Trend Micro Email Security Modeling Rule

Modeling Rule

Trend Micro Email Security

Details

IDTrend_Micro_Email_Security_ModelingRule
From Version6.10.0

Rules (XIF)

[MODEL: dataset=trend_micro_email_security_raw]
alter
    _is_policy_event = if(logType = "policy_logs")
| alter
    _event_outcome_traffic = if(action in ("Deleted", "Bounced", "Expired"), XDM_CONST.OUTCOME_FAILED, action in ("Temporary delivery error", "Quarantined", "Redirected", "Submitted to sandbox", "Password analyzing", "Deferred"), XDM_CONST.OUTCOME_PARTIAL, action in ("Delivered"), XDM_CONST.OUTCOME_SUCCESS),
    _event_outcome_policy = if(policyAction ~="Bypass", XDM_CONST.OUTCOME_UNKNOWN, policyAction ~="Deliver", XDM_CONST.OUTCOME_SUCCESS, policyAction in("Message deleted", "Delete"), XDM_CONST.OUTCOME_FAILED, policyAction in("Attachment sanitized", "Sanitize attachments", "Attachment deleted upon failure to remove active content", "Attachment deleted", "BCC", "Cleaned", "Notification sent", "Send notification", "Quarantine", "Quarantined", "Recipient changed", "Change recipient", "Stamp inserted", "Insert stamp in body", "Subject tagged", "Tag Subject", "Submitted for encryption", "X-Header inserted", "Insert X-Header", "Clean cleanable malware", "delete those that cannot be cleaned"), XDM_CONST.OUTCOME_PARTIAL),
    _attachments_array = if(_is_policy_event = True, coalesce(json_extract_array(details, "$.fileInfo"), json_extract_array(details, "$.urlInfo")), json_extract_array(attachments, "$."))
| alter
    _attachments_names = arraymap(_attachments_array, coalesce(json_extract_scalar("@element", "$.fileName"), json_extract_scalar("@element", "$.attachmentName"))),
    _attachments_sha256 = arraymap(_attachments_array, coalesce(json_extract_scalar("@element", "$.sha256"), json_extract_scalar("@element", "$.fileSha256"), json_extract_scalar("@element", "$.attachmentSha256")))
| alter
    _attachments_extensions = arraymap(_attachments_names, if("@element" ~= "\.\w+$", arrayindex(regextract("@element", ".+?\.(\w+)$"), 0), "")),
    _mail_tracking_events_urls = arraystring(arraymap(embeddedUrls -> [], trim("@element", "\"")), ","),
    _policy_events_urls = arraystring(arraymap(json_extract_array(details, "$.urlInfo"), json_extract_scalar("@element", "$.url")), ","),
    _fqdn = arrayindex(regextract(deliveredTo, "^([\w\-]+\.[\w\-\.]+\w)"), 0)
| alter 
    xdm.event.outcome = if(_is_policy_event = True, _event_outcome_policy, _event_outcome_traffic),
    xdm.observer.action = if(_is_policy_event = True, policyAction, action),
    xdm.email.attachment.filename = arraystring(_attachments_names, ","),
    xdm.email.attachment.sha256 = arraystring(_attachments_sha256, ","),
    xdm.email.attachment.extension = arraystring(_attachments_extensions, ","),
    xdm.event.description = details,
    xdm.alert.severity = json_extract_scalar(details, "$.riskLevel"),
    xdm.alert.name = json_extract_scalar(details, "$.threatNames"),
    xdm.observer.type = direction,
    xdm.source.user.domain = if(direction = "out", domainName),
    xdm.target.domain = if(direction = "in", domainName),
    xdm.target.url = if(_is_policy_event = True, _policy_events_urls, _mail_tracking_events_urls),
    xdm.alert.subcategory = eventSubtype,
    xdm.alert.category = eventType,
    xdm.event.type = coalesce(eventType , logType),
    xdm.email.recipients = arraymap(headerTo -> [], trim("@element", "\"")),
    xdm.target.resource.id = mailID,
    xdm.email.message_id = messageID,
    xdm.network.rule = policyName,
    xdm.event.outcome_reason = coalesce(reason, details),
    xdm.email.sender = coalesce(headerFrom, sender),
    xdm.source.ipv4 = if(senderIP ~= "\.", senderIP, null),
    xdm.source.ipv6 = if(senderIP ~= "\:", senderIP, null),
    xdm.email.attachment.size = size,
    xdm.email.subject = subject,
    xdm.network.tls.protocol_version = tlsInfo,
    xdm.intermediate.host.fqdn = _fqdn,
    xdm.intermediate.host.hostname = coalesce(arrayindex(regextract(_fqdn, "(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"), 0), arrayindex(regextract(_fqdn, "^([^\.]+)"), 0)),
    xdm.intermediate.port = to_integer(arrayindex(regextract(deliveredTo, "\]\:(\d{2,5})$"), 0)),
    xdm.intermediate.ipv4 = arrayindex(regextract(deliveredTo, "(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"), 0),
    xdm.email.delivery_timestamp = parse_timestamp("%Y-%m-%dT%H:%M:%SZ", to_string(deliveryTime));

Schema

trend_micro_email_security_raw

Field Type Array?
action string
attachments string
deliveredTo string
deliveryTime datetime
details string
direction string
domainName string
embeddedUrls string
eventSubtype string
eventType string
genTime datetime
headerFrom string
headerTo string
logType string
mailID string
messageID string
policyAction string
policyName string
reason string
recipient string
recipients string
sender string
senderIP string
size int
subject string
timestamp datetime
tlsInfo string
Raw JSON
{
    "trend_micro_email_security_raw": {
        "action": {
            "type": "string",
            "is_array": false
        },
        "mailID": {
            "type": "string",
            "is_array": false
        },
        "sender": {
            "type": "string",
            "is_array": false
        },
        "genTime": {
            "type": "datetime",
            "is_array": false
        },
        "logType": {
            "type": "string",
            "is_array": false
        },
        "subject": {
            "type": "string",
            "is_array": false
        },
        "tlsInfo": {
            "type": "string",
            "is_array": false
        },
        "senderIP": {
            "type": "string",
            "is_array": false
        },
        "direction": {
            "type": "string",
            "is_array": false
        },
        "eventType": {
            "type": "string",
            "is_array": false
        },
        "messageID": {
            "type": "string",
            "is_array": false
        },
        "recipient": {
            "type": "string",
            "is_array": false
        },
        "domainName": {
            "type": "string",
            "is_array": false
        },
        "headerFrom": {
            "type": "string",
            "is_array": false
        },
        "policyName": {
            "type": "string",
            "is_array": false
        },
        "eventSubtype": {
            "type": "string",
            "is_array": false
        },
        "policyAction": {
            "type": "string",
            "is_array": false
        },
        "deliveredTo": {
            "type": "string",
            "is_array": false
        },
        "attachments": {
            "type": "string",
            "is_array": false
        },
        "recipients": {
            "type": "string",
            "is_array": false
        },
        "headerTo": {
            "type": "string",
            "is_array": false
        },
        "details": {
            "type": "string",
            "is_array": false
        },
        "timestamp": {
            "type": "datetime",
            "is_array": false
        },
        "size": {
            "type": "int",
            "is_array": false
        },
        "deliveryTime": {
            "type": "datetime",
            "is_array": false
        },
        "embeddedUrls": {
            "type": "string",
            "is_array": false
        },
        "reason": {
            "type": "string",
            "is_array": false
        }
    }
}