Email Detection Event

Vendor Documentation

Classification

| Rule Name | Rule Type | Classification | Common Event |
| --- | --- | --- | --- |
| Email Detection Event | Base Rule | Activity | General Threat Message |
| Email Detection Event : Email Quarantined | Sub Rule | Failed Activity | Quarantined Message |
| Email Detection Event : Email Deleted | Sub Rule | Failed Activity | Threat Deleted |
| Email Detection Event : Email File Sanitized | Sub Rule | Failed Activity | Threat Deleted |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
| --- | --- | --- | --- |
| Header (logVer) | N/A | N/A | CEF format version |
| Header (vendor) | N/A | N/A | Appliance vendor |
| Header (pname) | N/A | N/A | Appliance product |
| Header (pver) | N/A | N/A | Appliance version |
| Header (eventid) | N/A | N/A | Signature ID |
| Header (eventName) | <vendorinfo> | Text/String | Description |
| Header (severity) | <severity> | Number | Severity |
| act | <action>, <tag1> | Text/String | The action in the event. Examples: quarantined, passed, stripped, analyzed, stamped, subjectsTagged, deleted, delivered directly, cleaned up, file sanitized |
| cn1 | N/A | N/A | Threat type |
| cn1Label | N/A | N/A | Threat type label |
| cn2 | <size> | Number | Email Size |
| cn2Label | N/A | N/A | Email Size label |
| cs1 | <threatname> | Text/String | Names of threats in the email |
| cs1Label | N/A | N/A | Names of threats in the email label |
| cs2 | N/A | N/A | Internal email ID |
| cs2Label | N/A | N/A | Internal email ID label |
| cs3 | N/A | N/A | Email ID |
| cs3Label | N/A | N/A | Email ID label |
| cs4 | N/A | N/A | Sender email address |
| cs4Label | N/A | N/A | Sender email address label |
| cs5 | N/A | N/A | Recipient email address |
| cs5Label | N/A | N/A | Recipient email address label |
| deviceExternalId | N/A | N/A | Appliance GUID |
| duser | <recipient> | Text/String | Email recipients |
| dvc | N/A | N/A | Appliance IP address |
| dvchost | N/A | N/A | Appliance host name |
| dvcmac | N/A | N/A | Appliance MAC Address |
| msg | <subject> | Text/String | Email subject |
| rt | N/A | N/A | Log generation time. Format: Unix timestamp (number of milliseconds since Jan 01 1970 UTC) |
| src | <sip> | IP | Source IP address |
| suser | <sender> | Text/String | Email sender |
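An added example, not part of this LogRhythm documentation: a small Python parser that splits a CEF line into the header fields and extension keys in the table above, maps them onto the LogRhythm schema names, and picks the base rule or sub rule from the classification table by the value of act. The sample log lines, vendor and product names are constructed placeholders, and the escape handling follows the CEF convention of `\|` in the header and `\=` in extension values.

```python
import re

# CEF header fields after the "CEF:" prefix, in the order the mapping table lists them.
HEADER_FIELDS = ("logVer", "vendor", "pname", "pver", "eventid", "eventName", "severity")
# CEF extension key -> LogRhythm schema field(s), taken from the mapping table.
EXTENSION_MAP = {"act": ("action", "tag1"), "cn2": ("size",), "cs1": ("threatname",),
                 "duser": ("recipient",), "msg": ("subject",), "src": ("sip",), "suser": ("sender",)}
# Sub rule selected by the value of "act", per the classification table; other actions hit the base rule.
SUB_RULES = {
    "quarantined": ("Email Detection Event : Email Quarantined", "Failed Activity", "Quarantined Message"),
    "deleted": ("Email Detection Event : Email Deleted", "Failed Activity", "Threat Deleted"),
    "file sanitized": ("Email Detection Event : Email File Sanitized", "Failed Activity", "Threat Deleted"),
}
BASE_RULE = ("Email Detection Event", "Activity", "General Threat Message")

def parse_cef(line):
    """Split a CEF line into its seven header fields and an extension dict (handles \\| and \\= escapes)."""
    parts = re.split(r"(?<!\\)\|", line.rstrip("\r\n")[4:], maxsplit=7)
    if not line.startswith("CEF:") or len(parts) != 8:
        raise ValueError("malformed CEF line: expected 'CEF:' prefix and seven header fields")
    header = {k: v.replace("\\|", "|") for k, v in zip(HEADER_FIELDS, parts[:7])}
    # Values may contain spaces ("act=delivered directly"): a value runs until the next token of the
    # form key= (or end of line); a literal '=' inside a value is escaped as '\='.
    ext = {}
    for m in re.finditer(r"(\w+)=((?:\\=|[^=])*?)(?=\s+\w+=|$)", parts[7]):
        ext[m.group(1)] = m.group(2).replace("\\=", "=")
    return header, ext

def to_logrhythm(line):
    """Map one event onto LogRhythm schema fields and pick the rule it would classify under."""
    header, ext = parse_cef(line)
    fields = {"vendorinfo": header["eventName"], "severity": int(header["severity"])}
    for key, value in ext.items():
        for schema_name in EXTENSION_MAP.get(key, ()):
            fields[schema_name] = int(value) if schema_name == "size" else value
    rule, classification, common_event = SUB_RULES.get(ext.get("act", ""), BASE_RULE)
    fields.update(rule=rule, classification=classification, common_event=common_event)
    return fields

# Constructed sample events (not real appliance output); vendor and product names are placeholders.
SAMPLE_LOGS = [
    "CEF:0|ExampleVendor|ExampleMailGateway|1.0|100|Malware detected|8|act=quarantined cn2=45231 "
    "cn2Label=Email Size cs1=EICAR-Test-File cs1Label=Threat name suser=sender@example.org "
    "duser=alice@example.com src=203.0.113.5 msg=Invoice Q3\\=final rt=1700000000000",
    "CEF:0|ExampleVendor|ExampleMailGateway|1.0|101|Clean message|2|act=delivered directly "
    "cn2=2048 suser=news@example.net duser=bob@example.com src=198.51.100.9 msg=Weekly digest",
]

if __name__ == "__main__":
    for log in SAMPLE_LOGS:
        print(to_logrhythm(log))
```

Keys the table marks N/A (cn1, cs2 to cs5, rt and the appliance fields) are parsed but not mapped, which is what the table specifies.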