Skip to main content
Skip table of contents

LSO Mimecast Email - General Blocked Event

Vendor Documentation

https://integrations.mimecast.com/documentation/tutorials/understanding-siem-logs/

Log Fields and Parsing

This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.

Log Field

LogRhythm Default

LogRhythm Default v2.0

datetime

N/A

N/A

aCode

N/A

<vmid>

acc

N/A

N/A

MimecastIP

N/A

N/A

reason

<reason>

<reason>

fileName

N/A

<objectname>

Sender

<sender>

<sender>

SpamLimit

N/A

<quantity>

HLD

N/A

N/A

Delivered

N/A

<status>

URL

<url>

<url>

SHA256

N/A

<hash>

IP

N/A

<sip>

Source IP

<dip>
<dname>

<snatip>

AttSize

N/A

<size>

UrlCategory

N/A

N/A

Receipient

<recipient>

<recipient>

Size

N/A

N/A

Act

N/A

<action>
<tag1>

DIR

N/A

N/A

AttCnt

N/A

N/A

ScanResultInfo

N/A

N/A

MsgId

N/A

<object>

IPNewDomain

N/A

N/A

SenderDomain

<domainorigin>

<domainorigin>

Subject

N/A

<subject>

IPReplyMismatch

N/A

N/A

ReceiptAck

N/A

N/A

Definition

N/A

N/A

headerFrom

N/A

<login>

Hits

N/A

N/A

fileExt

N/A

<objecttype>

IPInternalName

N/A

N/A

Route

<status>

<policy>

Action

N/A

N/A

sha1

N/A

N/A

Rcpt

N/A

<recipient>

AttNames

N/A

N/A

Latency

N/A

<amount>

TaggedExternal

N/A

N/A

SpamInfo

N/A

N/A

MsgSize

N/A

N/A

TaggedMalicious

N/A

N/A

fileMime

N/A

N/A

TlsVer

N/A

<protname>

IPThreadDict

N/A

N/A

Virus

N/A

<threatname>

InternalName

N/A

N/A

md5

N/A

N/A

Cphr

N/A

N/A

IPSimilarDomain

N/A

N/A

Attempt

N/A

N/A

CustomName

N/A

N/A

SpamProcessingDetail

N/A

N/A

SenderDomainInternal

N/A

N/A

NewDomain

N/A

N/A

SpamScore

N/A

N/A

SimilarInternalDomain

N/A

N/A

Error

N/A

N/A

Snt

N/A

<bytesout>

CustomerIP

N/A

N/A

SimilarCustomExternalDomain

N/A

N/A

RejCode

N/A

<responsecode>

UseTls

N/A

N/A

SimilarMimecastExternalDomain

N/A

N/A

RejInfo

N/A

N/A

ReplyMismatch

N/A

N/A

RejType

N/A

<result>
<tag2>

Err

N/A

N/A

ThreatDictionary

N/A

N/A

CustomThreatDictionary

N/A

N/A

Log Processing Settings

This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.

LogRhythm Default

Regex ID

Rule Name

Rule Type

Common Event

Classification

1009437

General Blocked Event

Base Rule

Blocked Message

Failed Activity

LogRhythm Default v2.0

Regex ID

Rule Name

Rule Type

Common Event

Classification

1013288

V 2.0 : Email Logs

Base Rule

Email Handling Message

Information

V 2.0 : Anti-Spoofing Lockout Messages

Sub Rule

Failed Spoofing Activity

Failed Attack

V 2.0 : Connection Attempt Messages

Sub Rule

Connection Information

Information

V 2.0 : Envelope Rejected Messages

Sub Rule

Couldn't Get Envelope Of Message In Inbox Folder

Error

V 2.0 : Invalid Recipient Address Messages

Sub Rule

Blocked Message No Valid Recipients

Failed Activity

V 2.0 : IP Found In RBL Messages

Sub Rule

Blocked Message RBL Match

Failed Activity

V 2.0 : Manual Envelope Rejection Messages

Sub Rule

ReadFromMessage : Unable To Get Message Envelope

Error

V 2.0 : Message Loop Detected Messages

Sub Rule

Infinite Loop Detected

Warning

V 2.0 : Virus Signature Detection Messages

Sub Rule

Suspicious E-mail Activity

Suspicious

V 2.0 : DMARC Sender Invalid Messages

Sub Rule

Blocked Message Sender Address Rejected

Failed Activity

V 2.0 : Email Accepted

Sub Rule

Email Accepted

Information

V 2.0 : Email Rejected

Sub Rule

Email Session Disposed - Reject

Information

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close