From 15159b11395097724c7c45fbccd51e6fe1f12cbf Mon Sep 17 00:00:00 2001
From: djordje-adzemovic-devtech
Date: Mon, 14 Feb 2022 11:27:48 +0100
Subject: [PATCH 01/14] Add use cases for parsing audit events logs and update sample events and docs
---
 packages/mimecast/changelog.yml | 5 +
 .../_dev/test/pipeline/test-audit-events.log | 4 +-
 .../test-audit-events.log-expected.json | 102 +++-
 .../elasticsearch/ingest_pipeline/default.yml | 33 +-
 .../audit_events/sample_event.json | 84 ++--
 .../data_stream/dlp_logs/sample_event.json | 8 -
 .../data_stream/siem_logs/sample_event.json | 34 +-
 .../sample_event.json | 33 +-
 .../sample_event.json | 35 +-
 .../data_stream/ttp_ap_logs/sample_event.json | 43 +-
 .../data_stream/ttp_ip_logs/sample_event.json | 64 ++-
 .../ttp_url_logs/sample_event.json | 40 +-
 packages/mimecast/docs/README.md | 470 +++++++++++-------
 packages/mimecast/manifest.yml | 2 +-
 14 files changed, 603 insertions(+), 354 deletions(-)
diff --git a/packages/mimecast/changelog.yml b/packages/mimecast/changelog.yml
index 106e6bf3df2..436c8bbe7ff 100644
--- a/packages/mimecast/changelog.yml
+++ b/packages/mimecast/changelog.yml
@@ -1,3 +1,8 @@
+- version: "0.0.6"
+ changes:
+ - description: Add use cases for audit events and update sample events and docs
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2644
 - version: "0.0.5"
 changes:
 - description: Fix typo
diff --git a/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log b/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log
index 8f129afe2f2..1c1e898b1d1 100644
--- a/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log
+++ b/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log
@@ -22,4 +22,6 @@ {"id":"eNqrVipOTS4tSs1MUbJSigzJC_ZNzg-vcjYKcwz3icotC0nVdgtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiYG5kqaOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAD-SK84","auditType":"Archive Mailbox Restore","user":"johndoejr@example.com","eventTime":"2021-10-12T18:19:33+0000","eventInfo":"Archive mailbox restore created. Restored data from johndoe@example.com to johndoejr@example.com by johndoejr@example.com, Date: 2021-10-12, Time: 18:19:33+0000, IP: 67.43.156.15, Application: Administration Console","category":"archive_service_logs"} {"id":"eNqrVipOTS4tSs1MUbJScjMvyjIxr6yoLDY2qQopLq3yDnM1dwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiYGZorKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAE5dK-0","auditType":"Archive Mailbox Export Download","user":"johndoe@example.com","eventTime":"2021-10-12T17:55:14+0000","eventInfo":"Mailbox export downloaded. Download filename (HTML Report recovery id): eNqrVipOTS4tSs1MUbJSyo3RDw81rTCpynMpdiuICMopyihxynZztcisDMoN9zWLSCrPzAjz9PALNzFwySrLMNQ2yUs38g9zS860cHKNMExR0lFKLi0uyc9NLUrOT0kFGulsYuZobgoUL0pNzi9LLarULUksztYFWWdpaKqjBBQqzszPU7IyrAUAsSEteA by johndoe@example.com, Date: 2021-10-12, Time: 17:55:14+0000, IP: 67.43.156.15, Application: Administration Console","category":"archive_service_logs"} {"id":"eNqrVipOTS4tSs1MUbJSitH39gl1cS509PT1MSnw90l0CinPCQgLS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGlsYmBsYqqjlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgAxASul","auditType":"Review Set Action","user":"johndoe@example.com","eventTime":"2021-10-12T17:07:00+0000","eventInfo":"Viewed Review Set Details - Case: Class Action, Review Set: Contracts, Date: 2021-10-12, Time: 17:07:00+0000, IP: 67.43.156.15, Application: mimecast-case-review","category":"case_review_logs"} 
-{"id":"eNqrVipOTS4tSs1MUbJS8vDNLCt0DHEKS4xICvNJqzQ1MjOyyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaWJurKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAByMK38","auditType":"Remediation Incident Adjustment","user":"johndoe@example.com","eventTime":"2021-10-12T15:38:05+0000","eventInfo":"Restore Remediation Incident Created - TR-C46A75-01419-R, type : restore, search criteria : {\"unremediateCode\":\"TR-C46A75-01419-M\",\"from\":\"gmail.com\",\"start\":\"2021-10-10T15:33:49+0000\",\"end\":\"2021-10-12T15:33:49+0000\"}, Date: 2021-10-12, Time: 15:38:05+0000, IP: 67.43.156.15, Application: Administration Console","category":"account_logs"} \ No newline at end of file +{"id":"eNqrVipOTS4tSs1MUbJS8vDNLCt0DHEKS4xICvNJqzQ1MjOyyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaWJurKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAByMK38","auditType":"Remediation Incident Adjustment","user":"johndoe@example.com","eventTime":"2021-10-12T15:38:05+0000","eventInfo":"Restore Remediation Incident Created - TR-C46A75-01419-R, type : restore, search criteria : {\"unremediateCode\":\"TR-C46A75-01419-M\",\"from\":\"gmail.com\",\"start\":\"2021-10-10T15:33:49+0000\",\"end\":\"2021-10-12T15:33:49+0000\"}, Date: 2021-10-12, Time: 15:38:05+0000, IP: 67.43.156.15, Application: Administration Console","category":"account_logs"} +{"id":"eNqrVipOTS4tSs1MUbJSMvCrMHX2MzL1yLFITjJNd8rO9wiJyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaGRkoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAPktKzg","auditType":"Logon Authentication Failed","user":"johndoe@example.com","eventTime":"2021-10-12T08:47:55+0000","eventInfo":"Failed authentication for johndoe@example.com , Date: 2022-01-11, Time: 22:54:04 GMT, IP: 67.43.156.15, Application: POP-POP2, Reason: Account Locked","category":"authentication_logs"} 
+{"id":"eNqrVipOTS4tSs1MUbJSMvCrMHX2MzL1yLFITjJNd8rO9wiJyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaGRkoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAPktKzg","auditType":"Logon Authentication Failed","user":"johndoe@example.com","eventTime":"2021-10-12T08:47:55+0000","eventInfo":"Failed authentication for johndoe@example.com , Date: 2022-01-11, Time: 21:48:01 GMT, IP: 67.43.156.15, Application: POP-POP2, Method: Cloud, Reason: Wrong Password","category":"authentication_logs"} \ No newline at end of file diff --git a/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log-expected.json b/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log-expected.json index 0e873498751..ab852a5726e 100644 --- a/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log-expected.json +++ b/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log-expected.json 
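Review bot: The two added `Logon Authentication Failed` fixture lines carry `"eventTime":"2021-10-12T08:47:55+0000"` but `Date: 2022-01-11` inside `eventInfo`, so the expected output derives an `event.created` three months after the `@timestamp` of the same record; a fixture whose two timestamps agree would make the pipeline's date handling easier to read. The expected output for these lines also shows `\u003cJohn Doe\u003e` after the address in `event.original`, which is absent from the fixture lines as shown here — if the committed fixture really lacks it, the two files are out of sync and the test could not produce the recorded `mimecast.eventInfo`, so that is worth confirming.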
@@ -1233,6 +1233,106 @@ "category": "account_logs", "eventInfo": "Restore Remediation Incident Created - TR-C46A75-01419-R, type : restore, search criteria : {\"unremediateCode\":\"TR-C46A75-01419-M\",\"from\":\"gmail.com\",\"start\":\"2021-10-10T15:33:49+0000\",\"end\":\"2021-10-12T15:33:49+0000\"}, Date: 2021-10-12, Time: 15:38:05+0000, IP: 67.43.156.15, Application: Administration Console" } - } + }, + { + "@timestamp": "2021-10-12T08:47:55.000Z", + "client": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + "ip": "67.43.156.15" + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "logon-authentication-failed", + "created": "2022-01-11T22:54:04.000Z", + "id": "eNqrVipOTS4tSs1MUbJSMvCrMHX2MzL1yLFITjJNd8rO9wiJyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaGRkoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAPktKzg", + "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSMvCrMHX2MzL1yLFITjJNd8rO9wiJyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaGRkoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAPktKzg\",\"auditType\":\"Logon Authentication Failed\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T08:47:55+0000\",\"eventInfo\":\"Failed authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2022-01-11, Time: 22:54:04 GMT, IP: 67.43.156.15, Application: POP-POP2, Reason: Account Locked\",\"category\":\"authentication_logs\"}", + "reason": "Account Locked" + }, + "mimecast": { + "application": "POP-POP2", + "category": "authentication_logs", + "eventInfo": "Failed authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2022-01-11, Time: 22:54:04 GMT, IP: 67.43.156.15, Application: POP-POP2, Reason: Account Locked" + }, + "related": { + "ip": [ + "67.43.156.15" + ], + "user": [ + "johndoe", + "johndoe@example.com" + ] + }, 
+ "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "example.com", + "email": "johndoe@example.com", + "name": "johndoe" + } + }, + { + "@timestamp": "2021-10-12T08:47:55.000Z", + "client": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + "ip": "67.43.156.15" + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "logon-authentication-failed", + "created": "2022-01-11T21:48:01.000Z", + "id": "eNqrVipOTS4tSs1MUbJSMvCrMHX2MzL1yLFITjJNd8rO9wiJyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaGRkoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAPktKzg", + "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSMvCrMHX2MzL1yLFITjJNd8rO9wiJyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaGRkoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAPktKzg\",\"auditType\":\"Logon Authentication Failed\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T08:47:55+0000\",\"eventInfo\":\"Failed authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2022-01-11, Time: 21:48:01 GMT, IP: 67.43.156.15, Application: POP-POP2, Method: Cloud, Reason: Wrong Password\",\"category\":\"authentication_logs\"}", + "reason": "Reason: Wrong Password" + }, + "mimecast": { + "application": "POP-POP2", + "category": "authentication_logs", + "eventInfo": "Failed authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2022-01-11, Time: 21:48:01 GMT, IP: 67.43.156.15, Application: POP-POP2, Method: Cloud, Reason: Wrong Password" + }, + "related": { + "ip": [ + "67.43.156.15" + ], + "user": [ + "johndoe", + "johndoe@example.com" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "example.com", + "email": "johndoe@example.com", + "name": "johndoe" + } + } ] } \ No newline at end of file 
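Review bot: The second added document records `"reason": "Reason: Wrong Password"` while the first records `"Account Locked"`, so this expected file locks in a value with the key prefix leaked into it. The cause appears to be the new dissect in the default.yml hunk of this patch, which is guarded by `ctx?.mimecast?.event_info_parts.length == 6` and therefore skips this variant, whose extra `Method: Cloud` segment makes seven comma-separated parts; `event.reason` then presumably comes from an earlier processor outside that hunk. A second dissect for the seven-part form, `pattern: "%{mimecast.info}, %{?key}: %{mimecast.date}, %{?key}: %{mimecast.time}, %{?key}: %{client.ip}, %{?key}: %{mimecast.application}, %{?key}: %{?method}, %{?key}: %{event.reason}"` guarded by `event_info_parts.length == 7`, would give both documents a bare reason, after which this file should be regenerated.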
diff --git a/packages/mimecast/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml b/packages/mimecast/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml index f75b58aca00..c5ee9a83877 100644 --- a/packages/mimecast/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml +++ b/packages/mimecast/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml @@ -22,7 +22,15 @@ processors: field: mimecast.eventTime timezone: UTC formats: - - yyyy-MM-dd'T'HH:mm:ssZ + - "yyyy-MM-dd'T'HH:mm:ssz" + - "yyyy-MM-dd'T'HH:mm:ssZ" + - "yyyy-MM-dd'T'HH:mm:ss.Sz" + - "yyyy-MM-dd'T'HH:mm:ss.SZ" + - "yyyy-MM-dd'T'HH:mm:ss.SSz" + - "yyyy-MM-dd'T'HH:mm:ss.SSZ" + - "yyyy-MM-dd'T'HH:mm:ss.SSSz" + - "yyyy-MM-dd'T'HH:mm:ss.SSSZ" + - "yyyy-MM-dd'T'HH:mm:ss z" ### @@ -93,7 +101,18 @@ processors: - dissect: field: mimecast.eventInfo pattern: "%{mimecast.info}, %{?key}:%{mimecast.email.address}[%{mimecast.email.metadata}] %{?key}: %{client.ip} %{?key}: %{mimecast.application}" - if: 'ctx?.event?.action=="logon-authentication-failed"' + if: 'ctx?.event?.action=="logon-authentication-failed" && (ctx?.mimecast?.email?.metadata != "")' + ignore_missing: true + ignore_failure: true + - split: + field: mimecast.eventInfo + separator: "," + target_field: mimecast.event_info_parts + if: 'ctx?.mimecast?.eventInfo != null && ctx?.event?.action=="logon-authentication-failed"' + - dissect: + field: mimecast.eventInfo + pattern: "%{mimecast.info}, %{?key}: %{mimecast.date}, %{?key}: %{mimecast.time}, %{?key}: %{client.ip}, %{?key}: %{mimecast.application}, %{?key}: %{event.reason}" + if: 'ctx?.event?.action=="logon-authentication-failed" && (ctx?.mimecast?.event_info_parts.length == 6)' ignore_missing: true ignore_failure: true - dissect: 
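Review bot: The new dissect's condition dereferences `ctx?.mimecast?.event_info_parts.length` with no null-safe operator on `event_info_parts`; the preceding split only runs when `mimecast.eventInfo` is non-null, so a logon-authentication-failed event without `eventInfo` evaluates `.length` on null inside the condition, which — as far as I can tell — `ignore_failure` does not cover because the condition is evaluated before the processor runs. `if: 'ctx?.event?.action=="logon-authentication-failed" && ctx?.mimecast?.event_info_parts?.length == 6'` avoids that. The widened condition on the first dissect, `ctx?.mimecast?.email?.metadata != ""`, tests a field that this same dissect populates, so unless an earlier processor sets it the comparison is against null and is always true; if the intent is to skip events without an email-metadata segment, the check needs to look at `mimecast.eventInfo` instead.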
@@ -152,6 +171,15 @@ processors:
 - yyyy-MM-dd HH:mm:ssZ
 - yyyy-MM-dd HH:mm:ss z
 - yyyy-MM-dd HH:mm:ss
+ - yyyy-MM-dd'T'HH:mm:ssz
+ - yyyy-MM-dd'T'HH:mm:ssZ
+ - yyyy-MM-dd'T'HH:mm:ss.Sz
+ - yyyy-MM-dd'T'HH:mm:ss.SZ
+ - yyyy-MM-dd'T'HH:mm:ss.SSz
+ - yyyy-MM-dd'T'HH:mm:ss.SSZ
+ - yyyy-MM-dd'T'HH:mm:ss.SSSz
+ - yyyy-MM-dd'T'HH:mm:ss.SSSZ
+ - yyyy-MM-dd'T'HH:mm:ss z
 if: 'ctx?.event?.created != null'
 - geoip:
 field: client.ip
@@ -221,6 +249,7 @@ processors:
 - mimecast.columns_exported
 - mimecast.as.asn
 - mimecast.organization_name
+ - mimecast.event_info_parts
 ignore_missing: true
 - remove:
 description: Remove 'event.original' if 'preserve_original_event' is not set.
diff --git a/packages/mimecast/data_stream/audit_events/sample_event.json b/packages/mimecast/data_stream/audit_events/sample_event.json
index 473cd0af7f3..644d774860d 100644
--- a/packages/mimecast/data_stream/audit_events/sample_event.json
+++ b/packages/mimecast/data_stream/audit_events/sample_event.json
@@ -1,12 +1,25 @@
 {
- "@timestamp": "2021-11-16T12:01:37.000Z",
- "agent": {
- "ephemeral_id": "57841034-22ed-4fcd-bcfd-0a9518249e2d",
- "hostname": "docker-fleet-agent",
- "id": "eb7f38a3-c00c-4d87-9c69-fddb3d650fab",
- "name": "docker-fleet-agent",
- "type": "filebeat",
- "version": "7.16.0"
+ "@timestamp": "2022-02-09T02:45:01.000Z",
+ "file": {
+ "extension": "zip",
+ "name": "Threat intel multiple feeds download - malware_customer_csv_20220209024500934.zip"
+ },
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "related": {
+ "ip": [
+ "8.8.8.8"
+ ],
+ "user": [
+ "johndoe",
+ "johndoe@example.com"
+ ]
+ },
+ "data_stream": {
+ "namespace": "default",
+ "type": "logs",
+ "dataset": "mimecast.audit_events"
 },
 "client": {
 "as": {
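Review bot: The nine formats added to this `event.created` date processor are unquoted, while the identical list added to the `mimecast.eventTime` processor earlier in this patch quotes each one (`- "yyyy-MM-dd'T'HH:mm:ssz"`). Both parse the same in YAML, since the single quote is not at the start of the scalar, but the two lists should use one style, and quoting also keeps the lone `yyyy-MM-dd'T'HH:mm:ss z` entry from being misread as two tokens.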
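Review bot: `file.name` in the new sample is `"Threat intel multiple feeds download - malware_customer_csv_20220209024500934.zip"`, i.e. the whole leading phrase of `eventInfo`, while `file.extension` is just `zip`; whatever extracts the name (not part of this patch) seems to capture everything before `, Date:` rather than the file name itself, and a sample showing `file.name` as `malware_customer_csv_20220209024500934.zip` would match ECS better. If keeping the full description is intended, a comment in the pipeline next to that processor saying so would save the next reader the same question.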
@@ -26,53 +39,22 @@ }, "ip": "8.8.8.8" }, - "data_stream": { - "dataset": "mimecast.audit_events", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "1.12.0" - }, - "elastic_agent": { - "id": "eb7f38a3-c00c-4d87-9c69-fddb3d650fab", - "snapshot": true, - "version": "7.16.0" - }, "event": { - "action": "case-action", "agent_id_status": "verified", - "created": "2021-11-16T12:01:37.000Z", - "dataset": "mimecast.audit_events", - "id": "eNqrVipOTS4tSs1MUbJSskwzjDIMyDRKLinNSEl1c0pOqXLJyQlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWFsYmhkrqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAE_sLAI", - "ingested": "2021-11-24T15:39:11Z", - "original": "{\"auditType\":\"Case Action\",\"category\":\"case_review_logs\",\"eventInfo\":\"Viewed Case - Case: GDPR/CCPA, Date: 2021-11-16, Time: 12:01:37+0000, IP: 8.8.8.8, Application: mimecast-case-review\",\"eventTime\":\"2021-11-16T12:01:37+0000\",\"id\":\"eNqrVipOTS4tSs1MUbJSskwzjDIMyDRKLinNSEl1c0pOqXLJyQlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWFsYmhkrqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAE_sLAI\",\"user\":\"johndoe@example.com\"}" + "ingested": "2022-02-09T09:45:25Z", + "created": "2022-02-09T02:45:01.000Z", + "action": "threat-intel-feed-download", + "id": "eNqrVipOTS4tSs1MUbJSyvMxyknzzcqN0S9Nzs_PqCoNCTE2j3ILS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsZGhobmJkYKKjlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgCY1Sx4", + "dataset": "mimecast.audit_events" }, - "input": { - "type": "httpjson" - }, - "mimecast": { - "application": "mimecast-case-review", - "category": "case_review_logs", - "eventInfo": "Viewed Case - Case: GDPR/CCPA, Date: 2021-11-16, Time: 12:01:37+0000, IP: 8.8.8.8, Application: mimecast-case-review" - }, - "related": { - "ip": [ - "8.8.8.8" - ], - "user": [ - "johndoe", - "johndoe@example.com" - ] - }, - "tags": [ - "preserve_original_event", - "forwarded", - "mimecast-audit-events" - 
], "user": { "domain": "example.com", - "email": "johndoe@example.com", - "name": "johndoe" + "name": "johdoe", + "email": "johndoe@example.com" + }, + "mimecast": { + "eventInfo": "Threat intel multiple feeds download - malware_customer_csv_20220209024500934.zip, Date: 2022-02-09, Time: 02:45:01+0000, IP: 8.8.8.8, Application: Integrations", + "application": "Integrations", + "category": "reporting_logs" } } \ No newline at end of file diff --git a/packages/mimecast/data_stream/dlp_logs/sample_event.json b/packages/mimecast/data_stream/dlp_logs/sample_event.json index 88b952d6767..e6b6e217321 100644 --- a/packages/mimecast/data_stream/dlp_logs/sample_event.json +++ b/packages/mimecast/data_stream/dlp_logs/sample_event.json @@ -1,13 +1,5 @@ { "@timestamp": "2021-11-18T21:41:18.000Z", - "agent": { - "ephemeral_id": "1aef981f-3448-4d12-bd5a-723ac1cdcc81", - "hostname": "docker-fleet-agent", - "id": "eb7f38a3-c00c-4d87-9c69-fddb3d650fab", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.16.0" - }, "data_stream": { "dataset": "mimecast.dlp_logs", "namespace": "ep", diff --git a/packages/mimecast/data_stream/siem_logs/sample_event.json b/packages/mimecast/data_stream/siem_logs/sample_event.json index 01ef03c371e..5b5ec9b3bb2 100644 --- a/packages/mimecast/data_stream/siem_logs/sample_event.json +++ b/packages/mimecast/data_stream/siem_logs/sample_event.json 
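Review bot: The new sample has `"name": "johdoe"` under `user` while `user.email` and `related.user` say `johndoe`, which the pipeline could not produce from the same address; the sample looks hand-edited rather than taken from pipeline output and should be regenerated, since the README embeds it. `data_stream.namespace` is also `default` here but stays `ep` in the dlp_logs sample touched by the same patch; one namespace across the package's samples would be less confusing.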
@@ -1,33 +1,35 @@ { - "@timestamp": "2021-10-18T08:02:43.000Z", + "@timestamp": "2022-02-03T18:17:38.000Z", "ecs": { "version": "1.12.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "mimecast.siem_logs" + }, "event": { - "reason": "Spm", - "action": "Hld", - "ingested": "2021-11-25T11:34:11.459620200Z", - "original": "{\"Act\":\"Hld\",\"AttCnt\":0,\"AttNames\":null,\"AttSize\":0,\"Content-Disposition\":\"attachment; filename=\\\"process_20211018093329655.json\\\"\",\"Hld\":\"Spm\",\"MsgId\":\"\\u003cINX.164dae0719be95da77068c7d264.3e915.e7719.c78c.17c926a3231ace@newsletter.77onlineshop.eu\\u003e\",\"MsgSize\":157436,\"Sender\":\"bounce_9244+cdaahhimyaaaaagaad5ekqaaaaaaaaeribenpq@newsletter.77onlineshop.eu\",\"Subject\":\"Hi Sandra! Neue Styles eingetroffen! – Finde deinen Lieblings-Look!\",\"aCode\":\"HhuwRf_AOcuJZINE2ZgcKw\",\"acc\":\"ABC123\",\"datetime\":\"2021-10-18T09:02:43+0100\"}", - "created": "2021-10-18T09:02:43+0100", + "agent_id_status": "verified", + "ingested": "2022-02-09T09:58:25Z", + "created": "2022-02-03T18:17:38+0000", + "action": "Acc", + "dataset": "mimecast.siem_logs", "outcome": "unknown" }, "email": { - "message_id": "\u003cINX.164dae0719be95da77068c7d264.3e915.e7719.c78c.17c926a3231ace@newsletter.77onlineshop.eu\u003e", - "from": { - "address": "bounce_9244+cdaahhimyaaaaagaad5ekqaaaaaaaaeribenpq@newsletter.77onlineshop.eu" - }, "attachments": { "file": { "size": 0 } }, - "local_id": "HhuwRf_AOcuJZINE2ZgcKw", - "subject": "Hi Sandra! Neue Styles eingetroffen! – Finde deinen Lieblings-Look!", - "message_size": 157436 + "local_id": "23e26c29-14fa-4a31-a6a1-474ba8fa7943", + "subject": "You've been sent a secure message: hello world", + "message_id": "\u003c151821003-1643912257257@uk-mta-93.uk.example.lan\u003e", + "from": { + "address": "johndoe@example.com" + }, + "message_size": 27677 }, - "tags": [ - "preserve_original_event" - ], "mimecast": { "acc": "ABC123", "log_type": "process", 
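Review bot: `event.created` in the new sample is the raw string `"2022-02-03T18:17:38+0000"` while `@timestamp` is normalized to `"2022-02-03T18:17:38.000Z"`, which suggests the source `datetime` is copied into `event.created` without passing through a date processor; the same form appears in the ttp_ap_logs, ttp_ip_logs and ttp_url_logs samples in this patch, whereas the threat_intel samples show a normalized value. Since `event.created` is a date field, a value the index's date format does not accept may be rejected at index time, so running it through the same date processor as `@timestamp` would fix all four; if that already happens and the samples simply predate it, regenerating them from current output settles it.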
diff --git a/packages/mimecast/data_stream/threat_intel_malware_customer/sample_event.json b/packages/mimecast/data_stream/threat_intel_malware_customer/sample_event.json index 7627d4d8cde..9463a5cefab 100644 --- a/packages/mimecast/data_stream/threat_intel_malware_customer/sample_event.json +++ b/packages/mimecast/data_stream/threat_intel_malware_customer/sample_event.json 
@@ -1,38 +1,43 @@ { - "@timestamp": "2021-10-29T15:07:26.653Z", + "@timestamp": "2022-02-02T16:07:13.213Z", "ecs": { "version": "1.12" }, "related": { - "hash": "c20d551424f2df6312f7fa700ed97cd199c3d5c8a0f4dfd683627f18913096de" + "hash": [ + "f074c46bb36cc48f36359d9847def630a4bd405d654e7db9b2b8ea1ce4e2528d" + ] + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "mimecast.threat_intel_malware_customer" }, "threat": { "indicator": { - "first_seen": "2021-10-29T15:07:26.653Z", + "first_seen": "2022-02-02T16:07:13.213Z", "file": { "hash": { - "sha256": "c20d551424f2df6312f7fa700ed97cd199c3d5c8a0f4dfd683627f18913096de" + "sha256": "f074c46bb36cc48f36359d9847def630a4bd405d654e7db9b2b8ea1ce4e2528d" } }, - "modified_at": "2021-10-29T15:07:26.653Z", + "modified_at": "2022-02-02T16:07:13.213Z", "type": "file" } }, "event": { - "ingested": "2021-11-17T13:42:34.324885300Z", - "original": "{ \"Content-Disposition\":\"attachment; filename=\\\"malware_customer_stix_20211028161801144.stix\\\"\",\"type\": \"indicator\", \"id\": \"indicator--18c62174-0d31-4653-afe6-d104c57b6b2c\", \"created\": \"2021-10-29T15:07:26.653Z\", \"modified\": \"2021-10-29T15:07:26.653Z\", \"labels\": [ \"malicious-activity\" ], \"pattern\": \"[file:hashes.'SHA-256' = 'c20d551424f2df6312f7fa700ed97cd199c3d5c8a0f4dfd683627f18913096de']\", \"valid_from\": \"2021-10-29T15:07:26.653Z\" }", + "agent_id_status": "verified", + "ingested": "2022-02-09T08:10:24Z", + "created": "2022-02-09T08:10:24.724Z", + "kind": "enrichment", "category": "threat", "type": "indicator", - "kind": "enrichment" + "dataset": "mimecast.threat_intel_malware_customer" }, - "tags": [ - "preserve_original_event", - "malicious-activity" - ], "mimecast": { - "pattern": "[file:hashes.'SHA-256' = 'c20d551424f2df6312f7fa700ed97cd199c3d5c8a0f4dfd683627f18913096de']", "log_type": "malware_customer", - "id": "indicator--18c62174-0d31-4653-afe6-d104c57b6b2c", + "pattern": "[file:hashes.'SHA-256' = 
'f074c46bb36cc48f36359d9847def630a4bd405d654e7db9b2b8ea1ce4e2528d']", + "id": "indicator--17be7188-db80-4f6e-84cf-7fcb016f45de", "type": "indicator", "labels": [ "malicious-activity" diff --git a/packages/mimecast/data_stream/threat_intel_malware_grid/sample_event.json b/packages/mimecast/data_stream/threat_intel_malware_grid/sample_event.json index 23becc0e29b..7cfd47b864a 100644 --- a/packages/mimecast/data_stream/threat_intel_malware_grid/sample_event.json +++ b/packages/mimecast/data_stream/threat_intel_malware_grid/sample_event.json 
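Review bot: This sample drops `event.original` and `tags` while the sibling threat_intel_malware_grid sample in the same patch keeps `event.original`; the two streams consume the same STIX input, so their samples should show the same shape for readers comparing them. The `ecs.version` context line says `"1.12"` here (and in malware_grid) whereas every other sample in the package says `"1.12.0"`, and the `pattern` string appears to be broken across two lines in this hunk; regenerating both samples from pipeline output rather than editing them would settle all three.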
@@ -1,37 +1,44 @@ { - "@timestamp": "2021-10-29T15:07:26.653Z", + "@timestamp": "2022-02-02T08:29:59.677Z", "ecs": { "version": "1.12" }, "related": { - "hash": "c20d551424f2df6312f7fa700ed97cd199c3d5c8a0f4dfd683627f18913096de" + "hash": [ + "7120d1338e2fac743e50cbafc5f6de37c97890678f35e15a21cd17384f2f78d0" + ] + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "mimecast.threat_intel_malware_grid" }, "threat": { "indicator": { - "first_seen": "2021-10-29T15:07:26.653Z", + "first_seen": "2022-02-02T08:29:59.677Z", "file": { "hash": { - "sha256": "c20d551424f2df6312f7fa700ed97cd199c3d5c8a0f4dfd683627f18913096de" + "sha256": "7120d1338e2fac743e50cbafc5f6de37c97890678f35e15a21cd17384f2f78d0" } }, - "modified_at": "2021-10-29T15:07:26.653Z", + "modified_at": "2022-02-02T08:29:59.677Z", "type": "file" } }, "event": { - "ingested": "2021-11-17T13:42:35.248902200Z", - "original": "{ \"Content-Disposition\":\"attachment; filename=\\\"malware_grid_stix_20211028161801144.stix\\\"\",\"type\": \"indicator\", \"id\": \"indicator--18c62174-0d31-4653-afe6-d104c57b6b2c\", \"created\": \"2021-10-29T15:07:26.653Z\", \"modified\": \"2021-10-29T15:07:26.653Z\", \"labels\": [ \"malicious-activity\" ], \"pattern\": \"[file:hashes.'SHA-256' = 'c20d551424f2df6312f7fa700ed97cd199c3d5c8a0f4dfd683627f18913096de']\", \"valid_from\": \"2021-10-29T15:07:26.653Z\" }", + "agent_id_status": "verified", + "ingested": "2022-02-09T08:41:44Z", + "original": "{\"Content-Disposition\":\"attachment; filename=\\\"malware_grid_stix_20220202083530775.stix\\\"\",\"created\":\"2022-02-02T08:29:59.677Z\",\"id\":\"indicator--12dbac84-90a0-4896-a6aa-96d1f7b723f1\",\"labels\":[\"malicious-activity\"],\"modified\":\"2022-02-02T08:29:59.677Z\",\"pattern\":\"[file:hashes.'SHA-256' = '7120d1338e2fac743e50cbafc5f6de37c97890678f35e15a21cd17384f2f78d0']\",\"type\":\"indicator\",\"valid_from\":\"2022-02-02T08:29:59.677Z\"}", + "created": "2022-02-09T08:41:43.956Z", + "kind": "enrichment", 
"category": "threat", - "kind": "enrichment" + "type": "indicator", + "dataset": "mimecast.threat_intel_malware_grid" }, - "tags": [ - "preserve_original_event", - "malicious-activity" - ], "mimecast": { - "pattern": "[file:hashes.'SHA-256' = 'c20d551424f2df6312f7fa700ed97cd199c3d5c8a0f4dfd683627f18913096de']", "log_type": "malware_grid", - "id": "indicator--18c62174-0d31-4653-afe6-d104c57b6b2c", + "pattern": "[file:hashes.'SHA-256' = '7120d1338e2fac743e50cbafc5f6de37c97890678f35e15a21cd17384f2f78d0']", + "id": "indicator--12dbac84-90a0-4896-a6aa-96d1f7b723f1", "type": "indicator", "labels": [ "malicious-activity" diff --git a/packages/mimecast/data_stream/ttp_ap_logs/sample_event.json b/packages/mimecast/data_stream/ttp_ap_logs/sample_event.json index 78bdf6beb1a..6cd153d9552 100644 --- a/packages/mimecast/data_stream/ttp_ap_logs/sample_event.json +++ b/packages/mimecast/data_stream/ttp_ap_logs/sample_event.json 
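Review bot: `event.created` in the new sample is `"2022-02-09T08:41:43.956Z"`, within a second of `event.ingested`, while the indicator's own `"created":"2022-02-02T08:29:59.677Z"` is visible in `event.original` on the line above, so `event.created` is being filled with the collection time rather than the time the source record was created, which is what ECS reserves the field for. Mapping the STIX `created` value into `event.created` and leaving collection time to `event.ingested` would make the field meaningful; the malware_customer sample in this patch has the same problem, its `event.created` also equalling its ingest time.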
@@ -1,44 +1,47 @@ { - "@timestamp": "2021-10-14T18:54:32.000Z", + "@timestamp": "2022-02-01T17:27:48.000Z", "ecs": { "version": "1.12.0" }, "related": { - "hash": "eaeef09b60a59b913e9bfc0a4373e25d6182beff388957473fba517cc09345e3" + "hash": [ + "eaeef09b60a59b913e9bfc0a4373e25d6182beff388957473fba517cc09345e3" + ] }, - "rule": { - "name": "Inbound - Safe file with On-Demand Sandbox" + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "mimecast.ttp_ap_logs" }, "event": { + "agent_id_status": "verified", + "ingested": "2022-02-09T08:45:45Z", + "original": "{\"actionTriggered\":\"user release, none\",\"date\":\"2022-02-01T17:27:48+0000\",\"definition\":\"Inbound - Safe file with On-Demand Sandbox\",\"details\":\"Safe \\r\\nTime taken: 0 hrs, 0 min, 32 sec\",\"fileHash\":\"eaeef09b60a59b913e9bfc0a4373e25d6182beff388957473fba517cc09345e3\",\"fileName\":\"numbers.pdf\",\"fileType\":\"application/pdf\",\"messageId\":\"\\u003c20200806044148.F35F813B435@mail.example.com\\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"result\":\"safe\",\"route\":\"inbound\",\"senderAddress\":\"\\u003c\\u003e\",\"subject\":\"Important Updated Numbers from the Center for Disease Control\"}", + "created": "2022-02-01T17:27:48+0000", "action": "user_release_none", - "ingested": "2021-11-19T14:40:07.263592900Z", - "original": "{\"senderAddress\":\"\u003c\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"fileName\":\"numbers.pdf\",\"fileType\":\"application\\/pdf\",\"result\":\"safe\",\"actionTriggered\":\"user release, none\",\"date\":\"2021-10-14T18:54:32+0000\",\"details\":\"Safe \\r\\nTime taken: 0 hrs, 0 min, 4 sec\",\"route\":\"inbound\",\"messageId\":\"\u003c20200806044148.F35F813B435@mail.brianjthronton.com\u003e\",\"subject\":\"Important Updated Numbers from the Center for Disease Control\",\"fileHash\":\"eaeef09b60a59b913e9bfc0a4373e25d6182beff388957473fba517cc09345e3\",\"definition\":\"Inbound - Safe file with On-Demand Sandbox\"}", - "created": 
"2021-10-14T18:54:32+0000" + "dataset": "mimecast.ttp_ap_logs" }, "email": { - "from": { - "address": "\u003c\u003e" - }, - "message_id": "\u003c20200806044148.F35F813B435@mail.brianjthronton.com\u003e", "attachments": { - "hash": "eaeef09b60a59b913e9bfc0a4373e25d6182beff388957473fba517cc09345e3", "file": { - "name": "numbers.pdf", + "extension": "pdf", "mime_type": "application/pdf", - "extension": "pdf" - } + "name": "numbers.pdf" + }, + "hash": "eaeef09b60a59b913e9bfc0a4373e25d6182beff388957473fba517cc09345e3" + }, + "subject": "Important Updated Numbers from the Center for Disease Control", + "from": { + "address": "\u003c\u003e" }, + "message_id": "\u003c20200806044148.F35F813B435@mail.example.com\u003e", "to": { "address": "johndoe@example.com" }, - "subject": "Important Updated Numbers from the Center for Disease Control", "direction": "inbound" }, - "tags": [ - "preserve_original_event" - ], "mimecast": { "result": "safe", - "details": "Safe \r\nTime taken: 0 hrs, 0 min, 4 sec" + "details": "Safe \r\nTime taken: 0 hrs, 0 min, 32 sec" } } \ No newline at end of file diff --git a/packages/mimecast/data_stream/ttp_ip_logs/sample_event.json b/packages/mimecast/data_stream/ttp_ip_logs/sample_event.json index 1ebe748244a..d9feed9206a 100644 --- a/packages/mimecast/data_stream/ttp_ip_logs/sample_event.json +++ b/packages/mimecast/data_stream/ttp_ip_logs/sample_event.json 
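Review bot: `email.from.address` is re-emitted as the literal `"\u003c\u003e"`, the `<>` SMTP null sender, which is not an address and will pollute any aggregation or lookup on that field; the raw `senderAddress` is already kept in `event.original`, so the pipeline could leave the ECS field unset when the value is `<>`. Only the line's position moves in this hunk and the value is unchanged, so the fix belongs in the pipeline rather than this sample; at minimum a comment there, `# senderAddress "<>" is the SMTP null sender, not a mailbox`, would document the choice.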
@@ -1,51 +1,63 @@ { - "@timestamp": "2021-10-15T17:10:46.000Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": "8.8.8.8" - }, "rule": { "name": "IP - 1 hit (Tag email)" }, "source": { "ip": "8.8.8.8" }, + "tags": [ + "forwarded", + "mimecast-ttp-ip" + ], + "input": { + "type": "httpjson" + }, + "@timestamp": "2022-02-08T17:21:45.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "8.8.8.8" + ] + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "mimecast.ttp_ip_logs" + }, "event": { + "agent_id_status": "verified", + "ingested": "2022-02-09T10:09:19Z", + "created": "2022-02-08T17:21:45+0000", "action": "none", - "ingested": "2021-11-19T14:42:59.823940200Z", - "original": "{\"id\":\"MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMjU1NjIw1FEqSy0qzszPU7ICskvywAoNDAyVagFirRIG\",\"senderAddress\":\"smtp@example.com\",\"recipientAddress\":\"johndoe@example.com\",\"subject\":\"Requested File\",\"definition\":\"IP - 1 hit (Tag email)\",\"hits\":1,\"identifiers\":[\"internal_user_name\"],\"action\":\"none\",\"taggedExternal\":false,\"taggedMalicious\":true,\"senderIpAddress\":\"8.8.8.8\",\"eventTime\":\"2021-10-15T17:10:46+0000\",\"impersonationResults\":[{\"impersonationDomainSource\":\"internal_user_name\",\"similarDomain\":\"John Doe Jr \u003cjohndoejr@example.com\u003e\",\"stringSimilarToDomain\":\"John Doe Jr\",\"checkerResult\":\"hit\"}],\"messageId\":\"\u003cEE7E97EA-1926-4A90-9399-D049A98893F4@emailsec.ninja\u003e\"}", - "id": "MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMjU1NjIw1FEqSy0qzszPU7ICskvywAoNDAyVagFirRIG", - "created": "2021-10-15T17:10:46+0000" + "id": "MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyNjAxtzQz0FEqSy0qzszPU7Iy1FEqyQMrNDAwVqoFAGPlEhM", + "dataset": "mimecast.ttp_ip_logs" }, "email": { + "subject": "FW: Subject | Training", "from": { - "address": "smtp@example.com" - }, - "message_id": "\u003cEE7E97EA-1926-4A90-9399-D049A98893F4@emailsec.ninja\u003e", - "to": { 
"address": "johndoe@example.com" }, - "subject": "Requested File" + "message_id": "\u003cAS8P194MB1544675B724095ACB49F2338A82D9@AS8P194MB1544.EURP194.PROD.OUTLOOK.COM\u003e", + "to": { + "address": "janedoe@example.com" + } }, - "tags": [ - "preserve_original_event" - ], "mimecast": { "hits": 1, + "taggedMalicious": true, + "identifiers": [ + "internal_user_name" + ], "impersonationResults": [ { "checkerResult": "hit", + "similarDomain": "John Doe \u003cjohndoe@example.com\u003e", "impersonationDomainSource": "internal_user_name", - "stringSimilarToDomain": "John Doe Jr", - "similarDomain": "John Doe Jr \u003cjohndoejr@example.com\u003e" + "stringSimilarToDomain": "John Doe" } ], - "taggedMalicious": true, - "taggedExternal": false, - "identifiers": [ - "internal_user_name" - ] + "taggedExternal": false } } \ No newline at end of file diff --git a/packages/mimecast/data_stream/ttp_url_logs/sample_event.json b/packages/mimecast/data_stream/ttp_url_logs/sample_event.json index caff8ea714c..01092b8b1e7 100644 --- a/packages/mimecast/data_stream/ttp_url_logs/sample_event.json +++ b/packages/mimecast/data_stream/ttp_url_logs/sample_event.json 
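Review bot: This regenerated sample now includes `tags` (`forwarded`, `mimecast-ttp-ip`) and `input.type`, as does the ttp_url_logs sample in the same patch, while the audit_events, siem_logs, threat_intel and ttp_ap_logs samples omit them along with `agent` and `elastic_agent`; the samples appear to have been pruned by hand to different depths. Since the README embeds these, one consistent shape across the package — either the full agent output or the same pruned set everywhere — would read better.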
@@ -6,49 +6,59 @@ "ip": "8.8.8.8" }, "url": { - "original": "https://click.emailinfo2.bestbuy.com/?qs=5c47c91aeb44fac857370c26ddf09c3f484431e1ccfa636fc64e26e40dd87efdb43d4deeeab8c2e727ebfa079e8cf1404c095c511152e4b09e7d00bf8377f32d" + "original": "https://link.buzzfeed.com/click/26642507.136718/aHR0cHM6Ly93d3cuYnV6emZlZWQuY29tL25lZ2VzdGlrYXVkby9zZXgtdG95cy10by1naWZ0LXlvdXJzZWxmLWZvci12YWxlbnRpbmVzLWRheS1hbmQtZmVlbD9vcmlnaW49c2hvcHBpbmdubA/5d81de1940f8667f86011339B2d1592db" }, "tags": [ - "preserve_original_event" + "forwarded", + "mimecast-ttp-url" ], - "@timestamp": "2021-10-16T14:45:34.000Z", + "input": { + "type": "httpjson" + }, + "@timestamp": "2022-02-09T01:39:36.000Z", "ecs": { "version": "1.12.0" }, "related": { + "ip": [ + "8.8.8.8" + ], "user": [ "johndoe", "johndoe@example.com" - ], - "ip": [ - "8.8.8.8" ] }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "mimecast.ttp_url_logs" + }, "event": { + "agent_id_status": "verified", + "ingested": "2022-02-09T10:13:06Z", + "created": "2022-02-09T01:39:36+0000", "action": "Continue", - "ingested": "2021-11-24T14:39:10.084705200Z", - "original": "{\"userEmailAddress\": \"johndoe@example.com\", \"fromUserEmailAddress\": \"bestbuyinfo@emailinfo.bestbuy.com\", \"url\": \"https://click.emailinfo2.bestbuy.com/?qs=5c47c91aeb44fac857370c26ddf09c3f484431e1ccfa636fc64e26e40dd87efdb43d4deeeab8c2e727ebfa079e8cf1404c095c511152e4b09e7d00bf8377f32d\", \"ttpDefinition\": \"Inbound URL 'Aggressive'\", \"subject\": \"Today only: Save $100 on Tineco Pure One S12 smart cordless stick vacuum, plus more.\", \"action\": \"allow\", \"adminOverride\": \"N/A\", \"userOverride\": \"None\", \"scanResult\": \"clean\", \"category\": \"Business\", \"sendingIp\": \"8.8.8.8\", \"userAwarenessAction\": \"Continue\", \"date\": \"2021-10-16T14:45:34+0000\", \"actions\": \"Allow\", \"route\": \"inbound\", \"creationMethod\": \"User Click\", \"emailPartsDescription\": [ \"Body\" ], \"messageId\": 
\"\u003c31b43097-94f9-4f64-8e37-8ad23650c692@ind1s01mta1292.xt.local\u003e\" }", - "created": "2021-10-16T14:45:34+0000" + "dataset": "mimecast.ttp_url_logs" }, "user": { + "domain": "example.com", "name": "johndoe", - "email": "johndoe@example.com", - "domain": "example.com" + "email": "johndoe@example.com" }, "email": { - "message_id": "\u003c31b43097-94f9-4f64-8e37-8ad23650c692@ind1s01mta1292.xt.local\u003e", + "subject": "\"Why don't I own that already?\"", + "message_id": "\u003c20220208203837.26642507.136718@example.com\u003e", "from": { - "address": "bestbuyinfo@emailinfo.bestbuy.com" + "address": "newsletter@buzzfeed.com" }, - "subject": "Today only: Save $100 on Tineco Pure One S12 smart cordless stick vacuum, plus more.", "direction": "inbound" }, "mimecast": { "userOverride": "None", "action": "allow", "adminOverride": "N/A", + "category": "Entertainment", "scanResult": "clean", - "category": "Business", "actions": "Allow", "creationMethod": "User Click", "emailPartsDescription": [ diff --git a/packages/mimecast/docs/README.md b/packages/mimecast/docs/README.md index e5ce3174083..305cf6e31c2 100644 --- a/packages/mimecast/docs/README.md +++ b/packages/mimecast/docs/README.md 
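Review bot: The replacement `url.original` at the top of the hunk is a live third-party click-tracking link whose path segment is a base64-encoded real article URL followed by a per-click tracking token, and `email.from.address` on the new side is likewise a real newsletter sender, whereas `email.message_id` in the same hunk was anonymised to `example.com`. This sample ships in the package README, so the URL and sender should be synthetic as well, e.g. `"original": "https://link.example.com/click/26642507.136718/<constructed-token>"` and `"address": "newsletter@example.com"`, keeping only the shape a reader needs to see. The change of `mimecast.category` to `Entertainment` appears to come from regenerating the event against a live tenant; if so, scrubbing should be part of that regeneration step rather than done by hand afterwards.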
@@ -2,31 +2,131 @@ The Mimecast integration collects events from the Mimecast API. -## Configuration +Full guide how to configure, deploy and use this integration find [here]() -Authorization parameters for the Mimecast API (`Application Key`, `Application ID`, `Access Key`, and `Secret Key`), should be provided by a Mimecast representative for this integration. -Under `Advanced options` you can set the time interval between two API requests as well as the API URL. A Mimecast representative should also be able to give you with this information in case you need to change the defaults. +# Documenation -Note that rate limit quotas may require you to set up different credentials for the different available log types. +## Introduction + +The purpose of this integration is to fetch logs from the Mimecast API periodically and ingest them into the Elastic in automated manner. + +The integration is made based on the specification defined by the Elastic team. Each Elastic Integration is an Elastic Package that defines how to observe a specific product with the Elastic Stack. + +An Elastic Package may define configuration for the Elastic Agent as well as assets for the Elastic Stack (such as Kibana dashboards and Elasticsearch index templates). It should also include documentation about the package. Finally, a package may also define tests to ensure that it is functioning as expected. +Elastic Packages have a certain, well-defined structure. This structure is described by the Package Specification. The repository is also used for discussions about extending the specification (with proposals). + +More about Elastic package stack and general idea about making integration this way read [here](https://www.elastic.co/blog/elastic-agent-and-fleet-make-it-easier-to-integrate-your-systems-with-elastic). + +## Deployment and Configuration Guide + +### Prerequisites + +The integration package will be deployed and made available by Elastic on their cloud platform. 
To access it and use it accordingly, up and running Elastic stack along with the Elastic account will be needed to find, access, and deploy the package through Kibana. + +The access to Kibana is available on your instance of Elastic stack, through the specific port and an URL based on your configuration. Steps to deploy and configure the package are provided below. + +### Deployment and configuration + +Deployment is straight-forward through Kibana. You have two steps to take in order to deploy. The first step is to add an agent, and the second step is to add and configure integration. + +To complete the first step, follow the instructions on this [link](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html). + +To complete the second step, go to this [link](https://www.elastic.co/guide/en/fleet/7.15/integrations.htm#add-integration-under-integrations) and follow the instructions to Add integration to a policy. +Step 3 is where you should add any configuration options that are required. +Those parameters are authorization parameters against the Mimecast API (Application Key, Application ID, Access Key, and Secret Key), and they should be provided by a Mimecast representative for this integration. +Similarly, tapping the Advanced options link expands the form, allowing you to choose the time interval between two API requests as well as the API URL as the API endpoint. A Mimecast representative should also be able to give you with this information. The default interval value is 5m, but you can modify it. If you do, be sure to provide the time measurement unit (m for minute, s for seconds) rather than just a number. + +Because parameters can differ, repeat the second step for each supported log you want to consume (A list of supported logs can be found in Log Types section below). +Ingesting all logs is enabled by default, but you can disable it by moving the blue slider next to the log name. 
+ +Once you save and confirm, ingesting logs will start automatically and you will be able to search for them. + +## User guide + +After you've finished setting and deploying integration, the elastic agent will begin ingesting data right away, and you'll be able to query it through Kibana. Instructions on how to do that can be found [here] (https://www.elastic.co/guide/en/beats/packetbeat/current/kibana-queries-filters.html). + +### Understanding Logs + +Here is the explanation of the typical log types we mentioned in the previous chapters, with relevant links toward the Mimecast documentation. + +#### Log Types + +• Audit Events — these logs contain Mimecast audit events with the following details: audit type, event category and detailed information about the event. More information about these logs [here] (https://integrations.mimecast.com/documentation/endpoint-reference/logs-and-statistics/get-audit-events/). + +• DLP Logs - these logs contain information about messages that triggered a DLP or Content Examination policy. More information about these logs [here] (https://integrations.mimecast.com/documentation/endpoint-reference/logs-and-statistics/get-dlp-logs/). + +• TTP Attachment Protection Logs - these logs contain Mimecast TTP attachment protection logs with the following details: result of attachment analysis (if it is malicious or not etc.), date when file is released, sender and recipient address, filename and type, action triggered for the attachment, the route of the original email containing the attachment and details. Learn more about these logs [here] (https://integrations.mimecast.com/documentation/endpoint-reference/logs-and-statistics/get-ttp-attachment-protection-logs/). + +• TTP Impersonation Protect Logs — these logs contain information about messages containing information flagged by an Impersonation Protection configuration. 
Learn more about these logs [here] (https://integrations.mimecast.com/documentation/endpoint-reference/logs-and-statistics/get-ttp-impersonation-protect-logs/). + +• TTP URL Log - these logs contain Mimecast TTP attachment protection logs with the following details: the category of the URL clicked, the email address of the user who clicked the link, the url clicked, the action taken by the user if user awareness was applied, the route of the email that contained the link, the action defined by the administrator for the URL, the date that the URL was clicked, url scan result, the action that was taken for the click, the description of the definition that triggered the URL to be rewritten by Mimecast, the action requested by the user, an array of components of the message where the URL was found. More about these logs [here](https://integrations.mimecast.com/documentation/endpoint-reference/logs-and-statistics/get-ttp-url-logs/). + +• Threat Intel Feed - these logs contain information about messages that return identified malware threats at a customer or regional grid level. There are two types of these logs - malware_grid (Regional) and malware_customer (Targeted) and we ingest them separately. More about these logs [here](https://integrations.mimecast.com/documentation/endpoint-reference/threat-intel/get-feed/). + +• SIEM logs - these logs contain information about messages that contains MTA logs (MTA = message transfer agent) – all Inbound, outbound and internal messages. More about these logs [here](https://integrations.mimecast.com/documentation/tutorials/understanding-siem-logs/). + +## Dashboards + +Kibana provides the ability to make a visual representation of the ingested log data. Based on the Mimecast documentation for available log types, it is possible to identify the most important data from the logs and display them within the Kibana dashboards. 
+ +### Create and Edit Dashboard + +ELK provides the ability to make a visual representation of the ingested log data. Based on the Mimecast documentation for available log types, it is possible to identify the most important data from the logs and display them within the Kibana dashboards. + +For the reference on how to create or edit dashboard, please visit this [link](https://www.elastic.co/guide/en/kibana/current/dashboard.html). + +### Export/Import Dashboard + +Kibana provides very useful feature – to export and import dashboards. Any search query, visualization and/or dashboard you can save for later use. And once you want to switch back to them you can find them in Saved Objects and opent them, delete them and export, import them from there. For dashboards, it can be useful to export/import them. To do that, follow these instructions: + +https://www.elastic.co/guide/en/kibana/7.9/managing-saved-objects.html + +This integration also has already exported a few dashboards made as an example for you and you can see them below. + +### Dashboard Examples + +We made a couple dashboards to show you how they can be used. Steps to find them: + +1. Go to Kibana +2. Click on Dashboards +3. Type "Mimecast" in Search Field + +or you can follow [this] instructions. + +There should be nine dashboards with the word [[Mimecast]] in the title. +Dashboards like those are examples of dashboards. ## Logs -### Audit Events +### AUDIT EVENTS -This is the `mimecast.audit_events` dataset. These logs contain Mimecast audit events with the following details: audit type, event category and detailed information about the event. More information about these logs [here] (https://integrations.mimecast.com/documentation/endpoint-reference/logs-and-statistics/get-audit-events/). +This is the `mimecast.audit_events` dataset. 
An example event for `audit_events` looks as following: ```json { - "@timestamp": "2021-11-16T12:01:37.000Z", - "agent": { - "ephemeral_id": "57841034-22ed-4fcd-bcfd-0a9518249e2d", - "hostname": "docker-fleet-agent", - "id": "eb7f38a3-c00c-4d87-9c69-fddb3d650fab", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.16.0" + "@timestamp": "2022-02-09T02:45:01.000Z", + "file": { + "extension": "zip", + "name": "Threat intel multiple feeds download - malware_customer_csv_20220209024500934.zip" + }, + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "8.8.8.8" + ], + "user": [ + "johndoe", + "johndoe@example.com" + ] + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "mimecast.audit_events" }, "client": { "as": { 
@@ -46,54 +146,23 @@ An example event for `audit_events` looks as following: }, "ip": "8.8.8.8" }, - "data_stream": { - "dataset": "mimecast.audit_events", - "namespace": "ep", - "type": "logs" - }, - "ecs": { - "version": "1.12.0" - }, - "elastic_agent": { - "id": "eb7f38a3-c00c-4d87-9c69-fddb3d650fab", - "snapshot": true, - "version": "7.16.0" - }, "event": { - "action": "case-action", "agent_id_status": "verified", - "created": "2021-11-16T12:01:37.000Z", - "dataset": "mimecast.audit_events", - "id": "eNqrVipOTS4tSs1MUbJSskwzjDIMyDRKLinNSEl1c0pOqXLJyQlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWFsYmhkrqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAE_sLAI", - "ingested": "2021-11-24T15:39:11Z", - "original": "{\"auditType\":\"Case Action\",\"category\":\"case_review_logs\",\"eventInfo\":\"Viewed Case - Case: GDPR/CCPA, Date: 2021-11-16, Time: 12:01:37+0000, IP: 8.8.8.8, Application: mimecast-case-review\",\"eventTime\":\"2021-11-16T12:01:37+0000\",\"id\":\"eNqrVipOTS4tSs1MUbJSskwzjDIMyDRKLinNSEl1c0pOqXLJyQlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWFsYmhkrqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAE_sLAI\",\"user\":\"johndoe@example.com\"}" - }, - "input": { - "type": "httpjson" - }, - "mimecast": { - "application": "mimecast-case-review", - "category": "case_review_logs", - "eventInfo": "Viewed Case - Case: GDPR/CCPA, Date: 2021-11-16, Time: 12:01:37+0000, IP: 8.8.8.8, Application: mimecast-case-review" + "ingested": "2022-02-09T09:45:25Z", + "created": "2022-02-09T02:45:01.000Z", + "action": "threat-intel-feed-download", + "id": "eNqrVipOTS4tSs1MUbJSyvMxyknzzcqN0S9Nzs_PqCoNCTE2j3ILS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsZGhobmJkYKKjlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgCY1Sx4", + "dataset": "mimecast.audit_events" }, - "related": { - "ip": [ - "8.8.8.8" - ], - "user": [ - "johndoe", - "johndoe@example.com" - ] - }, - "tags": [ - 
"preserve_original_event", - "forwarded", - "mimecast-audit-events" - ], "user": { "domain": "example.com", - "email": "johndoe@example.com", - "name": "johndoe" + "name": "johdoe", + "email": "johndoe@example.com" + }, + "mimecast": { + "eventInfo": "Threat intel multiple feeds download - malware_customer_csv_20220209024500934.zip, Date: 2022-02-09, Time: 02:45:01+0000, IP: 8.8.8.8, Application: Integrations", + "application": "Integrations", + "category": "reporting_logs" } } ``` @@ -106,7 +175,7 @@ An example event for `audit_events` looks as following: | client.as.asn | Client ASN number. | long | | client.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | | client.as.organization.name | Organization name. | keyword | -| client.as.organization_name | Client Organization name. | keyword | +| client.as.organization_name | | keyword | | client.geo.city_name | City name. | keyword | | client.geo.continent_name | Name of the continent. | keyword | | client.geo.country_iso_code | Country ISO code. | keyword | 
@@ -175,23 +244,15 @@ An example event for `audit_events` looks as following: | user.name | Short name or login of the user. | keyword | -### DLP Logs +### DLP LOGS -This is the `mimecast.dlp_logs` dataset. These logs contain information about messages that triggered a DLP or Content Examination policy. More information about these logs [here] (https://integrations.mimecast.com/documentation/endpoint-reference/logs-and-statistics/get-dlp-logs/). +This is the `mimecast.dlp_logs` dataset. An example event for `dlp` looks as following: ```json { "@timestamp": "2021-11-18T21:41:18.000Z", - "agent": { - "ephemeral_id": "1aef981f-3448-4d12-bd5a-723ac1cdcc81", - "hostname": "docker-fleet-agent", - "id": "eb7f38a3-c00c-4d87-9c69-fddb3d650fab", - "name": "docker-fleet-agent", - "type": "filebeat", - "version": "7.16.0" - }, "data_stream": { "dataset": "mimecast.dlp_logs", "namespace": "ep", 
@@ -298,43 +359,45 @@ An example event for `dlp` looks as following: | tags | List of keywords used to tag each event. | keyword | -### SIEM Logs +### SIEM LOGS -This is the `mimecast.siem_logs` dataset. These logs contain information about messages that contains MTA logs (MTA = message transfer agent) – all Inbound, outbound and internal messages. More about these logs [here](https://integrations.mimecast.com/documentation/tutorials/understanding-siem-logs/). +This is the `mimecast.siem_logs` dataset. An example event for `siem` looks as following: ```json { - "@timestamp": "2021-10-18T08:02:43.000Z", + "@timestamp": "2022-02-03T18:17:38.000Z", "ecs": { "version": "1.12.0" }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "mimecast.siem_logs" + }, "event": { - "reason": "Spm", - "action": "Hld", - "ingested": "2021-11-25T11:34:11.459620200Z", - "original": "{\"Act\":\"Hld\",\"AttCnt\":0,\"AttNames\":null,\"AttSize\":0,\"Content-Disposition\":\"attachment; filename=\\\"process_20211018093329655.json\\\"\",\"Hld\":\"Spm\",\"MsgId\":\"\\u003cINX.164dae0719be95da77068c7d264.3e915.e7719.c78c.17c926a3231ace@newsletter.77onlineshop.eu\\u003e\",\"MsgSize\":157436,\"Sender\":\"bounce_9244+cdaahhimyaaaaagaad5ekqaaaaaaaaeribenpq@newsletter.77onlineshop.eu\",\"Subject\":\"Hi Sandra! Neue Styles eingetroffen! 
– Finde deinen Lieblings-Look!\",\"aCode\":\"HhuwRf_AOcuJZINE2ZgcKw\",\"acc\":\"ABC123\",\"datetime\":\"2021-10-18T09:02:43+0100\"}", - "created": "2021-10-18T09:02:43+0100", + "agent_id_status": "verified", + "ingested": "2022-02-09T09:58:25Z", + "created": "2022-02-03T18:17:38+0000", + "action": "Acc", + "dataset": "mimecast.siem_logs", "outcome": "unknown" }, "email": { - "message_id": "\u003cINX.164dae0719be95da77068c7d264.3e915.e7719.c78c.17c926a3231ace@newsletter.77onlineshop.eu\u003e", - "from": { - "address": "bounce_9244+cdaahhimyaaaaagaad5ekqaaaaaaaaeribenpq@newsletter.77onlineshop.eu" - }, "attachments": { "file": { "size": 0 } }, - "local_id": "HhuwRf_AOcuJZINE2ZgcKw", - "subject": "Hi Sandra! Neue Styles eingetroffen! – Finde deinen Lieblings-Look!", - "message_size": 157436 + "local_id": "23e26c29-14fa-4a31-a6a1-474ba8fa7943", + "subject": "You've been sent a secure message: hello world", + "message_id": "\u003c151821003-1643912257257@uk-mta-93.uk.example.lan\u003e", + "from": { + "address": "johndoe@example.com" + }, + "message_size": 27677 }, - "tags": [ - "preserve_original_event" - ], "mimecast": { "acc": "ABC123", "log_type": "process", 
@@ -461,62 +524,74 @@ An example event for `siem` looks as following: | user.email | User email address. | keyword | -### TTP Impersonation Logs +### TTP IMPERSONATION LOGS -This is the `mimecast.ttp_ip_logs` dataset. These logs contain information about messages containing information flagged by an Impersonation Protection configuration. Learn more about these logs [here] (https://integrations.mimecast.com/documentation/endpoint-reference/logs-and-statistics/get-ttp-impersonation-protect-logs/). +This is the `mimecast.ttp_ip_logs` dataset. An example event for `ttp_ip` looks as following: ```json { - "@timestamp": "2021-10-15T17:10:46.000Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": "8.8.8.8" - }, "rule": { "name": "IP - 1 hit (Tag email)" }, "source": { "ip": "8.8.8.8" }, + "tags": [ + "forwarded", + "mimecast-ttp-ip" + ], + "input": { + "type": "httpjson" + }, + "@timestamp": "2022-02-08T17:21:45.000Z", + "ecs": { + "version": "1.12.0" + }, + "related": { + "ip": [ + "8.8.8.8" + ] + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "mimecast.ttp_ip_logs" + }, "event": { + "agent_id_status": "verified", + "ingested": "2022-02-09T10:09:19Z", + "created": "2022-02-08T17:21:45+0000", "action": "none", - "ingested": "2021-11-19T14:42:59.823940200Z", - "original": "{\"id\":\"MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMjU1NjIw1FEqSy0qzszPU7ICskvywAoNDAyVagFirRIG\",\"senderAddress\":\"smtp@example.com\",\"recipientAddress\":\"johndoe@example.com\",\"subject\":\"Requested File\",\"definition\":\"IP - 1 hit (Tag email)\",\"hits\":1,\"identifiers\":[\"internal_user_name\"],\"action\":\"none\",\"taggedExternal\":false,\"taggedMalicious\":true,\"senderIpAddress\":\"8.8.8.8\",\"eventTime\":\"2021-10-15T17:10:46+0000\",\"impersonationResults\":[{\"impersonationDomainSource\":\"internal_user_name\",\"similarDomain\":\"John Doe Jr \u003cjohndoejr@example.com\u003e\",\"stringSimilarToDomain\":\"John Doe 
Jr\",\"checkerResult\":\"hit\"}],\"messageId\":\"\u003cEE7E97EA-1926-4A90-9399-D049A98893F4@emailsec.ninja\u003e\"}", - "id": "MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMjU1NjIw1FEqSy0qzszPU7ICskvywAoNDAyVagFirRIG", - "created": "2021-10-15T17:10:46+0000" + "id": "MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyNjAxtzQz0FEqSy0qzszPU7Iy1FEqyQMrNDAwVqoFAGPlEhM", + "dataset": "mimecast.ttp_ip_logs" }, "email": { + "subject": "FW: Subject | Training", "from": { - "address": "smtp@example.com" - }, - "message_id": "\u003cEE7E97EA-1926-4A90-9399-D049A98893F4@emailsec.ninja\u003e", - "to": { "address": "johndoe@example.com" }, - "subject": "Requested File" + "message_id": "\u003cAS8P194MB1544675B724095ACB49F2338A82D9@AS8P194MB1544.EURP194.PROD.OUTLOOK.COM\u003e", + "to": { + "address": "janedoe@example.com" + } }, - "tags": [ - "preserve_original_event" - ], "mimecast": { "hits": 1, + "taggedMalicious": true, + "identifiers": [ + "internal_user_name" + ], "impersonationResults": [ { "checkerResult": "hit", + "similarDomain": "John Doe \u003cjohndoe@example.com\u003e", "impersonationDomainSource": "internal_user_name", - "stringSimilarToDomain": "John Doe Jr", - "similarDomain": "John Doe Jr \u003cjohndoejr@example.com\u003e" + "stringSimilarToDomain": "John Doe" } ], - "taggedMalicious": true, - "taggedExternal": false, - "identifiers": [ - "internal_user_name" - ] + "taggedExternal": false } } ``` 
@@ -593,55 +668,58 @@ An example event for `ttp_ip` looks as following: | tags | List of keywords used to tag each event. | keyword | -### TTP Attachment Logs +### TTP ATTACHMENT LOGS -This is the `mimecast.ttp_ap_logs` dataset. These logs contain Mimecast TTP attachment protection logs with the following details: result of attachment analysis (if it is malicious or not etc.), date when file is released, sender and recipient address, filename and type, action triggered for the attachment, the route of the original email containing the attachment and details. Learn more about these logs [here] (https://integrations.mimecast.com/documentation/endpoint-reference/logs-and-statistics/get-ttp-attachment-protection-logs/). +This is the `mimecast.ttp_ap_logs` dataset. An example event for `ttp_ap` looks as following: ```json { - "@timestamp": "2021-10-14T18:54:32.000Z", + "@timestamp": "2022-02-01T17:27:48.000Z", "ecs": { "version": "1.12.0" }, "related": { - "hash": "eaeef09b60a59b913e9bfc0a4373e25d6182beff388957473fba517cc09345e3" + "hash": [ + "eaeef09b60a59b913e9bfc0a4373e25d6182beff388957473fba517cc09345e3" + ] }, - "rule": { - "name": "Inbound - Safe file with On-Demand Sandbox" + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "mimecast.ttp_ap_logs" }, "event": { + "agent_id_status": "verified", + "ingested": "2022-02-09T08:45:45Z", + "original": "{\"actionTriggered\":\"user release, none\",\"date\":\"2022-02-01T17:27:48+0000\",\"definition\":\"Inbound - Safe file with On-Demand Sandbox\",\"details\":\"Safe \\r\\nTime taken: 0 hrs, 0 min, 32 sec\",\"fileHash\":\"eaeef09b60a59b913e9bfc0a4373e25d6182beff388957473fba517cc09345e3\",\"fileName\":\"numbers.pdf\",\"fileType\":\"application/pdf\",\"messageId\":\"\\u003c20200806044148.F35F813B435@mail.example.com\\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"result\":\"safe\",\"route\":\"inbound\",\"senderAddress\":\"\\u003c\\u003e\",\"subject\":\"Important Updated Numbers from the Center 
for Disease Control\"}", + "created": "2022-02-01T17:27:48+0000", "action": "user_release_none", - "ingested": "2021-11-19T14:40:07.263592900Z", - "original": "{\"senderAddress\":\"\u003c\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"fileName\":\"numbers.pdf\",\"fileType\":\"application\\/pdf\",\"result\":\"safe\",\"actionTriggered\":\"user release, none\",\"date\":\"2021-10-14T18:54:32+0000\",\"details\":\"Safe \\r\\nTime taken: 0 hrs, 0 min, 4 sec\",\"route\":\"inbound\",\"messageId\":\"\u003c20200806044148.F35F813B435@mail.brianjthronton.com\u003e\",\"subject\":\"Important Updated Numbers from the Center for Disease Control\",\"fileHash\":\"eaeef09b60a59b913e9bfc0a4373e25d6182beff388957473fba517cc09345e3\",\"definition\":\"Inbound - Safe file with On-Demand Sandbox\"}", - "created": "2021-10-14T18:54:32+0000" + "dataset": "mimecast.ttp_ap_logs" }, "email": { - "from": { - "address": "\u003c\u003e" - }, - "message_id": "\u003c20200806044148.F35F813B435@mail.brianjthronton.com\u003e", "attachments": { - "hash": "eaeef09b60a59b913e9bfc0a4373e25d6182beff388957473fba517cc09345e3", "file": { - "name": "numbers.pdf", + "extension": "pdf", "mime_type": "application/pdf", - "extension": "pdf" - } + "name": "numbers.pdf" + }, + "hash": "eaeef09b60a59b913e9bfc0a4373e25d6182beff388957473fba517cc09345e3" }, + "subject": "Important Updated Numbers from the Center for Disease Control", + "from": { + "address": "\u003c\u003e" + }, + "message_id": "\u003c20200806044148.F35F813B435@mail.example.com\u003e", "to": { "address": "johndoe@example.com" }, - "subject": "Important Updated Numbers from the Center for Disease Control", "direction": "inbound" }, - "tags": [ - "preserve_original_event" - ], "mimecast": { "result": "safe", - "details": "Safe \r\nTime taken: 0 hrs, 0 min, 4 sec" + "details": "Safe \r\nTime taken: 0 hrs, 0 min, 32 sec" } } ``` 
@@ -716,9 +794,9 @@ An example event for `ttp_ap` looks as following: | tags | List of keywords used to tag each event. | keyword | -### TTP URL Logs +### TTP URL LOGS -This is the `mimecast.ttp_url_logs` dataset. These logs contain Mimecast TTP attachment protection logs with the following details: the category of the URL clicked, the email address of the user who clicked the link, the url clicked, the action taken by the user if user awareness was applied, the route of the email that contained the link, the action defined by the administrator for the URL, the date that the URL was clicked, url scan result, the action that was taken for the click, the description of the definition that triggered the URL to be rewritten by Mimecast, the action requested by the user, an array of components of the message where the URL was found. More about these logs [here](https://integrations.mimecast.com/documentation/endpoint-reference/logs-and-statistics/get-ttp-url-logs/). +This is the `mimecast.ttp_url_logs` dataset. An example event for `ttp_url` looks as following: 
@@ -731,49 +809,59 @@ An example event for `ttp_url` looks as following: "ip": "8.8.8.8" }, "url": { - "original": "https://click.emailinfo2.bestbuy.com/?qs=5c47c91aeb44fac857370c26ddf09c3f484431e1ccfa636fc64e26e40dd87efdb43d4deeeab8c2e727ebfa079e8cf1404c095c511152e4b09e7d00bf8377f32d" + "original": "https://link.buzzfeed.com/click/26642507.136718/aHR0cHM6Ly93d3cuYnV6emZlZWQuY29tL25lZ2VzdGlrYXVkby9zZXgtdG95cy10by1naWZ0LXlvdXJzZWxmLWZvci12YWxlbnRpbmVzLWRheS1hbmQtZmVlbD9vcmlnaW49c2hvcHBpbmdubA/5d81de1940f8667f86011339B2d1592db" }, "tags": [ - "preserve_original_event" + "forwarded", + "mimecast-ttp-url" ], - "@timestamp": "2021-10-16T14:45:34.000Z", + "input": { + "type": "httpjson" + }, + "@timestamp": "2022-02-09T01:39:36.000Z", "ecs": { "version": "1.12.0" }, "related": { + "ip": [ + "8.8.8.8" + ], "user": [ "johndoe", "johndoe@example.com" - ], - "ip": [ - "8.8.8.8" ] }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "mimecast.ttp_url_logs" + }, "event": { + "agent_id_status": "verified", + "ingested": "2022-02-09T10:13:06Z", + "created": "2022-02-09T01:39:36+0000", "action": "Continue", - "ingested": "2021-11-24T14:39:10.084705200Z", - "original": "{\"userEmailAddress\": \"johndoe@example.com\", \"fromUserEmailAddress\": \"bestbuyinfo@emailinfo.bestbuy.com\", \"url\": \"https://click.emailinfo2.bestbuy.com/?qs=5c47c91aeb44fac857370c26ddf09c3f484431e1ccfa636fc64e26e40dd87efdb43d4deeeab8c2e727ebfa079e8cf1404c095c511152e4b09e7d00bf8377f32d\", \"ttpDefinition\": \"Inbound URL 'Aggressive'\", \"subject\": \"Today only: Save $100 on Tineco Pure One S12 smart cordless stick vacuum, plus more.\", \"action\": \"allow\", \"adminOverride\": \"N/A\", \"userOverride\": \"None\", \"scanResult\": \"clean\", \"category\": \"Business\", \"sendingIp\": \"8.8.8.8\", \"userAwarenessAction\": \"Continue\", \"date\": \"2021-10-16T14:45:34+0000\", \"actions\": \"Allow\", \"route\": \"inbound\", \"creationMethod\": \"User Click\", \"emailPartsDescription\": 
[ \"Body\" ], \"messageId\": \"\u003c31b43097-94f9-4f64-8e37-8ad23650c692@ind1s01mta1292.xt.local\u003e\" }", - "created": "2021-10-16T14:45:34+0000" + "dataset": "mimecast.ttp_url_logs" }, "user": { + "domain": "example.com", "name": "johndoe", - "email": "johndoe@example.com", - "domain": "example.com" + "email": "johndoe@example.com" }, "email": { - "message_id": "\u003c31b43097-94f9-4f64-8e37-8ad23650c692@ind1s01mta1292.xt.local\u003e", + "subject": "\"Why don't I own that already?\"", + "message_id": "\u003c20220208203837.26642507.136718@example.com\u003e", "from": { - "address": "bestbuyinfo@emailinfo.bestbuy.com" + "address": "newsletter@buzzfeed.com" }, - "subject": "Today only: Save $100 on Tineco Pure One S12 smart cordless stick vacuum, plus more.", "direction": "inbound" }, "mimecast": { "userOverride": "None", "action": "allow", "adminOverride": "N/A", + "category": "Entertainment", "scanResult": "clean", - "category": "Business", "actions": "Allow", "creationMethod": "User Click", "emailPartsDescription": [ 
@@ -859,48 +947,53 @@ An example event for `ttp_url` looks as following: | user.name | Short name or login of the user. | keyword | -### Threat Intel Feed Malware: Customer +### THREAT INTEL FEED MALWARE CUSTOMER -This is the `mimecast.threat_intel_malware_customer` dataset. These logs contain information about messages that return identified malware threats at a customer level. More about these logs [here](https://integrations.mimecast.com/documentation/endpoint-reference/threat-intel/get-feed/). +This is the `mimecast.threat_intel_malware_customer` dataset. An example event for `threat_intel_malware_customer` looks as following: ```json { - "@timestamp": "2021-10-29T15:07:26.653Z", + "@timestamp": "2022-02-02T16:07:13.213Z", "ecs": { "version": "1.12" }, "related": { - "hash": "c20d551424f2df6312f7fa700ed97cd199c3d5c8a0f4dfd683627f18913096de" + "hash": [ + "f074c46bb36cc48f36359d9847def630a4bd405d654e7db9b2b8ea1ce4e2528d" + ] + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "mimecast.threat_intel_malware_customer" }, "threat": { "indicator": { - "first_seen": "2021-10-29T15:07:26.653Z", + "first_seen": "2022-02-02T16:07:13.213Z", "file": { "hash": { - "sha256": "c20d551424f2df6312f7fa700ed97cd199c3d5c8a0f4dfd683627f18913096de" + "sha256": "f074c46bb36cc48f36359d9847def630a4bd405d654e7db9b2b8ea1ce4e2528d" } }, - "modified_at": "2021-10-29T15:07:26.653Z", + "modified_at": "2022-02-02T16:07:13.213Z", "type": "file" } }, "event": { - "ingested": "2021-11-17T13:42:34.324885300Z", - "original": "{ \"Content-Disposition\":\"attachment; filename=\\\"malware_customer_stix_20211028161801144.stix\\\"\",\"type\": \"indicator\", \"id\": \"indicator--18c62174-0d31-4653-afe6-d104c57b6b2c\", \"created\": \"2021-10-29T15:07:26.653Z\", \"modified\": \"2021-10-29T15:07:26.653Z\", \"labels\": [ \"malicious-activity\" ], \"pattern\": \"[file:hashes.'SHA-256' = 'c20d551424f2df6312f7fa700ed97cd199c3d5c8a0f4dfd683627f18913096de']\", \"valid_from\": 
\"2021-10-29T15:07:26.653Z\" }", + "agent_id_status": "verified", + "ingested": "2022-02-09T08:10:24Z", + "created": "2022-02-09T08:10:24.724Z", + "kind": "enrichment", "category": "threat", "type": "indicator", - "kind": "enrichment" + "dataset": "mimecast.threat_intel_malware_customer" }, - "tags": [ - "preserve_original_event", - "malicious-activity" - ], "mimecast": { - "pattern": "[file:hashes.'SHA-256' = 'c20d551424f2df6312f7fa700ed97cd199c3d5c8a0f4dfd683627f18913096de']", "log_type": "malware_customer", - "id": "indicator--18c62174-0d31-4653-afe6-d104c57b6b2c", + "pattern": "[file:hashes.'SHA-256' = 'f074c46bb36cc48f36359d9847def630a4bd405d654e7db9b2b8ea1ce4e2528d']", + "id": "indicator--17be7188-db80-4f6e-84cf-7fcb016f45de", "type": "indicator", "labels": [ "malicious-activity" 
@@ -977,47 +1070,54 @@ An example event for `threat_intel_malware_customer` looks as following: | threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: \* autonomous-system \* artifact \* directory \* domain-name \* email-addr \* file \* ipv4-addr \* ipv6-addr \* mac-addr \* mutex \* port \* process \* software \* url \* user-account \* windows-registry-key \* x509-certificate | keyword | -### Threat Intel Feed Malware: Grid +### THREAT INTEL FEED MALWARE GRID -This is the `mimecast.threat_intel_malware_grid` dataset. These logs contain information about messages that return identified malware threats at a regional grid level. More about these logs [here](https://integrations.mimecast.com/documentation/endpoint-reference/threat-intel/get-feed/). +This is the `mimecast.threat_intel_malware_grid` dataset. An example event for `threat_intel_malware_grid` looks as following: ```json { - "@timestamp": "2021-10-29T15:07:26.653Z", + "@timestamp": "2022-02-02T08:29:59.677Z", "ecs": { "version": "1.12" }, "related": { - "hash": "c20d551424f2df6312f7fa700ed97cd199c3d5c8a0f4dfd683627f18913096de" + "hash": [ + "7120d1338e2fac743e50cbafc5f6de37c97890678f35e15a21cd17384f2f78d0" + ] + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "mimecast.threat_intel_malware_grid" }, "threat": { "indicator": { - "first_seen": "2021-10-29T15:07:26.653Z", + "first_seen": "2022-02-02T08:29:59.677Z", "file": { "hash": { - "sha256": "c20d551424f2df6312f7fa700ed97cd199c3d5c8a0f4dfd683627f18913096de" + "sha256": "7120d1338e2fac743e50cbafc5f6de37c97890678f35e15a21cd17384f2f78d0" } }, - "modified_at": "2021-10-29T15:07:26.653Z", + "modified_at": "2022-02-02T08:29:59.677Z", "type": "file" } }, "event": { - "ingested": "2021-11-17T13:42:35.248902200Z", - "original": "{ \"Content-Disposition\":\"attachment; filename=\\\"malware_grid_stix_20211028161801144.stix\\\"\",\"type\": \"indicator\", \"id\": 
\"indicator--18c62174-0d31-4653-afe6-d104c57b6b2c\", \"created\": \"2021-10-29T15:07:26.653Z\", \"modified\": \"2021-10-29T15:07:26.653Z\", \"labels\": [ \"malicious-activity\" ], \"pattern\": \"[file:hashes.'SHA-256' = 'c20d551424f2df6312f7fa700ed97cd199c3d5c8a0f4dfd683627f18913096de']\", \"valid_from\": \"2021-10-29T15:07:26.653Z\" }", + "agent_id_status": "verified", + "ingested": "2022-02-09T08:41:44Z", + "original": "{\"Content-Disposition\":\"attachment; filename=\\\"malware_grid_stix_20220202083530775.stix\\\"\",\"created\":\"2022-02-02T08:29:59.677Z\",\"id\":\"indicator--12dbac84-90a0-4896-a6aa-96d1f7b723f1\",\"labels\":[\"malicious-activity\"],\"modified\":\"2022-02-02T08:29:59.677Z\",\"pattern\":\"[file:hashes.'SHA-256' = '7120d1338e2fac743e50cbafc5f6de37c97890678f35e15a21cd17384f2f78d0']\",\"type\":\"indicator\",\"valid_from\":\"2022-02-02T08:29:59.677Z\"}", + "created": "2022-02-09T08:41:43.956Z", + "kind": "enrichment", "category": "threat", - "kind": "enrichment" + "type": "indicator", + "dataset": "mimecast.threat_intel_malware_grid" }, - "tags": [ - "preserve_original_event", - "malicious-activity" - ], "mimecast": { - "pattern": "[file:hashes.'SHA-256' = 'c20d551424f2df6312f7fa700ed97cd199c3d5c8a0f4dfd683627f18913096de']", "log_type": "malware_grid", - "id": "indicator--18c62174-0d31-4653-afe6-d104c57b6b2c", + "pattern": "[file:hashes.'SHA-256' = '7120d1338e2fac743e50cbafc5f6de37c97890678f35e15a21cd17384f2f78d0']", + "id": "indicator--12dbac84-90a0-4896-a6aa-96d1f7b723f1", "type": "indicator", "labels": [ "malicious-activity" diff --git a/packages/mimecast/manifest.yml b/packages/mimecast/manifest.yml index 0021a623a70..de7b1d35ced 100644 --- a/packages/mimecast/manifest.yml +++ b/packages/mimecast/manifest.yml @@ -1,7 +1,7 @@ format_version: 1.0.0 name: mimecast title: "Mimecast" -version: 0.0.5 +version: 0.0.6 license: basic description: "Fetching logs from Mimecast API and ingest into Elasticsearch" type: integration 
From 9752ceedd6e0fa03a5565b183e778dfca91e6508 Mon Sep 17 00:00:00 2001 From: djordje-adzemovic-devtech Date: Mon, 14 Feb 2022 11:30:25 +0100 Subject: [PATCH 02/14] Change link to pull PR in changelog.yaml --- packages/mimecast/changelog.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/mimecast/changelog.yml b/packages/mimecast/changelog.yml index 436c8bbe7ff..9b42b1bb953 100644 --- a/packages/mimecast/changelog.yml +++ b/packages/mimecast/changelog.yml @@ -2,7 +2,7 @@ changes: - description: Add use cases for audit events and update sample events and docs type: bugfix - link: https://github.com/elastic/integrations/pull/2644 + link: https://github.com/elastic/integrations/pull/2690 - version: "0.0.5" changes: - description: Fix typo From b838c737ae49e170d229b10b21ef49d11c336c8c Mon Sep 17 00:00:00 2001 From: djordje-adzemovic-devtech Date: Mon, 14 Feb 2022 15:25:39 +0100 Subject: [PATCH 03/14] CR changes --- packages/mimecast/changelog.yml | 2 +- .../elasticsearch/ingest_pipeline/default.yml | 2 +- packages/mimecast/docs/README.md | 129 +++--------------- 3 files changed, 23 insertions(+), 110 deletions(-) diff --git a/packages/mimecast/changelog.yml b/packages/mimecast/changelog.yml index 9b42b1bb953..f685d1e5e39 100644 --- a/packages/mimecast/changelog.yml +++ b/packages/mimecast/changelog.yml @@ -1,7 +1,7 @@ - version: "0.0.6" changes: - description: Add use cases for audit events and update sample events and docs - type: bugfix + type: enhancement link: https://github.com/elastic/integrations/pull/2690 - version: "0.0.5" changes: diff --git a/packages/mimecast/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml b/packages/mimecast/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml index c5ee9a83877..089e91f109c 100644 --- a/packages/mimecast/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml +++ b/packages/mimecast/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml 
@@ -101,7 +101,7 @@ processors: - dissect: field: mimecast.eventInfo pattern: "%{mimecast.info}, %{?key}:%{mimecast.email.address}[%{mimecast.email.metadata}] %{?key}: %{client.ip} %{?key}: %{mimecast.application}" - if: 'ctx?.event?.action=="logon-authentication-failed" && (ctx?.mimecast?.email?.metadata != "")' + if: 'ctx?.event?.action=="logon-authentication-failed"' ignore_missing: true ignore_failure: true - split: diff --git a/packages/mimecast/docs/README.md b/packages/mimecast/docs/README.md index 305cf6e31c2..19f71c54460 100644 --- a/packages/mimecast/docs/README.md +++ b/packages/mimecast/docs/README.md 
@@ -2,105 +2,18 @@ The Mimecast integration collects events from the Mimecast API. -Full guide how to configure, deploy and use this integration find [here]() +## Configuration -# Documenation +Authorization parameters for the Mimecast API (`Application Key`, `Application ID`, `Access Key`, and `Secret Key`), should be provided by a Mimecast representative for this integration. +Under `Advanced options` you can set the time interval between two API requests as well as the API URL. A Mimecast representative should also be able to give you with this information in case you need to change the defaults. -## Introduction - -The purpose of this integration is to fetch logs from the Mimecast API periodically and ingest them into the Elastic in automated manner. - -The integration is made based on the specification defined by the Elastic team. Each Elastic Integration is an Elastic Package that defines how to observe a specific product with the Elastic Stack. - -An Elastic Package may define configuration for the Elastic Agent as well as assets for the Elastic Stack (such as Kibana dashboards and Elasticsearch index templates). It should also include documentation about the package. Finally, a package may also define tests to ensure that it is functioning as expected. -Elastic Packages have a certain, well-defined structure. This structure is described by the Package Specification. The repository is also used for discussions about extending the specification (with proposals). - -More about Elastic package stack and general idea about making integration this way read [here](https://www.elastic.co/blog/elastic-agent-and-fleet-make-it-easier-to-integrate-your-systems-with-elastic). - -## Deployment and Configuration Guide - -### Prerequisites - -The integration package will be deployed and made available by Elastic on their cloud platform. 
To access it and use it accordingly, up and running Elastic stack along with the Elastic account will be needed to find, access, and deploy the package through Kibana. - -The access to Kibana is available on your instance of Elastic stack, through the specific port and an URL based on your configuration. Steps to deploy and configure the package are provided below. - -### Deployment and configuration - -Deployment is straight-forward through Kibana. You have two steps to take in order to deploy. The first step is to add an agent, and the second step is to add and configure integration. - -To complete the first step, follow the instructions on this [link](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html). - -To complete the second step, go to this [link](https://www.elastic.co/guide/en/fleet/7.15/integrations.htm#add-integration-under-integrations) and follow the instructions to Add integration to a policy. -Step 3 is where you should add any configuration options that are required. -Those parameters are authorization parameters against the Mimecast API (Application Key, Application ID, Access Key, and Secret Key), and they should be provided by a Mimecast representative for this integration. -Similarly, tapping the Advanced options link expands the form, allowing you to choose the time interval between two API requests as well as the API URL as the API endpoint. A Mimecast representative should also be able to give you with this information. The default interval value is 5m, but you can modify it. If you do, be sure to provide the time measurement unit (m for minute, s for seconds) rather than just a number. - -Because parameters can differ, repeat the second step for each supported log you want to consume (A list of supported logs can be found in Log Types section below). -Ingesting all logs is enabled by default, but you can disable it by moving the blue slider next to the log name. 
- -Once you save and confirm, ingesting logs will start automatically and you will be able to search for them. - -## User guide - -After you've finished setting and deploying integration, the elastic agent will begin ingesting data right away, and you'll be able to query it through Kibana. Instructions on how to do that can be found [here] (https://www.elastic.co/guide/en/beats/packetbeat/current/kibana-queries-filters.html). - -### Understanding Logs - -Here is the explanation of the typical log types we mentioned in the previous chapters, with relevant links toward the Mimecast documentation. - -#### Log Types - -• Audit Events — these logs contain Mimecast audit events with the following details: audit type, event category and detailed information about the event. More information about these logs [here] (https://integrations.mimecast.com/documentation/endpoint-reference/logs-and-statistics/get-audit-events/). - -• DLP Logs - these logs contain information about messages that triggered a DLP or Content Examination policy. More information about these logs [here] (https://integrations.mimecast.com/documentation/endpoint-reference/logs-and-statistics/get-dlp-logs/). - -• TTP Attachment Protection Logs - these logs contain Mimecast TTP attachment protection logs with the following details: result of attachment analysis (if it is malicious or not etc.), date when file is released, sender and recipient address, filename and type, action triggered for the attachment, the route of the original email containing the attachment and details. Learn more about these logs [here] (https://integrations.mimecast.com/documentation/endpoint-reference/logs-and-statistics/get-ttp-attachment-protection-logs/). - -• TTP Impersonation Protect Logs — these logs contain information about messages containing information flagged by an Impersonation Protection configuration. 
Learn more about these logs [here] (https://integrations.mimecast.com/documentation/endpoint-reference/logs-and-statistics/get-ttp-impersonation-protect-logs/). - -• TTP URL Log - these logs contain Mimecast TTP attachment protection logs with the following details: the category of the URL clicked, the email address of the user who clicked the link, the url clicked, the action taken by the user if user awareness was applied, the route of the email that contained the link, the action defined by the administrator for the URL, the date that the URL was clicked, url scan result, the action that was taken for the click, the description of the definition that triggered the URL to be rewritten by Mimecast, the action requested by the user, an array of components of the message where the URL was found. More about these logs [here](https://integrations.mimecast.com/documentation/endpoint-reference/logs-and-statistics/get-ttp-url-logs/). - -• Threat Intel Feed - these logs contain information about messages that return identified malware threats at a customer or regional grid level. There are two types of these logs - malware_grid (Regional) and malware_customer (Targeted) and we ingest them separately. More about these logs [here](https://integrations.mimecast.com/documentation/endpoint-reference/threat-intel/get-feed/). - -• SIEM logs - these logs contain information about messages that contains MTA logs (MTA = message transfer agent) – all Inbound, outbound and internal messages. More about these logs [here](https://integrations.mimecast.com/documentation/tutorials/understanding-siem-logs/). - -## Dashboards - -Kibana provides the ability to make a visual representation of the ingested log data. Based on the Mimecast documentation for available log types, it is possible to identify the most important data from the logs and display them within the Kibana dashboards. 
- -### Create and Edit Dashboard - -ELK provides the ability to make a visual representation of the ingested log data. Based on the Mimecast documentation for available log types, it is possible to identify the most important data from the logs and display them within the Kibana dashboards. - -For the reference on how to create or edit dashboard, please visit this [link](https://www.elastic.co/guide/en/kibana/current/dashboard.html). - -### Export/Import Dashboard - -Kibana provides very useful feature – to export and import dashboards. Any search query, visualization and/or dashboard you can save for later use. And once you want to switch back to them you can find them in Saved Objects and opent them, delete them and export, import them from there. For dashboards, it can be useful to export/import them. To do that, follow these instructions: - -https://www.elastic.co/guide/en/kibana/7.9/managing-saved-objects.html - -This integration also has already exported a few dashboards made as an example for you and you can see them below. - -### Dashboard Examples - -We made a couple dashboards to show you how they can be used. Steps to find them: - -1. Go to Kibana -2. Click on Dashboards -3. Type "Mimecast" in Search Field - -or you can follow [this] instructions. - -There should be nine dashboards with the word [[Mimecast]] in the title. -Dashboards like those are examples of dashboards. +Note that rate limit quotas may require you to set up different credentials for the different available log types. ## Logs -### AUDIT EVENTS +### Audit Events -This is the `mimecast.audit_events` dataset. +This is the `mimecast.audit_events` dataset. These logs contain Mimecast audit events with the following details: audit type, event category and detailed information about the event. More information about these logs [here] (https://integrations.mimecast.com/documentation/endpoint-reference/logs-and-statistics/get-audit-events/). 
An example event for `audit_events` looks as following: @@ -175,7 +88,7 @@ An example event for `audit_events` looks as following: | client.as.asn | Client ASN number. | long | | client.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | | client.as.organization.name | Organization name. | keyword | -| client.as.organization_name | | keyword | +| client.as.organization_name | Client Organization name. | keyword | | client.geo.city_name | City name. | keyword | | client.geo.continent_name | Name of the continent. | keyword | | client.geo.country_iso_code | Country ISO code. | keyword | @@ -244,9 +157,9 @@ An example event for `audit_events` looks as following: | user.name | Short name or login of the user. | keyword | -### DLP LOGS +### DLP Logs -This is the `mimecast.dlp_logs` dataset. +This is the `mimecast.dlp_logs` dataset. These logs contain information about messages that triggered a DLP or Content Examination policy. More information about these logs [here] (https://integrations.mimecast.com/documentation/endpoint-reference/logs-and-statistics/get-dlp-logs/). An example event for `dlp` looks as following: @@ -359,9 +272,9 @@ An example event for `dlp` looks as following: | tags | List of keywords used to tag each event. | keyword | -### SIEM LOGS +### SIEM Logs -This is the `mimecast.siem_logs` dataset. +This is the `mimecast.siem_logs` dataset. These logs contain information about messages that contains MTA logs (MTA = message transfer agent) – all Inbound, outbound and internal messages. More about these logs [here](https://integrations.mimecast.com/documentation/tutorials/understanding-siem-logs/). An example event for `siem` looks as following: 
@@ -524,9 +437,9 @@ An example event for `siem` looks as following: | user.email | User email address. | keyword | -### TTP IMPERSONATION LOGS +### TTP Impersonation Logs -This is the `mimecast.ttp_ip_logs` dataset. +This is the `mimecast.ttp_ip_logs` dataset. These logs contain information about messages containing information flagged by an Impersonation Protection configuration. Learn more about these logs [here] (https://integrations.mimecast.com/documentation/endpoint-reference/logs-and-statistics/get-ttp-impersonation-protect-logs/). An example event for `ttp_ip` looks as following: @@ -668,9 +581,9 @@ An example event for `ttp_ip` looks as following: | tags | List of keywords used to tag each event. | keyword | -### TTP ATTACHMENT LOGS +### TTP Attachment Logs -This is the `mimecast.ttp_ap_logs` dataset. +This is the `mimecast.ttp_ap_logs` dataset. These logs contain Mimecast TTP attachment protection logs with the following details: result of attachment analysis (if it is malicious or not etc.), date when file is released, sender and recipient address, filename and type, action triggered for the attachment, the route of the original email containing the attachment and details. Learn more about these logs [here] (https://integrations.mimecast.com/documentation/endpoint-reference/logs-and-statistics/get-ttp-attachment-protection-logs/). An example event for `ttp_ap` looks as following: 
@@ -794,9 +707,9 @@ An example event for `ttp_ap` looks as following: | tags | List of keywords used to tag each event. | keyword | -### TTP URL LOGS +### TTP URL Logs -This is the `mimecast.ttp_url_logs` dataset. +This is the `mimecast.ttp_url_logs` dataset. These logs contain Mimecast TTP attachment protection logs with the following details: the category of the URL clicked, the email address of the user who clicked the link, the url clicked, the action taken by the user if user awareness was applied, the route of the email that contained the link, the action defined by the administrator for the URL, the date that the URL was clicked, url scan result, the action that was taken for the click, the description of the definition that triggered the URL to be rewritten by Mimecast, the action requested by the user, an array of components of the message where the URL was found. More about these logs [here](https://integrations.mimecast.com/documentation/endpoint-reference/logs-and-statistics/get-ttp-url-logs/). An example event for `ttp_url` looks as following: @@ -947,9 +860,9 @@ An example event for `ttp_url` looks as following: | user.name | Short name or login of the user. | keyword | -### THREAT INTEL FEED MALWARE CUSTOMER +### Threat Intel Feed Malware: Customer -This is the `mimecast.threat_intel_malware_customer` dataset. +This is the `mimecast.threat_intel_malware_customer` dataset. These logs contain information about messages that return identified malware threats at a customer level. More about these logs [here](https://integrations.mimecast.com/documentation/endpoint-reference/threat-intel/get-feed/). An example event for `threat_intel_malware_customer` looks as following: 
@@ -1070,9 +983,9 @@ An example event for `threat_intel_malware_customer` looks as following: | threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: \* autonomous-system \* artifact \* directory \* domain-name \* email-addr \* file \* ipv4-addr \* ipv6-addr \* mac-addr \* mutex \* port \* process \* software \* url \* user-account \* windows-registry-key \* x509-certificate | keyword | -### THREAT INTEL FEED MALWARE GRID +### Threat Intel Feed Malware: Grid -This is the `mimecast.threat_intel_malware_grid` dataset. +This is the `mimecast.threat_intel_malware_grid` dataset. These logs contain information about messages that return identified malware threats at a regional grid level. More about these logs [here](https://integrations.mimecast.com/documentation/endpoint-reference/threat-intel/get-feed/). An example event for `threat_intel_malware_grid` looks as following: From c24f6c8a65e04be82bc630ce389b22101c641ffc Mon Sep 17 00:00:00 2001 From: djordje-adzemovic-devtech Date: Thu, 17 Feb 2022 11:20:02 +0100 Subject: [PATCH 04/14] Refactor audit events pipeline --- .../test-audit-events.log-expected.json | 186 +++++++++--------- .../elasticsearch/ingest_pipeline/default.yml | 43 ++-- 2 files changed, 125 insertions(+), 104 deletions(-) diff --git a/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log-expected.json b/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log-expected.json index ab852a5726e..170b8ad8f36 100644 --- a/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log-expected.json +++ b/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log-expected.json 
@@ -629,7 +629,7 @@ "ip": "67.43.156.15" }, "event": { - "reason": "Reason: Wrong password", + "reason": "Wrong password", "action": "logon-authentication-failed", "ingested": "2021-12-14T14:48:19.342448528Z", "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSMvCrMHX2MzL1yLFITjJNd8rO9wiJyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaGRkoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAPktKzg\",\"auditType\":\"Logon Authentication Failed\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T08:47:55+0000\",\"eventInfo\":\"Failed authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-12, Time: 09:47:55 BST, IP: 67.43.156.15, Application: mimecast-moa, Method: Office 365, Reason: Wrong password\",\"category\":\"authentication_logs\"}", 
@@ -1235,104 +1235,104 @@ } }, { - "@timestamp": "2021-10-12T08:47:55.000Z", - "client": { - "as": { - "number": 35908 - }, - "geo": { - "continent_name": "Asia", - "country_iso_code": "BT", - "country_name": "Bhutan", - "location": { - "lat": 27.5, - "lon": 90.5 - } - }, - "ip": "67.43.156.15" - }, - "ecs": { - "version": "1.12.0" - }, - "event": { - "action": "logon-authentication-failed", - "created": "2022-01-11T22:54:04.000Z", - "id": "eNqrVipOTS4tSs1MUbJSMvCrMHX2MzL1yLFITjJNd8rO9wiJyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaGRkoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAPktKzg", - "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSMvCrMHX2MzL1yLFITjJNd8rO9wiJyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaGRkoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAPktKzg\",\"auditType\":\"Logon Authentication Failed\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T08:47:55+0000\",\"eventInfo\":\"Failed authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2022-01-11, Time: 22:54:04 GMT, IP: 67.43.156.15, Application: POP-POP2, Reason: Account Locked\",\"category\":\"authentication_logs\"}", - "reason": "Account Locked" - }, - "mimecast": { - "application": "POP-POP2", - "category": "authentication_logs", - "eventInfo": "Failed authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2022-01-11, Time: 22:54:04 GMT, IP: 67.43.156.15, Application: POP-POP2, Reason: Account Locked" + "@timestamp": "2021-10-12T08:47:55.000Z", + "client": { + "as": { + "number": 35908 }, - "related": { - "ip": [ - "67.43.156.15" - ], - "user": [ - "johndoe", - "johndoe@example.com" - ] + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } }, - "tags": [ - "preserve_original_event" + "ip": "67.43.156.15" + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": 
"logon-authentication-failed", + "created": "2022-01-11T22:54:04.000Z", + "id": "eNqrVipOTS4tSs1MUbJSMvCrMHX2MzL1yLFITjJNd8rO9wiJyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaGRkoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAPktKzg", + "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSMvCrMHX2MzL1yLFITjJNd8rO9wiJyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaGRkoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAPktKzg\",\"auditType\":\"Logon Authentication Failed\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T08:47:55+0000\",\"eventInfo\":\"Failed authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2022-01-11, Time: 22:54:04 GMT, IP: 67.43.156.15, Application: POP-POP2, Reason: Account Locked\",\"category\":\"authentication_logs\"}", + "reason": "Account Locked" + }, + "mimecast": { + "application": "POP-POP2", + "category": "authentication_logs", + "eventInfo": "Failed authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2022-01-11, Time: 22:54:04 GMT, IP: 67.43.156.15, Application: POP-POP2, Reason: Account Locked" + }, + "related": { + "ip": [ + "67.43.156.15" ], - "user": { - "domain": "example.com", - "email": "johndoe@example.com", - "name": "johndoe" - } + "user": [ + "johndoe", + "johndoe@example.com" + ] }, - { - "@timestamp": "2021-10-12T08:47:55.000Z", - "client": { - "as": { - "number": 35908 - }, - "geo": { - "continent_name": "Asia", - "country_iso_code": "BT", - "country_name": "Bhutan", - "location": { - "lat": 27.5, - "lon": 90.5 - } - }, - "ip": "67.43.156.15" - }, - "ecs": { - "version": "1.12.0" - }, - "event": { - "action": "logon-authentication-failed", - "created": "2022-01-11T21:48:01.000Z", - "id": "eNqrVipOTS4tSs1MUbJSMvCrMHX2MzL1yLFITjJNd8rO9wiJyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaGRkoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAPktKzg", - "original": 
"{\"id\":\"eNqrVipOTS4tSs1MUbJSMvCrMHX2MzL1yLFITjJNd8rO9wiJyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaGRkoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAPktKzg\",\"auditType\":\"Logon Authentication Failed\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T08:47:55+0000\",\"eventInfo\":\"Failed authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2022-01-11, Time: 21:48:01 GMT, IP: 67.43.156.15, Application: POP-POP2, Method: Cloud, Reason: Wrong Password\",\"category\":\"authentication_logs\"}", - "reason": "Reason: Wrong Password" - }, - "mimecast": { - "application": "POP-POP2", - "category": "authentication_logs", - "eventInfo": "Failed authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2022-01-11, Time: 21:48:01 GMT, IP: 67.43.156.15, Application: POP-POP2, Method: Cloud, Reason: Wrong Password" + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "example.com", + "email": "johndoe@example.com", + "name": "johndoe" + } + }, + { + "@timestamp": "2021-10-12T08:47:55.000Z", + "client": { + "as": { + "number": 35908 }, - "related": { - "ip": [ - "67.43.156.15" - ], - "user": [ - "johndoe", - "johndoe@example.com" - ] + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } }, - "tags": [ - "preserve_original_event" + "ip": "67.43.156.15" + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "logon-authentication-failed", + "created": "2022-01-11T21:48:01.000Z", + "id": "eNqrVipOTS4tSs1MUbJSMvCrMHX2MzL1yLFITjJNd8rO9wiJyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaGRkoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAPktKzg", + "original": 
"{\"id\":\"eNqrVipOTS4tSs1MUbJSMvCrMHX2MzL1yLFITjJNd8rO9wiJyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaGRkoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAPktKzg\",\"auditType\":\"Logon Authentication Failed\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T08:47:55+0000\",\"eventInfo\":\"Failed authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2022-01-11, Time: 21:48:01 GMT, IP: 67.43.156.15, Application: POP-POP2, Method: Cloud, Reason: Wrong Password\",\"category\":\"authentication_logs\"}", + "reason": "Wrong Password" + }, + "mimecast": { + "application": "POP-POP2", + "category": "authentication_logs", + "eventInfo": "Failed authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2022-01-11, Time: 21:48:01 GMT, IP: 67.43.156.15, Application: POP-POP2, Method: Cloud, Reason: Wrong Password" + }, + "related": { + "ip": [ + "67.43.156.15" ], - "user": { - "domain": "example.com", - "email": "johndoe@example.com", - "name": "johndoe" - } - } + "user": [ + "johndoe", + "johndoe@example.com" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "example.com", + "email": "johndoe@example.com", + "name": "johndoe" + } + } ] } \ No newline at end of file diff --git a/packages/mimecast/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml b/packages/mimecast/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml index 089e91f109c..764ef8a6821 100644 --- a/packages/mimecast/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml +++ b/packages/mimecast/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml 
@@ -94,27 +94,47 @@ processors: if: 'ctx?.event?.action == "message-action"' - dissect: field: mimecast.eventInfo - pattern: "%{mimecast.info}, %{?key}: %{mimecast.date}, %{?key}: %{mimecast.time}, %{?key}: %{client.ip}, %{?key}: %{mimecast.application}, %{mimecast.application_method}, %{event.reason}" + pattern: "%{mimecast.info}, %{?key}:%{mimecast.email.address}[%{mimecast.email.metadata}] %{?key}: %{client.ip} %{?key}: %{mimecast.application}" if: 'ctx?.event?.action=="logon-authentication-failed"' ignore_missing: true ignore_failure: true - dissect: field: mimecast.eventInfo - pattern: "%{mimecast.info}, %{?key}:%{mimecast.email.address}[%{mimecast.email.metadata}] %{?key}: %{client.ip} %{?key}: %{mimecast.application}" + pattern: "%{mimecast.info}, %{mimecast.rest_of_event_info}" if: 'ctx?.event?.action=="logon-authentication-failed"' ignore_missing: true ignore_failure: true - - split: - field: mimecast.eventInfo - separator: "," + - kv: + field: mimecast.rest_of_event_info + field_split: ", " + value_split: ": " target_field: mimecast.event_info_parts - if: 'ctx?.mimecast?.eventInfo != null && ctx?.event?.action=="logon-authentication-failed"' - - dissect: - field: mimecast.eventInfo - pattern: "%{mimecast.info}, %{?key}: %{mimecast.date}, %{?key}: %{mimecast.time}, %{?key}: %{client.ip}, %{?key}: %{mimecast.application}, %{?key}: %{event.reason}" - if: 'ctx?.event?.action=="logon-authentication-failed" && (ctx?.mimecast?.event_info_parts.length == 6)' ignore_missing: true - ignore_failure: true + if: 'ctx?.event?.action=="logon-authentication-failed"' + - rename: + field: mimecast.event_info_parts.Date + target_field: mimecast.date + ignore_missing: true + - rename: + field: mimecast.event_info_parts.Time + target_field: mimecast.time + ignore_missing: true + - rename: + field: mimecast.event_info_parts.IP + target_field: client.ip + ignore_missing: true + - rename: + field: mimecast.event_info_parts.Application + target_field: mimecast.application + 
ignore_missing: true + - rename: + field: mimecast.event_info_parts.Method + target_field: mimecast.application_method + ignore_missing: true + - rename: + field: mimecast.event_info_parts.Reason + target_field: event.reason + ignore_missing: true - dissect: field: mimecast.eventInfo pattern: "%{?drop->} - %{mimecast.info}<%{user.email}> %{?key}: %{mimecast.date} %{?key}: %{mimecast.time} %{mimecast.timezone} %{?key}: %{client.ip} %{?key}: %{mimecast.application}" @@ -250,6 +270,7 @@ processors: - mimecast.as.asn - mimecast.organization_name - mimecast.event_info_parts + - mimecast.rest_of_event_info ignore_missing: true - remove: description: Remove 'event.original' if 'preserve_original_event' is not set. From 76bae0fbe7905656a12b6630dfa62a6cbb621e70 Mon Sep 17 00:00:00 2001 From: djordje-adzemovic-devtech Date: Thu, 17 Feb 2022 16:03:12 +0100 Subject: [PATCH 05/14] Ingest method property into audit-events logs --- .../test-audit-events.log-expected.json | 21 ++++++++++++------- .../elasticsearch/ingest_pipeline/default.yml | 10 +++++---- .../data_stream/audit_events/fields/field.yml | 3 +++ 3 files changed, 22 insertions(+), 12 deletions(-) diff --git a/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log-expected.json b/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log-expected.json index 170b8ad8f36..4031b86101b 100644 --- a/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log-expected.json +++ b/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log-expected.json 
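Review bot: The `kv` over `mimecast.rest_of_event_info` has no `include_keys`, so any `label: value` fragment in the log text becomes a sub-field of `mimecast.event_info_parts` (a label containing dots even becomes a nested object), while only the six labels the renames below know are ever used. Limiting it with `include_keys: [Date, Time, IP, Application, Method, Reason]` bounds the field set to what the pipeline consumes; the same applies to the later hunks on this page that first widen and then drop this processor's `if`. The `rename` of `event_info_parts.IP` to `client.ip` has no `ignore_failure`, so a document in which an earlier dissect already populated `client.ip`, or whose IP token is not an address (ECS maps `client.ip` as type `ip`), is rejected rather than indexed without the field; a guard such as `if: 'ctx.client?.ip == null'` on the rename, followed by a `convert` to `ip` with an `on_failure` handler, would keep the event. The enclosing `processors` list continues on both sides of the hunk.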
@@ -153,9 +153,10 @@ "preserve_original_event" ], "mimecast": { - "application": "Administration Console, Method: Two Step Auth, 2FA: TOTP", + "application": "Administration Console", "category": "authentication_logs", - "eventInfo": "Successful authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-11, Time: 18:17:30 BST, IP: 67.43.156.15, Application: Administration Console, Method: Two Step Auth, 2FA: TOTP" + "eventInfo": "Successful authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-11, Time: 18:17:30 BST, IP: 67.43.156.15, Application: Administration Console, Method: Two Step Auth, 2FA: TOTP", + "method": "Method: Two Step Auth, 2FA: TOTP" } }, { @@ -203,9 +204,10 @@ "preserve_original_event" ], "mimecast": { - "application": "Administration Console, Method: Office 365, 2FA: TOTP", + "application": "Administration Console", "category": "authentication_logs", - "eventInfo": "Intermediate authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-11, Time: 18:17:26 BST, IP: 67.43.156.15, Application: Administration Console, Method: Office 365, 2FA: TOTP" + "eventInfo": "Intermediate authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-11, Time: 18:17:26 BST, IP: 67.43.156.15, Application: Administration Console, Method: Office 365, 2FA: TOTP", + "method": "Method: Office 365, 2FA: TOTP" } }, { 
@@ -253,9 +255,10 @@ "preserve_original_event" ], "mimecast": { - "application": "Administration Console, Method: Cloud", + "application": "Administration Console", "category": "authentication_logs", - "eventInfo": "Successful authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-11, Time: 17:03:38 BST, IP: 67.43.156.15, Application: Administration Console, Method: Cloud" + "eventInfo": "Successful authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-11, Time: 17:03:38 BST, IP: 67.43.156.15, Application: Administration Console, Method: Cloud", + "method": "Method: Cloud" } }, { @@ -647,7 +650,8 @@ "mimecast": { "application": "mimecast-moa", "category": "authentication_logs", - "eventInfo": "Failed authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-12, Time: 09:47:55 BST, IP: 67.43.156.15, Application: mimecast-moa, Method: Office 365, Reason: Wrong password" + "eventInfo": "Failed authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-12, Time: 09:47:55 BST, IP: 67.43.156.15, Application: mimecast-moa, Method: Office 365, Reason: Wrong password", + "method": "Office 365" } }, { @@ -1314,7 +1318,8 @@ "mimecast": { "application": "POP-POP2", "category": "authentication_logs", - "eventInfo": "Failed authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2022-01-11, Time: 21:48:01 GMT, IP: 67.43.156.15, Application: POP-POP2, Method: Cloud, Reason: Wrong Password" + "eventInfo": "Failed authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2022-01-11, Time: 21:48:01 GMT, IP: 67.43.156.15, Application: POP-POP2, Method: Cloud, Reason: Wrong Password", + "method": "Cloud" }, "related": { "ip": [ diff --git a/packages/mimecast/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml b/packages/mimecast/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml index 764ef8a6821..92970a1b96d 100644 
--- a/packages/mimecast/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml +++ b/packages/mimecast/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml @@ -67,7 +67,11 @@ processors: - dissect: field: mimecast.eventInfo pattern: "%{mimecast.filename}, %{?key}: %{mimecast.date}, %{?key}: %{mimecast.time}, %{?key}: %{client.ip}, %{?key}: %{mimecast.application}" - if: 'ctx?.event?.action == "threat-intel-feed-download" || ctx?.event?.action == "existing-archive-task-changed" || ctx?.event?.action == "case-action" || ctx?.event?.action == "user-logged-on" || ctx?.event?.action == "logon-requires-challenge"' + if: 'ctx?.event?.action == "threat-intel-feed-download" || ctx?.event?.action == "existing-archive-task-changed" || ctx?.event?.action == "case-action"' + - dissect: + field: mimecast.eventInfo + pattern: "%{mimecast.filename}, %{?key}: %{mimecast.date}, %{?key}: %{mimecast.time}, %{?key}: %{client.ip}, %{?key}: %{mimecast.application}, %{mimecast.method}" + if: 'ctx?.event?.action == "user-logged-on" || ctx?.event?.action == "logon-requires-challenge"' - dissect: field: mimecast.eventInfo pattern: "%{mimecast.info}, %{event.type}, %{mimecast.search}, %{?key}: %{mimecast.date}, %{?key}: %{mimecast.time}, %{?key}: %{client.ip}, %{?key}: %{mimecast.application}" @@ -129,7 +133,7 @@ processors: ignore_missing: true - rename: field: mimecast.event_info_parts.Method - target_field: mimecast.application_method + target_field: mimecast.method ignore_missing: true - rename: field: mimecast.event_info_parts.Reason @@ -253,11 +257,9 @@ processors: - mimecast.provider - mimecast.filename - mimecast.criteria - - mimecast.aplication_method - mimecast.name.to - mimecast.name.from - mimecast.viewed - - mimecast.application_method - mimecast.timezone - mimecast.byuser - mimecast.export_type 
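Review bot: The added dissect for `user-logged-on` / `logon-requires-challenge` ends in `, %{mimecast.method}`, which captures the remainder verbatim, label included, so `mimecast.method` receives `Method: Two Step Auth, 2FA: TOTP` rather than `Two Step Auth` — the expected-output hunks in this same commit show exactly that, while the kv-driven `logon-authentication-failed` path yields a bare `Office 365`. The two paths should agree: either consume the label with `%{?key}: %{mimecast.method}` (which still leaves a trailing `, 2FA: TOTP` in the value) or, better, end the pattern in `%{mimecast.rest_of_event_info}` and add these two actions to the kv processor's `if`, so Method and any `2FA` token are split the same way as for failed logons. This dissect also has no `ignore_failure`, so a logon event whose text lacks the trailing `, Method: …` segment fails the whole document instead of losing one field. The enclosing `processors` list continues on both sides of the hunk.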
diff --git a/packages/mimecast/data_stream/audit_events/fields/field.yml b/packages/mimecast/data_stream/audit_events/fields/field.yml
index be7e5f2a870..17bfbb8b815 100644
--- a/packages/mimecast/data_stream/audit_events/fields/field.yml
+++ b/packages/mimecast/data_stream/audit_events/fields/field.yml
@@ -16,3 +16,6 @@
   - name: email.address
     type: keyword
     description: Email address from event info.
+  - name: method
+    type: keyword
+    description: Method which triggers audit events.
From 33afe7b7584b9664d302b0aa4ef7b28bb5240e81 Mon Sep 17 00:00:00 2001
From: djordje-adzemovic-devtech
Date: Tue, 22 Feb 2022 09:34:24 +0100
Subject: [PATCH 06/14] Refactoring audit-events pipeline and update tests to pass
---
 .../_dev/test/pipeline/test-audit-events.log | 2 +-
 .../test-audit-events.log-expected.json | 18 ++---
 .../elasticsearch/ingest_pipeline/default.yml | 77 +++++++++++--------
 packages/mimecast/docs/README.md | 1 +
 4 files changed, 56 insertions(+), 42 deletions(-)
diff --git a/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log b/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log
index 1c1e898b1d1..c8284127bd8 100644
--- a/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log
+++ b/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log
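Review bot: The description `Method which triggers audit events.` does not match what the pipeline stores in `mimecast.method`: the expected output in this series holds authentication-method values such as `Cloud`, `Office 365` and `Two Step Auth`. A description like `description: Authentication method reported in the event info (for example Cloud, Office 365, Two Step Auth).` tells an analyst what the field can be filtered on.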
@@ -13,7 +13,7 @@ {"id":"eNqrVipOTS4tSs1MUbJSMvCrMHX2MzL1yLFITjJNd8rO9wiJyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaGRkoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAPktKzg","auditType":"Logon Authentication Failed","user":"johndoe@example.com","eventTime":"2021-10-12T08:47:55+0000","eventInfo":"Failed authentication for johndoe@example.com , Date: 2021-10-12, Time: 09:47:55 BST, IP: 67.43.156.15, Application: mimecast-moa, Method: Office 365, Reason: Wrong password","category":"authentication_logs"} {"id":"eNqrVipOTS4tSs1MUbJSSnJMinKNMMtyDg3xKw2rDM91DC-JdAtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaGRooaOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAEQYK9w","auditType":"Existing Archive Task Changed","user":"johdoe@example.com","eventTime":"2021-10-12T08:47:54+0000","eventInfo":"Successfully updated 3 'Sync and Recover' tasks associated with legacy connection (\"365\") to new migrated connector (\"Sync and Recover - 365\"), Date: 2021-10-12, Time: 08:47:54+0000, IP: 67.43.156.15, Application: Administration Console","category":"archive_service_logs"} {"id":"eNoVzc0KgkAUQOF3uVsFuZma7qQ0UqiFqChuZH7M0iZmHMOid8_2h-98QDGiJespBDBgYwn-4orcHMrr_JqUWdjFBb8YThbF5bE6le_ardLGitJqnHF39w7YGuLsL5g8l7wAE1pN-2kQ3V-00bdt3KBrAtFqEiOTRFC2rvZbN_ScNZ-ZVL14QIDfH41XLGM","auditType":"Connectors Management","user":"johndoe@example.com","eventTime":"2021-10-12T08:47:53+0000","eventInfo":"Connector creation for Microsoft O365\nName: Sync and Recover - 365, Description: null, Product: Sync and Recover, App (provider): Microsoft O365\nSuccess: true, Date: 2021-10-12, Time: 08:47:53+0000, IP: 67.43.156.15, Application: Administration Console","category":"integrations_and_apis"} -{"id":"eNqrVipOTS4tSs1MUbJSynAJ8yuoyA4z9ygMNyv21C42MC9IDwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkbmFhoqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADk2K8U","auditType":"Page Data 
Exports","user":"johndoe@example.com","eventTime":"2021-10-12T02:27:18+0000","eventInfo":"[Export type : Download,Name :watchlist_view,Requested By :johdoe@example.com,Export time :Tue Oct 12 03:27:18 BST 2021,IP Address :67.43.156.15,Columns exported :Name|Email|Department|Number of Videos|,File name : export_at_watchlist_view_1634005638160.xlsx,File Size: 6864,File type : .xlsx], Date: 2021-10-12, Time: 02:27:18+0000, IP: 67.43.156.15, Application: mimecast-matfe","category":"account_logs"} +{"id":"eNqrVipOTS4tSs1MUbJSynAJ8yuoyA4z9ygMNyv21C42MC9IDwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkbmFhoqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADk2K8U","auditType":"Page Data Exports","user":"johndoe@example.com","eventTime":"2021-10-12T02:27:18+0000","eventInfo":"[Export type : Download,Name :watchlist_view,Requested By :johndoe@example.com,Export time :Tue Oct 12 03:27:18 BST 2021,IP Address :67.43.156.15,Columns exported :Name|Email|Department|Number of Videos|,File name : export_at_watchlist_view_1634005638160.xlsx,File Size: 6864,File type : .xlsx], Date: 2021-10-12, Time: 02:27:18+0000, IP: 67.43.156.15, Application: mimecast-matfe","category":"account_logs"} {"id":"eNqrVipOTS4tSs1MUbJSMi8zSc3J8M4Od_NwjdHPMDYzdfGO8MkJS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGlsZGppaKajlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgAmqSuF","auditType":"Custom Report Definition Created","user":"johndoe@example.local","eventTime":"2021-10-11T19:53:41+0000","eventInfo":"Action Performed - Custom Report Definition Created with name \"Terri test\" and description \"all user - per email report\" by johndoe@example.local Date: 2021-10-11 Time: 20:53:41 +0100 IP: 67.43.156.15 Application: Administration Console","category":"reporting_logs"} 
{"id":"eNqrVipOTS4tSs1MUbJSCij080lzDChMMjXw8o3IjnCLDIrRT8wJS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGlsZGpiYaqjlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgBNvCvh","auditType":"Folder Log Entry","user":"johndoe@example.com","eventTime":"2021-10-11T18:23:10+0000","eventInfo":"Action Performed - Deleted New Folder by johndoe@example.com Date: 2021-10-11 Time: 19:23:10 +0100 IP: 67.43.156.15 Application: Administration Console","category":"profile_group_logs"} {"id":"eNqrVipOTS4tSs1MUbJSCtF28jc2DDLwd_d1NM7ULnLzdnPzdwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiCAQ6SsmlxSX5ualFyfkpqUCbnE3MHM1NgcrLUouKM_PzlKwMawGTZipR","auditType":"User Password Changed","user":"johndoe@example.com","eventTime":"2021-10-12T19:56:55+0000","eventInfo":"Password reset for user: johndoe@example.com User Password Changed, Remote IP is null","category":"user_account_and_role_logs"} diff --git a/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log-expected.json b/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log-expected.json index 4031b86101b..3ccd3aabc3c 100644 --- a/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log-expected.json +++ b/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log-expected.json @@ -156,7 +156,7 @@ "application": "Administration Console", "category": "authentication_logs", "eventInfo": "Successful authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-11, Time: 18:17:30 BST, IP: 67.43.156.15, Application: Administration Console, Method: Two Step Auth, 2FA: TOTP", - "method": "Method: Two Step Auth, 2FA: TOTP" + "method": "Two Step Auth" } }, { 
@@ -207,7 +207,7 @@ "application": "Administration Console", "category": "authentication_logs", "eventInfo": "Intermediate authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-11, Time: 18:17:26 BST, IP: 67.43.156.15, Application: Administration Console, Method: Office 365, 2FA: TOTP", - "method": "Method: Office 365, 2FA: TOTP" + "method": "Office 365" } }, { @@ -258,7 +258,7 @@ "application": "Administration Console", "category": "authentication_logs", "eventInfo": "Successful authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-11, Time: 17:03:38 BST, IP: 67.43.156.15, Application: Administration Console, Method: Cloud", - "method": "Method: Cloud" + "method": "Cloud" } }, { @@ -766,8 +766,8 @@ }, "related": { "user": [ - "johdoe", - "johdoe@example.com" + "johndoe", + "johndoe@example.com" ], "ip": [ "67.43.156.15" 
@@ -791,13 +791,13 @@ "event": { "action": "page-data-exports", "ingested": "2021-12-14T14:48:19.342449695Z", - "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSynAJ8yuoyA4z9ygMNyv21C42MC9IDwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkbmFhoqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADk2K8U\",\"auditType\":\"Page Data Exports\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T02:27:18+0000\",\"eventInfo\":\"[Export type : Download,Name :watchlist_view,Requested By :johdoe@example.com,Export time :Tue Oct 12 03:27:18 BST 2021,IP Address :67.43.156.15,Columns exported :Name|Email|Department|Number of Videos|,File name : export_at_watchlist_view_1634005638160.xlsx,File Size: 6864,File type : .xlsx], Date: 2021-10-12, Time: 02:27:18+0000, IP: 67.43.156.15, Application: mimecast-matfe\",\"category\":\"account_logs\"}", + "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSynAJ8yuoyA4z9ygMNyv21C42MC9IDwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkbmFhoqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADk2K8U\",\"auditType\":\"Page Data Exports\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T02:27:18+0000\",\"eventInfo\":\"[Export type : Download,Name :watchlist_view,Requested By :johndoe@example.com,Export time :Tue Oct 12 03:27:18 BST 2021,IP Address :67.43.156.15,Columns exported :Name|Email|Department|Number of Videos|,File name : export_at_watchlist_view_1634005638160.xlsx,File Size: 6864,File type : .xlsx], Date: 2021-10-12, Time: 02:27:18+0000, IP: 67.43.156.15, Application: mimecast-matfe\",\"category\":\"account_logs\"}", "id": "eNqrVipOTS4tSs1MUbJSynAJ8yuoyA4z9ygMNyv21C42MC9IDwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkbmFhoqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADk2K8U", "created": "2021-10-12T02:27:18.000Z" }, "user": { - "name": "johdoe", - "email": "johdoe@example.com", + "name": "johndoe", + "email": "johndoe@example.com", 
"domain": "example.com" }, "tags": [ @@ -806,7 +806,7 @@ "mimecast": { "application": "mimecast-matfe", "category": "account_logs", - "eventInfo": "[Export type : Download,Name :watchlist_view,Requested By :johdoe@example.com,Export time :Tue Oct 12 03:27:18 BST 2021,IP Address :67.43.156.15,Columns exported :Name|Email|Department|Number of Videos|,File name : export_at_watchlist_view_1634005638160.xlsx,File Size: 6864,File type : .xlsx], Date: 2021-10-12, Time: 02:27:18+0000, IP: 67.43.156.15, Application: mimecast-matfe" + "eventInfo": "[Export type : Download,Name :watchlist_view,Requested By :johndoe@example.com,Export time :Tue Oct 12 03:27:18 BST 2021,IP Address :67.43.156.15,Columns exported :Name|Email|Department|Number of Videos|,File name : export_at_watchlist_view_1634005638160.xlsx,File Size: 6864,File type : .xlsx], Date: 2021-10-12, Time: 02:27:18+0000, IP: 67.43.156.15, Application: mimecast-matfe" } }, { diff --git a/packages/mimecast/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml b/packages/mimecast/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml index 92970a1b96d..992be16230d 100644 --- a/packages/mimecast/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml +++ b/packages/mimecast/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml 
@@ -63,39 +63,19 @@ processors: # Here we want to add as much categorization information as possible # We can do this by parsing mimecast.eventInfo differently based on # what event.action is, etc. - ### - - dissect: - field: mimecast.eventInfo - pattern: "%{mimecast.filename}, %{?key}: %{mimecast.date}, %{?key}: %{mimecast.time}, %{?key}: %{client.ip}, %{?key}: %{mimecast.application}" - if: 'ctx?.event?.action == "threat-intel-feed-download" || ctx?.event?.action == "existing-archive-task-changed" || ctx?.event?.action == "case-action"' + ### - dissect: field: mimecast.eventInfo - pattern: "%{mimecast.filename}, %{?key}: %{mimecast.date}, %{?key}: %{mimecast.time}, %{?key}: %{client.ip}, %{?key}: %{mimecast.application}, %{mimecast.method}" - if: 'ctx?.event?.action == "user-logged-on" || ctx?.event?.action == "logon-requires-challenge"' - - dissect: - field: mimecast.eventInfo - pattern: "%{mimecast.info}, %{event.type}, %{mimecast.search}, %{?key}: %{mimecast.date}, %{?key}: %{mimecast.time}, %{?key}: %{client.ip}, %{?key}: %{mimecast.application}" + pattern: "%{mimecast.info}, %{event.type}, %{mimecast.search}, %{mimecast.rest_of_event_info}" if: 'ctx?.event?.action == "remediation-incident-adjustment"' - dissect: field: mimecast.eventInfo - pattern: "%{mimecast.info}, %{mimecast.type}, %{?key}: %{mimecast.date}, %{?key}: %{mimecast.time}, %{?key}: %{client.ip}, %{?key}: %{mimecast.application}" + pattern: "%{mimecast.info}, %{mimecast.type}, %{mimecast.rest_of_event_info}" if: 'ctx?.event?.action == "review-set-action"' - dissect: field: mimecast.eventInfo - pattern: "%{mimecast.info}, %{?key}: %{mimecast.date}, %{?key}: %{mimecast.time}, %{?key}: %{client.ip}, %{?key}: %{mimecast.application}" - if: 'ctx?.event?.action == "archive-mailbox-export-download" || ctx?.event?.action == "archive-mailbox-restore"' #logon-authentication-failed - - dissect: - field: mimecast.eventInfo - pattern: "%{mimecast.info}, %{mimecast.description}, %{mimecast.product}, 
%{mimecast.provider}, %{?key}: %{mimecast.date}, %{?key}: %{mimecast.time}, %{?key}: %{client.ip}, %{?key}: %{mimecast.application}" + pattern: "%{mimecast.info}, %{mimecast.description}, %{mimecast.product}, %{mimecast.provider}, %{mimecast.rest_of_event_info}" if: 'ctx?.event?.action == "connectors-management"' - - dissect: - field: mimecast.eventInfo - pattern: "%{mimecast.info}, %{mimecast.criteria}, %{?key}: %{mimecast.date}, %{?key}: %{mimecast.time}, %{?key}: %{client.ip}, %{?key}: %{mimecast.application}" - if: 'ctx?.event?.action == "search-action"' - - dissect: - field: mimecast.eventInfo - pattern: "%{mimecast.info}, %{?key}: <%{mimecast.name.from}> %{email.from.address}, %{?key}: <%{mimecast.name.to}> %{email.to.address}, %{?key}: %{email.subject}, %{?key}: %{email.origination_timestamp}, %{?key}: %{mimecast.viewed}, %{?key}: %{mimecast.date}, %{?key}: %{mimecast.time}, %{?key}: %{client.ip}, %{?key}: %{mimecast.application}" - if: 'ctx?.event?.action == "message-action"' - dissect: field: mimecast.eventInfo pattern: "%{mimecast.info}, %{?key}:%{mimecast.email.address}[%{mimecast.email.metadata}] %{?key}: %{client.ip} %{?key}: %{mimecast.application}" 
@@ -105,16 +85,21 @@ processors: - dissect: field: mimecast.eventInfo pattern: "%{mimecast.info}, %{mimecast.rest_of_event_info}" - if: 'ctx?.event?.action=="logon-authentication-failed"' ignore_missing: true ignore_failure: true + - dissect: + field: mimecast.eventInfo + pattern: "%{?drop->} - %{mimecast.info}<%{user.email}> %{?key}: %{mimecast.date} %{?key}: %{mimecast.time} %{mimecast.timezone} %{?key}: %{client.ip} %{?key}: %{mimecast.application}" + if: 'ctx?.event?.action=="folder-log-entry" || ctx?.event?.action=="custom-report-definition-created" || ctx?.event?.action=="mimecast-support-login"' + ignore_missing: true + ignore_failure: true - kv: field: mimecast.rest_of_event_info field_split: ", " value_split: ": " target_field: mimecast.event_info_parts + if: 'ctx?.event?.action == "threat-intel-feed-download" || ctx?.event?.action == "existing-archive-task-changed" || ctx?.event?.action == "case-action" || ctx?.event?.action == "user-logged-on" || ctx?.event?.action == "logon-authentication-failed" || ctx?.event?.action == "archive-mailbox-restore" || ctx?.event?.action == "archive-mailbox-export-download" || ctx?.event?.action == "logon-requires-challenge" || ctx?.event?.action=="message-action" || ctx?.event?.action=="search-action" || ctx?.event?.action=="remediation-incident-adjustment" || ctx?.event?.action=="connectors-management" || ctx?.event?.action=="review-set-action"' ignore_missing: true - if: 'ctx?.event?.action=="logon-authentication-failed"' - rename: field: mimecast.event_info_parts.Date target_field: mimecast.date 
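Review bot: Removing the `if` from the `%{mimecast.info}, %{mimecast.rest_of_event_info}` dissect makes it run for every event, after the action-specific dissects earlier in the file have already set `mimecast.info` and `mimecast.rest_of_event_info` for `remediation-incident-adjustment`, `connectors-management` and the others; re-dissecting `mimecast.eventInfo` then overwrites `rest_of_event_info` with everything after the first `, `, so the kv below appears to receive the pieces those patterns had already split off (for the connector event on this page that would be `Description`, `Product` and `App (provider)` keys). Guard it with `if: 'ctx.mimecast?.info == null'` so it only handles events no earlier pattern matched. The kv's `if` now lists thirteen actions by hand and must be edited whenever a dissect above is added or removed; since the processor already has `ignore_missing: true`, keying it on the data (`if: 'ctx.mimecast?.rest_of_event_info != null'`) would follow the dissects automatically. The enclosing `processors` list continues on both sides of the hunk.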
@@ -139,14 +124,39 @@ processors: field: mimecast.event_info_parts.Reason target_field: event.reason ignore_missing: true + - rename: + field: mimecast.info + target_field: mimecast.filename + ignore_missing: true + if: 'ctx?.event?.action == "threat-intel-feed-download"' + - rename: + field: mimecast.event_info_parts.From + target_field: mimecast.from + ignore_missing: true + - rename: + field: mimecast.event_info_parts.Processed + target_field: email.origination_timestamp + ignore_missing: true + - rename: + field: mimecast.event_info_parts.Subject + target_field: email.subject + ignore_missing: true + - rename: + field: mimecast.event_info_parts.To + target_field: mimecast.to + ignore_missing: true - dissect: - field: mimecast.eventInfo - pattern: "%{?drop->} - %{mimecast.info}<%{user.email}> %{?key}: %{mimecast.date} %{?key}: %{mimecast.time} %{mimecast.timezone} %{?key}: %{client.ip} %{?key}: %{mimecast.application}" - if: 'ctx?.event?.action=="folder-log-entry" || ctx?.event?.action=="custom-report-definition-created"' + field: mimecast.from + pattern: "<%{mimecast.name.from}> %{email.from.address}" + if: 'ctx?.event?.action=="message-action"' + ignore_missing: true + ignore_failure: true - dissect: - field: mimecast.eventInfo - pattern: "%{?drop->} - %{mimecast.info}. 
%{mimecast.byuser}<%{user.email}> %{?key}: %{mimecast.date} %{?key}: %{mimecast.time} %{mimecast.timezone} %{?key}: %{client.ip} %{?key}: %{mimecast.application}" - if: 'ctx?.event?.action=="mimecast-support-login"' + field: mimecast.to + pattern: "<%{mimecast.name.to}> %{email.to.address}" + if: 'ctx?.event?.action=="message-action"' + ignore_missing: true + ignore_failure: true - dissect: field: mimecast.eventInfo pattern: "[%{?key} : %{mimecast.export_type},%{?key} :%{mimecast.export_name},%{?key} :%{user.email},%{?key} :%{mimecast.weekday} %{mimecast.month} %{mimecast.monthday} %{mimecast.time} %{mimecast.timezone} %{mimecast.year},%{?key} :%{client.ip},%{?key} :%{mimecast.columns_exported},%{?key} : %{file.name},%{?key}: %{file.size},%{?key} : %{file.extension}], %{?key}: %{mimecast.date}, %{?key}: %{mimecast.time}, %{?key}: %{client.ip}, %{?key}: %{mimecast.application}" @@ -273,6 +283,9 @@ processors: - mimecast.organization_name - mimecast.event_info_parts - mimecast.rest_of_event_info + - mimecast.from + - mimecast.to + ignore_missing: true - remove: description: Remove 'event.original' if 'preserve_original_event' is not set. diff --git a/packages/mimecast/docs/README.md b/packages/mimecast/docs/README.md index 19f71c54460..be073364c2f 100644 --- a/packages/mimecast/docs/README.md +++ b/packages/mimecast/docs/README.md @@ -149,6 +149,7 @@ An example event for `audit_events` looks as following: | mimecast.email.address | Email address from event info. | keyword | | mimecast.email.metadata | The email meta data from audit info. | keyword | | mimecast.eventInfo | The detailed event information. | keyword | +| mimecast.method | Method which triggers audit events. | keyword | | related.ip | All of the IPs seen on your event. | ip | | related.user | All the user names or other user identifiers seen on the event. | keyword | | tags | List of keywords used to tag each event. | keyword | From cf9d3dbcd0671a5203d352b0c049cbc061904f7a Mon Sep 17 00:00:00 2001 
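Review bot: `mimecast.event_info_parts.Processed` is renamed straight into `email.origination_timestamp`, an ECS `date` field, with no `date` processor in this hunk to parse the value; unless one exists elsewhere in the pipeline, a Processed value in a format the index mapping does not accept rejects the whole audit record at index time. Parsing it explicitly with a `date` processor whose `on_failure` leaves the raw text under `mimecast.*` would keep a malformed timestamp from dropping an otherwise good event, and the chosen input format should be stated in a comment next to the rename. The enclosing `processors` list continues on both sides of the hunk.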
From: djordje-adzemovic-devtech Date: Tue, 22 Feb 2022 12:18:11 +0100 Subject: [PATCH 07/14] Remove unnecessary thing, adding 2FA as a field, and changing coditions in pipeline operators --- .../test/pipeline/test-audit-events.log-expected.json | 6 ++++-- .../elasticsearch/ingest_pipeline/default.yml | 8 +++++++- .../mimecast/data_stream/audit_events/fields/field.yml | 3 +++ 3 files changed, 14 insertions(+), 3 deletions(-) diff --git a/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log-expected.json b/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log-expected.json index 3ccd3aabc3c..8146e34e735 100644 --- a/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log-expected.json +++ b/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log-expected.json @@ -156,7 +156,8 @@ "application": "Administration Console", "category": "authentication_logs", "eventInfo": "Successful authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-11, Time: 18:17:30 BST, IP: 67.43.156.15, Application: Administration Console, Method: Two Step Auth, 2FA: TOTP", - "method": "Two Step Auth" + "method": "Two Step Auth", + "2FA": "TOTP" } }, { @@ -207,7 +208,8 @@ "application": "Administration Console", "category": "authentication_logs", "eventInfo": "Intermediate authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-11, Time: 18:17:26 BST, IP: 67.43.156.15, Application: Administration Console, Method: Office 365, 2FA: TOTP", - "method": "Office 365" + "method": "Office 365", + "2FA": "TOTP" } }, { diff --git a/packages/mimecast/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml b/packages/mimecast/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml index 992be16230d..f334ff581aa 100644 --- a/packages/mimecast/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml 
+++ b/packages/mimecast/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml @@ -85,6 +85,7 @@ processors: - dissect: field: mimecast.eventInfo pattern: "%{mimecast.info}, %{mimecast.rest_of_event_info}" + if: 'ctx.mimecast?.info == null' ignore_missing: true ignore_failure: true - dissect: @@ -98,7 +99,8 @@ processors: field_split: ", " value_split: ": " target_field: mimecast.event_info_parts - if: 'ctx?.event?.action == "threat-intel-feed-download" || ctx?.event?.action == "existing-archive-task-changed" || ctx?.event?.action == "case-action" || ctx?.event?.action == "user-logged-on" || ctx?.event?.action == "logon-authentication-failed" || ctx?.event?.action == "archive-mailbox-restore" || ctx?.event?.action == "archive-mailbox-export-download" || ctx?.event?.action == "logon-requires-challenge" || ctx?.event?.action=="message-action" || ctx?.event?.action=="search-action" || ctx?.event?.action=="remediation-incident-adjustment" || ctx?.event?.action=="connectors-management" || ctx?.event?.action=="review-set-action"' + ignore_failure: true +# if: 'ctx?.event?.action == "threat-intel-feed-download" || ctx?.event?.action == "existing-archive-task-changed" || ctx?.event?.action == "case-action" || ctx?.event?.action == "user-logged-on" || ctx?.event?.action == "logon-authentication-failed" || ctx?.event?.action == "archive-mailbox-restore" || ctx?.event?.action == "archive-mailbox-export-download" || ctx?.event?.action == "logon-requires-challenge" || ctx?.event?.action=="message-action" || ctx?.event?.action=="search-action" || ctx?.event?.action=="remediation-incident-adjustment" || ctx?.event?.action=="connectors-management" || ctx?.event?.action=="review-set-action"' ignore_missing: true - rename: field: mimecast.event_info_parts.Date 
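Review bot: The kv processor's old condition is kept as a commented-out `# if: …` line inside the processor list instead of being deleted; a stale thirteen-action list sitting in the pipeline invites someone to re-enable it later, and git history already preserves it. Dropping the `if` also means the processor now runs on every event's `rest_of_event_info`, and the new `ignore_failure: true` hides any resulting parse error for every event type rather than only the ones being worked on; if the blanket run is intended, the comment should go and the processor should carry something like `description: Split the trailing 'Label: value' pairs of eventInfo; failures are ignored because some audit types carry free text here.` so the silence is deliberate and visible. The enclosing `processors` list continues on both sides of the hunk.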
@@ -141,6 +143,10 @@ processors:
       field: mimecast.event_info_parts.Subject
       target_field: email.subject
       ignore_missing: true
+  - rename:
+      field: mimecast.event_info_parts.2FA
+      target_field: mimecast.2FA
+      ignore_missing: true
   - rename:
       field: mimecast.event_info_parts.To
       target_field: mimecast.to
diff --git a/packages/mimecast/data_stream/audit_events/fields/field.yml b/packages/mimecast/data_stream/audit_events/fields/field.yml
index 17bfbb8b815..201f678ce13 100644
--- a/packages/mimecast/data_stream/audit_events/fields/field.yml
+++ b/packages/mimecast/data_stream/audit_events/fields/field.yml
@@ -19,3 +19,6 @@
   - name: method
     type: keyword
     description: Method which triggers audit events.
+  - name: 2FA
+    type: keyword
+    description: Info about two-factor authentication.
From d26e9e5db3267e2c96e61de5e30598472e104b6f Mon Sep 17 00:00:00 2001
From: djordje-adzemovic-devtech
Date: Tue, 22 Feb 2022 14:39:57 +0100
Subject: [PATCH 08/14] Remove unnecessary code to make pipeline more cleaner
---
 .../elasticsearch/ingest_pipeline/default.yml | 17 ++---------------
 1 file changed, 2 insertions(+), 15 deletions(-)
diff --git a/packages/mimecast/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml b/packages/mimecast/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml
index f334ff581aa..99d9cb1b5ab 100644
--- a/packages/mimecast/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/mimecast/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml
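Review bot: `target_field: mimecast.2FA` departs from the lower-case naming of its siblings (`method`, `application`, `category`) and, because the name starts with a digit, it is unlikely to be addressable with dot notation in a Painless condition (`ctx.mimecast.2FA` is not a valid identifier path, so bracket access would be needed), which makes any later `if` on it awkward. `target_field: mimecast.two_factor` here and `- name: two_factor` in this commit's field.yml hunk would keep the schema consistent. The field description `Info about two-factor authentication.` should also say what the value is; the expected output in this commit shows `TOTP`, so `description: Second-factor type used for the authentication, for example TOTP.` is more useful. The enclosing `processors` list continues on both sides of the hunk.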
@@ -68,10 +68,6 @@ processors:
field: mimecast.eventInfo
pattern: "%{mimecast.info}, %{event.type}, %{mimecast.search}, %{mimecast.rest_of_event_info}"
if: 'ctx?.event?.action == "remediation-incident-adjustment"'
- - dissect:
- field: mimecast.eventInfo
- pattern: "%{mimecast.info}, %{mimecast.type}, %{mimecast.rest_of_event_info}"
- if: 'ctx?.event?.action == "review-set-action"'
- dissect:
field: mimecast.eventInfo
pattern: "%{mimecast.info}, %{mimecast.description}, %{mimecast.product}, %{mimecast.provider}, %{mimecast.rest_of_event_info}"
@@ -100,7 +96,6 @@ processors:
value_split: ": "
target_field: mimecast.event_info_parts
ignore_failure: true
-# if: 'ctx?.event?.action == "threat-intel-feed-download" || ctx?.event?.action == "existing-archive-task-changed" || ctx?.event?.action == "case-action" || ctx?.event?.action == "user-logged-on" || ctx?.event?.action == "logon-authentication-failed" || ctx?.event?.action == "archive-mailbox-restore" || ctx?.event?.action == "archive-mailbox-export-download" || ctx?.event?.action == "logon-requires-challenge" || ctx?.event?.action=="message-action" || ctx?.event?.action=="search-action" || ctx?.event?.action=="remediation-incident-adjustment" || ctx?.event?.action=="connectors-management" || ctx?.event?.action=="review-set-action"'
ignore_missing: true
- rename:
field: mimecast.event_info_parts.Date
@@ -131,10 +126,6 @@ processors:
target_field: mimecast.filename
ignore_missing: true
if: 'ctx?.event?.action == "threat-intel-feed-download"'
- - rename:
- field: mimecast.event_info_parts.From
- target_field: mimecast.from
- ignore_missing: true
- rename:
field: mimecast.event_info_parts.Processed
target_field: email.origination_timestamp
@@ -147,18 +138,14 @@ processors:
field: mimecast.event_info_parts.2FA
target_field: mimecast.2FA
ignore_missing: true
- - rename:
- field: mimecast.event_info_parts.To
- target_field: mimecast.to
- ignore_missing: true
- dissect:
- field: mimecast.from
+ field: mimecast.event_info_parts.From
pattern: "<%{mimecast.name.from}> %{email.from.address}"
if: 'ctx?.event?.action=="message-action"'
ignore_missing: true
ignore_failure: true
- dissect:
- field: mimecast.to
+ field: mimecast.event_info_parts.To
pattern: "<%{mimecast.name.to}> %{email.to.address}"
if: 'ctx?.event?.action=="message-action"'
ignore_missing: true
From 1eb9251b3232cfa8a0c7c14b5aa567f7df40aa01 Mon Sep 17 00:00:00 2001
From: djordje-adzemovic-devtech
Date: Tue, 22 Feb 2022 14:58:53 +0100
Subject: [PATCH 09/14] Remove more unnecassary code from pipeline for audit-events
---
.../test/pipeline/test-audit-events.log-expected.json | 2 --
.../elasticsearch/ingest_pipeline/default.yml | 8 --------
2 files changed, 10 deletions(-)
diff --git a/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log-expected.json b/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log-expected.json
index 8146e34e735..51c8f32bc42 100644
--- a/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log-expected.json
+++ b/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log-expected.json
@@ -972,7 +972,6 @@
"ingested": "2021-12-14T14:48:19.342451340Z",
"original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSSgwpLctzzah00TbMTTawdC4NDPAzzwlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiaGBhoqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADOfK6w\",\"auditType\":\"Remediation Incident Adjustment\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T19:49:30+0000\",\"eventInfo\":\"Remediation Incident Created - TR-C46A75-01420-M, type : manual, search criteria : {\\\"fileHash\\\":\\\"9e6011844705292d5abfe0aa38d8aff02f6d8f69689c2e7cb2338f9484774bb3\\\",\\\"start\\\":\\\"2021-09-12T19:48:59+0000\\\",\\\"end\\\":\\\"2021-10-12T19:48:59+0000\\\"}, Date: 2021-10-12, Time: 19:49:30+0000, IP: 67.43.156.15, Application: Administration Console\",\"category\":\"account_logs\"}",
"id": "eNqrVipOTS4tSs1MUbJSSgwpLctzzah00TbMTTawdC4NDPAzzwlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiaGBhoqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADOfK6w",
- "type": "type : manual",
"created": "2021-10-12T19:49:30.000Z"
},
"user": {
@@ -1223,7 +1222,6 @@
"ingested": "2021-12-14T14:48:19.342453242Z",
"original": "{\"id\":\"eNqrVipOTS4tSs1MUbJS8vDNLCt0DHEKS4xICvNJqzQ1MjOyyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaWJurKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAByMK38\",\"auditType\":\"Remediation Incident Adjustment\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T15:38:05+0000\",\"eventInfo\":\"Restore Remediation Incident Created - TR-C46A75-01419-R, type : restore, search criteria : {\\\"unremediateCode\\\":\\\"TR-C46A75-01419-M\\\",\\\"from\\\":\\\"gmail.com\\\",\\\"start\\\":\\\"2021-10-10T15:33:49+0000\\\",\\\"end\\\":\\\"2021-10-12T15:33:49+0000\\\"}, Date: 2021-10-12, Time: 15:38:05+0000, IP: 67.43.156.15, Application: Administration Console\",\"category\":\"account_logs\"}",
"id": "eNqrVipOTS4tSs1MUbJS8vDNLCt0DHEKS4xICvNJqzQ1MjOyyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaWJurKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAByMK38",
- "type": "type : restore",
"created": "2021-10-12T15:38:05.000Z"
},
"user": {
diff --git a/packages/mimecast/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml b/packages/mimecast/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml
index 99d9cb1b5ab..69cd397a8f1 100644
--- a/packages/mimecast/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/mimecast/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml
@@ -64,14 +64,6 @@ processors:
# We can do this by parsing mimecast.eventInfo differently based on
# what event.action is, etc.
###
- - dissect:
- field: mimecast.eventInfo
- pattern: "%{mimecast.info}, %{event.type}, %{mimecast.search}, %{mimecast.rest_of_event_info}"
- if: 'ctx?.event?.action == "remediation-incident-adjustment"'
- - dissect:
- field: mimecast.eventInfo
- pattern: "%{mimecast.info}, %{mimecast.description}, %{mimecast.product}, %{mimecast.provider}, %{mimecast.rest_of_event_info}"
- if: 'ctx?.event?.action == "connectors-management"'
- dissect:
field: mimecast.eventInfo
pattern: "%{mimecast.info}, %{?key}:%{mimecast.email.address}[%{mimecast.email.metadata}] %{?key}: %{client.ip} %{?key}: %{mimecast.application}"
From f03a4c9229a6a0bb069da6430dd77318a3814a2f Mon Sep 17 00:00:00 2001
From: djordje-adzemovic-devtech
Date: Tue, 22 Feb 2022 15:13:16 +0100
Subject: [PATCH 10/14] Removing unused fields from remove list in the pipeline
---
.../audit_events/elasticsearch/ingest_pipeline/default.yml | 2 --
1 file changed, 2 deletions(-)
diff --git a/packages/mimecast/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml b/packages/mimecast/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml
index 69cd397a8f1..f0147ec651b 100644
--- a/packages/mimecast/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/mimecast/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml
@@ -268,8 +268,6 @@ processors:
- mimecast.organization_name
- mimecast.event_info_parts
- mimecast.rest_of_event_info
- - mimecast.from
- - mimecast.to
ignore_missing: true
- remove:
From 6c62990d60fa732e37dd6612a0e64746f7f36c5c Mon Sep 17 00:00:00 2001
From: djordje-adzemovic-devtech
Date: Tue, 22 Feb 2022 15:29:18 +0100
Subject: [PATCH 11/14] Cleaning pipeline even more
---
.../_dev/test/pipeline/test-audit-events.log-expected.json | 1 -
.../audit_events/elasticsearch/ingest_pipeline/default.yml | 6 ++----
2 files changed, 2 insertions(+), 5 deletions(-)
diff --git a/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log-expected.json b/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log-expected.json
index 51c8f32bc42..2989bb7cafc 100644
--- a/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log-expected.json
+++ b/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log-expected.json
@@ -418,7 +418,6 @@
"preserve_original_event"
],
"mimecast": {
- "name": {},
"eventInfo": "Viewed Message - Source: Search, From: \u003cJohn Done\u003e johndoe@example.com, To: \u003cjohndoe@example.com\u003e johndoe@example.com, Subject: Test on Tues 28th Sept, Processed: 2021-09-28 07:59:23+0000, Viewed Content: True, Date: 2021-10-11, Time: 15:36:01+0000, IP: 67.43.156.15, Application: mimecast-case-review",
"application": "mimecast-case-review",
"category": "case_review_logs"
diff --git a/packages/mimecast/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml b/packages/mimecast/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml
index f0147ec651b..c92cbd3bac0 100644
--- a/packages/mimecast/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/mimecast/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml
@@ -132,13 +132,13 @@ processors:
ignore_missing: true
- dissect:
field: mimecast.event_info_parts.From
- pattern: "<%{mimecast.name.from}> %{email.from.address}"
+ pattern: "<%{?drop}> %{email.from.address}"
if: 'ctx?.event?.action=="message-action"'
ignore_missing: true
ignore_failure: true
- dissect:
field: mimecast.event_info_parts.To
- pattern: "<%{mimecast.name.to}> %{email.to.address}"
+ pattern: "<%{?drop}> %{email.to.address}"
if: 'ctx?.event?.action=="message-action"'
ignore_missing: true
ignore_failure: true
@@ -252,8 +252,6 @@ processors:
- mimecast.provider
- mimecast.filename
- mimecast.criteria
- - mimecast.name.to
- - mimecast.name.from
- mimecast.viewed
- mimecast.timezone
- mimecast.byuser
From 5d6732e8bb0f142ce141de74694805996e7ecafc Mon Sep 17 00:00:00 2001
From: djordje-adzemovic-devtech
Date: Tue, 22 Feb 2022 16:03:36 +0100
Subject: [PATCH 12/14] Updating ecs version
---
packages/mimecast/_dev/build/build.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/mimecast/_dev/build/build.yml b/packages/mimecast/_dev/build/build.yml
index 08d85edcf9a..7ee6808095f 100644
--- a/packages/mimecast/_dev/build/build.yml
+++ b/packages/mimecast/_dev/build/build.yml
@@ -1,3 +1,3 @@
dependencies:
ecs:
- reference: git@1.12
+ reference: git@8.0.0
From 7f96b294d32e69c7e8a9c0c06107093d784897d8 Mon Sep 17 00:00:00 2001
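Review bot: Switching the two captures to `%{?drop}` throws away the display name from the `From:`/`To:` values, which is the part of a sender header where a mismatch between name and address (a common phishing indicator) would be visible; if the name is deliberately not indexed, a comment above the first dissect, `# Only the address is kept; the <display name> capture is discarded on purpose`, records that choice so nobody reintroduces `mimecast.name.*` and, as the expected-output hunk in this patch suggests, an empty `mimecast.name: {}` object along with it. The skip key is also named `?drop` here while the dissect pattern earlier in this file uses `?key` for the same purpose; one name for discarded captures keeps the patterns uniform. The `processors` list continues outside the hunk on both sides.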
From: Marc Guasch
Date: Tue, 22 Feb 2022 16:47:21 +0100
Subject: [PATCH 13/14] Update ecs version and re-generate test files
---
packages/mimecast/_dev/build/build.yml | 2 +-
.../test-audit-events.log-expected.json | 1369 ++++++++---------
.../elasticsearch/ingest_pipeline/default.yml | 2 +-
.../audit_events/sample_event.json | 88 +-
.../pipeline/test-dlp-logs.log-expected.json | 20 +-
.../elasticsearch/ingest_pipeline/default.yml | 2 +-
.../data_stream/dlp_logs/sample_event.json | 18 +-
.../pipeline/test-siem-logs.log-expected.json | 14 +-
.../elasticsearch/ingest_pipeline/default.yml | 2 +-
.../data_stream/siem_logs/sample_event.json | 68 +-
...t-intel-malware-customer.log-expected.json | 14 +-
.../elasticsearch/ingest_pipeline/default.yml | 2 +-
.../sample_event.json | 80 +-
...hreat-intel-malware-grid.log-expected.json | 14 +-
.../elasticsearch/ingest_pipeline/default.yml | 2 +-
.../sample_event.json | 81 +-
.../test-ttp-ap-logs.log-expected.json | 6 +-
.../elasticsearch/ingest_pipeline/default.yml | 2 +-
.../data_stream/ttp_ap_logs/sample_event.json | 80 +-
.../test-ttp-ip-logs.log-expected.json | 6 +-
.../elasticsearch/ingest_pipeline/default.yml | 2 +-
.../data_stream/ttp_ip_logs/sample_event.json | 89 +-
.../test-ttp-url-logs.log-expected.json | 6 +-
.../elasticsearch/ingest_pipeline/default.yml | 2 +-
.../ttp_url_logs/sample_event.json | 105 +-
packages/mimecast/docs/README.md | 5 +-
26 files changed, 1088 insertions(+), 993 deletions(-)
diff --git a/packages/mimecast/_dev/build/build.yml b/packages/mimecast/_dev/build/build.yml
index 7ee6808095f..809e76063e9 100644
--- a/packages/mimecast/_dev/build/build.yml
+++ b/packages/mimecast/_dev/build/build.yml
@@ -1,3 +1,3 @@
dependencies:
ecs:
- reference: git@8.0.0
+ reference: git@8.0
diff --git a/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log-expected.json b/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log-expected.json
index 2989bb7cafc..7bb1eeb7f92 100644
--- a/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log-expected.json
+++ b/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log-expected.json
@@ -2,915 +2,906 @@ "expected": [ { "@timestamp": "2021-10-18T08:45:02.000Z", - "file": { - "name": "Threat intel multiple feeds download - malware_customer_csv_20211018094502564.zip", - "extension": "zip" - }, - "ecs": { - "version": "1.12.0" - }, - "related": { - "user": [ - "johndoe", - "johndoe@example.com" - ], - "ip": [ - "67.43.156.15" - ] - }, "client": { + "as": { + "number": 35908 + }, "geo": { "continent_name": "Asia", + "country_iso_code": "BT", "country_name": "Bhutan", "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 + "lat": 27.5, + "lon": 90.5 + } }, "ip": "67.43.156.15" }, + "ecs": { + "version": "8.0.0" + }, "event": { "action": "threat-intel-feed-download", - "ingested": "2021-12-14T14:48:19.342442297Z", - "original": "{\"auditType\":\"Threat Intel Feed Download\",\"category\":\"reporting_logs\",\"eventInfo\":\"Threat intel multiple feeds download - malware_customer_csv_20211018094502564.zip, Date: 2021-10-18, Time: 08:45:02+0000, IP: 67.43.156.15, Application: Integrations\",\"eventTime\":\"2021-10-18T08:45:02+0000\",\"id\":\"eNqrVipOTS4tSs1MUbJS8im3dA5NjAxJTPP0svD1jioo9IsINgxL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxpbmRhoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWACCXK48\",\"user\":\"johndoe@example.com\"}", + "created": "2021-10-18T08:45:02.000Z", "id": "eNqrVipOTS4tSs1MUbJS8im3dA5NjAxJTPP0svD1jioo9IsINgxL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxpbmRhoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWACCXK48", - "created": "2021-10-18T08:45:02.000Z" + "original": "{\"auditType\":\"Threat Intel Feed Download\",\"category\":\"reporting_logs\",\"eventInfo\":\"Threat intel multiple feeds download - malware_customer_csv_20211018094502564.zip, Date: 2021-10-18, Time: 08:45:02+0000, IP: 67.43.156.15, Application: 
Integrations\",\"eventTime\":\"2021-10-18T08:45:02+0000\",\"id\":\"eNqrVipOTS4tSs1MUbJS8im3dA5NjAxJTPP0svD1jioo9IsINgxL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxpbmRhoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWACCXK48\",\"user\":\"johndoe@example.com\"}" }, - "user": { - "name": "johndoe", - "email": "johndoe@example.com", - "domain": "example.com" + "file": { + "extension": "zip", + "name": "Threat intel multiple feeds download - malware_customer_csv_20211018094502564.zip" }, - "tags": [ - "preserve_original_event" - ], "mimecast": { "application": "Integrations", "category": "reporting_logs", "eventInfo": "Threat intel multiple feeds download - malware_customer_csv_20211018094502564.zip, Date: 2021-10-18, Time: 08:45:02+0000, IP: 67.43.156.15, Application: Integrations" - } - }, - { - "@timestamp": "2021-10-10T22:51:57.000Z", - "file": { - "name": "Threat intel multiple feeds download - malware_grid_csv_20211010235157027.zip", - "extension": "zip" - }, - "ecs": { - "version": "1.12.0" }, "related": { - "user": [ - "johndoe", - "johndoe@example" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "johndoe", + "johndoe@example.com" ] }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "example.com", + "email": "johndoe@example.com", + "name": "johndoe" + } + }, + { + "@timestamp": "2021-10-10T22:51:57.000Z", "client": { + "as": { + "number": 35908 + }, "geo": { "continent_name": "Asia", + "country_iso_code": "BT", "country_name": "Bhutan", "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 + "lat": 27.5, + "lon": 90.5 + } }, "ip": "67.43.156.15" }, + "ecs": { + "version": "8.0.0" + }, "event": { "action": "threat-intel-feed-download", - "ingested": "2021-12-14T14:48:19.342444278Z", - "original": "{\"id\": 
\"eNqrVipOTS4tSs1MUbJS8nbx8CoyTPFN9akM9K5KqnQyi8z2DgtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxoaG5grKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADbWK70\",\"auditType\": \"Threat Intel Feed Download\",\"user\": \"johndoe@example\",\"eventTime\": \"2021-10-10T22:51:57+0000\",\"eventInfo\": \"Threat intel multiple feeds download - malware_grid_csv_20211010235157027.zip, Date: 2021-10-10, Time: 22:51:57+0000, IP: 67.43.156.15, Application: Azure Sentinel\",\"category\": \"reporting_logs\"}", + "created": "2021-10-10T22:51:57.000Z", "id": "eNqrVipOTS4tSs1MUbJS8nbx8CoyTPFN9akM9K5KqnQyi8z2DgtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxoaG5grKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADbWK70", - "created": "2021-10-10T22:51:57.000Z" + "original": "{\"id\": \"eNqrVipOTS4tSs1MUbJS8nbx8CoyTPFN9akM9K5KqnQyi8z2DgtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxoaG5grKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADbWK70\",\"auditType\": \"Threat Intel Feed Download\",\"user\": \"johndoe@example\",\"eventTime\": \"2021-10-10T22:51:57+0000\",\"eventInfo\": \"Threat intel multiple feeds download - malware_grid_csv_20211010235157027.zip, Date: 2021-10-10, Time: 22:51:57+0000, IP: 67.43.156.15, Application: Azure Sentinel\",\"category\": \"reporting_logs\"}" }, - "user": { - "name": "johndoe", - "email": "johndoe@example", - "domain": "example" + "file": { + "extension": "zip", + "name": "Threat intel multiple feeds download - malware_grid_csv_20211010235157027.zip" }, - "tags": [ - "preserve_original_event" - ], "mimecast": { "application": "Azure Sentinel", "category": "reporting_logs", "eventInfo": "Threat intel multiple feeds download - malware_grid_csv_20211010235157027.zip, Date: 2021-10-10, Time: 22:51:57+0000, IP: 67.43.156.15, Application: Azure Sentinel" - } - }, - { - "@timestamp": "2021-10-11T17:17:30.000Z", - "ecs": { - "version": "1.12.0" }, "related": { - 
"user": [ - "johndoe", - "johndoe@example.com" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "johndoe", + "johndoe@example" ] }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "example", + "email": "johndoe@example", + "name": "johndoe" + } + }, + { + "@timestamp": "2021-10-11T17:17:30.000Z", "client": { + "as": { + "number": 35908 + }, "geo": { "continent_name": "Asia", + "country_iso_code": "BT", "country_name": "Bhutan", "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 + "lat": 27.5, + "lon": 90.5 + } }, "ip": "67.43.156.15" }, + "ecs": { + "version": "8.0.0" + }, "event": { "action": "user-logged-on", - "ingested": "2021-12-14T14:48:19.342444686Z", - "original": "{\"id\": \"eNqrVipOTS4tSs1MUbJSivD0cisuyAirMgpxDy12dPNMMcn1zQlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkamhiqKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADo9K8A\",\"auditType\": \"User Logged On\",\"user\": \"johndoe@example.com\",\"eventTime\": \"2021-10-11T17:17:30+0000\",\"eventInfo\": \"Successful authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-11, Time: 18:17:30 BST, IP: 67.43.156.15, Application: Administration Console, Method: Two Step Auth, 2FA: TOTP\",\"category\": \"authentication_logs\"}", + "created": "2021-10-11T07:17:30.000Z", "id": "eNqrVipOTS4tSs1MUbJSivD0cisuyAirMgpxDy12dPNMMcn1zQlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkamhiqKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADo9K8A", - "created": "2021-10-11T07:17:30.000Z" - }, - "user": { - "name": "johndoe", - "email": "johndoe@example.com", - "domain": "example.com" + "original": "{\"id\": \"eNqrVipOTS4tSs1MUbJSivD0cisuyAirMgpxDy12dPNMMcn1zQlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkamhiqKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADo9K8A\",\"auditType\": \"User Logged On\",\"user\": 
\"johndoe@example.com\",\"eventTime\": \"2021-10-11T17:17:30+0000\",\"eventInfo\": \"Successful authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-11, Time: 18:17:30 BST, IP: 67.43.156.15, Application: Administration Console, Method: Two Step Auth, 2FA: TOTP\",\"category\": \"authentication_logs\"}" }, - "tags": [ - "preserve_original_event" - ], "mimecast": { + "2FA": "TOTP", "application": "Administration Console", "category": "authentication_logs", "eventInfo": "Successful authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-11, Time: 18:17:30 BST, IP: 67.43.156.15, Application: Administration Console, Method: Two Step Auth, 2FA: TOTP", - "method": "Two Step Auth", - "2FA": "TOTP" - } - }, - { - "@timestamp": "2021-10-11T17:17:26.000Z", - "ecs": { - "version": "1.12.0" + "method": "Two Step Auth" }, "related": { + "ip": [ + "67.43.156.15" + ], "user": [ "johndoe", "johndoe@example.com" - ], - "ip": [ - "67.43.156.15" ] }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "example.com", + "email": "johndoe@example.com", + "name": "johndoe" + } + }, + { + "@timestamp": "2021-10-11T17:17:26.000Z", "client": { + "as": { + "number": 35908 + }, "geo": { "continent_name": "Asia", + "country_iso_code": "BT", "country_name": "Bhutan", "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 + "lat": 27.5, + "lon": 90.5 + } }, "ip": "67.43.156.15" }, + "ecs": { + "version": "8.0.0" + }, "event": { "action": "logon-requires-challenge", - "ingested": "2021-12-14T14:48:19.342445056Z", - "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSSsos9DMJTPLyMA6NcCt2TA1OCwjLcwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkamhsqaOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAC8tK60\",\"auditType\":\"Logon Requires Challenge\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-11T17:17:26+0000\",\"eventInfo\":\"Intermediate authentication 
for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-11, Time: 18:17:26 BST, IP: 67.43.156.15, Application: Administration Console, Method: Office 365, 2FA: TOTP\",\"category\":\"authentication_logs\"}", + "created": "2021-10-11T07:17:26.000Z", "id": "eNqrVipOTS4tSs1MUbJSSsos9DMJTPLyMA6NcCt2TA1OCwjLcwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkamhsqaOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAC8tK60", - "created": "2021-10-11T07:17:26.000Z" - }, - "user": { - "name": "johndoe", - "email": "johndoe@example.com", - "domain": "example.com" + "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSSsos9DMJTPLyMA6NcCt2TA1OCwjLcwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkamhsqaOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAC8tK60\",\"auditType\":\"Logon Requires Challenge\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-11T17:17:26+0000\",\"eventInfo\":\"Intermediate authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-11, Time: 18:17:26 BST, IP: 67.43.156.15, Application: Administration Console, Method: Office 365, 2FA: TOTP\",\"category\":\"authentication_logs\"}" }, - "tags": [ - "preserve_original_event" - ], "mimecast": { + "2FA": "TOTP", "application": "Administration Console", "category": "authentication_logs", "eventInfo": "Intermediate authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-11, Time: 18:17:26 BST, IP: 67.43.156.15, Application: Administration Console, Method: Office 365, 2FA: TOTP", - "method": "Office 365", - "2FA": "TOTP" - } - }, - { - "@timestamp": "2021-10-11T16:03:38.000Z", - "ecs": { - "version": "1.12.0" + "method": "Office 365" }, "related": { + "ip": [ + "67.43.156.15" + ], "user": [ "johndoe", "johndoe@example.com" - ], - "ip": [ - "67.43.156.15" ] }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "example.com", + "email": "johndoe@example.com", + "name": "johndoe" + } + }, + { + 
"@timestamp": "2021-10-11T16:03:38.000Z", "client": { + "as": { + "number": 35908 + }, "geo": { "continent_name": "Asia", + "country_iso_code": "BT", "country_name": "Bhutan", "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 + "lat": 27.5, + "lon": 90.5 + } }, "ip": "67.43.156.15" }, + "ecs": { + "version": "8.0.0" + }, "event": { "action": "user-logged-on", - "ingested": "2021-12-14T14:48:19.342445417Z", - "original": "{ \"id\": \"eNqrVipOTS4tSs1MUbJS8o0ILw8pL_cyqQosLi-MzKjKcvMzCwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkYmZorKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAIqvLHI\", \"auditType\": \"User Logged On\", \"user\": \"johndoe@example.com\", \"eventTime\": \"2021-10-11T16:03:38+0000\", \"eventInfo\": \"Successful authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-11, Time: 17:03:38 BST, IP: 67.43.156.15, Application: Administration Console, Method: Cloud\", \"category\": \"authentication_logs\"}", + "created": "2021-10-11T06:03:38.000Z", "id": "eNqrVipOTS4tSs1MUbJS8o0ILw8pL_cyqQosLi-MzKjKcvMzCwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkYmZorKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAIqvLHI", - "created": "2021-10-11T06:03:38.000Z" - }, - "user": { - "name": "johndoe", - "email": "johndoe@example.com", - "domain": "example.com" + "original": "{ \"id\": \"eNqrVipOTS4tSs1MUbJS8o0ILw8pL_cyqQosLi-MzKjKcvMzCwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkYmZorKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAIqvLHI\", \"auditType\": \"User Logged On\", \"user\": \"johndoe@example.com\", \"eventTime\": \"2021-10-11T16:03:38+0000\", \"eventInfo\": \"Successful authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-11, Time: 17:03:38 BST, IP: 67.43.156.15, Application: Administration Console, Method: Cloud\", \"category\": 
\"authentication_logs\"}" }, - "tags": [ - "preserve_original_event" - ], "mimecast": { "application": "Administration Console", "category": "authentication_logs", "eventInfo": "Successful authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-11, Time: 17:03:38 BST, IP: 67.43.156.15, Application: Administration Console, Method: Cloud", "method": "Cloud" - } - }, - { - "@timestamp": "2021-10-11T15:39:17.000Z", - "ecs": { - "version": "1.12.0" }, "related": { - "user": [ - "johdoe", - "johdoe@example.local" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "johndoe", + "johndoe@example.com" ] }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "example.com", + "email": "johndoe@example.com", + "name": "johndoe" + } + }, + { + "@timestamp": "2021-10-11T15:39:17.000Z", "client": { + "as": { + "number": 35908 + }, "geo": { "continent_name": "Asia", + "country_iso_code": "BT", "country_name": "Bhutan", "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 + "lat": 27.5, + "lon": 90.5 + } }, "ip": "67.43.156.15" }, + "ecs": { + "version": "8.0.0" + }, "event": { "action": "mimecast-support-login", - "ingested": "2021-12-14T14:48:19.342445779Z", - "original": "{ \"id\": \"eNqrVipOTS4tSs1MUbJSCkg09A93r0rNi9FPynHJ9gwJzyrzT8sJS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGlsZGJsaqyjlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgCMPCxu\", \"auditType\": \"Mimecast Support Login\", \"user\": \"johdoe@example.local\", \"eventTime\": \"2021-10-11T15:39:17+0000\", \"eventInfo\": \"Action Performed - johdoe@example.local logged into this account. 
by johdoe@example.local\u003cjohdoe@example.local\u003e Date: 2021-10-11 Time: 16:39:17 +0100 IP: 67.43.156.15 Application: Administration Console\", \"category\": \"mimecast_access_logs\"}", + "created": "2021-10-11T16:39:17.000Z", "id": "eNqrVipOTS4tSs1MUbJSCkg09A93r0rNi9FPynHJ9gwJzyrzT8sJS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGlsZGJsaqyjlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgCMPCxu", - "created": "2021-10-11T16:39:17.000Z" - }, - "user": { - "name": "johdoe", - "email": "johdoe@example.local", - "domain": "example.local" + "original": "{ \"id\": \"eNqrVipOTS4tSs1MUbJSCkg09A93r0rNi9FPynHJ9gwJzyrzT8sJS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGlsZGJsaqyjlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgCMPCxu\", \"auditType\": \"Mimecast Support Login\", \"user\": \"johdoe@example.local\", \"eventTime\": \"2021-10-11T15:39:17+0000\", \"eventInfo\": \"Action Performed - johdoe@example.local logged into this account. by johdoe@example.local\u003cjohdoe@example.local\u003e Date: 2021-10-11 Time: 16:39:17 +0100 IP: 67.43.156.15 Application: Administration Console\", \"category\": \"mimecast_access_logs\"}" }, - "tags": [ - "preserve_original_event" - ], "mimecast": { "application": "Administration Console", "category": "mimecast_access_logs", "eventInfo": "Action Performed - johdoe@example.local logged into this account. 
by johdoe@example.local\u003cjohdoe@example.local\u003e Date: 2021-10-11 Time: 16:39:17 +0100 IP: 67.43.156.15 Application: Administration Console" - } - }, - { - "@timestamp": "2021-10-19T11:46:40.000Z", - "ecs": { - "version": "1.12.0" }, "related": { + "ip": [ + "67.43.156.15" + ], "user": [ "johdoe", "johdoe@example.local" - ], - "ip": [ - "67.43.156.15" ] }, - "client": { - "geo": { - "continent_name": "Asia", - "country_name": "Bhutan", - "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "example.local", + "email": "johdoe@example.local", + "name": "johdoe" + } + }, + { + "@timestamp": "2021-10-19T11:46:40.000Z", + "client": { "as": { "number": 35908 }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, "ip": "67.43.156.15" }, + "ecs": { + "version": "8.0.0" + }, "event": { "action": "mimecast-support-login", - "ingested": "2021-12-14T14:48:19.342446134Z", - "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSynStcDUudE51LQtJKc-M0TfwMjas8nQLS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGliZGhgYqSjlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgBLJCvK\",\"auditType\":\"Mimecast Support Login\",\"user\":\"johndoe@example.local\",\"eventTime\":\"2021-10-19T11:46:40+0000\",\"eventInfo\":\"Action Performed - johdoe@example.local logged into this account. 
by johdoe@example.local\u003cjohdoe@example.local\u003e Date: 2021-10-19 Time: 12:46:40 +0100 IP: 67.43.156.15 Application: Administration Console\",\"category\":\"mimecast_access_logs\"}", + "created": "2021-10-19T12:46:40.000Z", "id": "eNqrVipOTS4tSs1MUbJSynStcDUudE51LQtJKc-M0TfwMjas8nQLS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGliZGhgYqSjlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgBLJCvK", - "created": "2021-10-19T12:46:40.000Z" - }, - "user": { - "name": "johdoe", - "email": "johdoe@example.local", - "domain": "example.local" + "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSynStcDUudE51LQtJKc-M0TfwMjas8nQLS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGliZGhgYqSjlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgBLJCvK\",\"auditType\":\"Mimecast Support Login\",\"user\":\"johndoe@example.local\",\"eventTime\":\"2021-10-19T11:46:40+0000\",\"eventInfo\":\"Action Performed - johdoe@example.local logged into this account. by johdoe@example.local\u003cjohdoe@example.local\u003e Date: 2021-10-19 Time: 12:46:40 +0100 IP: 67.43.156.15 Application: Administration Console\",\"category\":\"mimecast_access_logs\"}" }, - "tags": [ - "preserve_original_event" - ], "mimecast": { "application": "Administration Console", "category": "mimecast_access_logs", "eventInfo": "Action Performed - johdoe@example.local logged into this account. 
by johdoe@example.local\u003cjohdoe@example.local\u003e Date: 2021-10-19 Time: 12:46:40 +0100 IP: 67.43.156.15 Application: Administration Console" - } - }, - { - "@timestamp": "2021-10-11T15:36:01.000Z", - "ecs": { - "version": "1.12.0" }, "related": { - "user": [ - "johndoe", - "johndoe@example.com" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "johdoe", + "johdoe@example.local" ] }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "example.local", + "email": "johdoe@example.local", + "name": "johdoe" + } + }, + { + "@timestamp": "2021-10-11T15:36:01.000Z", "client": { + "as": { + "number": 35908 + }, "geo": { "continent_name": "Asia", + "country_iso_code": "BT", "country_name": "Bhutan", "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 + "lat": 27.5, + "lon": 90.5 + } }, "ip": "67.43.156.15" }, - "event": { - "action": "message-action", - "ingested": "2021-12-14T14:48:19.342446500Z", - "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJS0nYKziswMy_18smyMDAs9w8P8PPNNAxL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkYmxopqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAOifKw8\",\"auditType\":\"Message Action\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-11T15:36:01+0000\",\"eventInfo\":\"Viewed Message - Source: Search, 
From: \u003cJohn Done\u003e johndoe@example.com, To: \u003cjohndoe@example.com\u003e johndoe@example.com, Subject: Test on Tues 28th Sept, Processed: 2021-09-28 07:59:23+0000, Viewed Content: True, Date: 2021-10-11, Time: 15:36:01+0000, IP: 67.43.156.15, Application: mimecast-case-review\",\"category\":\"case_review_logs\"}", - "id": "eNqrVipOTS4tSs1MUbJS0nYKziswMy_18smyMDAs9w8P8PPNNAxL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkYmxopqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAOifKw8", - "created": "2021-10-11T15:36:01.000Z" - }, - "user": { - "name": "johndoe", - "email": "johndoe@example.com", - "domain": "example.com" + "ecs": { + "version": "8.0.0" }, "email": { - "origination_timestamp": "2021-09-28 07:59:23+0000", "from": { "address": "johndoe@example.com" }, + "origination_timestamp": "2021-09-28 07:59:23+0000", + "subject": "Test on Tues 28th Sept", "to": { "address": "johndoe@example.com" - }, - "subject": "Test on Tues 28th Sept" + } + }, + "event": { + "action": "message-action", + "created": "2021-10-11T15:36:01.000Z", + "id": "eNqrVipOTS4tSs1MUbJS0nYKziswMy_18smyMDAs9w8P8PPNNAxL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkYmxopqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAOifKw8", + "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJS0nYKziswMy_18smyMDAs9w8P8PPNNAxL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkYmxopqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAOifKw8\",\"auditType\":\"Message Action\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-11T15:36:01+0000\",\"eventInfo\":\"Viewed Message - Source: Search, 
From: \u003cJohn Done\u003e johndoe@example.com, To: \u003cjohndoe@example.com\u003e johndoe@example.com, Subject: Test on Tues 28th Sept, Processed: 2021-09-28 07:59:23+0000, Viewed Content: True, Date: 2021-10-11, Time: 15:36:01+0000, IP: 67.43.156.15, Application: mimecast-case-review\",\"category\":\"case_review_logs\"}" }, - "tags": [ - "preserve_original_event" - ], "mimecast": { - "eventInfo": "Viewed Message - Source: Search, From: \u003cJohn Done\u003e johndoe@example.com, To: \u003cjohndoe@example.com\u003e johndoe@example.com, Subject: Test on Tues 28th Sept, Processed: 2021-09-28 07:59:23+0000, Viewed Content: True, Date: 2021-10-11, Time: 15:36:01+0000, IP: 67.43.156.15, Application: mimecast-case-review", "application": "mimecast-case-review", - "category": "case_review_logs" - } - }, - { - "@timestamp": "2021-10-11T15:35:53.000Z", - "ecs": { - "version": "1.12.0" + "category": "case_review_logs", + "eventInfo": "Viewed Message - Source: Search, 
From: \u003cJohn Done\u003e johndoe@example.com, To: \u003cjohndoe@example.com\u003e johndoe@example.com, Subject: Test on Tues 28th Sept, Processed: 2021-09-28 07:59:23+0000, Viewed Content: True, Date: 2021-10-11, Time: 15:36:01+0000, IP: 67.43.156.15, Application: mimecast-case-review" }, "related": { + "ip": [ + "67.43.156.15" + ], "user": [ "johndoe", "johndoe@example.com" - ], - "ip": [ - "67.43.156.15" ] }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "example.com", + "email": "johndoe@example.com", + "name": "johndoe" + } + }, + { + "@timestamp": "2021-10-11T15:35:53.000Z", "client": { + "as": { + "number": 35908 + }, "geo": { "continent_name": "Asia", + "country_iso_code": "BT", "country_name": "Bhutan", "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 + "lat": 27.5, + "lon": 90.5 + } }, "ip": "67.43.156.15" }, + "ecs": { + "version": "8.0.0" + }, "event": { "action": "search-action", - "ingested": "2021-12-14T14:48:19.342446860Z", - "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJS0i5MNHQtiqoo9Q53S0yu8sov8AszyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkYmxorKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAFqzLAw\",\"auditType\":\"Search Action\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-11T15:35:53+0000\",\"eventInfo\":\"Executed Search - Source: Search, Search Criteria: {\\\"keywords\\\":\\\"test\\\",\\\"mailboxes\\\":[\\\"johndoe@example.com\\\"],\\\"route\\\":\\\"ALL\\\",\\\"start\\\":\\\"2021-04-11T16:34:45+0100\\\",\\\"end\\\":\\\"2021-10-11T16:34:45+0100\\\"}, Date: 2021-10-11, Time: 15:35:53+0000, IP: 67.43.156.15, Application: mimecast-case-review\",\"category\":\"case_review_logs\"}", + "created": "2021-10-11T15:35:53.000Z", "id": 
"eNqrVipOTS4tSs1MUbJS0i5MNHQtiqoo9Q53S0yu8sov8AszyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkYmxorKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAFqzLAw", - "created": "2021-10-11T15:35:53.000Z" - }, - "user": { - "name": "johndoe", - "email": "johndoe@example.com", - "domain": "example.com" + "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJS0i5MNHQtiqoo9Q53S0yu8sov8AszyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkYmxorKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAFqzLAw\",\"auditType\":\"Search Action\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-11T15:35:53+0000\",\"eventInfo\":\"Executed Search - Source: Search, Search Criteria: {\\\"keywords\\\":\\\"test\\\",\\\"mailboxes\\\":[\\\"johndoe@example.com\\\"],\\\"route\\\":\\\"ALL\\\",\\\"start\\\":\\\"2021-04-11T16:34:45+0100\\\",\\\"end\\\":\\\"2021-10-11T16:34:45+0100\\\"}, Date: 2021-10-11, Time: 15:35:53+0000, IP: 67.43.156.15, Application: mimecast-case-review\",\"category\":\"case_review_logs\"}" }, - "tags": [ - "preserve_original_event" - ], "mimecast": { "application": "mimecast-case-review", "category": "case_review_logs", "eventInfo": "Executed Search - Source: Search, Search Criteria: {\"keywords\":\"test\",\"mailboxes\":[\"johndoe@example.com\"],\"route\":\"ALL\",\"start\":\"2021-04-11T16:34:45+0100\",\"end\":\"2021-10-11T16:34:45+0100\"}, Date: 2021-10-11, Time: 15:35:53+0000, IP: 67.43.156.15, Application: mimecast-case-review" - } - }, - { - "@timestamp": "2021-10-11T14:46:10.000Z", - "ecs": { - "version": "1.12.0" }, "related": { + "ip": [ + "67.43.156.15" + ], "user": [ "johndoe", "johndoe@example.com" - ], - "ip": [ - "67.43.156.15" ] }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "example.com", + "email": "johndoe@example.com", + "name": "johndoe" + } + }, + { + "@timestamp": "2021-10-11T14:46:10.000Z", "client": { + "as": { + "number": 35908 + }, "geo": { "continent_name": "Asia", + 
"country_iso_code": "BT", "country_name": "Bhutan", "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 + "lat": 27.5, + "lon": 90.5 + } }, "ip": "67.43.156.15" }, + "ecs": { + "version": "8.0.0" + }, "event": { "action": "logon-authentication-failed", - "ingested": "2021-12-14T14:48:19.342447313Z", - "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSMk9PdXYMzywJrLLMzdT2TfVN8S8zNgxL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkbGFmoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWACyMK6M\",\"auditType\":\"Logon Authentication Failed\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-11T14:46:10+0000\",\"eventInfo\":\"Creating the auditLog entry for failed authentication, emailAddress :com.example.sdk.address.Address@4a3bcd11[accountCode=ABC123,accountId=75,internal=false,emailAddress=johndoe@gmail.com,domainName=gmail.com,name=johndoe@gmail.com,aliasFor=0,type=0,journalService=false,id=275078533,aliases={},alternateAddresses={},alternateAliases={}] remote IP : 67.43.156.15 application : LFS\",\"category\":\"authentication_logs\"}", - "id": "eNqrVipOTS4tSs1MUbJSMk9PdXYMzywJrLLMzdT2TfVN8S8zNgxL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkbGFmoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWACyMK6M" - }, - "user": { - "name": "johndoe", - "email": "johndoe@example.com", - "domain": "example.com" + "id": "eNqrVipOTS4tSs1MUbJSMk9PdXYMzywJrLLMzdT2TfVN8S8zNgxL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkbGFmoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWACyMK6M", + "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSMk9PdXYMzywJrLLMzdT2TfVN8S8zNgxL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkbGFmoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWACyMK6M\",\"auditType\":\"Logon Authentication 
Failed\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-11T14:46:10+0000\",\"eventInfo\":\"Creating the auditLog entry for failed authentication, emailAddress :com.example.sdk.address.Address@4a3bcd11[accountCode=ABC123,accountId=75,internal=false,emailAddress=johndoe@gmail.com,domainName=gmail.com,name=johndoe@gmail.com,aliasFor=0,type=0,journalService=false,id=275078533,aliases={},alternateAddresses={},alternateAliases={}] remote IP : 67.43.156.15 application : LFS\",\"category\":\"authentication_logs\"}" }, - "tags": [ - "preserve_original_event" - ], "mimecast": { - "eventInfo": "Creating the auditLog entry for failed authentication, emailAddress :com.example.sdk.address.Address@4a3bcd11[accountCode=ABC123,accountId=75,internal=false,emailAddress=johndoe@gmail.com,domainName=gmail.com,name=johndoe@gmail.com,aliasFor=0,type=0,journalService=false,id=275078533,aliases={},alternateAddresses={},alternateAliases={}] remote IP : 67.43.156.15 application : LFS", "application": "LFS", "category": "authentication_logs", "email": { - "metadata": "accountCode=ABC123,accountId=75,internal=false,emailAddress=johndoe@gmail.com,domainName=gmail.com,name=johndoe@gmail.com,aliasFor=0,type=0,journalService=false,id=275078533,aliases={},alternateAddresses={},alternateAliases={}", - "address": "com.example.sdk.address.Address@4a3bcd11" - } + "address": "com.example.sdk.address.Address@4a3bcd11", + "metadata": "accountCode=ABC123,accountId=75,internal=false,emailAddress=johndoe@gmail.com,domainName=gmail.com,name=johndoe@gmail.com,aliasFor=0,type=0,journalService=false,id=275078533,aliases={},alternateAddresses={},alternateAliases={}" + }, + "eventInfo": "Creating the auditLog entry for failed authentication, emailAddress 
:com.example.sdk.address.Address@4a3bcd11[accountCode=ABC123,accountId=75,internal=false,emailAddress=johndoe@gmail.com,domainName=gmail.com,name=johndoe@gmail.com,aliasFor=0,type=0,journalService=false,id=275078533,aliases={},alternateAddresses={},alternateAliases={}] remote IP : 67.43.156.15 application : LFS" + }, + "related": { + "ip": [ + "67.43.156.15" + ], + "user": [ + "johndoe", + "johndoe@example.com" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "example.com", + "email": "johndoe@example.com", + "name": "johndoe" } }, { "@timestamp": "2021-10-11T13:21:06.000Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "action": "completed-directory-sync", + "id": "eNqrVipOTS4tSs1MUbJSKnU29DVI9XJJMs6wMC9LqnAMccoxcwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkZGZqoqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAPQMKys", + "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSKnU29DVI9XJJMs6wMC9LqnAMccoxcwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkZGZqoqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAPQMKys\",\"auditType\":\"Completed Directory Sync\",\"user\":\"\",\"eventTime\":\"2021-10-11T13:21:06+0000\",\"eventInfo\":\"No changes found.\",\"category\":\"account_logs\"}" + }, + "mimecast": { + "category": "account_logs", + "eventInfo": "No changes found." 
}, "related": { "user": [ "" ] }, - "event": { - "action": "completed-directory-sync", - "ingested": "2021-12-14T14:48:19.342447674Z", - "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSKnU29DVI9XJJMs6wMC9LqnAMccoxcwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkZGZqoqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAPQMKys\",\"auditType\":\"Completed Directory Sync\",\"user\":\"\",\"eventTime\":\"2021-10-11T13:21:06+0000\",\"eventInfo\":\"No changes found.\",\"category\":\"account_logs\"}", - "id": "eNqrVipOTS4tSs1MUbJSKnU29DVI9XJJMs6wMC9LqnAMccoxcwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkZGZqoqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAPQMKys" - }, - "user": { - "email": "" - }, "tags": [ "preserve_original_event" ], - "mimecast": { - "category": "account_logs", - "eventInfo": "No changes found." + "user": { + "email": "" } }, { "@timestamp": "2021-10-12T09:19:53.000Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "user": [ - "johndoe", - "johndoe@example.com" - ], - "ip": [ - "67.43.156.15" - ] - }, "client": { + "as": { + "number": 35908 + }, "geo": { "continent_name": "Asia", + "country_iso_code": "BT", "country_name": "Bhutan", "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 + "lat": 27.5, + "lon": 90.5 + } }, "ip": "67.43.156.15" }, + "ecs": { + "version": "8.0.0" + }, "event": { "action": "case-action", - "ingested": "2021-12-14T14:48:19.342448171Z", - "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSSiwLM8srLCvJzg8s8HbydCpz0Y6oCAtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaG5ooKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAHTYLDo\",\"auditType\":\"Case Action\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T09:19:53+0000\",\"eventInfo\":\"Viewed Case - Case: Class Action, Date: 2021-10-12, Time: 09:19:53+0000, IP: 67.43.156.15, Application: 
mimecast-case-review\",\"category\":\"case_review_logs\"}", + "created": "2021-10-12T09:19:53.000Z", "id": "eNqrVipOTS4tSs1MUbJSSiwLM8srLCvJzg8s8HbydCpz0Y6oCAtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaG5ooKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAHTYLDo", - "created": "2021-10-12T09:19:53.000Z" - }, - "user": { - "name": "johndoe", - "email": "johndoe@example.com", - "domain": "example.com" + "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSSiwLM8srLCvJzg8s8HbydCpz0Y6oCAtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaG5ooKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAHTYLDo\",\"auditType\":\"Case Action\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T09:19:53+0000\",\"eventInfo\":\"Viewed Case - Case: Class Action, Date: 2021-10-12, Time: 09:19:53+0000, IP: 67.43.156.15, Application: mimecast-case-review\",\"category\":\"case_review_logs\"}" }, - "tags": [ - "preserve_original_event" - ], "mimecast": { "application": "mimecast-case-review", "category": "case_review_logs", "eventInfo": "Viewed Case - Case: Class Action, Date: 2021-10-12, Time: 09:19:53+0000, IP: 67.43.156.15, Application: mimecast-case-review" - } - }, - { - "@timestamp": "2021-10-12T08:47:55.000Z", - "ecs": { - "version": "1.12.0" }, "related": { + "ip": [ + "67.43.156.15" + ], "user": [ "johndoe", "johndoe@example.com" - ], - "ip": [ - "67.43.156.15" ] }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "example.com", + "email": "johndoe@example.com", + "name": "johndoe" + } + }, + { + "@timestamp": "2021-10-12T08:47:55.000Z", "client": { + "as": { + "number": 35908 + }, "geo": { "continent_name": "Asia", + "country_iso_code": "BT", "country_name": "Bhutan", "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 + "lat": 27.5, + "lon": 90.5 + } }, "ip": "67.43.156.15" }, + "ecs": { + "version": "8.0.0" + }, "event": { - "reason": "Wrong 
password", "action": "logon-authentication-failed", - "ingested": "2021-12-14T14:48:19.342448528Z", - "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSMvCrMHX2MzL1yLFITjJNd8rO9wiJyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaGRkoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAPktKzg\",\"auditType\":\"Logon Authentication Failed\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T08:47:55+0000\",\"eventInfo\":\"Failed authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-12, Time: 09:47:55 BST, IP: 67.43.156.15, Application: mimecast-moa, Method: Office 365, Reason: Wrong password\",\"category\":\"authentication_logs\"}", + "created": "2021-10-11T22:47:55.000Z", "id": "eNqrVipOTS4tSs1MUbJSMvCrMHX2MzL1yLFITjJNd8rO9wiJyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaGRkoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAPktKzg", - "created": "2021-10-11T22:47:55.000Z" - }, - "user": { - "name": "johndoe", - "email": "johndoe@example.com", - "domain": "example.com" + "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSMvCrMHX2MzL1yLFITjJNd8rO9wiJyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaGRkoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAPktKzg\",\"auditType\":\"Logon Authentication Failed\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T08:47:55+0000\",\"eventInfo\":\"Failed authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-12, Time: 09:47:55 BST, IP: 67.43.156.15, Application: mimecast-moa, Method: Office 365, Reason: Wrong password\",\"category\":\"authentication_logs\"}", + "reason": "Wrong password" }, - "tags": [ - "preserve_original_event" - ], "mimecast": { "application": "mimecast-moa", "category": "authentication_logs", "eventInfo": "Failed authentication for johndoe@example.com \u003cJohn Doe\u003e, Date: 2021-10-12, Time: 09:47:55 BST, IP: 67.43.156.15, Application: mimecast-moa, Method: 
Office 365, Reason: Wrong password", "method": "Office 365" - } - }, - { - "@timestamp": "2021-10-12T08:47:54.000Z", - "ecs": { - "version": "1.12.0" }, "related": { - "user": [ - "johdoe", - "johdoe@example.com" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "johndoe", + "johndoe@example.com" ] }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "example.com", + "email": "johndoe@example.com", + "name": "johndoe" + } + }, + { + "@timestamp": "2021-10-12T08:47:54.000Z", "client": { + "as": { + "number": 35908 + }, "geo": { "continent_name": "Asia", + "country_iso_code": "BT", "country_name": "Bhutan", "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 + "lat": 27.5, + "lon": 90.5 + } }, "ip": "67.43.156.15" }, + "ecs": { + "version": "8.0.0" + }, "event": { "action": "existing-archive-task-changed", - "ingested": "2021-12-14T14:48:19.342448913Z", - "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSSnJMinKNMMtyDg3xKw2rDM91DC-JdAtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaGRooaOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAEQYK9w\",\"auditType\":\"Existing Archive Task Changed\",\"user\":\"johdoe@example.com\",\"eventTime\":\"2021-10-12T08:47:54+0000\",\"eventInfo\":\"Successfully updated 3 'Sync and Recover' tasks associated with legacy connection (\\\"365\\\") to new migrated connector (\\\"Sync and Recover - 365\\\"), Date: 2021-10-12, Time: 08:47:54+0000, IP: 67.43.156.15, Application: Administration Console\",\"category\":\"archive_service_logs\"}", + "created": "2021-10-12T08:47:54.000Z", "id": "eNqrVipOTS4tSs1MUbJSSnJMinKNMMtyDg3xKw2rDM91DC-JdAtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaGRooaOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAEQYK9w", - "created": "2021-10-12T08:47:54.000Z" - }, - "user": { - "name": "johdoe", - "email": "johdoe@example.com", - "domain": "example.com" + "original": 
"{\"id\":\"eNqrVipOTS4tSs1MUbJSSnJMinKNMMtyDg3xKw2rDM91DC-JdAtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaGRooaOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAEQYK9w\",\"auditType\":\"Existing Archive Task Changed\",\"user\":\"johdoe@example.com\",\"eventTime\":\"2021-10-12T08:47:54+0000\",\"eventInfo\":\"Successfully updated 3 'Sync and Recover' tasks associated with legacy connection (\\\"365\\\") to new migrated connector (\\\"Sync and Recover - 365\\\"), Date: 2021-10-12, Time: 08:47:54+0000, IP: 67.43.156.15, Application: Administration Console\",\"category\":\"archive_service_logs\"}" }, - "tags": [ - "preserve_original_event" - ], "mimecast": { "application": "Administration Console", "category": "archive_service_logs", "eventInfo": "Successfully updated 3 'Sync and Recover' tasks associated with legacy connection (\"365\") to new migrated connector (\"Sync and Recover - 365\"), Date: 2021-10-12, Time: 08:47:54+0000, IP: 67.43.156.15, Application: Administration Console" - } - }, - { - "@timestamp": "2021-10-12T08:47:53.000Z", - "ecs": { - "version": "1.12.0" }, "related": { - "user": [ - "johndoe", - "johndoe@example.com" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "johdoe", + "johdoe@example.com" ] }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "example.com", + "email": "johdoe@example.com", + "name": "johdoe" + } + }, + { + "@timestamp": "2021-10-12T08:47:53.000Z", "client": { + "as": { + "number": 35908 + }, "geo": { "continent_name": "Asia", + "country_iso_code": "BT", "country_name": "Bhutan", "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 + "lat": 27.5, + "lon": 90.5 + } }, "ip": "67.43.156.15" }, + "ecs": { + "version": "8.0.0" + }, "event": { "action": "connectors-management", - "ingested": "2021-12-14T14:48:19.342449302Z", - "original": 
"{\"id\":\"eNoVzc0KgkAUQOF3uVsFuZma7qQ0UqiFqChuZH7M0iZmHMOid8_2h-98QDGiJespBDBgYwn-4orcHMrr_JqUWdjFBb8YThbF5bE6le_ardLGitJqnHF39w7YGuLsL5g8l7wAE1pN-2kQ3V-00bdt3KBrAtFqEiOTRFC2rvZbN_ScNZ-ZVL14QIDfH41XLGM\",\"auditType\":\"Connectors Management\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T08:47:53+0000\",\"eventInfo\":\"Connector creation for Microsoft O365\\nName: Sync and Recover - 365, Description: null, Product: Sync and Recover, App (provider): Microsoft O365\\nSuccess: true, Date: 2021-10-12, Time: 08:47:53+0000, IP: 67.43.156.15, Application: Administration Console\",\"category\":\"integrations_and_apis\"}", + "created": "2021-10-12T08:47:53.000Z", "id": "eNoVzc0KgkAUQOF3uVsFuZma7qQ0UqiFqChuZH7M0iZmHMOid8_2h-98QDGiJespBDBgYwn-4orcHMrr_JqUWdjFBb8YThbF5bE6le_ardLGitJqnHF39w7YGuLsL5g8l7wAE1pN-2kQ3V-00bdt3KBrAtFqEiOTRFC2rvZbN_ScNZ-ZVL14QIDfH41XLGM", - "created": "2021-10-12T08:47:53.000Z" - }, - "user": { - "name": "johndoe", - "email": "johndoe@example.com", - "domain": "example.com" + "original": "{\"id\":\"eNoVzc0KgkAUQOF3uVsFuZma7qQ0UqiFqChuZH7M0iZmHMOid8_2h-98QDGiJespBDBgYwn-4orcHMrr_JqUWdjFBb8YThbF5bE6le_ardLGitJqnHF39w7YGuLsL5g8l7wAE1pN-2kQ3V-00bdt3KBrAtFqEiOTRFC2rvZbN_ScNZ-ZVL14QIDfH41XLGM\",\"auditType\":\"Connectors Management\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T08:47:53+0000\",\"eventInfo\":\"Connector creation for Microsoft O365\\nName: Sync and Recover - 365, Description: null, Product: Sync and Recover, App (provider): Microsoft O365\\nSuccess: true, Date: 2021-10-12, Time: 08:47:53+0000, IP: 67.43.156.15, Application: Administration Console\",\"category\":\"integrations_and_apis\"}" }, - "tags": [ - "preserve_original_event" - ], "mimecast": { "application": "Administration Console", "category": "integrations_and_apis", "eventInfo": "Connector creation for Microsoft O365\nName: Sync and Recover - 365, Description: null, Product: Sync and Recover, App (provider): Microsoft O365\nSuccess: true, Date: 
2021-10-12, Time: 08:47:53+0000, IP: 67.43.156.15, Application: Administration Console" - } - }, - { - "@timestamp": "2021-10-12T02:27:18.000Z", - "file": { - "size": 6864, - "name": "export_at_watchlist_view_1634005638160.xlsx", - "extension": ".xlsx" - }, - "ecs": { - "version": "1.12.0" }, "related": { + "ip": [ + "67.43.156.15" + ], "user": [ "johndoe", "johndoe@example.com" - ], - "ip": [ - "67.43.156.15" ] }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "example.com", + "email": "johndoe@example.com", + "name": "johndoe" + } + }, + { + "@timestamp": "2021-10-12T02:27:18.000Z", "client": { + "as": { + "number": 35908 + }, "geo": { "continent_name": "Asia", + "country_iso_code": "BT", "country_name": "Bhutan", "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 + "lat": 27.5, + "lon": 90.5 + } }, "ip": "67.43.156.15" }, + "ecs": { + "version": "8.0.0" + }, "event": { "action": "page-data-exports", - "ingested": "2021-12-14T14:48:19.342449695Z", - "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSynAJ8yuoyA4z9ygMNyv21C42MC9IDwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkbmFhoqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADk2K8U\",\"auditType\":\"Page Data Exports\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T02:27:18+0000\",\"eventInfo\":\"[Export type : Download,Name :watchlist_view,Requested By :johndoe@example.com,Export time :Tue Oct 12 03:27:18 BST 2021,IP Address :67.43.156.15,Columns exported :Name|Email|Department|Number of Videos|,File name : export_at_watchlist_view_1634005638160.xlsx,File Size: 6864,File type : .xlsx], Date: 2021-10-12, Time: 02:27:18+0000, IP: 67.43.156.15, Application: mimecast-matfe\",\"category\":\"account_logs\"}", + "created": "2021-10-12T02:27:18.000Z", "id": 
"eNqrVipOTS4tSs1MUbJSynAJ8yuoyA4z9ygMNyv21C42MC9IDwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkbmFhoqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADk2K8U", - "created": "2021-10-12T02:27:18.000Z" + "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSynAJ8yuoyA4z9ygMNyv21C42MC9IDwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkbmFhoqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADk2K8U\",\"auditType\":\"Page Data Exports\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T02:27:18+0000\",\"eventInfo\":\"[Export type : Download,Name :watchlist_view,Requested By :johndoe@example.com,Export time :Tue Oct 12 03:27:18 BST 2021,IP Address :67.43.156.15,Columns exported :Name|Email|Department|Number of Videos|,File name : export_at_watchlist_view_1634005638160.xlsx,File Size: 6864,File type : .xlsx], Date: 2021-10-12, Time: 02:27:18+0000, IP: 67.43.156.15, Application: mimecast-matfe\",\"category\":\"account_logs\"}" }, - "user": { - "name": "johndoe", - "email": "johndoe@example.com", - "domain": "example.com" + "file": { + "extension": ".xlsx", + "name": "export_at_watchlist_view_1634005638160.xlsx", + "size": 6864 }, - "tags": [ - "preserve_original_event" - ], "mimecast": { "application": "mimecast-matfe", "category": "account_logs", "eventInfo": "[Export type : Download,Name :watchlist_view,Requested By :johndoe@example.com,Export time :Tue Oct 12 03:27:18 BST 2021,IP Address :67.43.156.15,Columns exported :Name|Email|Department|Number of Videos|,File name : export_at_watchlist_view_1634005638160.xlsx,File Size: 6864,File type : .xlsx], Date: 2021-10-12, Time: 02:27:18+0000, IP: 67.43.156.15, Application: mimecast-matfe" - } - }, - { - "@timestamp": "2021-10-11T19:53:41.000Z", - "ecs": { - "version": "1.12.0" }, "related": { - "user": [ - "johndoe", - "johndoe@example.local" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "johndoe", + "johndoe@example.com" ] }, + "tags": [ + 
"preserve_original_event" + ], + "user": { + "domain": "example.com", + "email": "johndoe@example.com", + "name": "johndoe" + } + }, + { + "@timestamp": "2021-10-11T19:53:41.000Z", "client": { + "as": { + "number": 35908 + }, "geo": { "continent_name": "Asia", + "country_iso_code": "BT", "country_name": "Bhutan", "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 + "lat": 27.5, + "lon": 90.5 + } }, "ip": "67.43.156.15" }, + "ecs": { + "version": "8.0.0" + }, "event": { "action": "custom-report-definition-created", - "ingested": "2021-12-14T14:48:19.342450168Z", - "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSMi8zSc3J8M4Od_NwjdHPMDYzdfGO8MkJS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGlsZGppaKajlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgAmqSuF\",\"auditType\":\"Custom Report Definition Created\",\"user\":\"johndoe@example.local\",\"eventTime\":\"2021-10-11T19:53:41+0000\",\"eventInfo\":\"Action Performed - Custom Report Definition Created with name \\\"Terri test\\\" and description \\\"all user - per email report\\\" by johndoe@example.local\u003cjohndoe@example.local\u003e Date: 2021-10-11 Time: 20:53:41 +0100 IP: 67.43.156.15 Application: Administration Console\",\"category\":\"reporting_logs\"}", + "created": "2021-10-11T20:53:41.000Z", "id": "eNqrVipOTS4tSs1MUbJSMi8zSc3J8M4Od_NwjdHPMDYzdfGO8MkJS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGlsZGppaKajlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgAmqSuF", - "created": "2021-10-11T20:53:41.000Z" + "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSMi8zSc3J8M4Od_NwjdHPMDYzdfGO8MkJS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGlsZGppaKajlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgAmqSuF\",\"auditType\":\"Custom Report Definition Created\",\"user\":\"johndoe@example.local\",\"eventTime\":\"2021-10-11T19:53:41+0000\",\"eventInfo\":\"Action Performed - Custom Report 
Definition Created with name \\\"Terri test\\\" and description \\\"all user - per email report\\\" by johndoe@example.local\u003cjohndoe@example.local\u003e Date: 2021-10-11 Time: 20:53:41 +0100 IP: 67.43.156.15 Application: Administration Console\",\"category\":\"reporting_logs\"}" }, - "user": { - "name": "johndoe", - "email": "johndoe@example.local", - "domain": "example.local" - }, - "tags": [ - "preserve_original_event" - ], "mimecast": { "application": "Administration Console", "category": "reporting_logs", "eventInfo": "Action Performed - Custom Report Definition Created with name \"Terri test\" and description \"all user - per email report\" by johndoe@example.local\u003cjohndoe@example.local\u003e Date: 2021-10-11 Time: 20:53:41 +0100 IP: 67.43.156.15 Application: Administration Console" - } - }, - { - "@timestamp": "2021-10-11T18:23:10.000Z", - "ecs": { - "version": "1.12.0" }, "related": { - "user": [ - "John Doe" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "johndoe", + "johndoe@example.local" ] }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "example.local", + "email": "johndoe@example.local", + "name": "johndoe" + } + }, + { + "@timestamp": "2021-10-11T18:23:10.000Z", "client": { + "as": { + "number": 35908 + }, "geo": { "continent_name": "Asia", + "country_iso_code": "BT", "country_name": "Bhutan", "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 + "lat": 27.5, + "lon": 90.5 + } }, "ip": "67.43.156.15" }, + "ecs": { + "version": "8.0.0" + }, "event": { "action": "folder-log-entry", - "ingested": "2021-12-14T14:48:19.342450570Z", - "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSCij080lzDChMMjXw8o3IjnCLDIrRT8wJS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGlsZGpiYaqjlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgBNvCvh\",\"auditType\":\"Folder Log 
Entry\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-11T18:23:10+0000\",\"eventInfo\":\"Action Performed - Deleted New Folder by johndoe@example.com\u003cJohn Doe\u003e Date: 2021-10-11 Time: 19:23:10 +0100 IP: 67.43.156.15 Application: Administration Console\",\"category\":\"profile_group_logs\"}", + "created": "2021-10-11T19:23:10.000Z", "id": "eNqrVipOTS4tSs1MUbJSCij080lzDChMMjXw8o3IjnCLDIrRT8wJS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGlsZGpiYaqjlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgBNvCvh", - "created": "2021-10-11T19:23:10.000Z" - }, - "user": { - "email": "John Doe" + "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSCij080lzDChMMjXw8o3IjnCLDIrRT8wJS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGlsZGpiYaqjlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgBNvCvh\",\"auditType\":\"Folder Log Entry\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-11T18:23:10+0000\",\"eventInfo\":\"Action Performed - Deleted New Folder by johndoe@example.com\u003cJohn Doe\u003e Date: 2021-10-11 Time: 19:23:10 +0100 IP: 67.43.156.15 Application: Administration Console\",\"category\":\"profile_group_logs\"}" }, - "tags": [ - "preserve_original_event" - ], "mimecast": { "application": "Administration Console", "category": "profile_group_logs", "eventInfo": "Action Performed - Deleted New Folder by johndoe@example.com\u003cJohn Doe\u003e Date: 2021-10-11 Time: 19:23:10 +0100 IP: 67.43.156.15 Application: Administration Console" + }, + "related": { + "ip": [ + "67.43.156.15" + ], + "user": [ + "John Doe" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "email": "John Doe" } }, { "@timestamp": "2021-10-12T19:56:55.000Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "event": { + "action": "user-password-changed", + "id": 
"eNqrVipOTS4tSs1MUbJSCtF28jc2DDLwd_d1NM7ULnLzdnPzdwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiCAQ6SsmlxSX5ualFyfkpqUCbnE3MHM1NgcrLUouKM_PzlKwMawGTZipR", + "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSCtF28jc2DDLwd_d1NM7ULnLzdnPzdwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiCAQ6SsmlxSX5ualFyfkpqUCbnE3MHM1NgcrLUouKM_PzlKwMawGTZipR\",\"auditType\":\"User Password Changed\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T19:56:55+0000\",\"eventInfo\":\"Password reset for user: johndoe@example.com User Password Changed, Remote IP is null\",\"category\":\"user_account_and_role_logs\"}" + }, + "mimecast": { + "category": "user_account_and_role_logs", + "eventInfo": "Password reset for user: johndoe@example.com User Password Changed, Remote IP is null" }, "related": { "user": [ 
@@ -918,323 +909,307 @@ "johndoe@example.com" ] }, - "event": { - "action": "user-password-changed", - "ingested": "2021-12-14T14:48:19.342450983Z", - "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSCtF28jc2DDLwd_d1NM7ULnLzdnPzdwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiCAQ6SsmlxSX5ualFyfkpqUCbnE3MHM1NgcrLUouKM_PzlKwMawGTZipR\",\"auditType\":\"User Password Changed\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T19:56:55+0000\",\"eventInfo\":\"Password reset for user: johndoe@example.com User Password Changed, Remote IP is null\",\"category\":\"user_account_and_role_logs\"}", - "id": "eNqrVipOTS4tSs1MUbJSCtF28jc2DDLwd_d1NM7ULnLzdnPzdwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiCAQ6SsmlxSX5ualFyfkpqUCbnE3MHM1NgcrLUouKM_PzlKwMawGTZipR" - }, - "user": { - "name": "johndoe", - "email": "johndoe@example.com", - "domain": "example.com" - }, "tags": [ "preserve_original_event" ], - "mimecast": { - "category": "user_account_and_role_logs", - "eventInfo": "Password reset for user: johndoe@example.com User Password Changed, Remote IP is null" + "user": { + "domain": "example.com", + "email": "johndoe@example.com", + "name": "johndoe" } }, { "@timestamp": "2021-10-12T19:49:30.000Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "user": [ - "johndoe", - "johndoe@example.com" - ], - "ip": [ - "67.43.156.15" - ] - }, "client": { + "as": { + "number": 35908 + }, "geo": { "continent_name": "Asia", + "country_iso_code": "BT", "country_name": "Bhutan", "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 + "lat": 27.5, + "lon": 90.5 + } }, "ip": "67.43.156.15" }, + "ecs": { + "version": "8.0.0" + }, "event": { "action": "remediation-incident-adjustment", - "ingested": "2021-12-14T14:48:19.342451340Z", - "original": 
"{\"id\":\"eNqrVipOTS4tSs1MUbJSSgwpLctzzah00TbMTTawdC4NDPAzzwlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiaGBhoqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADOfK6w\",\"auditType\":\"Remediation Incident Adjustment\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T19:49:30+0000\",\"eventInfo\":\"Remediation Incident Created - TR-C46A75-01420-M, type : manual, search criteria : {\\\"fileHash\\\":\\\"9e6011844705292d5abfe0aa38d8aff02f6d8f69689c2e7cb2338f9484774bb3\\\",\\\"start\\\":\\\"2021-09-12T19:48:59+0000\\\",\\\"end\\\":\\\"2021-10-12T19:48:59+0000\\\"}, Date: 2021-10-12, Time: 19:49:30+0000, IP: 67.43.156.15, Application: Administration Console\",\"category\":\"account_logs\"}", + "created": "2021-10-12T19:49:30.000Z", "id": "eNqrVipOTS4tSs1MUbJSSgwpLctzzah00TbMTTawdC4NDPAzzwlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiaGBhoqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADOfK6w", - "created": "2021-10-12T19:49:30.000Z" - }, - "user": { - "name": "johndoe", - "email": "johndoe@example.com", - "domain": "example.com" + "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSSgwpLctzzah00TbMTTawdC4NDPAzzwlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiaGBhoqOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWADOfK6w\",\"auditType\":\"Remediation Incident Adjustment\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T19:49:30+0000\",\"eventInfo\":\"Remediation Incident Created - TR-C46A75-01420-M, type : manual, search criteria : {\\\"fileHash\\\":\\\"9e6011844705292d5abfe0aa38d8aff02f6d8f69689c2e7cb2338f9484774bb3\\\",\\\"start\\\":\\\"2021-09-12T19:48:59+0000\\\",\\\"end\\\":\\\"2021-10-12T19:48:59+0000\\\"}, Date: 2021-10-12, Time: 19:49:30+0000, IP: 67.43.156.15, Application: Administration Console\",\"category\":\"account_logs\"}" }, - "tags": [ - "preserve_original_event" - ], "mimecast": { "application": "Administration Console", "category": 
"account_logs", "eventInfo": "Remediation Incident Created - TR-C46A75-01420-M, type : manual, search criteria : {\"fileHash\":\"9e6011844705292d5abfe0aa38d8aff02f6d8f69689c2e7cb2338f9484774bb3\",\"start\":\"2021-09-12T19:48:59+0000\",\"end\":\"2021-10-12T19:48:59+0000\"}, Date: 2021-10-12, Time: 19:49:30+0000, IP: 67.43.156.15, Application: Administration Console" - } - }, - { - "@timestamp": "2021-10-12T19:20:01.000Z", - "ecs": { - "version": "1.12.0" }, "related": { + "ip": [ + "67.43.156.15" + ], "user": [ "johndoe", "johndoe@example.com" - ], - "ip": [ - "67.43.156.15" ] }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "example.com", + "email": "johndoe@example.com", + "name": "johndoe" + } + }, + { + "@timestamp": "2021-10-12T19:20:01.000Z", "client": { + "as": { + "number": 35908 + }, "geo": { "continent_name": "Asia", + "country_iso_code": "BT", "country_name": "Bhutan", "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 + "lat": 27.5, + "lon": 90.5 + } }, "ip": "67.43.156.15" }, + "ecs": { + "version": "8.0.0" + }, "event": { "action": "archive-mailbox-restore", - "ingested": "2021-12-14T14:48:19.342451694Z", - "original": "{\"id\":\"eNoVzdEKgjAYQOF3-W8Vaps69S7KooSEJGXSzdAVMtdi04FF757dH77zASvayYi-gxQIcbI0HEtcRI5aRS7SxkN1L7ywzPb1gR3rdxOx_LbKcqYciiXdIe7pczKj02u-VuADn7p-HPTjDxKUkGCdUOxDO9lRK2Fa3YnltA2iDQ2X3Alje_2EFH1_LYQrrw\",\"auditType\":\"Archive Mailbox Restore\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T19:20:01+0000\",\"eventInfo\":\"Archive mailbox restore created. 
Restored data from johdoe@example.com to johndoe@example.com by johndoe@example.com, Date: 2021-10-12, Time: 19:20:01+0000, IP: 67.43.156.15, Application: Administration Console\",\"category\":\"archive_service_logs\"}", + "created": "2021-10-12T19:20:01.000Z", "id": "eNoVzdEKgjAYQOF3-W8Vaps69S7KooSEJGXSzdAVMtdi04FF757dH77zASvayYi-gxQIcbI0HEtcRI5aRS7SxkN1L7ywzPb1gR3rdxOx_LbKcqYciiXdIe7pczKj02u-VuADn7p-HPTjDxKUkGCdUOxDO9lRK2Fa3YnltA2iDQ2X3Alje_2EFH1_LYQrrw", - "created": "2021-10-12T19:20:01.000Z" - }, - "user": { - "name": "johndoe", - "email": "johndoe@example.com", - "domain": "example.com" + "original": "{\"id\":\"eNoVzdEKgjAYQOF3-W8Vaps69S7KooSEJGXSzdAVMtdi04FF757dH77zASvayYi-gxQIcbI0HEtcRI5aRS7SxkN1L7ywzPb1gR3rdxOx_LbKcqYciiXdIe7pczKj02u-VuADn7p-HPTjDxKUkGCdUOxDO9lRK2Fa3YnltA2iDQ2X3Alje_2EFH1_LYQrrw\",\"auditType\":\"Archive Mailbox Restore\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T19:20:01+0000\",\"eventInfo\":\"Archive mailbox restore created. Restored data from johdoe@example.com to johndoe@example.com by johndoe@example.com, Date: 2021-10-12, Time: 19:20:01+0000, IP: 67.43.156.15, Application: Administration Console\",\"category\":\"archive_service_logs\"}" }, - "tags": [ - "preserve_original_event" - ], "mimecast": { "application": "Administration Console", "category": "archive_service_logs", "eventInfo": "Archive mailbox restore created. 
Restored data from johdoe@example.com to johndoe@example.com by johndoe@example.com, Date: 2021-10-12, Time: 19:20:01+0000, IP: 67.43.156.15, Application: Administration Console" - } - }, - { - "@timestamp": "2021-10-12T18:19:33.000Z", - "ecs": { - "version": "1.12.0" }, "related": { - "user": [ - "johndoejr", - "johndoejr@example.com" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "johndoe", + "johndoe@example.com" ] }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "example.com", + "email": "johndoe@example.com", + "name": "johndoe" + } + }, + { + "@timestamp": "2021-10-12T18:19:33.000Z", "client": { + "as": { + "number": 35908 + }, "geo": { "continent_name": "Asia", + "country_iso_code": "BT", "country_name": "Bhutan", "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 + "lat": 27.5, + "lon": 90.5 + } }, "ip": "67.43.156.15" }, + "ecs": { + "version": "8.0.0" + }, "event": { "action": "archive-mailbox-restore", - "ingested": "2021-12-14T14:48:19.342452056Z", - "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSigzJC_ZNzg-vcjYKcwz3icotC0nVdgtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiYG5kqaOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAD-SK84\",\"auditType\":\"Archive Mailbox Restore\",\"user\":\"johndoejr@example.com\",\"eventTime\":\"2021-10-12T18:19:33+0000\",\"eventInfo\":\"Archive mailbox restore created. 
Restored data from johndoe@example.com to johndoejr@example.com by johndoejr@example.com, Date: 2021-10-12, Time: 18:19:33+0000, IP: 67.43.156.15, Application: Administration Console\",\"category\":\"archive_service_logs\"}", + "created": "2021-10-12T18:19:33.000Z", "id": "eNqrVipOTS4tSs1MUbJSigzJC_ZNzg-vcjYKcwz3icotC0nVdgtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiYG5kqaOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAD-SK84", - "created": "2021-10-12T18:19:33.000Z" + "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSigzJC_ZNzg-vcjYKcwz3icotC0nVdgtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiYG5kqaOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAD-SK84\",\"auditType\":\"Archive Mailbox Restore\",\"user\":\"johndoejr@example.com\",\"eventTime\":\"2021-10-12T18:19:33+0000\",\"eventInfo\":\"Archive mailbox restore created. Restored data from johndoe@example.com to johndoejr@example.com by johndoejr@example.com, Date: 2021-10-12, Time: 18:19:33+0000, IP: 67.43.156.15, Application: Administration Console\",\"category\":\"archive_service_logs\"}" }, - "user": { - "name": "johndoejr", - "email": "johndoejr@example.com", - "domain": "example.com" - }, - "tags": [ - "preserve_original_event" - ], "mimecast": { "application": "Administration Console", "category": "archive_service_logs", "eventInfo": "Archive mailbox restore created. 
Restored data from johndoe@example.com to johndoejr@example.com by johndoejr@example.com, Date: 2021-10-12, Time: 18:19:33+0000, IP: 67.43.156.15, Application: Administration Console" - } - }, - { - "@timestamp": "2021-10-12T17:55:14.000Z", - "ecs": { - "version": "1.12.0" }, "related": { - "user": [ - "johndoe", - "johndoe@example.com" - ], "ip": [ "67.43.156.15" + ], + "user": [ + "johndoejr", + "johndoejr@example.com" ] }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "example.com", + "email": "johndoejr@example.com", + "name": "johndoejr" + } + }, + { + "@timestamp": "2021-10-12T17:55:14.000Z", "client": { + "as": { + "number": 35908 + }, "geo": { "continent_name": "Asia", + "country_iso_code": "BT", "country_name": "Bhutan", "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 + "lat": 27.5, + "lon": 90.5 + } }, "ip": "67.43.156.15" }, + "ecs": { + "version": "8.0.0" + }, "event": { "action": "archive-mailbox-export-download", - "ingested": "2021-12-14T14:48:19.342452408Z", - "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJScjMvyjIxr6yoLDY2qQopLq3yDnM1dwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiYGZorKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAE5dK-0\",\"auditType\":\"Archive Mailbox Export Download\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T17:55:14+0000\",\"eventInfo\":\"Mailbox export downloaded. 
Download filename (HTML Report recovery id): eNqrVipOTS4tSs1MUbJSyo3RDw81rTCpynMpdiuICMopyihxynZztcisDMoN9zWLSCrPzAjz9PALNzFwySrLMNQ2yUs38g9zS860cHKNMExR0lFKLi0uyc9NLUrOT0kFGulsYuZobgoUL0pNzi9LLarULUksztYFWWdpaKqjBBQqzszPU7IyrAUAsSEteA by johndoe@example.com, Date: 2021-10-12, Time: 17:55:14+0000, IP: 67.43.156.15, Application: Administration Console\",\"category\":\"archive_service_logs\"}", + "created": "2021-10-12T17:55:14.000Z", "id": "eNqrVipOTS4tSs1MUbJScjMvyjIxr6yoLDY2qQopLq3yDnM1dwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiYGZorKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAE5dK-0", - "created": "2021-10-12T17:55:14.000Z" - }, - "user": { - "name": "johndoe", - "email": "johndoe@example.com", - "domain": "example.com" + "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJScjMvyjIxr6yoLDY2qQopLq3yDnM1dwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxiYGZorKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAE5dK-0\",\"auditType\":\"Archive Mailbox Export Download\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T17:55:14+0000\",\"eventInfo\":\"Mailbox export downloaded. Download filename (HTML Report recovery id): eNqrVipOTS4tSs1MUbJSyo3RDw81rTCpynMpdiuICMopyihxynZztcisDMoN9zWLSCrPzAjz9PALNzFwySrLMNQ2yUs38g9zS860cHKNMExR0lFKLi0uyc9NLUrOT0kFGulsYuZobgoUL0pNzi9LLarULUksztYFWWdpaKqjBBQqzszPU7IyrAUAsSEteA by johndoe@example.com, Date: 2021-10-12, Time: 17:55:14+0000, IP: 67.43.156.15, Application: Administration Console\",\"category\":\"archive_service_logs\"}" }, - "tags": [ - "preserve_original_event" - ], "mimecast": { "application": "Administration Console", "category": "archive_service_logs", "eventInfo": "Mailbox export downloaded. 
Download filename (HTML Report recovery id): eNqrVipOTS4tSs1MUbJSyo3RDw81rTCpynMpdiuICMopyihxynZztcisDMoN9zWLSCrPzAjz9PALNzFwySrLMNQ2yUs38g9zS860cHKNMExR0lFKLi0uyc9NLUrOT0kFGulsYuZobgoUL0pNzi9LLarULUksztYFWWdpaKqjBBQqzszPU7IyrAUAsSEteA by johndoe@example.com, Date: 2021-10-12, Time: 17:55:14+0000, IP: 67.43.156.15, Application: Administration Console" - } - }, - { - "@timestamp": "2021-10-12T17:07:00.000Z", - "ecs": { - "version": "1.12.0" }, "related": { + "ip": [ + "67.43.156.15" + ], "user": [ "johndoe", "johndoe@example.com" - ], - "ip": [ - "67.43.156.15" ] }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "example.com", + "email": "johndoe@example.com", + "name": "johndoe" + } + }, + { + "@timestamp": "2021-10-12T17:07:00.000Z", "client": { + "as": { + "number": 35908 + }, "geo": { "continent_name": "Asia", + "country_iso_code": "BT", "country_name": "Bhutan", "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 + "lat": 27.5, + "lon": 90.5 + } }, "ip": "67.43.156.15" }, + "ecs": { + "version": "8.0.0" + }, "event": { "action": "review-set-action", - "ingested": "2021-12-14T14:48:19.342452886Z", - "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSitH39gl1cS509PT1MSnw90l0CinPCQgLS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGlsYmBsYqqjlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgAxASul\",\"auditType\":\"Review Set Action\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T17:07:00+0000\",\"eventInfo\":\"Viewed Review Set Details - Case: Class Action, Review Set: Contracts, Date: 2021-10-12, Time: 17:07:00+0000, IP: 67.43.156.15, Application: mimecast-case-review\",\"category\":\"case_review_logs\"}", + "created": "2021-10-12T17:07:00.000Z", "id": "eNqrVipOTS4tSs1MUbJSitH39gl1cS509PT1MSnw90l0CinPCQgLS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGlsYmBsYqqjlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgAxASul", - 
"created": "2021-10-12T17:07:00.000Z" - }, - "user": { - "name": "johndoe", - "email": "johndoe@example.com", - "domain": "example.com" + "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJSitH39gl1cS509PT1MSnw90l0CinPCQgLS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGlsYmBsYqqjlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgAxASul\",\"auditType\":\"Review Set Action\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T17:07:00+0000\",\"eventInfo\":\"Viewed Review Set Details - Case: Class Action, Review Set: Contracts, Date: 2021-10-12, Time: 17:07:00+0000, IP: 67.43.156.15, Application: mimecast-case-review\",\"category\":\"case_review_logs\"}" }, - "tags": [ - "preserve_original_event" - ], "mimecast": { "application": "mimecast-case-review", "category": "case_review_logs", "eventInfo": "Viewed Review Set Details - Case: Class Action, Review Set: Contracts, Date: 2021-10-12, Time: 17:07:00+0000, IP: 67.43.156.15, Application: mimecast-case-review" - } - }, - { - "@timestamp": "2021-10-12T15:38:05.000Z", - "ecs": { - "version": "1.12.0" }, "related": { + "ip": [ + "67.43.156.15" + ], "user": [ "johndoe", "johndoe@example.com" - ], - "ip": [ - "67.43.156.15" ] }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "example.com", + "email": "johndoe@example.com", + "name": "johndoe" + } + }, + { + "@timestamp": "2021-10-12T15:38:05.000Z", "client": { + "as": { + "number": 35908 + }, "geo": { "continent_name": "Asia", + "country_iso_code": "BT", "country_name": "Bhutan", "location": { - "lon": 90.5, - "lat": 27.5 - }, - "country_iso_code": "BT" - }, - "as": { - "number": 35908 + "lat": 27.5, + "lon": 90.5 + } }, "ip": "67.43.156.15" }, + "ecs": { + "version": "8.0.0" + }, "event": { "action": "remediation-incident-adjustment", - "ingested": "2021-12-14T14:48:19.342453242Z", - "original": 
"{\"id\":\"eNqrVipOTS4tSs1MUbJS8vDNLCt0DHEKS4xICvNJqzQ1MjOyyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaWJurKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAByMK38\",\"auditType\":\"Remediation Incident Adjustment\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T15:38:05+0000\",\"eventInfo\":\"Restore Remediation Incident Created - TR-C46A75-01419-R, type : restore, search criteria : {\\\"unremediateCode\\\":\\\"TR-C46A75-01419-M\\\",\\\"from\\\":\\\"gmail.com\\\",\\\"start\\\":\\\"2021-10-10T15:33:49+0000\\\",\\\"end\\\":\\\"2021-10-12T15:33:49+0000\\\"}, Date: 2021-10-12, Time: 15:38:05+0000, IP: 67.43.156.15, Application: Administration Console\",\"category\":\"account_logs\"}", + "created": "2021-10-12T15:38:05.000Z", "id": "eNqrVipOTS4tSs1MUbJS8vDNLCt0DHEKS4xICvNJqzQ1MjOyyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaWJurKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAByMK38", - "created": "2021-10-12T15:38:05.000Z" - }, - "user": { - "name": "johndoe", - "email": "johndoe@example.com", - "domain": "example.com" + "original": "{\"id\":\"eNqrVipOTS4tSs1MUbJS8vDNLCt0DHEKS4xICvNJqzQ1MjOyyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaWJurKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAByMK38\",\"auditType\":\"Remediation Incident Adjustment\",\"user\":\"johndoe@example.com\",\"eventTime\":\"2021-10-12T15:38:05+0000\",\"eventInfo\":\"Restore Remediation Incident Created - TR-C46A75-01419-R, type : restore, search criteria : {\\\"unremediateCode\\\":\\\"TR-C46A75-01419-M\\\",\\\"from\\\":\\\"gmail.com\\\",\\\"start\\\":\\\"2021-10-10T15:33:49+0000\\\",\\\"end\\\":\\\"2021-10-12T15:33:49+0000\\\"}, Date: 2021-10-12, Time: 15:38:05+0000, IP: 67.43.156.15, Application: Administration Console\",\"category\":\"account_logs\"}" }, - "tags": [ - "preserve_original_event" - ], "mimecast": { "application": "Administration Console", "category": 
"account_logs", "eventInfo": "Restore Remediation Incident Created - TR-C46A75-01419-R, type : restore, search criteria : {\"unremediateCode\":\"TR-C46A75-01419-M\",\"from\":\"gmail.com\",\"start\":\"2021-10-10T15:33:49+0000\",\"end\":\"2021-10-12T15:33:49+0000\"}, Date: 2021-10-12, Time: 15:38:05+0000, IP: 67.43.156.15, Application: Administration Console" + }, + "related": { + "ip": [ + "67.43.156.15" + ], + "user": [ + "johndoe", + "johndoe@example.com" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "example.com", + "email": "johndoe@example.com", + "name": "johndoe" } }, { @@ -1255,7 +1230,7 @@ "ip": "67.43.156.15" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "event": { "action": "logon-authentication-failed", @@ -1305,7 +1280,7 @@ "ip": "67.43.156.15" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "event": { "action": "logon-authentication-failed", diff --git a/packages/mimecast/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml b/packages/mimecast/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml index ccfcd1ab1c7..3f4c32f1ef4 100644 --- a/packages/mimecast/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml +++ b/packages/mimecast/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml @@ -4,7 +4,7 @@ processors: # # Generic event/ecs fields we always want to populate - set: field: ecs.version - value: "1.12.0" + value: "8.0.0" - rename: field: message target_field: event.original diff --git a/packages/mimecast/data_stream/audit_events/sample_event.json b/packages/mimecast/data_stream/audit_events/sample_event.json index 644d774860d..0790fcddb71 100644 --- a/packages/mimecast/data_stream/audit_events/sample_event.json +++ b/packages/mimecast/data_stream/audit_events/sample_event.json 
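Review bot: The two `account_logs` events in this hunk (`Remediation Incident Created - TR-C46A75-01420-M ...` and `Restore Remediation Incident Created - TR-C46A75-01419-R ...`) carry an embedded JSON object in `eventInfo` with a `fileHash` (a SHA-256) and a `from` domain, and the expected output shows neither surfaced into ECS — no `file.hash.sha256` and no `related.hash` entry — so a detection pivoting on the hash would have to regex `event.original`. The pipeline is not in this chunk, so this may simply be a use case not yet added; if so, parsing the `search criteria : {...}` substring with a `json` processor (after extracting it) and copying `fileHash` to `file.hash.sha256` and `related.hash` would make these events actionable, and the fixture should be regenerated afterwards. Dropping `event.ingested` from the fixture is the right call since it is ingest-time dependent. The hunk opens mid-document: the `user-password-changed` event at its top continues from the previous hunk.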
@@ -1,60 +1,56 @@
 {
- "@timestamp": "2022-02-09T02:45:01.000Z",
- "file": {
- "extension": "zip",
- "name": "Threat intel multiple feeds download - malware_customer_csv_20220209024500934.zip"
+ "@timestamp": "2021-11-16T12:01:37.000Z",
+ "agent": {
+ "ephemeral_id": "fa35babb-45a8-4537-b7e9-037256a9d3e5",
+ "hostname": "docker-fleet-agent",
+ "id": "1e76e2b6-7664-4905-9a0b-11e1d4dc6fa9",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "7.17.0"
+ },
+ "data_stream": {
+ "dataset": "mimecast.audit_events",
+ "namespace": "ep",
+ "type": "logs"
 },
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
+ },
+ "elastic_agent": {
+ "id": "1e76e2b6-7664-4905-9a0b-11e1d4dc6fa9",
+ "snapshot": false,
+ "version": "7.17.0"
+ },
+ "event": {
+ "action": "search-action",
+ "agent_id_status": "verified",
+ "created": "2022-02-22T15:33:36.764Z",
+ "dataset": "mimecast.audit_events",
+ "id": "eNqrVipOTS4tSs1MUbJSSg_xMDJPNkisSDdISQ00j0gzz44wDAtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWFsYmhkoaOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAAjKK1o",
+ "ingested": "2022-02-22T15:33:37Z",
+ "original": "{\"auditType\":\"Search Action\",\"category\":\"case_review_logs\",\"eventInfo\":\"Inspected Review Set Messages - Source: Review Set - Supervision - hot words, Case - GDPR/CCPA, Message Status: Pending, Date: 2021-11-16, Time: 12:01:37+0000, IP: 8.8.8.8, Application: mimecast-case-review\",\"eventTime\":\"2021-11-16T12:01:37+0000\",\"id\":\"eNqrVipOTS4tSs1MUbJSSg_xMDJPNkisSDdISQ00j0gzz44wDAtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWFsYmhkoaOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAAjKK1o\",\"user\":\"johndoe@example.com\"}"
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "mimecast": {
+ "category": "case_review_logs",
+ "eventInfo": "Inspected Review Set Messages - Source: Review Set - Supervision - hot words, Case - GDPR/CCPA, Message Status: Pending, Date: 2021-11-16, Time: 12:01:37+0000, IP: 8.8.8.8, Application: mimecast-case-review"
 },
 "related": {
- "ip": [
- "8.8.8.8"
- ],
 "user": [
 "johndoe",
 "johndoe@example.com"
 ]
 },
- "data_stream": {
- "namespace": "default",
- "type": "logs",
- "dataset": "mimecast.audit_events"
- },
- "client": {
- "as": {
- "number": 15169,
- "organization": {
- "name": "Google LLC"
- }
- },
- "geo": {
- "continent_name": "North America",
- "country_iso_code": "US",
- "country_name": "United States",
- "location": {
- "lat": 37.751,
- "lon": -97.822
- }
- },
- "ip": "8.8.8.8"
- },
- "event": {
- "agent_id_status": "verified",
- "ingested": "2022-02-09T09:45:25Z",
- "created": "2022-02-09T02:45:01.000Z",
- "action": "threat-intel-feed-download",
- "id": "eNqrVipOTS4tSs1MUbJSyvMxyknzzcqN0S9Nzs_PqCoNCTE2j3ILS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsZGhobmJkYKKjlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgCY1Sx4",
- "dataset": "mimecast.audit_events"
- },
+ "tags": [
+ "preserve_original_event",
+ "forwarded",
+ "mimecast-audit-events"
+ ],
 "user": {
 "domain": "example.com",
- "name": "johdoe",
- "email": "johndoe@example.com"
- },
- "mimecast": {
- "eventInfo": "Threat intel multiple feeds download - malware_customer_csv_20220209024500934.zip, Date: 2022-02-09, Time: 02:45:01+0000, IP: 8.8.8.8, Application: Integrations",
- "application": "Integrations",
- "category": "reporting_logs"
+ "email": "johndoe@example.com",
+ "name": "johndoe"
 }
 }
\ No newline at end of file
diff --git a/packages/mimecast/data_stream/dlp_logs/_dev/test/pipeline/test-dlp-logs.log-expected.json b/packages/mimecast/data_stream/dlp_logs/_dev/test/pipeline/test-dlp-logs.log-expected.json
index 9b4d7b4b982..b85334758a1 100644
--- a/packages/mimecast/data_stream/dlp_logs/_dev/test/pipeline/test-dlp-logs.log-expected.json
+++ b/packages/mimecast/data_stream/dlp_logs/_dev/test/pipeline/test-dlp-logs.log-expected.json
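Review bot: The new sample's `mimecast.eventInfo` ends with `IP: 8.8.8.8, Application: mimecast-case-review`, yet unlike the sample it replaces the document has no `client.ip`, no `related.ip` and no `mimecast.application`, and `event.created` is `2022-02-22T15:33:36.764Z` (collection time) rather than the `eventTime` that every event in the expected fixture uses. That pattern suggests the `Search Action` audit type is not matched by the IP/Application/Date parsing; the pipeline is outside this chunk, so please confirm. If so, the published sample under-documents exactly the fields detection rules pivot on for case-review access (`related.ip`, `client.ip`), and it should be regenerated once that auditType is covered — or taken from an auditType the parser already handles, as the removed `threat-intel-feed-download` sample was.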
@@ -3,7 +3,7 @@
 {
 "@timestamp": "2021-10-15T20:41:25.000Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "email": {
 "direction": "inbound",
@@ -31,7 +31,7 @@
 {
 "@timestamp": "2021-10-15T20:41:25.000Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "email": {
 "direction": "inbound",
@@ -59,7 +59,7 @@
 {
 "@timestamp": "2021-10-15T20:41:22.000Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "email": {
 "direction": "inbound",
@@ -87,7 +87,7 @@
 {
 "@timestamp": "2021-10-15T20:41:22.000Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "email": {
 "direction": "inbound",
@@ -115,7 +115,7 @@
 {
 "@timestamp": "2021-10-15T20:41:21.000Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "email": {
 "direction": "inbound",
@@ -143,7 +143,7 @@
 {
 "@timestamp": "2021-10-15T20:41:21.000Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "email": {
 "direction": "inbound",
@@ -171,7 +171,7 @@
 {
 "@timestamp": "2021-10-15T20:41:19.000Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "email": {
 "direction": "inbound",
@@ -199,7 +199,7 @@
 {
 "@timestamp": "2021-10-15T20:41:19.000Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "email": {
 "direction": "inbound",
@@ -227,7 +227,7 @@
 {
 "@timestamp": "2021-10-15T20:41:17.000Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "email": {
 "direction": "inbound",
@@ -255,7 +255,7 @@
 {
 "@timestamp": "2021-10-15T20:41:17.000Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "email": {
 "direction": "inbound",
diff --git a/packages/mimecast/data_stream/dlp_logs/elasticsearch/ingest_pipeline/default.yml b/packages/mimecast/data_stream/dlp_logs/elasticsearch/ingest_pipeline/default.yml
index c8b887e596e..3d3ea2ed289 100644
--- a/packages/mimecast/data_stream/dlp_logs/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/mimecast/data_stream/dlp_logs/elasticsearch/ingest_pipeline/default.yml
@@ -4,7 +4,7 @@ processors: # Generic event/ecs fields we always want to populated - set: field: ecs.version - value: "1.12.0" + value: "8.0.0" - rename: field: message target_field: event.original diff --git a/packages/mimecast/data_stream/dlp_logs/sample_event.json b/packages/mimecast/data_stream/dlp_logs/sample_event.json index e6b6e217321..ed66b44bab2 100644 --- a/packages/mimecast/data_stream/dlp_logs/sample_event.json +++ b/packages/mimecast/data_stream/dlp_logs/sample_event.json @@ -1,17 +1,25 @@ { "@timestamp": "2021-11-18T21:41:18.000Z", + "agent": { + "ephemeral_id": "351662e4-0671-45fc-978c-613243b6b7fe", + "hostname": "docker-fleet-agent", + "id": "1e76e2b6-7664-4905-9a0b-11e1d4dc6fa9", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, "data_stream": { "dataset": "mimecast.dlp_logs", "namespace": "ep", "type": "logs" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "elastic_agent": { - "id": "eb7f38a3-c00c-4d87-9c69-fddb3d650fab", - "snapshot": true, - "version": "7.16.0" + "id": "1e76e2b6-7664-4905-9a0b-11e1d4dc6fa9", + "snapshot": false, + "version": "7.17.0" }, "email": { "direction": "inbound", @@ -29,7 +37,7 @@ "agent_id_status": "verified", "created": "2021-11-18T21:41:18+0000", "dataset": "mimecast.dlp_logs", - "ingested": "2021-11-24T15:39:49Z", + "ingested": "2022-02-22T15:34:19Z", "original": "{\"action\":\"notification\",\"eventTime\":\"2021-11-18T21:41:18+0000\",\"messageId\":\"\\u003c20211118214115.B346F10021D@mail.emailsec.ninja\\u003e\",\"policy\":\"Content Inspection - Watermark\",\"recipientAddress\":\"johndoe@example.com\",\"route\":\"inbound\",\"senderAddress\":\"\\u003c\\u003e\",\"subject\":\"Undelivered Mail Returned to Sender\"}" }, "input": { diff --git a/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-logs.log-expected.json b/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-logs.log-expected.json index 2495457b799..edda7ab9aea 100644 
--- a/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-logs.log-expected.json +++ b/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-logs.log-expected.json @@ -3,7 +3,7 @@ { "@timestamp": "2021-10-18T08:02:43.000Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "email": { "attachments": { @@ -38,7 +38,7 @@ { "@timestamp": "2021-10-19T06:06:40.000Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "email": { "attachments": { @@ -91,7 +91,7 @@ { "@timestamp": "2021-10-19T06:04:55.000Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "email": { "attachments": { @@ -125,7 +125,7 @@ { "@timestamp": "2021-10-19T06:04:55.000Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "email": { "attachments": { @@ -170,7 +170,7 @@ { "@timestamp": "2021-11-08T12:09:18.000Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "email": { "direction": "Internal", @@ -200,7 +200,7 @@ { "@timestamp": "2021-11-08T12:10:19.000Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "email": { "direction": "Internal", @@ -235,7 +235,7 @@ { "@timestamp": "2021-11-29T15:13:58.000Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "email": { "direction": "inbound", diff --git a/packages/mimecast/data_stream/siem_logs/elasticsearch/ingest_pipeline/default.yml b/packages/mimecast/data_stream/siem_logs/elasticsearch/ingest_pipeline/default.yml index 88766e31edc..77f82f98c88 100644 --- a/packages/mimecast/data_stream/siem_logs/elasticsearch/ingest_pipeline/default.yml +++ b/packages/mimecast/data_stream/siem_logs/elasticsearch/ingest_pipeline/default.yml @@ -4,7 +4,7 @@ processors: # Generic event/ecs fields we always want to populated - set: field: ecs.version - value: "1.12.0" + value: "8.0.0" - rename: field: message target_field: event.original diff --git a/packages/mimecast/data_stream/siem_logs/sample_event.json b/packages/mimecast/data_stream/siem_logs/sample_event.json index 5b5ec9b3bb2..7b72a41118c 100644 
--- a/packages/mimecast/data_stream/siem_logs/sample_event.json
+++ b/packages/mimecast/data_stream/siem_logs/sample_event.json
@@ -1,38 +1,56 @@ { - "@timestamp": "2022-02-03T18:17:38.000Z", - "ecs": { - "version": "1.12.0" + "@timestamp": "2021-11-12T12:15:46.000Z", + "agent": { + "ephemeral_id": "d60af43e-84dc-4f3b-b6c9-7616ac605053", + "hostname": "docker-fleet-agent", + "id": "1e76e2b6-7664-4905-9a0b-11e1d4dc6fa9", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" }, "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "mimecast.siem_logs" - }, - "event": { - "agent_id_status": "verified", - "ingested": "2022-02-09T09:58:25Z", - "created": "2022-02-03T18:17:38+0000", - "action": "Acc", "dataset": "mimecast.siem_logs", - "outcome": "unknown" + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "1e76e2b6-7664-4905-9a0b-11e1d4dc6fa9", + "snapshot": false, + "version": "7.17.0" }, "email": { - "attachments": { - "file": { - "size": 0 - } - }, - "local_id": "23e26c29-14fa-4a31-a6a1-474ba8fa7943", - "subject": "You've been sent a secure message: hello world", - "message_id": "\u003c151821003-1643912257257@uk-mta-93.uk.example.lan\u003e", + "direction": "Internal", "from": { "address": "johndoe@example.com" }, - "message_size": 27677 + "local_id": "fjihpfEgM_iRwemxhe3t_w", + "to": { + "address": "o365_service_account@example.com" + } + }, + "event": { + "agent_id_status": "verified", + "created": "2021-11-12T12:15:46+0000", + "dataset": "mimecast.siem_logs", + "ingested": "2022-02-22T15:34:56Z", + "original": "{\"Dir\":\"Internal\",\"Rcpt\":\"o365_service_account@example.com\",\"RcptActType\":\"Jnl\",\"RcptHdrType\":\"Unknown\",\"Sender\":\"johndoe@example.com\",\"aCode\":\"fjihpfEgM_iRwemxhe3t_w\",\"acc\":\"ABC123\",\"datetime\":\"2021-11-12T12:15:46+0000\"}", + "outcome": "unknown" + }, + "input": { + "type": "httpjson" }, "mimecast": { + "RcptActType": "Jnl", + "RcptHdrType": "Unknown", "acc": "ABC123", - "log_type": "process", - "AttCnt": 0 - } + "log_type": "" + }, + "tags": [ + 
"preserve_original_event",
+ "forwarded",
+ "mimecast-siem-logs"
+ ]
 }
\ No newline at end of file
diff --git a/packages/mimecast/data_stream/threat_intel_malware_customer/_dev/test/pipeline/test-threat-intel-malware-customer.log-expected.json b/packages/mimecast/data_stream/threat_intel_malware_customer/_dev/test/pipeline/test-threat-intel-malware-customer.log-expected.json
index 6340ded082e..87a8c644373 100644
--- a/packages/mimecast/data_stream/threat_intel_malware_customer/_dev/test/pipeline/test-threat-intel-malware-customer.log-expected.json
+++ b/packages/mimecast/data_stream/threat_intel_malware_customer/_dev/test/pipeline/test-threat-intel-malware-customer.log-expected.json
@@ -4,7 +4,7 @@
 {
 "@timestamp": "2021-10-29T15:07:26.653Z",
 "ecs": {
- "version": "1.12"
+ "version": "8.0.0"
 },
 "event": {
 "category": "threat",
@@ -48,7 +48,7 @@
 {
 "@timestamp": "2021-10-29T15:07:22.595Z",
 "ecs": {
- "version": "1.12"
+ "version": "8.0.0"
 },
 "event": {
 "category": "threat",
@@ -92,7 +92,7 @@
 {
 "@timestamp": "2021-10-29T15:07:17.538Z",
 "ecs": {
- "version": "1.12"
+ "version": "8.0.0"
 },
 "event": {
 "category": "threat",
@@ -136,7 +136,7 @@
 {
 "@timestamp": "2021-10-29T15:07:14.044Z",
 "ecs": {
- "version": "1.12"
+ "version": "8.0.0"
 },
 "event": {
 "category": "threat",
@@ -180,7 +180,7 @@
 {
 "@timestamp": "2021-10-29T15:07:07.295Z",
 "ecs": {
- "version": "1.12"
+ "version": "8.0.0"
 },
 "event": {
 "category": "threat",
@@ -224,7 +224,7 @@
 {
 "@timestamp": "2021-10-29T15:07:00.555Z",
 "ecs": {
- "version": "1.12"
+ "version": "8.0.0"
 },
 "event": {
 "category": "threat",
@@ -268,7 +268,7 @@
 {
 "@timestamp": "2021-10-29T15:07:00.259Z",
 "ecs": {
- "version": "1.12"
+ "version": "8.0.0"
 },
 "event": {
 "category": "threat",
diff --git a/packages/mimecast/data_stream/threat_intel_malware_customer/elasticsearch/ingest_pipeline/default.yml b/packages/mimecast/data_stream/threat_intel_malware_customer/elasticsearch/ingest_pipeline/default.yml
index 6ad7bbc4bd5..4f43e923e13 100644
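Review bot: The new siem_logs sample event documents `"log_type": ""` under `mimecast`, where the replaced sample carried `"process"` and the preserved `event.original` in the same hunk describes a journal record (`"RcptActType":"Jnl"`). An empty string is a sentinel that queries cannot tell apart from an unset keyword, and it suggests the pipeline's log-type assignment did not match this input; the pipeline hunk in this patch only bumps `ecs.version`, so that logic is outside the diff. The pipeline should either assign a type for this record or drop the field when it has no value, so the published sample does not present `""` as an expected result.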
--- a/packages/mimecast/data_stream/threat_intel_malware_customer/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/mimecast/data_stream/threat_intel_malware_customer/elasticsearch/ingest_pipeline/default.yml
@@ -6,7 +6,7 @@ processors:
 ####################
 - set:
 field: ecs.version
- value: "1.12"
+ value: "8.0.0"
 - set:
 field: event.kind
 value: enrichment
diff --git a/packages/mimecast/data_stream/threat_intel_malware_customer/sample_event.json b/packages/mimecast/data_stream/threat_intel_malware_customer/sample_event.json
index 9463a5cefab..f2171989640 100644
--- a/packages/mimecast/data_stream/threat_intel_malware_customer/sample_event.json
+++ b/packages/mimecast/data_stream/threat_intel_malware_customer/sample_event.json
@@ -1,46 +1,68 @@ { - "@timestamp": "2022-02-02T16:07:13.213Z", + "@timestamp": "2021-11-19T01:28:37.099Z", + "agent": { + "ephemeral_id": "ed2b1a30-7f2d-4dee-a2c1-2d8cf54981ef", + "hostname": "docker-fleet-agent", + "id": "1e76e2b6-7664-4905-9a0b-11e1d4dc6fa9", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "data_stream": { + "dataset": "mimecast.threat_intel_malware_customer", + "namespace": "ep", + "type": "logs" + }, "ecs": { - "version": "1.12" + "version": "8.0.0" + }, + "elastic_agent": { + "id": "1e76e2b6-7664-4905-9a0b-11e1d4dc6fa9", + "snapshot": false, + "version": "7.17.0" + }, + "event": { + "agent_id_status": "verified", + "category": "threat", + "created": "2022-02-22T15:35:42.813Z", + "dataset": "mimecast.threat_intel_malware_customer", + "ingested": "2022-02-22T15:35:43Z", + "kind": "enrichment", + "original": "{\"created\":\"2021-11-19T01:28:37.099Z\",\"id\":\"indicator--456ac916-4c4e-43be-b7a9-6678f6a845cd\",\"labels\":[\"malicious-activity\"],\"modified\":\"2021-11-19T01:28:37.099Z\",\"pattern\":\"[file:hashes.'SHA-256' = 'ec5a6c52acdc187fc6c1187f14cd685c686c2b283503a023c4a9d3a977b491be']\",\"type\":\"indicator\",\"valid_from\":\"2021-11-19T01:28:37.099Z\"}", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "mimecast": { + "id": "indicator--456ac916-4c4e-43be-b7a9-6678f6a845cd", + "labels": [ + "malicious-activity" + ], + "pattern": "[file:hashes.'SHA-256' = 'ec5a6c52acdc187fc6c1187f14cd685c686c2b283503a023c4a9d3a977b491be']", + "type": "indicator" }, "related": { "hash": [ - "f074c46bb36cc48f36359d9847def630a4bd405d654e7db9b2b8ea1ce4e2528d" + "ec5a6c52acdc187fc6c1187f14cd685c686c2b283503a023c4a9d3a977b491be" ] }, - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "mimecast.threat_intel_malware_customer" - }, + "tags": [ + "preserve_original_event", + "forwarded", + "mimecast-threat-intel-feed-malware-customer", + "malicious-activity" + ], "threat": { "indicator": { 
- "first_seen": "2022-02-02T16:07:13.213Z",
 "file": {
 "hash": {
- "sha256": "f074c46bb36cc48f36359d9847def630a4bd405d654e7db9b2b8ea1ce4e2528d"
+ "sha256": "ec5a6c52acdc187fc6c1187f14cd685c686c2b283503a023c4a9d3a977b491be"
 }
 },
- "modified_at": "2022-02-02T16:07:13.213Z",
+ "first_seen": "2021-11-19T01:28:37.099Z",
+ "modified_at": "2021-11-19T01:28:37.099Z",
 "type": "file"
 }
- },
- "event": {
- "agent_id_status": "verified",
- "ingested": "2022-02-09T08:10:24Z",
- "created": "2022-02-09T08:10:24.724Z",
- "kind": "enrichment",
- "category": "threat",
- "type": "indicator",
- "dataset": "mimecast.threat_intel_malware_customer"
- },
- "mimecast": {
- "log_type": "malware_customer",
- "pattern": "[file:hashes.'SHA-256' = 'f074c46bb36cc48f36359d9847def630a4bd405d654e7db9b2b8ea1ce4e2528d']",
- "id": "indicator--17be7188-db80-4f6e-84cf-7fcb016f45de",
- "type": "indicator",
- "labels": [
- "malicious-activity"
- ]
 }
 }
\ No newline at end of file
diff --git a/packages/mimecast/data_stream/threat_intel_malware_grid/_dev/test/pipeline/test-threat-intel-malware-grid.log-expected.json b/packages/mimecast/data_stream/threat_intel_malware_grid/_dev/test/pipeline/test-threat-intel-malware-grid.log-expected.json
index ca72d64d8f6..f76cea121c4 100644
--- a/packages/mimecast/data_stream/threat_intel_malware_grid/_dev/test/pipeline/test-threat-intel-malware-grid.log-expected.json
+++ b/packages/mimecast/data_stream/threat_intel_malware_grid/_dev/test/pipeline/test-threat-intel-malware-grid.log-expected.json
@@ -4,7 +4,7 @@
 {
 "@timestamp": "2021-10-29T15:07:26.653Z",
 "ecs": {
- "version": "1.12"
+ "version": "8.0.0"
 },
 "event": {
 "category": "threat",
@@ -48,7 +48,7 @@
 {
 "@timestamp": "2021-10-29T15:07:22.595Z",
 "ecs": {
- "version": "1.12"
+ "version": "8.0.0"
 },
 "event": {
 "category": "threat",
@@ -92,7 +92,7 @@
 {
 "@timestamp": "2021-10-29T15:07:17.538Z",
 "ecs": {
- "version": "1.12"
+ "version": "8.0.0"
 },
 "event": {
 "category": "threat",
@@ -136,7 +136,7 @@
 {
 "@timestamp": "2021-10-29T15:07:14.044Z",
 "ecs": {
- "version": "1.12"
+ "version": "8.0.0"
 },
 "event": {
 "category": "threat",
@@ -180,7 +180,7 @@
 {
 "@timestamp": "2021-10-29T15:07:07.295Z",
 "ecs": {
- "version": "1.12"
+ "version": "8.0.0"
 },
 "event": {
 "category": "threat",
@@ -224,7 +224,7 @@
 {
 "@timestamp": "2021-10-29T15:07:00.555Z",
 "ecs": {
- "version": "1.12"
+ "version": "8.0.0"
 },
 "event": {
 "category": "threat",
@@ -268,7 +268,7 @@
 {
 "@timestamp": "2021-10-29T15:07:00.259Z",
 "ecs": {
- "version": "1.12"
+ "version": "8.0.0"
 },
 "event": {
 "category": "threat",
diff --git a/packages/mimecast/data_stream/threat_intel_malware_grid/elasticsearch/ingest_pipeline/default.yml b/packages/mimecast/data_stream/threat_intel_malware_grid/elasticsearch/ingest_pipeline/default.yml
index 16d618c6c19..13f140e554f 100644
--- a/packages/mimecast/data_stream/threat_intel_malware_grid/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/mimecast/data_stream/threat_intel_malware_grid/elasticsearch/ingest_pipeline/default.yml
@@ -6,7 +6,7 @@ processors:
 ####################
 - set:
 field: ecs.version
- value: "1.12"
+ value: "8.0.0"
 - set:
 field: event.kind
 value: enrichment
diff --git a/packages/mimecast/data_stream/threat_intel_malware_grid/sample_event.json b/packages/mimecast/data_stream/threat_intel_malware_grid/sample_event.json
index 7cfd47b864a..0419ce66ba0 100644
--- a/packages/mimecast/data_stream/threat_intel_malware_grid/sample_event.json
+++ b/packages/mimecast/data_stream/threat_intel_malware_grid/sample_event.json
@@ -1,47 +1,68 @@ { - "@timestamp": "2022-02-02T08:29:59.677Z", + "@timestamp": "2021-11-19T01:28:37.099Z", + "agent": { + "ephemeral_id": "1cf099da-bb55-4fba-8b4d-d4cc5a3c3c72", + "hostname": "docker-fleet-agent", + "id": "1e76e2b6-7664-4905-9a0b-11e1d4dc6fa9", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "data_stream": { + "dataset": "mimecast.threat_intel_malware_grid", + "namespace": "ep", + "type": "logs" + }, "ecs": { - "version": "1.12" + "version": "8.0.0" + }, + "elastic_agent": { + "id": "1e76e2b6-7664-4905-9a0b-11e1d4dc6fa9", + "snapshot": false, + "version": "7.17.0" + }, + "event": { + "agent_id_status": "verified", + "category": "threat", + "created": "2022-02-22T15:36:21.369Z", + "dataset": "mimecast.threat_intel_malware_grid", + "ingested": "2022-02-22T15:36:22Z", + "kind": "enrichment", + "original": "{\"created\":\"2021-11-19T01:28:37.099Z\",\"id\":\"indicator--456ac916-4c4e-43be-b7a9-6678f6a845cd\",\"labels\":[\"malicious-activity\"],\"modified\":\"2021-11-19T01:28:37.099Z\",\"pattern\":\"[file:hashes.'SHA-256' = 'ec5a6c52acdc187fc6c1187f14cd685c686c2b283503a023c4a9d3a977b491be']\",\"type\":\"indicator\",\"valid_from\":\"2021-11-19T01:28:37.099Z\"}", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "mimecast": { + "id": "indicator--456ac916-4c4e-43be-b7a9-6678f6a845cd", + "labels": [ + "malicious-activity" + ], + "pattern": "[file:hashes.'SHA-256' = 'ec5a6c52acdc187fc6c1187f14cd685c686c2b283503a023c4a9d3a977b491be']", + "type": "indicator" }, "related": { "hash": [ - "7120d1338e2fac743e50cbafc5f6de37c97890678f35e15a21cd17384f2f78d0" + "ec5a6c52acdc187fc6c1187f14cd685c686c2b283503a023c4a9d3a977b491be" ] }, - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "mimecast.threat_intel_malware_grid" - }, + "tags": [ + "preserve_original_event", + "forwarded", + "mimecast-threat-intel-feed-malware-grid", + "malicious-activity" + ], "threat": { "indicator": { - "first_seen": 
"2022-02-02T08:29:59.677Z",
 "file": {
 "hash": {
- "sha256": "7120d1338e2fac743e50cbafc5f6de37c97890678f35e15a21cd17384f2f78d0"
+ "sha256": "ec5a6c52acdc187fc6c1187f14cd685c686c2b283503a023c4a9d3a977b491be"
 }
 },
- "modified_at": "2022-02-02T08:29:59.677Z",
+ "first_seen": "2021-11-19T01:28:37.099Z",
+ "modified_at": "2021-11-19T01:28:37.099Z",
 "type": "file"
 }
- },
- "event": {
- "agent_id_status": "verified",
- "ingested": "2022-02-09T08:41:44Z",
- "original": "{\"Content-Disposition\":\"attachment; filename=\\\"malware_grid_stix_20220202083530775.stix\\\"\",\"created\":\"2022-02-02T08:29:59.677Z\",\"id\":\"indicator--12dbac84-90a0-4896-a6aa-96d1f7b723f1\",\"labels\":[\"malicious-activity\"],\"modified\":\"2022-02-02T08:29:59.677Z\",\"pattern\":\"[file:hashes.'SHA-256' = '7120d1338e2fac743e50cbafc5f6de37c97890678f35e15a21cd17384f2f78d0']\",\"type\":\"indicator\",\"valid_from\":\"2022-02-02T08:29:59.677Z\"}",
- "created": "2022-02-09T08:41:43.956Z",
- "kind": "enrichment",
- "category": "threat",
- "type": "indicator",
- "dataset": "mimecast.threat_intel_malware_grid"
- },
- "mimecast": {
- "log_type": "malware_grid",
- "pattern": "[file:hashes.'SHA-256' = '7120d1338e2fac743e50cbafc5f6de37c97890678f35e15a21cd17384f2f78d0']",
- "id": "indicator--12dbac84-90a0-4896-a6aa-96d1f7b723f1",
- "type": "indicator",
- "labels": [
- "malicious-activity"
- ]
 }
 }
\ No newline at end of file
diff --git a/packages/mimecast/data_stream/ttp_ap_logs/_dev/test/pipeline/test-ttp-ap-logs.log-expected.json b/packages/mimecast/data_stream/ttp_ap_logs/_dev/test/pipeline/test-ttp-ap-logs.log-expected.json
index c6171bc1b99..df58c04da5a 100644
--- a/packages/mimecast/data_stream/ttp_ap_logs/_dev/test/pipeline/test-ttp-ap-logs.log-expected.json
+++ b/packages/mimecast/data_stream/ttp_ap_logs/_dev/test/pipeline/test-ttp-ap-logs.log-expected.json
@@ -3,7 +3,7 @@
 {
 "@timestamp": "2021-10-14T18:54:32.000Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "email": {
 "attachments": {
@@ -48,7 +48,7 @@
 {
 "@timestamp": "2021-10-14T11:24:23.000Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "email": {
 "attachments": {
@@ -93,7 +93,7 @@
 {
 "@timestamp": "2021-10-14T11:24:23.000Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "email": {
 "attachments": {
diff --git a/packages/mimecast/data_stream/ttp_ap_logs/elasticsearch/ingest_pipeline/default.yml b/packages/mimecast/data_stream/ttp_ap_logs/elasticsearch/ingest_pipeline/default.yml
index cc55251a5f6..29681b778a0 100644
--- a/packages/mimecast/data_stream/ttp_ap_logs/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/mimecast/data_stream/ttp_ap_logs/elasticsearch/ingest_pipeline/default.yml
@@ -4,7 +4,7 @@ processors:
 # Generic event/ecs fields we always want to populated
 - set:
 field: ecs.version
- value: "1.12.0"
+ value: "8.0.0"
 - rename:
 field: message
 target_field: event.original
diff --git a/packages/mimecast/data_stream/ttp_ap_logs/sample_event.json b/packages/mimecast/data_stream/ttp_ap_logs/sample_event.json
index 6cd153d9552..a6e1a0e6b64 100644
--- a/packages/mimecast/data_stream/ttp_ap_logs/sample_event.json
+++ b/packages/mimecast/data_stream/ttp_ap_logs/sample_event.json
@@ -1,47 +1,71 @@ { - "@timestamp": "2022-02-01T17:27:48.000Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "hash": [ - "eaeef09b60a59b913e9bfc0a4373e25d6182beff388957473fba517cc09345e3" - ] + "@timestamp": "2021-11-24T11:54:27.000Z", + "agent": { + "ephemeral_id": "04477e86-6c35-45fb-84c1-3369e6841252", + "hostname": "docker-fleet-agent", + "id": "1e76e2b6-7664-4905-9a0b-11e1d4dc6fa9", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" }, "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "mimecast.ttp_ap_logs" + "dataset": "mimecast.ttp_ap_logs", + "namespace": "ep", + "type": "logs" }, - "event": { - "agent_id_status": "verified", - "ingested": "2022-02-09T08:45:45Z", - "original": "{\"actionTriggered\":\"user release, none\",\"date\":\"2022-02-01T17:27:48+0000\",\"definition\":\"Inbound - Safe file with On-Demand Sandbox\",\"details\":\"Safe \\r\\nTime taken: 0 hrs, 0 min, 32 sec\",\"fileHash\":\"eaeef09b60a59b913e9bfc0a4373e25d6182beff388957473fba517cc09345e3\",\"fileName\":\"numbers.pdf\",\"fileType\":\"application/pdf\",\"messageId\":\"\\u003c20200806044148.F35F813B435@mail.example.com\\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"result\":\"safe\",\"route\":\"inbound\",\"senderAddress\":\"\\u003c\\u003e\",\"subject\":\"Important Updated Numbers from the Center for Disease Control\"}", - "created": "2022-02-01T17:27:48+0000", - "action": "user_release_none", - "dataset": "mimecast.ttp_ap_logs" + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "1e76e2b6-7664-4905-9a0b-11e1d4dc6fa9", + "snapshot": false, + "version": "7.17.0" }, "email": { "attachments": { "file": { "extension": "pdf", "mime_type": "application/pdf", - "name": "numbers.pdf" + "name": "Datasheet_Mimecast Targeted Threat Protection + Internal Email Protect (2).pdf" }, - "hash": "eaeef09b60a59b913e9bfc0a4373e25d6182beff388957473fba517cc09345e3" + "hash": 
"cabd7cb6e1822fd9e1fc9bcf144ee26ee6bfc855c4574ca967dd53dcc36a1254" }, - "subject": "Important Updated Numbers from the Center for Disease Control", + "direction": "inbound", "from": { "address": "\u003c\u003e" }, - "message_id": "\u003c20200806044148.F35F813B435@mail.example.com\u003e", + "message_id": "\u003cCAKUQxhimsCd1bvWQVs14Amuh1+Hnw_bmSuA7ot8hy4eDa9_ziQ@mail.gmail.com\u003e", + "subject": "Test Files", "to": { - "address": "johndoe@example.com" - }, - "direction": "inbound" + "address": "johndoe@emample.com" + } + }, + "event": { + "action": "user_release_none", + "agent_id_status": "verified", + "created": "2021-11-24T11:54:27+0000", + "dataset": "mimecast.ttp_ap_logs", + "ingested": "2022-02-22T15:37:02Z", + "original": "{\"actionTriggered\":\"user release, none\",\"date\":\"2021-11-24T11:54:27+0000\",\"definition\":\"Inbound - Safe file with On-Demand Sandbox\",\"details\":\"Safe \\r\\nTime taken: 0 hrs, 0 min, 7 sec\",\"fileHash\":\"cabd7cb6e1822fd9e1fc9bcf144ee26ee6bfc855c4574ca967dd53dcc36a1254\",\"fileName\":\"Datasheet_Mimecast Targeted Threat Protection + Internal Email Protect (2).pdf\",\"fileType\":\"application/pdf\",\"messageId\":\"\\u003cCAKUQxhimsCd1bvWQVs14Amuh1+Hnw_bmSuA7ot8hy4eDa9_ziQ@mail.gmail.com\\u003e\",\"recipientAddress\":\"johndoe@emample.com\",\"result\":\"safe\",\"route\":\"inbound\",\"senderAddress\":\"\\u003c\\u003e\",\"subject\":\"Test Files\"}" + }, + "input": { + "type": "httpjson" }, "mimecast": { - "result": "safe", - "details": "Safe \r\nTime taken: 0 hrs, 0 min, 32 sec" - } + "details": "Safe \r\nTime taken: 0 hrs, 0 min, 7 sec", + "result": "safe" + }, + "related": { + "hash": [ + "cabd7cb6e1822fd9e1fc9bcf144ee26ee6bfc855c4574ca967dd53dcc36a1254" + ] + }, + "rule": { + "name": "Inbound - Safe file with On-Demand Sandbox" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "mimecast-ttp-ap" + ] } \ No newline at end of file 
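Review bot: The recipient in the new ttp_ap sample is `johndoe@emample.com`, both in `email.to.address` and inside `event.original`; this reads as a typo of the `example.com` used by every other sample in this patch, and `emample.com` is not an RFC 2606 reserved domain, so the package would ship a sample pointing at a registrable third-party domain. The same hunk's `email.message_id` references `mail.gmail.com`, and the ttp_url sample hunk (`@@ -1,23 +1,56 @@`) carries a real `googlealerts-noreply@google.com` sender plus live `google.co.za` and `wsj.com` URLs. Since these samples are reproduced as the example events in the README, the addresses and URLs should be rewritten to reserved example domains before release, e.g. `"address": "johndoe@example.com"`.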
diff --git a/packages/mimecast/data_stream/ttp_ip_logs/_dev/test/pipeline/test-ttp-ip-logs.log-expected.json b/packages/mimecast/data_stream/ttp_ip_logs/_dev/test/pipeline/test-ttp-ip-logs.log-expected.json
index b936d1f469c..fff88ea7f22 100644
--- a/packages/mimecast/data_stream/ttp_ip_logs/_dev/test/pipeline/test-ttp-ip-logs.log-expected.json
+++ b/packages/mimecast/data_stream/ttp_ip_logs/_dev/test/pipeline/test-ttp-ip-logs.log-expected.json
@@ -3,7 +3,7 @@
 {
 "@timestamp": "2021-10-15T17:10:46.000Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "email": {
 "from": {
@@ -55,7 +55,7 @@
 {
 "@timestamp": "2021-10-15T06:16:34.000Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "email": {
 "from": {
@@ -107,7 +107,7 @@
 {
 "@timestamp": "2021-10-13T16:12:07.000Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "email": {
 "from": {
diff --git a/packages/mimecast/data_stream/ttp_ip_logs/elasticsearch/ingest_pipeline/default.yml b/packages/mimecast/data_stream/ttp_ip_logs/elasticsearch/ingest_pipeline/default.yml
index 578e4fb6dab..b461bdcddcf 100644
--- a/packages/mimecast/data_stream/ttp_ip_logs/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/mimecast/data_stream/ttp_ip_logs/elasticsearch/ingest_pipeline/default.yml
@@ -4,7 +4,7 @@ processors:
 # Generic event/ecs fields we always want to populated
 - set:
 field: ecs.version
- value: "1.12.0"
+ value: "8.0.0"
 - rename:
 field: message
 target_field: event.original
diff --git a/packages/mimecast/data_stream/ttp_ip_logs/sample_event.json b/packages/mimecast/data_stream/ttp_ip_logs/sample_event.json
index d9feed9206a..95c63d6e38d 100644
--- a/packages/mimecast/data_stream/ttp_ip_logs/sample_event.json
+++ b/packages/mimecast/data_stream/ttp_ip_logs/sample_event.json
@@ -1,63 +1,78 @@ { - "rule": { - "name": "IP - 1 hit (Tag email)" - }, - "source": { - "ip": "8.8.8.8" + "@timestamp": "2021-11-12T15:27:04.000Z", + "agent": { + "ephemeral_id": "c3429d44-3582-45ff-9a45-240e99753ecc", + "hostname": "docker-fleet-agent", + "id": "1e76e2b6-7664-4905-9a0b-11e1d4dc6fa9", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" }, - "tags": [ - "forwarded", - "mimecast-ttp-ip" - ], - "input": { - "type": "httpjson" + "data_stream": { + "dataset": "mimecast.ttp_ip_logs", + "namespace": "ep", + "type": "logs" }, - "@timestamp": "2022-02-08T17:21:45.000Z", "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, - "related": { - "ip": [ - "8.8.8.8" - ] - }, - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "mimecast.ttp_ip_logs" - }, - "event": { - "agent_id_status": "verified", - "ingested": "2022-02-09T10:09:19Z", - "created": "2022-02-08T17:21:45+0000", - "action": "none", - "id": "MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyNjAxtzQz0FEqSy0qzszPU7Iy1FEqyQMrNDAwVqoFAGPlEhM", - "dataset": "mimecast.ttp_ip_logs" + "elastic_agent": { + "id": "1e76e2b6-7664-4905-9a0b-11e1d4dc6fa9", + "snapshot": false, + "version": "7.17.0" }, "email": { - "subject": "FW: Subject | Training", "from": { "address": "johndoe@example.com" }, - "message_id": "\u003cAS8P194MB1544675B724095ACB49F2338A82D9@AS8P194MB1544.EURP194.PROD.OUTLOOK.COM\u003e", + "message_id": "\u003cMN2PR16MB2719879CA4DB60C265F7FD8FB0959@MN2PR16MB2719.namprd16.prod.outlook.com\u003e", + "subject": "Don't read, just fill out!", "to": { - "address": "janedoe@example.com" + "address": "johndoe@example.com" } }, + "event": { + "action": "none", + "agent_id_status": "verified", + "created": "2021-11-12T15:27:04+0000", + "dataset": "mimecast.ttp_ip_logs", + "id": "MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMjM3MzAw0FEqSy0qzszPU7Iy1FEqyQMrNDAwV6oFAGMiEg8", + "ingested": "2022-02-22T15:37:59Z", + "original": 
"{\"action\":\"none\",\"definition\":\"IP - 1 hit (Tag email)\",\"eventTime\":\"2021-11-12T15:27:04+0000\",\"hits\":1,\"id\":\"MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMjM3MzAw0FEqSy0qzszPU7Iy1FEqyQMrNDAwV6oFAGMiEg8\",\"identifiers\":[\"internal_user_name\"],\"impersonationResults\":[{\"checkerResult\":\"hit\",\"impersonationDomainSource\":\"internal_user_name\",\"similarDomain\":\"John Doe \\u003cjohndoe_cdw@example.com\\u003e\",\"stringSimilarToDomain\":\"John Doe\"}],\"messageId\":\"\\u003cMN2PR16MB2719879CA4DB60C265F7FD8FB0959@MN2PR16MB2719.namprd16.prod.outlook.com\\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"senderAddress\":\"johndoe@example.com\",\"senderIpAddress\":\"8.8.8.8\",\"subject\":\"Don't read, just fill out!\",\"taggedExternal\":false,\"taggedMalicious\":true}" + }, + "input": { + "type": "httpjson" + }, "mimecast": { "hits": 1, - "taggedMalicious": true, "identifiers": [ "internal_user_name" ], "impersonationResults": [ { "checkerResult": "hit", - "similarDomain": "John Doe \u003cjohndoe@example.com\u003e", "impersonationDomainSource": "internal_user_name", + "similarDomain": "John Doe \u003cjohndoe_cdw@example.com\u003e", "stringSimilarToDomain": "John Doe" } ], - "taggedExternal": false - } + "taggedExternal": false, + "taggedMalicious": true + }, + "related": { + "ip": [ + "8.8.8.8" + ] + }, + "rule": { + "name": "IP - 1 hit (Tag email)" + }, + "source": { + "ip": "8.8.8.8" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "mimecast-ttp-ip" + ] } \ No newline at end of file diff --git a/packages/mimecast/data_stream/ttp_url_logs/_dev/test/pipeline/test-ttp-url-logs.log-expected.json b/packages/mimecast/data_stream/ttp_url_logs/_dev/test/pipeline/test-ttp-url-logs.log-expected.json index 1d0f4f1d27f..b665d814b15 100644 --- a/packages/mimecast/data_stream/ttp_url_logs/_dev/test/pipeline/test-ttp-url-logs.log-expected.json 
+++ b/packages/mimecast/data_stream/ttp_url_logs/_dev/test/pipeline/test-ttp-url-logs.log-expected.json
@@ -3,7 +3,7 @@
 {
 "@timestamp": "2021-10-16T14:45:34.000Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "email": {
 "direction": "inbound",
@@ -60,7 +60,7 @@
 {
 "@timestamp": "2021-10-16T14:07:38.000Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "email": {
 "direction": "inbound",
@@ -117,7 +117,7 @@
 {
 "@timestamp": "2021-10-16T13:31:56.000Z",
 "ecs": {
- "version": "1.12.0"
+ "version": "8.0.0"
 },
 "email": {
 "direction": "inbound",
diff --git a/packages/mimecast/data_stream/ttp_url_logs/elasticsearch/ingest_pipeline/default.yml b/packages/mimecast/data_stream/ttp_url_logs/elasticsearch/ingest_pipeline/default.yml
index a8685b2d7f5..82c559ab44c 100644
--- a/packages/mimecast/data_stream/ttp_url_logs/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/mimecast/data_stream/ttp_url_logs/elasticsearch/ingest_pipeline/default.yml
@@ -4,7 +4,7 @@ processors:
 # Generic event/ecs fields we always want to populated
 - set:
 field: ecs.version
- value: "1.12.0"
+ value: "8.0.0"
 - rename:
 field: message
 target_field: event.original
diff --git a/packages/mimecast/data_stream/ttp_url_logs/sample_event.json b/packages/mimecast/data_stream/ttp_url_logs/sample_event.json
index 01092b8b1e7..1727a303ff0 100644
--- a/packages/mimecast/data_stream/ttp_url_logs/sample_event.json
+++ b/packages/mimecast/data_stream/ttp_url_logs/sample_event.json
@@ -1,23 +1,56 @@ { - "rule": { - "name": "Inbound URL 'Aggressive'" + "@timestamp": "2021-11-10T03:49:53.000Z", + "agent": { + "ephemeral_id": "32e43233-fc59-4b6d-97c4-bc2d0647f8a0", + "hostname": "docker-fleet-agent", + "id": "1e76e2b6-7664-4905-9a0b-11e1d4dc6fa9", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" }, - "source": { - "ip": "8.8.8.8" + "data_stream": { + "dataset": "mimecast.ttp_url_logs", + "namespace": "ep", + "type": "logs" }, - "url": { - "original": "https://link.buzzfeed.com/click/26642507.136718/aHR0cHM6Ly93d3cuYnV6emZlZWQuY29tL25lZ2VzdGlrYXVkby9zZXgtdG95cy10by1naWZ0LXlvdXJzZWxmLWZvci12YWxlbnRpbmVzLWRheS1hbmQtZmVlbD9vcmlnaW49c2hvcHBpbmdubA/5d81de1940f8667f86011339B2d1592db" + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "1e76e2b6-7664-4905-9a0b-11e1d4dc6fa9", + "snapshot": false, + "version": "7.17.0" + }, + "email": { + "direction": "inbound", + "from": { + "address": "googlealerts-noreply@google.com" + }, + "message_id": "\u003c000000000000a02a0a05d0671c06@google.com\u003e", + "subject": "Google Alert - china" + }, + "event": { + "action": "Continue", + "agent_id_status": "verified", + "created": "2021-11-10T03:49:53+0000", + "dataset": "mimecast.ttp_url_logs", + "ingested": "2022-02-22T15:38:37Z", + "original": "{\"action\":\"allow\",\"actions\":\"Allow\",\"adminOverride\":\"N/A\",\"category\":\"Search Engines \\u0026 Portals\",\"creationMethod\":\"User Click\",\"date\":\"2021-11-10T03:49:53+0000\",\"emailPartsDescription\":[\"Body\"],\"fromUserEmailAddress\":\"googlealerts-noreply@google.com\",\"messageId\":\"\\u003c000000000000a02a0a05d0671c06@google.com\\u003e\",\"route\":\"inbound\",\"scanResult\":\"clean\",\"sendingIp\":\"8.8.8.8\",\"subject\":\"Google Alert - china\",\"ttpDefinition\":\"Inbound URL 
'Aggressive'\",\"url\":\"https://www.google.co.za/alerts/share?hl=en\\u0026gl=US\\u0026ru=https://www.wsj.com/articles/u-s-tests-israels-iron-dome-in-guam-as-defense-against-chinese-cruise-missiles-11636455224\\u0026ss=tw\\u0026rt=U.S.+Tests+Israel%27s+Iron+Dome+in+Guam+as+Defense+Against+Chinese+Cruise+Missiles+-+WSJ\\u0026cd=KhQxNzg2NTc5NDQ3ODIzODUyNjI5NzIcZmQ4N2VjYzkxMGIxMWE4Yzpjby56YTplbjpVUw\\u0026ssp=AMJHsmW3CCK1S4TNPifSXszcyaNMwd6TDg\",\"userAwarenessAction\":\"Continue\",\"userEmailAddress\":\"johndoe@example.com\",\"userOverride\":\"None\"}" }, - "tags": [ - "forwarded", - "mimecast-ttp-url" - ], "input": { "type": "httpjson" }, - "@timestamp": "2022-02-09T01:39:36.000Z", - "ecs": { - "version": "1.12.0" + "mimecast": { + "action": "allow", + "actions": "Allow", + "adminOverride": "N/A", + "category": "Search Engines \u0026 Portals", + "creationMethod": "User Click", + "emailPartsDescription": [ + "Body" + ], + "scanResult": "clean", + "userOverride": "None" }, "related": { "ip": [ 
@@ -28,41 +61,23 @@ "johndoe@example.com" ] }, - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "mimecast.ttp_url_logs" + "rule": { + "name": "Inbound URL 'Aggressive'" }, - "event": { - "agent_id_status": "verified", - "ingested": "2022-02-09T10:13:06Z", - "created": "2022-02-09T01:39:36+0000", - "action": "Continue", - "dataset": "mimecast.ttp_url_logs" + "source": { + "ip": "8.8.8.8" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "mimecast-ttp-url" + ], + "url": { + "original": "https://www.google.co.za/alerts/share?hl=en\u0026gl=US\u0026ru=https://www.wsj.com/articles/u-s-tests-israels-iron-dome-in-guam-as-defense-against-chinese-cruise-missiles-11636455224\u0026ss=tw\u0026rt=U.S.+Tests+Israel%27s+Iron+Dome+in+Guam+as+Defense+Against+Chinese+Cruise+Missiles+-+WSJ\u0026cd=KhQxNzg2NTc5NDQ3ODIzODUyNjI5NzIcZmQ4N2VjYzkxMGIxMWE4Yzpjby56YTplbjpVUw\u0026ssp=AMJHsmW3CCK1S4TNPifSXszcyaNMwd6TDg" }, "user": { "domain": "example.com", - "name": "johndoe", - "email": "johndoe@example.com" - }, - "email": { - "subject": "\"Why don't I own that already?\"", - "message_id": "\u003c20220208203837.26642507.136718@example.com\u003e", - "from": { - "address": "newsletter@buzzfeed.com" - }, - "direction": "inbound" - }, - "mimecast": { - "userOverride": "None", - "action": "allow", - "adminOverride": "N/A", - "category": "Entertainment", - "scanResult": "clean", - "actions": "Allow", - "creationMethod": "User Click", - "emailPartsDescription": [ - "Body" - ] + "email": "johndoe@example.com", + "name": "johndoe" } } \ No newline at end of file diff --git a/packages/mimecast/docs/README.md b/packages/mimecast/docs/README.md index be073364c2f..f5f6938cc0f 100644 --- a/packages/mimecast/docs/README.md +++ b/packages/mimecast/docs/README.md 
@@ -144,6 +144,7 @@ An example event for `audit_events` looks as following:
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
 | input.type | Input type | keyword |
 | log.offset | Log offset | long |
+| mimecast.2FA | Info about two-factor authentication. | keyword |
 | mimecast.application | The Mimecast unique id of the event. | keyword |
 | mimecast.category | The category of the event. | keyword |
 | mimecast.email.address | Email address from event info. | keyword |
@@ -428,7 +429,7 @@ An example event for `siem` looks as following:
 | mimecast.msgid | The internet message id of the email. | keyword |
 | mimecast.urlCategory | The category of the URL that was clicked. | keyword |
 | rule.name | The name of the rule or signature generating the event. | keyword |
-| source.domain | Source domain. | keyword |
+| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
 | source.ip | IP address of the source (IPv4 or IPv6). | ip |
 | tags | List of keywords used to tag each event. | keyword |
 | tls.cipher | String indicating the cipher used during the current connection. | keyword |
@@ -577,7 +578,7 @@ An example event for `ttp_ip` looks as following:
 | mimecast.taggedMalicious | Whether the message was tagged as malicious. | boolean |
 | related.ip | All of the IPs seen on your event. | ip |
 | rule.name | The name of the rule or signature generating the event. | keyword |
-| source.domain | Source domain. | keyword |
+| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
 | source.ip | IP address of the source (IPv4 or IPv6). | ip |
 | tags | List of keywords used to tag each event. | keyword |
From 9cb3a4d1711ae95ba8505a1107f3a0370f303598 Mon Sep 17 00:00:00 2001
From: Marc Guasch
Date: Wed, 23 Feb 2022 09:26:37 +0100
Subject: [PATCH 14/14] Generate README.md

---
 packages/mimecast/docs/README.md | 609 ++++++++++++++++++-------------
 1 file changed, 364 insertions(+), 245 deletions(-)

diff --git a/packages/mimecast/docs/README.md b/packages/mimecast/docs/README.md
index f5f6938cc0f..d11658b3662 100644
--- a/packages/mimecast/docs/README.md
+++ b/packages/mimecast/docs/README.md
@@ -19,63 +19,59 @@ An example event for `audit_events` looks as following: ```json { - "@timestamp": "2022-02-09T02:45:01.000Z", - "file": { - "extension": "zip", - "name": "Threat intel multiple feeds download - malware_customer_csv_20220209024500934.zip" + "@timestamp": "2021-11-16T12:01:37.000Z", + "agent": { + "ephemeral_id": "fa35babb-45a8-4537-b7e9-037256a9d3e5", + "hostname": "docker-fleet-agent", + "id": "1e76e2b6-7664-4905-9a0b-11e1d4dc6fa9", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "data_stream": { + "dataset": "mimecast.audit_events", + "namespace": "ep", + "type": "logs" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" + }, + "elastic_agent": { + "id": "1e76e2b6-7664-4905-9a0b-11e1d4dc6fa9", + "snapshot": false, + "version": "7.17.0" + }, + "event": { + "action": "search-action", + "agent_id_status": "verified", + "created": "2022-02-22T15:33:36.764Z", + "dataset": "mimecast.audit_events", + "id": "eNqrVipOTS4tSs1MUbJSSg_xMDJPNkisSDdISQ00j0gzz44wDAtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWFsYmhkoaOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAAjKK1o", + "ingested": "2022-02-22T15:33:37Z", + "original": "{\"auditType\":\"Search Action\",\"category\":\"case_review_logs\",\"eventInfo\":\"Inspected Review Set Messages - Source: Review Set - Supervision - hot words, Case - GDPR/CCPA, Message Status: Pending, Date: 2021-11-16, Time: 12:01:37+0000, IP: 8.8.8.8, Application: mimecast-case-review\",\"eventTime\":\"2021-11-16T12:01:37+0000\",\"id\":\"eNqrVipOTS4tSs1MUbJSSg_xMDJPNkisSDdISQ00j0gzz44wDAtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWFsYmhkoaOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAAjKK1o\",\"user\":\"johndoe@example.com\"}" + }, + "input": { + "type": "httpjson" + }, + "mimecast": { + "category": "case_review_logs", + "eventInfo": "Inspected Review Set Messages - Source: Review Set - Supervision - hot words, Case - GDPR/CCPA, 
Message Status: Pending, Date: 2021-11-16, Time: 12:01:37+0000, IP: 8.8.8.8, Application: mimecast-case-review" }, "related": { - "ip": [ - "8.8.8.8" - ], "user": [ "johndoe", "johndoe@example.com" ] }, - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "mimecast.audit_events" - }, - "client": { - "as": { - "number": 15169, - "organization": { - "name": "Google LLC" - } - }, - "geo": { - "continent_name": "North America", - "country_iso_code": "US", - "country_name": "United States", - "location": { - "lat": 37.751, - "lon": -97.822 - } - }, - "ip": "8.8.8.8" - }, - "event": { - "agent_id_status": "verified", - "ingested": "2022-02-09T09:45:25Z", - "created": "2022-02-09T02:45:01.000Z", - "action": "threat-intel-feed-download", - "id": "eNqrVipOTS4tSs1MUbJSyvMxyknzzcqN0S9Nzs_PqCoNCTE2j3ILS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsZGhobmJkYKKjlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgCY1Sx4", - "dataset": "mimecast.audit_events" - }, + "tags": [ + "preserve_original_event", + "forwarded", + "mimecast-audit-events" + ], "user": { "domain": "example.com", - "name": "johdoe", - "email": "johndoe@example.com" - }, - "mimecast": { - "eventInfo": "Threat intel multiple feeds download - malware_customer_csv_20220209024500934.zip, Date: 2022-02-09, Time: 02:45:01+0000, IP: 8.8.8.8, Application: Integrations", - "application": "Integrations", - "category": "reporting_logs" + "email": "johndoe@example.com", + "name": "johndoe" } } ``` 
@@ -168,18 +164,26 @@ An example event for `dlp` looks as following: ```json { "@timestamp": "2021-11-18T21:41:18.000Z", + "agent": { + "ephemeral_id": "351662e4-0671-45fc-978c-613243b6b7fe", + "hostname": "docker-fleet-agent", + "id": "1e76e2b6-7664-4905-9a0b-11e1d4dc6fa9", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, "data_stream": { "dataset": "mimecast.dlp_logs", "namespace": "ep", "type": "logs" }, "ecs": { - "version": "1.12.0" + "version": "8.0.0" }, "elastic_agent": { - "id": "eb7f38a3-c00c-4d87-9c69-fddb3d650fab", - "snapshot": true, - "version": "7.16.0" + "id": "1e76e2b6-7664-4905-9a0b-11e1d4dc6fa9", + "snapshot": false, + "version": "7.17.0" }, "email": { "direction": "inbound", @@ -197,7 +201,7 @@ An example event for `dlp` looks as following: "agent_id_status": "verified", "created": "2021-11-18T21:41:18+0000", "dataset": "mimecast.dlp_logs", - "ingested": "2021-11-24T15:39:49Z", + "ingested": "2022-02-22T15:34:19Z", "original": "{\"action\":\"notification\",\"eventTime\":\"2021-11-18T21:41:18+0000\",\"messageId\":\"\\u003c20211118214115.B346F10021D@mail.emailsec.ninja\\u003e\",\"policy\":\"Content Inspection - Watermark\",\"recipientAddress\":\"johndoe@example.com\",\"route\":\"inbound\",\"senderAddress\":\"\\u003c\\u003e\",\"subject\":\"Undelivered Mail Returned to Sender\"}" }, "input": { 
@@ -282,42 +286,60 @@ An example event for `siem` looks as following: ```json { - "@timestamp": "2022-02-03T18:17:38.000Z", - "ecs": { - "version": "1.12.0" + "@timestamp": "2021-11-12T12:15:46.000Z", + "agent": { + "ephemeral_id": "d60af43e-84dc-4f3b-b6c9-7616ac605053", + "hostname": "docker-fleet-agent", + "id": "1e76e2b6-7664-4905-9a0b-11e1d4dc6fa9", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" }, "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "mimecast.siem_logs" - }, - "event": { - "agent_id_status": "verified", - "ingested": "2022-02-09T09:58:25Z", - "created": "2022-02-03T18:17:38+0000", - "action": "Acc", "dataset": "mimecast.siem_logs", - "outcome": "unknown" + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "1e76e2b6-7664-4905-9a0b-11e1d4dc6fa9", + "snapshot": false, + "version": "7.17.0" }, "email": { - "attachments": { - "file": { - "size": 0 - } - }, - "local_id": "23e26c29-14fa-4a31-a6a1-474ba8fa7943", - "subject": "You've been sent a secure message: hello world", - "message_id": "\u003c151821003-1643912257257@uk-mta-93.uk.example.lan\u003e", + "direction": "Internal", "from": { "address": "johndoe@example.com" }, - "message_size": 27677 + "local_id": "fjihpfEgM_iRwemxhe3t_w", + "to": { + "address": "o365_service_account@example.com" + } + }, + "event": { + "agent_id_status": "verified", + "created": "2021-11-12T12:15:46+0000", + "dataset": "mimecast.siem_logs", + "ingested": "2022-02-22T15:34:56Z", + "original": "{\"Dir\":\"Internal\",\"Rcpt\":\"o365_service_account@example.com\",\"RcptActType\":\"Jnl\",\"RcptHdrType\":\"Unknown\",\"Sender\":\"johndoe@example.com\",\"aCode\":\"fjihpfEgM_iRwemxhe3t_w\",\"acc\":\"ABC123\",\"datetime\":\"2021-11-12T12:15:46+0000\"}", + "outcome": "unknown" + }, + "input": { + "type": "httpjson" }, "mimecast": { + "RcptActType": "Jnl", + "RcptHdrType": "Unknown", "acc": "ABC123", - "log_type": "process", - 
"AttCnt": 0 - } + "log_type": "" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "mimecast-siem-logs" + ] } ``` 
@@ -447,67 +469,82 @@ An example event for `ttp_ip` looks as following: ```json { - "rule": { - "name": "IP - 1 hit (Tag email)" + "@timestamp": "2021-11-12T15:27:04.000Z", + "agent": { + "ephemeral_id": "c3429d44-3582-45ff-9a45-240e99753ecc", + "hostname": "docker-fleet-agent", + "id": "1e76e2b6-7664-4905-9a0b-11e1d4dc6fa9", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" }, - "source": { - "ip": "8.8.8.8" - }, - "tags": [ - "forwarded", - "mimecast-ttp-ip" - ], - "input": { - "type": "httpjson" + "data_stream": { + "dataset": "mimecast.ttp_ip_logs", + "namespace": "ep", + "type": "logs" }, - "@timestamp": "2022-02-08T17:21:45.000Z", "ecs": { - "version": "1.12.0" - }, - "related": { - "ip": [ - "8.8.8.8" - ] - }, - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "mimecast.ttp_ip_logs" + "version": "8.0.0" }, - "event": { - "agent_id_status": "verified", - "ingested": "2022-02-09T10:09:19Z", - "created": "2022-02-08T17:21:45+0000", - "action": "none", - "id": "MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyNjAxtzQz0FEqSy0qzszPU7Iy1FEqyQMrNDAwVqoFAGPlEhM", - "dataset": "mimecast.ttp_ip_logs" + "elastic_agent": { + "id": "1e76e2b6-7664-4905-9a0b-11e1d4dc6fa9", + "snapshot": false, + "version": "7.17.0" }, "email": { - "subject": "FW: Subject | Training", "from": { "address": "johndoe@example.com" }, - "message_id": "\u003cAS8P194MB1544675B724095ACB49F2338A82D9@AS8P194MB1544.EURP194.PROD.OUTLOOK.COM\u003e", + "message_id": "\u003cMN2PR16MB2719879CA4DB60C265F7FD8FB0959@MN2PR16MB2719.namprd16.prod.outlook.com\u003e", + "subject": "Don't read, just fill out!", "to": { - "address": "janedoe@example.com" + "address": "johndoe@example.com" } }, + "event": { + "action": "none", + "agent_id_status": "verified", + "created": "2021-11-12T15:27:04+0000", + "dataset": "mimecast.ttp_ip_logs", + "id": "MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMjM3MzAw0FEqSy0qzszPU7Iy1FEqyQMrNDAwV6oFAGMiEg8", + "ingested": 
"2022-02-22T15:37:59Z", + "original": "{\"action\":\"none\",\"definition\":\"IP - 1 hit (Tag email)\",\"eventTime\":\"2021-11-12T15:27:04+0000\",\"hits\":1,\"id\":\"MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMjM3MzAw0FEqSy0qzszPU7Iy1FEqyQMrNDAwV6oFAGMiEg8\",\"identifiers\":[\"internal_user_name\"],\"impersonationResults\":[{\"checkerResult\":\"hit\",\"impersonationDomainSource\":\"internal_user_name\",\"similarDomain\":\"John Doe \\u003cjohndoe_cdw@example.com\\u003e\",\"stringSimilarToDomain\":\"John Doe\"}],\"messageId\":\"\\u003cMN2PR16MB2719879CA4DB60C265F7FD8FB0959@MN2PR16MB2719.namprd16.prod.outlook.com\\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"senderAddress\":\"johndoe@example.com\",\"senderIpAddress\":\"8.8.8.8\",\"subject\":\"Don't read, just fill out!\",\"taggedExternal\":false,\"taggedMalicious\":true}" + }, + "input": { + "type": "httpjson" + }, "mimecast": { "hits": 1, - "taggedMalicious": true, "identifiers": [ "internal_user_name" ], "impersonationResults": [ { "checkerResult": "hit", - "similarDomain": "John Doe \u003cjohndoe@example.com\u003e", "impersonationDomainSource": "internal_user_name", + "similarDomain": "John Doe \u003cjohndoe_cdw@example.com\u003e", "stringSimilarToDomain": "John Doe" } ], - "taggedExternal": false - } + "taggedExternal": false, + "taggedMalicious": true + }, + "related": { + "ip": [ + "8.8.8.8" + ] + }, + "rule": { + "name": "IP - 1 hit (Tag email)" + }, + "source": { + "ip": "8.8.8.8" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "mimecast-ttp-ip" + ] } ``` 
@@ -591,51 +628,75 @@ An example event for `ttp_ap` looks as following: ```json { - "@timestamp": "2022-02-01T17:27:48.000Z", - "ecs": { - "version": "1.12.0" - }, - "related": { - "hash": [ - "eaeef09b60a59b913e9bfc0a4373e25d6182beff388957473fba517cc09345e3" - ] + "@timestamp": "2021-11-24T11:54:27.000Z", + "agent": { + "ephemeral_id": "04477e86-6c35-45fb-84c1-3369e6841252", + "hostname": "docker-fleet-agent", + "id": "1e76e2b6-7664-4905-9a0b-11e1d4dc6fa9", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" }, "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "mimecast.ttp_ap_logs" + "dataset": "mimecast.ttp_ap_logs", + "namespace": "ep", + "type": "logs" }, - "event": { - "agent_id_status": "verified", - "ingested": "2022-02-09T08:45:45Z", - "original": "{\"actionTriggered\":\"user release, none\",\"date\":\"2022-02-01T17:27:48+0000\",\"definition\":\"Inbound - Safe file with On-Demand Sandbox\",\"details\":\"Safe \\r\\nTime taken: 0 hrs, 0 min, 32 sec\",\"fileHash\":\"eaeef09b60a59b913e9bfc0a4373e25d6182beff388957473fba517cc09345e3\",\"fileName\":\"numbers.pdf\",\"fileType\":\"application/pdf\",\"messageId\":\"\\u003c20200806044148.F35F813B435@mail.example.com\\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"result\":\"safe\",\"route\":\"inbound\",\"senderAddress\":\"\\u003c\\u003e\",\"subject\":\"Important Updated Numbers from the Center for Disease Control\"}", - "created": "2022-02-01T17:27:48+0000", - "action": "user_release_none", - "dataset": "mimecast.ttp_ap_logs" + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "1e76e2b6-7664-4905-9a0b-11e1d4dc6fa9", + "snapshot": false, + "version": "7.17.0" }, "email": { "attachments": { "file": { "extension": "pdf", "mime_type": "application/pdf", - "name": "numbers.pdf" + "name": "Datasheet_Mimecast Targeted Threat Protection + Internal Email Protect (2).pdf" }, - "hash": "eaeef09b60a59b913e9bfc0a4373e25d6182beff388957473fba517cc09345e3" + 
"hash": "cabd7cb6e1822fd9e1fc9bcf144ee26ee6bfc855c4574ca967dd53dcc36a1254" }, - "subject": "Important Updated Numbers from the Center for Disease Control", + "direction": "inbound", "from": { "address": "\u003c\u003e" }, - "message_id": "\u003c20200806044148.F35F813B435@mail.example.com\u003e", + "message_id": "\u003cCAKUQxhimsCd1bvWQVs14Amuh1+Hnw_bmSuA7ot8hy4eDa9_ziQ@mail.gmail.com\u003e", + "subject": "Test Files", "to": { - "address": "johndoe@example.com" - }, - "direction": "inbound" + "address": "johndoe@emample.com" + } + }, + "event": { + "action": "user_release_none", + "agent_id_status": "verified", + "created": "2021-11-24T11:54:27+0000", + "dataset": "mimecast.ttp_ap_logs", + "ingested": "2022-02-22T15:37:02Z", + "original": "{\"actionTriggered\":\"user release, none\",\"date\":\"2021-11-24T11:54:27+0000\",\"definition\":\"Inbound - Safe file with On-Demand Sandbox\",\"details\":\"Safe \\r\\nTime taken: 0 hrs, 0 min, 7 sec\",\"fileHash\":\"cabd7cb6e1822fd9e1fc9bcf144ee26ee6bfc855c4574ca967dd53dcc36a1254\",\"fileName\":\"Datasheet_Mimecast Targeted Threat Protection + Internal Email Protect (2).pdf\",\"fileType\":\"application/pdf\",\"messageId\":\"\\u003cCAKUQxhimsCd1bvWQVs14Amuh1+Hnw_bmSuA7ot8hy4eDa9_ziQ@mail.gmail.com\\u003e\",\"recipientAddress\":\"johndoe@emample.com\",\"result\":\"safe\",\"route\":\"inbound\",\"senderAddress\":\"\\u003c\\u003e\",\"subject\":\"Test Files\"}" + }, + "input": { + "type": "httpjson" }, "mimecast": { - "result": "safe", - "details": "Safe \r\nTime taken: 0 hrs, 0 min, 32 sec" - } + "details": "Safe \r\nTime taken: 0 hrs, 0 min, 7 sec", + "result": "safe" + }, + "related": { + "hash": [ + "cabd7cb6e1822fd9e1fc9bcf144ee26ee6bfc855c4574ca967dd53dcc36a1254" + ] + }, + "rule": { + "name": "Inbound - Safe file with On-Demand Sandbox" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "mimecast-ttp-ap" + ] } ``` 
@@ -717,25 +778,58 @@ An example event for `ttp_url` looks as following: ```json { - "rule": { - "name": "Inbound URL 'Aggressive'" + "@timestamp": "2021-11-10T03:49:53.000Z", + "agent": { + "ephemeral_id": "32e43233-fc59-4b6d-97c4-bc2d0647f8a0", + "hostname": "docker-fleet-agent", + "id": "1e76e2b6-7664-4905-9a0b-11e1d4dc6fa9", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" }, - "source": { - "ip": "8.8.8.8" + "data_stream": { + "dataset": "mimecast.ttp_url_logs", + "namespace": "ep", + "type": "logs" }, - "url": { - "original": "https://link.buzzfeed.com/click/26642507.136718/aHR0cHM6Ly93d3cuYnV6emZlZWQuY29tL25lZ2VzdGlrYXVkby9zZXgtdG95cy10by1naWZ0LXlvdXJzZWxmLWZvci12YWxlbnRpbmVzLWRheS1hbmQtZmVlbD9vcmlnaW49c2hvcHBpbmdubA/5d81de1940f8667f86011339B2d1592db" + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "1e76e2b6-7664-4905-9a0b-11e1d4dc6fa9", + "snapshot": false, + "version": "7.17.0" + }, + "email": { + "direction": "inbound", + "from": { + "address": "googlealerts-noreply@google.com" + }, + "message_id": "\u003c000000000000a02a0a05d0671c06@google.com\u003e", + "subject": "Google Alert - china" + }, + "event": { + "action": "Continue", + "agent_id_status": "verified", + "created": "2021-11-10T03:49:53+0000", + "dataset": "mimecast.ttp_url_logs", + "ingested": "2022-02-22T15:38:37Z", + "original": "{\"action\":\"allow\",\"actions\":\"Allow\",\"adminOverride\":\"N/A\",\"category\":\"Search Engines \\u0026 Portals\",\"creationMethod\":\"User Click\",\"date\":\"2021-11-10T03:49:53+0000\",\"emailPartsDescription\":[\"Body\"],\"fromUserEmailAddress\":\"googlealerts-noreply@google.com\",\"messageId\":\"\\u003c000000000000a02a0a05d0671c06@google.com\\u003e\",\"route\":\"inbound\",\"scanResult\":\"clean\",\"sendingIp\":\"8.8.8.8\",\"subject\":\"Google Alert - china\",\"ttpDefinition\":\"Inbound URL 
'Aggressive'\",\"url\":\"https://www.google.co.za/alerts/share?hl=en\\u0026gl=US\\u0026ru=https://www.wsj.com/articles/u-s-tests-israels-iron-dome-in-guam-as-defense-against-chinese-cruise-missiles-11636455224\\u0026ss=tw\\u0026rt=U.S.+Tests+Israel%27s+Iron+Dome+in+Guam+as+Defense+Against+Chinese+Cruise+Missiles+-+WSJ\\u0026cd=KhQxNzg2NTc5NDQ3ODIzODUyNjI5NzIcZmQ4N2VjYzkxMGIxMWE4Yzpjby56YTplbjpVUw\\u0026ssp=AMJHsmW3CCK1S4TNPifSXszcyaNMwd6TDg\",\"userAwarenessAction\":\"Continue\",\"userEmailAddress\":\"johndoe@example.com\",\"userOverride\":\"None\"}" }, - "tags": [ - "forwarded", - "mimecast-ttp-url" - ], "input": { "type": "httpjson" }, - "@timestamp": "2022-02-09T01:39:36.000Z", - "ecs": { - "version": "1.12.0" + "mimecast": { + "action": "allow", + "actions": "Allow", + "adminOverride": "N/A", + "category": "Search Engines \u0026 Portals", + "creationMethod": "User Click", + "emailPartsDescription": [ + "Body" + ], + "scanResult": "clean", + "userOverride": "None" }, "related": { "ip": [ 
@@ -746,42 +840,24 @@ An example event for `ttp_url` looks as following: "johndoe@example.com" ] }, - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "mimecast.ttp_url_logs" + "rule": { + "name": "Inbound URL 'Aggressive'" }, - "event": { - "agent_id_status": "verified", - "ingested": "2022-02-09T10:13:06Z", - "created": "2022-02-09T01:39:36+0000", - "action": "Continue", - "dataset": "mimecast.ttp_url_logs" + "source": { + "ip": "8.8.8.8" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "mimecast-ttp-url" + ], + "url": { + "original": "https://www.google.co.za/alerts/share?hl=en\u0026gl=US\u0026ru=https://www.wsj.com/articles/u-s-tests-israels-iron-dome-in-guam-as-defense-against-chinese-cruise-missiles-11636455224\u0026ss=tw\u0026rt=U.S.+Tests+Israel%27s+Iron+Dome+in+Guam+as+Defense+Against+Chinese+Cruise+Missiles+-+WSJ\u0026cd=KhQxNzg2NTc5NDQ3ODIzODUyNjI5NzIcZmQ4N2VjYzkxMGIxMWE4Yzpjby56YTplbjpVUw\u0026ssp=AMJHsmW3CCK1S4TNPifSXszcyaNMwd6TDg" }, "user": { "domain": "example.com", - "name": "johndoe", - "email": "johndoe@example.com" - }, - "email": { - "subject": "\"Why don't I own that already?\"", - "message_id": "\u003c20220208203837.26642507.136718@example.com\u003e", - "from": { - "address": "newsletter@buzzfeed.com" - }, - "direction": "inbound" - }, - "mimecast": { - "userOverride": "None", - "action": "allow", - "adminOverride": "N/A", - "category": "Entertainment", - "scanResult": "clean", - "actions": "Allow", - "creationMethod": "User Click", - "emailPartsDescription": [ - "Body" - ] + "email": "johndoe@example.com", + "name": "johndoe" } } ``` 
@@ -870,49 +946,71 @@ An example event for `threat_intel_malware_customer` looks as following: ```json { - "@timestamp": "2022-02-02T16:07:13.213Z", + "@timestamp": "2021-11-19T01:28:37.099Z", + "agent": { + "ephemeral_id": "ed2b1a30-7f2d-4dee-a2c1-2d8cf54981ef", + "hostname": "docker-fleet-agent", + "id": "1e76e2b6-7664-4905-9a0b-11e1d4dc6fa9", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "data_stream": { + "dataset": "mimecast.threat_intel_malware_customer", + "namespace": "ep", + "type": "logs" + }, "ecs": { - "version": "1.12" + "version": "8.0.0" + }, + "elastic_agent": { + "id": "1e76e2b6-7664-4905-9a0b-11e1d4dc6fa9", + "snapshot": false, + "version": "7.17.0" + }, + "event": { + "agent_id_status": "verified", + "category": "threat", + "created": "2022-02-22T15:35:42.813Z", + "dataset": "mimecast.threat_intel_malware_customer", + "ingested": "2022-02-22T15:35:43Z", + "kind": "enrichment", + "original": "{\"created\":\"2021-11-19T01:28:37.099Z\",\"id\":\"indicator--456ac916-4c4e-43be-b7a9-6678f6a845cd\",\"labels\":[\"malicious-activity\"],\"modified\":\"2021-11-19T01:28:37.099Z\",\"pattern\":\"[file:hashes.'SHA-256' = 'ec5a6c52acdc187fc6c1187f14cd685c686c2b283503a023c4a9d3a977b491be']\",\"type\":\"indicator\",\"valid_from\":\"2021-11-19T01:28:37.099Z\"}", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "mimecast": { + "id": "indicator--456ac916-4c4e-43be-b7a9-6678f6a845cd", + "labels": [ + "malicious-activity" + ], + "pattern": "[file:hashes.'SHA-256' = 'ec5a6c52acdc187fc6c1187f14cd685c686c2b283503a023c4a9d3a977b491be']", + "type": "indicator" }, "related": { "hash": [ - "f074c46bb36cc48f36359d9847def630a4bd405d654e7db9b2b8ea1ce4e2528d" + "ec5a6c52acdc187fc6c1187f14cd685c686c2b283503a023c4a9d3a977b491be" ] }, - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "mimecast.threat_intel_malware_customer" - }, + "tags": [ + "preserve_original_event", + "forwarded", + 
"mimecast-threat-intel-feed-malware-customer", + "malicious-activity" + ], "threat": { "indicator": { - "first_seen": "2022-02-02T16:07:13.213Z", "file": { "hash": { - "sha256": "f074c46bb36cc48f36359d9847def630a4bd405d654e7db9b2b8ea1ce4e2528d" + "sha256": "ec5a6c52acdc187fc6c1187f14cd685c686c2b283503a023c4a9d3a977b491be" } }, - "modified_at": "2022-02-02T16:07:13.213Z", + "first_seen": "2021-11-19T01:28:37.099Z", + "modified_at": "2021-11-19T01:28:37.099Z", "type": "file" } - }, - "event": { - "agent_id_status": "verified", - "ingested": "2022-02-09T08:10:24Z", - "created": "2022-02-09T08:10:24.724Z", - "kind": "enrichment", - "category": "threat", - "type": "indicator", - "dataset": "mimecast.threat_intel_malware_customer" - }, - "mimecast": { - "log_type": "malware_customer", - "pattern": "[file:hashes.'SHA-256' = 'f074c46bb36cc48f36359d9847def630a4bd405d654e7db9b2b8ea1ce4e2528d']", - "id": "indicator--17be7188-db80-4f6e-84cf-7fcb016f45de", - "type": "indicator", - "labels": [ - "malicious-activity" - ] } } ``` 
@@ -993,50 +1091,71 @@ An example event for `threat_intel_malware_grid` looks as following: ```json { - "@timestamp": "2022-02-02T08:29:59.677Z", + "@timestamp": "2021-11-19T01:28:37.099Z", + "agent": { + "ephemeral_id": "1cf099da-bb55-4fba-8b4d-d4cc5a3c3c72", + "hostname": "docker-fleet-agent", + "id": "1e76e2b6-7664-4905-9a0b-11e1d4dc6fa9", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "data_stream": { + "dataset": "mimecast.threat_intel_malware_grid", + "namespace": "ep", + "type": "logs" + }, "ecs": { - "version": "1.12" + "version": "8.0.0" + }, + "elastic_agent": { + "id": "1e76e2b6-7664-4905-9a0b-11e1d4dc6fa9", + "snapshot": false, + "version": "7.17.0" + }, + "event": { + "agent_id_status": "verified", + "category": "threat", + "created": "2022-02-22T15:36:21.369Z", + "dataset": "mimecast.threat_intel_malware_grid", + "ingested": "2022-02-22T15:36:22Z", + "kind": "enrichment", + "original": "{\"created\":\"2021-11-19T01:28:37.099Z\",\"id\":\"indicator--456ac916-4c4e-43be-b7a9-6678f6a845cd\",\"labels\":[\"malicious-activity\"],\"modified\":\"2021-11-19T01:28:37.099Z\",\"pattern\":\"[file:hashes.'SHA-256' = 'ec5a6c52acdc187fc6c1187f14cd685c686c2b283503a023c4a9d3a977b491be']\",\"type\":\"indicator\",\"valid_from\":\"2021-11-19T01:28:37.099Z\"}", + "type": "indicator" + }, + "input": { + "type": "httpjson" + }, + "mimecast": { + "id": "indicator--456ac916-4c4e-43be-b7a9-6678f6a845cd", + "labels": [ + "malicious-activity" + ], + "pattern": "[file:hashes.'SHA-256' = 'ec5a6c52acdc187fc6c1187f14cd685c686c2b283503a023c4a9d3a977b491be']", + "type": "indicator" }, "related": { "hash": [ - "7120d1338e2fac743e50cbafc5f6de37c97890678f35e15a21cd17384f2f78d0" + "ec5a6c52acdc187fc6c1187f14cd685c686c2b283503a023c4a9d3a977b491be" ] }, - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "mimecast.threat_intel_malware_grid" - }, + "tags": [ + "preserve_original_event", + "forwarded", + 
"mimecast-threat-intel-feed-malware-grid", + "malicious-activity" + ], "threat": { "indicator": { - "first_seen": "2022-02-02T08:29:59.677Z", "file": { "hash": { - "sha256": "7120d1338e2fac743e50cbafc5f6de37c97890678f35e15a21cd17384f2f78d0" + "sha256": "ec5a6c52acdc187fc6c1187f14cd685c686c2b283503a023c4a9d3a977b491be" } }, - "modified_at": "2022-02-02T08:29:59.677Z", + "first_seen": "2021-11-19T01:28:37.099Z", + "modified_at": "2021-11-19T01:28:37.099Z", "type": "file" } - }, - "event": { - "agent_id_status": "verified", - "ingested": "2022-02-09T08:41:44Z", - "original": "{\"Content-Disposition\":\"attachment; filename=\\\"malware_grid_stix_20220202083530775.stix\\\"\",\"created\":\"2022-02-02T08:29:59.677Z\",\"id\":\"indicator--12dbac84-90a0-4896-a6aa-96d1f7b723f1\",\"labels\":[\"malicious-activity\"],\"modified\":\"2022-02-02T08:29:59.677Z\",\"pattern\":\"[file:hashes.'SHA-256' = '7120d1338e2fac743e50cbafc5f6de37c97890678f35e15a21cd17384f2f78d0']\",\"type\":\"indicator\",\"valid_from\":\"2022-02-02T08:29:59.677Z\"}", - "created": "2022-02-09T08:41:43.956Z", - "kind": "enrichment", - "category": "threat", - "type": "indicator", - "dataset": "mimecast.threat_intel_malware_grid" - }, - "mimecast": { - "log_type": "malware_grid", - "pattern": "[file:hashes.'SHA-256' = '7120d1338e2fac743e50cbafc5f6de37c97890678f35e15a21cd17384f2f78d0']", - "id": "indicator--12dbac84-90a0-4896-a6aa-96d1f7b723f1", - "type": "indicator", - "labels": [ - "malicious-activity" - ] } } ```