Details
| ID | ModelingAbnormalSecurityEventCollector |
|---|---|
| From Version | 3.3.0 |
| To Version | 6.9.9 |
Rules (XIF)
[MODEL: model="Email", dataset="abnormal_security_email_protection_raw"]
alter XDM.Email.event_timestamp = sentTime,
XDM.Email.attachment.filename = attachmentNames,
XDM.Email.cc = arraycreate(ccEmails),
XDM.Email.delivery_timestamp = receivedTime,
XDM.Email.original_event_description = summaryInsights,
XDM.Email.recipients = arraycreate(toAddresses),
XDM.Email.return_path = returnPath,
XDM.Email.sender = fromAddress,
XDM.Email.Server.host.ipv4_addresses = arraycreate(senderIpAddress),
XDM.Email.subject = subject,
XDM.Email.threat.category = attackType,
XDM.Email.threat.name = attackStrategy,
XDM.Email.threat.original_alert_id = to_string(abxMessageId),
XDM.Email.threat.original_threat_id = threatId,
XDM.Email.threat.subcategory = attackVector,
XDM.Email.Observer.vendor = _vendor,
XDM.Email.Observer.product = _product,
XDM.Email.Client.user.user_type = attackedParty,
XDM.Email.original_event_id = internetMessageId,
XDM.Email.threat.description = summaryInsights;
Schema
abnormal_security_email_protection_raw
| Field | Type | Array? |
|---|---|---|
_product |
string | — |
_vendor |
string | — |
abxMessageId |
int | — |
attachmentNames |
string | — |
attackStrategy |
string | — |
attackType |
string | — |
attackVector |
string | — |
attackedParty |
string | — |
ccEmails |
string | Yes |
fromAddress |
string | — |
internetMessageId |
string | — |
receivedTime |
string | — |
returnPath |
string | — |
senderIpAddress |
string | — |
sentTime |
string | — |
subject |
string | — |
summaryInsights |
string | — |
threatId, |
string | — |
toAddresses |
string | — |
Raw JSON
{ "abnormal_security_email_protection_raw": { "sentTime": { "type": "string", "is_array": false }, "attachmentNames": { "type": "string", "is_array": false }, "ccEmails": { "type": "string", "is_array": true }, "receivedTime": { "type": "string", "is_array": false }, "summaryInsights": { "type": "string", "is_array": false }, "toAddresses": { "type": "string", "is_array": false }, "returnPath": { "type": "string", "is_array": false }, "fromAddress": { "type": "string", "is_array": false }, "senderIpAddress": { "type": "string", "is_array": false }, "subject": { "type": "string", "is_array": false }, "attackType": { "type": "string", "is_array": false }, "attackStrategy": { "type": "string", "is_array": false }, "abxMessageId": { "type": "int", "is_array": false }, "threatId,": { "type": "string", "is_array": false }, "attackVector": { "type": "string", "is_array": false }, "_vendor": { "type": "string", "is_array": false }, "_product": { "type": "string", "is_array": false }, "attackedParty": { "type": "string", "is_array": false }, "internetMessageId": { "type": "string", "is_array": false } } }