diff --git a/packages/mimecast/_dev/build/build.yml b/packages/mimecast/_dev/build/build.yml
index 08d85edcf9a..809e76063e9 100644
--- a/packages/mimecast/_dev/build/build.yml
+++ b/packages/mimecast/_dev/build/build.yml
@@ -1,3 +1,3 @@
 dependencies:
 ecs:
- reference: git@1.12
+ reference: git@8.0
diff --git a/packages/mimecast/changelog.yml b/packages/mimecast/changelog.yml
index 65ee88d44f2..4825f4982f8 100644
--- a/packages/mimecast/changelog.yml
+++ b/packages/mimecast/changelog.yml
@@ -1,3 +1,8 @@
+- version: "0.0.6"
+ changes:
+ - description: Add use cases for audit events and update sample events and docs
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2690
 - version: "0.0.5"
 changes:
 - description: Fix typo
diff --git a/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log b/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log
index 8f129afe2f2..c8284127bd8 100644
--- a/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log
+++ b/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log
@@ -13,7 +13,7 @@ {"id":"eNqrVipOTS4tSs1MUbJSMvCrMHX2MzL1yLFITjJNd8rO9wiJyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaGRkoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAPktKzg","auditType":"Logon Authentication Failed","user":"johndoe@example.com","eventTime":"2021-10-12T08:47:55+0000","eventInfo":"Failed authentication for johndoe@example.com , Date: 2021-10-12, Time: 09:47:55 BST, IP: 67.43.156.15, Application: mimecast-moa, Method: Office 365, Reason: Wrong password","category":"authentication_logs"} {"id":"eNqrVipOTS4tSs1MUbJSSnJMinKNMMtyDg3xKw2rDM91DC-JdAtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaGRooaOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAEQYK9w","auditType":"Existing Archive Task Changed","user":"johdoe@example.com","eventTime":"2021-10-12T08:47:54+0000","eventInfo":"Successfully updated 3 'Sync and Recover' tasks associated with legacy connection (\"365\") to new migrated connector (\"Sync and Recover - 365\"), Date: 2021-10-12, Time: 08:47:54+0000, IP: 67.43.156.15, Application: Administration Console","category":"archive_service_logs"} {"id":"eNoVzc0KgkAUQOF3uVsFuZma7qQ0UqiFqChuZH7M0iZmHMOid8_2h-98QDGiJespBDBgYwn-4orcHMrr_JqUWdjFBb8YThbF5bE6le_ardLGitJqnHF39w7YGuLsL5g8l7wAE1pN-2kQ3V-00bdt3KBrAtFqEiOTRFC2rvZbN_ScNZ-ZVL14QIDfH41XLGM","auditType":"Connectors Management","user":"johndoe@example.com","eventTime":"2021-10-12T08:47:53+0000","eventInfo":"Connector creation for Microsoft O365\nName: Sync and Recover - 365, Description: null, Product: Sync and Recover, App (provider): Microsoft O365\nSuccess: true, Date: 2021-10-12, Time: 08:47:53+0000, IP: 67.43.156.15, Application: Administration Console","category":"integrations_and_apis"} -{"id":"eNqrVipOTS4tSs1MUbJSynAJ8yuoyA4z9ygMNyv21C42MC9IDwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkbmFhoqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADk2K8U","auditType":"Page Data 
Exports","user":"johndoe@example.com","eventTime":"2021-10-12T02:27:18+0000","eventInfo":"[Export type : Download,Name :watchlist_view,Requested By :johdoe@example.com,Export time :Tue Oct 12 03:27:18 BST 2021,IP Address :67.43.156.15,Columns exported :Name|Email|Department|Number of Videos|,File name : export_at_watchlist_view_1634005638160.xlsx,File Size: 6864,File type : .xlsx], Date: 2021-10-12, Time: 02:27:18+0000, IP: 67.43.156.15, Application: mimecast-matfe","category":"account_logs"} +{"id":"eNqrVipOTS4tSs1MUbJSynAJ8yuoyA4z9ygMNyv21C42MC9IDwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkbmFhoqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADk2K8U","auditType":"Page Data Exports","user":"johndoe@example.com","eventTime":"2021-10-12T02:27:18+0000","eventInfo":"[Export type : Download,Name :watchlist_view,Requested By :johndoe@example.com,Export time :Tue Oct 12 03:27:18 BST 2021,IP Address :67.43.156.15,Columns exported :Name|Email|Department|Number of Videos|,File name : export_at_watchlist_view_1634005638160.xlsx,File Size: 6864,File type : .xlsx], Date: 2021-10-12, Time: 02:27:18+0000, IP: 67.43.156.15, Application: mimecast-matfe","category":"account_logs"} {"id":"eNqrVipOTS4tSs1MUbJSMi8zSc3J8M4Od_NwjdHPMDYzdfGO8MkJS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGlsZGppaKajlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgAmqSuF","auditType":"Custom Report Definition Created","user":"johndoe@example.local","eventTime":"2021-10-11T19:53:41+0000","eventInfo":"Action Performed - Custom Report Definition Created with name \"Terri test\" and description \"all user - per email report\" by johndoe@example.local Date: 2021-10-11 Time: 20:53:41 +0100 IP: 67.43.156.15 Application: Administration Console","category":"reporting_logs"} 
{"id":"eNqrVipOTS4tSs1MUbJSCij080lzDChMMjXw8o3IjnCLDIrRT8wJS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGlsZGpiYaqjlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgBNvCvh","auditType":"Folder Log Entry","user":"johndoe@example.com","eventTime":"2021-10-11T18:23:10+0000","eventInfo":"Action Performed - Deleted New Folder by johndoe@example.com Date: 2021-10-11 Time: 19:23:10 +0100 IP: 67.43.156.15 Application: Administration Console","category":"profile_group_logs"} {"id":"eNqrVipOTS4tSs1MUbJSCtF28jc2DDLwd_d1NM7ULnLzdnPzdwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiCAQ6SsmlxSX5ualFyfkpqUCbnE3MHM1NgcrLUouKM_PzlKwMawGTZipR","auditType":"User Password Changed","user":"johndoe@example.com","eventTime":"2021-10-12T19:56:55+0000","eventInfo":"Password reset for user: johndoe@example.com User Password Changed, Remote IP is null","category":"user_account_and_role_logs"} 
@@ -22,4 +22,6 @@ {"id":"eNqrVipOTS4tSs1MUbJSigzJC_ZNzg-vcjYKcwz3icotC0nVdgtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiYG5kqaOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAD-SK84","auditType":"Archive Mailbox Restore","user":"johndoejr@example.com","eventTime":"2021-10-12T18:19:33+0000","eventInfo":"Archive mailbox restore created. Restored data from johndoe@example.com to johndoejr@example.com by johndoejr@example.com, Date: 2021-10-12, Time: 18:19:33+0000, IP: 67.43.156.15, Application: Administration Console","category":"archive_service_logs"} {"id":"eNqrVipOTS4tSs1MUbJScjMvyjIxr6yoLDY2qQopLq3yDnM1dwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiYGZorKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAE5dK-0","auditType":"Archive Mailbox Export Download","user":"johndoe@example.com","eventTime":"2021-10-12T17:55:14+0000","eventInfo":"Mailbox export downloaded. Download filename (HTML Report recovery id): eNqrVipOTS4tSs1MUbJSyo3RDw81rTCpynMpdiuICMopyihxynZztcisDMoN9zWLSCrPzAjz9PALNzFwySrLMNQ2yUs38g9zS860cHKNMExR0lFKLi0uyc9NLUrOT0kFGulsYuZobgoUL0pNzi9LLarULUksztYFWWdpaKqjBBQqzszPU7IyrAUAsSEteA by johndoe@example.com, Date: 2021-10-12, Time: 17:55:14+0000, IP: 67.43.156.15, Application: Administration Console","category":"archive_service_logs"} {"id":"eNqrVipOTS4tSs1MUbJSitH39gl1cS509PT1MSnw90l0CinPCQgLS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGlsYmBsYqqjlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgAxASul","auditType":"Review Set Action","user":"johndoe@example.com","eventTime":"2021-10-12T17:07:00+0000","eventInfo":"Viewed Review Set Details - Case: Class Action, Review Set: Contracts, Date: 2021-10-12, Time: 17:07:00+0000, IP: 67.43.156.15, Application: mimecast-case-review","category":"case_review_logs"} 
-{"id":"eNqrVipOTS4tSs1MUbJS8vDNLCt0DHEKS4xICvNJqzQ1MjOyyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaWJurKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAByMK38","auditType":"Remediation Incident Adjustment","user":"johndoe@example.com","eventTime":"2021-10-12T15:38:05+0000","eventInfo":"Restore Remediation Incident Created - TR-C46A75-01419-R, type : restore, search criteria : {\"unremediateCode\":\"TR-C46A75-01419-M\",\"from\":\"gmail.com\",\"start\":\"2021-10-10T15:33:49+0000\",\"end\":\"2021-10-12T15:33:49+0000\"}, Date: 2021-10-12, Time: 15:38:05+0000, IP: 67.43.156.15, Application: Administration Console","category":"account_logs"} \ No newline at end of file +{"id":"eNqrVipOTS4tSs1MUbJS8vDNLCt0DHEKS4xICvNJqzQ1MjOyyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaWJurKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAByMK38","auditType":"Remediation Incident Adjustment","user":"johndoe@example.com","eventTime":"2021-10-12T15:38:05+0000","eventInfo":"Restore Remediation Incident Created - TR-C46A75-01419-R, type : restore, search criteria : {\"unremediateCode\":\"TR-C46A75-01419-M\",\"from\":\"gmail.com\",\"start\":\"2021-10-10T15:33:49+0000\",\"end\":\"2021-10-12T15:33:49+0000\"}, Date: 2021-10-12, Time: 15:38:05+0000, IP: 67.43.156.15, Application: Administration Console","category":"account_logs"} +{"id":"eNqrVipOTS4tSs1MUbJSMvCrMHX2MzL1yLFITjJNd8rO9wiJyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaGRkoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAPktKzg","auditType":"Logon Authentication Failed","user":"johndoe@example.com","eventTime":"2021-10-12T08:47:55+0000","eventInfo":"Failed authentication for johndoe@example.com , Date: 2022-01-11, Time: 22:54:04 GMT, IP: 67.43.156.15, Application: POP-POP2, Reason: Account Locked","category":"authentication_logs"} 
+{"id":"eNqrVipOTS4tSs1MUbJSMvCrMHX2MzL1yLFITjJNd8rO9wiJyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaGRkoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAPktKzg","auditType":"Logon Authentication Failed","user":"johndoe@example.com","eventTime":"2021-10-12T08:47:55+0000","eventInfo":"Failed authentication for johndoe@example.com , Date: 2022-01-11, Time: 21:48:01 GMT, IP: 67.43.156.15, Application: POP-POP2, Method: Cloud, Reason: Wrong Password","category":"authentication_logs"} \ No newline at end of file diff --git a/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log-expected.json b/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log-expected.json index ccfa7cfc7f8..7bb1eeb7f92 100644 --- a/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log-expected.json +++ b/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log-expected.json @@ -18,7 +18,7 @@ "ip": "67.43.156.15" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "event": { "action": "threat-intel-feed-download", @@ -71,7 +71,7 @@ "ip": "67.43.156.15" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "event": { "action": "threat-intel-feed-download", @@ -124,7 +124,7 @@ "ip": "67.43.156.15" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "event": { "action": "user-logged-on", 
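Review bot: Both events appended at the end of test-audit-events.log reuse the `id` and the `eventTime` (`2021-10-12T08:47:55+0000`) of the existing "Logon Authentication Failed" sample from the earlier hunk, while their `eventInfo` carries `Date: 2022-01-11`, so the fixture now holds three distinct events with one identifier and a timestamp that disagrees with the message body. The regenerated expected output shows the effect: the new documents get `@timestamp` 2021-10-12 but `event.created` 2022-01-11, and all three share the same `event.id`. If `event.id` is ever used for de-duplication or as the document `_id`, a fixture built on duplicated ids cannot catch a collision. Give the copied samples their own `id` values (constructed placeholders are fine for test data) and an `eventTime` that matches the `Date`/`Time` in `eventInfo`, e.g. `"eventTime":"2022-01-11T22:54:04+0000"`.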
@@ -133,9 +133,11 @@ "original": "{\"id\": \"eNqrVipOTS4tSs1MUbJSivD0cisuyAirMgpxDy12dPNMMcn1zQlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkamhiqKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADo9K8A\",\"auditType\": \"User Logged On\",\"user\": \"johndoe@example.com\",\"eventTime\": \"2021-10-11T17:17:30+0000\",\"eventInfo\": \"Successful authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-11, Time: 18:17:30 BST, IP: 67.43.156.15, Application: Administration Console, Method: Two Step Auth, 2FA: TOTP\",\"category\": \"authentication_logs\"}" }, "mimecast": { - "application": "Administration Console, Method: Two Step Auth, 2FA: TOTP", + "2FA": "TOTP", + "application": "Administration Console", "category": "authentication_logs", - "eventInfo": "Successful authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-11, Time: 18:17:30 BST, IP: 67.43.156.15, Application: Administration Console, Method: Two Step Auth, 2FA: TOTP" + "eventInfo": "Successful authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-11, Time: 18:17:30 BST, IP: 67.43.156.15, Application: Administration Console, Method: Two Step Auth, 2FA: TOTP", + "method": "Two Step Auth" }, "related": { "ip": [ @@ -173,7 +175,7 @@ "ip": "67.43.156.15" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "event": { "action": "logon-requires-challenge", 
@@ -182,9 +184,11 @@ "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSSsos9DMJTPLyMA6NcCt2TA1OCwjLcwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkamhsqaOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAC8tK60\",\"auditType\":\"Logon Requires Challenge\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-11T17:17:26+0000\",\"eventInfo\":\"Intermediate authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-11, Time: 18:17:26 BST, IP: 67.43.156.15, Application: Administration Console, Method: Office 365, 2FA: TOTP\",\"category\":\"authentication_logs\"}" }, "mimecast": { - "application": "Administration Console, Method: Office 365, 2FA: TOTP", + "2FA": "TOTP", + "application": "Administration Console", "category": "authentication_logs", - "eventInfo": "Intermediate authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-11, Time: 18:17:26 BST, IP: 67.43.156.15, Application: Administration Console, Method: Office 365, 2FA: TOTP" + "eventInfo": "Intermediate authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-11, Time: 18:17:26 BST, IP: 67.43.156.15, Application: Administration Console, Method: Office 365, 2FA: TOTP", + "method": "Office 365" }, "related": { "ip": [ @@ -222,7 +226,7 @@ "ip": "67.43.156.15" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "event": { "action": "user-logged-on", 
@@ -231,9 +235,10 @@ "original": "{ \"id\": \"eNqrVipOTS4tSs1MUbJS8o0ILw8pL_cyqQosLi-MzKjKcvMzCwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkYmZorKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAIqvLHI\", \"auditType\": \"User Logged On\", \"user\": \"johndoe@example.com\", \"eventTime\": \"2021-10-11T16:03:38+0000\", \"eventInfo\": \"Successful authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-11, Time: 17:03:38 BST, IP: 67.43.156.15, Application: Administration Console, Method: Cloud\", \"category\": \"authentication_logs\"}" }, "mimecast": { - "application": "Administration Console, Method: Cloud", + "application": "Administration Console", "category": "authentication_logs", - "eventInfo": "Successful authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-11, Time: 17:03:38 BST, IP: 67.43.156.15, Application: Administration Console, Method: Cloud" + "eventInfo": "Successful authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-11, Time: 17:03:38 BST, IP: 67.43.156.15, Application: Administration Console, Method: Cloud", + "method": "Cloud" }, "related": { "ip": [ @@ -271,7 +276,7 @@ "ip": "67.43.156.15" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "event": { "action": "mimecast-support-login", @@ -320,7 +325,7 @@ "ip": "67.43.156.15" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "event": { "action": "mimecast-support-login", @@ -369,7 +374,7 @@ "ip": "67.43.156.15" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "email": { "from": { @@ -390,8 +395,7 @@ "mimecast": { "application": "mimecast-case-review", "category": "case_review_logs", - "eventInfo": "Viewed Message - Source: Search, 
From: \u003cJohn Done\u003e johndoe@example.com, To: \u003cjohndoe@example.com\u003e johndoe@example.com, Subject: Test on Tues 28th Sept, Processed: 2021-09-28 07:59:23+0000, Viewed Content: True, Date: 2021-10-11, Time: 15:36:01+0000, IP: 67.43.156.15, Application: mimecast-case-review", - "name": {} + "eventInfo": "Viewed Message - Source: Search, From: \u003cJohn Done\u003e johndoe@example.com, To: \u003cjohndoe@example.com\u003e johndoe@example.com, Subject: Test on Tues 28th Sept, Processed: 2021-09-28 07:59:23+0000, Viewed Content: True, Date: 2021-10-11, Time: 15:36:01+0000, IP: 67.43.156.15, Application: mimecast-case-review" }, "related": { "ip": [ @@ -429,7 +433,7 @@ "ip": "67.43.156.15" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "event": { "action": "search-action", @@ -478,7 +482,7 @@ "ip": "67.43.156.15" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "event": { "action": "logon-authentication-failed", @@ -515,7 +519,7 @@ { "@timestamp": "2021-10-11T13:21:06.000Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "event": { "action": "completed-directory-sync", @@ -556,7 +560,7 @@ "ip": "67.43.156.15" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "event": { "action": "case-action", 
@@ -605,19 +609,20 @@ "ip": "67.43.156.15" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "event": { "action": "logon-authentication-failed", "created": "2021-10-11T22:47:55.000Z", "id": "eNqrVipOTS4tSs1MUbJSMvCrMHX2MzL1yLFITjJNd8rO9wiJyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaGRkoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAPktKzg", "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSMvCrMHX2MzL1yLFITjJNd8rO9wiJyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaGRkoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAPktKzg\",\"auditType\":\"Logon Authentication Failed\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T08:47:55+0000\",\"eventInfo\":\"Failed authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-12, Time: 09:47:55 BST, IP: 67.43.156.15, Application: mimecast-moa, Method: Office 365, Reason: Wrong password\",\"category\":\"authentication_logs\"}", - "reason": "Reason: Wrong password" + "reason": "Wrong password" }, "mimecast": { "application": "mimecast-moa", "category": "authentication_logs", - "eventInfo": "Failed authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-12, Time: 09:47:55 BST, IP: 67.43.156.15, Application: mimecast-moa, Method: Office 365, Reason: Wrong password" + "eventInfo": "Failed authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-12, Time: 09:47:55 BST, IP: 67.43.156.15, Application: mimecast-moa, Method: Office 365, Reason: Wrong password", + "method": "Office 365" }, "related": { "ip": [ @@ -655,7 +660,7 @@ "ip": "67.43.156.15" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "event": { "action": "existing-archive-task-changed", @@ -704,7 +709,7 @@ "ip": "67.43.156.15" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "event": { "action": "connectors-management", 
@@ -753,13 +758,13 @@ "ip": "67.43.156.15" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "event": { "action": "page-data-exports", "created": "2021-10-12T02:27:18.000Z", "id": "eNqrVipOTS4tSs1MUbJSynAJ8yuoyA4z9ygMNyv21C42MC9IDwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkbmFhoqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADk2K8U", - "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSynAJ8yuoyA4z9ygMNyv21C42MC9IDwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkbmFhoqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADk2K8U\",\"auditType\":\"Page Data Exports\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T02:27:18+0000\",\"eventInfo\":\"[Export type : Download,Name :watchlist_view,Requested By :johdoe@example.com,Export time :Tue Oct 12 03:27:18 BST 2021,IP Address :67.43.156.15,Columns exported :Name|Email|Department|Number of Videos|,File name : export_at_watchlist_view_1634005638160.xlsx,File Size: 6864,File type : .xlsx], Date: 2021-10-12, Time: 02:27:18+0000, IP: 67.43.156.15, Application: mimecast-matfe\",\"category\":\"account_logs\"}" + "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSynAJ8yuoyA4z9ygMNyv21C42MC9IDwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkbmFhoqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADk2K8U\",\"auditType\":\"Page Data Exports\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T02:27:18+0000\",\"eventInfo\":\"[Export type : Download,Name :watchlist_view,Requested By :johndoe@example.com,Export time :Tue Oct 12 03:27:18 BST 2021,IP Address :67.43.156.15,Columns exported :Name|Email|Department|Number of Videos|,File name : export_at_watchlist_view_1634005638160.xlsx,File Size: 6864,File type : .xlsx], Date: 2021-10-12, Time: 02:27:18+0000, IP: 67.43.156.15, Application: mimecast-matfe\",\"category\":\"account_logs\"}" }, "file": { "extension": ".xlsx", 
@@ -769,15 +774,15 @@ "mimecast": { "application": "mimecast-matfe", "category": "account_logs", - "eventInfo": "[Export type : Download,Name :watchlist_view,Requested By :johdoe@example.com,Export time :Tue Oct 12 03:27:18 BST 2021,IP Address :67.43.156.15,Columns exported :Name|Email|Department|Number of Videos|,File name : export_at_watchlist_view_1634005638160.xlsx,File Size: 6864,File type : .xlsx], Date: 2021-10-12, Time: 02:27:18+0000, IP: 67.43.156.15, Application: mimecast-matfe" + "eventInfo": "[Export type : Download,Name :watchlist_view,Requested By :johndoe@example.com,Export time :Tue Oct 12 03:27:18 BST 2021,IP Address :67.43.156.15,Columns exported :Name|Email|Department|Number of Videos|,File name : export_at_watchlist_view_1634005638160.xlsx,File Size: 6864,File type : .xlsx], Date: 2021-10-12, Time: 02:27:18+0000, IP: 67.43.156.15, Application: mimecast-matfe" }, "related": { "ip": [ "67.43.156.15" ], "user": [ - "johdoe", - "johdoe@example.com" + "johndoe", + "johndoe@example.com" ] }, "tags": [ @@ -785,8 +790,8 @@ ], "user": { "domain": "example.com", - "email": "johdoe@example.com", - "name": "johdoe" + "email": "johndoe@example.com", + "name": "johndoe" } }, { @@ -807,7 +812,7 @@ "ip": "67.43.156.15" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "event": { "action": "custom-report-definition-created", @@ -856,7 +861,7 @@ "ip": "67.43.156.15" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "event": { "action": "folder-log-entry", @@ -887,7 +892,7 @@ { "@timestamp": "2021-10-12T19:56:55.000Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "event": { "action": "user-password-changed", 
@@ -931,14 +936,13 @@ "ip": "67.43.156.15" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "event": { "action": "remediation-incident-adjustment", "created": "2021-10-12T19:49:30.000Z", "id": "eNqrVipOTS4tSs1MUbJSSgwpLctzzah00TbMTTawdC4NDPAzzwlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiaGBhoqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADOfK6w", - "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSSgwpLctzzah00TbMTTawdC4NDPAzzwlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiaGBhoqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADOfK6w\",\"auditType\":\"Remediation Incident Adjustment\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T19:49:30+0000\",\"eventInfo\":\"Remediation Incident Created - TR-C46A75-01420-M, type : manual, search criteria : {\\\"fileHash\\\":\\\"9e6011844705292d5abfe0aa38d8aff02f6d8f69689c2e7cb2338f9484774bb3\\\",\\\"start\\\":\\\"2021-09-12T19:48:59+0000\\\",\\\"end\\\":\\\"2021-10-12T19:48:59+0000\\\"}, Date: 2021-10-12, Time: 19:49:30+0000, IP: 67.43.156.15, Application: Administration Console\",\"category\":\"account_logs\"}", - "type": "type : manual" + "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSSgwpLctzzah00TbMTTawdC4NDPAzzwlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiaGBhoqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADOfK6w\",\"auditType\":\"Remediation Incident Adjustment\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T19:49:30+0000\",\"eventInfo\":\"Remediation Incident Created - TR-C46A75-01420-M, type : manual, search criteria : {\\\"fileHash\\\":\\\"9e6011844705292d5abfe0aa38d8aff02f6d8f69689c2e7cb2338f9484774bb3\\\",\\\"start\\\":\\\"2021-09-12T19:48:59+0000\\\",\\\"end\\\":\\\"2021-10-12T19:48:59+0000\\\"}, Date: 2021-10-12, Time: 19:49:30+0000, IP: 67.43.156.15, Application: Administration Console\",\"category\":\"account_logs\"}" }, "mimecast": { "application": "Administration Console", 
@@ -981,7 +985,7 @@ "ip": "67.43.156.15" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "event": { "action": "archive-mailbox-restore", @@ -1030,7 +1034,7 @@ "ip": "67.43.156.15" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "event": { "action": "archive-mailbox-restore", @@ -1079,7 +1083,7 @@ "ip": "67.43.156.15" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "event": { "action": "archive-mailbox-export-download", @@ -1128,7 +1132,7 @@ "ip": "67.43.156.15" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "event": { "action": "review-set-action", 
@@ -1177,14 +1181,13 @@ "ip": "67.43.156.15" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "event": { "action": "remediation-incident-adjustment", "created": "2021-10-12T15:38:05.000Z", "id": "eNqrVipOTS4tSs1MUbJS8vDNLCt0DHEKS4xICvNJqzQ1MjOyyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaWJurKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAByMK38", - "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJS8vDNLCt0DHEKS4xICvNJqzQ1MjOyyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaWJurKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAByMK38\",\"auditType\":\"Remediation Incident Adjustment\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T15:38:05+0000\",\"eventInfo\":\"Restore Remediation Incident Created - TR-C46A75-01419-R, type : restore, search criteria : {\\\"unremediateCode\\\":\\\"TR-C46A75-01419-M\\\",\\\"from\\\":\\\"gmail.com\\\",\\\"start\\\":\\\"2021-10-10T15:33:49+0000\\\",\\\"end\\\":\\\"2021-10-12T15:33:49+0000\\\"}, Date: 2021-10-12, Time: 15:38:05+0000, IP: 67.43.156.15, Application: Administration Console\",\"category\":\"account_logs\"}", - "type": "type : restore" + "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJS8vDNLCt0DHEKS4xICvNJqzQ1MjOyyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaWJurKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAByMK38\",\"auditType\":\"Remediation Incident Adjustment\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T15:38:05+0000\",\"eventInfo\":\"Restore Remediation Incident Created - TR-C46A75-01419-R, type : restore, search criteria : {\\\"unremediateCode\\\":\\\"TR-C46A75-01419-M\\\",\\\"from\\\":\\\"gmail.com\\\",\\\"start\\\":\\\"2021-10-10T15:33:49+0000\\\",\\\"end\\\":\\\"2021-10-12T15:33:49+0000\\\"}, Date: 2021-10-12, Time: 15:38:05+0000, IP: 67.43.156.15, Application: Administration Console\",\"category\":\"account_logs\"}" }, "mimecast": { "application": "Administration Console", 
@@ -1208,6 +1211,107 @@ "email": "johndoe@example.com", "name": "johndoe" } + }, + { + "@timestamp": "2021-10-12T08:47:55.000Z", + "client": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + "ip": "67.43.156.15" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "logon-authentication-failed", + "created": "2022-01-11T22:54:04.000Z", + "id": "eNqrVipOTS4tSs1MUbJSMvCrMHX2MzL1yLFITjJNd8rO9wiJyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaGRkoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAPktKzg", + "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSMvCrMHX2MzL1yLFITjJNd8rO9wiJyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaGRkoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAPktKzg\",\"auditType\":\"Logon Authentication Failed\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T08:47:55+0000\",\"eventInfo\":\"Failed authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2022-01-11, Time: 22:54:04 GMT, IP: 67.43.156.15, Application: POP-POP2, Reason: Account Locked\",\"category\":\"authentication_logs\"}", + "reason": "Account Locked" + }, + "mimecast": { + "application": "POP-POP2", + "category": "authentication_logs", + "eventInfo": "Failed authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2022-01-11, Time: 22:54:04 GMT, IP: 67.43.156.15, Application: POP-POP2, Reason: Account Locked" + }, + "related": { + "ip": [ + "67.43.156.15" + ], + "user": [ + "johndoe", + "johndoe@example.com" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "example.com", + "email": "johndoe@example.com", + "name": "johndoe" + } + }, + { + "@timestamp": "2021-10-12T08:47:55.000Z", + "client": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": 
"Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + "ip": "67.43.156.15" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "logon-authentication-failed", + "created": "2022-01-11T21:48:01.000Z", + "id": "eNqrVipOTS4tSs1MUbJSMvCrMHX2MzL1yLFITjJNd8rO9wiJyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaGRkoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAPktKzg", + "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSMvCrMHX2MzL1yLFITjJNd8rO9wiJyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaGRkoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAPktKzg\",\"auditType\":\"Logon Authentication Failed\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T08:47:55+0000\",\"eventInfo\":\"Failed authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2022-01-11, Time: 21:48:01 GMT, IP: 67.43.156.15, Application: POP-POP2, Method: Cloud, Reason: Wrong Password\",\"category\":\"authentication_logs\"}", + "reason": "Wrong Password" + }, + "mimecast": { + "application": "POP-POP2", + "category": "authentication_logs", + "eventInfo": "Failed authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2022-01-11, Time: 21:48:01 GMT, IP: 67.43.156.15, Application: POP-POP2, Method: Cloud, Reason: Wrong Password", + "method": "Cloud" + }, + "related": { + "ip": [ + "67.43.156.15" + ], + "user": [ + "johndoe", + "johndoe@example.com" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "example.com", + "email": "johndoe@example.com", + "name": "johndoe" + } } ] } \ No newline at end of file diff --git a/packages/mimecast/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml b/packages/mimecast/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml index 660c0ee91a3..3f4c32f1ef4 100644 --- a/packages/mimecast/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml 
+++ b/packages/mimecast/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml @@ -4,7 +4,7 @@ processors: # # Generic event/ecs fields we always want to populate - set: field: ecs.version - value: "1.12.0" + value: "8.0.0" - rename: field: message target_field: event.original @@ -19,7 +19,15 @@ processors: field: mimecast.eventTime timezone: UTC formats: - - yyyy-MM-dd'T'HH:mm:ssZ + - "yyyy-MM-dd'T'HH:mm:ssz" + - "yyyy-MM-dd'T'HH:mm:ssZ" + - "yyyy-MM-dd'T'HH:mm:ss.Sz" + - "yyyy-MM-dd'T'HH:mm:ss.SZ" + - "yyyy-MM-dd'T'HH:mm:ss.SSz" + - "yyyy-MM-dd'T'HH:mm:ss.SSZ" + - "yyyy-MM-dd'T'HH:mm:ss.SSSz" + - "yyyy-MM-dd'T'HH:mm:ss.SSSZ" + - "yyyy-MM-dd'T'HH:mm:ss z" ### 
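Review bot: The enumerated `formats` list for `mimecast.eventTime` only covers `+0000`-style offsets: in the Java pattern letters the date processor uses, `Z` matches `+0000` but not `+00:00` or a literal `Z` designator, and `z` matches zone names, so an upstream switch to either common ISO form would fail the date parse. Unless the date processor carries an `on_failure` handler outside the hunk, that parse failure fails the whole document. Appending the built-in fallback `- ISO8601` at the end of the list accepts those variants as well as the fractional-second forms listed above, and could likely replace most of the explicit patterns. The `- date:` processor line and any `target_field`/`on_failure` keys are outside the hunk.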
@@ -52,55 +60,85 @@ processors: # Here we want to add as much categorization information as possible # We can do this by parsing mimecast.eventInfo differently based on # what event.action is, etc. - ### - - dissect: - field: mimecast.eventInfo - pattern: "%{mimecast.filename}, %{?key}: %{mimecast.date}, %{?key}: %{mimecast.time}, %{?key}: %{client.ip}, %{?key}: %{mimecast.application}" - if: 'ctx?.event?.action == "threat-intel-feed-download" || ctx?.event?.action == "existing-archive-task-changed" || ctx?.event?.action == "case-action" || ctx?.event?.action == "user-logged-on" || ctx?.event?.action == "logon-requires-challenge"' - - dissect: - field: mimecast.eventInfo - pattern: "%{mimecast.info}, %{event.type}, %{mimecast.search}, %{?key}: %{mimecast.date}, %{?key}: %{mimecast.time}, %{?key}: %{client.ip}, %{?key}: %{mimecast.application}" - if: 'ctx?.event?.action == "remediation-incident-adjustment"' - - dissect: - field: mimecast.eventInfo - pattern: "%{mimecast.info}, %{mimecast.type}, %{?key}: %{mimecast.date}, %{?key}: %{mimecast.time}, %{?key}: %{client.ip}, %{?key}: %{mimecast.application}" - if: 'ctx?.event?.action == "review-set-action"' - - dissect: - field: mimecast.eventInfo - pattern: "%{mimecast.info}, %{?key}: %{mimecast.date}, %{?key}: %{mimecast.time}, %{?key}: %{client.ip}, %{?key}: %{mimecast.application}" - if: 'ctx?.event?.action == "archive-mailbox-export-download" || ctx?.event?.action == "archive-mailbox-restore"' #logon-authentication-failed - - dissect: - field: mimecast.eventInfo - pattern: "%{mimecast.info}, %{mimecast.description}, %{mimecast.product}, %{mimecast.provider}, %{?key}: %{mimecast.date}, %{?key}: %{mimecast.time}, %{?key}: %{client.ip}, %{?key}: %{mimecast.application}" - if: 'ctx?.event?.action == "connectors-management"' + ### - dissect: field: mimecast.eventInfo - pattern: "%{mimecast.info}, %{mimecast.criteria}, %{?key}: %{mimecast.date}, %{?key}: %{mimecast.time}, %{?key}: %{client.ip}, %{?key}: 
%{mimecast.application}" - if: 'ctx?.event?.action == "search-action"' - - dissect: - field: mimecast.eventInfo - pattern: "%{mimecast.info}, %{?key}: <%{mimecast.name.from}> %{email.from.address}, %{?key}: <%{mimecast.name.to}> %{email.to.address}, %{?key}: %{email.subject}, %{?key}: %{email.origination_timestamp}, %{?key}: %{mimecast.viewed}, %{?key}: %{mimecast.date}, %{?key}: %{mimecast.time}, %{?key}: %{client.ip}, %{?key}: %{mimecast.application}" - if: 'ctx?.event?.action == "message-action"' - - dissect: - field: mimecast.eventInfo - pattern: "%{mimecast.info}, %{?key}: %{mimecast.date}, %{?key}: %{mimecast.time}, %{?key}: %{client.ip}, %{?key}: %{mimecast.application}, %{mimecast.application_method}, %{event.reason}" + pattern: "%{mimecast.info}, %{?key}:%{mimecast.email.address}[%{mimecast.email.metadata}] %{?key}: %{client.ip} %{?key}: %{mimecast.application}" if: 'ctx?.event?.action=="logon-authentication-failed"' ignore_missing: true ignore_failure: true - dissect: field: mimecast.eventInfo - pattern: "%{mimecast.info}, %{?key}:%{mimecast.email.address}[%{mimecast.email.metadata}] %{?key}: %{client.ip} %{?key}: %{mimecast.application}" - if: 'ctx?.event?.action=="logon-authentication-failed"' + pattern: "%{mimecast.info}, %{mimecast.rest_of_event_info}" + if: 'ctx.mimecast?.info == null' ignore_missing: true ignore_failure: true - dissect: - field: mimecast.eventInfo - pattern: "%{?drop->} - %{mimecast.info}<%{user.email}> %{?key}: %{mimecast.date} %{?key}: %{mimecast.time} %{mimecast.timezone} %{?key}: %{client.ip} %{?key}: %{mimecast.application}" - if: 'ctx?.event?.action=="folder-log-entry" || ctx?.event?.action=="custom-report-definition-created"' + field: mimecast.eventInfo + pattern: "%{?drop->} - %{mimecast.info}<%{user.email}> %{?key}: %{mimecast.date} %{?key}: %{mimecast.time} %{mimecast.timezone} %{?key}: %{client.ip} %{?key}: %{mimecast.application}" + if: 'ctx?.event?.action=="folder-log-entry" || 
ctx?.event?.action=="custom-report-definition-created" || ctx?.event?.action=="mimecast-support-login"' + ignore_missing: true + ignore_failure: true + - kv: + field: mimecast.rest_of_event_info + field_split: ", " + value_split: ": " + target_field: mimecast.event_info_parts + ignore_failure: true + ignore_missing: true + - rename: + field: mimecast.event_info_parts.Date + target_field: mimecast.date + ignore_missing: true + - rename: + field: mimecast.event_info_parts.Time + target_field: mimecast.time + ignore_missing: true + - rename: + field: mimecast.event_info_parts.IP + target_field: client.ip + ignore_missing: true + - rename: + field: mimecast.event_info_parts.Application + target_field: mimecast.application + ignore_missing: true + - rename: + field: mimecast.event_info_parts.Method + target_field: mimecast.method + ignore_missing: true + - rename: + field: mimecast.event_info_parts.Reason + target_field: event.reason + ignore_missing: true + - rename: + field: mimecast.info + target_field: mimecast.filename + ignore_missing: true + if: 'ctx?.event?.action == "threat-intel-feed-download"' + - rename: + field: mimecast.event_info_parts.Processed + target_field: email.origination_timestamp + ignore_missing: true + - rename: + field: mimecast.event_info_parts.Subject + target_field: email.subject + ignore_missing: true + - rename: + field: mimecast.event_info_parts.2FA + target_field: mimecast.2FA + ignore_missing: true - dissect: - field: mimecast.eventInfo - pattern: "%{?drop->} - %{mimecast.info}. 
%{mimecast.byuser}<%{user.email}> %{?key}: %{mimecast.date} %{?key}: %{mimecast.time} %{mimecast.timezone} %{?key}: %{client.ip} %{?key}: %{mimecast.application}" - if: 'ctx?.event?.action=="mimecast-support-login"' + field: mimecast.event_info_parts.From + pattern: "<%{?drop}> %{email.from.address}" + if: 'ctx?.event?.action=="message-action"' + ignore_missing: true + ignore_failure: true + - dissect: + field: mimecast.event_info_parts.To + pattern: "<%{?drop}> %{email.to.address}" + if: 'ctx?.event?.action=="message-action"' + ignore_missing: true + ignore_failure: true - dissect: field: mimecast.eventInfo pattern: "[%{?key} : %{mimecast.export_type},%{?key} :%{mimecast.export_name},%{?key} :%{user.email},%{?key} :%{mimecast.weekday} %{mimecast.month} %{mimecast.monthday} %{mimecast.time} %{mimecast.timezone} %{mimecast.year},%{?key} :%{client.ip},%{?key} :%{mimecast.columns_exported},%{?key} : %{file.name},%{?key}: %{file.size},%{?key} : %{file.extension}], %{?key}: %{mimecast.date}, %{?key}: %{mimecast.time}, %{?key}: %{client.ip}, %{?key}: %{mimecast.application}" @@ -149,6 +187,15 @@ processors: - yyyy-MM-dd HH:mm:ssZ - yyyy-MM-dd HH:mm:ss z - yyyy-MM-dd HH:mm:ss + - yyyy-MM-dd'T'HH:mm:ssz + - yyyy-MM-dd'T'HH:mm:ssZ + - yyyy-MM-dd'T'HH:mm:ss.Sz + - yyyy-MM-dd'T'HH:mm:ss.SZ + - yyyy-MM-dd'T'HH:mm:ss.SSz + - yyyy-MM-dd'T'HH:mm:ss.SSZ + - yyyy-MM-dd'T'HH:mm:ss.SSSz + - yyyy-MM-dd'T'HH:mm:ss.SSSZ + - yyyy-MM-dd'T'HH:mm:ss z if: 'ctx?.event?.created != null' - geoip: field: client.ip @@ -202,11 +249,7 @@ processors: - mimecast.provider - mimecast.filename - mimecast.criteria - - mimecast.aplication_method - - mimecast.name.to - - mimecast.name.from - mimecast.viewed - - mimecast.application_method - mimecast.timezone - mimecast.byuser - mimecast.export_type 
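Review bot: The generic `kv` step added after the `%{mimecast.info}, %{mimecast.rest_of_event_info}` dissect extracts nothing whenever one comma-separated segment of the remainder is free text without `: ` (for example `Case - GDPR/CCPA` in a search-action event): the processor most likely rejects the whole field rather than skipping that segment, and `ignore_failure: true` then hides it, so Date, Time, IP and Application are never populated. The updated `sample_event.json` at `@@ -1,30 +1,12 @@` shows exactly this: its `eventInfo` still carries `IP: 8.8.8.8, Application: mimecast-case-review`, yet `client.ip`, `related.ip` and `mimecast.application` disappear from the document, losing the source address of an administrative audit action that the per-action dissect patterns removed here were meant to capture. I would replace the `kv` step with a small Painless `script` that keeps only segments containing `: ` (below) and leave the following `rename` steps as they are; the `if: 'ctx.mimecast?.info == null'` guard also mixes styles with the surrounding `ctx?.event?.action` guards. The pipeline's `processors` list begins and ends outside this hunk.
```yaml
  - script:
      lang: painless
      if: 'ctx.mimecast?.rest_of_event_info != null'
      source: |
        def parts = new HashMap();
        for (def seg : ctx.mimecast.rest_of_event_info.splitOnToken(", ")) {
          int i = seg.indexOf(": ");
          if (i > 0) {
            parts[seg.substring(0, i)] = seg.substring(i + 2);
          }
        }
        ctx.mimecast.event_info_parts = parts;
  # … unchanged: rename steps for Date/Time/IP/Application/Method/Reason …
```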
@@ -218,6 +261,9 @@ processors: - mimecast.columns_exported - mimecast.as.asn - mimecast.organization_name + - mimecast.event_info_parts + - mimecast.rest_of_event_info + ignore_missing: true - remove: description: Remove 'event.original' if 'preserve_original_event' is not set. diff --git a/packages/mimecast/data_stream/audit_events/fields/field.yml b/packages/mimecast/data_stream/audit_events/fields/field.yml index be7e5f2a870..201f678ce13 100644 --- a/packages/mimecast/data_stream/audit_events/fields/field.yml +++ b/packages/mimecast/data_stream/audit_events/fields/field.yml @@ -16,3 +16,9 @@ - name: email.address type: keyword description: Email address from event info. + - name: method + type: keyword + description: Method which triggers audit events. + - name: 2FA + type: keyword + description: Info about two-factor authentication. diff --git a/packages/mimecast/data_stream/audit_events/sample_event.json b/packages/mimecast/data_stream/audit_events/sample_event.json index 473cd0af7f3..0790fcddb71 100644 --- a/packages/mimecast/data_stream/audit_events/sample_event.json +++ b/packages/mimecast/data_stream/audit_events/sample_event.json @@ -1,30 +1,12 @@ { "@timestamp": "2021-11-16T12:01:37.000Z", "agent": { - "ephemeral_id": "57841034-22ed-4fcd-bcfd-0a9518249e2d", + "ephemeral_id": "fa35babb-45a8-4537-b7e9-037256a9d3e5", "hostname": "docker-fleet-agent", - "id": "eb7f38a3-c00c-4d87-9c69-fddb3d650fab", + "id": "1e76e2b6-7664-4905-9a0b-11e1d4dc6fa9", "name": "docker-fleet-agent", "type": "filebeat", - "version": "7.16.0" - }, - "client": { - "as": { - "number": 15169, - "organization": { - "name": "Google LLC" - } - }, - "geo": { - "continent_name": "North America", - "country_iso_code": "US", - "country_name": "United States", - "location": { - "lat": 37.751, - "lon": -97.822 - } - }, - "ip": "8.8.8.8" + "version": "7.17.0" }, "data_stream": { "dataset": "mimecast.audit_events", 
@@ -32,34 +14,30 @@ "type": "logs" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "elastic_agent": { - "id": "eb7f38a3-c00c-4d87-9c69-fddb3d650fab", - "snapshot": true, - "version": "7.16.0" + "id": "1e76e2b6-7664-4905-9a0b-11e1d4dc6fa9", + "snapshot": false, + "version": "7.17.0" }, "event": { - "action": "case-action", + "action": "search-action", "agent_id_status": "verified", - "created": "2021-11-16T12:01:37.000Z", + "created": "2022-02-22T15:33:36.764Z", "dataset": "mimecast.audit_events", - "id": "eNqrVipOTS4tSs1MUbJSskwzjDIMyDRKLinNSEl1c0pOqXLJyQlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWFsYmhkrqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAE_sLAI", - "ingested": "2021-11-24T15:39:11Z", - "original": "{\"auditType\":\"Case Action\",\"category\":\"case_review_logs\",\"eventInfo\":\"Viewed Case - Case: GDPR/CCPA, Date: 2021-11-16, Time: 12:01:37+0000, IP: 8.8.8.8, Application: mimecast-case-review\",\"eventTime\":\"2021-11-16T12:01:37+0000\",\"id\":\"eNqrVipOTS4tSs1MUbJSskwzjDIMyDRKLinNSEl1c0pOqXLJyQlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWFsYmhkrqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAE_sLAI\",\"user\":\"johndoe@example.com\"}" + "id": "eNqrVipOTS4tSs1MUbJSSg_xMDJPNkisSDdISQ00j0gzz44wDAtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWFsYmhkoaOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAAjKK1o", + "ingested": "2022-02-22T15:33:37Z", + "original": "{\"auditType\":\"Search Action\",\"category\":\"case_review_logs\",\"eventInfo\":\"Inspected Review Set Messages - Source: Review Set - Supervision - hot words, Case - GDPR/CCPA, Message Status: Pending, Date: 2021-11-16, Time: 12:01:37+0000, IP: 8.8.8.8, Application: 
mimecast-case-review\",\"eventTime\":\"2021-11-16T12:01:37+0000\",\"id\":\"eNqrVipOTS4tSs1MUbJSSg_xMDJPNkisSDdISQ00j0gzz44wDAtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWFsYmhkoaOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAAjKK1o\",\"user\":\"johndoe@example.com\"}" }, "input": { "type": "httpjson" }, "mimecast": { - "application": "mimecast-case-review", "category": "case_review_logs", - "eventInfo": "Viewed Case - Case: GDPR/CCPA, Date: 2021-11-16, Time: 12:01:37+0000, IP: 8.8.8.8, Application: mimecast-case-review" + "eventInfo": "Inspected Review Set Messages - Source: Review Set - Supervision - hot words, Case - GDPR/CCPA, Message Status: Pending, Date: 2021-11-16, Time: 12:01:37+0000, IP: 8.8.8.8, Application: mimecast-case-review" }, "related": { - "ip": [ - "8.8.8.8" - ], "user": [ "johndoe", "johndoe@example.com" diff --git a/packages/mimecast/data_stream/dlp_logs/_dev/test/pipeline/test-dlp-logs.log-expected.json b/packages/mimecast/data_stream/dlp_logs/_dev/test/pipeline/test-dlp-logs.log-expected.json index 9b4d7b4b982..b85334758a1 100644 --- a/packages/mimecast/data_stream/dlp_logs/_dev/test/pipeline/test-dlp-logs.log-expected.json +++ b/packages/mimecast/data_stream/dlp_logs/_dev/test/pipeline/test-dlp-logs.log-expected.json @@ -3,7 +3,7 @@ { "@timestamp": "2021-10-15T20:41:25.000Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "email": { "direction": "inbound", @@ -31,7 +31,7 @@ { "@timestamp": "2021-10-15T20:41:25.000Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "email": { "direction": "inbound", @@ -59,7 +59,7 @@ { "@timestamp": "2021-10-15T20:41:22.000Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "email": { "direction": "inbound", @@ -87,7 +87,7 @@ { "@timestamp": "2021-10-15T20:41:22.000Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "email": { "direction": "inbound", 
@@ -115,7 +115,7 @@ { "@timestamp": "2021-10-15T20:41:21.000Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "email": { "direction": "inbound", @@ -143,7 +143,7 @@ { "@timestamp": "2021-10-15T20:41:21.000Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "email": { "direction": "inbound", @@ -171,7 +171,7 @@ { "@timestamp": "2021-10-15T20:41:19.000Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "email": { "direction": "inbound", @@ -199,7 +199,7 @@ { "@timestamp": "2021-10-15T20:41:19.000Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "email": { "direction": "inbound", @@ -227,7 +227,7 @@ { "@timestamp": "2021-10-15T20:41:17.000Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "email": { "direction": "inbound", @@ -255,7 +255,7 @@ { "@timestamp": "2021-10-15T20:41:17.000Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "email": { "direction": "inbound", diff --git a/packages/mimecast/data_stream/dlp_logs/elasticsearch/ingest_pipeline/default.yml b/packages/mimecast/data_stream/dlp_logs/elasticsearch/ingest_pipeline/default.yml index c8b887e596e..3d3ea2ed289 100644 --- a/packages/mimecast/data_stream/dlp_logs/elasticsearch/ingest_pipeline/default.yml +++ b/packages/mimecast/data_stream/dlp_logs/elasticsearch/ingest_pipeline/default.yml @@ -4,7 +4,7 @@ processors: # Generic event/ecs fields we always want to populated - set: field: ecs.version - value: "1.12.0" + value: "8.0.0" - rename: field: message target_field: event.original diff --git a/packages/mimecast/data_stream/dlp_logs/sample_event.json b/packages/mimecast/data_stream/dlp_logs/sample_event.json index 88b952d6767..ed66b44bab2 100644 --- a/packages/mimecast/data_stream/dlp_logs/sample_event.json +++ b/packages/mimecast/data_stream/dlp_logs/sample_event.json 
@@ -1,12 +1,12 @@ { "@timestamp": "2021-11-18T21:41:18.000Z", "agent": { - "ephemeral_id": "1aef981f-3448-4d12-bd5a-723ac1cdcc81", + "ephemeral_id": "351662e4-0671-45fc-978c-613243b6b7fe", "hostname": "docker-fleet-agent", - "id": "eb7f38a3-c00c-4d87-9c69-fddb3d650fab", + "id": "1e76e2b6-7664-4905-9a0b-11e1d4dc6fa9", "name": "docker-fleet-agent", "type": "filebeat", - "version": "7.16.0" + "version": "7.17.0" }, "data_stream": { "dataset": "mimecast.dlp_logs", @@ -14,12 +14,12 @@ "type": "logs" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "elastic_agent": { - "id": "eb7f38a3-c00c-4d87-9c69-fddb3d650fab", - "snapshot": true, - "version": "7.16.0" + "id": "1e76e2b6-7664-4905-9a0b-11e1d4dc6fa9", + "snapshot": false, + "version": "7.17.0" }, "email": { "direction": "inbound", @@ -37,7 +37,7 @@ "agent_id_status": "verified", "created": "2021-11-18T21:41:18+0000", "dataset": "mimecast.dlp_logs", - "ingested": "2021-11-24T15:39:49Z", + "ingested": "2022-02-22T15:34:19Z", "original": "{\"action\":\"notification\",\"eventTime\":\"2021-11-18T21:41:18+0000\",\"messageId\":\"\\u003c20211118214115.B346F10021D@mail.emailsec.ninja\\u003e\",\"policy\":\"Content Inspection - Watermark\",\"recipientAddress\":\"johndoe@example.com\",\"route\":\"inbound\",\"senderAddress\":\"\\u003c\\u003e\",\"subject\":\"Undelivered Mail Returned to Sender\"}" }, "input": { diff --git a/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-logs.log-expected.json b/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-logs.log-expected.json index 2495457b799..edda7ab9aea 100644 --- a/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-logs.log-expected.json +++ b/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-logs.log-expected.json @@ -3,7 +3,7 @@ { "@timestamp": "2021-10-18T08:02:43.000Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "email": { "attachments": { 
@@ -38,7 +38,7 @@ { "@timestamp": "2021-10-19T06:06:40.000Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "email": { "attachments": { @@ -91,7 +91,7 @@ { "@timestamp": "2021-10-19T06:04:55.000Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "email": { "attachments": { @@ -125,7 +125,7 @@ { "@timestamp": "2021-10-19T06:04:55.000Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "email": { "attachments": { @@ -170,7 +170,7 @@ { "@timestamp": "2021-11-08T12:09:18.000Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "email": { "direction": "Internal", @@ -200,7 +200,7 @@ { "@timestamp": "2021-11-08T12:10:19.000Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "email": { "direction": "Internal", @@ -235,7 +235,7 @@ { "@timestamp": "2021-11-29T15:13:58.000Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "email": { "direction": "inbound", diff --git a/packages/mimecast/data_stream/siem_logs/elasticsearch/ingest_pipeline/default.yml b/packages/mimecast/data_stream/siem_logs/elasticsearch/ingest_pipeline/default.yml index 88766e31edc..77f82f98c88 100644 --- a/packages/mimecast/data_stream/siem_logs/elasticsearch/ingest_pipeline/default.yml +++ b/packages/mimecast/data_stream/siem_logs/elasticsearch/ingest_pipeline/default.yml @@ -4,7 +4,7 @@ processors: # Generic event/ecs fields we always want to populated - set: field: ecs.version - value: "1.12.0" + value: "8.0.0" - rename: field: message target_field: event.original diff --git a/packages/mimecast/data_stream/siem_logs/sample_event.json b/packages/mimecast/data_stream/siem_logs/sample_event.json index 01ef03c371e..7b72a41118c 100644 --- a/packages/mimecast/data_stream/siem_logs/sample_event.json +++ b/packages/mimecast/data_stream/siem_logs/sample_event.json 
@@ -1,36 +1,56 @@ { - "@timestamp": "2021-10-18T08:02:43.000Z", + "@timestamp": "2021-11-12T12:15:46.000Z", + "agent": { + "ephemeral_id": "d60af43e-84dc-4f3b-b6c9-7616ac605053", + "hostname": "docker-fleet-agent", + "id": "1e76e2b6-7664-4905-9a0b-11e1d4dc6fa9", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "data_stream": { + "dataset": "mimecast.siem_logs", + "namespace": "ep", + "type": "logs" + }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, - "event": { - "reason": "Spm", - "action": "Hld", - "ingested": "2021-11-25T11:34:11.459620200Z", - "original": "{\"Act\":\"Hld\",\"AttCnt\":0,\"AttNames\":null,\"AttSize\":0,\"Content-Disposition\":\"attachment; filename=\\\"process_20211018093329655.json\\\"\",\"Hld\":\"Spm\",\"MsgId\":\"\\u003cINX.164dae0719be95da77068c7d264.3e915.e7719.c78c.17c926a3231ace@newsletter.77onlineshop.eu\\u003e\",\"MsgSize\":157436,\"Sender\":\"bounce_9244+cdaahhimyaaaaagaad5ekqaaaaaaaaeribenpq@newsletter.77onlineshop.eu\",\"Subject\":\"Hi Sandra! Neue Styles eingetroffen! – Finde deinen Lieblings-Look!\",\"aCode\":\"HhuwRf_AOcuJZINE2ZgcKw\",\"acc\":\"ABC123\",\"datetime\":\"2021-10-18T09:02:43+0100\"}", - "created": "2021-10-18T09:02:43+0100", - "outcome": "unknown" + "elastic_agent": { + "id": "1e76e2b6-7664-4905-9a0b-11e1d4dc6fa9", + "snapshot": false, + "version": "7.17.0" }, "email": { - "message_id": "\u003cINX.164dae0719be95da77068c7d264.3e915.e7719.c78c.17c926a3231ace@newsletter.77onlineshop.eu\u003e", + "direction": "Internal", "from": { - "address": "bounce_9244+cdaahhimyaaaaagaad5ekqaaaaaaaaeribenpq@newsletter.77onlineshop.eu" - }, - "attachments": { - "file": { - "size": 0 - } + "address": "johndoe@example.com" }, - "local_id": "HhuwRf_AOcuJZINE2ZgcKw", - "subject": "Hi Sandra! Neue Styles eingetroffen! 
– Finde deinen Lieblings-Look!", - "message_size": 157436 + "local_id": "fjihpfEgM_iRwemxhe3t_w", + "to": { + "address": "o365_service_account@example.com" + } + }, + "event": { + "agent_id_status": "verified", + "created": "2021-11-12T12:15:46+0000", + "dataset": "mimecast.siem_logs", + "ingested": "2022-02-22T15:34:56Z", + "original": "{\"Dir\":\"Internal\",\"Rcpt\":\"o365_service_account@example.com\",\"RcptActType\":\"Jnl\",\"RcptHdrType\":\"Unknown\",\"Sender\":\"johndoe@example.com\",\"aCode\":\"fjihpfEgM_iRwemxhe3t_w\",\"acc\":\"ABC123\",\"datetime\":\"2021-11-12T12:15:46+0000\"}", + "outcome": "unknown" + }, + "input": { + "type": "httpjson" }, - "tags": [ - "preserve_original_event" - ], "mimecast": { + "RcptActType": "Jnl", + "RcptHdrType": "Unknown", "acc": "ABC123", - "log_type": "process", - "AttCnt": 0 - } + "log_type": "" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "mimecast-siem-logs" + ] } \ No newline at end of file diff --git a/packages/mimecast/data_stream/threat_intel_malware_customer/_dev/test/pipeline/test-threat-intel-malware-customer.log-expected.json b/packages/mimecast/data_stream/threat_intel_malware_customer/_dev/test/pipeline/test-threat-intel-malware-customer.log-expected.json index 6340ded082e..87a8c644373 100644 --- a/packages/mimecast/data_stream/threat_intel_malware_customer/_dev/test/pipeline/test-threat-intel-malware-customer.log-expected.json +++ b/packages/mimecast/data_stream/threat_intel_malware_customer/_dev/test/pipeline/test-threat-intel-malware-customer.log-expected.json @@ -4,7 +4,7 @@ { "@timestamp": "2021-10-29T15:07:26.653Z", "ecs": { - "version": "1.12" + "version": "8.0.0" }, "event": { "category": "threat", @@ -48,7 +48,7 @@ { "@timestamp": "2021-10-29T15:07:22.595Z", "ecs": { - "version": "1.12" + "version": "8.0.0" }, "event": { "category": "threat", 
@@ -92,7 +92,7 @@ { "@timestamp": "2021-10-29T15:07:17.538Z", "ecs": { - "version": "1.12" + "version": "8.0.0" }, "event": { "category": "threat", @@ -136,7 +136,7 @@ { "@timestamp": "2021-10-29T15:07:14.044Z", "ecs": { - "version": "1.12" + "version": "8.0.0" }, "event": { "category": "threat", @@ -180,7 +180,7 @@ { "@timestamp": "2021-10-29T15:07:07.295Z", "ecs": { - "version": "1.12" + "version": "8.0.0" }, "event": { "category": "threat", @@ -224,7 +224,7 @@ { "@timestamp": "2021-10-29T15:07:00.555Z", "ecs": { - "version": "1.12" + "version": "8.0.0" }, "event": { "category": "threat", @@ -268,7 +268,7 @@ { "@timestamp": "2021-10-29T15:07:00.259Z", "ecs": { - "version": "1.12" + "version": "8.0.0" }, "event": { "category": "threat", diff --git a/packages/mimecast/data_stream/threat_intel_malware_customer/elasticsearch/ingest_pipeline/default.yml b/packages/mimecast/data_stream/threat_intel_malware_customer/elasticsearch/ingest_pipeline/default.yml index 6ad7bbc4bd5..4f43e923e13 100644 --- a/packages/mimecast/data_stream/threat_intel_malware_customer/elasticsearch/ingest_pipeline/default.yml +++ b/packages/mimecast/data_stream/threat_intel_malware_customer/elasticsearch/ingest_pipeline/default.yml @@ -6,7 +6,7 @@ processors: #################### - set: field: ecs.version - value: "1.12" + value: "8.0.0" - set: field: event.kind value: enrichment diff --git a/packages/mimecast/data_stream/threat_intel_malware_customer/sample_event.json b/packages/mimecast/data_stream/threat_intel_malware_customer/sample_event.json index 7627d4d8cde..f2171989640 100644 --- a/packages/mimecast/data_stream/threat_intel_malware_customer/sample_event.json +++ b/packages/mimecast/data_stream/threat_intel_malware_customer/sample_event.json 
@@ -1,41 +1,68 @@ { - "@timestamp": "2021-10-29T15:07:26.653Z", + "@timestamp": "2021-11-19T01:28:37.099Z", + "agent": { + "ephemeral_id": "ed2b1a30-7f2d-4dee-a2c1-2d8cf54981ef", + "hostname": "docker-fleet-agent", + "id": "1e76e2b6-7664-4905-9a0b-11e1d4dc6fa9", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "data_stream": { + "dataset": "mimecast.threat_intel_malware_customer", + "namespace": "ep", + "type": "logs" + }, "ecs": { - "version": "1.12" + "version": "8.0.0" + }, + "elastic_agent": { + "id": "1e76e2b6-7664-4905-9a0b-11e1d4dc6fa9", + "snapshot": false, + "version": "7.17.0" + }, + "event": { + "agent_id_status": "verified", + "category": "threat", + "created": "2022-02-22T15:35:42.813Z", + "dataset": "mimecast.threat_intel_malware_customer", + "ingested": "2022-02-22T15:35:43Z", + "kind": "enrichment", + "original": "{\"created\":\"2021-11-19T01:28:37.099Z\",\"id\":\"indicator--456ac916-4c4e-43be-b7a9-6678f6a845cd\",\"labels\":[\"malicious-activity\"],\"modified\":\"2021-11-19T01:28:37.099Z\",\"pattern\":\"[file:hashes.'SHA-256' = 'ec5a6c52acdc187fc6c1187f14cd685c686c2b283503a023c4a9d3a977b491be']\",\"type\":\"indicator\",\"valid_from\":\"2021-11-19T01:28:37.099Z\"}", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "mimecast": { + "id": "indicator--456ac916-4c4e-43be-b7a9-6678f6a845cd", + "labels": [ + "malicious-activity" + ], + "pattern": "[file:hashes.'SHA-256' = 'ec5a6c52acdc187fc6c1187f14cd685c686c2b283503a023c4a9d3a977b491be']", + "type": "indicator" }, "related": { - "hash": "c20d551424f2df6312f7fa700ed97cd199c3d5c8a0f4dfd683627f18913096de" + "hash": [ + "ec5a6c52acdc187fc6c1187f14cd685c686c2b283503a023c4a9d3a977b491be" + ] }, + "tags": [ + "preserve_original_event", + "forwarded", + "mimecast-threat-intel-feed-malware-customer", + "malicious-activity" + ], "threat": { "indicator": { - "first_seen": "2021-10-29T15:07:26.653Z", "file": { "hash": { - "sha256": 
"c20d551424f2df6312f7fa700ed97cd199c3d5c8a0f4dfd683627f18913096de" + "sha256": "ec5a6c52acdc187fc6c1187f14cd685c686c2b283503a023c4a9d3a977b491be" } }, - "modified_at": "2021-10-29T15:07:26.653Z", + "first_seen": "2021-11-19T01:28:37.099Z", + "modified_at": "2021-11-19T01:28:37.099Z", "type": "file" } - }, - "event": { - "ingested": "2021-11-17T13:42:34.324885300Z", - "original": "{ \"Content-Disposition\":\"attachment; filename=\\\"malware_customer_stix_20211028161801144.stix\\\"\",\"type\": \"indicator\", \"id\": \"indicator--18c62174-0d31-4653-afe6-d104c57b6b2c\", \"created\": \"2021-10-29T15:07:26.653Z\", \"modified\": \"2021-10-29T15:07:26.653Z\", \"labels\": [ \"malicious-activity\" ], \"pattern\": \"[file:hashes.'SHA-256' = 'c20d551424f2df6312f7fa700ed97cd199c3d5c8a0f4dfd683627f18913096de']\", \"valid_from\": \"2021-10-29T15:07:26.653Z\" }", - "category": "threat", - "type": "indicator", - "kind": "enrichment" - }, - "tags": [ - "preserve_original_event", - "malicious-activity" - ], - "mimecast": { - "pattern": "[file:hashes.'SHA-256' = 'c20d551424f2df6312f7fa700ed97cd199c3d5c8a0f4dfd683627f18913096de']", - "log_type": "malware_customer", - "id": "indicator--18c62174-0d31-4653-afe6-d104c57b6b2c", - "type": "indicator", - "labels": [ - "malicious-activity" - ] } } \ No newline at end of file diff --git a/packages/mimecast/data_stream/threat_intel_malware_grid/_dev/test/pipeline/test-threat-intel-malware-grid.log-expected.json b/packages/mimecast/data_stream/threat_intel_malware_grid/_dev/test/pipeline/test-threat-intel-malware-grid.log-expected.json index ca72d64d8f6..f76cea121c4 100644 --- a/packages/mimecast/data_stream/threat_intel_malware_grid/_dev/test/pipeline/test-threat-intel-malware-grid.log-expected.json +++ b/packages/mimecast/data_stream/threat_intel_malware_grid/_dev/test/pipeline/test-threat-intel-malware-grid.log-expected.json 
@@ -4,7 +4,7 @@ { "@timestamp": "2021-10-29T15:07:26.653Z", "ecs": { - "version": "1.12" + "version": "8.0.0" }, "event": { "category": "threat", @@ -48,7 +48,7 @@ { "@timestamp": "2021-10-29T15:07:22.595Z", "ecs": { - "version": "1.12" + "version": "8.0.0" }, "event": { "category": "threat", @@ -92,7 +92,7 @@ { "@timestamp": "2021-10-29T15:07:17.538Z", "ecs": { - "version": "1.12" + "version": "8.0.0" }, "event": { "category": "threat", @@ -136,7 +136,7 @@ { "@timestamp": "2021-10-29T15:07:14.044Z", "ecs": { - "version": "1.12" + "version": "8.0.0" }, "event": { "category": "threat", @@ -180,7 +180,7 @@ { "@timestamp": "2021-10-29T15:07:07.295Z", "ecs": { - "version": "1.12" + "version": "8.0.0" }, "event": { "category": "threat", @@ -224,7 +224,7 @@ { "@timestamp": "2021-10-29T15:07:00.555Z", "ecs": { - "version": "1.12" + "version": "8.0.0" }, "event": { "category": "threat", @@ -268,7 +268,7 @@ { "@timestamp": "2021-10-29T15:07:00.259Z", "ecs": { - "version": "1.12" + "version": "8.0.0" }, "event": { "category": "threat", diff --git a/packages/mimecast/data_stream/threat_intel_malware_grid/elasticsearch/ingest_pipeline/default.yml b/packages/mimecast/data_stream/threat_intel_malware_grid/elasticsearch/ingest_pipeline/default.yml index 16d618c6c19..13f140e554f 100644 --- a/packages/mimecast/data_stream/threat_intel_malware_grid/elasticsearch/ingest_pipeline/default.yml +++ b/packages/mimecast/data_stream/threat_intel_malware_grid/elasticsearch/ingest_pipeline/default.yml @@ -6,7 +6,7 @@ processors: #################### - set: field: ecs.version - value: "1.12" + value: "8.0.0" - set: field: event.kind value: enrichment diff --git a/packages/mimecast/data_stream/threat_intel_malware_grid/sample_event.json b/packages/mimecast/data_stream/threat_intel_malware_grid/sample_event.json index 23becc0e29b..0419ce66ba0 100644 --- a/packages/mimecast/data_stream/threat_intel_malware_grid/sample_event.json 
+++ b/packages/mimecast/data_stream/threat_intel_malware_grid/sample_event.json 
@@ -1,40 +1,68 @@ { - "@timestamp": "2021-10-29T15:07:26.653Z", + "@timestamp": "2021-11-19T01:28:37.099Z", + "agent": { + "ephemeral_id": "1cf099da-bb55-4fba-8b4d-d4cc5a3c3c72", + "hostname": "docker-fleet-agent", + "id": "1e76e2b6-7664-4905-9a0b-11e1d4dc6fa9", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "data_stream": { + "dataset": "mimecast.threat_intel_malware_grid", + "namespace": "ep", + "type": "logs" + }, "ecs": { - "version": "1.12" + "version": "8.0.0" + }, + "elastic_agent": { + "id": "1e76e2b6-7664-4905-9a0b-11e1d4dc6fa9", + "snapshot": false, + "version": "7.17.0" + }, + "event": { + "agent_id_status": "verified", + "category": "threat", + "created": "2022-02-22T15:36:21.369Z", + "dataset": "mimecast.threat_intel_malware_grid", + "ingested": "2022-02-22T15:36:22Z", + "kind": "enrichment", + "original": "{\"created\":\"2021-11-19T01:28:37.099Z\",\"id\":\"indicator--456ac916-4c4e-43be-b7a9-6678f6a845cd\",\"labels\":[\"malicious-activity\"],\"modified\":\"2021-11-19T01:28:37.099Z\",\"pattern\":\"[file:hashes.'SHA-256' = 'ec5a6c52acdc187fc6c1187f14cd685c686c2b283503a023c4a9d3a977b491be']\",\"type\":\"indicator\",\"valid_from\":\"2021-11-19T01:28:37.099Z\"}", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "mimecast": { + "id": "indicator--456ac916-4c4e-43be-b7a9-6678f6a845cd", + "labels": [ + "malicious-activity" + ], + "pattern": "[file:hashes.'SHA-256' = 'ec5a6c52acdc187fc6c1187f14cd685c686c2b283503a023c4a9d3a977b491be']", + "type": "indicator" }, "related": { - "hash": "c20d551424f2df6312f7fa700ed97cd199c3d5c8a0f4dfd683627f18913096de" + "hash": [ + "ec5a6c52acdc187fc6c1187f14cd685c686c2b283503a023c4a9d3a977b491be" + ] }, + "tags": [ + "preserve_original_event", + "forwarded", + "mimecast-threat-intel-feed-malware-grid", + "malicious-activity" + ], "threat": { "indicator": { - "first_seen": "2021-10-29T15:07:26.653Z", "file": { "hash": { - "sha256": 
"c20d551424f2df6312f7fa700ed97cd199c3d5c8a0f4dfd683627f18913096de" + "sha256": "ec5a6c52acdc187fc6c1187f14cd685c686c2b283503a023c4a9d3a977b491be" } }, - "modified_at": "2021-10-29T15:07:26.653Z", + "first_seen": "2021-11-19T01:28:37.099Z", + "modified_at": "2021-11-19T01:28:37.099Z", "type": "file" } - }, - "event": { - "ingested": "2021-11-17T13:42:35.248902200Z", - "original": "{ \"Content-Disposition\":\"attachment; filename=\\\"malware_grid_stix_20211028161801144.stix\\\"\",\"type\": \"indicator\", \"id\": \"indicator--18c62174-0d31-4653-afe6-d104c57b6b2c\", \"created\": \"2021-10-29T15:07:26.653Z\", \"modified\": \"2021-10-29T15:07:26.653Z\", \"labels\": [ \"malicious-activity\" ], \"pattern\": \"[file:hashes.'SHA-256' = 'c20d551424f2df6312f7fa700ed97cd199c3d5c8a0f4dfd683627f18913096de']\", \"valid_from\": \"2021-10-29T15:07:26.653Z\" }", - "category": "threat", - "kind": "enrichment" - }, - "tags": [ - "preserve_original_event", - "malicious-activity" - ], - "mimecast": { - "pattern": "[file:hashes.'SHA-256' = 'c20d551424f2df6312f7fa700ed97cd199c3d5c8a0f4dfd683627f18913096de']", - "log_type": "malware_grid", - "id": "indicator--18c62174-0d31-4653-afe6-d104c57b6b2c", - "type": "indicator", - "labels": [ - "malicious-activity" - ] } } \ No newline at end of file diff --git a/packages/mimecast/data_stream/ttp_ap_logs/_dev/test/pipeline/test-ttp-ap-logs.log-expected.json b/packages/mimecast/data_stream/ttp_ap_logs/_dev/test/pipeline/test-ttp-ap-logs.log-expected.json index c6171bc1b99..df58c04da5a 100644 --- a/packages/mimecast/data_stream/ttp_ap_logs/_dev/test/pipeline/test-ttp-ap-logs.log-expected.json +++ b/packages/mimecast/data_stream/ttp_ap_logs/_dev/test/pipeline/test-ttp-ap-logs.log-expected.json @@ -3,7 +3,7 @@ { "@timestamp": "2021-10-14T18:54:32.000Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "email": { "attachments": { 
@@ -48,7 +48,7 @@
 {
 "@timestamp": "2021-10-14T11:24:23.000Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "email": {
 "attachments": {
@@ -93,7 +93,7 @@
 {
 "@timestamp": "2021-10-14T11:24:23.000Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "email": {
 "attachments": {
diff --git a/packages/mimecast/data_stream/ttp_ap_logs/elasticsearch/ingest_pipeline/default.yml b/packages/mimecast/data_stream/ttp_ap_logs/elasticsearch/ingest_pipeline/default.yml
index cc55251a5f6..29681b778a0 100644
--- a/packages/mimecast/data_stream/ttp_ap_logs/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/mimecast/data_stream/ttp_ap_logs/elasticsearch/ingest_pipeline/default.yml
@@ -4,7 +4,7 @@ processors:
 # Generic event/ecs fields we always want to populated
 - set:
 field: ecs.version
- value: "1.12.0"
+ value: "8.0.0"
 - rename:
 field: message
 target_field: event.original
diff --git a/packages/mimecast/data_stream/ttp_ap_logs/sample_event.json b/packages/mimecast/data_stream/ttp_ap_logs/sample_event.json
index 78bdf6beb1a..a6e1a0e6b64 100644
--- a/packages/mimecast/data_stream/ttp_ap_logs/sample_event.json
+++ b/packages/mimecast/data_stream/ttp_ap_logs/sample_event.json
@@ -1,44 +1,71 @@ { - "@timestamp": "2021-10-14T18:54:32.000Z", - "ecs": { - "version": "1.12.0" + "@timestamp": "2021-11-24T11:54:27.000Z", + "agent": { + "ephemeral_id": "04477e86-6c35-45fb-84c1-3369e6841252", + "hostname": "docker-fleet-agent", + "id": "1e76e2b6-7664-4905-9a0b-11e1d4dc6fa9", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" }, - "related": { - "hash": "eaeef09b60a59b913e9bfc0a4373e25d6182beff388957473fba517cc09345e3" + "data_stream": { + "dataset": "mimecast.ttp_ap_logs", + "namespace": "ep", + "type": "logs" }, - "rule": { - "name": "Inbound - Safe file with On-Demand Sandbox" + "ecs": { + "version": "8.0.0" }, - "event": { - "action": "user_release_none", - "ingested": "2021-11-19T14:40:07.263592900Z", - "original": "{\"senderAddress\":\"\u003c\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"fileName\":\"numbers.pdf\",\"fileType\":\"application\\/pdf\",\"result\":\"safe\",\"actionTriggered\":\"user release, none\",\"date\":\"2021-10-14T18:54:32+0000\",\"details\":\"Safe \\r\\nTime taken: 0 hrs, 0 min, 4 sec\",\"route\":\"inbound\",\"messageId\":\"\u003c20200806044148.F35F813B435@mail.brianjthronton.com\u003e\",\"subject\":\"Important Updated Numbers from the Center for Disease Control\",\"fileHash\":\"eaeef09b60a59b913e9bfc0a4373e25d6182beff388957473fba517cc09345e3\",\"definition\":\"Inbound - Safe file with On-Demand Sandbox\"}", - "created": "2021-10-14T18:54:32+0000" + "elastic_agent": { + "id": "1e76e2b6-7664-4905-9a0b-11e1d4dc6fa9", + "snapshot": false, + "version": "7.17.0" }, "email": { - "from": { - "address": "\u003c\u003e" - }, - "message_id": "\u003c20200806044148.F35F813B435@mail.brianjthronton.com\u003e", "attachments": { - "hash": "eaeef09b60a59b913e9bfc0a4373e25d6182beff388957473fba517cc09345e3", "file": { - "name": "numbers.pdf", + "extension": "pdf", "mime_type": "application/pdf", - "extension": "pdf" - } + "name": "Datasheet_Mimecast Targeted Threat Protection + Internal Email Protect 
(2).pdf" + }, + "hash": "cabd7cb6e1822fd9e1fc9bcf144ee26ee6bfc855c4574ca967dd53dcc36a1254" }, - "to": { - "address": "johndoe@example.com" + "direction": "inbound", + "from": { + "address": "\u003c\u003e" }, - "subject": "Important Updated Numbers from the Center for Disease Control", - "direction": "inbound" + "message_id": "\u003cCAKUQxhimsCd1bvWQVs14Amuh1+Hnw_bmSuA7ot8hy4eDa9_ziQ@mail.gmail.com\u003e", + "subject": "Test Files", + "to": { + "address": "johndoe@emample.com" + } + }, + "event": { + "action": "user_release_none", + "agent_id_status": "verified", + "created": "2021-11-24T11:54:27+0000", + "dataset": "mimecast.ttp_ap_logs", + "ingested": "2022-02-22T15:37:02Z", + "original": "{\"actionTriggered\":\"user release, none\",\"date\":\"2021-11-24T11:54:27+0000\",\"definition\":\"Inbound - Safe file with On-Demand Sandbox\",\"details\":\"Safe \\r\\nTime taken: 0 hrs, 0 min, 7 sec\",\"fileHash\":\"cabd7cb6e1822fd9e1fc9bcf144ee26ee6bfc855c4574ca967dd53dcc36a1254\",\"fileName\":\"Datasheet_Mimecast Targeted Threat Protection + Internal Email Protect (2).pdf\",\"fileType\":\"application/pdf\",\"messageId\":\"\\u003cCAKUQxhimsCd1bvWQVs14Amuh1+Hnw_bmSuA7ot8hy4eDa9_ziQ@mail.gmail.com\\u003e\",\"recipientAddress\":\"johndoe@emample.com\",\"result\":\"safe\",\"route\":\"inbound\",\"senderAddress\":\"\\u003c\\u003e\",\"subject\":\"Test Files\"}" + }, + "input": { + "type": "httpjson" }, - "tags": [ - "preserve_original_event" - ], "mimecast": { - "result": "safe", - "details": "Safe \r\nTime taken: 0 hrs, 0 min, 4 sec" - } + "details": "Safe \r\nTime taken: 0 hrs, 0 min, 7 sec", + "result": "safe" + }, + "related": { + "hash": [ + "cabd7cb6e1822fd9e1fc9bcf144ee26ee6bfc855c4574ca967dd53dcc36a1254" + ] + }, + "rule": { + "name": "Inbound - Safe file with On-Demand Sandbox" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "mimecast-ttp-ap" + ] } \ No newline at end of file 
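Review bot: The attachment digest lands in `email.attachments.hash` next to `email.attachments.file.name`, `extension` and `mime_type`; the value is the raw 64-hex `fileHash`, so if the package tracks the ECS 8.0 email fieldset its home is `email.attachments.file.hash.sha256`, which is the field other integrations and `related.hash` pivots key on — the mapping lives in the pipeline outside this diff, so confirm there. The new sample also carries no `event.kind`, `event.category` or `event.type`, so categorization-based rules cannot match it; the same gap appears in the ttp_ip and ttp_url sample_event hunks in this commit. Finally, the recipient in this fixture is `johndoe@emample.com` (also inside `event.original`); unlike `example.com`, that domain is not reserved for documentation, so the sample would be safer using the reserved domain the other fixtures in this commit use.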
diff --git a/packages/mimecast/data_stream/ttp_ip_logs/_dev/test/pipeline/test-ttp-ip-logs.log-expected.json b/packages/mimecast/data_stream/ttp_ip_logs/_dev/test/pipeline/test-ttp-ip-logs.log-expected.json
index b936d1f469c..fff88ea7f22 100644
--- a/packages/mimecast/data_stream/ttp_ip_logs/_dev/test/pipeline/test-ttp-ip-logs.log-expected.json
+++ b/packages/mimecast/data_stream/ttp_ip_logs/_dev/test/pipeline/test-ttp-ip-logs.log-expected.json
@@ -3,7 +3,7 @@
 {
 "@timestamp": "2021-10-15T17:10:46.000Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "email": {
 "from": {
@@ -55,7 +55,7 @@
 {
 "@timestamp": "2021-10-15T06:16:34.000Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "email": {
 "from": {
@@ -107,7 +107,7 @@
 {
 "@timestamp": "2021-10-13T16:12:07.000Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "email": {
 "from": {
diff --git a/packages/mimecast/data_stream/ttp_ip_logs/elasticsearch/ingest_pipeline/default.yml b/packages/mimecast/data_stream/ttp_ip_logs/elasticsearch/ingest_pipeline/default.yml
index 578e4fb6dab..b461bdcddcf 100644
--- a/packages/mimecast/data_stream/ttp_ip_logs/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/mimecast/data_stream/ttp_ip_logs/elasticsearch/ingest_pipeline/default.yml
@@ -4,7 +4,7 @@ processors:
 # Generic event/ecs fields we always want to populated
 - set:
 field: ecs.version
- value: "1.12.0"
+ value: "8.0.0"
 - rename:
 field: message
 target_field: event.original
diff --git a/packages/mimecast/data_stream/ttp_ip_logs/sample_event.json b/packages/mimecast/data_stream/ttp_ip_logs/sample_event.json
index 1ebe748244a..95c63d6e38d 100644
--- a/packages/mimecast/data_stream/ttp_ip_logs/sample_event.json
+++ b/packages/mimecast/data_stream/ttp_ip_logs/sample_event.json
@@ -1,51 +1,78 @@ { - "@timestamp": "2021-10-15T17:10:46.000Z", - "ecs": { - "version": "1.12.0" + "@timestamp": "2021-11-12T15:27:04.000Z", + "agent": { + "ephemeral_id": "c3429d44-3582-45ff-9a45-240e99753ecc", + "hostname": "docker-fleet-agent", + "id": "1e76e2b6-7664-4905-9a0b-11e1d4dc6fa9", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" }, - "related": { - "ip": "8.8.8.8" + "data_stream": { + "dataset": "mimecast.ttp_ip_logs", + "namespace": "ep", + "type": "logs" }, - "rule": { - "name": "IP - 1 hit (Tag email)" + "ecs": { + "version": "8.0.0" }, - "source": { - "ip": "8.8.8.8" - }, - "event": { - "action": "none", - "ingested": "2021-11-19T14:42:59.823940200Z", - "original": "{\"id\":\"MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMjU1NjIw1FEqSy0qzszPU7ICskvywAoNDAyVagFirRIG\",\"senderAddress\":\"smtp@example.com\",\"recipientAddress\":\"johndoe@example.com\",\"subject\":\"Requested File\",\"definition\":\"IP - 1 hit (Tag email)\",\"hits\":1,\"identifiers\":[\"internal_user_name\"],\"action\":\"none\",\"taggedExternal\":false,\"taggedMalicious\":true,\"senderIpAddress\":\"8.8.8.8\",\"eventTime\":\"2021-10-15T17:10:46+0000\",\"impersonationResults\":[{\"impersonationDomainSource\":\"internal_user_name\",\"similarDomain\":\"John Doe Jr \u003cjohndoejr@example.com\u003e\",\"stringSimilarToDomain\":\"John Doe Jr\",\"checkerResult\":\"hit\"}],\"messageId\":\"\u003cEE7E97EA-1926-4A90-9399-D049A98893F4@emailsec.ninja\u003e\"}", - "id": "MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMjU1NjIw1FEqSy0qzszPU7ICskvywAoNDAyVagFirRIG", - "created": "2021-10-15T17:10:46+0000" + "elastic_agent": { + "id": "1e76e2b6-7664-4905-9a0b-11e1d4dc6fa9", + "snapshot": false, + "version": "7.17.0" }, "email": { "from": { - "address": "smtp@example.com" + "address": "johndoe@example.com" }, - "message_id": "\u003cEE7E97EA-1926-4A90-9399-D049A98893F4@emailsec.ninja\u003e", + "message_id": 
"\u003cMN2PR16MB2719879CA4DB60C265F7FD8FB0959@MN2PR16MB2719.namprd16.prod.outlook.com\u003e", + "subject": "Don't read, just fill out!", "to": { "address": "johndoe@example.com" - }, - "subject": "Requested File" + } + }, + "event": { + "action": "none", + "agent_id_status": "verified", + "created": "2021-11-12T15:27:04+0000", + "dataset": "mimecast.ttp_ip_logs", + "id": "MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMjM3MzAw0FEqSy0qzszPU7Iy1FEqyQMrNDAwV6oFAGMiEg8", + "ingested": "2022-02-22T15:37:59Z", + "original": "{\"action\":\"none\",\"definition\":\"IP - 1 hit (Tag email)\",\"eventTime\":\"2021-11-12T15:27:04+0000\",\"hits\":1,\"id\":\"MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMjM3MzAw0FEqSy0qzszPU7Iy1FEqyQMrNDAwV6oFAGMiEg8\",\"identifiers\":[\"internal_user_name\"],\"impersonationResults\":[{\"checkerResult\":\"hit\",\"impersonationDomainSource\":\"internal_user_name\",\"similarDomain\":\"John Doe \\u003cjohndoe_cdw@example.com\\u003e\",\"stringSimilarToDomain\":\"John Doe\"}],\"messageId\":\"\\u003cMN2PR16MB2719879CA4DB60C265F7FD8FB0959@MN2PR16MB2719.namprd16.prod.outlook.com\\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"senderAddress\":\"johndoe@example.com\",\"senderIpAddress\":\"8.8.8.8\",\"subject\":\"Don't read, just fill out!\",\"taggedExternal\":false,\"taggedMalicious\":true}" + }, + "input": { + "type": "httpjson" }, - "tags": [ - "preserve_original_event" - ], "mimecast": { "hits": 1, + "identifiers": [ + "internal_user_name" + ], "impersonationResults": [ { "checkerResult": "hit", "impersonationDomainSource": "internal_user_name", - "stringSimilarToDomain": "John Doe Jr", - "similarDomain": "John Doe Jr \u003cjohndoejr@example.com\u003e" + "similarDomain": "John Doe \u003cjohndoe_cdw@example.com\u003e", + "stringSimilarToDomain": "John Doe" } ], - "taggedMalicious": true, "taggedExternal": false, - "identifiers": [ - "internal_user_name" + "taggedMalicious": true + }, + "related": { + "ip": [ + "8.8.8.8" ] - } + }, + 
"rule": { + "name": "IP - 1 hit (Tag email)" + }, + "source": { + "ip": "8.8.8.8" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "mimecast-ttp-ip" + ] } \ No newline at end of file diff --git a/packages/mimecast/data_stream/ttp_url_logs/_dev/test/pipeline/test-ttp-url-logs.log-expected.json b/packages/mimecast/data_stream/ttp_url_logs/_dev/test/pipeline/test-ttp-url-logs.log-expected.json index 1d0f4f1d27f..b665d814b15 100644 --- a/packages/mimecast/data_stream/ttp_url_logs/_dev/test/pipeline/test-ttp-url-logs.log-expected.json +++ b/packages/mimecast/data_stream/ttp_url_logs/_dev/test/pipeline/test-ttp-url-logs.log-expected.json @@ -3,7 +3,7 @@ { "@timestamp": "2021-10-16T14:45:34.000Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "email": { "direction": "inbound", @@ -60,7 +60,7 @@ { "@timestamp": "2021-10-16T14:07:38.000Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "email": { "direction": "inbound", @@ -117,7 +117,7 @@ { "@timestamp": "2021-10-16T13:31:56.000Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "email": { "direction": "inbound", diff --git a/packages/mimecast/data_stream/ttp_url_logs/elasticsearch/ingest_pipeline/default.yml b/packages/mimecast/data_stream/ttp_url_logs/elasticsearch/ingest_pipeline/default.yml index a8685b2d7f5..82c559ab44c 100644 --- a/packages/mimecast/data_stream/ttp_url_logs/elasticsearch/ingest_pipeline/default.yml +++ b/packages/mimecast/data_stream/ttp_url_logs/elasticsearch/ingest_pipeline/default.yml @@ -4,7 +4,7 @@ processors: # Generic event/ecs fields we always want to populated - set: field: ecs.version - value: "1.12.0" + value: "8.0.0" - rename: field: message target_field: event.original diff --git a/packages/mimecast/data_stream/ttp_url_logs/sample_event.json b/packages/mimecast/data_stream/ttp_url_logs/sample_event.json index caff8ea714c..1727a303ff0 100644 --- a/packages/mimecast/data_stream/ttp_url_logs/sample_event.json 
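Review bot: `related.user` is absent from the new ttp_ip sample even though it has `email.from.address` and `email.to.address` (both `johndoe@example.com`), while the ttp_url sample in this commit populates `related.user` with the user name and address; analysts pivoting on `related.user` would miss impersonation events for that mailbox. If the pipeline, which is outside this diff, appends sender and recipient to `related.user`, the sample should show it; if not, that is the line to add. The change of `related.ip` to an array is the right shape for that field.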
+++ b/packages/mimecast/data_stream/ttp_url_logs/sample_event.json 
@@ -1,58 +1,83 @@ { - "rule": { - "name": "Inbound URL 'Aggressive'" + "@timestamp": "2021-11-10T03:49:53.000Z", + "agent": { + "ephemeral_id": "32e43233-fc59-4b6d-97c4-bc2d0647f8a0", + "hostname": "docker-fleet-agent", + "id": "1e76e2b6-7664-4905-9a0b-11e1d4dc6fa9", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" }, - "source": { - "ip": "8.8.8.8" + "data_stream": { + "dataset": "mimecast.ttp_url_logs", + "namespace": "ep", + "type": "logs" }, - "url": { - "original": "https://click.emailinfo2.bestbuy.com/?qs=5c47c91aeb44fac857370c26ddf09c3f484431e1ccfa636fc64e26e40dd87efdb43d4deeeab8c2e727ebfa079e8cf1404c095c511152e4b09e7d00bf8377f32d" - }, - "tags": [ - "preserve_original_event" - ], - "@timestamp": "2021-10-16T14:45:34.000Z", "ecs": { - "version": "1.12.0" - }, - "related": { - "user": [ - "johndoe", - "johndoe@example.com" - ], - "ip": [ - "8.8.8.8" - ] + "version": "8.0.0" }, - "event": { - "action": "Continue", - "ingested": "2021-11-24T14:39:10.084705200Z", - "original": "{\"userEmailAddress\": \"johndoe@example.com\", \"fromUserEmailAddress\": \"bestbuyinfo@emailinfo.bestbuy.com\", \"url\": \"https://click.emailinfo2.bestbuy.com/?qs=5c47c91aeb44fac857370c26ddf09c3f484431e1ccfa636fc64e26e40dd87efdb43d4deeeab8c2e727ebfa079e8cf1404c095c511152e4b09e7d00bf8377f32d\", \"ttpDefinition\": \"Inbound URL 'Aggressive'\", \"subject\": \"Today only: Save $100 on Tineco Pure One S12 smart cordless stick vacuum, plus more.\", \"action\": \"allow\", \"adminOverride\": \"N/A\", \"userOverride\": \"None\", \"scanResult\": \"clean\", \"category\": \"Business\", \"sendingIp\": \"8.8.8.8\", \"userAwarenessAction\": \"Continue\", \"date\": \"2021-10-16T14:45:34+0000\", \"actions\": \"Allow\", \"route\": \"inbound\", \"creationMethod\": \"User Click\", \"emailPartsDescription\": [ \"Body\" ], \"messageId\": \"\u003c31b43097-94f9-4f64-8e37-8ad23650c692@ind1s01mta1292.xt.local\u003e\" }", - "created": "2021-10-16T14:45:34+0000" - }, - "user": { - 
"name": "johndoe", - "email": "johndoe@example.com", - "domain": "example.com" + "elastic_agent": { + "id": "1e76e2b6-7664-4905-9a0b-11e1d4dc6fa9", + "snapshot": false, + "version": "7.17.0" }, "email": { - "message_id": "\u003c31b43097-94f9-4f64-8e37-8ad23650c692@ind1s01mta1292.xt.local\u003e", + "direction": "inbound", "from": { - "address": "bestbuyinfo@emailinfo.bestbuy.com" + "address": "googlealerts-noreply@google.com" }, - "subject": "Today only: Save $100 on Tineco Pure One S12 smart cordless stick vacuum, plus more.", - "direction": "inbound" + "message_id": "\u003c000000000000a02a0a05d0671c06@google.com\u003e", + "subject": "Google Alert - china" + }, + "event": { + "action": "Continue", + "agent_id_status": "verified", + "created": "2021-11-10T03:49:53+0000", + "dataset": "mimecast.ttp_url_logs", + "ingested": "2022-02-22T15:38:37Z", + "original": "{\"action\":\"allow\",\"actions\":\"Allow\",\"adminOverride\":\"N/A\",\"category\":\"Search Engines \\u0026 Portals\",\"creationMethod\":\"User Click\",\"date\":\"2021-11-10T03:49:53+0000\",\"emailPartsDescription\":[\"Body\"],\"fromUserEmailAddress\":\"googlealerts-noreply@google.com\",\"messageId\":\"\\u003c000000000000a02a0a05d0671c06@google.com\\u003e\",\"route\":\"inbound\",\"scanResult\":\"clean\",\"sendingIp\":\"8.8.8.8\",\"subject\":\"Google Alert - china\",\"ttpDefinition\":\"Inbound URL 'Aggressive'\",\"url\":\"https://www.google.co.za/alerts/share?hl=en\\u0026gl=US\\u0026ru=https://www.wsj.com/articles/u-s-tests-israels-iron-dome-in-guam-as-defense-against-chinese-cruise-missiles-11636455224\\u0026ss=tw\\u0026rt=U.S.+Tests+Israel%27s+Iron+Dome+in+Guam+as+Defense+Against+Chinese+Cruise+Missiles+-+WSJ\\u0026cd=KhQxNzg2NTc5NDQ3ODIzODUyNjI5NzIcZmQ4N2VjYzkxMGIxMWE4Yzpjby56YTplbjpVUw\\u0026ssp=AMJHsmW3CCK1S4TNPifSXszcyaNMwd6TDg\",\"userAwarenessAction\":\"Continue\",\"userEmailAddress\":\"johndoe@example.com\",\"userOverride\":\"None\"}" + }, + "input": { + "type": "httpjson" }, "mimecast": { - 
"userOverride": "None", "action": "allow", - "adminOverride": "N/A", - "scanResult": "clean", - "category": "Business", "actions": "Allow", + "adminOverride": "N/A", + "category": "Search Engines \u0026 Portals", "creationMethod": "User Click", "emailPartsDescription": [ "Body" + ], + "scanResult": "clean", + "userOverride": "None" + }, + "related": { + "ip": [ + "8.8.8.8" + ], + "user": [ + "johndoe", + "johndoe@example.com" ] + }, + "rule": { + "name": "Inbound URL 'Aggressive'" + }, + "source": { + "ip": "8.8.8.8" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "mimecast-ttp-url" + ], + "url": { + "original": "https://www.google.co.za/alerts/share?hl=en\u0026gl=US\u0026ru=https://www.wsj.com/articles/u-s-tests-israels-iron-dome-in-guam-as-defense-against-chinese-cruise-missiles-11636455224\u0026ss=tw\u0026rt=U.S.+Tests+Israel%27s+Iron+Dome+in+Guam+as+Defense+Against+Chinese+Cruise+Missiles+-+WSJ\u0026cd=KhQxNzg2NTc5NDQ3ODIzODUyNjI5NzIcZmQ4N2VjYzkxMGIxMWE4Yzpjby56YTplbjpVUw\u0026ssp=AMJHsmW3CCK1S4TNPifSXszcyaNMwd6TDg" + }, + "user": { + "domain": "example.com", + "email": "johndoe@example.com", + "name": "johndoe" } } \ No newline at end of file diff --git a/packages/mimecast/docs/README.md b/packages/mimecast/docs/README.md index e5ce3174083..d11658b3662 100644 --- a/packages/mimecast/docs/README.md +++ b/packages/mimecast/docs/README.md 
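Review bot: Only `url.original` is populated for the clicked URL; nothing in the new sample shows `url.domain`, `url.scheme`, `url.path` or `url.query`, and `related.hosts` is absent, so rules that match on the clicked domain are left to regex the raw string. If the pipeline, which is outside this diff, does not already run a `uri_parts` processor on that value, adding one and appending `url.domain` to `related.hosts` would close the gap; if it does, this sample should reflect the parsed fields. The `\u0026` sequences in `url.original` and `mimecast.category` are ordinary JSON encoding of `&` and need no change.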
@@ -21,30 +21,12 @@ An example event for `audit_events` looks as following: { "@timestamp": "2021-11-16T12:01:37.000Z", "agent": { - "ephemeral_id": "57841034-22ed-4fcd-bcfd-0a9518249e2d", + "ephemeral_id": "fa35babb-45a8-4537-b7e9-037256a9d3e5", "hostname": "docker-fleet-agent", - "id": "eb7f38a3-c00c-4d87-9c69-fddb3d650fab", + "id": "1e76e2b6-7664-4905-9a0b-11e1d4dc6fa9", "name": "docker-fleet-agent", "type": "filebeat", - "version": "7.16.0" - }, - "client": { - "as": { - "number": 15169, - "organization": { - "name": "Google LLC" - } - }, - "geo": { - "continent_name": "North America", - "country_iso_code": "US", - "country_name": "United States", - "location": { - "lat": 37.751, - "lon": -97.822 - } - }, - "ip": "8.8.8.8" + "version": "7.17.0" }, "data_stream": { "dataset": "mimecast.audit_events", 
@@ -52,34 +34,30 @@ An example event for `audit_events` looks as following: "type": "logs" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "elastic_agent": { - "id": "eb7f38a3-c00c-4d87-9c69-fddb3d650fab", - "snapshot": true, - "version": "7.16.0" + "id": "1e76e2b6-7664-4905-9a0b-11e1d4dc6fa9", + "snapshot": false, + "version": "7.17.0" }, "event": { - "action": "case-action", + "action": "search-action", "agent_id_status": "verified", - "created": "2021-11-16T12:01:37.000Z", + "created": "2022-02-22T15:33:36.764Z", "dataset": "mimecast.audit_events", - "id": "eNqrVipOTS4tSs1MUbJSskwzjDIMyDRKLinNSEl1c0pOqXLJyQlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWFsYmhkrqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAE_sLAI", - "ingested": "2021-11-24T15:39:11Z", - "original": "{\"auditType\":\"Case Action\",\"category\":\"case_review_logs\",\"eventInfo\":\"Viewed Case - Case: GDPR/CCPA, Date: 2021-11-16, Time: 12:01:37+0000, IP: 8.8.8.8, Application: mimecast-case-review\",\"eventTime\":\"2021-11-16T12:01:37+0000\",\"id\":\"eNqrVipOTS4tSs1MUbJSskwzjDIMyDRKLinNSEl1c0pOqXLJyQlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWFsYmhkrqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAE_sLAI\",\"user\":\"johndoe@example.com\"}" + "id": "eNqrVipOTS4tSs1MUbJSSg_xMDJPNkisSDdISQ00j0gzz44wDAtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWFsYmhkoaOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAAjKK1o", + "ingested": "2022-02-22T15:33:37Z", + "original": "{\"auditType\":\"Search Action\",\"category\":\"case_review_logs\",\"eventInfo\":\"Inspected Review Set Messages - Source: Review Set - Supervision - hot words, Case - GDPR/CCPA, Message Status: Pending, Date: 2021-11-16, Time: 12:01:37+0000, IP: 8.8.8.8, Application: 
mimecast-case-review\",\"eventTime\":\"2021-11-16T12:01:37+0000\",\"id\":\"eNqrVipOTS4tSs1MUbJSSg_xMDJPNkisSDdISQ00j0gzz44wDAtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWFsYmhkoaOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAAjKK1o\",\"user\":\"johndoe@example.com\"}" }, "input": { "type": "httpjson" }, "mimecast": { - "application": "mimecast-case-review", "category": "case_review_logs", - "eventInfo": "Viewed Case - Case: GDPR/CCPA, Date: 2021-11-16, Time: 12:01:37+0000, IP: 8.8.8.8, Application: mimecast-case-review" + "eventInfo": "Inspected Review Set Messages - Source: Review Set - Supervision - hot words, Case - GDPR/CCPA, Message Status: Pending, Date: 2021-11-16, Time: 12:01:37+0000, IP: 8.8.8.8, Application: mimecast-case-review" }, "related": { - "ip": [ - "8.8.8.8" - ], "user": [ "johndoe", "johndoe@example.com" @@ -162,11 +140,13 @@ An example event for `audit_events` looks as following: | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Input type | keyword | | log.offset | Log offset | long | +| mimecast.2FA | Info about two-factor authentication. | keyword | | mimecast.application | The Mimecast unique id of the event. | keyword | | mimecast.category | The category of the event. | keyword | | mimecast.email.address | Email address from event info. | keyword | | mimecast.email.metadata | The email meta data from audit info. | keyword | | mimecast.eventInfo | The detailed event information. | keyword | +| mimecast.method | Method which triggers audit events. | keyword | | related.ip | All of the IPs seen on your event. | ip | | related.user | All the user names or other user identifiers seen on the event. | keyword | | tags | List of keywords used to tag each event. | keyword | 
@@ -185,12 +165,12 @@ An example event for `dlp` looks as following: { "@timestamp": "2021-11-18T21:41:18.000Z", "agent": { - "ephemeral_id": "1aef981f-3448-4d12-bd5a-723ac1cdcc81", + "ephemeral_id": "351662e4-0671-45fc-978c-613243b6b7fe", "hostname": "docker-fleet-agent", - "id": "eb7f38a3-c00c-4d87-9c69-fddb3d650fab", + "id": "1e76e2b6-7664-4905-9a0b-11e1d4dc6fa9", "name": "docker-fleet-agent", "type": "filebeat", - "version": "7.16.0" + "version": "7.17.0" }, "data_stream": { "dataset": "mimecast.dlp_logs", @@ -198,12 +178,12 @@ An example event for `dlp` looks as following: "type": "logs" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "elastic_agent": { - "id": "eb7f38a3-c00c-4d87-9c69-fddb3d650fab", - "snapshot": true, - "version": "7.16.0" + "id": "1e76e2b6-7664-4905-9a0b-11e1d4dc6fa9", + "snapshot": false, + "version": "7.17.0" }, "email": { "direction": "inbound", @@ -221,7 +201,7 @@ An example event for `dlp` looks as following: "agent_id_status": "verified", "created": "2021-11-18T21:41:18+0000", "dataset": "mimecast.dlp_logs", - "ingested": "2021-11-24T15:39:49Z", + "ingested": "2022-02-22T15:34:19Z", "original": "{\"action\":\"notification\",\"eventTime\":\"2021-11-18T21:41:18+0000\",\"messageId\":\"\\u003c20211118214115.B346F10021D@mail.emailsec.ninja\\u003e\",\"policy\":\"Content Inspection - Watermark\",\"recipientAddress\":\"johndoe@example.com\",\"route\":\"inbound\",\"senderAddress\":\"\\u003c\\u003e\",\"subject\":\"Undelivered Mail Returned to Sender\"}" }, "input": { 
@@ -306,40 +286,60 @@ An example event for `siem` looks as following: ```json { - "@timestamp": "2021-10-18T08:02:43.000Z", + "@timestamp": "2021-11-12T12:15:46.000Z", + "agent": { + "ephemeral_id": "d60af43e-84dc-4f3b-b6c9-7616ac605053", + "hostname": "docker-fleet-agent", + "id": "1e76e2b6-7664-4905-9a0b-11e1d4dc6fa9", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "data_stream": { + "dataset": "mimecast.siem_logs", + "namespace": "ep", + "type": "logs" + }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, - "event": { - "reason": "Spm", - "action": "Hld", - "ingested": "2021-11-25T11:34:11.459620200Z", - "original": "{\"Act\":\"Hld\",\"AttCnt\":0,\"AttNames\":null,\"AttSize\":0,\"Content-Disposition\":\"attachment; filename=\\\"process_20211018093329655.json\\\"\",\"Hld\":\"Spm\",\"MsgId\":\"\\u003cINX.164dae0719be95da77068c7d264.3e915.e7719.c78c.17c926a3231ace@newsletter.77onlineshop.eu\\u003e\",\"MsgSize\":157436,\"Sender\":\"bounce_9244+cdaahhimyaaaaagaad5ekqaaaaaaaaeribenpq@newsletter.77onlineshop.eu\",\"Subject\":\"Hi Sandra! Neue Styles eingetroffen! – Finde deinen Lieblings-Look!\",\"aCode\":\"HhuwRf_AOcuJZINE2ZgcKw\",\"acc\":\"ABC123\",\"datetime\":\"2021-10-18T09:02:43+0100\"}", - "created": "2021-10-18T09:02:43+0100", - "outcome": "unknown" + "elastic_agent": { + "id": "1e76e2b6-7664-4905-9a0b-11e1d4dc6fa9", + "snapshot": false, + "version": "7.17.0" }, "email": { - "message_id": "\u003cINX.164dae0719be95da77068c7d264.3e915.e7719.c78c.17c926a3231ace@newsletter.77onlineshop.eu\u003e", + "direction": "Internal", "from": { - "address": "bounce_9244+cdaahhimyaaaaagaad5ekqaaaaaaaaeribenpq@newsletter.77onlineshop.eu" - }, - "attachments": { - "file": { - "size": 0 - } + "address": "johndoe@example.com" }, - "local_id": "HhuwRf_AOcuJZINE2ZgcKw", - "subject": "Hi Sandra! Neue Styles eingetroffen! 
– Finde deinen Lieblings-Look!", - "message_size": 157436 + "local_id": "fjihpfEgM_iRwemxhe3t_w", + "to": { + "address": "o365_service_account@example.com" + } + }, + "event": { + "agent_id_status": "verified", + "created": "2021-11-12T12:15:46+0000", + "dataset": "mimecast.siem_logs", + "ingested": "2022-02-22T15:34:56Z", + "original": "{\"Dir\":\"Internal\",\"Rcpt\":\"o365_service_account@example.com\",\"RcptActType\":\"Jnl\",\"RcptHdrType\":\"Unknown\",\"Sender\":\"johndoe@example.com\",\"aCode\":\"fjihpfEgM_iRwemxhe3t_w\",\"acc\":\"ABC123\",\"datetime\":\"2021-11-12T12:15:46+0000\"}", + "outcome": "unknown" + }, + "input": { + "type": "httpjson" }, - "tags": [ - "preserve_original_event" - ], "mimecast": { + "RcptActType": "Jnl", + "RcptHdrType": "Unknown", "acc": "ABC123", - "log_type": "process", - "AttCnt": 0 - } + "log_type": "" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "mimecast-siem-logs" + ] } ``` @@ -451,7 +451,7 @@ An example event for `siem` looks as following: | mimecast.msgid | The internet message id of the email. | keyword | | mimecast.urlCategory | The category of the URL that was clicked. | keyword | | rule.name | The name of the rule or signature generating the event. | keyword | -| source.domain | Source domain. | keyword | +| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | | source.ip | IP address of the source (IPv4 or IPv6). | ip | | tags | List of keywords used to tag each event. | keyword | | tls.cipher | String indicating the cipher used during the current connection. | keyword | 
@@ -469,55 +469,82 @@ An example event for `ttp_ip` looks as following: ```json { - "@timestamp": "2021-10-15T17:10:46.000Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": "8.8.8.8" + "@timestamp": "2021-11-12T15:27:04.000Z", + "agent": { + "ephemeral_id": "c3429d44-3582-45ff-9a45-240e99753ecc", + "hostname": "docker-fleet-agent", + "id": "1e76e2b6-7664-4905-9a0b-11e1d4dc6fa9", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" }, - "rule": { - "name": "IP - 1 hit (Tag email)" + "data_stream": { + "dataset": "mimecast.ttp_ip_logs", + "namespace": "ep", + "type": "logs" }, - "source": { - "ip": "8.8.8.8" + "ecs": { + "version": "8.0.0" }, - "event": { - "action": "none", - "ingested": "2021-11-19T14:42:59.823940200Z", - "original": "{\"id\":\"MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMjU1NjIw1FEqSy0qzszPU7ICskvywAoNDAyVagFirRIG\",\"senderAddress\":\"smtp@example.com\",\"recipientAddress\":\"johndoe@example.com\",\"subject\":\"Requested File\",\"definition\":\"IP - 1 hit (Tag email)\",\"hits\":1,\"identifiers\":[\"internal_user_name\"],\"action\":\"none\",\"taggedExternal\":false,\"taggedMalicious\":true,\"senderIpAddress\":\"8.8.8.8\",\"eventTime\":\"2021-10-15T17:10:46+0000\",\"impersonationResults\":[{\"impersonationDomainSource\":\"internal_user_name\",\"similarDomain\":\"John Doe Jr \u003cjohndoejr@example.com\u003e\",\"stringSimilarToDomain\":\"John Doe Jr\",\"checkerResult\":\"hit\"}],\"messageId\":\"\u003cEE7E97EA-1926-4A90-9399-D049A98893F4@emailsec.ninja\u003e\"}", - "id": "MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMjU1NjIw1FEqSy0qzszPU7ICskvywAoNDAyVagFirRIG", - "created": "2021-10-15T17:10:46+0000" + "elastic_agent": { + "id": "1e76e2b6-7664-4905-9a0b-11e1d4dc6fa9", + "snapshot": false, + "version": "7.17.0" }, "email": { "from": { - "address": "smtp@example.com" + "address": "johndoe@example.com" }, - "message_id": "\u003cEE7E97EA-1926-4A90-9399-D049A98893F4@emailsec.ninja\u003e", + "message_id": 
"\u003cMN2PR16MB2719879CA4DB60C265F7FD8FB0959@MN2PR16MB2719.namprd16.prod.outlook.com\u003e", + "subject": "Don't read, just fill out!", "to": { "address": "johndoe@example.com" - }, - "subject": "Requested File" + } + }, + "event": { + "action": "none", + "agent_id_status": "verified", + "created": "2021-11-12T15:27:04+0000", + "dataset": "mimecast.ttp_ip_logs", + "id": "MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMjM3MzAw0FEqSy0qzszPU7Iy1FEqyQMrNDAwV6oFAGMiEg8", + "ingested": "2022-02-22T15:37:59Z", + "original": "{\"action\":\"none\",\"definition\":\"IP - 1 hit (Tag email)\",\"eventTime\":\"2021-11-12T15:27:04+0000\",\"hits\":1,\"id\":\"MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMjM3MzAw0FEqSy0qzszPU7Iy1FEqyQMrNDAwV6oFAGMiEg8\",\"identifiers\":[\"internal_user_name\"],\"impersonationResults\":[{\"checkerResult\":\"hit\",\"impersonationDomainSource\":\"internal_user_name\",\"similarDomain\":\"John Doe \\u003cjohndoe_cdw@example.com\\u003e\",\"stringSimilarToDomain\":\"John Doe\"}],\"messageId\":\"\\u003cMN2PR16MB2719879CA4DB60C265F7FD8FB0959@MN2PR16MB2719.namprd16.prod.outlook.com\\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"senderAddress\":\"johndoe@example.com\",\"senderIpAddress\":\"8.8.8.8\",\"subject\":\"Don't read, just fill out!\",\"taggedExternal\":false,\"taggedMalicious\":true}" + }, + "input": { + "type": "httpjson" }, - "tags": [ - "preserve_original_event" - ], "mimecast": { "hits": 1, + "identifiers": [ + "internal_user_name" + ], "impersonationResults": [ { "checkerResult": "hit", "impersonationDomainSource": "internal_user_name", - "stringSimilarToDomain": "John Doe Jr", - "similarDomain": "John Doe Jr \u003cjohndoejr@example.com\u003e" + "similarDomain": "John Doe \u003cjohndoe_cdw@example.com\u003e", + "stringSimilarToDomain": "John Doe" } ], - "taggedMalicious": true, "taggedExternal": false, - "identifiers": [ - "internal_user_name" + "taggedMalicious": true + }, + "related": { + "ip": [ + "8.8.8.8" ] - } + }, + 
"rule": { + "name": "IP - 1 hit (Tag email)" + }, + "source": { + "ip": "8.8.8.8" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "mimecast-ttp-ip" + ] } ``` @@ -588,7 +615,7 @@ An example event for `ttp_ip` looks as following: | mimecast.taggedMalicious | Whether the message was tagged as malicious. | boolean | | related.ip | All of the IPs seen on your event. | ip | | rule.name | The name of the rule or signature generating the event. | keyword | -| source.domain | Source domain. | keyword | +| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | | source.ip | IP address of the source (IPv4 or IPv6). | ip | | tags | List of keywords used to tag each event. | keyword | 
@@ -601,48 +628,75 @@ An example event for `ttp_ap` looks as following: ```json { - "@timestamp": "2021-10-14T18:54:32.000Z", - "ecs": { - "version": "1.12.0" + "@timestamp": "2021-11-24T11:54:27.000Z", + "agent": { + "ephemeral_id": "04477e86-6c35-45fb-84c1-3369e6841252", + "hostname": "docker-fleet-agent", + "id": "1e76e2b6-7664-4905-9a0b-11e1d4dc6fa9", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" }, - "related": { - "hash": "eaeef09b60a59b913e9bfc0a4373e25d6182beff388957473fba517cc09345e3" + "data_stream": { + "dataset": "mimecast.ttp_ap_logs", + "namespace": "ep", + "type": "logs" }, - "rule": { - "name": "Inbound - Safe file with On-Demand Sandbox" + "ecs": { + "version": "8.0.0" }, - "event": { - "action": "user_release_none", - "ingested": "2021-11-19T14:40:07.263592900Z", - "original": "{\"senderAddress\":\"\u003c\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"fileName\":\"numbers.pdf\",\"fileType\":\"application\\/pdf\",\"result\":\"safe\",\"actionTriggered\":\"user release, none\",\"date\":\"2021-10-14T18:54:32+0000\",\"details\":\"Safe \\r\\nTime taken: 0 hrs, 0 min, 4 sec\",\"route\":\"inbound\",\"messageId\":\"\u003c20200806044148.F35F813B435@mail.brianjthronton.com\u003e\",\"subject\":\"Important Updated Numbers from the Center for Disease Control\",\"fileHash\":\"eaeef09b60a59b913e9bfc0a4373e25d6182beff388957473fba517cc09345e3\",\"definition\":\"Inbound - Safe file with On-Demand Sandbox\"}", - "created": "2021-10-14T18:54:32+0000" + "elastic_agent": { + "id": "1e76e2b6-7664-4905-9a0b-11e1d4dc6fa9", + "snapshot": false, + "version": "7.17.0" }, "email": { - "from": { - "address": "\u003c\u003e" - }, - "message_id": "\u003c20200806044148.F35F813B435@mail.brianjthronton.com\u003e", "attachments": { - "hash": "eaeef09b60a59b913e9bfc0a4373e25d6182beff388957473fba517cc09345e3", "file": { - "name": "numbers.pdf", + "extension": "pdf", "mime_type": "application/pdf", - "extension": "pdf" - } + "name": 
"Datasheet_Mimecast Targeted Threat Protection + Internal Email Protect (2).pdf" + }, + "hash": "cabd7cb6e1822fd9e1fc9bcf144ee26ee6bfc855c4574ca967dd53dcc36a1254" }, - "to": { - "address": "johndoe@example.com" + "direction": "inbound", + "from": { + "address": "\u003c\u003e" }, - "subject": "Important Updated Numbers from the Center for Disease Control", - "direction": "inbound" + "message_id": "\u003cCAKUQxhimsCd1bvWQVs14Amuh1+Hnw_bmSuA7ot8hy4eDa9_ziQ@mail.gmail.com\u003e", + "subject": "Test Files", + "to": { + "address": "johndoe@emample.com" + } + }, + "event": { + "action": "user_release_none", + "agent_id_status": "verified", + "created": "2021-11-24T11:54:27+0000", + "dataset": "mimecast.ttp_ap_logs", + "ingested": "2022-02-22T15:37:02Z", + "original": "{\"actionTriggered\":\"user release, none\",\"date\":\"2021-11-24T11:54:27+0000\",\"definition\":\"Inbound - Safe file with On-Demand Sandbox\",\"details\":\"Safe \\r\\nTime taken: 0 hrs, 0 min, 7 sec\",\"fileHash\":\"cabd7cb6e1822fd9e1fc9bcf144ee26ee6bfc855c4574ca967dd53dcc36a1254\",\"fileName\":\"Datasheet_Mimecast Targeted Threat Protection + Internal Email Protect (2).pdf\",\"fileType\":\"application/pdf\",\"messageId\":\"\\u003cCAKUQxhimsCd1bvWQVs14Amuh1+Hnw_bmSuA7ot8hy4eDa9_ziQ@mail.gmail.com\\u003e\",\"recipientAddress\":\"johndoe@emample.com\",\"result\":\"safe\",\"route\":\"inbound\",\"senderAddress\":\"\\u003c\\u003e\",\"subject\":\"Test Files\"}" + }, + "input": { + "type": "httpjson" }, - "tags": [ - "preserve_original_event" - ], "mimecast": { - "result": "safe", - "details": "Safe \r\nTime taken: 0 hrs, 0 min, 4 sec" - } + "details": "Safe \r\nTime taken: 0 hrs, 0 min, 7 sec", + "result": "safe" + }, + "related": { + "hash": [ + "cabd7cb6e1822fd9e1fc9bcf144ee26ee6bfc855c4574ca967dd53dcc36a1254" + ] + }, + "rule": { + "name": "Inbound - Safe file with On-Demand Sandbox" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "mimecast-ttp-ap" + ] } ``` 
@@ -724,61 +778,86 @@ An example event for `ttp_url` looks as following: ```json { - "rule": { - "name": "Inbound URL 'Aggressive'" - }, - "source": { - "ip": "8.8.8.8" + "@timestamp": "2021-11-10T03:49:53.000Z", + "agent": { + "ephemeral_id": "32e43233-fc59-4b6d-97c4-bc2d0647f8a0", + "hostname": "docker-fleet-agent", + "id": "1e76e2b6-7664-4905-9a0b-11e1d4dc6fa9", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" }, - "url": { - "original": "https://click.emailinfo2.bestbuy.com/?qs=5c47c91aeb44fac857370c26ddf09c3f484431e1ccfa636fc64e26e40dd87efdb43d4deeeab8c2e727ebfa079e8cf1404c095c511152e4b09e7d00bf8377f32d" + "data_stream": { + "dataset": "mimecast.ttp_url_logs", + "namespace": "ep", + "type": "logs" }, - "tags": [ - "preserve_original_event" - ], - "@timestamp": "2021-10-16T14:45:34.000Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, - "related": { - "user": [ - "johndoe", - "johndoe@example.com" - ], - "ip": [ - "8.8.8.8" - ] - }, - "event": { - "action": "Continue", - "ingested": "2021-11-24T14:39:10.084705200Z", - "original": "{\"userEmailAddress\": \"johndoe@example.com\", \"fromUserEmailAddress\": \"bestbuyinfo@emailinfo.bestbuy.com\", \"url\": \"https://click.emailinfo2.bestbuy.com/?qs=5c47c91aeb44fac857370c26ddf09c3f484431e1ccfa636fc64e26e40dd87efdb43d4deeeab8c2e727ebfa079e8cf1404c095c511152e4b09e7d00bf8377f32d\", \"ttpDefinition\": \"Inbound URL 'Aggressive'\", \"subject\": \"Today only: Save $100 on Tineco Pure One S12 smart cordless stick vacuum, plus more.\", \"action\": \"allow\", \"adminOverride\": \"N/A\", \"userOverride\": \"None\", \"scanResult\": \"clean\", \"category\": \"Business\", \"sendingIp\": \"8.8.8.8\", \"userAwarenessAction\": \"Continue\", \"date\": \"2021-10-16T14:45:34+0000\", \"actions\": \"Allow\", \"route\": \"inbound\", \"creationMethod\": \"User Click\", \"emailPartsDescription\": [ \"Body\" ], \"messageId\": \"\u003c31b43097-94f9-4f64-8e37-8ad23650c692@ind1s01mta1292.xt.local\u003e\" }", - 
"created": "2021-10-16T14:45:34+0000" - }, - "user": { - "name": "johndoe", - "email": "johndoe@example.com", - "domain": "example.com" + "elastic_agent": { + "id": "1e76e2b6-7664-4905-9a0b-11e1d4dc6fa9", + "snapshot": false, + "version": "7.17.0" }, "email": { - "message_id": "\u003c31b43097-94f9-4f64-8e37-8ad23650c692@ind1s01mta1292.xt.local\u003e", + "direction": "inbound", "from": { - "address": "bestbuyinfo@emailinfo.bestbuy.com" + "address": "googlealerts-noreply@google.com" }, - "subject": "Today only: Save $100 on Tineco Pure One S12 smart cordless stick vacuum, plus more.", - "direction": "inbound" + "message_id": "\u003c000000000000a02a0a05d0671c06@google.com\u003e", + "subject": "Google Alert - china" + }, + "event": { + "action": "Continue", + "agent_id_status": "verified", + "created": "2021-11-10T03:49:53+0000", + "dataset": "mimecast.ttp_url_logs", + "ingested": "2022-02-22T15:38:37Z", + "original": "{\"action\":\"allow\",\"actions\":\"Allow\",\"adminOverride\":\"N/A\",\"category\":\"Search Engines \\u0026 Portals\",\"creationMethod\":\"User Click\",\"date\":\"2021-11-10T03:49:53+0000\",\"emailPartsDescription\":[\"Body\"],\"fromUserEmailAddress\":\"googlealerts-noreply@google.com\",\"messageId\":\"\\u003c000000000000a02a0a05d0671c06@google.com\\u003e\",\"route\":\"inbound\",\"scanResult\":\"clean\",\"sendingIp\":\"8.8.8.8\",\"subject\":\"Google Alert - china\",\"ttpDefinition\":\"Inbound URL 'Aggressive'\",\"url\":\"https://www.google.co.za/alerts/share?hl=en\\u0026gl=US\\u0026ru=https://www.wsj.com/articles/u-s-tests-israels-iron-dome-in-guam-as-defense-against-chinese-cruise-missiles-11636455224\\u0026ss=tw\\u0026rt=U.S.+Tests+Israel%27s+Iron+Dome+in+Guam+as+Defense+Against+Chinese+Cruise+Missiles+-+WSJ\\u0026cd=KhQxNzg2NTc5NDQ3ODIzODUyNjI5NzIcZmQ4N2VjYzkxMGIxMWE4Yzpjby56YTplbjpVUw\\u0026ssp=AMJHsmW3CCK1S4TNPifSXszcyaNMwd6TDg\",\"userAwarenessAction\":\"Continue\",\"userEmailAddress\":\"johndoe@example.com\",\"userOverride\":\"None\"}" + }, + 
"input": { + "type": "httpjson" }, "mimecast": { - "userOverride": "None", "action": "allow", - "adminOverride": "N/A", - "scanResult": "clean", - "category": "Business", "actions": "Allow", + "adminOverride": "N/A", + "category": "Search Engines \u0026 Portals", "creationMethod": "User Click", "emailPartsDescription": [ "Body" + ], + "scanResult": "clean", + "userOverride": "None" + }, + "related": { + "ip": [ + "8.8.8.8" + ], + "user": [ + "johndoe", + "johndoe@example.com" ] + }, + "rule": { + "name": "Inbound URL 'Aggressive'" + }, + "source": { + "ip": "8.8.8.8" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "mimecast-ttp-url" + ], + "url": { + "original": "https://www.google.co.za/alerts/share?hl=en\u0026gl=US\u0026ru=https://www.wsj.com/articles/u-s-tests-israels-iron-dome-in-guam-as-defense-against-chinese-cruise-missiles-11636455224\u0026ss=tw\u0026rt=U.S.+Tests+Israel%27s+Iron+Dome+in+Guam+as+Defense+Against+Chinese+Cruise+Missiles+-+WSJ\u0026cd=KhQxNzg2NTc5NDQ3ODIzODUyNjI5NzIcZmQ4N2VjYzkxMGIxMWE4Yzpjby56YTplbjpVUw\u0026ssp=AMJHsmW3CCK1S4TNPifSXszcyaNMwd6TDg" + }, + "user": { + "domain": "example.com", + "email": "johndoe@example.com", + "name": "johndoe" } } ``` 
@@ -867,44 +946,71 @@ An example event for `threat_intel_malware_customer` looks as following: ```json { - "@timestamp": "2021-10-29T15:07:26.653Z", + "@timestamp": "2021-11-19T01:28:37.099Z", + "agent": { + "ephemeral_id": "ed2b1a30-7f2d-4dee-a2c1-2d8cf54981ef", + "hostname": "docker-fleet-agent", + "id": "1e76e2b6-7664-4905-9a0b-11e1d4dc6fa9", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "data_stream": { + "dataset": "mimecast.threat_intel_malware_customer", + "namespace": "ep", + "type": "logs" + }, "ecs": { - "version": "1.12" + "version": "8.0.0" + }, + "elastic_agent": { + "id": "1e76e2b6-7664-4905-9a0b-11e1d4dc6fa9", + "snapshot": false, + "version": "7.17.0" + }, + "event": { + "agent_id_status": "verified", + "category": "threat", + "created": "2022-02-22T15:35:42.813Z", + "dataset": "mimecast.threat_intel_malware_customer", + "ingested": "2022-02-22T15:35:43Z", + "kind": "enrichment", + "original": "{\"created\":\"2021-11-19T01:28:37.099Z\",\"id\":\"indicator--456ac916-4c4e-43be-b7a9-6678f6a845cd\",\"labels\":[\"malicious-activity\"],\"modified\":\"2021-11-19T01:28:37.099Z\",\"pattern\":\"[file:hashes.'SHA-256' = 'ec5a6c52acdc187fc6c1187f14cd685c686c2b283503a023c4a9d3a977b491be']\",\"type\":\"indicator\",\"valid_from\":\"2021-11-19T01:28:37.099Z\"}", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "mimecast": { + "id": "indicator--456ac916-4c4e-43be-b7a9-6678f6a845cd", + "labels": [ + "malicious-activity" + ], + "pattern": "[file:hashes.'SHA-256' = 'ec5a6c52acdc187fc6c1187f14cd685c686c2b283503a023c4a9d3a977b491be']", + "type": "indicator" }, "related": { - "hash": "c20d551424f2df6312f7fa700ed97cd199c3d5c8a0f4dfd683627f18913096de" + "hash": [ + "ec5a6c52acdc187fc6c1187f14cd685c686c2b283503a023c4a9d3a977b491be" + ] }, + "tags": [ + "preserve_original_event", + "forwarded", + "mimecast-threat-intel-feed-malware-customer", + "malicious-activity" + ], "threat": { "indicator": { - "first_seen": 
"2021-10-29T15:07:26.653Z", "file": { "hash": { - "sha256": "c20d551424f2df6312f7fa700ed97cd199c3d5c8a0f4dfd683627f18913096de" + "sha256": "ec5a6c52acdc187fc6c1187f14cd685c686c2b283503a023c4a9d3a977b491be" } }, - "modified_at": "2021-10-29T15:07:26.653Z", + "first_seen": "2021-11-19T01:28:37.099Z", + "modified_at": "2021-11-19T01:28:37.099Z", "type": "file" } - }, - "event": { - "ingested": "2021-11-17T13:42:34.324885300Z", - "original": "{ \"Content-Disposition\":\"attachment; filename=\\\"malware_customer_stix_20211028161801144.stix\\\"\",\"type\": \"indicator\", \"id\": \"indicator--18c62174-0d31-4653-afe6-d104c57b6b2c\", \"created\": \"2021-10-29T15:07:26.653Z\", \"modified\": \"2021-10-29T15:07:26.653Z\", \"labels\": [ \"malicious-activity\" ], \"pattern\": \"[file:hashes.'SHA-256' = 'c20d551424f2df6312f7fa700ed97cd199c3d5c8a0f4dfd683627f18913096de']\", \"valid_from\": \"2021-10-29T15:07:26.653Z\" }", - "category": "threat", - "type": "indicator", - "kind": "enrichment" - }, - "tags": [ - "preserve_original_event", - "malicious-activity" - ], - "mimecast": { - "pattern": "[file:hashes.'SHA-256' = 'c20d551424f2df6312f7fa700ed97cd199c3d5c8a0f4dfd683627f18913096de']", - "log_type": "malware_customer", - "id": "indicator--18c62174-0d31-4653-afe6-d104c57b6b2c", - "type": "indicator", - "labels": [ - "malicious-activity" - ] } } ``` 
@@ -985,43 +1091,71 @@ An example event for `threat_intel_malware_grid` looks as following: ```json { - "@timestamp": "2021-10-29T15:07:26.653Z", + "@timestamp": "2021-11-19T01:28:37.099Z", + "agent": { + "ephemeral_id": "1cf099da-bb55-4fba-8b4d-d4cc5a3c3c72", + "hostname": "docker-fleet-agent", + "id": "1e76e2b6-7664-4905-9a0b-11e1d4dc6fa9", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "data_stream": { + "dataset": "mimecast.threat_intel_malware_grid", + "namespace": "ep", + "type": "logs" + }, "ecs": { - "version": "1.12" + "version": "8.0.0" + }, + "elastic_agent": { + "id": "1e76e2b6-7664-4905-9a0b-11e1d4dc6fa9", + "snapshot": false, + "version": "7.17.0" + }, + "event": { + "agent_id_status": "verified", + "category": "threat", + "created": "2022-02-22T15:36:21.369Z", + "dataset": "mimecast.threat_intel_malware_grid", + "ingested": "2022-02-22T15:36:22Z", + "kind": "enrichment", + "original": "{\"created\":\"2021-11-19T01:28:37.099Z\",\"id\":\"indicator--456ac916-4c4e-43be-b7a9-6678f6a845cd\",\"labels\":[\"malicious-activity\"],\"modified\":\"2021-11-19T01:28:37.099Z\",\"pattern\":\"[file:hashes.'SHA-256' = 'ec5a6c52acdc187fc6c1187f14cd685c686c2b283503a023c4a9d3a977b491be']\",\"type\":\"indicator\",\"valid_from\":\"2021-11-19T01:28:37.099Z\"}", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "mimecast": { + "id": "indicator--456ac916-4c4e-43be-b7a9-6678f6a845cd", + "labels": [ + "malicious-activity" + ], + "pattern": "[file:hashes.'SHA-256' = 'ec5a6c52acdc187fc6c1187f14cd685c686c2b283503a023c4a9d3a977b491be']", + "type": "indicator" }, "related": { - "hash": "c20d551424f2df6312f7fa700ed97cd199c3d5c8a0f4dfd683627f18913096de" + "hash": [ + "ec5a6c52acdc187fc6c1187f14cd685c686c2b283503a023c4a9d3a977b491be" + ] }, + "tags": [ + "preserve_original_event", + "forwarded", + "mimecast-threat-intel-feed-malware-grid", + "malicious-activity" + ], "threat": { "indicator": { - "first_seen": 
"2021-10-29T15:07:26.653Z",
 "file": {
 "hash": {
- "sha256": "c20d551424f2df6312f7fa700ed97cd199c3d5c8a0f4dfd683627f18913096de"
+ "sha256": "ec5a6c52acdc187fc6c1187f14cd685c686c2b283503a023c4a9d3a977b491be"
 }
 },
- "modified_at": "2021-10-29T15:07:26.653Z",
+ "first_seen": "2021-11-19T01:28:37.099Z",
+ "modified_at": "2021-11-19T01:28:37.099Z",
+ "type": "file"
 }
- },
- "event": {
- "ingested": "2021-11-17T13:42:35.248902200Z",
- "original": "{ \"Content-Disposition\":\"attachment; filename=\\\"malware_grid_stix_20211028161801144.stix\\\"\",\"type\": \"indicator\", \"id\": \"indicator--18c62174-0d31-4653-afe6-d104c57b6b2c\", \"created\": \"2021-10-29T15:07:26.653Z\", \"modified\": \"2021-10-29T15:07:26.653Z\", \"labels\": [ \"malicious-activity\" ], \"pattern\": \"[file:hashes.'SHA-256' = 'c20d551424f2df6312f7fa700ed97cd199c3d5c8a0f4dfd683627f18913096de']\", \"valid_from\": \"2021-10-29T15:07:26.653Z\" }",
- "category": "threat",
- "kind": "enrichment"
- },
- "tags": [
- "preserve_original_event",
- "malicious-activity"
- ],
- "mimecast": {
- "pattern": "[file:hashes.'SHA-256' = 'c20d551424f2df6312f7fa700ed97cd199c3d5c8a0f4dfd683627f18913096de']",
- "log_type": "malware_grid",
- "id": "indicator--18c62174-0d31-4653-afe6-d104c57b6b2c",
- "type": "indicator",
- "labels": [
- "malicious-activity"
- ]
 }
 }
 ```
diff --git a/packages/mimecast/manifest.yml b/packages/mimecast/manifest.yml
index c6e27eef374..a6e5ff97758 100644
--- a/packages/mimecast/manifest.yml
+++ b/packages/mimecast/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: mimecast
 title: "Mimecast"
-version: 0.0.5
+version: 0.0.6
 license: basic
 description: "Fetching logs from Mimecast API and ingest into Elasticsearch"
 type: integration