diff --git a/packages/mimecast/changelog.yml b/packages/mimecast/changelog.yml index 234619ac673..9d9cb413a84 100644 --- a/packages/mimecast/changelog.yml +++ b/packages/mimecast/changelog.yml @@ -1,3 +1,8 @@ +- version: "0.0.10" + changes: + - description: Add more use cases to audit-events pipeline, implent geo.ip for siem logs, remove user part for ttp-url logs and add email.to.address for recipient + type: enhancement + link: https://github.com/elastic/integrations/pull/2917 - version: "0.0.9" changes: - description: Update ecs to version 8.2.0 and implement better practice for email ECS fields. @@ -45,4 +50,4 @@ changes: - description: Initial draft of the package type: enhancement - link: https://github.com/elastic/integrations/pull/2157 + link: https://github.com/elastic/integrations/pull/2157 \ No newline at end of file diff --git a/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log b/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log index c8284127bd8..b6698effd13 100644 --- a/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log +++ b/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log 
@@ -24,4 +24,5 @@ {"id":"eNqrVipOTS4tSs1MUbJSitH39gl1cS509PT1MSnw90l0CinPCQgLS_PXNg12dQt3j_QMr4oyi_SO0Xf1jswtM7TINncxTNTO97OsNPQqqAwNU9JRSixNySzJyU8HmWhsaGlsYmBsYqqjlFxaXJKfm1qUnJ-SCrTK2cTM0dwUqLwstag4Mz9PycqwFgAxASul","auditType":"Review Set Action","user":"johndoe@example.com","eventTime":"2021-10-12T17:07:00+0000","eventInfo":"Viewed Review Set Details - Case: Class Action, Review Set: Contracts, Date: 2021-10-12, Time: 17:07:00+0000, IP: 67.43.156.15, Application: mimecast-case-review","category":"case_review_logs"} {"id":"eNqrVipOTS4tSs1MUbJS8vDNLCt0DHEKS4xICvNJqzQ1MjOyyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaWJurKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAByMK38","auditType":"Remediation Incident Adjustment","user":"johndoe@example.com","eventTime":"2021-10-12T15:38:05+0000","eventInfo":"Restore Remediation Incident Created - TR-C46A75-01419-R, type : restore, search criteria : {\"unremediateCode\":\"TR-C46A75-01419-M\",\"from\":\"gmail.com\",\"start\":\"2021-10-10T15:33:49+0000\",\"end\":\"2021-10-12T15:33:49+0000\"}, Date: 2021-10-12, Time: 15:38:05+0000, IP: 67.43.156.15, Application: Administration Console","category":"account_logs"} {"id":"eNqrVipOTS4tSs1MUbJSMvCrMHX2MzL1yLFITjJNd8rO9wiJyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaGRkoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAPktKzg","auditType":"Logon Authentication Failed","user":"johndoe@example.com","eventTime":"2021-10-12T08:47:55+0000","eventInfo":"Failed authentication for johndoe@example.com , Date: 2022-01-11, Time: 22:54:04 GMT, IP: 67.43.156.15, Application: POP-POP2, Reason: Account Locked","category":"authentication_logs"} -{"id":"eNqrVipOTS4tSs1MUbJSMvCrMHX2MzL1yLFITjJNd8rO9wiJyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaGRkoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAPktKzg","auditType":"Logon Authentication 
Failed","user":"johndoe@example.com","eventTime":"2021-10-12T08:47:55+0000","eventInfo":"Failed authentication for johndoe@example.com , Date: 2022-01-11, Time: 21:48:01 GMT, IP: 67.43.156.15, Application: POP-POP2, Method: Cloud, Reason: Wrong Password","category":"authentication_logs"} \ No newline at end of file +{"id":"eNqrVipOTS4tSs1MUbJSMvCrMHX2MzL1yLFITjJNd8rO9wiJyAlL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxsaGRkoKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAPktKzg","auditType":"Logon Authentication Failed","user":"johndoe@example.com","eventTime":"2021-10-12T08:47:55+0000","eventInfo":"Failed authentication for johndoe@example.com , Date: 2022-01-11, Time: 21:48:01 GMT, IP: 67.43.156.15, Application: POP-POP2, Method: Cloud, Reason: Wrong Password","category":"authentication_logs"} +{ "id": "eNqrVipOTS4tSs1MUbJS8o0ILw8pL_cyqQosLi-MzKjKcvMzCwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkYmZorKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAIqvLHI", "auditType": "User Logged On", "user": "johndoe@example.com", "eventTime": "2021-10-11T16:03:38+0000", "eventInfo": "Succesfully enrolled user for user device enrollment, Remote IP is 67.43.156.15", "category": "authentication_logs"} \ No newline at end of file diff --git a/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log-expected.json b/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log-expected.json index 1081a6ef055..49d42db89ab 100644 --- a/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log-expected.json +++ b/packages/mimecast/data_stream/audit_events/_dev/test/pipeline/test-audit-events.log-expected.json 
@@ -1316,6 +1316,53 @@ "email": "johndoe@example.com", "name": "johndoe" } + }, + { + "@timestamp": "2021-10-11T16:03:38.000Z", + "client": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + "ip": "67.43.156.15" + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "user-logged-on", + "id": "eNqrVipOTS4tSs1MUbJS8o0ILw8pL_cyqQosLi-MzKjKcvMzCwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkYmZorKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAIqvLHI", + "original": "{ \"id\": \"eNqrVipOTS4tSs1MUbJS8o0ILw8pL_cyqQosLi-MzKjKcvMzCwtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWxkYmZorKOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAIqvLHI\", \"auditType\": \"User Logged On\", \"user\": \"johndoe@example.com\", \"eventTime\": \"2021-10-11T16:03:38+0000\", \"eventInfo\": \"Succesfully enrolled user for user device enrollment, Remote IP is 67.43.156.15\", \"category\": \"authentication_logs\"}" + }, + "mimecast": { + "category": "authentication_logs", + "eventInfo": "Succesfully enrolled user for user device enrollment, Remote IP is 67.43.156.15" + }, + "related": { + "ip": [ + "67.43.156.15" + ], + "user": [ + "johndoe", + "johndoe@example.com" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "example.com", + "email": "johndoe@example.com", + "name": "johndoe" + } } ] } \ No newline at end of file diff --git a/packages/mimecast/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml b/packages/mimecast/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml index e96746f644d..2920080b883 100644 --- a/packages/mimecast/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml +++ b/packages/mimecast/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml 
@@ -86,6 +86,13 @@ processors: target_field: mimecast.event_info_parts ignore_failure: true ignore_missing: true + - grok: + field: mimecast.eventInfo + patterns: + - "%{IP:mimecast.event_info_parts.IP}" + ignore_missing: true + ignore_failure: true + if: 'ctx?.event?.action=="user-logged-on"' - rename: field: mimecast.event_info_parts.Date target_field: mimecast.date @@ -252,6 +259,9 @@ processors: value: "{{user.email}}" allow_duplicates: false if: ctx?.user?.email != null + - lowercase: + field: email.direction + ignore_missing: true # Cleanup - remove: description: Cleanup of repeated/unwanted/temporary fields. diff --git a/packages/mimecast/data_stream/audit_events/sample_event.json b/packages/mimecast/data_stream/audit_events/sample_event.json index 21387605945..3c798d51d0c 100644 --- a/packages/mimecast/data_stream/audit_events/sample_event.json +++ b/packages/mimecast/data_stream/audit_events/sample_event.json @@ -1,9 +1,9 @@ { "@timestamp": "2021-11-16T12:01:37.000Z", "agent": { - "ephemeral_id": "b2833ed3-e047-442e-945f-291f7d6ace9d", + "ephemeral_id": "2be73539-59e1-4458-a099-3d97c4d3e261", "hostname": "docker-fleet-agent", - "id": "755dd553-bc87-4d8b-9736-61e8bbd15a3d", + "id": "4a72bf66-d0fb-4afd-8824-5fbe877771d8", "name": "docker-fleet-agent", "type": "filebeat", "version": "7.16.0" 
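Review bot: The new grok on `mimecast.eventInfo` uses a bare `%{IP:mimecast.event_info_parts.IP}`, so it captures the first IP-shaped token anywhere in the free-text message rather than the one following `Remote IP is`; any other IP-looking substring earlier in eventInfo would be recorded as the client address and, judging by the expected output in this commit, presumably flow into the client geo/AS enrichment. Anchoring the pattern to the vendor wording, `- "Remote IP is %{IP:mimecast.event_info_parts.IP}"`, ties the capture to the single message shape the `if: 'ctx?.event?.action=="user-logged-on"'` condition selects. The processors list continues outside the hunk, and the rename/geoip steps that turn `mimecast.event_info_parts.IP` into `client.ip` are not visible here.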
@@ -17,17 +17,17 @@ "version": "8.2.0" }, "elastic_agent": { - "id": "755dd553-bc87-4d8b-9736-61e8bbd15a3d", + "id": "4a72bf66-d0fb-4afd-8824-5fbe877771d8", "snapshot": true, "version": "7.16.0" }, "event": { "action": "search-action", "agent_id_status": "verified", - "created": "2022-04-01T12:35:03.501Z", + "created": "2022-04-10T21:21:57.926Z", "dataset": "mimecast.audit_events", "id": "eNqrVipOTS4tSs1MUbJSSg_xMDJPNkisSDdISQ00j0gzz44wDAtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWFsYmhkoaOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAAjKK1o", - "ingested": "2022-04-01T12:35:04Z", + "ingested": "2022-04-10T21:21:58Z", "original": "{\"auditType\":\"Search Action\",\"category\":\"case_review_logs\",\"eventInfo\":\"Inspected Review Set Messages - Source: Review Set - Supervision - hot words, Case - GDPR/CCPA, Message Status: Pending, Date: 2021-11-16, Time: 12:01:37+0000, IP: 8.8.8.8, Application: mimecast-case-review\",\"eventTime\":\"2021-11-16T12:01:37+0000\",\"id\":\"eNqrVipOTS4tSs1MUbJSSg_xMDJPNkisSDdISQ00j0gzz44wDAtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWFsYmhkoaOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAAjKK1o\",\"user\":\"johndoe@example.com\"}" }, "input": { diff --git a/packages/mimecast/data_stream/dlp_logs/elasticsearch/ingest_pipeline/default.yml b/packages/mimecast/data_stream/dlp_logs/elasticsearch/ingest_pipeline/default.yml index 1faac1f0b70..4115c5f27fe 100644 --- a/packages/mimecast/data_stream/dlp_logs/elasticsearch/ingest_pipeline/default.yml +++ b/packages/mimecast/data_stream/dlp_logs/elasticsearch/ingest_pipeline/default.yml @@ -69,7 +69,9 @@ processors: field: event.created value: "{{mimecast.eventTime}}" if: 'ctx?.mimecast?.eventTime != null' - + - lowercase: + field: email.direction + ignore_missing: true # Cleanup - remove: description: Cleanup of repeated/unwanted/temporary fields. 
diff --git a/packages/mimecast/data_stream/dlp_logs/sample_event.json b/packages/mimecast/data_stream/dlp_logs/sample_event.json index e2678192311..a18121ab648 100644 --- a/packages/mimecast/data_stream/dlp_logs/sample_event.json +++ b/packages/mimecast/data_stream/dlp_logs/sample_event.json @@ -1,9 +1,9 @@ { "@timestamp": "2021-11-18T21:41:18.000Z", "agent": { - "ephemeral_id": "4a1c8c13-aee6-49b9-afc3-a2e62a310761", + "ephemeral_id": "8998934e-54d0-4749-82f4-be92de17c892", "hostname": "docker-fleet-agent", - "id": "755dd553-bc87-4d8b-9736-61e8bbd15a3d", + "id": "4a72bf66-d0fb-4afd-8824-5fbe877771d8", "name": "docker-fleet-agent", "type": "filebeat", "version": "7.16.0" @@ -17,7 +17,7 @@ "version": "8.2.0" }, "elastic_agent": { - "id": "755dd553-bc87-4d8b-9736-61e8bbd15a3d", + "id": "4a72bf66-d0fb-4afd-8824-5fbe877771d8", "snapshot": true, "version": "7.16.0" }, @@ -41,7 +41,7 @@ "agent_id_status": "verified", "created": "2021-11-18T21:41:18+0000", "dataset": "mimecast.dlp_logs", - "ingested": "2022-04-01T12:35:41Z", + "ingested": "2022-04-10T21:22:42Z", "original": "{\"action\":\"notification\",\"eventTime\":\"2021-11-18T21:41:18+0000\",\"messageId\":\"\\u003c20211118214115.B346F10021D@mail.emailsec.ninja\\u003e\",\"policy\":\"Content Inspection - Watermark\",\"recipientAddress\":\"johndoe@example.com\",\"route\":\"inbound\",\"senderAddress\":\"\\u003c\\u003e\",\"subject\":\"Undelivered Mail Returned to Sender\"}" }, "input": { diff --git a/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-logs.log b/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-logs.log index 70cbfff0565..a4320268c9c 100644 --- a/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-logs.log +++ b/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-logs.log 
@@ -3,5 +3,5 @@ {"acc":"ABC123","Sender":"postmaster@twotoeight.com","datetime":"2021-10-19T07:04:55+0100","AttSize":0,"Content-Disposition":"attachment; filename=\"process_20211018093329655.json\"","Act":"Acc","aCode":"61dfe7da-4c6d-34e1-9667-69b04f0d564f","AttCnt":0,"AttNames":null,"MsgSize":49025,"MsgId":"<137188507-1634623494888@uk-mta-151.uk.mimecast.lan>","Subject":"You have new held messages"} {"acc":"ABC123","Delivered":true,"IP":"67.43.156.15","AttCnt":0,"Dir":"Internal","ReceiptAck":"250 SmtpInternalThread-19194240-1634623495703@uk-mta-151.uk.mimecast.lan Received OK [61dfe7da-4c6d-34e1-9667-69b04f0d564f.uk151]","MsgId":"<137188507-1634623494888@uk-mta-151.uk.mimecast.lan>","Subject":null,"Latency":1090,"Sender":"johndoe@example.com","datetime":"2021-10-19T07:04:55+0100","Rcpt":"johndoejr@example.com","AttSize":0,"Attempt":1,"Snt":51666,"aCode":"61dfe7da-4c6d-34e1-9667-69b04f0d564f","UseTls":"No", "Content-Disposition":"attachment; filename=\"delivery_20211018093329655.json\""},{"acc":"ABC123","Delivered":false,"IP":"67.43.156.15","RejType":"Recipient email address is possibly incorrect","RejCode":"550","AttCnt":0,"Dir":"Internal","ReceiptAck":null,"MsgId":"<137188507-1634623494888@uk-mta-151.uk.mimecast.lan>","Subject":"You have new held messages","Latency":1534,"Sender":"johndoe@example.com","datetime":"2021-10-19T07:04:56+0100","Rcpt":"johndoejr@example.com","AttSize":0,"Attempt":1,"RejInfo":"5.4.1 Recipient address rejected: Access denied. 
AS(201806281) [CWLGBR01FT010.eop-gbr01.prod.protection.outlook.com]","TlsVer":"TLSv1.2","Cphr":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","Snt":147,"aCode":"61dfe7da-4c6d-34e1-9667-69b04f0d564f","UseTls":"Yes","Route":"Office365","Content-Disposition":"attachment; filename=\"delivery_20211018093329655.json\""} {"acc":"C46A75","Sender":"johndoe@example.com","datetime":"2021-11-08T12:09:18+0000","Rcpt":"o365_service_account@example.com","RcptActType":"Jnl","aCode":"CYSuuaBUMjOpk3k1Xhvy_Q","Dir":"Internal","RcptHdrType":"Unknown", "Content-Disposition":"attachment; filename=\"jrnl_20211018093329655.json\""} -{"acc":"C46A75","Sender":"johndoe@example.com","datetime":"2021-11-08T12:10:19+0000","Rcpt":"johndoejr@example.com","Act":"Acc","IP":"81.2.69.193","aCode":"3dbe9918-f91f-3043-b61f-d3164badfe50","Dir":"Internal","Subject":"You have new held messages","MsgId":"<140943948-1636373419265@uk-mta-286.uk.mimecast.lan>","headerFrom":"johndoe@example.com", "Content-Disposition":"attachment; filename=\"receipt_20211018093329655.json\""} -{"acc":"C46A75","reason":"malicious","subject":"DocuSign- Contract #45576744333","msgid":null,"url":"http:\/\/docusign.swrodgods.x10.mx\/Docun\/Docu\/index2.php","datetime":"2021-11-29T15:13:58+0000","route":"inbound","sourceIp":"81.2.69.193","sender":"docusign-services@zenz.us","recipient":"aorchard@twotoeight.com","action":"Block","urlCategory":"Phishing & Fraud","credentialTheft":null,"senderDomain":"zenz.us", "Content-Disposition":"attachment; filename=\"ttp_url_20211129153015541.json\""} +{"acc":"C46A75","Sender":"johndoe@example.com","datetime":"2021-11-08T12:10:19+0000","Rcpt":"johndoejr@example.com","Act":"Acc","IP":"67.43.156.15","aCode":"3dbe9918-f91f-3043-b61f-d3164badfe50","Dir":"Internal","Subject":"You have new held messages","MsgId":"<140943948-1636373419265@uk-mta-286.uk.mimecast.lan>","headerFrom":"johndoe@example.com", "Content-Disposition":"attachment; filename=\"receipt_20211018093329655.json\""} 
+{"acc":"C46A75","reason":"malicious","subject":"DocuSign- Contract #45576744333","msgid":null,"url":"http:\/\/docusign.swrodgods.x10.mx\/Docun\/Docu\/index2.php","datetime":"2021-11-29T15:13:58+0000","route":"inbound","sourceIp":"67.43.156.15","sender":"docusign-services@zenz.us","recipient":"aorchard@twotoeight.com","action":"Block","urlCategory":"Phishing & Fraud","credentialTheft":null,"senderDomain":"zenz.us", "Content-Disposition":"attachment; filename=\"ttp_url_20211129153015541.json\""} diff --git a/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-logs.log-expected.json b/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-logs.log-expected.json index caa4b034ee1..b7353d13df3 100644 --- a/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-logs.log-expected.json +++ b/packages/mimecast/data_stream/siem_logs/_dev/test/pipeline/test-siem-logs.log-expected.json @@ -48,7 +48,7 @@ "size": 0 } }, - "direction": "Inbound", + "direction": "inbound", "from": { "address": [ "\u003c\u003e" @@ -56,7 +56,9 @@ }, "local_id": "29be076e-44cd-354d-a7c2-083d4a312371", "to": { - "address": "johndoe@example.com" + "address": [ + "johndoe@example.com" + ] } }, "error": { @@ -81,7 +83,19 @@ "name": "Office365" }, "source": { - "ip": "67.43.156.15" + "ip": "67.43.156.15", + "as": { + "asn": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + } }, "tags": [ "preserve_original_event" @@ -139,7 +153,7 @@ "size": 0 } }, - "direction": "Internal", + "direction": "internal", "from": { "address": [ "johndoe@example.com" @@ -148,7 +162,9 @@ "local_id": "61dfe7da-4c6d-34e1-9667-69b04f0d564f", "message_id": "\u003c137188507-1634623494888@uk-mta-151.uk.mimecast.lan\u003e", "to": { - "address": "johndoejr@example.com" + "address": [ + "johndoejr@example.com" + ] } }, "event": { 
@@ -166,7 +182,19 @@ "log_type": "delivery" }, "source": { - "ip": "67.43.156.15" + "ip": "67.43.156.15", + "as": { + "asn": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + } }, "tags": [ "preserve_original_event" @@ -181,7 +209,7 @@ "version": "8.2.0" }, "email": { - "direction": "Internal", + "direction": "internal", "from": { "address": [ "johndoe@example.com" @@ -189,7 +217,9 @@ }, "local_id": "CYSuuaBUMjOpk3k1Xhvy_Q", "to": { - "address": "o365_service_account@example.com" + "address": [ + "o365_service_account@example.com" + ] } }, "event": { @@ -213,7 +243,7 @@ "version": "8.2.0" }, "email": { - "direction": "Internal", + "direction": "internal", "from": { "address": [ "johndoe@example.com" 
@@ -224,13 +254,15 @@ "message_id": "\u003c140943948-1636373419265@uk-mta-286.uk.mimecast.lan\u003e", "subject": "You have new held messages", "to": { - "address": "johndoejr@example.com" + "address": [ + "johndoejr@example.com" + ] } }, "event": { "action": "Acc", "created": "2021-11-08T12:10:19+0000", - "original": "{\"acc\":\"C46A75\",\"Sender\":\"johndoe@example.com\",\"datetime\":\"2021-11-08T12:10:19+0000\",\"Rcpt\":\"johndoejr@example.com\",\"Act\":\"Acc\",\"IP\":\"81.2.69.193\",\"aCode\":\"3dbe9918-f91f-3043-b61f-d3164badfe50\",\"Dir\":\"Internal\",\"Subject\":\"You have new held messages\",\"MsgId\":\"\u003c140943948-1636373419265@uk-mta-286.uk.mimecast.lan\u003e\",\"headerFrom\":\"johndoe@example.com\", \"Content-Disposition\":\"attachment; filename=\\\"receipt_20211018093329655.json\\\"\"}", + "original": "{\"acc\":\"C46A75\",\"Sender\":\"johndoe@example.com\",\"datetime\":\"2021-11-08T12:10:19+0000\",\"Rcpt\":\"johndoejr@example.com\",\"Act\":\"Acc\",\"IP\":\"67.43.156.15\",\"aCode\":\"3dbe9918-f91f-3043-b61f-d3164badfe50\",\"Dir\":\"Internal\",\"Subject\":\"You have new held messages\",\"MsgId\":\"\u003c140943948-1636373419265@uk-mta-286.uk.mimecast.lan\u003e\",\"headerFrom\":\"johndoe@example.com\", \"Content-Disposition\":\"attachment; filename=\\\"receipt_20211018093329655.json\\\"\"}", "outcome": "unknown" }, "mimecast": { @@ -238,7 +270,19 @@ "log_type": "receipt" }, "source": { - "ip": "81.2.69.193" + "ip": "67.43.156.15", + "as": { + "asn": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + } }, "tags": [ "preserve_original_event" 
@@ -258,13 +302,15 @@ }, "subject": "DocuSign- Contract #45576744333", "to": { - "address": "aorchard@twotoeight.com" + "address": [ + "aorchard@twotoeight.com" + ] } }, "event": { "action": "Block", "created": "2021-11-29T15:13:58+0000", - "original": "{\"acc\":\"C46A75\",\"reason\":\"malicious\",\"subject\":\"DocuSign- Contract #45576744333\",\"msgid\":null,\"url\":\"http:\\/\\/docusign.swrodgods.x10.mx\\/Docun\\/Docu\\/index2.php\",\"datetime\":\"2021-11-29T15:13:58+0000\",\"route\":\"inbound\",\"sourceIp\":\"81.2.69.193\",\"sender\":\"docusign-services@zenz.us\",\"recipient\":\"aorchard@twotoeight.com\",\"action\":\"Block\",\"urlCategory\":\"Phishing \u0026 Fraud\",\"credentialTheft\":null,\"senderDomain\":\"zenz.us\", \"Content-Disposition\":\"attachment; filename=\\\"ttp_url_20211129153015541.json\\\"\"}", + "original": "{\"acc\":\"C46A75\",\"reason\":\"malicious\",\"subject\":\"DocuSign- Contract #45576744333\",\"msgid\":null,\"url\":\"http:\\/\\/docusign.swrodgods.x10.mx\\/Docun\\/Docu\\/index2.php\",\"datetime\":\"2021-11-29T15:13:58+0000\",\"route\":\"inbound\",\"sourceIp\":\"67.43.156.15\",\"sender\":\"docusign-services@zenz.us\",\"recipient\":\"aorchard@twotoeight.com\",\"action\":\"Block\",\"urlCategory\":\"Phishing \u0026 Fraud\",\"credentialTheft\":null,\"senderDomain\":\"zenz.us\", \"Content-Disposition\":\"attachment; filename=\\\"ttp_url_20211129153015541.json\\\"\"}", "outcome": "unknown", "reason": "malicious" }, @@ -275,7 +321,19 @@ }, "source": { "domain": "zenz.us", - "ip": "81.2.69.193" + "ip": "67.43.156.15", + "as": { + "asn": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + } }, "tags": [ "preserve_original_event" diff --git a/packages/mimecast/data_stream/siem_logs/elasticsearch/ingest_pipeline/default.yml b/packages/mimecast/data_stream/siem_logs/elasticsearch/ingest_pipeline/default.yml index f2c6d9ea667..3f071c813fd 100644 
--- a/packages/mimecast/data_stream/siem_logs/elasticsearch/ingest_pipeline/default.yml +++ b/packages/mimecast/data_stream/siem_logs/elasticsearch/ingest_pipeline/default.yml @@ -308,6 +308,25 @@ processors: field: event.outcome value: "unknown" if: 'ctx?.event?.outcome ==null' + - lowercase: + field: email.direction + ignore_missing: true + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - set: + field: email.to.address + value: ["{{{email.to.address}}}"] + if: "ctx?.email?.to?.address != null" - dissect: field: email.from.address pattern: "<%{email.from.address}>" diff --git a/packages/mimecast/data_stream/siem_logs/fields/ecs.yml b/packages/mimecast/data_stream/siem_logs/fields/ecs.yml index 9dd7efeec0d..d59d753c5cf 100644 --- a/packages/mimecast/data_stream/siem_logs/fields/ecs.yml +++ b/packages/mimecast/data_stream/siem_logs/fields/ecs.yml @@ -95,3 +95,29 @@ name: url.full - external: ecs name: event.outcome +- external: ecs + name: source.geo.city_name +- external: ecs + name: source.geo.continent_name +- external: ecs + name: source.geo.country_iso_code +- external: ecs + name: source.geo.country_name +- description: Longitude and latitude. + level: core + name: source.geo.location + type: geo_point +- external: ecs + name: source.geo.region_iso_code +- external: ecs + name: source.geo.region_name +- description: Client ASN number. + name: source.as.asn + type: long +- description: Client Organization name. + name: source.as.organization_name + type: keyword +- external: ecs + name: source.as.number +- external: ecs + name: source.as.organization.name diff --git a/packages/mimecast/data_stream/siem_logs/sample_event.json b/packages/mimecast/data_stream/siem_logs/sample_event.json index 7301835d8a7..9d814bc68e6 100644 
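Review bot: The ASN geoip processor writes `properties: [asn, organization_name]` under `target_field: source.as`, which yields `source.as.asn` and `source.as.organization_name` instead of the ECS fields `source.as.number` and `source.as.organization.name`; the siem_logs expected output in this commit confirms `source.as.asn`, while the audit_events stream in the same PR emits the ECS `client.as.number`, so the two data streams now disagree on where the ASN lives. Adding `- rename: {field: source.as.asn, target_field: source.as.number, ignore_missing: true}` and `- rename: {field: source.as.organization_name, target_field: source.as.organization.name, ignore_missing: true}` directly after the processor keeps the stream on ECS names and makes the custom field declarations unnecessary. The `set` on `email.to.address` wraps the value in a one-element list through a mustache template; if `Rcpt` can ever arrive as a list the template renders it as text, so guarding with `if: "ctx?.email?.to?.address != null && !(ctx.email.to.address instanceof List)"` is safer. The processors list continues outside the hunk.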
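Review bot: `source.as.asn` and `source.as.organization_name` are declared here as custom fields next to the ECS `source.as.number` and `source.as.organization.name`, so the same information is mapped twice and, per the expected test output, only the non-ECS pair is actually populated; either the pipeline should rename into the ECS pair or these two custom entries are the ones that should go, not both. `source.geo.location` is also spelled out by hand with `level: core` and a description while every sibling entry uses `external: ecs`; unless the package tooling requires it inline, `- external: ecs` / `name: source.geo.location` keeps the file consistent and takes the geo_point definition from ECS.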
--- a/packages/mimecast/data_stream/siem_logs/sample_event.json +++ b/packages/mimecast/data_stream/siem_logs/sample_event.json @@ -1,9 +1,9 @@ { "@timestamp": "2021-11-12T12:15:46.000Z", "agent": { - "ephemeral_id": "503077e3-a489-4d55-9c64-4e965385d30f", + "ephemeral_id": "30199e2a-13bf-4aea-9d42-17af8093fc35", "hostname": "docker-fleet-agent", - "id": "755dd553-bc87-4d8b-9736-61e8bbd15a3d", + "id": "4a72bf66-d0fb-4afd-8824-5fbe877771d8", "name": "docker-fleet-agent", "type": "filebeat", "version": "7.16.0" @@ -17,7 +17,7 @@ "version": "8.2.0" }, "elastic_agent": { - "id": "755dd553-bc87-4d8b-9736-61e8bbd15a3d", + "id": "4a72bf66-d0fb-4afd-8824-5fbe877771d8", "snapshot": true, "version": "7.16.0" }, @@ -37,7 +37,7 @@ "agent_id_status": "verified", "created": "2021-11-12T12:15:46+0000", "dataset": "mimecast.siem_logs", - "ingested": "2022-04-01T12:36:24Z", + "ingested": "2022-04-10T21:23:27Z", "original": "{\"Content-Disposition\":\"attachment; filename=\\\"jrnl_20211018093329655.json\\\"\",\"Dir\":\"Internal\",\"Rcpt\":\"o365_service_account@example.com\",\"RcptActType\":\"Jnl\",\"RcptHdrType\":\"Unknown\",\"Sender\":\"johndoe@example.com\",\"aCode\":\"fjihpfEgM_iRwemxhe3t_w\",\"acc\":\"ABC123\",\"datetime\":\"2021-11-12T12:15:46+0000\"}", "outcome": "unknown" }, diff --git a/packages/mimecast/data_stream/threat_intel_malware_customer/sample_event.json b/packages/mimecast/data_stream/threat_intel_malware_customer/sample_event.json index 98f944e955f..456d51ed962 100644 --- a/packages/mimecast/data_stream/threat_intel_malware_customer/sample_event.json +++ b/packages/mimecast/data_stream/threat_intel_malware_customer/sample_event.json 
@@ -1,9 +1,9 @@ { "@timestamp": "2021-11-19T01:28:37.099Z", "agent": { - "ephemeral_id": "57a36b7d-5e1c-4bc5-8f10-962cfe2948f5", + "ephemeral_id": "f8b7f5ea-3de3-4ded-804b-1cbfd3c07d29", "hostname": "docker-fleet-agent", - "id": "755dd553-bc87-4d8b-9736-61e8bbd15a3d", + "id": "4a72bf66-d0fb-4afd-8824-5fbe877771d8", "name": "docker-fleet-agent", "type": "filebeat", "version": "7.16.0" @@ -17,16 +17,16 @@ "version": "8.2.0" }, "elastic_agent": { - "id": "755dd553-bc87-4d8b-9736-61e8bbd15a3d", + "id": "4a72bf66-d0fb-4afd-8824-5fbe877771d8", "snapshot": true, "version": "7.16.0" }, "event": { "agent_id_status": "verified", "category": "threat", - "created": "2022-04-01T12:37:06.220Z", + "created": "2022-04-10T21:24:16.370Z", "dataset": "mimecast.threat_intel_malware_customer", - "ingested": "2022-04-01T12:37:07Z", + "ingested": "2022-04-10T21:24:17Z", "kind": "enrichment", "original": "{\"created\":\"2021-11-19T01:28:37.099Z\",\"id\":\"indicator--456ac916-4c4e-43be-b7a9-6678f6a845cd\",\"labels\":[\"malicious-activity\"],\"modified\":\"2021-11-19T01:28:37.099Z\",\"pattern\":\"[file:hashes.'SHA-256' = 'ec5a6c52acdc187fc6c1187f14cd685c686c2b283503a023c4a9d3a977b491be']\",\"type\":\"indicator\",\"valid_from\":\"2021-11-19T01:28:37.099Z\"}", "type": "indicator" diff --git a/packages/mimecast/data_stream/threat_intel_malware_grid/sample_event.json b/packages/mimecast/data_stream/threat_intel_malware_grid/sample_event.json index 40a311b0753..5a637408cbd 100644 --- a/packages/mimecast/data_stream/threat_intel_malware_grid/sample_event.json +++ b/packages/mimecast/data_stream/threat_intel_malware_grid/sample_event.json 
@@ -1,9 +1,9 @@ { "@timestamp": "2021-11-19T01:28:37.099Z", "agent": { - "ephemeral_id": "b8e44907-6bc2-4c8b-9aad-67e6a9319a10", + "ephemeral_id": "3fb6e70c-a69d-4bbb-8b59-c4d0be2c8a68", "hostname": "docker-fleet-agent", - "id": "755dd553-bc87-4d8b-9736-61e8bbd15a3d", + "id": "4a72bf66-d0fb-4afd-8824-5fbe877771d8", "name": "docker-fleet-agent", "type": "filebeat", "version": "7.16.0" @@ -17,16 +17,16 @@ "version": "8.2.0" }, "elastic_agent": { - "id": "755dd553-bc87-4d8b-9736-61e8bbd15a3d", + "id": "4a72bf66-d0fb-4afd-8824-5fbe877771d8", "snapshot": true, "version": "7.16.0" }, "event": { "agent_id_status": "verified", "category": "threat", - "created": "2022-04-01T12:37:51.296Z", + "created": "2022-04-10T21:24:56.126Z", "dataset": "mimecast.threat_intel_malware_grid", - "ingested": "2022-04-01T12:37:52Z", + "ingested": "2022-04-10T21:24:56Z", "kind": "enrichment", "original": "{\"created\":\"2021-11-19T01:28:37.099Z\",\"id\":\"indicator--456ac916-4c4e-43be-b7a9-6678f6a845cd\",\"labels\":[\"malicious-activity\"],\"modified\":\"2021-11-19T01:28:37.099Z\",\"pattern\":\"[file:hashes.'SHA-256' = 'ec5a6c52acdc187fc6c1187f14cd685c686c2b283503a023c4a9d3a977b491be']\",\"type\":\"indicator\",\"valid_from\":\"2021-11-19T01:28:37.099Z\"}", "type": "indicator" diff --git a/packages/mimecast/data_stream/ttp_ap_logs/elasticsearch/ingest_pipeline/default.yml b/packages/mimecast/data_stream/ttp_ap_logs/elasticsearch/ingest_pipeline/default.yml index dc3de4196fd..331ef2acc52 100644 --- a/packages/mimecast/data_stream/ttp_ap_logs/elasticsearch/ingest_pipeline/default.yml +++ b/packages/mimecast/data_stream/ttp_ap_logs/elasticsearch/ingest_pipeline/default.yml @@ -109,6 +109,9 @@ processors: value: "{{email.attachments.hash}}" allow_duplicates: false if: 'ctx?.email?.attachments?.hash !=null' + - lowercase: + field: email.direction + ignore_missing: true ### Cleanup - remove: description: Cleanup of repeated/unwanted/temporary fields. 
diff --git a/packages/mimecast/data_stream/ttp_ap_logs/sample_event.json b/packages/mimecast/data_stream/ttp_ap_logs/sample_event.json index 64202acea92..6dd6b3417fc 100644 --- a/packages/mimecast/data_stream/ttp_ap_logs/sample_event.json +++ b/packages/mimecast/data_stream/ttp_ap_logs/sample_event.json @@ -1,9 +1,9 @@ { "@timestamp": "2021-11-24T11:54:27.000Z", "agent": { - "ephemeral_id": "97a110e6-9e9b-40f0-abfe-6053fadbfc61", + "ephemeral_id": "5c36b586-6e78-434a-aa4c-a9e1178982d4", "hostname": "docker-fleet-agent", - "id": "755dd553-bc87-4d8b-9736-61e8bbd15a3d", + "id": "4a72bf66-d0fb-4afd-8824-5fbe877771d8", "name": "docker-fleet-agent", "type": "filebeat", "version": "7.16.0" @@ -17,7 +17,7 @@ "version": "8.2.0" }, "elastic_agent": { - "id": "755dd553-bc87-4d8b-9736-61e8bbd15a3d", + "id": "4a72bf66-d0fb-4afd-8824-5fbe877771d8", "snapshot": true, "version": "7.16.0" }, @@ -49,7 +49,7 @@ "agent_id_status": "verified", "created": "2021-11-24T11:54:27+0000", "dataset": "mimecast.ttp_ap_logs", - "ingested": "2022-04-01T12:38:36Z", + "ingested": "2022-04-10T21:25:37Z", "original": "{\"actionTriggered\":\"user release, none\",\"date\":\"2021-11-24T11:54:27+0000\",\"definition\":\"Inbound - Safe file with On-Demand Sandbox\",\"details\":\"Safe \\r\\nTime taken: 0 hrs, 0 min, 7 sec\",\"fileHash\":\"cabd7cb6e1822fd9e1fc9bcf144ee26ee6bfc855c4574ca967dd53dcc36a1254\",\"fileName\":\"Datasheet_Mimecast Targeted Threat Protection + Internal Email Protect (2).pdf\",\"fileType\":\"application/pdf\",\"messageId\":\"\\u003cCAKUQxhimsCd1bvWQVs14Amuh1+Hnw_bmSuA7ot8hy4eDa9_ziQ@mail.gmail.com\\u003e\",\"recipientAddress\":\"johndoe@emample.com\",\"result\":\"safe\",\"route\":\"inbound\",\"senderAddress\":\"\\u003c\\u003e\",\"subject\":\"Test Files\"}" }, "input": { 
diff --git a/packages/mimecast/data_stream/ttp_ip_logs/elasticsearch/ingest_pipeline/default.yml b/packages/mimecast/data_stream/ttp_ip_logs/elasticsearch/ingest_pipeline/default.yml index 88d4a52a28a..cc2e396a1ff 100644 --- a/packages/mimecast/data_stream/ttp_ip_logs/elasticsearch/ingest_pipeline/default.yml +++ b/packages/mimecast/data_stream/ttp_ip_logs/elasticsearch/ingest_pipeline/default.yml @@ -68,6 +68,9 @@ processors: value: "{{source.ip}}" allow_duplicates: false if: 'ctx?.source?.ip != null' + - lowercase: + field: email.direction + ignore_missing: true - dissect: field: email.from.address pattern: "<%{email.from.address}>" diff --git a/packages/mimecast/data_stream/ttp_ip_logs/sample_event.json b/packages/mimecast/data_stream/ttp_ip_logs/sample_event.json index 8885ab2f8f9..0b5599aece6 100644 --- a/packages/mimecast/data_stream/ttp_ip_logs/sample_event.json +++ b/packages/mimecast/data_stream/ttp_ip_logs/sample_event.json @@ -1,9 +1,9 @@ { "@timestamp": "2021-11-12T15:27:04.000Z", "agent": { - "ephemeral_id": "4df4bba6-bacf-4bc8-9637-6c43d41d059d", + "ephemeral_id": "5693a713-4b98-40bd-8f33-c60f3194a19e", "hostname": "docker-fleet-agent", - "id": "755dd553-bc87-4d8b-9736-61e8bbd15a3d", + "id": "4a72bf66-d0fb-4afd-8824-5fbe877771d8", "name": "docker-fleet-agent", "type": "filebeat", "version": "7.16.0" @@ -17,7 +17,7 @@ "version": "8.2.0" }, "elastic_agent": { - "id": "755dd553-bc87-4d8b-9736-61e8bbd15a3d", + "id": "4a72bf66-d0fb-4afd-8824-5fbe877771d8", "snapshot": true, "version": "7.16.0" }, 
@@ -41,7 +41,7 @@ "created": "2021-11-12T15:27:04+0000", "dataset": "mimecast.ttp_ip_logs", "id": "MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMjM3MzAw0FEqSy0qzszPU7Iy1FEqyQMrNDAwV6oFAGMiEg8", - "ingested": "2022-04-01T12:39:16Z", + "ingested": "2022-04-10T21:26:23Z", "original": "{\"action\":\"none\",\"definition\":\"IP - 1 hit (Tag email)\",\"eventTime\":\"2021-11-12T15:27:04+0000\",\"hits\":1,\"id\":\"MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMjM3MzAw0FEqSy0qzszPU7Iy1FEqyQMrNDAwV6oFAGMiEg8\",\"identifiers\":[\"internal_user_name\"],\"impersonationResults\":[{\"checkerResult\":\"hit\",\"impersonationDomainSource\":\"internal_user_name\",\"similarDomain\":\"John Doe \\u003cjohndoe_cdw@example.com\\u003e\",\"stringSimilarToDomain\":\"John Doe\"}],\"messageId\":\"\\u003cMN2PR16MB2719879CA4DB60C265F7FD8FB0959@MN2PR16MB2719.namprd16.prod.outlook.com\\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"senderAddress\":\"johndoe@example.com\",\"senderIpAddress\":\"8.8.8.8\",\"subject\":\"Don't read, just fill out!\",\"taggedExternal\":false,\"taggedMalicious\":true}" }, "input": { diff --git a/packages/mimecast/data_stream/ttp_url_logs/_dev/test/pipeline/test-ttp-url-logs.log-expected.json b/packages/mimecast/data_stream/ttp_url_logs/_dev/test/pipeline/test-ttp-url-logs.log-expected.json index 0c3d34e3f31..ce9fa88ab2c 100644 --- a/packages/mimecast/data_stream/ttp_url_logs/_dev/test/pipeline/test-ttp-url-logs.log-expected.json +++ b/packages/mimecast/data_stream/ttp_url_logs/_dev/test/pipeline/test-ttp-url-logs.log-expected.json @@ -12,6 +12,11 @@ "bestbuyinfo@emailinfo.bestbuy.com" ] }, + "to": { + "address": [ + "johndoe@example.com" + ] + }, "message_id": "\u003c31b43097-94f9-4f64-8e37-8ad23650c692@ind1s01mta1292.xt.local\u003e", "subject": "Today only: Save $100 on Tineco Pure One S12 smart cordless stick vacuum, plus more." }, 
@@ -35,10 +40,6 @@ "related": { "ip": [ "67.43.156.15" - ], - "user": [ - "johndoe", - "johndoe@example.com" ] }, "rule": { @@ -52,11 +53,6 @@ ], "url": { "original": "https://click.emailinfo2.bestbuy.com/?qs=5c47c91aeb44fac857370c26ddf09c3f484431e1ccfa636fc64e26e40dd87efdb43d4deeeab8c2e727ebfa079e8cf1404c095c511152e4b09e7d00bf8377f32d" - }, - "user": { - "domain": "example.com", - "email": "johndoe@example.com", - "name": "johndoe" } }, { @@ -71,6 +67,11 @@ "noreply@r.livingsocial.com" ] }, + "to": { + "address": [ + "johndoe@example.com" + ] + }, "message_id": "\u003c803962655.28921622.1634393221485.JavaMail.rocketman@push-dispatcher65.sac1\u003e", "subject": "Jump Pass + Mega Sale" }, @@ -94,10 +95,6 @@ "related": { "ip": [ "67.43.156.15" - ], - "user": [ - "johndoe", - "johndoe@example.com" ] }, "rule": { @@ -111,11 +108,6 @@ ], "url": { "original": "https://www.livingsocial.com/browse/?locale=en_US\u0026topCategory=all-deals\u0026p=14\u0026utm_source=newsletter_im\u0026utm_medium=email\u0026t_division=boston\u0026date=20211016\u0026uu=1bea09ca-8a29-11e9-b7f7-0242ac120002\u0026CID=US\u0026tx=0\u0026s=body\u0026c=banner\u0026d=dynamic-banner-4\u0026utm_campaign=194d1bb8-dc74-4bed-b470-0154e934bfb3_0_20211016_treatment0" - }, - "user": { - "domain": "example.com", - "email": "johndoe@example.com", - "name": "johndoe" } }, { @@ -130,6 +122,11 @@ "nflshop.com@eml.nflshop.com" ] }, + "to": { + "address": [ + "johndoe@example.com" + ] + }, "message_id": "\u003c28ad4be3-2d3a-491d-9aa7-a5a907123da1@ind1s01mta1115.xt.local\u003e", "subject": "25% Off Tees to Give During Early Gifting Sale" }, @@ -153,10 +150,6 @@ "related": { "ip": [ "67.43.156.15" - ], - "user": [ - "johndoe", - "johndoe@example.com" ] }, "rule": { @@ -170,11 +163,6 @@ ], "url": { "original": "https://www.nflshop.com/how-can-i-contact-customer-service/ch-2244" - }, - "user": { - "domain": "example.com", - "email": "johndoe@example.com", - "name": "johndoe" } } ] 
diff --git a/packages/mimecast/data_stream/ttp_url_logs/elasticsearch/ingest_pipeline/default.yml b/packages/mimecast/data_stream/ttp_url_logs/elasticsearch/ingest_pipeline/default.yml
index e817b3b44ec..f00801f796d 100644
--- a/packages/mimecast/data_stream/ttp_url_logs/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/mimecast/data_stream/ttp_url_logs/elasticsearch/ingest_pipeline/default.yml
@@ -22,10 +22,6 @@ processors:
- yyyy-MM-dd'T'HH:mm:ssZ
###
- - rename:
- field: mimecast.userEmailAddress
- target_field: user.email
- ignore_missing: true
- rename:
field: mimecast.url
target_field: url.original
@@ -50,9 +46,9 @@ processors:
field: mimecast.messageId
target_field: email.message_id
ignore_missing: true
- - append:
+ - set:
field: email.from.address
- value: "{{{mimecast.fromUserEmailAddress}}}"
+ value: ["{{{mimecast.fromUserEmailAddress}}}"]
if: "ctx?.mimecast?.fromUserEmailAddress != null"
ignore_failure: true
- rename:
@@ -63,24 +59,19 @@ processors:
field: event.created
value: "{{mimecast.date}}"
if: 'ctx?.mimecast?.date != null'
- - split:
- field: user.email
- separator: "@"
- target_field: user.parts
- if: 'ctx?.user?.email != null'
- - set:
- field: user.name
- copy_from: user.parts.0
- if: 'ctx?.user?.parts !=null && ctx?.user?.parts.length > 1'
- - set:
- field: user.domain
- copy_from: user.parts.1
- if: 'ctx?.user?.parts !=null && ctx?.user?.parts.length > 1'
- append:
field: related.ip
value: "{{source.ip}}"
allow_duplicates: false
if: 'ctx?.source?.ip !=null'
+ - lowercase:
+ field: email.direction
+ ignore_missing: true
+ - set:
+ field: email.to.address
+ value: ["{{{mimecast.userEmailAddress}}}"]
+ if: "ctx?.mimecast?.userEmailAddress != null"
+ ignore_failure: true
- append:
field: related.user
value: "{{user.name}}"
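Review bot: The `append` to `related.user` that immediately follows the new `set` still reads `{{user.name}}`, but after this change nothing in the pipeline populates `user.name` (the `split`/`set` chain is removed here and the `mimecast.userEmailAddress` → `user.email` rename is removed in the first hunk of this file), so that processor is dead; it is presumably guarded by an `if` outside the hunk, otherwise the regenerated expected output in this PR would carry an empty `related.user` entry. Remove the whole `related.user` append block (its tail is outside this hunk) rather than leave an unreachable reference, or, if a user pivot is still wanted, append the address from `mimecast.userEmailAddress` before the cleanup step drops it. The `ignore_failure: true` on the new `email.to.address` `set` is redundant with its `if` guard and would hide real template failures; drop it. A short comment above the `set` such as `# recipient is the user who clicked the URL (mimecast.userEmailAddress)` would make the ECS mapping choice explicit.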
@@ -106,10 +97,8 @@ processors:
description: Cleanup of repeated/unwanted/temporary fields.
field:
- mimecast.date
- - user.parts
- - user.parts.0
- - user.parts.1
- mimecast.fromUserEmailAddress
+ - mimecast.userEmailAddress
ignore_missing: true
- remove:
description: Remove 'event.original' if 'preserve_original_event' is not set.
diff --git a/packages/mimecast/data_stream/ttp_url_logs/fields/ecs.yml b/packages/mimecast/data_stream/ttp_url_logs/fields/ecs.yml
index a66f558190d..ad68eb26323 100644
--- a/packages/mimecast/data_stream/ttp_url_logs/fields/ecs.yml
+++ b/packages/mimecast/data_stream/ttp_url_logs/fields/ecs.yml
@@ -13,7 +13,7 @@
- description: Stores the from email address from the RFC5322 From - header field.
type: keyword
name: email.from.address
-- description: Stores the from email address to the RFC5322 From - header field.
+- description: Email of the recipient/user who click the link.
type: keyword
name: email.to.address
- description: A brief summary of the topic of the message
@@ -42,11 +42,5 @@
name: user.email
- external: ecs
name: url.original
-- external: ecs
- name: user.name
-- external: ecs
- name: user.domain
- external: ecs
name: related.ip
-- external: ecs
- name: related.user
diff --git a/packages/mimecast/data_stream/ttp_url_logs/sample_event.json b/packages/mimecast/data_stream/ttp_url_logs/sample_event.json
index c0d23679162..5d2cb31469b 100644
--- a/packages/mimecast/data_stream/ttp_url_logs/sample_event.json
+++ b/packages/mimecast/data_stream/ttp_url_logs/sample_event.json
@@ -1,9 +1,9 @@
{
"@timestamp": "2021-11-10T03:49:53.000Z",
"agent": {
- "ephemeral_id": "9ef77b02-4979-44aa-97af-54ae4e5612f4",
+ "ephemeral_id": "23663742-273e-4a13-9e56-c94459117a7a",
"hostname": "docker-fleet-agent",
- "id": "755dd553-bc87-4d8b-9736-61e8bbd15a3d",
+ "id": "4a72bf66-d0fb-4afd-8824-5fbe877771d8",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "7.16.0"
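Review bot: The new description for `email.to.address` has a grammar slip (`who click`) and does not say where the value comes from; suggest `description: Email address of the recipient, i.e. the user who clicked the link (mapped from mimecast.userEmailAddress).` The same sentence appears in docs/README.md on this page, which appears to be generated from these field files, so fixing it here should fix both.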
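Review bot: This hunk drops `user.name`, `user.domain` and `related.user` but keeps `user.email` declared (the context line at the top of the hunk), while the pipeline change in this PR removes the only rename that populated it (`mimecast.userEmailAddress` → `user.email`); the regenerated expected output confirms no `user` object is emitted any more. Either remove the `user.email` entry here as well so the exported field list matches what the pipeline emits, or keep setting it alongside `email.to.address`. The docs/README.md table on this page still lists `user.email | User email address`, which would follow from whichever option is chosen once the docs are regenerated.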
@@ -17,7 +17,7 @@ "version": "8.2.0" }, "elastic_agent": { - "id": "755dd553-bc87-4d8b-9736-61e8bbd15a3d", + "id": "4a72bf66-d0fb-4afd-8824-5fbe877771d8", "snapshot": true, "version": "7.16.0" }, @@ -39,7 +39,7 @@ "agent_id_status": "verified", "created": "2021-11-10T03:49:53+0000", "dataset": "mimecast.ttp_url_logs", - "ingested": "2022-04-01T12:40:05Z", + "ingested": "2022-04-10T21:27:12Z", "original": "{\"action\":\"allow\",\"actions\":\"Allow\",\"adminOverride\":\"N/A\",\"category\":\"Search Engines \\u0026 Portals\",\"creationMethod\":\"User Click\",\"date\":\"2021-11-10T03:49:53+0000\",\"emailPartsDescription\":[\"Body\"],\"fromUserEmailAddress\":\"googlealerts-noreply@google.com\",\"messageId\":\"\\u003c000000000000a02a0a05d0671c06@google.com\\u003e\",\"route\":\"inbound\",\"scanResult\":\"clean\",\"sendingIp\":\"8.8.8.8\",\"subject\":\"Google Alert - china\",\"ttpDefinition\":\"Inbound URL 'Aggressive'\",\"url\":\"https://www.google.co.za/alerts/share?hl=en\\u0026gl=US\\u0026ru=https://www.wsj.com/articles/u-s-tests-israels-iron-dome-in-guam-as-defense-against-chinese-cruise-missiles-11636455224\\u0026ss=tw\\u0026rt=U.S.+Tests+Israel%27s+Iron+Dome+in+Guam+as+Defense+Against+Chinese+Cruise+Missiles+-+WSJ\\u0026cd=KhQxNzg2NTc5NDQ3ODIzODUyNjI5NzIcZmQ4N2VjYzkxMGIxMWE4Yzpjby56YTplbjpVUw\\u0026ssp=AMJHsmW3CCK1S4TNPifSXszcyaNMwd6TDg\",\"userAwarenessAction\":\"Continue\",\"userEmailAddress\":\"johndoe@example.com\",\"userOverride\":\"None\"}" }, "input": { diff --git a/packages/mimecast/docs/README.md b/packages/mimecast/docs/README.md index a7d7ba620a5..db849b3fe18 100644 --- a/packages/mimecast/docs/README.md +++ b/packages/mimecast/docs/README.md 
@@ -21,9 +21,9 @@ An example event for `audit_events` looks as following: { "@timestamp": "2021-11-16T12:01:37.000Z", "agent": { - "ephemeral_id": "b2833ed3-e047-442e-945f-291f7d6ace9d", + "ephemeral_id": "4fa34b5f-73a4-4463-a1db-32a8a7f50a11", "hostname": "docker-fleet-agent", - "id": "755dd553-bc87-4d8b-9736-61e8bbd15a3d", + "id": "4a72bf66-d0fb-4afd-8824-5fbe877771d8", "name": "docker-fleet-agent", "type": "filebeat", "version": "7.16.0" @@ -37,17 +37,17 @@ An example event for `audit_events` looks as following: "version": "8.2.0" }, "elastic_agent": { - "id": "755dd553-bc87-4d8b-9736-61e8bbd15a3d", + "id": "4a72bf66-d0fb-4afd-8824-5fbe877771d8", "snapshot": true, "version": "7.16.0" }, "event": { "action": "search-action", "agent_id_status": "verified", - "created": "2022-04-01T12:35:03.501Z", + "created": "2022-04-09T21:21:29.198Z", "dataset": "mimecast.audit_events", "id": "eNqrVipOTS4tSs1MUbJSSg_xMDJPNkisSDdISQ00j0gzz44wDAtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWFsYmhkoaOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAAjKK1o", - "ingested": "2022-04-01T12:35:04Z", + "ingested": "2022-04-09T21:21:30Z", "original": "{\"auditType\":\"Search Action\",\"category\":\"case_review_logs\",\"eventInfo\":\"Inspected Review Set Messages - Source: Review Set - Supervision - hot words, Case - GDPR/CCPA, Message Status: Pending, Date: 2021-11-16, Time: 12:01:37+0000, IP: 8.8.8.8, Application: mimecast-case-review\",\"eventTime\":\"2021-11-16T12:01:37+0000\",\"id\":\"eNqrVipOTS4tSs1MUbJSSg_xMDJPNkisSDdISQ00j0gzz44wDAtL89c2DXZ1C3eP9AyvijKL9I7Rd_WOzC0ztMg2dzFM1M73s6w09CqoDA1T0lFKLE3JLMnJTwcZaGxoaWFsYmhkoaOUXFpckp-bWpScn5IKtMnZxMzR3BSovCy1qDgzP0_JyrAWAAjKK1o\",\"user\":\"johndoe@example.com\"}" }, "input": { 
@@ -169,9 +169,9 @@ An example event for `dlp` looks as following: { "@timestamp": "2021-11-18T21:41:18.000Z", "agent": { - "ephemeral_id": "4a1c8c13-aee6-49b9-afc3-a2e62a310761", + "ephemeral_id": "279cfe48-6673-4b5e-a2f5-2063af9bbf29", "hostname": "docker-fleet-agent", - "id": "755dd553-bc87-4d8b-9736-61e8bbd15a3d", + "id": "4a72bf66-d0fb-4afd-8824-5fbe877771d8", "name": "docker-fleet-agent", "type": "filebeat", "version": "7.16.0" @@ -185,7 +185,7 @@ An example event for `dlp` looks as following: "version": "8.2.0" }, "elastic_agent": { - "id": "755dd553-bc87-4d8b-9736-61e8bbd15a3d", + "id": "4a72bf66-d0fb-4afd-8824-5fbe877771d8", "snapshot": true, "version": "7.16.0" }, @@ -209,7 +209,7 @@ An example event for `dlp` looks as following: "agent_id_status": "verified", "created": "2021-11-18T21:41:18+0000", "dataset": "mimecast.dlp_logs", - "ingested": "2022-04-01T12:35:41Z", + "ingested": "2022-04-09T21:22:27Z", "original": "{\"action\":\"notification\",\"eventTime\":\"2021-11-18T21:41:18+0000\",\"messageId\":\"\\u003c20211118214115.B346F10021D@mail.emailsec.ninja\\u003e\",\"policy\":\"Content Inspection - Watermark\",\"recipientAddress\":\"johndoe@example.com\",\"route\":\"inbound\",\"senderAddress\":\"\\u003c\\u003e\",\"subject\":\"Undelivered Mail Returned to Sender\"}" }, "input": { @@ -299,9 +299,9 @@ An example event for `siem` looks as following: { "@timestamp": "2021-11-12T12:15:46.000Z", "agent": { - "ephemeral_id": "503077e3-a489-4d55-9c64-4e965385d30f", + "ephemeral_id": "ca12b93e-d5f2-480c-80db-bd7db18e156b", "hostname": "docker-fleet-agent", - "id": "755dd553-bc87-4d8b-9736-61e8bbd15a3d", + "id": "4a72bf66-d0fb-4afd-8824-5fbe877771d8", "name": "docker-fleet-agent", "type": "filebeat", "version": "7.16.0" @@ -315,7 +315,7 @@ An example event for `siem` looks as following: "version": "8.2.0" }, "elastic_agent": { - "id": "755dd553-bc87-4d8b-9736-61e8bbd15a3d", + "id": "4a72bf66-d0fb-4afd-8824-5fbe877771d8", "snapshot": true, "version": "7.16.0" }, 
@@ -335,7 +335,7 @@ An example event for `siem` looks as following: "agent_id_status": "verified", "created": "2021-11-12T12:15:46+0000", "dataset": "mimecast.siem_logs", - "ingested": "2022-04-01T12:36:24Z", + "ingested": "2022-04-09T21:23:16Z", "original": "{\"Content-Disposition\":\"attachment; filename=\\\"jrnl_20211018093329655.json\\\"\",\"Dir\":\"Internal\",\"Rcpt\":\"o365_service_account@example.com\",\"RcptActType\":\"Jnl\",\"RcptHdrType\":\"Unknown\",\"Sender\":\"johndoe@example.com\",\"aCode\":\"fjihpfEgM_iRwemxhe3t_w\",\"acc\":\"ABC123\",\"datetime\":\"2021-11-12T12:15:46+0000\"}", "outcome": "unknown" }, 
@@ -467,7 +467,19 @@ An example event for `siem` looks as following: | mimecast.msgid | The internet message id of the email. | keyword | | mimecast.urlCategory | The category of the URL that was clicked. | keyword | | rule.name | The name of the rule or signature generating the event. | keyword | +| source.as.asn | Client ASN number. | long | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.as.organization_name | Client Organization name. | keyword | | source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | | source.ip | IP address of the source (IPv4 or IPv6). | ip | | tags | List of keywords used to tag each event. | keyword | | tls.cipher | String indicating the cipher used during the current connection. | keyword | 
@@ -488,9 +500,9 @@ An example event for `ttp_ip` looks as following: { "@timestamp": "2021-11-12T15:27:04.000Z", "agent": { - "ephemeral_id": "4df4bba6-bacf-4bc8-9637-6c43d41d059d", + "ephemeral_id": "a1668840-d3af-4dc0-a8db-b7c65d43810c", "hostname": "docker-fleet-agent", - "id": "755dd553-bc87-4d8b-9736-61e8bbd15a3d", + "id": "4a72bf66-d0fb-4afd-8824-5fbe877771d8", "name": "docker-fleet-agent", "type": "filebeat", "version": "7.16.0" @@ -504,7 +516,7 @@ An example event for `ttp_ip` looks as following: "version": "8.2.0" }, "elastic_agent": { - "id": "755dd553-bc87-4d8b-9736-61e8bbd15a3d", + "id": "4a72bf66-d0fb-4afd-8824-5fbe877771d8", "snapshot": true, "version": "7.16.0" }, @@ -528,7 +540,7 @@ An example event for `ttp_ip` looks as following: "created": "2021-11-12T15:27:04+0000", "dataset": "mimecast.ttp_ip_logs", "id": "MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMjM3MzAw0FEqSy0qzszPU7Iy1FEqyQMrNDAwV6oFAGMiEg8", - "ingested": "2022-04-01T12:39:16Z", + "ingested": "2022-04-09T21:26:34Z", "original": "{\"action\":\"none\",\"definition\":\"IP - 1 hit (Tag email)\",\"eventTime\":\"2021-11-12T15:27:04+0000\",\"hits\":1,\"id\":\"MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnI2MXM0N1XSUcpMUbIyMjM3MzAw0FEqSy0qzszPU7Iy1FEqyQMrNDAwV6oFAGMiEg8\",\"identifiers\":[\"internal_user_name\"],\"impersonationResults\":[{\"checkerResult\":\"hit\",\"impersonationDomainSource\":\"internal_user_name\",\"similarDomain\":\"John Doe \\u003cjohndoe_cdw@example.com\\u003e\",\"stringSimilarToDomain\":\"John Doe\"}],\"messageId\":\"\\u003cMN2PR16MB2719879CA4DB60C265F7FD8FB0959@MN2PR16MB2719.namprd16.prod.outlook.com\\u003e\",\"recipientAddress\":\"johndoe@example.com\",\"senderAddress\":\"johndoe@example.com\",\"senderIpAddress\":\"8.8.8.8\",\"subject\":\"Don't read, just fill out!\",\"taggedExternal\":false,\"taggedMalicious\":true}" }, "input": { 
@@ -654,9 +666,9 @@ An example event for `ttp_ap` looks as following: { "@timestamp": "2021-11-24T11:54:27.000Z", "agent": { - "ephemeral_id": "97a110e6-9e9b-40f0-abfe-6053fadbfc61", + "ephemeral_id": "94a46754-0f92-4e4c-8dd4-e0b717a9ae3d", "hostname": "docker-fleet-agent", - "id": "755dd553-bc87-4d8b-9736-61e8bbd15a3d", + "id": "4a72bf66-d0fb-4afd-8824-5fbe877771d8", "name": "docker-fleet-agent", "type": "filebeat", "version": "7.16.0" @@ -670,7 +682,7 @@ An example event for `ttp_ap` looks as following: "version": "8.2.0" }, "elastic_agent": { - "id": "755dd553-bc87-4d8b-9736-61e8bbd15a3d", + "id": "4a72bf66-d0fb-4afd-8824-5fbe877771d8", "snapshot": true, "version": "7.16.0" }, @@ -702,7 +714,7 @@ An example event for `ttp_ap` looks as following: "agent_id_status": "verified", "created": "2021-11-24T11:54:27+0000", "dataset": "mimecast.ttp_ap_logs", - "ingested": "2022-04-01T12:38:36Z", + "ingested": "2022-04-09T21:25:43Z", "original": "{\"actionTriggered\":\"user release, none\",\"date\":\"2021-11-24T11:54:27+0000\",\"definition\":\"Inbound - Safe file with On-Demand Sandbox\",\"details\":\"Safe \\r\\nTime taken: 0 hrs, 0 min, 7 sec\",\"fileHash\":\"cabd7cb6e1822fd9e1fc9bcf144ee26ee6bfc855c4574ca967dd53dcc36a1254\",\"fileName\":\"Datasheet_Mimecast Targeted Threat Protection + Internal Email Protect (2).pdf\",\"fileType\":\"application/pdf\",\"messageId\":\"\\u003cCAKUQxhimsCd1bvWQVs14Amuh1+Hnw_bmSuA7ot8hy4eDa9_ziQ@mail.gmail.com\\u003e\",\"recipientAddress\":\"johndoe@emample.com\",\"result\":\"safe\",\"route\":\"inbound\",\"senderAddress\":\"\\u003c\\u003e\",\"subject\":\"Test Files\"}" }, "input": { 
@@ -811,9 +823,9 @@ An example event for `ttp_url` looks as following: { "@timestamp": "2021-11-10T03:49:53.000Z", "agent": { - "ephemeral_id": "9ef77b02-4979-44aa-97af-54ae4e5612f4", + "ephemeral_id": "a5dfeba6-bf03-4714-95a9-521261881327", "hostname": "docker-fleet-agent", - "id": "755dd553-bc87-4d8b-9736-61e8bbd15a3d", + "id": "4a72bf66-d0fb-4afd-8824-5fbe877771d8", "name": "docker-fleet-agent", "type": "filebeat", "version": "7.16.0" @@ -827,7 +839,7 @@ An example event for `ttp_url` looks as following: "version": "8.2.0" }, "elastic_agent": { - "id": "755dd553-bc87-4d8b-9736-61e8bbd15a3d", + "id": "4a72bf66-d0fb-4afd-8824-5fbe877771d8", "snapshot": true, "version": "7.16.0" }, 
@@ -849,7 +861,7 @@ An example event for `ttp_url` looks as following: "agent_id_status": "verified", "created": "2021-11-10T03:49:53+0000", "dataset": "mimecast.ttp_url_logs", - "ingested": "2022-04-01T12:40:05Z", + "ingested": "2022-04-09T21:27:21Z", "original": "{\"action\":\"allow\",\"actions\":\"Allow\",\"adminOverride\":\"N/A\",\"category\":\"Search Engines \\u0026 Portals\",\"creationMethod\":\"User Click\",\"date\":\"2021-11-10T03:49:53+0000\",\"emailPartsDescription\":[\"Body\"],\"fromUserEmailAddress\":\"googlealerts-noreply@google.com\",\"messageId\":\"\\u003c000000000000a02a0a05d0671c06@google.com\\u003e\",\"route\":\"inbound\",\"scanResult\":\"clean\",\"sendingIp\":\"8.8.8.8\",\"subject\":\"Google Alert - china\",\"ttpDefinition\":\"Inbound URL 'Aggressive'\",\"url\":\"https://www.google.co.za/alerts/share?hl=en\\u0026gl=US\\u0026ru=https://www.wsj.com/articles/u-s-tests-israels-iron-dome-in-guam-as-defense-against-chinese-cruise-missiles-11636455224\\u0026ss=tw\\u0026rt=U.S.+Tests+Israel%27s+Iron+Dome+in+Guam+as+Defense+Against+Chinese+Cruise+Missiles+-+WSJ\\u0026cd=KhQxNzg2NTc5NDQ3ODIzODUyNjI5NzIcZmQ4N2VjYzkxMGIxMWE4Yzpjby56YTplbjpVUw\\u0026ssp=AMJHsmW3CCK1S4TNPifSXszcyaNMwd6TDg\",\"userAwarenessAction\":\"Continue\",\"userEmailAddress\":\"johndoe@example.com\",\"userOverride\":\"None\"}" }, "input": { 
@@ -918,7 +930,7 @@ An example event for `ttp_url` looks as following: | email.message_id.text | Multi-field of `email.message_id`. | text | | email.subject | A brief summary of the topic of the message | keyword | | email.subject.text | Multi-field of `email.subject`. | text | -| email.to.address | Stores the from email address to the RFC5322 From - header field. | keyword | +| email.to.address | Email of the recipient/user who click the link. | keyword | | event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | | event.dataset | Event dataset | constant_keyword | | event.module | Event module | constant_keyword | 
@@ -960,16 +972,12 @@ An example event for `ttp_url` looks as following: | mimecast.userEmailAddress | The email address of the user who clicked the link. | keyword | | mimecast.userOverride | The action requested by the user. | keyword | | related.ip | All of the IPs seen on your event. | ip | -| related.user | All the user names or other user identifiers seen on the event. | keyword | | rule.name | The name of the rule or signature generating the event. | keyword | | source.ip | IP address of the source (IPv4 or IPv6). | ip | | tags | List of keywords used to tag each event. | keyword | | url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | | url.original.text | Multi-field of `url.original`. | match_only_text | -| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | | user.email | User email address. | keyword | -| user.name | Short name or login of the user. | keyword | -| user.name.text | Multi-field of `user.name`. | match_only_text | ### Threat Intel Feed Malware: Customer @@ -982,9 +990,9 @@ An example event for `threat_intel_malware_customer` looks as following: { "@timestamp": "2021-11-19T01:28:37.099Z", "agent": { - "ephemeral_id": "57a36b7d-5e1c-4bc5-8f10-962cfe2948f5", + "ephemeral_id": "11dbcd56-4eaa-42e1-adf4-cde4c1ea97c3", "hostname": "docker-fleet-agent", - "id": "755dd553-bc87-4d8b-9736-61e8bbd15a3d", + "id": "4a72bf66-d0fb-4afd-8824-5fbe877771d8", "name": "docker-fleet-agent", "type": "filebeat", "version": "7.16.0" 
@@ -998,16 +1006,16 @@ An example event for `threat_intel_malware_customer` looks as following: "version": "8.2.0" }, "elastic_agent": { - "id": "755dd553-bc87-4d8b-9736-61e8bbd15a3d", + "id": "4a72bf66-d0fb-4afd-8824-5fbe877771d8", "snapshot": true, "version": "7.16.0" }, "event": { "agent_id_status": "verified", "category": "threat", - "created": "2022-04-01T12:37:06.220Z", + "created": "2022-04-09T21:24:05.464Z", "dataset": "mimecast.threat_intel_malware_customer", - "ingested": "2022-04-01T12:37:07Z", + "ingested": "2022-04-09T21:24:06Z", "kind": "enrichment", "original": "{\"created\":\"2021-11-19T01:28:37.099Z\",\"id\":\"indicator--456ac916-4c4e-43be-b7a9-6678f6a845cd\",\"labels\":[\"malicious-activity\"],\"modified\":\"2021-11-19T01:28:37.099Z\",\"pattern\":\"[file:hashes.'SHA-256' = 'ec5a6c52acdc187fc6c1187f14cd685c686c2b283503a023c4a9d3a977b491be']\",\"type\":\"indicator\",\"valid_from\":\"2021-11-19T01:28:37.099Z\"}", "type": "indicator" @@ -1128,9 +1136,9 @@ An example event for `threat_intel_malware_grid` looks as following: { "@timestamp": "2021-11-19T01:28:37.099Z", "agent": { - "ephemeral_id": "b8e44907-6bc2-4c8b-9aad-67e6a9319a10", + "ephemeral_id": "6331b09b-b9b9-4f2b-8dce-dad9a9cc195e", "hostname": "docker-fleet-agent", - "id": "755dd553-bc87-4d8b-9736-61e8bbd15a3d", + "id": "4a72bf66-d0fb-4afd-8824-5fbe877771d8", "name": "docker-fleet-agent", "type": "filebeat", "version": "7.16.0" 
@@ -1144,16 +1152,16 @@ An example event for `threat_intel_malware_grid` looks as following: "version": "8.2.0" }, "elastic_agent": { - "id": "755dd553-bc87-4d8b-9736-61e8bbd15a3d", + "id": "4a72bf66-d0fb-4afd-8824-5fbe877771d8", "snapshot": true, "version": "7.16.0" }, "event": { "agent_id_status": "verified", "category": "threat", - "created": "2022-04-01T12:37:51.296Z", + "created": "2022-04-09T21:24:53.690Z", "dataset": "mimecast.threat_intel_malware_grid", - "ingested": "2022-04-01T12:37:52Z", + "ingested": "2022-04-09T21:24:54Z", "kind": "enrichment", "original": "{\"created\":\"2021-11-19T01:28:37.099Z\",\"id\":\"indicator--456ac916-4c4e-43be-b7a9-6678f6a845cd\",\"labels\":[\"malicious-activity\"],\"modified\":\"2021-11-19T01:28:37.099Z\",\"pattern\":\"[file:hashes.'SHA-256' = 'ec5a6c52acdc187fc6c1187f14cd685c686c2b283503a023c4a9d3a977b491be']\",\"type\":\"indicator\",\"valid_from\":\"2021-11-19T01:28:37.099Z\"}", "type": "indicator" diff --git a/packages/mimecast/manifest.yml b/packages/mimecast/manifest.yml index b7d0b41cdb9..6b27772d972 100644 --- a/packages/mimecast/manifest.yml +++ b/packages/mimecast/manifest.yml @@ -1,7 +1,7 @@ format_version: 1.0.0 name: mimecast title: "Mimecast" -version: 0.0.9 +version: 0.0.10 license: basic description: "Fetching logs from Mimecast API and ingest into Elasticsearch" type: integration