Retarus Secure Email Gateway Modeling Rule

Modeling Rule

Retarus Secure Email Gateway

Details

IDRetarus_Secure_Email_Gateway_ModelingRule
From Version8.5.0

Rules (XIF)

[RULE: retarus_secure_email_gw_common_fields]
alter
        tmp_description = if(direction = "INBOUND", "Inbound Email", "Outbound Email"),
        source_ipv4 = arrayindex(regextract(sourceIp , "(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"),0),
        source_ipv6 = arrayindex(regextract(sourceIp, "([a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5})"),0),
        tmp_description_2 = if(
        status = "ACCEPTED", ", Email Accepted", 
        status = "REJECTED", ", Email Rejected",
        status = "INFECTED" ,", Email Is Infected", 
        status = "DETECTED", ", Malicious File/ URL Detected", 
        status = "SUSPICIOUS",", Suspicious File/ URL Found" )

| alter
        xdm.email.origination_timestamp = parse_timestamp("%F %X %z",to_string(ts)),
        xdm.observer.version = version,
        xdm.observer.name = host, 
        xdm.event.original_event_type = type,
        xdm.source.ipv4 = source_ipv4,
        xdm.source.ipv6 = source_ipv6,
        xdm.email.recipients = arraycreate(recipient),
        xdm.session_context_id = rmxId,
        xdm.observer.action = status,
        xdm.event.description = concat(tmp_description , tmp_description_2 ),
        xdm.event.type = class,
        xdm.email.message_id = mimeId;


[RULE: pzd_fields]
alter 
        extract_threatType = metaData -> threatType,
        extract_url = metaData -> uniformResourceLocator,
        extract_hash = metaData -> hashFunction,
        extract_checksum = metaData -> checksum,
        extract_mimeType = metaData -> mimeType,
        extract_details = metaData -> details

| alter
        xdm.email.attachment.file_type	= extract_mimeType,	
        xdm.alert.original_threat_name = extract_details,
        xdm.target.url = if(extract_threatType = "URL", extract_url),
        xdm.email.attachment.sha256	= if(extract_hash = "SHA-256" or extract_hash = "sha256", extract_checksum ,null),
        xdm.email.attachment.md5 = if(extract_hash != "SHA-256" and extract_hash = "sha256" and len(extract_hash) = 32, extract_checksum, null);


[RULE: mta_inbound_fields]
alter 
        extract_protocol = metaData -> transportEncryption.protocol,
        extract_cipher = metaData -> transportEncryption.cipherSuite,
        extract_auth_dkim_status = metaData -> authentication.dkim.status,
        extract_auth_dkim_details = arrayindex(regextract(metaData -> authentication.dkim.details ,"reason\s*=\s*([\S\s]+)\""),0),
        extract_subject = metaData -> header.subject

| alter 
        extract_details_reason = replace(extract_auth_dkim_details, "\"","")
| alter
        xdm.email.subject = extract_subject,
        xdm.event.outcome = if(extract_auth_dkim_status = "pass", XDM_CONST.OUTCOME_SUCCESS, 
        extract_auth_dkim_status = "fail", XDM_CONST.OUTCOME_FAILED, 
        extract_auth_dkim_status = "none", XDM_CONST.OUTCOME_UNKNOWN),
        xdm.event.outcome_reason = extract_details_reason,
        xdm.network.tls.protocol_version = extract_protocol,
        xdm.network.tls.cipher = extract_cipher;


[RULE: mta_outbound_fields]
alter 
        extract_protocol = metaData -> transportEncryption.protocol,
        extract_cipher = metaData -> transportEncryption.cipherSuite,
        extract_subject = metaData -> header.subject

| alter
        xdm.email.subject = extract_subject,
        xdm.network.tls.protocol_version = extract_protocol,
        xdm.network.tls.cipher = extract_cipher;


[RULE: multiscan_fields]
alter 
        extract_details = metaData -> details

| alter
        xdm.alert.original_threat_name = extract_details,
        xdm.alert.description = extract_details;


[RULE: sandboxing_fields]
alter 
        extract_hash = metaData -> hashFunction,
        extract_checksum = metaData -> checksum

| alter
        xdm.email.attachment.sha256	= if(extract_hash = "SHA-256" or extract_hash = "sha256", extract_checksum ,null),
        xdm.email.attachment.md5 = if(extract_hash != "SHA-256" and extract_hash = "sha256" and len(extract_hash) = 32, extract_checksum, null);


[RULE: mapping_sender_field]
alter
        xdm.email.sender = sender;


[RULE: mapping_sender_field_for_mta_events]
alter
        extract_header_from = metaData -> header.from
|alter 
        extract_from = arrayindex(regextract(extract_header_from ,"<(\S*)>"), 0)
|alter
        xdm.email.sender = coalesce(extract_from, sender);


[MODEL: dataset=retarus_secure_email_gateway_raw]
filter type = "CxO"
|call retarus_secure_email_gw_common_fields
|call mapping_sender_field;


filter type = "PZD"
|call retarus_secure_email_gw_common_fields
|call pzd_fields
|call mapping_sender_field;


filter type = "Sandboxing"
|call retarus_secure_email_gw_common_fields
|call sandboxing_fields
|call mapping_sender_field;


filter type = "MultiScan"
|call retarus_secure_email_gw_common_fields
|call multiscan_fields
|call mapping_sender_field;


filter type = "MTA" and direction ="INBOUND"
|call retarus_secure_email_gw_common_fields
|call mta_inbound_fields
|call mapping_sender_field_for_mta_events;


filter type = "MTA" and direction ="OUTBOUND"
|call retarus_secure_email_gw_common_fields
|call mta_outbound_fields
|call mapping_sender_field_for_mta_events;

Schema

retarus_secure_email_gateway_raw

Field Type Array?
class string
direction string
host string
metaData string
mimeId string
recipient string
rmxId string
sender string
sourceIp string
status string
ts datetime
type string
version string
Raw JSON
{
    "retarus_secure_email_gateway_raw": {
        "ts": {
            "type": "datetime",
            "is_array": false
        },
        "version": {
            "type": "string",
            "is_array": false
        },
        "host": {
            "type": "string",
            "is_array": false
        },
        "type": {
            "type": "string",
            "is_array": false
        },
        "sourceIp": {
            "type": "string",
            "is_array": false
        },
        "recipient": {
            "type": "string",
            "is_array": false
        },
        "sender": {
            "type": "string",
            "is_array": false
        },
        "direction": {
            "type": "string",
            "is_array": false
        },
        "rmxId": {
            "type": "string",
            "is_array": false
        },
        "status": {
            "type": "string",
            "is_array": false
        },
        "class": {
            "type": "string",
            "is_array": false
        },
        "mimeId": {
            "type": "string",
            "is_array": false
        },
        "metaData": {
            "type": "string",
            "is_array": false
        }
    }
}