Syslog - Mimecast Email - Email Logs
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
---|---|---|---|
Email Logs | Base Rule | Email Handling Message | Information |
Anti-Spoofing Lockout Messages | Sub Rule | Failed Spoofing Activity | Failed Attack |
Connection Attempt Messages | Sub Rule | Connection Information | Information |
Envelope Rejected Messages | Sub Rule | Couldn't Get Envelope Of Message In Inbox Folder | Error |
Invalid Recipient Address Messages | Sub Rule | Blocked Message No Valid Recipients | Failed Activity |
IP Found In RBL Messages | Sub Rule | Blocked Message RBL Match | Failed Activity |
Manual Envelope Rejection Messages | Sub Rule | ReadFromMessage : Unable To Get Message Envelope | Error |
Message Loop Detected Messages | Sub Rule | Infinite Loop Detected | Warning |
Virus Signature Detection Messages | Sub Rule | Suspicious E-mail Activity | Suspicious |
DMARC Sender Invalid Messages | Sub Rule | Blocked Message Sender Address Rejected | Failed Activity |
Email Accepted | Sub Rule | Email Accepted | Information |
Email Rejected | Sub Rule | Email Session Disposed - Reject | Information |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
---|---|---|---|
N/A | <severity> | Text/String | level |
datetime | N/A | N/A | The date and time that the email was received by the Mimecast MTA. |
aCode | <vmid> | Text/String | The unique ID used to track the email through the different log types. |
acc | N/A | N/A | The Mimecast account code for your account. |
MimecastIP | N/A | N/A | The source IP is one of the Mimecast IPs, e.g. Mimecast Personal Portal. |
reason | <reason> | Text/String | The reason that the click was blocked. |
fileName | <objectname> | Text/String | N/A |
Sender | <sender> | Text/String | The sender of the email. |
SpamLimit | <quantity> | Number | The Spam limit defined for the given sender and recipient. |
HLD | N/A | N/A | The reason the email was held for review (quarantined), if applicable. |
Delivered | <status> | Text/String | Whether the email was delivered successfully or not. |
URL | <url> | Text/String | The URL clicked. |
SHA256 | <hash> | Text/String | SHA256 hash. |
IP | <sip> | IP Address | The source IP of the sending mail server. |
Source IP | <snatip> | IP Address | The source IP of the original message. |
AttSize | <size> | Number | The total size of all attachments on the email. |
UrlCategory | N/A | N/A | The category of the URL that was clicked. |
Receipient | <recipient> | Text/String | The recipient of the original message. |
Size | N/A | N/A | Size. |
Act | <action> | Text/String | N/A |
DIR | N/A | N/A | The direction of the email based on the sending and receiving domains. |
AttCnt | N/A | N/A | The number of attachments on the email. |
ScanResultInfo | N/A | N/A | The reason that the click was blocked. |
MsgId | <object> | Text/String | The internet message ID of the email. |
IPNewDomain | N/A | N/A | For emails subject to Targeted Threat Protection: Impersonation Protect, if the email was detected to be from a new domain. |
SenderDomain | <domainorigin> | Text/String | The sender domain. |
Subject | <subject> | Text/String | The subject of the email, limited to 150 characters. |
IPReplyMismatch | N/A | N/A | For emails subject to Targeted Threat Protection: Impersonation Protect, if the email was detected to have a mismatch in the reply-to address. |
ReceiptAck | N/A | N/A | The receipt acknowledgment message received by Mimecast from the receiving mail server. |
Definition | N/A | N/A | The definition. |
headerFrom | <login> | Text/String | The sender address found in the from header of the email. |
Hits | N/A | N/A | Number of items flagged for the message. |
fileExt | <objecttype> | Text/String | The file extension. |
IPInternalName | N/A | N/A | For emails subject to Targeted Threat Protection: Impersonation Protect, if the email was detected to be from an internal user name. |
Route | <policy> | Text/String | The Mimecast delivery route used. |
Action | N/A | N/A | The action taken for this message. |
sha1 | N/A | N/A | SHA1 hash. |
Rcpt | <recipient> | Text/String | The recipient of the email. |
AttNames | N/A | N/A | The filenames of all attachments on the email. |
Latency | <amount> | Number | The time in milliseconds that the delivery attempt took. |
TaggedExternal | N/A | N/A | The message has been tagged as originating from an external source. |
SpamInfo | N/A | N/A | Information from Mimecast Spam scanners for messages found to be Spam. |
MsgSize | N/A | N/A | The total size of the email. |
TaggedMalicious | N/A | N/A | The message has been tagged as malicious. |
fileMime | N/A | N/A | The file Mime type. |
TlsVer | <protname> | Text/String | The TLS version used if the email was received using TLS. |
IPThreadDict | N/A | N/A | For emails subject to Targeted Threat Protection: Impersonation Protect, if the content of the email was detected to contain words in the Mimecast threat dictionary. |
Virus | <threatname> | Text/String | The name of the virus found on the email, if applicable. |
InternalName | N/A | N/A | The email was detected to be from an internal user name. |
md5 | N/A | N/A | MD5 Hash. |
Cphr | N/A | N/A | The TLS Cipher used if the email was received using TLS. |
IPSimilarDomain | N/A | N/A | For emails subject to Targeted Threat Protection: Impersonation Protect, if the email was detected to be from a similar domain to any domain you have registered as an Internal Domain. |
Attempt | N/A | N/A | The count of attempts that the Mimecast MTA has made to deliver the email. |
CustomName | N/A | N/A | The message has matched a custom name. |
SpamProcessingDetail | N/A | N/A | The Spam processing details for DKIM, SPF and DMARC. |
SenderDomainInternal | N/A | N/A | The sender domain is a registered internal domain. |
NewDomain | N/A | N/A | The email was detected to be from a new domain. |
SpamScore | N/A | N/A | The Spam score the email was given. |
SimilarInternalDomain | N/A | N/A | The sender's domain is similar to a registered internal domain. |
Error | N/A | N/A | Information about any errors that occurred during receipt. |
Snt | <bytesout> | Number | The amount of data in bytes that were delivered. |
CustomerIP | N/A | N/A | The source IP is one of the account's authorised IPs or one of the authorised IPs belonging to an Umbrella Account, if the Account uses an Umbrella Account. |
SimilarCustomExternalDomain | N/A | N/A | The sender's domain is similar to a custom external domain list. |
RejCode | <responsecode> | Number | The rejection code, for messages rejected by the receiving mail server. |
UseTls | N/A | N/A | N/A |
SimilarMimecastExternalDomain | N/A | N/A | The sender's domain is similar to a Mimecast managed list of domains. |
RejInfo | N/A | N/A | The rejection information if the email was rejected at the receipt stage. |
ReplyMismatch | N/A | N/A | The reply address does not correspond to the sender's address. |
RejType | <result> | Text/String | The rejection type if the email was rejected at the receipt stage. |
Err | N/A | N/A | Information about any errors that occurred during receipt. |
ThreatDictionary | N/A | N/A | The content of the email was detected to contain words in the Mimecast threat dictionary. |
CustomThreatDictionary | N/A | N/A | The content of the email was detected to contain words in a custom threat dictionary. |