Rules (XIF)
[MODEL: dataset=trend_micro_email_security_raw]
alter
_is_policy_event = if(logType = "policy_logs")
| alter
_event_outcome_traffic = if(action in ("Deleted", "Bounced", "Expired"), XDM_CONST.OUTCOME_FAILED, action in ("Temporary delivery error", "Quarantined", "Redirected", "Submitted to sandbox", "Password analyzing", "Deferred"), XDM_CONST.OUTCOME_PARTIAL, action in ("Delivered"), XDM_CONST.OUTCOME_SUCCESS),
_event_outcome_policy = if(policyAction ~="Bypass", XDM_CONST.OUTCOME_UNKNOWN, policyAction ~="Deliver", XDM_CONST.OUTCOME_SUCCESS, policyAction in("Message deleted", "Delete"), XDM_CONST.OUTCOME_FAILED, policyAction in("Attachment sanitized", "Sanitize attachments", "Attachment deleted upon failure to remove active content", "Attachment deleted", "BCC", "Cleaned", "Notification sent", "Send notification", "Quarantine", "Quarantined", "Recipient changed", "Change recipient", "Stamp inserted", "Insert stamp in body", "Subject tagged", "Tag Subject", "Submitted for encryption", "X-Header inserted", "Insert X-Header", "Clean cleanable malware", "delete those that cannot be cleaned"), XDM_CONST.OUTCOME_PARTIAL),
_attachments_array = if(_is_policy_event = True, coalesce(json_extract_array(details, "$.fileInfo"), json_extract_array(details, "$.urlInfo")), json_extract_array(attachments, "$."))
| alter
_attachments_names = arraymap(_attachments_array, coalesce(json_extract_scalar("@element", "$.fileName"), json_extract_scalar("@element", "$.attachmentName"))),
_attachments_sha256 = arraymap(_attachments_array, coalesce(json_extract_scalar("@element", "$.sha256"), json_extract_scalar("@element", "$.fileSha256"), json_extract_scalar("@element", "$.attachmentSha256")))
| alter
_attachments_extensions = arraymap(_attachments_names, if("@element" ~= "\.\w+$", arrayindex(regextract("@element", ".+?\.(\w+)$"), 0), "")),
_mail_tracking_events_urls = arraystring(arraymap(embeddedUrls -> [], trim("@element", "\"")), ","),
_policy_events_urls = arraystring(arraymap(json_extract_array(details, "$.urlInfo"), json_extract_scalar("@element", "$.url")), ","),
_fqdn = arrayindex(regextract(deliveredTo, "^([\w\-]+\.[\w\-\.]+\w)"), 0)
| alter
xdm.event.outcome = if(_is_policy_event = True, _event_outcome_policy, _event_outcome_traffic),
xdm.observer.action = if(_is_policy_event = True, policyAction, action),
xdm.email.attachment.filename = arraystring(_attachments_names, ","),
xdm.email.attachment.sha256 = arraystring(_attachments_sha256, ","),
xdm.email.attachment.extension = arraystring(_attachments_extensions, ","),
xdm.event.description = details,
xdm.alert.severity = json_extract_scalar(details, "$.riskLevel"),
xdm.alert.name = json_extract_scalar(details, "$.threatNames"),
xdm.observer.type = direction,
xdm.source.user.domain = if(direction = "out", domainName),
xdm.target.domain = if(direction = "in", domainName),
xdm.target.url = if(_is_policy_event = True, _policy_events_urls, _mail_tracking_events_urls),
xdm.alert.subcategory = eventSubtype,
xdm.alert.category = eventType,
xdm.event.type = coalesce(eventType , logType),
xdm.email.recipients = arraymap(headerTo -> [], trim("@element", "\"")),
xdm.target.resource.id = mailID,
xdm.email.message_id = messageID,
xdm.network.rule = policyName,
xdm.event.outcome_reason = coalesce(reason, details),
xdm.email.sender = coalesce(headerFrom, sender),
xdm.source.ipv4 = if(senderIP ~= "\.", senderIP, null),
xdm.source.ipv6 = if(senderIP ~= "\:", senderIP, null),
xdm.email.attachment.size = size,
xdm.email.subject = subject,
xdm.network.tls.protocol_version = tlsInfo,
xdm.intermediate.host.fqdn = _fqdn,
xdm.intermediate.host.hostname = coalesce(arrayindex(regextract(_fqdn, "(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"), 0), arrayindex(regextract(_fqdn, "^([^\.]+)"), 0)),
xdm.intermediate.port = to_integer(arrayindex(regextract(deliveredTo, "\]\:(\d{2,5})$"), 0)),
xdm.intermediate.ipv4 = arrayindex(regextract(deliveredTo, "(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"), 0),
xdm.email.delivery_timestamp = parse_timestamp("%Y-%m-%dT%H:%M:%SZ", to_string(deliveryTime));
Schema
trend_micro_email_security_raw
| Field |
Type |
Array? |
action |
string |
— |
attachments |
string |
— |
deliveredTo |
string |
— |
deliveryTime |
datetime |
— |
details |
string |
— |
direction |
string |
— |
domainName |
string |
— |
embeddedUrls |
string |
— |
eventSubtype |
string |
— |
eventType |
string |
— |
genTime |
datetime |
— |
headerFrom |
string |
— |
headerTo |
string |
— |
logType |
string |
— |
mailID |
string |
— |
messageID |
string |
— |
policyAction |
string |
— |
policyName |
string |
— |
reason |
string |
— |
recipient |
string |
— |
recipients |
string |
— |
sender |
string |
— |
senderIP |
string |
— |
size |
int |
— |
subject |
string |
— |
timestamp |
datetime |
— |
tlsInfo |
string |
— |
Raw JSON
{
"trend_micro_email_security_raw": {
"action": {
"type": "string",
"is_array": false
},
"mailID": {
"type": "string",
"is_array": false
},
"sender": {
"type": "string",
"is_array": false
},
"genTime": {
"type": "datetime",
"is_array": false
},
"logType": {
"type": "string",
"is_array": false
},
"subject": {
"type": "string",
"is_array": false
},
"tlsInfo": {
"type": "string",
"is_array": false
},
"senderIP": {
"type": "string",
"is_array": false
},
"direction": {
"type": "string",
"is_array": false
},
"eventType": {
"type": "string",
"is_array": false
},
"messageID": {
"type": "string",
"is_array": false
},
"recipient": {
"type": "string",
"is_array": false
},
"domainName": {
"type": "string",
"is_array": false
},
"headerFrom": {
"type": "string",
"is_array": false
},
"policyName": {
"type": "string",
"is_array": false
},
"eventSubtype": {
"type": "string",
"is_array": false
},
"policyAction": {
"type": "string",
"is_array": false
},
"deliveredTo": {
"type": "string",
"is_array": false
},
"attachments": {
"type": "string",
"is_array": false
},
"recipients": {
"type": "string",
"is_array": false
},
"headerTo": {
"type": "string",
"is_array": false
},
"details": {
"type": "string",
"is_array": false
},
"timestamp": {
"type": "datetime",
"is_array": false
},
"size": {
"type": "int",
"is_array": false
},
"deliveryTime": {
"type": "datetime",
"is_array": false
},
"embeddedUrls": {
"type": "string",
"is_array": false
},
"reason": {
"type": "string",
"is_array": false
}
}
}