "established": false + } + }, + { + "@timestamp": "2024-11-12T22:46:01.805Z", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": 
{ + "version": "8.11.0" + }, + "email": { + "attachments": [ + { + "file": { + "size": 0 + } + } + ], + "direction": "internal", + "from": { + "address": [ + "postmaster@demo-int.elastic.mime-api.com" + ] + }, + "message_id": "<27856806-1731451560812@usb-mta-26.usb.mimecast.lan>", + "subject": "We found suspicious files in a message", + "to": { + "address": [ + "veronica.espinoza@demo-int.elastic.mime-api.com" + ] + } + }, + "event": { + "category": [ + "email" + ], + "created": "2024-11-12T22:46:01.805Z", + "original": "{\"Hostname\":\"ha.hamilton321.net\",\"_offset\":70910,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"aggregateId\":\"x0J66B7HOZCFDsdRtjBrdg\",\"delivered\":\"true\",\"deliveryAttempts\":\"1\",\"deliveryErrors\":null,\"deliveryTime\":\"1109\",\"destinationIp\":\"81.2.69.144\",\"direction\":\"Internal\",\"emailSize\":\"31363\",\"messageId\":\"<27856806-1731451560812@usb-mta-26.usb.mimecast.lan>\",\"numberAttachments\":\"0\",\"processingId\":\"LcoZUvowTgh0_A1V-OdChmPWPlyI1gOurfQRUFoRMZk\",\"recipients\":\"veronica.espinoza@demo-int.elastic.mime-api.com\",\"rejectionCode\":null,\"rejectionInfo\":null,\"rejectionType\":null,\"route\":\"Accept and drop messages\",\"senderEnvelope\":\"postmaster@demo-int.elastic.mime-api.com\",\"subject\":\"We found suspicious files in a message\",\"subtype\":\"true\",\"timestamp\":1731451561805,\"tlsCipher\":null,\"tlsUsed\":\"No\",\"tlsVersion\":null,\"totalSizeAttachments\":\"0\",\"type\":\"delivery\"}", + "outcome": "unknown" + }, + "mimecast": { + "Hostname": "ha.hamilton321.net", + "accountId": "CUSB4A274", + "aggregateId": "x0J66B7HOZCFDsdRtjBrdg", + "delivered": "true", + "deliveryAttempts": "1", + "deliveryTime": "1109", + "emailSize": "31363", + "log_type": "delivery", + "numberAttachments": "0", + "processingId": "LcoZUvowTgh0_A1V-OdChmPWPlyI1gOurfQRUFoRMZk", + "route": "Accept and drop messages", + "subtype": "true" + }, + "related": { + "hosts": [ + "ha.hamilton321.net" + ], + "user": [ + 
"postmaster@demo-int.elastic.mime-api.com", + "veronica.espinoza@demo-int.elastic.mime-api.com" + ] + }, + "tags": [ + "preserve_original_event" + ], + "tls": { + "established": false + } + }, + { + "@timestamp": "2024-11-13T01:15:02.392Z", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.11.0" + }, + "email": { + "attachments": [ + { + "file": { + "size": 0 + } + } + ], + "direction": "inbound", + "from": { + "address": [ + "richard.costigan@arcadia-group.b41.one" + ] + }, + "message_id": "<0f94646af53b06e4-170077@hapi.b41.one>", + "subject": "Energy Briefing paper for Monday, May 21st", + "to": { + "address": [ + "richard.costigan@demo-int.elastic.mime-api.com" + ] + } + }, + "event": { + "category": [ + "email" + ], + "created": "2024-11-13T01:15:02.392Z", + "original": "{\"Hostname\":\"ha.hamilton321.net\",\"_offset\":70998,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"aggregateId\":\"aa3dEs_GMim451MhiRrJ9w_1731450139\",\"delivered\":\"true\",\"deliveryAttempts\":\"1\",\"deliveryErrors\":null,\"deliveryTime\":\"10362852\",\"destinationIp\":\"81.2.69.144\",\"direction\":\"Inbound\",\"emailSize\":\"4031\",\"messageId\":\"<0f94646af53b06e4-170077@hapi.b41.one>\",\"numberAttachments\":\"0\",\"processingId\":\"7Yn6wtD2mT-o3y2anz4Z28snYYvG6yePYw6n50e9VBo_1731450139\",\"recipients\":\"richard.costigan@demo-int.elastic.mime-api.com\",\"rejectionCode\":null,\"rejectionInfo\":null,\"rejectionType\":null,\"route\":\"Accept and drop messages\",\"senderEnvelope\":\"richard.costigan@arcadia-group.b41.one\",\"subject\":\"Energy Briefing paper for Monday, May 
21st\",\"subtype\":\"true\",\"timestamp\":1731460502392,\"tlsCipher\":null,\"tlsUsed\":\"No\",\"tlsVersion\":null,\"totalSizeAttachments\":\"0\",\"type\":\"delivery\"}", + "outcome": "unknown" + }, + "mimecast": { + "Hostname": "ha.hamilton321.net", + "accountId": "CUSB4A274", + "aggregateId": "aa3dEs_GMim451MhiRrJ9w_1731450139", + "delivered": "true", + "deliveryAttempts": "1", + "deliveryTime": "10362852", + "emailSize": "4031", + "log_type": "delivery", + "numberAttachments": "0", + "processingId": "7Yn6wtD2mT-o3y2anz4Z28snYYvG6yePYw6n50e9VBo_1731450139", + "route": "Accept and drop messages", + "subtype": "true" + }, + "related": { + "hosts": [ + "ha.hamilton321.net" + ], + "user": [ + "richard.costigan@arcadia-group.b41.one", + "richard.costigan@demo-int.elastic.mime-api.com" + ] + }, + "tags": [ + "preserve_original_event" + ], + "tls": { + "established": false + } + }, + { + "@timestamp": "2024-11-12T22:44:07.715Z", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.11.0" + }, + "email": { + "attachments": [ + { + "file": { + "size": 0 + } + } + ], + "direction": "internal", + "from": { + "address": [ + "postmaster@demo-int.elastic.mime-api.com" + ] + }, + "message_id": "<27856767-1731451446559@usb-mta-24.usb.mimecast.lan>", + "subject": "We found suspicious files in a message", + "to": { + "address": [ + "veronica.espinoza@demo-int.elastic.mime-api.com" + ] + } + }, + "event": { + "category": [ + "email" + ], + "created": "2024-11-12T22:44:07.715Z", + "original": 
"{\"Hostname\":\"ha.hamilton321.net\",\"_offset\":70901,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"aggregateId\":\"x0J66B7HOZCFDsdRtjBrdg\",\"delivered\":\"true\",\"deliveryAttempts\":\"1\",\"deliveryErrors\":null,\"deliveryTime\":\"1338\",\"destinationIp\":\"81.2.69.144\",\"direction\":\"Internal\",\"emailSize\":\"31363\",\"messageId\":\"<27856767-1731451446559@usb-mta-24.usb.mimecast.lan>\",\"numberAttachments\":\"0\",\"processingId\":\"LcoZUvowTgh0_A1V-OdChmPWPlyI1gOurfQRUFoRMZk\",\"recipients\":\"veronica.espinoza@demo-int.elastic.mime-api.com\",\"rejectionCode\":null,\"rejectionInfo\":null,\"rejectionType\":null,\"route\":\"Accept and drop messages\",\"senderEnvelope\":\"postmaster@demo-int.elastic.mime-api.com\",\"subject\":\"We found suspicious files in a message\",\"subtype\":\"true\",\"timestamp\":1731451447715,\"tlsCipher\":null,\"tlsUsed\":\"No\",\"tlsVersion\":null,\"totalSizeAttachments\":\"0\",\"type\":\"delivery\"}", + "outcome": "unknown" + }, + "mimecast": { + "Hostname": "ha.hamilton321.net", + "accountId": "CUSB4A274", + "aggregateId": "x0J66B7HOZCFDsdRtjBrdg", + "delivered": "true", + "deliveryAttempts": "1", + "deliveryTime": "1338", + "emailSize": "31363", + "log_type": "delivery", + "numberAttachments": "0", + "processingId": "LcoZUvowTgh0_A1V-OdChmPWPlyI1gOurfQRUFoRMZk", + "route": "Accept and drop messages", + "subtype": "true" + }, + "related": { + "hosts": [ + "ha.hamilton321.net" + ], + "user": [ + "postmaster@demo-int.elastic.mime-api.com", + "veronica.espinoza@demo-int.elastic.mime-api.com" + ] + }, + "tags": [ + "preserve_original_event" + ], + "tls": { + "established": false + } + }, + { + "@timestamp": "2024-11-12T22:44:10.737Z", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": 
{ + "version": "8.11.0" + }, + "email": { + "attachments": [ + { + "file": { + "size": 0 + } + } + ], + "direction": "internal", + "from": { + "address": [ + "postmaster@demo-int.elastic.mime-api.com" + ] + }, + "message_id": "<27856817-1731451449648@usb-mta-22.usb.mimecast.lan>", + "subject": "We found suspicious files in a message", + "to": { + "address": [ + "veronica.espinoza@demo-int.elastic.mime-api.com" + ] + } + }, + "event": { + "category": [ + "email" + ], + "created": "2024-11-12T22:44:10.737Z", + "original": "{\"Hostname\":\"ha.hamilton321.net\",\"_offset\":70900,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"aggregateId\":\"x0J66B7HOZCFDsdRtjBrdg\",\"delivered\":\"true\",\"deliveryAttempts\":\"1\",\"deliveryErrors\":null,\"deliveryTime\":\"1305\",\"destinationIp\":\"81.2.69.144\",\"direction\":\"Internal\",\"emailSize\":\"31363\",\"messageId\":\"<27856817-1731451449648@usb-mta-22.usb.mimecast.lan>\",\"numberAttachments\":\"0\",\"processingId\":\"LcoZUvowTgh0_A1V-OdChmPWPlyI1gOurfQRUFoRMZk\",\"recipients\":\"veronica.espinoza@demo-int.elastic.mime-api.com\",\"rejectionCode\":null,\"rejectionInfo\":null,\"rejectionType\":null,\"route\":\"Accept and drop messages\",\"senderEnvelope\":\"postmaster@demo-int.elastic.mime-api.com\",\"subject\":\"We found suspicious files in a message\",\"subtype\":\"true\",\"timestamp\":1731451450737,\"tlsCipher\":null,\"tlsUsed\":\"No\",\"tlsVersion\":null,\"totalSizeAttachments\":\"0\",\"type\":\"delivery\"}", + "outcome": "unknown" + }, + "mimecast": { + "Hostname": "ha.hamilton321.net", + "accountId": "CUSB4A274", + "aggregateId": "x0J66B7HOZCFDsdRtjBrdg", + "delivered": "true", + "deliveryAttempts": "1", + "deliveryTime": "1305", + "emailSize": "31363", + "log_type": "delivery", + "numberAttachments": "0", + "processingId": "LcoZUvowTgh0_A1V-OdChmPWPlyI1gOurfQRUFoRMZk", + "route": "Accept and drop messages", + "subtype": "true" + }, + "related": { + "hosts": [ + "ha.hamilton321.net" + ], + "user": [ + 
"postmaster@demo-int.elastic.mime-api.com", + "veronica.espinoza@demo-int.elastic.mime-api.com" + ] + }, + "tags": [ + "preserve_original_event" + ], + "tls": { + "established": false + } + }, + { + "@timestamp": "2024-11-12T22:44:18.547Z", + "destination": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "ecs": { + "version": "8.11.0" + }, + "email": { + "attachments": [ + { + "file": { + "size": 0 + } + } + ], + "direction": "internal", + "from": { + "address": [ + "postmaster@demo-int.elastic.mime-api.com" + ] + }, + "message_id": "<27856894-1731451457506@usb-mta-26.usb.mimecast.lan>", + "subject": "We found suspicious files in a message", + "to": { + "address": [ + "veronica.espinoza@demo-int.elastic.mime-api.com" + ] + } + }, + "event": { + "category": [ + "email" + ], + "created": "2024-11-12T22:44:18.547Z", + "original": "{\"Hostname\":\"ha.hamilton321.net\",\"_offset\":70902,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"aggregateId\":\"x0J66B7HOZCFDsdRtjBrdg\",\"delivered\":\"true\",\"deliveryAttempts\":\"1\",\"deliveryErrors\":null,\"deliveryTime\":\"1195\",\"destinationIp\":\"81.2.69.144\",\"direction\":\"Internal\",\"emailSize\":\"31363\",\"messageId\":\"<27856894-1731451457506@usb-mta-26.usb.mimecast.lan>\",\"numberAttachments\":\"0\",\"processingId\":\"LcoZUvowTgh0_A1V-OdChmPWPlyI1gOurfQRUFoRMZk\",\"recipients\":\"veronica.espinoza@demo-int.elastic.mime-api.com\",\"rejectionCode\":null,\"rejectionInfo\":null,\"rejectionType\":null,\"route\":\"Accept and drop messages\",\"senderEnvelope\":\"postmaster@demo-int.elastic.mime-api.com\",\"subject\":\"We found suspicious files in a 
message\",\"subtype\":\"true\",\"timestamp\":1731451458547,\"tlsCipher\":null,\"tlsUsed\":\"No\",\"tlsVersion\":null,\"totalSizeAttachments\":\"0\",\"type\":\"delivery\"}", + "outcome": "unknown" + }, + "mimecast": { + "Hostname": "ha.hamilton321.net", + "accountId": "CUSB4A274", + "aggregateId": "x0J66B7HOZCFDsdRtjBrdg", + "delivered": "true", + "deliveryAttempts": "1", + "deliveryTime": "1195", + "emailSize": "31363", + "log_type": "delivery", + "numberAttachments": "0", + "processingId": "LcoZUvowTgh0_A1V-OdChmPWPlyI1gOurfQRUFoRMZk", + "route": "Accept and drop messages", + "subtype": "true" + }, + "related": { + "hosts": [ + "ha.hamilton321.net" + ], + "user": [ + "postmaster@demo-int.elastic.mime-api.com", + "veronica.espinoza@demo-int.elastic.mime-api.com" + ] + }, + "tags": [ + "preserve_original_event" + ], + "tls": { + "established": false + } + }, + { + "@timestamp": "2024-11-17T17:02:30.599Z", + "ecs": { + "version": "8.11.0" + }, + "email": { + "direction": "internal", + "from": { + "address": [ + "coo.jeff@demo-int.elastic.mime-api.com" + ] + }, + "message_id": "<871dda3d6bf5107e-360815@hapi.b41.one>", + "subject": "Management Changes", + "to": { + "address": [ + "dl-ga-all_enron_worldwide1@demo-int.elastic.mime-api.com" + ] + } + }, + "event": { + "category": [ + "email" + ], + "created": "2024-11-17T17:02:30.599Z", + "original": "{\"_offset\":74462,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"aggregateId\":\"RyZVTDvJMWi-Z68ZSU9WiA_1731862947\",\"messageId\":\"<871dda3d6bf5107e-360815@hapi.b41.one>\",\"monitoredDomainSource\":null,\"processingId\":\"JOsQ81iW842NHWl0bfVsgQ0PO7JYMph14vGQhgmXV4g_1731862947\",\"recipients\":\"dl-ga-all_enron_worldwide1@demo-int.elastic.mime-api.com\",\"route\":\"Internal\",\"scanResults\":\"Blocked URL Category\",\"senderEnvelope\":\"coo.jeff@demo-int.elastic.mime-api.com\",\"similarDomain\":null,\"subject\":\"Management Changes\",\"subtype\":null,\"timestamp\":1731862950599,\"type\":\"internal email 
protect\",\"urlCategory\":\"Compromised\"}", + "outcome": "unknown" + }, + "mimecast": { + "accountId": "CUSB4A274", + "aggregateId": "RyZVTDvJMWi-Z68ZSU9WiA_1731862947", + "log_type": "internal-email-protect", + "processingId": "JOsQ81iW842NHWl0bfVsgQ0PO7JYMph14vGQhgmXV4g_1731862947", + "scanResults": "Blocked URL Category", + "urlCategory": "Compromised" + }, + "related": { + "user": [ + "coo.jeff@demo-int.elastic.mime-api.com", + "dl-ga-all_enron_worldwide1@demo-int.elastic.mime-api.com" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-11-15T19:22:55.076Z", + "ecs": { + "version": "8.11.0" + }, + "email": { + "direction": "internal", + "from": { + "address": [ + "rhonda.denton@demo-int.elastic.mime-api.com" + ] + }, + "to": { + "address": [ + "maria.valdes@demo-int.elastic.mime-api.com" + ] + } + }, + "event": { + "category": [ + "email" + ], + "created": "2024-11-15T19:22:55.076Z", + "original": "{\"_offset\":73595,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"aggregateId\":\"0iHRSrQ4PseuWDdA6ANgWg_1731698572\",\"direction\":\"Internal\",\"processingId\":\"55pOFYRDuAV-PV8mGTczqke6e1QfNVKZRbn7h7YSjYE_1731698572\",\"recipients\":\"maria.valdes@demo-int.elastic.mime-api.com\",\"senderEnvelope\":\"rhonda.denton@demo-int.elastic.mime-api.com\",\"subtype\":null,\"timestamp\":1731698575076,\"type\":\"journal\"}", + "outcome": "unknown" + }, + "mimecast": { + "accountId": "CUSB4A274", + "aggregateId": "0iHRSrQ4PseuWDdA6ANgWg_1731698572", + "log_type": "jrnl", + "processingId": "55pOFYRDuAV-PV8mGTczqke6e1QfNVKZRbn7h7YSjYE_1731698572" + }, + "related": { + "user": [ + "rhonda.denton@demo-int.elastic.mime-api.com", + "maria.valdes@demo-int.elastic.mime-api.com" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-11-13T13:12:55.426Z", + "ecs": { + "version": "8.11.0" + }, + "email": { + "direction": "internal", + "from": { + "address": [ + "david.forster@demo-int.elastic.mime-api.com" + ] + }, + "to": { + 
"address": [ + "_david.port@demo-int.elastic.mime-api.com" + ] + } + }, + "event": { + "category": [ + "email" + ], + "created": "2024-11-13T13:12:55.426Z", + "original": "{\"_offset\":71249,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"aggregateId\":\"Y7wwxNEWPQ23PptVXfrUUg_1731503569\",\"direction\":\"Internal\",\"processingId\":\"kYay9GYnPC0hU5PR_jl1VlGp4tcEuhcDWAN83CBWn2Q_1731503569\",\"recipients\":\"_david.port@demo-int.elastic.mime-api.com\",\"senderEnvelope\":\"david.forster@demo-int.elastic.mime-api.com\",\"subtype\":null,\"timestamp\":1731503575426,\"type\":\"journal\"}", + "outcome": "unknown" + }, + "mimecast": { + "accountId": "CUSB4A274", + "aggregateId": "Y7wwxNEWPQ23PptVXfrUUg_1731503569", + "log_type": "jrnl", + "processingId": "kYay9GYnPC0hU5PR_jl1VlGp4tcEuhcDWAN83CBWn2Q_1731503569" + }, + "related": { + "user": [ + "david.forster@demo-int.elastic.mime-api.com", + "_david.port@demo-int.elastic.mime-api.com" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-11-13T11:22:40.379Z", + "ecs": { + "version": "8.11.0" + }, + "email": { + "direction": "internal", + "from": { + "address": [ + "lorna.brennan@demo-int.elastic.mime-api.com" + ] + }, + "to": { + "address": [ + "_michelle.lokay@demo-int.elastic.mime-api.com" + ] + } + }, + "event": { + "category": [ + "email" + ], + "created": "2024-11-13T11:22:40.379Z", + "original": "{\"_offset\":71192,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"aggregateId\":\"mlj3VuNCMh-GNsUhmPt9Rg_1731496947\",\"direction\":\"Internal\",\"processingId\":\"WYD3Y9s3EMu6D9CKmgT1kzmrSiywCe_em_lXf_5HUws_1731496947\",\"recipients\":\"_michelle.lokay@demo-int.elastic.mime-api.com\",\"senderEnvelope\":\"lorna.brennan@demo-int.elastic.mime-api.com\",\"subtype\":null,\"timestamp\":1731496960379,\"type\":\"journal\"}", + "outcome": "unknown" + }, + "mimecast": { + "accountId": "CUSB4A274", + "aggregateId": "mlj3VuNCMh-GNsUhmPt9Rg_1731496947", + "log_type": "jrnl", + "processingId": 
"WYD3Y9s3EMu6D9CKmgT1kzmrSiywCe_em_lXf_5HUws_1731496947" + }, + "related": { + "user": [ + "lorna.brennan@demo-int.elastic.mime-api.com", + "_michelle.lokay@demo-int.elastic.mime-api.com" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-11-12T22:57:34.138Z", + "ecs": { + "version": "8.11.0" + }, + "email": { + "direction": "internal", + "from": { + "address": [ + "bob.ambrocik@demo-int.elastic.mime-api.com" + ] + }, + "to": { + "address": [ + "andrea.ring@demo-int.elastic.mime-api.com" + ] + } + }, + "event": { + "category": [ + "email" + ], + "created": "2024-11-12T22:57:34.138Z", + "original": "{\"_offset\":70927,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"aggregateId\":\"95dsLgPDMoWy0Bk0Y1LSDw_1731452248\",\"direction\":\"Internal\",\"processingId\":\"Pd0OCuNL88QUcTMmMDg40I18qawNIFCzdGxqvhNOH9Y_1731452248\",\"recipients\":\"andrea.ring@demo-int.elastic.mime-api.com\",\"senderEnvelope\":\"bob.ambrocik@demo-int.elastic.mime-api.com\",\"subtype\":null,\"timestamp\":1731452254138,\"type\":\"journal\"}", + "outcome": "unknown" + }, + "mimecast": { + "accountId": "CUSB4A274", + "aggregateId": "95dsLgPDMoWy0Bk0Y1LSDw_1731452248", + "log_type": "jrnl", + "processingId": "Pd0OCuNL88QUcTMmMDg40I18qawNIFCzdGxqvhNOH9Y_1731452248" + }, + "related": { + "user": [ + "bob.ambrocik@demo-int.elastic.mime-api.com", + "andrea.ring@demo-int.elastic.mime-api.com" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-11-17T20:17:30.052Z", + "ecs": { + "version": "8.11.0" + }, + "email": { + "direction": "internal", + "from": { + "address": [ + "tamara.black@demo-int.elastic.mime-api.com" + ] + }, + "to": { + "address": [ + "chad.starnes@demo-int.elastic.mime-api.com" + ] + } + }, + "event": { + "category": [ + "email" + ], + "created": "2024-11-17T20:17:30.052Z", + "original": 
"{\"_offset\":74592,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"aggregateId\":\"PgLIFM6aONixnnxAu2yBCQ_1731874647\",\"direction\":\"Internal\",\"processingId\":\"ViHEEq9if4nYTOUxQSqXsgUcnbs7Of0bGeFhEu223ls_1731874647\",\"recipients\":\"chad.starnes@demo-int.elastic.mime-api.com\",\"senderEnvelope\":\"tamara.black@demo-int.elastic.mime-api.com\",\"subtype\":null,\"timestamp\":1731874650052,\"type\":\"journal\"}", + "outcome": "unknown" + }, + "mimecast": { + "accountId": "CUSB4A274", + "aggregateId": "PgLIFM6aONixnnxAu2yBCQ_1731874647", + "log_type": "jrnl", + "processingId": "ViHEEq9if4nYTOUxQSqXsgUcnbs7Of0bGeFhEu223ls_1731874647" + }, + "related": { + "user": [ + "tamara.black@demo-int.elastic.mime-api.com", + "chad.starnes@demo-int.elastic.mime-api.com" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-11-13T21:53:33.729Z", + "ecs": { + "version": "8.11.0" + }, + "email": { + "direction": "internal", + "from": { + "address": [ + "melissa.videtto@demo-int.elastic.mime-api.com" + ] + }, + "to": { + "address": [ + "_hal.mckinney@demo-int.elastic.mime-api.com" + ] + } + }, + "event": { + "category": [ + "email" + ], + "created": "2024-11-13T21:53:33.729Z", + "original": "{\"_offset\":71853,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"aggregateId\":\"wm8XylfgMXaY8DkuPe5C6g_1731534809\",\"direction\":\"Internal\",\"processingId\":\"qqjnpyH6z5KaeWSeaP3_FomSjmKudYT94G36_a6PYhU_1731534809\",\"recipients\":\"_hal.mckinney@demo-int.elastic.mime-api.com\",\"senderEnvelope\":\"melissa.videtto@demo-int.elastic.mime-api.com\",\"subtype\":null,\"timestamp\":1731534813729,\"type\":\"journal\"}", + "outcome": "unknown" + }, + "mimecast": { + "accountId": "CUSB4A274", + "aggregateId": "wm8XylfgMXaY8DkuPe5C6g_1731534809", + "log_type": "jrnl", + "processingId": "qqjnpyH6z5KaeWSeaP3_FomSjmKudYT94G36_a6PYhU_1731534809" + }, + "related": { + "user": [ + "melissa.videtto@demo-int.elastic.mime-api.com", + 
"_hal.mckinney@demo-int.elastic.mime-api.com" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-11-14T03:42:28.578Z", + "ecs": { + "version": "8.11.0" + }, + "email": { + "direction": "internal", + "from": { + "address": [ + "rhonda.denton@demo-int.elastic.mime-api.com" + ] + }, + "to": { + "address": [ + "_john.suarez@demo-int.elastic.mime-api.com" + ] + } + }, + "event": { + "category": [ + "email" + ], + "created": "2024-11-14T03:42:28.578Z", + "original": "{\"_offset\":72107,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"aggregateId\":\"44MUo-sSOaemmYCtIWoCDQ_1731555745\",\"direction\":\"Internal\",\"processingId\":\"f2CHdHbAHhLuWxAdnrkvikX7p99qLDSp8vov0IN2VuE_1731555745\",\"recipients\":\"_john.suarez@demo-int.elastic.mime-api.com\",\"senderEnvelope\":\"rhonda.denton@demo-int.elastic.mime-api.com\",\"subtype\":null,\"timestamp\":1731555748578,\"type\":\"journal\"}", + "outcome": "unknown" + }, + "mimecast": { + "accountId": "CUSB4A274", + "aggregateId": "44MUo-sSOaemmYCtIWoCDQ_1731555745", + "log_type": "jrnl", + "processingId": "f2CHdHbAHhLuWxAdnrkvikX7p99qLDSp8vov0IN2VuE_1731555745" + }, + "related": { + "user": [ + "rhonda.denton@demo-int.elastic.mime-api.com", + "_john.suarez@demo-int.elastic.mime-api.com" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-11-14T18:03:25.621Z", + "ecs": { + "version": "8.11.0" + }, + "email": { + "direction": "internal", + "from": { + "address": [ + "jae.black@demo-int.elastic.mime-api.com" + ] + }, + "to": { + "address": [ + "william.freije@demo-int.elastic.mime-api.com" + ] + } + }, + "event": { + "category": [ + "email" + ], + "created": "2024-11-14T18:03:25.621Z", + "original": 
"{\"_offset\":72539,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"aggregateId\":\"5lkyib_sMEys4HHIS_BfnA_1731607398\",\"direction\":\"Internal\",\"processingId\":\"NTURKsdD8cexyo31Pcs68lEJJMGjyOBtykAvjo4-hDM_1731607398\",\"recipients\":\"william.freije@demo-int.elastic.mime-api.com\",\"senderEnvelope\":\"jae.black@demo-int.elastic.mime-api.com\",\"subtype\":null,\"timestamp\":1731607405621,\"type\":\"journal\"}", + "outcome": "unknown" + }, + "mimecast": { + "accountId": "CUSB4A274", + "aggregateId": "5lkyib_sMEys4HHIS_BfnA_1731607398", + "log_type": "jrnl", + "processingId": "NTURKsdD8cexyo31Pcs68lEJJMGjyOBtykAvjo4-hDM_1731607398" + }, + "related": { + "user": [ + "jae.black@demo-int.elastic.mime-api.com", + "william.freije@demo-int.elastic.mime-api.com" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-11-18T19:02:27.365Z", + "ecs": { + "version": "8.11.0" + }, + "email": { + "direction": "internal", + "from": { + "address": [ + "julie.clyatt@demo-int.elastic.mime-api.com" + ] + }, + "to": { + "address": [ + "tammie.schoppe@demo-int.elastic.mime-api.com" + ] + } + }, + "event": { + "category": [ + "email" + ], + "created": "2024-11-18T19:02:27.365Z", + "original": "{\"_offset\":75079,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"aggregateId\":\"giIl5RfnMaaOzcpePknYCQ\",\"direction\":\"Internal\",\"processingId\":\"L-Cjc_if2_eznTO-c4SsELfEptLUJouzF02Kgogaaok_1731956544\",\"recipients\":\"tammie.schoppe@demo-int.elastic.mime-api.com\",\"senderEnvelope\":\"julie.clyatt@demo-int.elastic.mime-api.com\",\"subtype\":null,\"timestamp\":1731956547365,\"type\":\"journal\"}", + "outcome": "unknown" + }, + "mimecast": { + "accountId": "CUSB4A274", + "aggregateId": "giIl5RfnMaaOzcpePknYCQ", + "log_type": "jrnl", + "processingId": "L-Cjc_if2_eznTO-c4SsELfEptLUJouzF02Kgogaaok_1731956544" + }, + "related": { + "user": [ + "julie.clyatt@demo-int.elastic.mime-api.com", + "tammie.schoppe@demo-int.elastic.mime-api.com" + ] + }, + "tags": [ + 
"preserve_original_event" + ] + }, + { + "@timestamp": "2024-11-12T20:47:12.914Z", + "ecs": { + "version": "8.11.0" + }, + "email": { + "direction": "internal", + "from": { + "address": [ + "mbx_iscinfra@demo-int.elastic.mime-api.com" + ] + }, + "to": { + "address": [ + "tahnee.stall@demo-int.elastic.mime-api.com" + ] + } + }, + "event": { + "category": [ + "email" + ], + "created": "2024-11-12T20:47:12.914Z", + "original": "{\"_offset\":70818,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"aggregateId\":\"ftPbPD1vMxa7beIN-pCWbA_1731444430\",\"direction\":\"Internal\",\"processingId\":\"KN0HzWFvGXS8Gu1gNid_150nlAPfOVzuimpDTbAGz1k_1731444430\",\"recipients\":\"tahnee.stall@demo-int.elastic.mime-api.com\",\"senderEnvelope\":\"mbx_iscinfra@demo-int.elastic.mime-api.com\",\"subtype\":null,\"timestamp\":1731444432914,\"type\":\"journal\"}", + "outcome": "unknown" + }, + "mimecast": { + "accountId": "CUSB4A274", + "aggregateId": "ftPbPD1vMxa7beIN-pCWbA_1731444430", + "log_type": "jrnl", + "processingId": "KN0HzWFvGXS8Gu1gNid_150nlAPfOVzuimpDTbAGz1k_1731444430" + }, + "related": { + "user": [ + "mbx_iscinfra@demo-int.elastic.mime-api.com", + "tahnee.stall@demo-int.elastic.mime-api.com" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-11-15T19:47:35.957Z", + "ecs": { + "version": "8.11.0" + }, + "email": { + "attachments": [ + { + "file": { + "size": 0 + } + } + ], + "from": { + "address": [ + "oasissupport@demo-visionary.b41.one" + ] + }, + "message_id": "<4de314882ebce407-15188@hapi.b41.one>", + "subject": "Entergy's new OASIS node is now available" + }, + "event": { + "action": "Hld", + "category": [ + "email" + ], + "created": "2024-11-15T19:47:35.957Z", + "original": 
"{\"_offset\":73606,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"action\":\"Hld\",\"aggregateId\":\"8TCFD0OlO06323_aNlbxVA_1731700047\",\"attachments\":null,\"emailSize\":\"4170\",\"holdReason\":\"Spm\",\"messageId\":\"<4de314882ebce407-15188@hapi.b41.one>\",\"numberAttachments\":\"0\",\"processingId\":\"f9LiY_x-_ogdIWrf6wkiSVnAHqf_t43V7fXksSco27o_1731700047\",\"senderEnvelope\":\"oasissupport@demo-visionary.b41.one\",\"subject\":\"Entergy's new OASIS node is now available\",\"subtype\":\"Hld\",\"timestamp\":1731700055957,\"totalSizeAttachments\":\"0\",\"type\":\"process\"}", + "outcome": "unknown", + "reason": "Spm" + }, + "mimecast": { + "accountId": "CUSB4A274", + "aggregateId": "8TCFD0OlO06323_aNlbxVA_1731700047", + "emailSize": "4170", + "log_type": "process", + "numberAttachments": "0", + "processingId": "f9LiY_x-_ogdIWrf6wkiSVnAHqf_t43V7fXksSco27o_1731700047", + "subtype": "Hld" + }, + "related": { + "user": [ + "oasissupport@demo-visionary.b41.one" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-11-13T10:43:38.314Z", + "ecs": { + "version": "8.11.0" + }, + "email": { + "attachments": [ + { + "file": { + "size": 1153 + } + } + ], + "from": { + "address": [ + "mjones7@pilot-meadow.b41.one" + ] + }, + "message_id": "<439b91e3140b2aa6-75725@hapi.b41.one>", + "subject": "HPL Nom for January 25, 2001" + }, + "event": { + "action": "Sdbx", + "category": [ + "email" + ], + "created": "2024-11-13T10:43:38.314Z", + "original": "{\"_offset\":71171,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"action\":\"Sdbx\",\"aggregateId\":\"aGeQjuWoOVGkrat_ga1Vew_1731494602\",\"attachments\":null,\"emailSize\":\"0\",\"holdReason\":null,\"messageId\":\"<439b91e3140b2aa6-75725@hapi.b41.one>\",\"numberAttachments\":\"1\",\"processingId\":\"XoJ1lIN_Fxb9ImfSO2K24HpiMiRNKQXqe6UfEC5_aP0_1731494602\",\"senderEnvelope\":\"mjones7@pilot-meadow.b41.one\",\"subject\":\"HPL Nom for January 25, 
2001\",\"subtype\":\"Sdbx\",\"timestamp\":1731494618314,\"totalSizeAttachments\":\"1153\",\"type\":\"process\"}", + "outcome": "unknown" + }, + "mimecast": { + "accountId": "CUSB4A274", + "aggregateId": "aGeQjuWoOVGkrat_ga1Vew_1731494602", + "emailSize": "0", + "log_type": "process", + "numberAttachments": "1", + "processingId": "XoJ1lIN_Fxb9ImfSO2K24HpiMiRNKQXqe6UfEC5_aP0_1731494602", + "subtype": "Sdbx" + }, + "related": { + "user": [ + "mjones7@pilot-meadow.b41.one" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-11-18T22:48:13.024Z", + "ecs": { + "version": "8.11.0" + }, + "email": { + "attachments": [ + { + "file": { + "size": 0 + } + } + ], + "from": { + "address": [ + "ebay.54422217.3801.0@pilot-meadow.b41.one" + ] + }, + "message_id": "<6d8f3206ebd72298-284580@hapi.b41.one>", + "subject": "Welcome, dvd_express!" + }, + "event": { + "action": "Hld", + "category": [ + "email" + ], + "created": "2024-11-18T22:48:13.024Z", + "original": "{\"_offset\":75292,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"action\":\"Hld\",\"aggregateId\":\"TLfmiIfVPSO0GI3oJJdWHg\",\"attachments\":null,\"emailSize\":\"5668\",\"holdReason\":\"Spm\",\"messageId\":\"<6d8f3206ebd72298-284580@hapi.b41.one>\",\"numberAttachments\":\"0\",\"processingId\":\"RP4HUIIujRhQzLMrGkeTNhfdRQ_JTzEtU1nYU7oBF6Y_1731970088\",\"senderEnvelope\":\"ebay.54422217.3801.0@pilot-meadow.b41.one\",\"subject\":\"Welcome, dvd_express!\",\"subtype\":\"Hld\",\"timestamp\":1731970093024,\"totalSizeAttachments\":\"0\",\"type\":\"process\"}", + "outcome": "unknown", + "reason": "Spm" + }, + "mimecast": { + "accountId": "CUSB4A274", + "aggregateId": "TLfmiIfVPSO0GI3oJJdWHg", + "emailSize": "5668", + "log_type": "process", + "numberAttachments": "0", + "processingId": "RP4HUIIujRhQzLMrGkeTNhfdRQ_JTzEtU1nYU7oBF6Y_1731970088", + "subtype": "Hld" + }, + "related": { + "user": [ + "ebay.54422217.3801.0@pilot-meadow.b41.one" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + 
"@timestamp": "2024-11-15T20:32:19.427Z", + "ecs": { + "version": "8.11.0" + }, + "email": { + "attachments": [ + { + "file": { + "name": "\"attach-c567a248-467f-415f-b1ca-da6fde82347a.pdf\"", + "size": 1153 + } + } + ], + "from": { + "address": [ + "owner-nyiso_tech_exchange@innovation-asylum.b41.one" + ] + }, + "message_id": "<46b1119b6b6a1cce-34862@hapi.b41.one>", + "subject": "RE" + }, + "event": { + "action": "Acc", + "category": [ + "email" + ], + "created": "2024-11-15T20:32:19.427Z", + "original": "{\"_offset\":73837,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"action\":\"Acc\",\"aggregateId\":\"Oy_S3Lc9PUyDRbsnf0mr6w_1731702540\",\"attachments\":\"\\\"attach-c567a248-467f-415f-b1ca-da6fde82347a.pdf\\\"\",\"emailSize\":\"17236\",\"holdReason\":null,\"messageId\":\"<46b1119b6b6a1cce-34862@hapi.b41.one>\",\"numberAttachments\":\"1\",\"processingId\":\"HP7ykR1aQLQjT0JuuuBzaIITSLHDrLDARlkEm5Nzf_k_1731702540\",\"senderEnvelope\":\"owner-nyiso_tech_exchange@innovation-asylum.b41.one\",\"subject\":\"RE\",\"subtype\":\"Acc\",\"timestamp\":1731702739427,\"totalSizeAttachments\":\"1153\",\"type\":\"process\"}", + "outcome": "unknown" + }, + "mimecast": { + "accountId": "CUSB4A274", + "aggregateId": "Oy_S3Lc9PUyDRbsnf0mr6w_1731702540", + "emailSize": "17236", + "log_type": "process", + "numberAttachments": "1", + "processingId": "HP7ykR1aQLQjT0JuuuBzaIITSLHDrLDARlkEm5Nzf_k_1731702540", + "subtype": "Acc" + }, + "related": { + "user": [ + "owner-nyiso_tech_exchange@innovation-asylum.b41.one" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-11-18T07:17:45.305Z", + "ecs": { + "version": "8.11.0" + }, + "email": { + "attachments": [ + { + "file": { + "size": 0 + } + } + ], + "from": { + "address": [ + "tina_leavy@concept-variety.b41.one" + ] + }, + "message_id": "<705cf5946f3b8cd9-127894@hapi.b41.one>", + "subject": "Fw" + }, + "event": { + "action": "Hld", + "category": [ + "email" + ], + "created": "2024-11-18T07:17:45.305Z", + 
"original": "{\"_offset\":74698,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"action\":\"Hld\",\"aggregateId\":\"oSy4xi7sNgWjMLPrth0xKw_1731914255\",\"attachments\":null,\"emailSize\":\"10181\",\"holdReason\":\"Spm\",\"messageId\":\"<705cf5946f3b8cd9-127894@hapi.b41.one>\",\"numberAttachments\":\"0\",\"processingId\":\"TIjslaTpNx-wdlF6Gt2htnTTu5Li_VkloVU6ccC8bb8_1731914255\",\"senderEnvelope\":\"tina_leavy@concept-variety.b41.one\",\"subject\":\"Fw\",\"subtype\":\"Hld\",\"timestamp\":1731914265305,\"totalSizeAttachments\":\"0\",\"type\":\"process\"}", + "outcome": "unknown", + "reason": "Spm" + }, + "mimecast": { + "accountId": "CUSB4A274", + "aggregateId": "oSy4xi7sNgWjMLPrth0xKw_1731914255", + "emailSize": "10181", + "log_type": "process", + "numberAttachments": "0", + "processingId": "TIjslaTpNx-wdlF6Gt2htnTTu5Li_VkloVU6ccC8bb8_1731914255", + "subtype": "Hld" + }, + "related": { + "user": [ + "tina_leavy@concept-variety.b41.one" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-11-14T19:32:58.420Z", + "ecs": { + "version": "8.11.0" + }, + "email": { + "attachments": [ + { + "file": { + "size": 0 + } + } + ], + "from": { + "address": [ + "wgphou.customernotices@concept-variety.b41.one" + ] + }, + "message_id": "<3f1fd5633ebc342e-355801@hapi.b41.one>", + "subject": "Third Revised Terrebonne PVR % for October 2001" + }, + "event": { + "action": "Hld", + "category": [ + "email" + ], + "created": "2024-11-14T19:32:58.420Z", + "original": "{\"_offset\":72599,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"action\":\"Hld\",\"aggregateId\":\"FnAhxmOxN26l3b9wdnI64w_1731612764\",\"attachments\":null,\"emailSize\":\"9628\",\"holdReason\":\"Spm\",\"messageId\":\"<3f1fd5633ebc342e-355801@hapi.b41.one>\",\"numberAttachments\":\"0\",\"processingId\":\"TKG1WthCWaNTmKhC1mEeH8w4J2Nb9uIz1XcC2pgBlxM_1731612764\",\"senderEnvelope\":\"wgphou.customernotices@concept-variety.b41.one\",\"subject\":\"Third Revised Terrebonne PVR % for October 
2001\",\"subtype\":\"Hld\",\"timestamp\":1731612778420,\"totalSizeAttachments\":\"0\",\"type\":\"process\"}", + "outcome": "unknown", + "reason": "Spm" + }, + "mimecast": { + "accountId": "CUSB4A274", + "aggregateId": "FnAhxmOxN26l3b9wdnI64w_1731612764", + "emailSize": "9628", + "log_type": "process", + "numberAttachments": "0", + "processingId": "TKG1WthCWaNTmKhC1mEeH8w4J2Nb9uIz1XcC2pgBlxM_1731612764", + "subtype": "Hld" + }, + "related": { + "user": [ + "wgphou.customernotices@concept-variety.b41.one" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-11-18T15:42:47.019Z", + "ecs": { + "version": "8.11.0" + }, + "email": { + "attachments": [ + { + "file": { + "size": 0 + } + } + ], + "from": { + "address": [ + "eric.bass@demo-int.elastic.mime-api.com" + ] + }, + "message_id": "<8b857900ca3f647e-11913@hapi.b41.one>", + "subject": "FW" + }, + "event": { + "action": "Acc", + "category": [ + "email" + ], + "created": "2024-11-18T15:42:47.019Z", + "original": "{\"_offset\":74954,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"action\":\"Acc\",\"aggregateId\":\"MF66JhdrMzeeqjFGrjuS7g\",\"attachments\":null,\"emailSize\":\"6103\",\"holdReason\":null,\"messageId\":\"<8b857900ca3f647e-11913@hapi.b41.one>\",\"numberAttachments\":\"0\",\"processingId\":\"WePW42EkaOVqv2HazYrvjJ9Ko2V8Fsj6yLUkUdKcU60_1731944561\",\"senderEnvelope\":\"eric.bass@demo-int.elastic.mime-api.com\",\"subject\":\"FW\",\"subtype\":\"Acc\",\"timestamp\":1731944567019,\"totalSizeAttachments\":\"0\",\"type\":\"process\"}", + "outcome": "unknown" + }, + "mimecast": { + "accountId": "CUSB4A274", + "aggregateId": "MF66JhdrMzeeqjFGrjuS7g", + "emailSize": "6103", + "log_type": "process", + "numberAttachments": "0", + "processingId": "WePW42EkaOVqv2HazYrvjJ9Ko2V8Fsj6yLUkUdKcU60_1731944561", + "subtype": "Acc" + }, + "related": { + "user": [ + "eric.bass@demo-int.elastic.mime-api.com" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": 
"2024-11-13T15:06:11.281Z", + "ecs": { + "version": "8.11.0" + }, + "email": { + "attachments": [ + { + "file": { + "size": 0 + } + } + ], + "from": { + "address": [ + "postmaster@demo-int.elastic.mime-api.com" + ] + }, + "message_id": "<27887510-1731510369436@usb-mta-4.usb.mimecast.lan>", + "subject": "You have new held messages" + }, + "event": { + "action": "Acc", + "category": [ + "email" + ], + "created": "2024-11-13T15:06:11.281Z", + "original": "{\"_offset\":71324,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"action\":\"Acc\",\"aggregateId\":\"e102e547-4a15-374c-b71d-66e2133bf1d2_1731510369\",\"attachments\":null,\"emailSize\":\"49308\",\"holdReason\":null,\"messageId\":\"<27887510-1731510369436@usb-mta-4.usb.mimecast.lan>\",\"numberAttachments\":\"0\",\"processingId\":\"n8Uu7Gt79ZJVAh9Skma7E9P2M4HBk8Q__d8DB24Y9Aw_1731510369\",\"senderEnvelope\":\"postmaster@demo-int.elastic.mime-api.com\",\"subject\":\"You have new held messages\",\"subtype\":\"Acc\",\"timestamp\":1731510371281,\"totalSizeAttachments\":\"0\",\"type\":\"process\"}", + "outcome": "unknown" + }, + "mimecast": { + "accountId": "CUSB4A274", + "aggregateId": "e102e547-4a15-374c-b71d-66e2133bf1d2_1731510369", + "emailSize": "49308", + "log_type": "process", + "numberAttachments": "0", + "processingId": "n8Uu7Gt79ZJVAh9Skma7E9P2M4HBk8Q__d8DB24Y9Aw_1731510369", + "subtype": "Acc" + }, + "related": { + "user": [ + "postmaster@demo-int.elastic.mime-api.com" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-11-15T14:13:36.753Z", + "ecs": { + "version": "8.11.0" + }, + "email": { + "attachments": [ + { + "file": { + "size": 0 + } + } + ], + "from": { + "address": [ + "sgovenar@innovation-asylum.b41.one" + ] + }, + "message_id": "<326fb0335d17b3c0-314775@hapi.b41.one>", + "subject": "SBX 6" + }, + "event": { + "action": "Acc", + "category": [ + "email" + ], + "created": "2024-11-15T14:13:36.753Z", + "original": 
"{\"_offset\":73333,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"action\":\"Acc\",\"aggregateId\":\"OhBKaw3SM3i2coMq0NYnWA_1731680003\",\"attachments\":null,\"emailSize\":\"4165\",\"holdReason\":null,\"messageId\":\"<326fb0335d17b3c0-314775@hapi.b41.one>\",\"numberAttachments\":\"0\",\"processingId\":\"JGkhz1r5Si2J3Aj1cIT4pfkKIJRyKk9PHOLFdWBenMs_1731680003\",\"senderEnvelope\":\"sgovenar@innovation-asylum.b41.one\",\"subject\":\"SBX 6\",\"subtype\":\"Acc\",\"timestamp\":1731680016753,\"totalSizeAttachments\":\"0\",\"type\":\"process\"}", + "outcome": "unknown" + }, + "mimecast": { + "accountId": "CUSB4A274", + "aggregateId": "OhBKaw3SM3i2coMq0NYnWA_1731680003", + "emailSize": "4165", + "log_type": "process", + "numberAttachments": "0", + "processingId": "JGkhz1r5Si2J3Aj1cIT4pfkKIJRyKk9PHOLFdWBenMs_1731680003", + "subtype": "Acc" + }, + "related": { + "user": [ + "sgovenar@innovation-asylum.b41.one" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-11-13T21:28:09.383Z", + "ecs": { + "version": "8.11.0" + }, + "email": { + "attachments": [ + { + "file": { + "size": 0 + } + } + ], + "from": { + "address": [ + "john.arnold@demo-int.elastic.mime-api.com" + ] + }, + "message_id": "", + "subject": "wv love story" + }, + "event": { + "action": "Acc", + "category": [ + "email" + ], + "created": "2024-11-13T21:28:09.383Z", + "original": "{\"_offset\":71824,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"action\":\"Acc\",\"aggregateId\":\"RkaLU-cyNTa3VvuNCEFL0g_1731533285\",\"attachments\":null,\"emailSize\":\"4689\",\"holdReason\":null,\"messageId\":\"\",\"numberAttachments\":\"0\",\"processingId\":\"ZGDUcMyg7xWfwuJMwQRyVK7_XOZwCdHZDkhj2-iNxi8_1731533285\",\"senderEnvelope\":\"john.arnold@demo-int.elastic.mime-api.com\",\"subject\":\"wv love story\",\"subtype\":\"Acc\",\"timestamp\":1731533289383,\"totalSizeAttachments\":\"0\",\"type\":\"process\"}", + "outcome": "unknown" + }, + "mimecast": { + "accountId": "CUSB4A274", + "aggregateId": 
"RkaLU-cyNTa3VvuNCEFL0g_1731533285", + "emailSize": "4689", + "log_type": "process", + "numberAttachments": "0", + "processingId": "ZGDUcMyg7xWfwuJMwQRyVK7_XOZwCdHZDkhj2-iNxi8_1731533285", + "subtype": "Acc" + }, + "related": { + "user": [ + "john.arnold@demo-int.elastic.mime-api.com" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-11-12T23:36:45.992Z", + "ecs": { + "version": "8.11.0" + }, + "email": { + "direction": "inbound", + "from": { + "address": [ + "truorange@creative-omega.b41.one" + ] + }, + "to": { + "address": [ + "truorange@demo-int.elastic.mime-api.com" + ] + } + }, + "error": { + "code": "550", + "type": "Manual Envelope Rejection" + }, + "event": { + "action": "Rej", + "category": [ + "email" + ], + "created": "2024-11-12T23:36:45.992Z", + "original": "{\"_offset\":70936,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"action\":\"Rej\",\"aggregateId\":\"lf7BP8oVOue0keIDXck0Ww_1731454604\",\"direction\":\"Inbound\",\"messageId\":null,\"numberAttachments\":\"0\",\"processingId\":\"Ycqry21vB3utdjgPfIFYpj9wQK6HMNkmX_1vFlph1UM_1731454604\",\"recipients\":\"truorange@demo-int.elastic.mime-api.com\",\"rejectionCode\":\"550\",\"rejectionInfo\":\"Envelope blocked - User Entry\",\"rejectionType\":\"Manual Envelope Rejection\",\"senderEnvelope\":\"truorange@creative-omega.b41.one\",\"senderHeader\":null,\"senderIp\":\"81.2.69.144\",\"spamDetectionLevel\":null,\"spamInfo\":null,\"spamProcessingDetail\":\"{\\\"spf\\\":{\\\"allow\\\":true,\\\"info\\\":\\\"ALLOW\\\"}}\",\"spamScore\":null,\"subject\":null,\"subtype\":\"Rej\",\"timestamp\":1731454605992,\"tlsCipher\":\"TLS_AES_256_GCM_SHA384\",\"tlsVersion\":\"TLSv1.3\",\"type\":\"receipt\",\"virusFound\":null}", + "outcome": "unknown", + "reason": "Envelope blocked - User Entry" + }, + "mimecast": { + "accountId": "CUSB4A274", + "aggregateId": "lf7BP8oVOue0keIDXck0Ww_1731454604", + "log_type": "receipt", + "numberAttachments": "0", + "processingId": 
"Ycqry21vB3utdjgPfIFYpj9wQK6HMNkmX_1vFlph1UM_1731454604", + "spamProcessingDetail": "{\"spf\":{\"allow\":true,\"info\":\"ALLOW\"}}", + "subtype": "Rej", + "tlsVersion": "TLSv1.3" + }, + "related": { + "user": [ + "truorange@creative-omega.b41.one", + "truorange@demo-int.elastic.mime-api.com" + ] + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "tags": [ + "preserve_original_event" + ], + "tls": { + "cipher": "TLS_AES_256_GCM_SHA384" + } + }, + { + "@timestamp": "2024-11-14T22:04:25.697Z", + "ecs": { + "version": "8.11.0" + }, + "email": { + "direction": "inbound", + "from": { + "address": [ + "manintan@evaluation-fuzz.b41.one" + ] + }, + "message_id": "", + "subject": "new information", + "to": { + "address": [ + "boucard.john@demo-int.elastic.mime-api.com" + ] + } + }, + "event": { + "action": "Acc", + "category": [ + "email" + ], + "created": "2024-11-14T22:04:25.697Z", + "original": 
"{\"_offset\":72920,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"action\":\"Acc\",\"aggregateId\":\"pZrAa9HUN-WmL2AK6cWduw_1731621818\",\"direction\":\"Inbound\",\"messageId\":\"\",\"numberAttachments\":\"1\",\"processingId\":\"faqqVpJ4FYKsCgeaEEy23oZYXjIg0lM-UfluCEvSRUs_1731621818\",\"receiptErrors\":null,\"recipients\":\"boucard.john@demo-int.elastic.mime-api.com\",\"rejectionCode\":null,\"rejectionInfo\":null,\"rejectionType\":null,\"senderEnvelope\":\"manintan@evaluation-fuzz.b41.one\",\"senderHeader\":\"manintan@evaluation-fuzz.b41.one\",\"senderIp\":\"81.2.69.144\",\"spamDetectionLevel\":\"7\",\"spamInfo\":\"[]\",\"spamProcessingDetail\":\"{\\\"spf\\\":{\\\"allow\\\":true,\\\"info\\\":\\\"ALLOW\\\"},\\\"dkim\\\":{\\\"allow\\\":true,\\\"info\\\":\\\"UNKNOWN\\\"},\\\"dmarc\\\":{\\\"allow\\\":true,\\\"info\\\":\\\"ALLOW\\\"}}\",\"spamScore\":\"21\",\"subject\":\"new information\",\"subtype\":\"Acc\",\"timestamp\":1731621865697,\"tlsCipher\":\"TLS_AES_256_GCM_SHA384\",\"tlsVersion\":\"TLSv1.3\",\"type\":\"receipt\",\"virusFound\":null}", + "outcome": "unknown" + }, + "mimecast": { + "accountId": "CUSB4A274", + "aggregateId": "pZrAa9HUN-WmL2AK6cWduw_1731621818", + "log_type": "receipt", + "numberAttachments": "1", + "processingId": "faqqVpJ4FYKsCgeaEEy23oZYXjIg0lM-UfluCEvSRUs_1731621818", + "senderHeader": "manintan@evaluation-fuzz.b41.one", + "spamDetectionLevel": "7", + "spamInfo": "[]", + "spamProcessingDetail": "{\"spf\":{\"allow\":true,\"info\":\"ALLOW\"},\"dkim\":{\"allow\":true,\"info\":\"UNKNOWN\"},\"dmarc\":{\"allow\":true,\"info\":\"ALLOW\"}}", + "spamScore": "21", + "subtype": "Acc", + "tlsVersion": "TLSv1.3" + }, + "related": { + "user": [ + "manintan@evaluation-fuzz.b41.one", + "boucard.john@demo-int.elastic.mime-api.com" + ] + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": 
"GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "tags": [ + "preserve_original_event" + ], + "tls": { + "cipher": "TLS_AES_256_GCM_SHA384" + } + }, + { + "@timestamp": "2024-11-13T16:53:38.291Z", + "ecs": { + "version": "8.11.0" + }, + "email": { + "direction": "inbound", + "from": { + "address": [ + "my-prs@pilot-meadow.b41.one" + ] + }, + "message_id": "", + "subject": "Translation - Nihon Keizai 5/16 (Enron Mention)", + "to": { + "address": [ + "tom.fitzgibbon@demo-int.elastic.mime-api.com" + ] + } + }, + "event": { + "action": "Acc", + "category": [ + "email" + ], + "created": "2024-11-13T16:53:38.291Z", + "original": "{\"_offset\":71492,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"action\":\"Acc\",\"aggregateId\":\"DxdW7AQ0MlWbr7_ujIQaxw_1731516810\",\"direction\":\"Inbound\",\"messageId\":\"\",\"numberAttachments\":\"1\",\"processingId\":\"MRFVwlim0CdyNJzmrIZFSHmViwZ7hOLQTNEqxRaK2Vs_1731516810\",\"receiptErrors\":null,\"recipients\":\"tom.fitzgibbon@demo-int.elastic.mime-api.com\",\"rejectionCode\":null,\"rejectionInfo\":null,\"rejectionType\":null,\"senderEnvelope\":\"my-prs@pilot-meadow.b41.one\",\"senderHeader\":\"my-prs@pilot-meadow.b41.one\",\"senderIp\":\"81.2.69.144\",\"spamDetectionLevel\":\"7\",\"spamInfo\":\"[]\",\"spamProcessingDetail\":\"{\\\"spf\\\":{\\\"allow\\\":true,\\\"info\\\":\\\"ALLOW\\\"},\\\"dkim\\\":{\\\"allow\\\":true,\\\"info\\\":\\\"UNKNOWN\\\"},\\\"dmarc\\\":{\\\"allow\\\":true,\\\"info\\\":\\\"ALLOW\\\"}}\",\"spamScore\":\"9\",\"subject\":\"Translation - Nihon Keizai 5/16 (Enron Mention)\",\"subtype\":\"Acc\",\"timestamp\":1731516818291,\"tlsCipher\":\"TLS_AES_256_GCM_SHA384\",\"tlsVersion\":\"TLSv1.3\",\"type\":\"receipt\",\"virusFound\":null}", + "outcome": "unknown" + }, + "mimecast": { + "accountId": "CUSB4A274", + "aggregateId": "DxdW7AQ0MlWbr7_ujIQaxw_1731516810", + "log_type": "receipt", + "numberAttachments": "1", + "processingId": "MRFVwlim0CdyNJzmrIZFSHmViwZ7hOLQTNEqxRaK2Vs_1731516810", + 
"senderHeader": "my-prs@pilot-meadow.b41.one", + "spamDetectionLevel": "7", + "spamInfo": "[]", + "spamProcessingDetail": "{\"spf\":{\"allow\":true,\"info\":\"ALLOW\"},\"dkim\":{\"allow\":true,\"info\":\"UNKNOWN\"},\"dmarc\":{\"allow\":true,\"info\":\"ALLOW\"}}", + "spamScore": "9", + "subtype": "Acc", + "tlsVersion": "TLSv1.3" + }, + "related": { + "user": [ + "my-prs@pilot-meadow.b41.one", + "tom.fitzgibbon@demo-int.elastic.mime-api.com" + ] + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "tags": [ + "preserve_original_event" + ], + "tls": { + "cipher": "TLS_AES_256_GCM_SHA384" + } + }, + { + "@timestamp": "2024-11-15T15:03:08.404Z", + "ecs": { + "version": "8.11.0" + }, + "email": { + "direction": "internal", + "from": { + "address": [ + "postmaster@demo-int.elastic.mime-api.com" + ] + }, + "message_id": "<28099804-1731682986606@usb-mta-47.usb.mimecast.lan>", + "subject": "You have new held messages", + "to": { + "address": [ + "_suecor.williams@demo-int.elastic.mime-api.com" + ] + } + }, + "event": { + "action": "Acc", + "category": [ + "email" + ], + "created": "2024-11-15T15:03:08.404Z", + "original": 
"{\"_offset\":73360,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"action\":\"Acc\",\"aggregateId\":\"4d2c1696-8d78-3d7b-aac9-78d630c5950b_1731682986\",\"direction\":\"Internal\",\"messageId\":\"<28099804-1731682986606@usb-mta-47.usb.mimecast.lan>\",\"numberAttachments\":\"0\",\"processingId\":\"ceRW9S1H-n0jhKkIEH85IxRNSZ9NRZnFJQLeRF42rC0_1731682986\",\"receiptErrors\":null,\"recipients\":\"_suecor.williams@demo-int.elastic.mime-api.com\",\"rejectionCode\":null,\"rejectionInfo\":null,\"rejectionType\":null,\"senderEnvelope\":\"postmaster@demo-int.elastic.mime-api.com\",\"senderHeader\":\"postmaster@demo-int.elastic.mime-api.com\",\"senderIp\":\"10.108.135.241\",\"spamDetectionLevel\":\"28\",\"spamInfo\":\"[]\",\"spamProcessingDetail\":null,\"spamScore\":\"0\",\"subject\":\"You have new held messages\",\"subtype\":\"Acc\",\"timestamp\":1731682988404,\"tlsCipher\":null,\"tlsVersion\":null,\"type\":\"receipt\",\"virusFound\":null}", + "outcome": "unknown" + }, + "mimecast": { + "accountId": "CUSB4A274", + "aggregateId": "4d2c1696-8d78-3d7b-aac9-78d630c5950b_1731682986", + "log_type": "receipt", + "numberAttachments": "0", + "processingId": "ceRW9S1H-n0jhKkIEH85IxRNSZ9NRZnFJQLeRF42rC0_1731682986", + "senderHeader": "postmaster@demo-int.elastic.mime-api.com", + "spamDetectionLevel": "28", + "spamInfo": "[]", + "spamScore": "0", + "subtype": "Acc" + }, + "related": { + "user": [ + "postmaster@demo-int.elastic.mime-api.com", + "_suecor.williams@demo-int.elastic.mime-api.com" + ] + }, + "source": { + "ip": "10.108.135.241" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-11-18T16:52:52.533Z", + "ecs": { + "version": "8.11.0" + }, + "email": { + "direction": "inbound", + "from": { + "address": [ + "sshackl@creative-omega.b41.one" + ] + }, + "message_id": "", + "subject": "FW", + "to": { + "address": [ + "sara.shackleton@demo-int.elastic.mime-api.com" + ] + } + }, + "event": { + "action": "Acc", + "category": [ + "email" + ], + "created": 
"2024-11-18T16:52:52.533Z", + "original": "{\"_offset\":75007,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"action\":\"Acc\",\"aggregateId\":\"5VeDMXKCPsS36abM4FlQeQ\",\"direction\":\"Inbound\",\"messageId\":\"\",\"numberAttachments\":\"0\",\"processingId\":\"ZGSmLrbybOduBkJx6T6cs4OgZU0AeG9Hq6qfGlnU7kg_1731948770\",\"receiptErrors\":null,\"recipients\":\"sara.shackleton@demo-int.elastic.mime-api.com\",\"rejectionCode\":null,\"rejectionInfo\":null,\"rejectionType\":null,\"senderEnvelope\":\"sshackl@creative-omega.b41.one\",\"senderHeader\":\"sshackl@creative-omega.b41.one\",\"senderIp\":\"81.2.69.144\",\"spamDetectionLevel\":\"7\",\"spamInfo\":\"[]\",\"spamProcessingDetail\":\"{\\\"spf\\\":{\\\"allow\\\":true,\\\"info\\\":\\\"ALLOW\\\"},\\\"dkim\\\":{\\\"allow\\\":true,\\\"info\\\":\\\"UNKNOWN\\\"},\\\"dmarc\\\":{\\\"allow\\\":true,\\\"info\\\":\\\"ALLOW\\\"}}\",\"spamScore\":\"20\",\"subject\":\"FW\",\"subtype\":\"Acc\",\"timestamp\":1731948772533,\"tlsCipher\":\"TLS_AES_256_GCM_SHA384\",\"tlsVersion\":\"TLSv1.3\",\"type\":\"receipt\",\"virusFound\":null}", + "outcome": "unknown" + }, + "mimecast": { + "accountId": "CUSB4A274", + "aggregateId": "5VeDMXKCPsS36abM4FlQeQ", + "log_type": "receipt", + "numberAttachments": "0", + "processingId": "ZGSmLrbybOduBkJx6T6cs4OgZU0AeG9Hq6qfGlnU7kg_1731948770", + "senderHeader": "sshackl@creative-omega.b41.one", + "spamDetectionLevel": "7", + "spamInfo": "[]", + "spamProcessingDetail": "{\"spf\":{\"allow\":true,\"info\":\"ALLOW\"},\"dkim\":{\"allow\":true,\"info\":\"UNKNOWN\"},\"dmarc\":{\"allow\":true,\"info\":\"ALLOW\"}}", + "spamScore": "20", + "subtype": "Acc", + "tlsVersion": "TLSv1.3" + }, + "related": { + "user": [ + "sshackl@creative-omega.b41.one", + "sara.shackleton@demo-int.elastic.mime-api.com" + ] + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + 
"region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "tags": [ + "preserve_original_event" + ], + "tls": { + "cipher": "TLS_AES_256_GCM_SHA384" + } + }, + { + "@timestamp": "2024-11-13T13:07:47.346Z", + "ecs": { + "version": "8.11.0" + }, + "email": { + "direction": "inbound", + "from": { + "address": [ + "sgovenar@demo-visionary.b41.one" + ] + }, + "message_id": "<94b67c90515afcf1-169468@hapi.b41.one>", + "subject": "Edison MOU", + "to": { + "address": [ + "rfrank@demo-int.elastic.mime-api.com" + ] + } + }, + "event": { + "action": "Acc", + "category": [ + "email" + ], + "created": "2024-11-13T13:07:47.346Z", + "original": "{\"_offset\":71244,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"action\":\"Acc\",\"aggregateId\":\"0Moj0dzfOMqFDmdRAPECmA_1731503258\",\"direction\":\"Inbound\",\"messageId\":\"<94b67c90515afcf1-169468@hapi.b41.one>\",\"numberAttachments\":\"1\",\"processingId\":\"mGnheqkR5T0rDjTmXSUQv0Bfrjq-ZkcKhnutHhf7Euk_1731503258\",\"receiptErrors\":null,\"recipients\":\"rfrank@demo-int.elastic.mime-api.com\",\"rejectionCode\":null,\"rejectionInfo\":null,\"rejectionType\":null,\"senderEnvelope\":\"sgovenar@demo-visionary.b41.one\",\"senderHeader\":\"sgovenar@demo-visionary.b41.one\",\"senderIp\":\"81.2.69.144\",\"spamDetectionLevel\":null,\"spamInfo\":null,\"spamProcessingDetail\":\"{\\\"spf\\\":{\\\"allow\\\":true,\\\"info\\\":\\\"ALLOW\\\"},\\\"dkim\\\":{\\\"allow\\\":true,\\\"info\\\":\\\"UNKNOWN\\\"},\\\"dmarc\\\":{\\\"allow\\\":true,\\\"info\\\":\\\"ALLOW\\\"}}\",\"spamScore\":null,\"subject\":\"Edison MOU\",\"subtype\":\"Acc\",\"timestamp\":1731503267346,\"tlsCipher\":\"TLS_AES_256_GCM_SHA384\",\"tlsVersion\":\"TLSv1.3\",\"type\":\"receipt\",\"virusFound\":null}", + "outcome": "unknown" + }, + "mimecast": { + "accountId": "CUSB4A274", + "aggregateId": "0Moj0dzfOMqFDmdRAPECmA_1731503258", + "log_type": "receipt", + "numberAttachments": "1", + "processingId": 
"mGnheqkR5T0rDjTmXSUQv0Bfrjq-ZkcKhnutHhf7Euk_1731503258", + "senderHeader": "sgovenar@demo-visionary.b41.one", + "spamProcessingDetail": "{\"spf\":{\"allow\":true,\"info\":\"ALLOW\"},\"dkim\":{\"allow\":true,\"info\":\"UNKNOWN\"},\"dmarc\":{\"allow\":true,\"info\":\"ALLOW\"}}", + "subtype": "Acc", + "tlsVersion": "TLSv1.3" + }, + "related": { + "user": [ + "sgovenar@demo-visionary.b41.one", + "rfrank@demo-int.elastic.mime-api.com" + ] + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "tags": [ + "preserve_original_event" + ], + "tls": { + "cipher": "TLS_AES_256_GCM_SHA384" + } + }, + { + "@timestamp": "2024-11-17T18:42:30.257Z", + "ecs": { + "version": "8.11.0" + }, + "email": { + "direction": "inbound", + "from": { + "address": [ + "sgentry@empirepartners.b41.one" + ] + }, + "message_id": "", + "subject": "FW", + "to": { + "address": [ + "_john.odell@demo-int.elastic.mime-api.com" + ] + } + }, + "event": { + "action": "Acc", + "category": [ + "email" + ], + "created": "2024-11-17T18:42:30.257Z", + "original": 
"{\"_offset\":74483,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"action\":\"Acc\",\"aggregateId\":\"6ihbgt-UOrKODApypGlzXQ_1731868943\",\"direction\":\"Inbound\",\"messageId\":\"\",\"numberAttachments\":\"0\",\"processingId\":\"v4VvNARgVG4rpLNl4Ejnfh79j_d0m9XVKK5pAwzUt8s_1731868943\",\"receiptErrors\":null,\"recipients\":\"_john.odell@demo-int.elastic.mime-api.com\",\"rejectionCode\":null,\"rejectionInfo\":null,\"rejectionType\":null,\"senderEnvelope\":\"sgentry@empirepartners.b41.one\",\"senderHeader\":\"sgentry@empirepartners.b41.one\",\"senderIp\":\"81.2.69.144\",\"spamDetectionLevel\":\"7\",\"spamInfo\":\"[]\",\"spamProcessingDetail\":\"{\\\"spf\\\":{\\\"allow\\\":true,\\\"info\\\":\\\"ALLOW\\\"},\\\"dkim\\\":{\\\"allow\\\":true,\\\"info\\\":\\\"UNKNOWN\\\"},\\\"dmarc\\\":{\\\"allow\\\":true,\\\"info\\\":\\\"ALLOW\\\"}}\",\"spamScore\":\"11\",\"subject\":\"FW\",\"subtype\":\"Acc\",\"timestamp\":1731868950257,\"tlsCipher\":\"TLS_AES_256_GCM_SHA384\",\"tlsVersion\":\"TLSv1.3\",\"type\":\"receipt\",\"virusFound\":null}", + "outcome": "unknown" + }, + "mimecast": { + "accountId": "CUSB4A274", + "aggregateId": "6ihbgt-UOrKODApypGlzXQ_1731868943", + "log_type": "receipt", + "numberAttachments": "0", + "processingId": "v4VvNARgVG4rpLNl4Ejnfh79j_d0m9XVKK5pAwzUt8s_1731868943", + "senderHeader": "sgentry@empirepartners.b41.one", + "spamDetectionLevel": "7", + "spamInfo": "[]", + "spamProcessingDetail": "{\"spf\":{\"allow\":true,\"info\":\"ALLOW\"},\"dkim\":{\"allow\":true,\"info\":\"UNKNOWN\"},\"dmarc\":{\"allow\":true,\"info\":\"ALLOW\"}}", + "spamScore": "11", + "subtype": "Acc", + "tlsVersion": "TLSv1.3" + }, + "related": { + "user": [ + "sgentry@empirepartners.b41.one", + "_john.odell@demo-int.elastic.mime-api.com" + ] + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + 
"region_name": "England" + }, + "ip": "81.2.69.144" + }, + "tags": [ + "preserve_original_event" + ], + "tls": { + "cipher": "TLS_AES_256_GCM_SHA384" + } + }, + { + "@timestamp": "2024-11-13T14:37:30.643Z", + "ecs": { + "version": "8.11.0" + }, + "email": { + "direction": "inbound", + "from": { + "address": [ + "eblastoff@evaluation-fuzz.b41.one" + ] + }, + "message_id": "", + "subject": "Inside The Rockets - January 7, 2002", + "to": { + "address": [ + "ebass@demo-int.elastic.mime-api.com" + ] + } + }, + "event": { + "action": "Acc", + "category": [ + "email" + ], + "created": "2024-11-13T14:37:30.643Z", + "original": "{\"_offset\":71289,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"action\":\"Acc\",\"aggregateId\":\"OAXKAyanO6SqyvwQ1eKC4g_1731508647\",\"direction\":\"Inbound\",\"messageId\":\"\",\"numberAttachments\":\"0\",\"processingId\":\"YON72Gz9BYznKeJ0LSfRtVX4D0JDEmod68dD9ze1hHA_1731508647\",\"receiptErrors\":null,\"recipients\":\"ebass@demo-int.elastic.mime-api.com\",\"rejectionCode\":null,\"rejectionInfo\":null,\"rejectionType\":null,\"senderEnvelope\":\"eblastoff@evaluation-fuzz.b41.one\",\"senderHeader\":\"eblastoff@evaluation-fuzz.b41.one\",\"senderIp\":\"81.2.69.144\",\"spamDetectionLevel\":\"7\",\"spamInfo\":\"[]\",\"spamProcessingDetail\":\"{\\\"spf\\\":{\\\"allow\\\":true,\\\"info\\\":\\\"ALLOW\\\"},\\\"dkim\\\":{\\\"allow\\\":true,\\\"info\\\":\\\"UNKNOWN\\\"},\\\"dmarc\\\":{\\\"allow\\\":true,\\\"info\\\":\\\"ALLOW\\\"}}\",\"spamScore\":\"10\",\"subject\":\"Inside The Rockets - January 7, 2002\",\"subtype\":\"Acc\",\"timestamp\":1731508650643,\"tlsCipher\":\"TLS_AES_256_GCM_SHA384\",\"tlsVersion\":\"TLSv1.3\",\"type\":\"receipt\",\"virusFound\":null}", + "outcome": "unknown" + }, + "mimecast": { + "accountId": "CUSB4A274", + "aggregateId": "OAXKAyanO6SqyvwQ1eKC4g_1731508647", + "log_type": "receipt", + "numberAttachments": "0", + "processingId": "YON72Gz9BYznKeJ0LSfRtVX4D0JDEmod68dD9ze1hHA_1731508647", + "senderHeader": 
"eblastoff@evaluation-fuzz.b41.one", + "spamDetectionLevel": "7", + "spamInfo": "[]", + "spamProcessingDetail": "{\"spf\":{\"allow\":true,\"info\":\"ALLOW\"},\"dkim\":{\"allow\":true,\"info\":\"UNKNOWN\"},\"dmarc\":{\"allow\":true,\"info\":\"ALLOW\"}}", + "spamScore": "10", + "subtype": "Acc", + "tlsVersion": "TLSv1.3" + }, + "related": { + "user": [ + "eblastoff@evaluation-fuzz.b41.one", + "ebass@demo-int.elastic.mime-api.com" + ] + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "tags": [ + "preserve_original_event" + ], + "tls": { + "cipher": "TLS_AES_256_GCM_SHA384" + } + }, + { + "@timestamp": "2024-11-14T01:04:46.658Z", + "ecs": { + "version": "8.11.0" + }, + "email": { + "direction": "internal", + "from": { + "address": [ + "postmaster@demo-int.elastic.mime-api.com" + ] + }, + "message_id": "<27945005-1731546285334@usb-mta-6.usb.mimecast.lan>", + "subject": "You have new held messages", + "to": { + "address": [ + "ford@demo-int.elastic.mime-api.com" + ] + } + }, + "event": { + "action": "Acc", + "category": [ + "email" + ], + "created": "2024-11-14T01:04:46.658Z", + "original": 
"{\"_offset\":71966,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"action\":\"Acc\",\"aggregateId\":\"891c3d4c-0aa7-320b-bfd2-732bcd7c5adf_1731546285\",\"direction\":\"Internal\",\"messageId\":\"<27945005-1731546285334@usb-mta-6.usb.mimecast.lan>\",\"numberAttachments\":\"0\",\"processingId\":\"d6-ofzBp4GuHX3ZhDQTbnfwdr7VvRIpDrkqooDRU7SM_1731546285\",\"receiptErrors\":null,\"recipients\":\"ford@demo-int.elastic.mime-api.com\",\"rejectionCode\":null,\"rejectionInfo\":null,\"rejectionType\":null,\"senderEnvelope\":\"postmaster@demo-int.elastic.mime-api.com\",\"senderHeader\":\"postmaster@demo-int.elastic.mime-api.com\",\"senderIp\":\"10.104.113.241\",\"spamDetectionLevel\":\"28\",\"spamInfo\":\"[]\",\"spamProcessingDetail\":null,\"spamScore\":\"0\",\"subject\":\"You have new held messages\",\"subtype\":\"Acc\",\"timestamp\":1731546286658,\"tlsCipher\":null,\"tlsVersion\":null,\"type\":\"receipt\",\"virusFound\":null}", + "outcome": "unknown" + }, + "mimecast": { + "accountId": "CUSB4A274", + "aggregateId": "891c3d4c-0aa7-320b-bfd2-732bcd7c5adf_1731546285", + "log_type": "receipt", + "numberAttachments": "0", + "processingId": "d6-ofzBp4GuHX3ZhDQTbnfwdr7VvRIpDrkqooDRU7SM_1731546285", + "senderHeader": "postmaster@demo-int.elastic.mime-api.com", + "spamDetectionLevel": "28", + "spamInfo": "[]", + "spamScore": "0", + "subtype": "Acc" + }, + "related": { + "user": [ + "postmaster@demo-int.elastic.mime-api.com", + "ford@demo-int.elastic.mime-api.com" + ] + }, + "source": { + "ip": "10.104.113.241" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-11-13T21:29:29.688Z", + "ecs": { + "version": "8.11.0" + }, + "email": { + "direction": "inbound", + "from": { + "address": [ + "cfishkin@empirepartners.b41.one" + ] + }, + "message_id": "<17043d206c4f4dbe-131959@hapi.b41.one>", + "subject": "RE", + "to": { + "address": [ + "taylor@demo-int.elastic.mime-api.com" + ] + } + }, + "event": { + "action": "Acc", + "category": [ + "email" + ], + "created": 
"2024-11-13T21:29:29.688Z", + "original": "{\"_offset\":71831,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"action\":\"Acc\",\"aggregateId\":\"YGkCYMyQNt6bgEuSqC3SVw_1731533364\",\"direction\":\"Inbound\",\"messageId\":\"<17043d206c4f4dbe-131959@hapi.b41.one>\",\"numberAttachments\":\"1\",\"processingId\":\"8-6EpAp9tIjIcQutkjBGvWfU5gkRdT5y0XAd_q6_uVQ_1731533364\",\"receiptErrors\":null,\"recipients\":\"taylor@demo-int.elastic.mime-api.com\",\"rejectionCode\":null,\"rejectionInfo\":null,\"rejectionType\":null,\"senderEnvelope\":\"cfishkin@empirepartners.b41.one\",\"senderHeader\":\"cfishkin@empirepartners.b41.one\",\"senderIp\":\"81.2.69.144\",\"spamDetectionLevel\":\"7\",\"spamInfo\":\"[]\",\"spamProcessingDetail\":\"{\\\"spf\\\":{\\\"allow\\\":true,\\\"info\\\":\\\"ALLOW\\\"},\\\"dkim\\\":{\\\"allow\\\":true,\\\"info\\\":\\\"UNKNOWN\\\"},\\\"dmarc\\\":{\\\"allow\\\":true,\\\"info\\\":\\\"ALLOW\\\"}}\",\"spamScore\":\"10\",\"subject\":\"RE\",\"subtype\":\"Acc\",\"timestamp\":1731533369688,\"tlsCipher\":\"TLS_AES_256_GCM_SHA384\",\"tlsVersion\":\"TLSv1.3\",\"type\":\"receipt\",\"virusFound\":null}", + "outcome": "unknown" + }, + "mimecast": { + "accountId": "CUSB4A274", + "aggregateId": "YGkCYMyQNt6bgEuSqC3SVw_1731533364", + "log_type": "receipt", + "numberAttachments": "1", + "processingId": "8-6EpAp9tIjIcQutkjBGvWfU5gkRdT5y0XAd_q6_uVQ_1731533364", + "senderHeader": "cfishkin@empirepartners.b41.one", + "spamDetectionLevel": "7", + "spamInfo": "[]", + "spamProcessingDetail": "{\"spf\":{\"allow\":true,\"info\":\"ALLOW\"},\"dkim\":{\"allow\":true,\"info\":\"UNKNOWN\"},\"dmarc\":{\"allow\":true,\"info\":\"ALLOW\"}}", + "spamScore": "10", + "subtype": "Acc", + "tlsVersion": "TLSv1.3" + }, + "related": { + "user": [ + "cfishkin@empirepartners.b41.one", + "taylor@demo-int.elastic.mime-api.com" + ] + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 
51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "tags": [ + "preserve_original_event" + ], + "tls": { + "cipher": "TLS_AES_256_GCM_SHA384" + } + }, + { + "@timestamp": "2024-11-12T19:58:04.433Z", + "ecs": { + "version": "8.11.0" + }, + "email": { + "direction": "inbound", + "from": { + "address": [ + "auto-confirm@concept-variety.b41.one" + ] + }, + "message_id": "<024f423ba0c5f5cb-101202@hapi.b41.one>", + "subject": "Your Order with Amazon.com (#102-9280639-7011323)", + "to": { + "address": [ + "dgiron@demo-int.elastic.mime-api.com" + ] + } + }, + "event": { + "category": [ + "email" + ], + "created": "2024-11-12T19:58:04.433Z", + "original": "{\"_offset\":70644,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"aggregateId\":\"Ql_iJvRDMdC_d469VGp4kQ_1731441482\",\"messageId\":\"<024f423ba0c5f5cb-101202@hapi.b41.one>\",\"processingId\":\"5EWkv9kTMt8sxAO41F7DZqeOTf2vsdVGKOLYRuZ0i8Y_1731441482\",\"recipients\":\"dgiron@demo-int.elastic.mime-api.com\",\"route\":\"Inbound\",\"senderDomain\":\"concept-variety.b41.one\",\"senderEnvelope\":\"auto-confirm@concept-variety.b41.one\",\"senderHeader\":\"auto-confirm@concept-variety.b41.one\",\"senderIp\":\"81.2.69.144\",\"subject\":\"Your Order with Amazon.com (#102-9280639-7011323)\",\"subtype\":null,\"timestamp\":1731441484433,\"type\":\"spam\"}", + "outcome": "unknown" + }, + "mimecast": { + "accountId": "CUSB4A274", + "aggregateId": "Ql_iJvRDMdC_d469VGp4kQ_1731441482", + "log_type": "spam", + "processingId": "5EWkv9kTMt8sxAO41F7DZqeOTf2vsdVGKOLYRuZ0i8Y_1731441482", + "senderHeader": "auto-confirm@concept-variety.b41.one" + }, + "related": { + "user": [ + "auto-confirm@concept-variety.b41.one", + "dgiron@demo-int.elastic.mime-api.com" + ] + }, + "source": { + "domain": "concept-variety.b41.one", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 
51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-11-12T22:37:00.249Z", + "ecs": { + "version": "8.11.0" + }, + "email": { + "direction": "inbound", + "from": { + "address": [ + "clickz.today.txt@concept-variety.b41.one" + ] + }, + "message_id": "<62f0f191f1b2bfb8-202018@hapi.b41.one>", + "subject": "Tests Only an Internet Marketer Could Love", + "to": { + "address": [ + "alewis@demo-int.elastic.mime-api.com" + ] + } + }, + "event": { + "category": [ + "email" + ], + "created": "2024-11-12T22:37:00.249Z", + "original": "{\"_offset\":70888,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"aggregateId\":\"r1jMzKmBNwOqFqDYi5Le0A_1731451019\",\"messageId\":\"<62f0f191f1b2bfb8-202018@hapi.b41.one>\",\"processingId\":\"t8HTSvcRL51riYw2Q_yM654nb8R2KtBO4vjsB1p-1rA_1731451019\",\"recipients\":\"alewis@demo-int.elastic.mime-api.com\",\"route\":\"Inbound\",\"senderDomain\":\"concept-variety.b41.one\",\"senderEnvelope\":\"clickz.today.txt@concept-variety.b41.one\",\"senderHeader\":\"clickz.today.txt@concept-variety.b41.one\",\"senderIp\":\"81.2.69.144\",\"subject\":\"Tests Only an Internet Marketer Could Love\",\"subtype\":null,\"timestamp\":1731451020249,\"type\":\"spam\"}", + "outcome": "unknown" + }, + "mimecast": { + "accountId": "CUSB4A274", + "aggregateId": "r1jMzKmBNwOqFqDYi5Le0A_1731451019", + "log_type": "spam", + "processingId": "t8HTSvcRL51riYw2Q_yM654nb8R2KtBO4vjsB1p-1rA_1731451019", + "senderHeader": "clickz.today.txt@concept-variety.b41.one" + }, + "related": { + "user": [ + "clickz.today.txt@concept-variety.b41.one", + "alewis@demo-int.elastic.mime-api.com" + ] + }, + "source": { + "domain": "concept-variety.b41.one", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": 
"GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-11-16T14:17:29.212Z", + "ecs": { + "version": "8.11.0" + }, + "email": { + "direction": "inbound", + "from": { + "address": [ + "fishkinc@creative-omega.b41.one" + ] + }, + "message_id": "<918952fe9b2b691c-132413@hapi.b41.one>", + "to": { + "address": [ + "tana.jones@demo-int.elastic.mime-api.com" + ] + } + }, + "event": { + "category": [ + "email" + ], + "created": "2024-11-16T14:17:29.212Z", + "original": "{\"_offset\":74166,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"aggregateId\":\"Vhz8WEBPMFyb3pF2BJ2wrQ_1731766647\",\"messageId\":\"<918952fe9b2b691c-132413@hapi.b41.one>\",\"processingId\":\"0MCtz4Ju8r8zy_Fh3z2qGmwtmSMJC79xC1rw4ZvVxHs_1731766647\",\"recipients\":\"tana.jones@demo-int.elastic.mime-api.com\",\"route\":\"Inbound\",\"senderDomain\":\"creative-omega.b41.one\",\"senderEnvelope\":\"fishkinc@creative-omega.b41.one\",\"senderHeader\":\"fishkinc@creative-omega.b41.one\",\"senderIp\":\"81.2.69.144\",\"subject\":null,\"subtype\":null,\"timestamp\":1731766649212,\"type\":\"spam\"}", + "outcome": "unknown" + }, + "mimecast": { + "accountId": "CUSB4A274", + "aggregateId": "Vhz8WEBPMFyb3pF2BJ2wrQ_1731766647", + "log_type": "spam", + "processingId": "0MCtz4Ju8r8zy_Fh3z2qGmwtmSMJC79xC1rw4ZvVxHs_1731766647", + "senderHeader": "fishkinc@creative-omega.b41.one" + }, + "related": { + "user": [ + "fishkinc@creative-omega.b41.one", + "tana.jones@demo-int.elastic.mime-api.com" + ] + }, + "source": { + "domain": "creative-omega.b41.one", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-11-15T15:43:04.647Z", + "ecs": { + 
"version": "8.11.0" + }, + "email": { + "direction": "inbound", + "from": { + "address": [ + "kathy@arcadia-group.b41.one" + ] + }, + "message_id": "<688d972bc653918d-370521@hapi.b41.one>", + "subject": "Reception for COGA Annual Meeting Keynote Bill Walker", + "to": { + "address": [ + "cole.jim@demo-int.elastic.mime-api.com" + ] + } + }, + "event": { + "category": [ + "email" + ], + "created": "2024-11-15T15:43:04.647Z", + "original": "{\"_offset\":73474,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"aggregateId\":\"c7hobrZoOmy2Jue6uTkTZA_1731685378\",\"messageId\":\"<688d972bc653918d-370521@hapi.b41.one>\",\"processingId\":\"Pf8VEM40WVSFJhipnSh6S-izYx-BOH2dw64CPcFknzo_1731685378\",\"recipients\":\"cole.jim@demo-int.elastic.mime-api.com\",\"route\":\"Inbound\",\"senderDomain\":\"arcadia-group.b41.one\",\"senderEnvelope\":\"kathy@arcadia-group.b41.one\",\"senderHeader\":\"kathy@arcadia-group.b41.one\",\"senderIp\":\"81.2.69.144\",\"subject\":\"Reception for COGA Annual Meeting Keynote Bill Walker\",\"subtype\":null,\"timestamp\":1731685384647,\"type\":\"spam\"}", + "outcome": "unknown" + }, + "mimecast": { + "accountId": "CUSB4A274", + "aggregateId": "c7hobrZoOmy2Jue6uTkTZA_1731685378", + "log_type": "spam", + "processingId": "Pf8VEM40WVSFJhipnSh6S-izYx-BOH2dw64CPcFknzo_1731685378", + "senderHeader": "kathy@arcadia-group.b41.one" + }, + "related": { + "user": [ + "kathy@arcadia-group.b41.one", + "cole.jim@demo-int.elastic.mime-api.com" + ] + }, + "source": { + "domain": "arcadia-group.b41.one", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-11-17T18:42:28.919Z", + "ecs": { + "version": "8.11.0" + }, + "email": { + "direction": "inbound", + "from": { + "address": [ + 
"sgentry@empirepartners.b41.one" + ] + }, + "message_id": "", + "subject": "FW", + "to": { + "address": [ + "_trey.greaney@demo-int.elastic.mime-api.com" + ] + } + }, + "event": { + "category": [ + "email" + ], + "created": "2024-11-17T18:42:28.919Z", + "original": "{\"_offset\":74481,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"aggregateId\":\"6ihbgt-UOrKODApypGlzXQ_1731868943\",\"messageId\":\"\",\"processingId\":\"qR4K63J1r-NOxyrUpaPkU5iYS5bvw2-fEMB-JYcf0cE_1731868943\",\"recipients\":\"_trey.greaney@demo-int.elastic.mime-api.com\",\"route\":\"Inbound\",\"senderDomain\":\"empirepartners.b41.one\",\"senderEnvelope\":\"sgentry@empirepartners.b41.one\",\"senderHeader\":\"sgentry@empirepartners.b41.one\",\"senderIp\":\"81.2.69.144\",\"subject\":\"FW\",\"subtype\":null,\"timestamp\":1731868948919,\"type\":\"spam\"}", + "outcome": "unknown" + }, + "mimecast": { + "accountId": "CUSB4A274", + "aggregateId": "6ihbgt-UOrKODApypGlzXQ_1731868943", + "log_type": "spam", + "processingId": "qR4K63J1r-NOxyrUpaPkU5iYS5bvw2-fEMB-JYcf0cE_1731868943", + "senderHeader": "sgentry@empirepartners.b41.one" + }, + "related": { + "user": [ + "sgentry@empirepartners.b41.one", + "_trey.greaney@demo-int.elastic.mime-api.com" + ] + }, + "source": { + "domain": "empirepartners.b41.one", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-11-17T18:42:28.918Z", + "ecs": { + "version": "8.11.0" + }, + "email": { + "direction": "inbound", + "from": { + "address": [ + "sgentry@empirepartners.b41.one" + ] + }, + "message_id": "", + "subject": "FW", + "to": { + "address": [ + "jeff.eatherton@demo-int.elastic.mime-api.com" + ] + } + }, + "event": { + "category": [ + "email" + ], + "created": 
"2024-11-17T18:42:28.918Z", + "original": "{\"_offset\":74481,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"aggregateId\":\"6ihbgt-UOrKODApypGlzXQ_1731868943\",\"messageId\":\"\",\"processingId\":\"iYxxMaLBNEKPWSTEp9CH4B2464AGHhsvAPaf31Mc0tc_1731868943\",\"recipients\":\"jeff.eatherton@demo-int.elastic.mime-api.com\",\"route\":\"Inbound\",\"senderDomain\":\"empirepartners.b41.one\",\"senderEnvelope\":\"sgentry@empirepartners.b41.one\",\"senderHeader\":\"sgentry@empirepartners.b41.one\",\"senderIp\":\"81.2.69.144\",\"subject\":\"FW\",\"subtype\":null,\"timestamp\":1731868948918,\"type\":\"spam\"}", + "outcome": "unknown" + }, + "mimecast": { + "accountId": "CUSB4A274", + "aggregateId": "6ihbgt-UOrKODApypGlzXQ_1731868943", + "log_type": "spam", + "processingId": "iYxxMaLBNEKPWSTEp9CH4B2464AGHhsvAPaf31Mc0tc_1731868943", + "senderHeader": "sgentry@empirepartners.b41.one" + }, + "related": { + "user": [ + "sgentry@empirepartners.b41.one", + "jeff.eatherton@demo-int.elastic.mime-api.com" + ] + }, + "source": { + "domain": "empirepartners.b41.one", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-11-19T00:57:53.269Z", + "ecs": { + "version": "8.11.0" + }, + "email": { + "direction": "inbound", + "from": { + "address": [ + "douglass@creative-omega.b41.one" + ] + }, + "message_id": "", + "subject": "Re", + "to": { + "address": [ + "ryang@demo-int.elastic.mime-api.com" + ] + } + }, + "event": { + "category": [ + "email" + ], + "created": "2024-11-19T00:57:53.269Z", + "original": 
"{\"_offset\":75325,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"aggregateId\":\"-n86qAQfOTWA4Efdk2N-FA\",\"messageId\":\"\",\"processingId\":\"FIoA2LSY-MzFJzNY98Fwgzu1MD530-3K_kNs6b-GHQA_1731977871\",\"recipients\":\"ryang@demo-int.elastic.mime-api.com\",\"route\":\"Inbound\",\"senderDomain\":\"creative-omega.b41.one\",\"senderEnvelope\":\"douglass@creative-omega.b41.one\",\"senderHeader\":\"douglass@creative-omega.b41.one\",\"senderIp\":\"81.2.69.144\",\"subject\":\"Re\",\"subtype\":null,\"timestamp\":1731977873269,\"type\":\"spam\"}", + "outcome": "unknown" + }, + "mimecast": { + "accountId": "CUSB4A274", + "aggregateId": "-n86qAQfOTWA4Efdk2N-FA", + "log_type": "spam", + "processingId": "FIoA2LSY-MzFJzNY98Fwgzu1MD530-3K_kNs6b-GHQA_1731977871", + "senderHeader": "douglass@creative-omega.b41.one" + }, + "related": { + "user": [ + "douglass@creative-omega.b41.one", + "ryang@demo-int.elastic.mime-api.com" + ] + }, + "source": { + "domain": "creative-omega.b41.one", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-11-14T20:52:42.340Z", + "ecs": { + "version": "8.11.0" + }, + "email": { + "direction": "inbound", + "from": { + "address": [ + "gmille@pilot-meadow.b41.one" + ] + }, + "message_id": "", + "to": { + "address": [ + "jonathan.mckay@demo-int.elastic.mime-api.com" + ] + } + }, + "event": { + "category": [ + "email" + ], + "created": "2024-11-14T20:52:42.340Z", + "original": 
"{\"_offset\":72869,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"aggregateId\":\"5I6WzskaO0anMqefgzUxMQ_1731617561\",\"messageId\":\"\",\"processingId\":\"44x8Ss3UswVtAAZEys6AvV2YDHgvX68PHyHjte7bw_w_1731617561\",\"recipients\":\"jonathan.mckay@demo-int.elastic.mime-api.com\",\"route\":\"Inbound\",\"senderDomain\":\"pilot-meadow.b41.one\",\"senderEnvelope\":\"gmille@pilot-meadow.b41.one\",\"senderHeader\":\"gmille@pilot-meadow.b41.one\",\"senderIp\":\"81.2.69.144\",\"subject\":null,\"subtype\":null,\"timestamp\":1731617562340,\"type\":\"spam\"}", + "outcome": "unknown" + }, + "mimecast": { + "accountId": "CUSB4A274", + "aggregateId": "5I6WzskaO0anMqefgzUxMQ_1731617561", + "log_type": "spam", + "processingId": "44x8Ss3UswVtAAZEys6AvV2YDHgvX68PHyHjte7bw_w_1731617561", + "senderHeader": "gmille@pilot-meadow.b41.one" + }, + "related": { + "user": [ + "gmille@pilot-meadow.b41.one", + "jonathan.mckay@demo-int.elastic.mime-api.com" + ] + }, + "source": { + "domain": "pilot-meadow.b41.one", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-11-14T15:17:22.889Z", + "ecs": { + "version": "8.11.0" + }, + "email": { + "direction": "inbound", + "from": { + "address": [ + "courtney_abernathy@pilot-meadow.b41.one" + ] + }, + "message_id": "<3a5a32b949bc68d5-44894@hapi.b41.one>", + "subject": "Stranger", + "to": { + "address": [ + "jeff.dasovich@demo-int.elastic.mime-api.com" + ] + } + }, + "event": { + "category": [ + "email" + ], + "created": "2024-11-14T15:17:22.889Z", + "original": 
"{\"_offset\":72407,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"aggregateId\":\"nNsYsZo5PsiS7tsPPMhScw_1731597441\",\"messageId\":\"<3a5a32b949bc68d5-44894@hapi.b41.one>\",\"processingId\":\"Ju7DcVaik3AmIzS7u9rY8klrnT3r33IyQUYVFC__byk_1731597441\",\"recipients\":\"jeff.dasovich@demo-int.elastic.mime-api.com\",\"route\":\"Inbound\",\"senderDomain\":\"pilot-meadow.b41.one\",\"senderEnvelope\":\"courtney_abernathy@pilot-meadow.b41.one\",\"senderHeader\":\"courtney_abernathy@pilot-meadow.b41.one\",\"senderIp\":\"81.2.69.144\",\"subject\":\"Stranger\",\"subtype\":null,\"timestamp\":1731597442889,\"type\":\"spam\"}", + "outcome": "unknown" + }, + "mimecast": { + "accountId": "CUSB4A274", + "aggregateId": "nNsYsZo5PsiS7tsPPMhScw_1731597441", + "log_type": "spam", + "processingId": "Ju7DcVaik3AmIzS7u9rY8klrnT3r33IyQUYVFC__byk_1731597441", + "senderHeader": "courtney_abernathy@pilot-meadow.b41.one" + }, + "related": { + "user": [ + "courtney_abernathy@pilot-meadow.b41.one", + "jeff.dasovich@demo-int.elastic.mime-api.com" + ] + }, + "source": { + "domain": "pilot-meadow.b41.one", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2024-11-17T07:17:31.036Z", + "ecs": { + "version": "8.11.0" + }, + "email": { + "direction": "inbound", + "from": { + "address": [ + "nikep@arcadia-group.b41.one" + ] + }, + "message_id": "<69b360ac6c02441e-173968@hapi.b41.one>", + "subject": "Weekly Report", + "to": { + "address": [ + "max.yzaguirre@demo-int.elastic.mime-api.com" + ] + } + }, + "event": { + "category": [ + "email" + ], + "created": "2024-11-17T07:17:31.036Z", + "original": 
"{\"_offset\":74368,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"aggregateId\":\"Zyc2YQp5NiebreJzicSY0g_1731827848\",\"messageId\":\"<69b360ac6c02441e-173968@hapi.b41.one>\",\"processingId\":\"rdbUbf7dO9buFz-hm-jV4eMdfFO2Qnu6iZy__ONwPng_1731827848\",\"recipients\":\"max.yzaguirre@demo-int.elastic.mime-api.com\",\"route\":\"Inbound\",\"senderDomain\":\"arcadia-group.b41.one\",\"senderEnvelope\":\"nikep@arcadia-group.b41.one\",\"senderHeader\":\"nikep@arcadia-group.b41.one\",\"senderIp\":\"81.2.69.144\",\"subject\":\"Weekly Report\",\"subtype\":null,\"timestamp\":1731827851036,\"type\":\"spam\"}", + "outcome": "unknown" + }, + "mimecast": { + "accountId": "CUSB4A274", + "aggregateId": "Zyc2YQp5NiebreJzicSY0g_1731827848", + "log_type": "spam", + "processingId": "rdbUbf7dO9buFz-hm-jV4eMdfFO2Qnu6iZy__ONwPng_1731827848", + "senderHeader": "nikep@arcadia-group.b41.one" + }, + "related": { + "user": [ + "nikep@arcadia-group.b41.one", + "max.yzaguirre@demo-int.elastic.mime-api.com" + ] + }, + "source": { + "domain": "arcadia-group.b41.one", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144" + }, + "tags": [ + "preserve_original_event" + ] + } + ] +} \ No newline at end of file diff --git a/packages/mimecast/data_stream/siem_logs/_dev/test/system/test-default-config.yml b/packages/mimecast/data_stream/siem_logs/_dev/test/system/test-v1-config.yml similarity index 100% rename from packages/mimecast/data_stream/siem_logs/_dev/test/system/test-default-config.yml rename to packages/mimecast/data_stream/siem_logs/_dev/test/system/test-v1-config.yml 
diff --git a/packages/mimecast/data_stream/siem_logs/_dev/test/system/test-v2-config.yml b/packages/mimecast/data_stream/siem_logs/_dev/test/system/test-v2-config.yml new file mode 100644 index 00000000000..3ad28ad2205 --- /dev/null +++ b/packages/mimecast/data_stream/siem_logs/_dev/test/system/test-v2-config.yml @@ -0,0 +1,17 @@ +input: cel +service: mimecast +vars: + api_url: http://{{Hostname}}:{{Port}} + client_id: slightlysecretclientid + client_secret: totallysecretlientsecret +data_stream: + vars: + initial_interval: 24h + batch_size: 2 + preserve_original_event: true + enable_request_tracer: true + types: + - "internal email protect" + - "receipt" +assert: + hit_count: 4 diff --git a/packages/mimecast/data_stream/siem_logs/agent/stream/cel.yml.hbs b/packages/mimecast/data_stream/siem_logs/agent/stream/cel.yml.hbs new file mode 100644 index 00000000000..bdd92057e24 --- /dev/null +++ b/packages/mimecast/data_stream/siem_logs/agent/stream/cel.yml.hbs 
@@ -0,0 +1,173 @@ +config_version: 2 +interval: {{interval}} +{{#if enable_request_tracer}} +resource.tracer.filename: "../../logs/cel/http-request-trace-*.ndjson" +resource.tracer.maxbackups: 5 +{{/if}} +resource.url: {{api_url}} +fields_under_root: true +keep_null: true +state: + client_id: {{client_id}} + client_secret: {{client_secret}} + page_size: {{batch_size}} + look_back: {{initial_interval}} + path: /siem/v1/batch/events/cg + start_field: dateRangeStartsAt + end_field: dateRangeEndsAt +{{#if types}} + types: +{{#each types as |t|}} + - {{t}} +{{/each}} +{{/if}} +redact: + fields: + - client_id + - client_secret + - token.access_token +program: | + state.with( + ( + (has(state.?token.expires) && now() < timestamp(state.token.expires)) ? + // The token we have is still valid. + state.token + : + // Get a new token. + post_request(state.url.trim_right("/") + "/oauth/token", "application/x-www-form-urlencoded", + { + "client_id": [state.client_id], + "client_secret": [state.client_secret], + "grant_type": ["client_credentials"], + }.format_query() + ).do_request().as(auth, auth.StatusCode == 200 ? + bytes(auth.Body).decode_json().as(auth_body, auth_body.with({ + // Include 60s grace period to avoid attempting to make + // a request with a stale authentication token. + "expires": now()+duration(string(int(auth_body.expires_in)-60)+"s"), + })) + : + { + "events": { + "error": { + "code": string(auth.StatusCode), + "id": string(auth.Status), + "message": "POST /oauth/token: "+( + size(auth.Body) != 0 ? + string(auth.Body) + : + string(auth.Status) + ' (' + string(auth.StatusCode) + ')' + ), + }, + }, + "want_more": false, + } + ) + ).as(token, !has(token.access_token) ? token : + state.?cursor.work_list.orValue(state.types.map(t, {"type": t})).as(work_list, size(work_list) == 0 ? + state.types.map(t, {"type": t}) + : + work_list + ).as(work_list, + get_request( + state.url.trim_right("/") + state.path + "?" 
+ { + "type": [work_list[0].type], + ?"nextPage": work_list[0].?next.optMap(next, [next]), + ?"dateRangeStartsAt": state.?start.optMap(start, [start.format("2006-01-02")]), + ?"dateRangeEndsAt": state.?end.optMap(end, [end.format("2006-01-02")]), + ?"pageSize": state.?page_size.optMap(size, [string(int(size))]), + }.format_query() + ).with({ + "Header": { + "Authorization": ["Bearer " + token.access_token], + "Accept": ["application/json"], + "Content-Type": ["application/json"], + } + }).do_request().as(resp, resp.StatusCode == 200 ? + bytes(resp.Body).decode_json().as(body, + { + "events": body.value.map(b, has(b.url), + get(b.url).as(batch, batch.StatusCode == 200 ? + bytes(batch.Body).mime("application/gzip").mime("application/x-ndjson").map(e, + { + "message": dyn(e.encode_json()), + } + ) + : + [{ + "error": { + "code": string(batch.StatusCode), + "id": string(batch.Status), + "message": "GET " + b.url + ": " + ( + size(batch.Body) != 0 ? + string(batch.Body) + : + string(batch.Status) + ' (' + string(batch.StatusCode) + ')' + ), + }, + }] + ) + ).flatten(), + "cursor": { + "work_list": ( + "@nextPage" in body && size(body.value) != 0 ? + [work_list[0].with({"next": body["@nextPage"]})] + : + [] + ) + tail(work_list), + }, + "token": { + "access_token": token.access_token, + "expires": token.expires, + }, + "want_more": "@nextPage" in body && size(body.value) != 0, + }.as(to_publish, to_publish.with({ + "want_more": to_publish.want_more || size(to_publish.cursor.work_list) != 0, + })) + ).as(state, + // Check whether we still need to get more, but have + // no event for this type. If we do, populate events + // with a place-holder to be discarded by the ingest + // pipeline. + state.want_more && size(state.events) == 0 ? + state.with({"events": [{"message": "want_more"}]}) + : + state + ) + : + { + "events": { + "error": { + "code": string(resp.StatusCode), + "id": string(resp.Status), + "message": "GET " + state.path + ": " + ( + size(resp.Body) != 0 ? 
+ string(resp.Body) + : + string(resp.Status) + ' (' + string(resp.StatusCode) + ')' + ), + }, + }, + "want_more": false, + } + ) + ) + ) + ) +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#if preserve_duplicate_custom_fields}} + - preserve_duplicate_custom_fields +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/mimecast/data_stream/siem_logs/elasticsearch/ingest_pipeline/default.yml b/packages/mimecast/data_stream/siem_logs/elasticsearch/ingest_pipeline/default.yml index 0f8fb6b2d83..88c54c771e1 100644 --- a/packages/mimecast/data_stream/siem_logs/elasticsearch/ingest_pipeline/default.yml +++ b/packages/mimecast/data_stream/siem_logs/elasticsearch/ingest_pipeline/default.yml @@ -1,7 +1,10 @@ --- description: Pipeline for processing Mimecast siem_logs. processors: - # Generic event/ecs fields we always want to populate. + - drop: + description: Ignore want_more placeholder message. + if: ctx.message == "want_more" + - set: field: ecs.version value: '8.11.0' 
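Review bot: The batch-fetch error branch embeds the complete URL taken from `body.value` into the event via `"message": "GET " + b.url + ": " + (`; if those batch URLs are pre-signed, the signature and expiry carried in the query string end up stored in `error.message`. Keeping only the path, e.g. `"message": "GET " + b.url.split("?")[0] + ": " + (`, still identifies the failing object (`split` comes from the CEL strings extension, which I believe this input provides). Separately, `state.types.map(t, {"type": t})` is evaluated unconditionally while the `types` key is only rendered inside `{{#if types}}`, so an empty or unset `types` variable would presumably fail on a missing state key rather than produce a clear error; whether the manifest default rules this out is outside the hunk.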
@@ -15,503 +18,27 @@ processors: field: event.original target_field: mimecast - drop: - if: ctx?.mimecast?.datetime == null - - - date: - description: Use 'mimecast.datetime' as the '@timestamp' - field: mimecast.datetime - timezone: UTC - formats: - - yyyy-MM-dd'T'HH:mm:ssZ - - ### NOTE LOG TYPE - - script: - lang: painless - params: - definite_positive: - action: receipt - attempt: delivery - attnames: process - customerip: avlog - customname: impersonation-protect - customthreatdictionary: impersonation-protect - definition: impersonation-protect - delivered: delivery - err: delivery - error: receipt - filename: attachment-protect - hits: impersonation-protect - hld: process - internalname: impersonation-protect - ipinternalname: process - ipnewdomain: process - ipreplymismatch: process - ipsimilardomain: process - ipthreaddict: process - latency: delivery - mimecastip: avlog - msgsize: process - newdomain: impersonation-protect - reason: url-protect - receiptack: delivery - replymismatch: impersonation-protect - rcptacttype: jrnl - scanresultinfo: internal-email-protect - senderdomaininternal: avlog - similarcustomexternaldomain: impersonation-protect - similarinternaldomain: impersonation-protect - similarmimecastexternaldomain: impersonation-protect - snt: delivery - spaminfo: receipt - spamlimit: receipt - spamprocessingdetail: receipt - spamscore: receipt - taggedexternal: impersonation-protect - taggedmalicious: impersonation-protect - threatdictionary: impersonation-protect - usetls: delivery - negative: - acode: [avlog, url-protect, attachment-protect] - act: [delivery, avlog, spam, internal-email-protect, impersonation-protect, url-protect, attachment-protect, jrnl] - attcnt: [receipt, avlog, spam, internal-email-protect, impersonation-protect, url-protect, attachment-protect, jrnl] - attsize: [receipt, avlog, spam, internal-email-protect, impersonation-protect, url-protect, attachment-protect, jrnl] - cphr: [process,avlog, spam, internal-email-protect, 
impersonation-protect, url-protect, attachment-protect, jrnl] - dir: [process, avlog, spam, internal-email-protect, impersonation-protect, url-protect, attachment-protect] - fileext: [receipt, process, delivery, spam, internal-email-protect, impersonation-protect, url-protect, jrnl] - filemime: [receipt, process, delivery, spam, internal-email-protect, impersonation-protect, url-protect, jrnl] - headerfrom: [process, delivery, avlog, internal-email-protect, impersonation-protect, url-protect, attachment-protect, jrnl] - ip: [process, spam, internal-email-protect, url-protect, jrnl] - md5: [receipt, process, delivery, spam, internal-email-protect, impersonation-protect, url-protect, jrnl] - rcpt: [process, avlog, spam, internal-email-protect, impersonation-protect, url-protect, attachment-protect] - recipient: [receipt, process, delivery, jrnl] - rejcode: [process, avlog, spam, internal-email-protect, impersonation-protect, url-protect, attachment-protect, jrnl] - rejinfo: [process, avlog, spam, internal-email-protect, impersonation-protect, url-protect, attachment-protect, jrnl] - rejtype: [process, avlog, spam, internal-email-protect, impersonation-protect, url-protect, attachment-protect, jrnl] - route: [receipt, process, jrnl] - senderdomain: [receipt, process, delivery, internal-email-protect, impersonation-protect, jrnl] - sha1: [receipt, process, delivery, spam, internal-email-protect, impersonation-protect, url-protect, jrnl] - sha256: [receipt, process, delivery, spam, internal-email-protect, impersonation-protect, url-protect, jrnl] - size: [receipt, process, delivery, spam, internal-email-protect, impersonation-protect, url-protect, jrnl] - sourceip: [receipt, process, delivery, avlog, internal-email-protect, impersonation-protect, attachment-protect, jrnl] - tlsver: [process, avlog, spam, internal-email-protect, impersonation-protect, url-protect, attachment-protect, jrnl] - url: [receipt, process, delivery, avlog, spam, impersonation-protect, 
attachment-protect, jrnl] - urlcategory: [receipt, process, delivery, avlog, spam, impersonation-protect, attachment-protect, jrnl] - virus: [process, delivery, spam, internal-email-protect, impersonation-protect, url-protect, attachment-protect, jrnl] - positive: - acode: [receipt, process, delivery, spam, internal-email-protect, impersonation-protect, jrnl] - act: [receipt, process] - attcnt: [process, delivery] - attsize: [process, delivery] - cphr: [receipt, delivery] - dir: [receipt, delivery, jrnl] - fileext: [avlog, attachment-protect] - filemime: [avlog, attachment-protect] - headerfrom: [receipt, spam] - ip: [receipt, delivery, avlog, impersonation-protect, attachment-protect] - md5: [avlog, attachment-protect] - rcpt: [receipt, delivery, jrnl] - recipient: [avlog, spam, internal-email-protect, impersonation-protect, url-protect, attachment-protect] - rejcode: [receipt, delivery] - rejinfo: [receipt, delivery] - rejtype: [receipt, delivery] - route: [delivery, avlog, spam, internal-email-protect, impersonation-protect, url-protect, attachment-protect] - senderdomain: [avlog, spam, url-protect, attachment-protect] - sha1: [avlog, attachment-protect] - sha256: [avlog, attachment-protect] - size: [avlog, attachment-protect] - sourceip: [spam, url-protect] - tlsver: [receipt, delivery] - url: [internal-email-protect, url-protect] - urlcategory: [internal-email-protect, url-protect] - virus: [receipt, avlog] - candidates: - receipt: 0 - process: 0 - delivery: 0 - jrnl: 0 - avlog: 0 - spam: 0 - internal-email-protect: 0 - impersonation-protect: 0 - url-protect: 0 - attachment-protect: 0 - if: ctx.mimecast instanceof Map - source: | - // Canonicalise keys to lowercase. If this causes issues in future - // because case becomes significant, this table space optimisation - // will need to be reverted. 
- def keys = new HashSet(); - for (def k: ctx.mimecast.keySet()) { - keys.add(k.toLowerCase()); - } - for (def k: keys) { - def typ = params.definite_positive.get(k); - if (typ != null) { - // We have a definitive known log_type. - ctx.mimecast.log_type = typ; - return; - } - } - def score = params.candidates.clone(); - for (def k: keys) { - def typ = params.negative.get(k); - if (typ == null) { - continue; - } - for (String e: typ) { - score.remove(e); - } - } - if (score.size() == 1) { - // We have removed all but one of the candidates. - ctx.mimecast.log_type = score.keySet().toArray()[0]; - return; - } - // Find best remaining and list all co-equal winners. - int max = 0; - for (def k: keys) { - def typ = params.positive.get(k); - if (typ == null) { - continue; - } - for (String e: typ) { - def s = score.get(e); - if (s == null) { - continue; - } - s++; - if (s > max) { - max = s; - } - score.put(e, s); - } - } - for (def e: score.entrySet()) { - if (e.getValue() < max) { - score.remove(e.getKey()); - } - } - ctx.mimecast.log_type = score.keySet(); - - - fingerprint: - fields: - - mimecast.MsgId - - mimecast.aCode - - mimecast.datetime - - mimecast.Sender - - mimecast.Rcpt - - mimecast.Attempt - - mimecast.log_type - - mimecast.sha256 - - mimecast.url - target_field: "_id" - ignore_missing: true - - ### RECEIPT LOGS - - rename: - field: mimecast.aCode - target_field: email.local_id - ignore_missing: true - - rename: - field: mimecast.Act - target_field: event.action - ignore_missing: true - - rename: - field: mimecast.Cphr - target_field: tls.cipher - ignore_missing: true - - rename: - field: mimecast.Dir - target_field: email.direction - ignore_missing: true - - rename: - field: mimecast.Error - target_field: error.message - ignore_missing: true - - rename: - field: mimecast.IP - target_field: source.ip - ignore_missing: true - - rename: - field: mimecast.MsgId - target_field: email.message_id - ignore_missing: true - - append: - field: email.to.address - 
value: '{{{mimecast.Rcpt}}}' - allow_duplicates: false - if: ctx.mimecast?.Rcpt != null - - append: - field: email.from.address - value: '{{{mimecast.headerFrom}}}' - allow_duplicates: false - if: ctx.mimecast?.headerFrom != null - - rename: - field: mimecast.RejCode - target_field: error.code - ignore_missing: true - - rename: - field: mimecast.RejInfo - target_field: event.reason - ignore_missing: true - - rename: - field: mimecast.RejType - target_field: error.type - ignore_missing: true - - append: - field: email.from.address - value: "{{{mimecast.Sender}}}" - allow_duplicates: false - if: "ctx?.mimecast?.Sender != null" - - rename: - field: mimecast.Subject - target_field: email.subject - ignore_missing: true - - rename: - field: mimecast.TlsVer - target_field: tls.version - ignore_missing: true - - ### PROCESS LOGS - - rename: - field: mimecast.AttSize - target_field: email.attachments.file.size - ignore_missing: true - - rename: - field: mimecast.AttNames - target_field: email.attachments.file.name - ignore_missing: true - - rename: - field: mimecast.Hld - target_field: event.reason - ignore_missing: true - - ### DELIVERY LOGS - - rename: - field: mimecast.Err - target_field: error.message - ignore_missing: true - - rename: - field: mimecast.UseTls - target_field: tls.established - ignore_missing: true - - set: - field: tls.established - value: true - if: 'ctx.tls?.established instanceof String && ctx.tls.established.toLowerCase() == "yes"' - - set: - field: tls.established - value: false - if: 'ctx.tls?.established instanceof String && ctx.tls.established.toLowerCase() == "no"' - - ### AV LOGS - - rename: - field: mimecast.fileExt - target_field: email.attachments.file.extension - ignore_missing: true - - rename: - field: mimecast.fileMime - target_field: email.attachments.file.mime_type - ignore_missing: true - - rename: - field: mimecast.md5 - target_field: email.attachments.file.hash.md5 - ignore_missing: true - - append: - field: email.to.address - 
value: '{{{mimecast.Recipient}}}' - allow_duplicates: false - if: ctx.mimecast?.Recipient != null - - rename: - field: mimecast.SenderDomain - target_field: source.domain - ignore_missing: true - - rename: - field: mimecast.sha1 - target_field: email.attachments.file.hash.sha1 - ignore_missing: true - - rename: - field: mimecast.sha256 - target_field: email.attachments.file.hash.sha256 - ignore_missing: true - - rename: - field: mimecast.Size - target_field: email.attachments.file.size - ignore_missing: true - - rename: - field: mimecast.fileName - target_field: email.attachments.file.name - ignore_missing: true - - ### SPAM EVENT THREAD LOGS - - rename: - field: mimecast.SourceIP - target_field: source.ip - ignore_missing: true - - ### SIEM Email Protect Logs - - rename: - field: mimecast.URL - target_field: url.full - ignore_missing: true - - ### SIEM Impersonation logs - - rename: - field: mimecast.Action - target_field: event.action - ignore_missing: true - - rename: - field: mimecast.Definition - target_field: rule.name - ignore_missing: true - - rename: - field: mimecast.NewDomain - target_field: source.domain - ignore_missing: true - - ### SIEM TTP Url Logs - - rename: - field: mimecast.reason - target_field: event.reason - ignore_missing: true - - append: - field: email.to.address - value: '{{{mimecast.recipient}}}' - allow_duplicates: false - if: ctx.mimecast?.recipient != null - - rename: - field: mimecast.route - target_field: email.direction - ignore_missing: true - - append: - field: email.from.address - value: "{{{mimecast.sender}}}" - allow_duplicates: false - if: "ctx?.mimecast?.sender != null" - - rename: - field: mimecast.senderDomain - target_field: source.domain - ignore_missing: true - - rename: - field: mimecast.sourceIp - target_field: source.ip - ignore_missing: true - - rename: - field: mimecast.subject - target_field: email.subject - ignore_missing: true - - rename: - field: mimecast.url - target_field: url.full - ignore_missing: true - - 
rename: - field: mimecast.action - target_field: event.action - ignore_missing: true - - set: - field: event.created - value: "{{{mimecast.datetime}}}" - if: 'ctx?.mimecast?.datetime != null' - - set: - field: tls.established - value: false - if: 'ctx?.tls?.established == "No"' + if: ctx.mimecast?.datetime == null && ctx.mimecast?.timestamp == null - set: - field: tls.established - value: true - if: 'ctx?.tls?.established == "Yes"' - - rename: - field: mimecast.Delivered - target_field: event.outcome - ignore_missing: true - - set: - field: event.outcome - value: "success" - if: ctx?.event?.outcome == true - - set: - field: event.outcome - value: "failure" - if: ctx?.event?.outcome == false - - set: - field: event.outcome - value: "unknown" - if: ctx?.event?.outcome == null - - lowercase: - field: email.direction - ignore_missing: true - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true + field: event.category + value: [email] - # Cleanup - - remove: - description: Cleanup of repeated/unwanted/temporary fields. - field: - - mimecast.eventTime - - mimecast.Content-Disposition - - mimecast.datetime - - mimecast.headerFrom - - mimecast.log_type_part1 - - mimecast.log_type_part2 - - mimecast.log_type_parts - - mimecast.recipient - - mimecast.Rcpt - - mimecast.sender - - mimecast.Sender - ignore_missing: true - - script: - lang: painless - description: This script processor iterates over the whole document to remove fields with null values. 
- source: | - void handleMap(Map map) { - for (def x : map.values()) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - void handleList(List list) { - for (def x : list) { - if (x instanceof Map) { - handleMap(x); - } else if (x instanceof List) { - handleList(x); - } - } - list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); - } - handleMap(ctx); - - remove: - description: Remove 'event.original' if 'preserve_original_event' is not set. - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true + - pipeline: + name: '{{ IngestPipeline "v1_pipeline" }}' + if: ctx.mimecast?.datetime != null + tag: v1_pipeline + - pipeline: + name: '{{ IngestPipeline "v2_pipeline" }}' + if: ctx.mimecast?.timestamp != null + tag: v1_pipeline -# Error handling on_failure: - set: field: event.kind value: pipeline_error - append: field: error.message - value: '{{{ _ingest.on_failure_message }}}' + value: >- + Processor '{{{ _ingest.on_failure_processor_type }}}' + {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}' + {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}' diff --git a/packages/mimecast/data_stream/siem_logs/elasticsearch/ingest_pipeline/v1_pipeline.yml b/packages/mimecast/data_stream/siem_logs/elasticsearch/ingest_pipeline/v1_pipeline.yml new file mode 100644 index 00000000000..070f9e9f6fa --- /dev/null +++ b/packages/mimecast/data_stream/siem_logs/elasticsearch/ingest_pipeline/v1_pipeline.yml 
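Review bot: The second `pipeline` processor dispatches to `v2_pipeline` but carries `tag: v1_pipeline`, so the new `on_failure` message, which now interpolates `_ingest.on_failure_processor_tag`, will attribute v2 failures to v1. Change it to `tag: v2_pipeline`. The two dispatch conditions are also not mutually exclusive: a document carrying both `mimecast.datetime` and `mimecast.timestamp` would run v1 and then v2 on the already-reshaped output; if that cannot occur, a comment such as `# v1 events carry datetime, v2 events carry timestamp; never both.` above the first `pipeline` processor would record the assumption.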
@@ -0,0 +1,497 @@
+---
+description: Pipeline for processing Mimecast siem_logs from v1 API.
+processors:
+ - date:
+ description: Use 'mimecast.datetime' as the '@timestamp'
+ field: mimecast.datetime
+ if: ctx.mimecast?.datetime != null
+ timezone: UTC
+ formats:
+ - yyyy-MM-dd'T'HH:mm:ssZ
+
+ ### NOTE LOG TYPE
+ - script:
+ lang: painless
+ if: ctx.mimecast instanceof Map
+ params:
+ definite_positive:
+ action: receipt
+ attempt: delivery
+ attnames: process
+ customerip: avlog
+ customname: impersonation-protect
+ customthreatdictionary: impersonation-protect
+ definition: impersonation-protect
+ delivered: delivery
+ err: delivery
+ error: receipt
+ filename: attachment-protect
+ hits: impersonation-protect
+ hld: process
+ internalname: impersonation-protect
+ ipinternalname: process
+ ipnewdomain: process
+ ipreplymismatch: process
+ ipsimilardomain: process
+ ipthreaddict: process
+ latency: delivery
+ mimecastip: avlog
+ msgsize: process
+ newdomain: impersonation-protect
+ reason: url-protect
+ receiptack: delivery
+ replymismatch: impersonation-protect
+ rcptacttype: jrnl
+ scanresultinfo: internal-email-protect
+ senderdomaininternal: avlog
+ similarcustomexternaldomain: impersonation-protect
+ similarinternaldomain: impersonation-protect
+ similarmimecastexternaldomain: impersonation-protect
+ snt: delivery
+ spaminfo: receipt
+ spamlimit: receipt
+ spamprocessingdetail: receipt
+ spamscore: receipt
+ taggedexternal: impersonation-protect
+ taggedmalicious: impersonation-protect
+ threatdictionary: impersonation-protect
+ usetls: delivery
+ negative:
+ acode: [avlog, url-protect, attachment-protect]
+ act: [delivery, avlog, spam, internal-email-protect, impersonation-protect, url-protect, attachment-protect, jrnl]
+ attcnt: [receipt, avlog, spam, internal-email-protect, impersonation-protect, url-protect, attachment-protect, jrnl]
+ attsize: [receipt, avlog, spam, internal-email-protect, impersonation-protect, url-protect, attachment-protect, jrnl]
+
cphr: [process,avlog, spam, internal-email-protect, impersonation-protect, url-protect, attachment-protect, jrnl] + dir: [process, avlog, spam, internal-email-protect, impersonation-protect, url-protect, attachment-protect] + fileext: [receipt, process, delivery, spam, internal-email-protect, impersonation-protect, url-protect, jrnl] + filemime: [receipt, process, delivery, spam, internal-email-protect, impersonation-protect, url-protect, jrnl] + headerfrom: [process, delivery, avlog, internal-email-protect, impersonation-protect, url-protect, attachment-protect, jrnl] + ip: [process, spam, internal-email-protect, url-protect, jrnl] + md5: [receipt, process, delivery, spam, internal-email-protect, impersonation-protect, url-protect, jrnl] + rcpt: [process, avlog, spam, internal-email-protect, impersonation-protect, url-protect, attachment-protect] + recipient: [receipt, process, delivery, jrnl] + rejcode: [process, avlog, spam, internal-email-protect, impersonation-protect, url-protect, attachment-protect, jrnl] + rejinfo: [process, avlog, spam, internal-email-protect, impersonation-protect, url-protect, attachment-protect, jrnl] + rejtype: [process, avlog, spam, internal-email-protect, impersonation-protect, url-protect, attachment-protect, jrnl] + route: [receipt, process, jrnl] + senderdomain: [receipt, process, delivery, internal-email-protect, impersonation-protect, jrnl] + sha1: [receipt, process, delivery, spam, internal-email-protect, impersonation-protect, url-protect, jrnl] + sha256: [receipt, process, delivery, spam, internal-email-protect, impersonation-protect, url-protect, jrnl] + size: [receipt, process, delivery, spam, internal-email-protect, impersonation-protect, url-protect, jrnl] + sourceip: [receipt, process, delivery, avlog, internal-email-protect, impersonation-protect, attachment-protect, jrnl] + tlsver: [process, avlog, spam, internal-email-protect, impersonation-protect, url-protect, attachment-protect, jrnl] + url: [receipt, process, 
delivery, avlog, spam, impersonation-protect, attachment-protect, jrnl] + urlcategory: [receipt, process, delivery, avlog, spam, impersonation-protect, attachment-protect, jrnl] + virus: [process, delivery, spam, internal-email-protect, impersonation-protect, url-protect, attachment-protect, jrnl] + positive: + acode: [receipt, process, delivery, spam, internal-email-protect, impersonation-protect, jrnl] + act: [receipt, process] + attcnt: [process, delivery] + attsize: [process, delivery] + cphr: [receipt, delivery] + dir: [receipt, delivery, jrnl] + fileext: [avlog, attachment-protect] + filemime: [avlog, attachment-protect] + headerfrom: [receipt, spam] + ip: [receipt, delivery, avlog, impersonation-protect, attachment-protect] + md5: [avlog, attachment-protect] + rcpt: [receipt, delivery, jrnl] + recipient: [avlog, spam, internal-email-protect, impersonation-protect, url-protect, attachment-protect] + rejcode: [receipt, delivery] + rejinfo: [receipt, delivery] + rejtype: [receipt, delivery] + route: [delivery, avlog, spam, internal-email-protect, impersonation-protect, url-protect, attachment-protect] + senderdomain: [avlog, spam, url-protect, attachment-protect] + sha1: [avlog, attachment-protect] + sha256: [avlog, attachment-protect] + size: [avlog, attachment-protect] + sourceip: [spam, url-protect] + tlsver: [receipt, delivery] + url: [internal-email-protect, url-protect] + urlcategory: [internal-email-protect, url-protect] + virus: [receipt, avlog] + candidates: + receipt: 0 + process: 0 + delivery: 0 + jrnl: 0 + avlog: 0 + spam: 0 + internal-email-protect: 0 + impersonation-protect: 0 + url-protect: 0 + attachment-protect: 0 + source: | + // Canonicalise keys to lowercase. If this causes issues in future + // because case becomes significant, this table space optimisation + // will need to be reverted. 
+ def keys = new HashSet(); + for (def k: ctx.mimecast.keySet()) { + keys.add(k.toLowerCase()); + } + for (def k: keys) { + def typ = params.definite_positive.get(k); + if (typ != null) { + // We have a definitive known log_type. + ctx.mimecast.log_type = typ; + return; + } + } + def score = params.candidates.clone(); + for (def k: keys) { + def typ = params.negative.get(k); + if (typ == null) { + continue; + } + for (String e: typ) { + score.remove(e); + } + } + if (score.size() == 1) { + // We have removed all but one of the candidates. + ctx.mimecast.log_type = score.keySet().toArray()[0]; + return; + } + // Find best remaining and list all co-equal winners. + int max = 0; + for (def k: keys) { + def typ = params.positive.get(k); + if (typ == null) { + continue; + } + for (String e: typ) { + def s = score.get(e); + if (s == null) { + continue; + } + s++; + if (s > max) { + max = s; + } + score.put(e, s); + } + } + for (def e: score.entrySet()) { + if (e.getValue() < max) { + score.remove(e.getKey()); + } + } + ctx.mimecast.log_type = score.keySet(); + + - fingerprint: + fields: + - mimecast.MsgId + - mimecast.aCode + - mimecast.datetime + - mimecast.Sender + - mimecast.Rcpt + - mimecast.Attempt + - mimecast.log_type + - mimecast.sha256 + - mimecast.url + target_field: "_id" + ignore_missing: true + + ### RECEIPT LOGS + - rename: + field: mimecast.aCode + target_field: email.local_id + ignore_missing: true + - rename: + field: mimecast.Act + target_field: event.action + ignore_missing: true + - rename: + field: mimecast.Cphr + target_field: tls.cipher + ignore_missing: true + - rename: + field: mimecast.Dir + target_field: email.direction + ignore_missing: true + - rename: + field: mimecast.Error + target_field: error.message + ignore_missing: true + - rename: + field: mimecast.IP + target_field: source.ip + ignore_missing: true + - rename: + field: mimecast.MsgId + target_field: email.message_id + ignore_missing: true + - append: + field: email.to.address + 
value: '{{{mimecast.Rcpt}}}' + allow_duplicates: false + if: ctx.mimecast?.Rcpt != null + - append: + field: email.from.address + value: '{{{mimecast.headerFrom}}}' + allow_duplicates: false + if: ctx.mimecast?.headerFrom != null + - rename: + field: mimecast.RejCode + target_field: error.code + ignore_missing: true + - rename: + field: mimecast.RejInfo + target_field: event.reason + ignore_missing: true + - rename: + field: mimecast.RejType + target_field: error.type + ignore_missing: true + - append: + field: email.from.address + value: "{{{mimecast.Sender}}}" + allow_duplicates: false + if: "ctx?.mimecast?.Sender != null" + - rename: + field: mimecast.Subject + target_field: email.subject + ignore_missing: true + - rename: + field: mimecast.TlsVer + target_field: tls.version + ignore_missing: true + + ### PROCESS LOGS + - rename: + field: mimecast.AttSize + target_field: email.attachments.file.size + ignore_missing: true + - rename: + field: mimecast.AttNames + target_field: email.attachments.file.name + ignore_missing: true + - rename: + field: mimecast.Hld + target_field: event.reason + ignore_missing: true + + ### DELIVERY LOGS + - rename: + field: mimecast.Err + target_field: error.message + ignore_missing: true + - rename: + field: mimecast.UseTls + target_field: tls.established + ignore_missing: true + - set: + field: tls.established + value: true + if: 'ctx.tls?.established instanceof String && ctx.tls.established.toLowerCase() == "yes"' + - set: + field: tls.established + value: false + if: 'ctx.tls?.established instanceof String && ctx.tls.established.toLowerCase() == "no"' + + ### AV LOGS + - rename: + field: mimecast.fileExt + target_field: email.attachments.file.extension + ignore_missing: true + - rename: + field: mimecast.fileMime + target_field: email.attachments.file.mime_type + ignore_missing: true + - rename: + field: mimecast.md5 + target_field: email.attachments.file.hash.md5 + ignore_missing: true + - append: + field: email.to.address + 
value: '{{{mimecast.Recipient}}}' + allow_duplicates: false + if: ctx.mimecast?.Recipient != null + - rename: + field: mimecast.SenderDomain + target_field: source.domain + ignore_missing: true + - rename: + field: mimecast.sha1 + target_field: email.attachments.file.hash.sha1 + ignore_missing: true + - rename: + field: mimecast.sha256 + target_field: email.attachments.file.hash.sha256 + ignore_missing: true + - rename: + field: mimecast.Size + target_field: email.attachments.file.size + ignore_missing: true + - rename: + field: mimecast.fileName + target_field: email.attachments.file.name + ignore_missing: true + + ### SPAM EVENT THREAD LOGS + - rename: + field: mimecast.SourceIP + target_field: source.ip + ignore_missing: true + + ### SIEM Email Protect Logs + - rename: + field: mimecast.URL + target_field: url.full + ignore_missing: true + + ### SIEM Impersonation logs + - rename: + field: mimecast.Action + target_field: event.action + ignore_missing: true + - rename: + field: mimecast.Definition + target_field: rule.name + ignore_missing: true + - rename: + field: mimecast.NewDomain + target_field: source.domain + ignore_missing: true + + ### SIEM TTP Url Logs + - rename: + field: mimecast.reason + target_field: event.reason + ignore_missing: true + - append: + field: email.to.address + value: '{{{mimecast.recipient}}}' + allow_duplicates: false + if: ctx.mimecast?.recipient != null + - rename: + field: mimecast.route + target_field: email.direction + ignore_missing: true + - append: + field: email.from.address + value: "{{{mimecast.sender}}}" + allow_duplicates: false + if: "ctx?.mimecast?.sender != null" + - rename: + field: mimecast.senderDomain + target_field: source.domain + ignore_missing: true + - rename: + field: mimecast.sourceIp + target_field: source.ip + ignore_missing: true + - rename: + field: mimecast.subject + target_field: email.subject + ignore_missing: true + - rename: + field: mimecast.url + target_field: url.full + ignore_missing: true + - 
rename: + field: mimecast.action + target_field: event.action + ignore_missing: true + - set: + field: event.created + value: "{{{mimecast.datetime}}}" + if: 'ctx?.mimecast?.datetime != null' + - set: + field: tls.established + value: false + if: 'ctx?.tls?.established == "No"' + - set: + field: tls.established + value: true + if: 'ctx?.tls?.established == "Yes"' + - rename: + field: mimecast.Delivered + target_field: event.outcome + ignore_missing: true + - set: + field: event.outcome + value: "success" + if: ctx?.event?.outcome == true + - set: + field: event.outcome + value: "failure" + if: ctx?.event?.outcome == false + - set: + field: event.outcome + value: "unknown" + if: ctx?.event?.outcome == null + - lowercase: + field: email.direction + ignore_missing: true + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + + # Cleanup + - remove: + description: Cleanup of repeated/unwanted/temporary fields. + field: + - mimecast.eventTime + - mimecast.Content-Disposition + - mimecast.datetime + - mimecast.headerFrom + - mimecast.log_type_part1 + - mimecast.log_type_part2 + - mimecast.log_type_parts + - mimecast.recipient + - mimecast.Rcpt + - mimecast.sender + - mimecast.Sender + ignore_missing: true + - script: + lang: painless + description: This script processor iterates over the whole document to remove fields with null values. 
+ source: |
+ void handleMap(Map map) {
+ for (def x : map.values()) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0));
+ }
+ void handleList(List list) {
+ for (def x : list) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0));
+ }
+ handleMap(ctx);
+
+# Error handling
+on_failure:
+ - set:
+ field: event.kind
+ value: pipeline_error
+ - append:
+ field: error.message
+ value: '{{{ _ingest.on_failure_message }}}'
diff --git a/packages/mimecast/data_stream/siem_logs/elasticsearch/ingest_pipeline/v2_pipeline.yml b/packages/mimecast/data_stream/siem_logs/elasticsearch/ingest_pipeline/v2_pipeline.yml
new file mode 100644
index 00000000000..269d731a9ce
--- /dev/null
+++ b/packages/mimecast/data_stream/siem_logs/elasticsearch/ingest_pipeline/v2_pipeline.yml
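Review bot: The `on_failure` handler at the end of this file records only `_ingest.on_failure_message`, while the entry pipeline in this same commit was upgraded to name the failing processor type and tag, so a failure inside this sub-pipeline lands in `error.message` with no hint of which of its dozens of processors raised it. Reusing the same folded template here, `Processor '{{{ _ingest.on_failure_processor_type }}}' {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}' {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}'`, restores consistency, and it pays off only if processors in this file are given `tag:` values, which none currently are. The two `set` processors near the end that test `tls.established` for the exact strings `"No"`/`"Yes"` are unreachable once the earlier case-insensitive pair has already turned the value into a boolean, and can be dropped. In the log-type script, the final `for (def e: score.entrySet())` loop calls `score.remove(e.getKey())` while iterating that same map; if a removal ever happens on anything but the last entry this should raise a ConcurrentModificationException, so a pipeline fixture that reaches the co-equal-winner path is worth adding to confirm one way or the other.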
@@ -0,0 +1,418 @@ +--- +description: Pipeline for processing Mimecast siem_logs from v2 API. +processors: + - date: + description: Use 'mimecast.timestamp' as the '@timestamp' + field: mimecast.timestamp + if: ctx.mimecast?.timestamp != null + timezone: UTC + formats: + - UNIX_MS + - set: + field: event.created + copy_from: '@timestamp' + if: ctx['@timestamp'] != null + + ### NOTE LOG TYPE + - script: + lang: painless + params: + 'av': 'avlog' + 'delivery': 'delivery' + 'internal email protect': 'internal-email-protect' + 'impersonation protect': 'impersonation-protect' + 'journal': 'jrnl' + 'process': 'process' + 'receipt': 'receipt' + 'attachment protect': 'attachment-protect' + 'spam': 'spam' + 'url protect': 'url-protect' + if: ctx.mimecast?.type != null + source: | + ctx.mimecast.log_type = params.get(ctx.mimecast.type); + ctx.mimecast.type = null; + + - set: + field: original + copy_from: mimecast + tag: preserve_custom_duplicate_fields + ignore_empty_value: true + if: ctx.tags?.contains('preserve_duplicate_custom_fields') == true + + - fingerprint: + fields: + - mimecast.messageId + - mimecast.processingId + - mimecast.aggregateId + - mimecast.accountId + - mimecast.timestamp + - mimecast.action + - mimecast.log_type + - mimecast.subtype + target_field: "_id" + ignore_missing: true + + ### Common + - foreach: + if: ctx.mimecast?.recipients instanceof List + field: mimecast.recipients + processor: + append: + field: email.to.address + value: '{{{_ingest._value.value}}}' + allow_duplicates: false + - append: + field: email.to.address + value: '{{{mimecast.recipients}}}' + allow_duplicates: false + if: 'ctx.mimecast?.recipients != null && !(ctx.mimecast.recipients instanceof List)' + + ### RECEIPT LOGS + - rename: + field: mimecast.action + target_field: event.action + ignore_missing: true + - rename: + field: mimecast.tlsCipher + target_field: tls.cipher + ignore_missing: true + - rename: + field: mimecast.direction + target_field: email.direction + 
ignore_missing: true + - rename: + field: mimecast.receiptErrors + target_field: error.message + ignore_missing: true + - rename: + field: mimecast.senderIp + target_field: source.ip + ignore_missing: true + - rename: + field: mimecast.messageId + target_field: email.message_id + ignore_missing: true + - append: + field: email.from.address + value: '{{{mimecast.senderHeader}}}' + allow_duplicates: false + if: ctx.mimecast?.senderHeader != null + - rename: + field: mimecast.rejectionCode + target_field: error.code + ignore_missing: true + - rename: + field: mimecast.rejectionInfo + target_field: event.reason + ignore_missing: true + - rename: + field: mimecast.rejectionType + target_field: error.type + ignore_missing: true + - append: + field: email.from.address + value: '{{{mimecast.senderEnvelope}}}' + allow_duplicates: false + if: ctx.mimecast?.senderEnvelope != null + - rename: + field: mimecast.subject + target_field: email.subject + ignore_missing: true + - rename: + field: mimecast.tlsVer + target_field: tls.version + ignore_missing: true + + ### PROCESS LOGS + - rename: + field: mimecast.totalSizeAttachments + target_field: email.attachments.file.size + ignore_missing: true + - convert: + field: email.attachments.file.size + target_field: email.attachments.file.size + type: long + ignore_missing: true + on_failure: + - remove: + field: email.attachments.file.size + - rename: + field: mimecast.attachments + target_field: email.attachments.file.name + ignore_missing: true + - rename: + field: mimecast.holdReason + target_field: event.reason + ignore_missing: true + + ### DELIVERY LOGS + - rename: + field: mimecast.destinationIp + target_field: destination.ip + ignore_missing: true + - rename: + field: mimecast.deliveryErrors + target_field: error.message + ignore_missing: true + - rename: + field: mimecast.tlsUsed + target_field: tls.established + ignore_missing: true + - set: + field: tls.established + value: true + if: ctx.tls?.established instanceof String 
&& ctx.tls.established.equalsIgnoreCase('yes') + - set: + field: tls.established + value: false + if: ctx.tls?.established instanceof String && ctx.tls.established.equalsIgnoreCase('no') + + ### AV LOGS + - rename: + field: mimecast.fileExtension + target_field: email.attachments.file.extension + ignore_missing: true + - rename: + field: mimecast.md5 + target_field: email.attachments.file.hash.md5 + ignore_missing: true + - rename: + field: mimecast.senderDomainInternal + target_field: source.domain + ignore_missing: true + - rename: + field: mimecast.sha1 + target_field: email.attachments.file.hash.sha1 + ignore_missing: true + - rename: + field: mimecast.sha256 + target_field: email.attachments.file.hash.sha256 + ignore_missing: true + - rename: + field: mimecast.fileName + target_field: email.attachments.file.name + ignore_missing: true + + ### SPAM EVENT THREAD LOGS + - rename: + field: mimecast.senderIp + target_field: source.ip + ignore_missing: true + + ### SIEM Email Protect Logs + - rename: + field: mimecast.url + target_field: url.full + ignore_missing: true + + ### SIEM Impersonation logs + - rename: + field: mimecast.action + target_field: event.action + ignore_missing: true + - rename: + field: mimecast.policyDefinition + target_field: rule.name + ignore_missing: true + - rename: + field: mimecast.newDomain + target_field: source.domain + ignore_missing: true + + ### SIEM TTP Url Logs + - rename: + field: mimecast.blockReason + target_field: event.reason + ignore_missing: true + - rename: + field: mimecast.route + target_field: email.direction + ignore_missing: true + if: ctx.email?.direction == null + - append: + field: email.from.address + value: "{{{mimecast.sender}}}" + allow_duplicates: false + if: ctx.mimecast?.sender != null + - rename: + field: mimecast.senderDomain + target_field: source.domain + ignore_missing: true + - rename: + field: mimecast.sourceIp + target_field: source.ip + ignore_missing: true + - rename: + field: mimecast.subject + 
target_field: email.subject + ignore_missing: true + - rename: + field: mimecast.url + target_field: url.full + ignore_missing: true + - rename: + field: mimecast.action + target_field: event.action + ignore_missing: true + - rename: + field: mimecast.Delivered + target_field: event.outcome + ignore_missing: true + - set: + field: event.outcome + value: "success" + if: ctx.event?.outcome == true + - set: + field: event.outcome + value: "failure" + if: ctx.event?.outcome == false + - set: + field: event.outcome + value: "unknown" + if: ctx.event?.outcome == null + - lowercase: + field: email.direction + ignore_missing: true + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + + # Handle users. 
+ - foreach:
+ tag: collect_related_users_from
+ if: ctx.email?.from?.address instanceof List
+ field: email.from.address
+ processor:
+ append:
+ field: related.user
+ value: '{{{_ingest._value}}}'
+ allow_duplicates: false
+ - foreach:
+ tag: collect_related_users_to
+ if: ctx.email?.to?.address instanceof List
+ field: email.to.address
+ processor:
+ append:
+ field: related.user
+ value: '{{{_ingest._value}}}'
+ allow_duplicates: false
+
+ # Handle hosts.
+ - append:
+ tag: collect_related_hosts
+ if: ctx.mimecast?.Hostname != null
+ field: related.hosts
+ value: '{{{mimecast.Hostname}}}'
+ allow_duplicates: false
+
+ # Handle attachment details.
+ - foreach:
+ tag: collect_attachment_file_hashes
+ if: ctx.email?.attachments?.file?.hash instanceof Map
+ field: email.attachments.file.hash
+ processor:
+ append:
+ field: related.hash
+ value: '{{{_ingest._value}}}'
+ allow_duplicates: false
+ - script:
+ tag: promote_email_attachments_to_array
+ if: ctx.email?.attachments != null
+ lang: painless
+ source: |
+ def attachments = [];
+ attachments.add(ctx.email.attachments);
+ ctx.email.attachments = attachments;
+
+ - remove:
+ tag: remove_duplicate_custom_fields
+ if: ctx.tags == null || !ctx.tags.contains('preserve_duplicate_custom_fields')
+ field:
+ - mimecast.recipients
+ - mimecast.senderEnvelope
+ ignore_missing: true
+
+ # Cleanup
+ - rename:
+ field: original
+ target_field: mimecast
+ override: true
+ ignore_missing: true
+ - remove:
+ description: Cleanup of repeated/unwanted/temporary fields.
+ field:
+ - mimecast._offset
+ - mimecast._partition
+ - mimecast.timestamp
+ ignore_missing: true
+ - script:
+ lang: painless
+ description: This script processor iterates over the whole document to remove fields with null values.
+ source: |
+ void handleMap(Map map) {
+ for (def x : map.values()) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0));
+ }
+ void handleList(List list) {
+ for (def x : list) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0));
+ }
+ handleMap(ctx);
+
+# Error handling
+on_failure:
+ - set:
+ field: event.kind
+ value: pipeline_error
+ - append:
+ field: error.message
+ value: '{{{ _ingest.on_failure_message }}}'
diff --git a/packages/mimecast/data_stream/siem_logs/fields/field.yml b/packages/mimecast/data_stream/siem_logs/fields/field.yml
index f1df23f755f..762d9883286
--- a/packages/mimecast/data_stream/siem_logs/fields/field.yml
+++ b/packages/mimecast/data_stream/siem_logs/fields/field.yml
@@ -1,6 +1,7 @@
- name: mimecast
type: group
fields:
+ # v1 API https://integrations.mimecast.com/documentation/tutorials/understanding-siem-logs/
### Receipt logs
- name: acc
type: keyword
@@ -51,7 +52,8 @@
- name: AttNames
type: keyword
description: The filenames of all attachments on the email.
- ### Delivery logs
+
+ ### Delivery logs
- name: Attempt
type: long
description: The count of attempts that the Mimecast MTA has made to deliver the email.
@@ -67,7 +69,8 @@
- name: Snt
type: long
description: The amount of data in bytes that were delivered.
- ### AV Logs
+
+ ### AV Logs
- name: CustomerIP
type: keyword
description: The source IP is one of the accounts authorised IPs or one of the authorised IPs belonging to an Umbrella Account, if the Account uses an Umbrella Account.
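Review bot: The receipt-stage rename in this file moves `mimecast.tlsVer` into `tls.version`, but the v2 field definitions added by the same commit declare the incoming field as `mimecast.tlsVersion`; if the API emits the latter spelling, as that field list suggests, `tls.version` is never populated and the raw value is left unmapped under `mimecast.*`. Changing the rename to `field: mimecast.tlsVersion` (or keeping both renames if the two spellings genuinely coexist) and adding a pipeline fixture that carries a TLS version would pin this down. The `foreach` over `mimecast.recipients` renders `{{{_ingest._value.value}}}`, which yields an empty string for any element that is a plain string rather than an object with a `value` key, and that empty string is then silently stripped by the null-removal script; an `instanceof Map` guard on the element, or at least a comment stating the expected element shape, would make the assumption explicit. As in the v1 sub-pipeline, the `on_failure` block here omits the processor type and tag that `default.yml` now reports, so failures raised inside this file are hard to attribute; reusing the same folded template would fix that.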
@@ -80,21 +83,24 @@ - name: Recipient type: keyword description: The recipient of the original message. - ### Spam Event Thread Logs + + ### Spam Event Thread Logs - name: ScanResultInfo type: keyword description: The reason that the click was blocked. - ### Siem Email Protect Logs + + ### Siem Email Protect Logs - name: UrlCategory type: keyword description: The category of the URL that was clicked. - ### Siem Impersonation Logs + + ### Siem Impersonation Logs - name: CustomName type: keyword description: The message has matched a custom name. - name: CustomThreatDictionary type: keyword - description: The content of the email was detected to contain words in a custom threat dictionary. + description: The content of the email was detected to contain words in a custom threat dictionary. - name: Hits type: keyword description: Number of items flagged for the message. @@ -121,15 +127,17 @@ description: The message has been tagged as malicious. - name: ThreatDictionary type: keyword - description: The content of the email was detected to contain words in the Mimecast threat dictionary. - ### SIEM TTP Url Protect Logs + description: The content of the email was detected to contain words in the Mimecast threat dictionary. + + ### SIEM TTP Url Protect Logs - name: urlCategory type: keyword description: The category of the URL that was clicked. - name: credentialTheft type: keyword description: The info about credential theft. - ### SIEM Journal Logs + + ### SIEM Journal Logs - name: RcptHdrType type: keyword description: Type of the receipt header. 
@@ -142,3 +150,320 @@ - name: msgid type: keyword description: The internet message id of the email. + + # v2 API https://developer.services.mimecast.com/siem-tutorial-cg + ### Undocumented + - name: deliveryAttempts + type: keyword + - name: subtype + type: keyword + - name: Hostname + type: keyword + + ### Common fields + - name: processingId + type: keyword + description: >- + Unique identifier that allows you to correlate/group related events. + - name: aggregateId + type: keyword + description: >- + Unique identifier that allows you to correlate/group related events. + - name: messageId + type: keyword + description: >- + The internet message id of the email. + - name: timestamp + type: keyword + description: >- + The date and time of event. + - name: accountId + type: keyword + description: >- + The Mimecast account code for your account + - name: action + type: keyword + description: >- + The action taken at the receipt stage. Receipt logs:(Rej; Acc; Ign; Bnc), Process logs:(Acc; Hld; Bnc; Sdbx; Rty), Impersonation Protect logs:(None; Hold), URL Protect logs:(Block). + + ### Email fields + - name: subject + type: keyword + description: >- + The subject of the email. + - name: senderEnvelope + type: keyword + description: >- + The sender of the email. + - name: senderDomain + type: keyword + description: >- + The sender domain. + - name: senderIp + type: keyword + description: >- + The source IP of the original message or sending mail server. + - name: senderHeader + type: keyword + description: >- + Sender address found in the from header of the email. + - name: recipients + type: keyword + description: >- + The recipient of the email. + - name: emailSize + type: keyword + description: >- + The amount of data in bytes that were delivered. + - name: direction + type: keyword + description: >- + The direction of the email based on the sending and receiving domains. 
(Inbound; Outbound; Internal; External) + - name: numberAttachments + type: keyword + description: >- + The number of attachments on the email. + - name: totalSizeAttachments + type: keyword + description: >- + The total size of all attachments on the email. + - name: rejectionCode + type: keyword + description: >- + The rejection code, for messages rejected by the receiving mail server. + - name: rejectionType + type: keyword + description: >- + The rejection type, for messages rejected by the receiving mail server. + - name: route + type: keyword + description: >- + The route of the message. (Inbound; Outbound; Internal; External) + + ### TLS fields + - name: tlsVersion + type: keyword + description: >- + The TLS version used if the email was delivered or received using TLS. + - name: tlsCipher + type: keyword + description: >- + The TLS Cipher used if the email was delivered or received using TLS. + + ### File fields + - name: fileName + type: keyword + description: >- + The name of file. + - name: fileExtension + type: keyword + description: >- + The file extension. + + ### Hash fields + - name: md5 + type: keyword + description: >- + MD5 Hash. + - name: sha1 + type: keyword + description: >- + SHA1 hash. + - name: sha256 + type: keyword + description: >- + SHA256 hash. + + ### Virus fields + - name: virusFound + type: keyword + description: >- + The name or signature of the virus found on the email, if applicable. + + ### Receipt logs + - name: rejectionInfo + type: keyword + description: >- + The rejection information if the email was rejected at the receipt stage. + - name: spamInfo + type: keyword + description: >- + Information from Mimecast Spam scanners for messages found to be Spam. + - name: spamProcessingDetail + type: keyword + description: >- + The Spam processing details for DKIM, SPF, DMARC + - name: spamScore + type: keyword + description: >- + The metric that measures the likelihood of the event being considered spam. 
+ - name: spamDetectionLevel + type: keyword + description: >- + The detection level defined for the given sender and recipient. + - name: receiptErrors + type: keyword + description: >- + Information about any errors that occurred during receipt. + + ### Process logs + - name: attachments + type: keyword + description: >- + The filenames of all attachments on the email + - name: holdReason + type: keyword + description: >- + The reason the email was held for review (quarantined), if applicable. (Spm; Att; RcptLimit; Exp; Imp; Sbx; Oth; Url; Ctnt; Dpp; RBL; (absent)) + - name: ipUserName + type: keyword + description: >- + For emails subject to Targeted Threat Protection: Impersonation Protect, if the email was detected to be from an internal user name. + - name: ipNewDomain + type: keyword + description: >- + For emails subject to Targeted Threat Protection: Impersonation Protect, if the email was detected to be from a new domain. + - name: ipReplyMismatch + type: keyword + description: >- + For emails subject to Targeted Threat Protection: Impersonation Protect, if the email was detetced to have a mismatch in the reply to address. + - name: ipSimilarDomain + type: keyword + description: >- + For emails subject to Targeted Threat Protection: Impersonation Protect, if the email was detetced to be from a similar domain to any domain you have registered as an Internal Domain. + - name: ipThreatDictionary + type: keyword + description: >- + For emails subject to Targeted Threat Protection: Impersonation Protect, if the content of the email was detected to contain words in the Mimecast threat dictionary. + + ### Delivery logs + - name: delivery + type: keyword + description: >- + Attempts The count of attempts that the Mimecast MTA has made to deliver the email. + - name: delivered + type: keyword + description: >- + * If the email was delivered successfully or not. 
False; True + - name: deliveryErrors + type: keyword + description: >- + Information about any errors that occurred on the delivery attempt. + - name: destinationIp + type: keyword + description: >- + The destination IP address for the delivery attempt. + - name: deliveryTime + type: keyword + description: >- + The time in milliseconds that the delivery attempt took. + - name: tlsUsed + type: keyword + description: >- + If the message was delivered using TLS or not. (Yes; No) + + ### AV logs + - name: senderDomainInternal + type: keyword + description: >- + The sender domain is a registered internal domain. + - name: customerIp + type: keyword + description: >- + The source IP is one of the accounts authorised IPs or one of the authorised IPs belonging to an Umbrella Account, if the Account uses an Umbrella Account. + + ### Internal Email Protect logs + - name: scanResults + type: keyword + description: >- + The reason that the click was blocked. + - name: similarDomain + type: keyword + description: >- + The domain is similar to a registered domain. + - name: monitoredDomainSource + type: keyword + description: >- + the source of the URL match based on Mimecast's heuristic scanning techniques + + ### Impersonation Protect logs + - name: policyDefinition + type: keyword + description: >- + The definition of policy triggered. + - name: itemsDetected + type: keyword + description: >- + Number of items flagged for the message. + - name: internalUserName + type: keyword + description: >- + The email was detected to be from an internal user name. (Hit; No Hit) + - name: customNameMatch + type: keyword + description: >- + The message has matched a custom name. True; False + - name: similarInternalDomain + type: keyword + description: >- + The senders domain is similar to a registered internal domain. (True; False) + - name: similarCustomExternalDomain + type: keyword + description: >- + The senders domain is similar to a custom external domain list. 
(True; False) + - name: similarMimecastExternalDomain + type: keyword + description: >- + The senders domain is similar to a Mimecast managed list of domains. (True; False) + - name: newDomain + type: keyword + description: >- + The email was detected to be from a new domain (True; False) + - name: replyMismatch + type: keyword + description: >- + The reply address does not correspond to the senders address. (True; False) + - name: mimecastThreatDictionary + type: keyword + description: >- + The content of the email was detected to contain words in the Mimecast threat dictionary. (True; False) + - name: customThreatDictionary + type: keyword + description: >- + The content of the email was detected to contain words in the client custom threat dictionary. (True; False) + - name: taggedMalicious + type: keyword + description: >- + The message has been tagged as malicious. (True; False) + - name: taggedExternal + type: keyword + description: >- + The message has been tagged as originating from a external source. (True; False) + + ### URL Protect logs (Blocked events only) + - name: url + type: keyword + description: >- + URL Clicked + - name: sourceIp + type: keyword + description: >- + The source IP of the original message. + - name: blockReason + type: keyword + description: >- + The reason click was blocked. (Unknown; File Detected; Clean; Malicious; Suspicious) + - name: analysis + type: keyword + description: >- + The senders domain is similar to a custom external domain list. + - name: similarMimecastExternalDomainResults + type: keyword + description: >- + Advanced phishing detection results from scanners + + ### Attachment Protect logs + - name: sizeAttachment + type: keyword + description: >- + The size (in bytes) of the malicious file. diff --git a/packages/mimecast/data_stream/siem_logs/manifest.yml b/packages/mimecast/data_stream/siem_logs/manifest.yml index 50b1c8be34a..3fbb57f467f 100644 --- a/packages/mimecast/data_stream/siem_logs/manifest.yml 
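Review bot: Several of the new v2 field descriptions in this hunk look like copy errors: `delivery` is described as `Attempts The count of attempts that the Mimecast MTA has made to deliver the email.`, which reads as the text meant for `deliveryAttempts` (listed under `### Undocumented` with no description at all), `delivered` begins with a stray `* `, and `analysis` repeats the `similarCustomExternalDomain` sentence instead of describing the analysis result. The three `### Undocumented` fields (`deliveryAttempts`, `subtype`, `Hostname`) render as empty cells in the generated README table, so a one-line description each, even `Undocumented by the vendor; observed in v2 events.`, would help anyone building detections on them, and `ipReplyMismatch`/`ipSimilarDomain` carry the `detetced` typo inherited from the v1 text. Separately, numeric and address fields such as `emailSize`, `deliveryTime`, `spamScore`, `senderIp` and `destinationIp` are declared `type: keyword`; if the pipeline does not also copy them to typed ECS fields, range and CIDR queries on them will not work, though keeping them as keyword may be deliberate since the API appears to return them as strings.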
+++ b/packages/mimecast/data_stream/siem_logs/manifest.yml 
@@ -48,3 +48,84 @@ streams:
show_user: false
description: >-
Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+ - input: cel
+ template_path: cel.yml.hbs
+ title: SIEM logs
+ enabled: false
+ description: Collect SIEM Logs
+ vars:
+ - name: interval
+ type: text
+ title: Interval
+ description: Duration between requests to the API. Supported units for this parameter are h/m/s.
+ multi: false
+ required: true
+ show_user: false
+ default: 5m
+ - name: initial_interval
+ type: text
+ title: Initial Interval
+ multi: false
+ required: true
+ show_user: false
+ description: Initial interval for the first API call. Defaults to 24 hours. Supported units for this parameter are h/m/s.
+ default: 24h
+ - name: types
+ type: text
+ title: Log Types
+ description: Log types to collect.
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - "av"
+ - "delivery"
+ - "internal email protect"
+ - "impersonation protect"
+ - "journal"
+ - "process"
+ - "receipt"
+ - "attachment protect"
+ - "spam"
+ - "url protect"
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - mimecast-siem-logs
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: preserve_duplicate_custom_fields
+ required: false
+ show_user: false
+ title: Preserve duplicate custom fields
+ description: Preserve mimecast SIEM logs fields that were copied to Elastic Common Schema (ECS) fields.
+ type: bool
+ multi: false
+ - name: enable_request_tracer
+ type: bool
+ title: Enable request tracing
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) for details.
+
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/mimecast/data_stream/siem_logs/sample_event.json b/packages/mimecast/data_stream/siem_logs/sample_event.json
index f9c42d2e049..3e1c8d6f8ba 100644
--- a/packages/mimecast/data_stream/siem_logs/sample_event.json
+++ b/packages/mimecast/data_stream/siem_logs/sample_event.json
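Review bot: `preserve_duplicate_custom_fields` is declared `type: bool` without a `default`, whereas `preserve_original_event` directly above sets `default: false`; adding `default: false` keeps the two boolean toggles consistent and stops the rendered cel config from depending on the template guarding an unset value. The `initial_interval` description restates the default (`Defaults to 24 hours.`) that Fleet already shows from `default: 24h`, so the two will drift if one is changed without the other. The `types` default quotes every entry while the `tags` default leaves them bare; either style is valid, but one should be used within the file.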
@@ -1,59 +1,83 @@ { - "@timestamp": "2021-11-12T12:15:46.000Z", + "@timestamp": "2024-11-12T18:52:07.130Z", "agent": { - "ephemeral_id": "9e414d8d-fe0d-4db1-a95f-aed984c0eef9", - "id": "a26821e0-e36a-4513-a137-0df112893aba", - "name": "docker-fleet-agent", + "ephemeral_id": "3d21ae78-86cd-4666-84a7-c6309a29e2e5", + "id": "260b2d28-beb4-4e1e-83aa-9fd450347db8", + "name": "elastic-agent-64770", "type": "filebeat", - "version": "8.12.1" + "version": "8.15.0" }, "data_stream": { "dataset": "mimecast.siem_logs", - "namespace": "ep", + "namespace": "18433", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "a26821e0-e36a-4513-a137-0df112893aba", + "id": "260b2d28-beb4-4e1e-83aa-9fd450347db8", "snapshot": false, - "version": "8.12.1" + "version": "8.15.0" }, "email": { - "direction": "internal", + "direction": "outbound", "from": { "address": [ - "johndoe@example.com" + "chris.germany@demo-int.elastic.mime-api.com" ] }, - "local_id": "fjihpfEgM_iRwemxhe3t_w", + "message_id": "<23b9843f48f8d349-99325@hapi.b41.one>", + "subject": "Out of office", "to": { "address": [ - "o365_service_account@example.com" + "dkinney@pacific-concept.b41.one" ] } }, "event": { + "action": "Acc", "agent_id_status": "verified", - "created": "2021-11-12T12:15:46+0000", + "category": [ + "email" + ], + "created": "2024-11-12T18:52:07.130Z", "dataset": "mimecast.siem_logs", - "ingested": "2024-04-07T21:50:35Z", - "original": "{\"Content-Disposition\":\"attachment; filename=\\\"jrnl_20211018093329655.json\\\"\",\"Dir\":\"Internal\",\"Rcpt\":\"o365_service_account@example.com\",\"RcptActType\":\"Jnl\",\"RcptHdrType\":\"Unknown\",\"Sender\":\"johndoe@example.com\",\"aCode\":\"fjihpfEgM_iRwemxhe3t_w\",\"acc\":\"ABC123\",\"datetime\":\"2021-11-12T12:15:46+0000\"}", + "ingested": "2024-12-08T21:06:17Z", + "original": 
"{\"_offset\":70595,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"action\":\"Acc\",\"aggregateId\":\"q1h3LjgrN46b12GlX0By9Q_1731437523\",\"direction\":\"Outbound\",\"messageId\":\"\\u003c23b9843f48f8d349-99325@hapi.b41.one\\u003e\",\"numberAttachments\":\"0\",\"processingId\":\"X7OQopo8177ryv7KXWXxytbksk3qv0Ct8NSYWcQkhJM_1731437523\",\"receiptErrors\":null,\"recipients\":\"dkinney@pacific-concept.b41.one\",\"rejectionCode\":null,\"rejectionInfo\":null,\"rejectionType\":null,\"senderEnvelope\":\"chris.germany@demo-int.elastic.mime-api.com\",\"senderHeader\":\"chris.germany@demo-int.elastic.mime-api.com\",\"senderIp\":\"54.236.186.184\",\"spamDetectionLevel\":\"28\",\"spamInfo\":\"[]\",\"spamProcessingDetail\":null,\"spamScore\":\"0\",\"subject\":\"Out of office\",\"subtype\":\"Acc\",\"timestamp\":1731437527130,\"tlsCipher\":\"TLS_AES_256_GCM_SHA384\",\"tlsVersion\":\"TLSv1.3\",\"type\":\"receipt\",\"virusFound\":null}", "outcome": "unknown" }, "input": { - "type": "httpjson" + "type": "cel" }, "mimecast": { - "RcptActType": "Jnl", - "RcptHdrType": "Unknown", - "acc": "ABC123", - "log_type": "jrnl" + "accountId": "CUSB4A274", + "aggregateId": "q1h3LjgrN46b12GlX0By9Q_1731437523", + "log_type": "receipt", + "numberAttachments": "0", + "processingId": "X7OQopo8177ryv7KXWXxytbksk3qv0Ct8NSYWcQkhJM_1731437523", + "senderHeader": "chris.germany@demo-int.elastic.mime-api.com", + "spamDetectionLevel": "28", + "spamInfo": "[]", + "spamScore": "0", + "subtype": "Acc", + "tlsVersion": "TLSv1.3" + }, + "related": { + "user": [ + "chris.germany@demo-int.elastic.mime-api.com", + "dkinney@pacific-concept.b41.one" + ] + }, + "source": { + "ip": "54.236.186.184" }, "tags": [ "preserve_original_event", "forwarded", "mimecast-siem-logs" - ] + ], + "tls": { + "cipher": "TLS_AES_256_GCM_SHA384" + } } \ No newline at end of file diff --git a/packages/mimecast/docs/README.md b/packages/mimecast/docs/README.md index 9d0583f3db8..8d2949502ab 100644 --- a/packages/mimecast/docs/README.md 
+++ b/packages/mimecast/docs/README.md 
@@ -560,63 +560,87 @@ An example event for `siem` looks as following: ```json { - "@timestamp": "2021-11-12T12:15:46.000Z", + "@timestamp": "2024-11-12T18:52:07.130Z", "agent": { - "ephemeral_id": "9e414d8d-fe0d-4db1-a95f-aed984c0eef9", - "id": "a26821e0-e36a-4513-a137-0df112893aba", - "name": "docker-fleet-agent", + "ephemeral_id": "3d21ae78-86cd-4666-84a7-c6309a29e2e5", + "id": "260b2d28-beb4-4e1e-83aa-9fd450347db8", + "name": "elastic-agent-64770", "type": "filebeat", - "version": "8.12.1" + "version": "8.15.0" }, "data_stream": { "dataset": "mimecast.siem_logs", - "namespace": "ep", + "namespace": "18433", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "a26821e0-e36a-4513-a137-0df112893aba", + "id": "260b2d28-beb4-4e1e-83aa-9fd450347db8", "snapshot": false, - "version": "8.12.1" + "version": "8.15.0" }, "email": { - "direction": "internal", + "direction": "outbound", "from": { "address": [ - "johndoe@example.com" + "chris.germany@demo-int.elastic.mime-api.com" ] }, - "local_id": "fjihpfEgM_iRwemxhe3t_w", + "message_id": "<23b9843f48f8d349-99325@hapi.b41.one>", + "subject": "Out of office", "to": { "address": [ - "o365_service_account@example.com" + "dkinney@pacific-concept.b41.one" ] } }, "event": { + "action": "Acc", "agent_id_status": "verified", - "created": "2021-11-12T12:15:46+0000", + "category": [ + "email" + ], + "created": "2024-11-12T18:52:07.130Z", "dataset": "mimecast.siem_logs", - "ingested": "2024-04-07T21:50:35Z", - "original": "{\"Content-Disposition\":\"attachment; filename=\\\"jrnl_20211018093329655.json\\\"\",\"Dir\":\"Internal\",\"Rcpt\":\"o365_service_account@example.com\",\"RcptActType\":\"Jnl\",\"RcptHdrType\":\"Unknown\",\"Sender\":\"johndoe@example.com\",\"aCode\":\"fjihpfEgM_iRwemxhe3t_w\",\"acc\":\"ABC123\",\"datetime\":\"2021-11-12T12:15:46+0000\"}", + "ingested": "2024-12-08T21:06:17Z", + "original": 
"{\"_offset\":70595,\"_partition\":60,\"accountId\":\"CUSB4A274\",\"action\":\"Acc\",\"aggregateId\":\"q1h3LjgrN46b12GlX0By9Q_1731437523\",\"direction\":\"Outbound\",\"messageId\":\"\\u003c23b9843f48f8d349-99325@hapi.b41.one\\u003e\",\"numberAttachments\":\"0\",\"processingId\":\"X7OQopo8177ryv7KXWXxytbksk3qv0Ct8NSYWcQkhJM_1731437523\",\"receiptErrors\":null,\"recipients\":\"dkinney@pacific-concept.b41.one\",\"rejectionCode\":null,\"rejectionInfo\":null,\"rejectionType\":null,\"senderEnvelope\":\"chris.germany@demo-int.elastic.mime-api.com\",\"senderHeader\":\"chris.germany@demo-int.elastic.mime-api.com\",\"senderIp\":\"54.236.186.184\",\"spamDetectionLevel\":\"28\",\"spamInfo\":\"[]\",\"spamProcessingDetail\":null,\"spamScore\":\"0\",\"subject\":\"Out of office\",\"subtype\":\"Acc\",\"timestamp\":1731437527130,\"tlsCipher\":\"TLS_AES_256_GCM_SHA384\",\"tlsVersion\":\"TLSv1.3\",\"type\":\"receipt\",\"virusFound\":null}", "outcome": "unknown" }, "input": { - "type": "httpjson" + "type": "cel" }, "mimecast": { - "RcptActType": "Jnl", - "RcptHdrType": "Unknown", - "acc": "ABC123", - "log_type": "jrnl" + "accountId": "CUSB4A274", + "aggregateId": "q1h3LjgrN46b12GlX0By9Q_1731437523", + "log_type": "receipt", + "numberAttachments": "0", + "processingId": "X7OQopo8177ryv7KXWXxytbksk3qv0Ct8NSYWcQkhJM_1731437523", + "senderHeader": "chris.germany@demo-int.elastic.mime-api.com", + "spamDetectionLevel": "28", + "spamInfo": "[]", + "spamScore": "0", + "subtype": "Acc", + "tlsVersion": "TLSv1.3" + }, + "related": { + "user": [ + "chris.germany@demo-int.elastic.mime-api.com", + "dkinney@pacific-concept.b41.one" + ] + }, + "source": { + "ip": "54.236.186.184" }, "tags": [ "preserve_original_event", "forwarded", "mimecast-siem-logs" - ] + ], + "tls": { + "cipher": "TLS_AES_256_GCM_SHA384" + } } ``` 
@@ -640,9 +664,10 @@ An example event for `siem` looks as following: | mimecast.AttNames | The filenames of all attachments on the email. | keyword | | mimecast.Attempt | The count of attempts that the Mimecast MTA has made to deliver the email. | long | | mimecast.CustomName | The message has matched a custom name. | keyword | -| mimecast.CustomThreatDictionary | The content of the email was detected to contain words in a custom threat dictionary. | keyword | +| mimecast.CustomThreatDictionary | The content of the email was detected to contain words in a custom threat dictionary. | keyword | | mimecast.CustomerIP | The source IP is one of the accounts authorised IPs or one of the authorised IPs belonging to an Umbrella Account, if the Account uses an Umbrella Account. | keyword | | mimecast.Hits | Number of items flagged for the message. | keyword | +| mimecast.Hostname | | keyword | | mimecast.IPInternalName | For emails subject to Targeted Threat Protection - Impersonation Protect, if the email was detected to be from an internal user name. | keyword | | mimecast.IPNewDomain | For emails subject to Targeted Threat Protection - Impersonation Protect, if the email was detected to be from a new domain. | keyword | | mimecast.IPReplyMismatch | For emails subject to Targeted Threat Protection - Impersonation Protect, if the email was detetced to have a mismatch in the reply to address. | keyword | 
@@ -672,14 +697,86 @@ An example event for `siem` looks as following: | mimecast.Subject | The subject of the email, limited to 150 characters. | keyword | | mimecast.TaggedExternal | The message has been tagged as originating from a external source. | keyword | | mimecast.TaggedMalicious | The message has been tagged as malicious. | keyword | -| mimecast.ThreatDictionary | The content of the email was detected to contain words in the Mimecast threat dictionary. | keyword | +| mimecast.ThreatDictionary | The content of the email was detected to contain words in the Mimecast threat dictionary. | keyword | | mimecast.UrlCategory | The category of the URL that was clicked. | keyword | | mimecast.Virus | The name of the virus found on the email, if applicable. | keyword | | mimecast.acc | The Mimecast account code for your account. | keyword | +| mimecast.accountId | The Mimecast account code for your account | keyword | +| mimecast.action | The action taken at the receipt stage. Receipt logs:(Rej; Acc; Ign; Bnc), Process logs:(Acc; Hld; Bnc; Sdbx; Rty), Impersonation Protect logs:(None; Hold), URL Protect logs:(Block). | keyword | +| mimecast.aggregateId | Unique identifier that allows you to correlate/group related events. | keyword | +| mimecast.analysis | The senders domain is similar to a custom external domain list. | keyword | +| mimecast.attachments | The filenames of all attachments on the email | keyword | +| mimecast.blockReason | The reason click was blocked. (Unknown; File Detected; Clean; Malicious; Suspicious) | keyword | | mimecast.credentialTheft | The info about credential theft. | keyword | +| mimecast.customNameMatch | The message has matched a custom name. True; False | keyword | +| mimecast.customThreatDictionary | The content of the email was detected to contain words in the client custom threat dictionary. 
(True; False) | keyword | +| mimecast.customerIp | The source IP is one of the accounts authorised IPs or one of the authorised IPs belonging to an Umbrella Account, if the Account uses an Umbrella Account. | keyword | +| mimecast.delivered | \* If the email was delivered successfully or not. False; True | keyword | +| mimecast.delivery | Attempts The count of attempts that the Mimecast MTA has made to deliver the email. | keyword | +| mimecast.deliveryAttempts | | keyword | +| mimecast.deliveryErrors | Information about any errors that occurred on the delivery attempt. | keyword | +| mimecast.deliveryTime | The time in milliseconds that the delivery attempt took. | keyword | +| mimecast.destinationIp | The destination IP address for the delivery attempt. | keyword | +| mimecast.direction | The direction of the email based on the sending and receiving domains. (Inbound; Outbound; Internal; External) | keyword | +| mimecast.emailSize | The amount of data in bytes that were delivered. | keyword | +| mimecast.fileExtension | The file extension. | keyword | +| mimecast.fileName | The name of file. | keyword | +| mimecast.holdReason | The reason the email was held for review (quarantined), if applicable. (Spm; Att; RcptLimit; Exp; Imp; Sbx; Oth; Url; Ctnt; Dpp; RBL; (absent)) | keyword | +| mimecast.internalUserName | The email was detected to be from an internal user name. (Hit; No Hit) | keyword | +| mimecast.ipNewDomain | For emails subject to Targeted Threat Protection: Impersonation Protect, if the email was detected to be from a new domain. | keyword | +| mimecast.ipReplyMismatch | For emails subject to Targeted Threat Protection: Impersonation Protect, if the email was detetced to have a mismatch in the reply to address. | keyword | +| mimecast.ipSimilarDomain | For emails subject to Targeted Threat Protection: Impersonation Protect, if the email was detetced to be from a similar domain to any domain you have registered as an Internal Domain. 
| keyword | +| mimecast.ipThreatDictionary | For emails subject to Targeted Threat Protection: Impersonation Protect, if the content of the email was detected to contain words in the Mimecast threat dictionary. | keyword | +| mimecast.ipUserName | For emails subject to Targeted Threat Protection: Impersonation Protect, if the email was detected to be from an internal user name. | keyword | +| mimecast.itemsDetected | Number of items flagged for the message. | keyword | | mimecast.log_type | String to get type of SIEM log. | keyword | +| mimecast.md5 | MD5 Hash. | keyword | +| mimecast.messageId | The internet message id of the email. | keyword | +| mimecast.mimecastThreatDictionary | The content of the email was detected to contain words in the Mimecast threat dictionary. (True; False) | keyword | +| mimecast.monitoredDomainSource | the source of the URL match based on Mimecast's heuristic scanning techniques | keyword | | mimecast.msgid | The internet message id of the email. | keyword | +| mimecast.newDomain | The email was detected to be from a new domain (True; False) | keyword | +| mimecast.numberAttachments | The number of attachments on the email. | keyword | +| mimecast.policyDefinition | The definition of policy triggered. | keyword | +| mimecast.processingId | Unique identifier that allows you to correlate/group related events. | keyword | +| mimecast.receiptErrors | Information about any errors that occurred during receipt. | keyword | +| mimecast.recipients | The recipient of the email. | keyword | +| mimecast.rejectionCode | The rejection code, for messages rejected by the receiving mail server. | keyword | +| mimecast.rejectionInfo | The rejection information if the email was rejected at the receipt stage. | keyword | +| mimecast.rejectionType | The rejection type, for messages rejected by the receiving mail server. | keyword | +| mimecast.replyMismatch | The reply address does not correspond to the senders address. 
(True; False) | keyword | +| mimecast.route | The route of the message. (Inbound; Outbound; Internal; External) | keyword | +| mimecast.scanResults | The reason that the click was blocked. | keyword | +| mimecast.senderDomain | The sender domain. | keyword | +| mimecast.senderDomainInternal | The sender domain is a registered internal domain. | keyword | +| mimecast.senderEnvelope | The sender of the email. | keyword | +| mimecast.senderHeader | Sender address found in the from header of the email. | keyword | +| mimecast.senderIp | The source IP of the original message or sending mail server. | keyword | +| mimecast.sha1 | SHA1 hash. | keyword | +| mimecast.sha256 | SHA256 hash. | keyword | +| mimecast.similarCustomExternalDomain | The senders domain is similar to a custom external domain list. (True; False) | keyword | +| mimecast.similarDomain | The domain is similar to a registered domain. | keyword | +| mimecast.similarInternalDomain | The senders domain is similar to a registered internal domain. (True; False) | keyword | +| mimecast.similarMimecastExternalDomain | The senders domain is similar to a Mimecast managed list of domains. (True; False) | keyword | +| mimecast.similarMimecastExternalDomainResults | Advanced phishing detection results from scanners | keyword | +| mimecast.sizeAttachment | The size (in bytes) of the malicious file. | keyword | +| mimecast.sourceIp | The source IP of the original message. | keyword | +| mimecast.spamDetectionLevel | The detection level defined for the given sender and recipient. | keyword | +| mimecast.spamInfo | Information from Mimecast Spam scanners for messages found to be Spam. | keyword | +| mimecast.spamProcessingDetail | The Spam processing details for DKIM, SPF, DMARC | keyword | +| mimecast.spamScore | The metric that measures the likelihood of the event being considered spam. | keyword | +| mimecast.subject | The subject of the email. 
| keyword |
+| mimecast.subtype | | keyword |
+| mimecast.taggedExternal | The message has been tagged as originating from a external source. (True; False) | keyword |
+| mimecast.taggedMalicious | The message has been tagged as malicious. (True; False) | keyword |
+| mimecast.timestamp | The date and time of event. | keyword |
+| mimecast.tlsCipher | The TLS Cipher used if the email was delivered or received using TLS. | keyword |
+| mimecast.tlsUsed | If the message was delivered using TLS or not. (Yes; No) | keyword |
+| mimecast.tlsVersion | The TLS version used if the email was delivered or received using TLS. | keyword |
+| mimecast.totalSizeAttachments | The total size of all attachments on the email. | keyword |
+| mimecast.url | URL Clicked | keyword |
| mimecast.urlCategory | The category of the URL that was clicked. | keyword |
+| mimecast.virusFound | The name or signature of the virus found on the email, if applicable. | keyword |
### Threat Intel Feed Malware: Customer
diff --git a/packages/mimecast/manifest.yml b/packages/mimecast/manifest.yml
index 799ad0dcc53..96ce8fc790e 100644
--- a/packages/mimecast/manifest.yml
+++ b/packages/mimecast/manifest.yml
@@ -1,13 +1,13 @@
format_version: "3.0.2"
name: mimecast
title: "Mimecast"
-version: "2.0.0"
+version: "2.1.0"
description: Collect logs from Mimecast with Elastic Agent.
type: integration
categories: ["security", "email_security"]
conditions:
kibana:
- version: "^8.14.0"
+ version: "^8.15.0"
screenshots:
- src: /img/mimecast.png
title: Sample screenshot