Flat File - Mimecast Email V 2.0 : Email Logs
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
V 2.0: Email Logs | Base Rule | Email Handling Message | Information |
V 2.0: Anti-Spoofing Lockout Messages | Sub Rule | Failed Spoofing Activity | Failed Attack |
V 2.0: Connection Attempt Messages | Sub Rule | Connection Information | Information |
V 2.0: Envelope Rejected Messages | Sub Rule | Couldn't Get Envelope Of Message In Inbox Folder | Error |
V 2.0: Invalid Recipient Address Messages | Sub Rule | Blocked Message No Valid Recipients | Failed Activity |
V 2.0: IP Found In RBL Messages | Sub Rule | Blocked Message RBL Match | Failed Activity |
V 2.0: Manual Envelope Rejection Messages | Sub Rule | ReadFromMessage: Unable To Get Message Envelope | Error |
V 2.0: Message Loop Detected Messages | Sub Rule | Infinite Loop Detected | Warning |
V 2.0: Virus Signature Detection Messages | Sub Rule | Suspicious E-mail Activity | Suspicious |
V 2.0: DMARC Sender Invalid Messages | Sub Rule | Blocked Message Sender Address Rejected | Failed Activity |
V 2.0: Email Accepted | Sub Rule | Email Accepted | Information |
V 2.0: Email Rejected | Sub Rule | Email Session Disposed - Reject | Information |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
datetime | N/A | N/A | The date and time that the email was received by the Mimecast MTA. |
aCode | <vmid> | Text/String | The unique ID, used to track the email through the different log types. |
acc | <vendorinfo> | Text/String | The Mimecast account code for your account. |
MimecastIP | N/A | N/A | The source IP is one of the Mimecast IPs e.g. Mimecast Personal Portal |
reason | <reason> | Text/String | The reason that the click was blocked. |
fileName | <objectname> | Text/String | N/A |
Sender | <sender> | Text/String | The sender of the email. |
SpamLimit | <quantity> | Number | The Spam limit is defined for the given sender and recipient. |
HLD | N/A | N/A | The reason the email was held for review (quarantined), if applicable. |
Delivered | <status> | Text/String | If the email was delivered successfully or not. |
URL | <url> | Text/String | The URL clicked. |
SHA256 | <hash> | Text/String | SHA256 hash. |
IP | <sip> | IP Address | The source IP of the sending mail server. |
Source IP | <snatip> | IP Address | The source IP of the original message. |
AttSize | <size> | Number | The total size of all attachments on the email. |
UrlCategory | N/A | N/A | The category of the URL that was clicked. |
Receipient | <recipient> | Text/String | The recipient of the original message. |
Size | N/A | N/A | Size. |
Act | <action> | Text/String | N/A |
DIR | N/A | N/A | The direction of the email is based on the sending and receiving domains. |
AttCnt | N/A | N/A | The number of attachments on the email. |
ScanResultInfo | N/A | N/A | The reason that the click was blocked. |
MsgId | <object> | Text/String | The internet message ID of the email. |
IPNewDomain | N/A | N/A | For emails subject to Targeted Threat Protection: Impersonation Protect, if the email was detected to be from a new domain. |
SenderDomain | <domainorigin> | Text/String | The sender domain. |
Subject | <subject> | Text/String | The subject’s address is found in the from header of the email. |
Hits | N/A | N/A | A number of items flagged for the message. |
fileExt | <objecttype> | Text/String | The file extension. |
IPInternalName | N/A | N/A | For emails subject to Targeted Threat Protection: Impersonation Protect, if the email was detected to be from an internal user name. |
Route | <policy> | Text/String | The Mimecast delivery route was used. |
Action | N/A | N/A | The action was taken for this message. |
sha1 | N/A | N/A | SHA1 hash. |
Rcpt | <recipient> | Text/String | The recipient of the email. |
AttNames | N/A | N/A | The filenames of all attachments on the email |
Latency | <amount> | Number | The time in milliseconds that the delivery attempt took. |
TaggedExternal | N/A | N/A | The message has been tagged as originating from an external source. |
SpamInfo | N/A | N/A | Information from Mimecast Spam scanners for messages found to be Spam. |
MsgSize | N/A | N/A | The total size of the email. |
TaggedMalicious | N/A | N/A | The message has been tagged as malicious. |
fileMime | N/A | N/A | The file Mime type. |
TlsVer | <protname> | Text/String | The TLS version is used if the email was received using TLS. |
IPThreadDict | N/A | N/A | For emails subject to Targeted Threat Protection: Impersonation Protect, if the content of the email was detected to contain words in the Mimecast threat dictionary. |
Virus | <threatname> | Text/String | The name of the virus found on the email, if applicable. |
InternalName | N/A | N/A | The email was detected to be from an internal user name. |
md5 | N/A | N/A | MD5 Hash. |
Cphr | N/A | N/A | The TLS Cipher is used if the email was received using TLS. |
IPSimilarDomain | N/A | N/A | For emails subject to Targeted Threat Protection: Impersonation Protect, if the email was detected to be from a similar domain to any domain you have registered as an Internal Domain. |
Attempt | N/A | N/A | The count of attempts that the Mimecast MTA has made to deliver the email. |
CustomName | N/A | N/A | The message has matched a custom name. |
SpamProcessingDetail | N/A | N/A | The Spam processing details for DKIM, SPF, DMARC |
SenderDomainInternal | N/A | N/A | The sender domain is a registered internal domain. |
NewDomain | N/A | N/A | The email was detected to be from a new domain |
SpamScore | N/A | N/A | The Spam score the email was given. |
SimilarInternalDomain | N/A | N/A | The sender's domain is similar to a registered internal domain. |
Error | N/A | N/A | Information about any errors that occurred during receipt. |
Snt | <bytesout> | Number | The amount of data in bytes that were delivered. |
CustomerIP | N/A | N/A | The source IP is one of the account's authorised IPs or one of the authorised IPs belonging to an Umbrella Account if the Account uses an Umbrella Account. |
SimilarCustomExternalDomain | N/A | N/A | The sender's domain is similar to a custom external domain list. |
RejCode | <responsecode> | Number | The rejection code, for messages rejected by the receiving mail server. |
UseTls | N/A | N/A | N/A |
SimilarMimecastExternalDomain | N/A | N/A | The sender's domain is similar to a Mimecast-managed list of domains. |
RejInfo | N/A | N/A | The rejection information if the email was rejected at the receipt stage. |
ReplyMismatch | N/A | N/A | The reply address does not correspond to the sender's address. |
RejType | <result> | Text/String | The rejection type is if the email was rejected at the receipt stage. |
Err | N/A | N/A | Information about any errors that occurred during receipt. |
ThreatDictionary | N/A | N/A | The content of the email was detected to contain words in the Mimecast threat dictionary. |
CustomThreatDictionary | N/A | N/A | The content of the email was detected to contain words in a custom threat dictionary. |