Vendor Documentation
Classification

| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| Email Logs | Base Rule | Email Handling Message | Information |
| Anti-Spoofing Lockout Messages | Sub Rule | Failed Spoofing Activity | Failed Attack |
| Connection Attempt Messages | Sub Rule | Connection Information | Information |
| Envelope Rejected Messages | Sub Rule | Couldn't Get Envelope Of Message In Inbox Folder | Error |
| Invalid Recipient Address Messages | Sub Rule | Blocked Message No Valid Recipients | Failed Activity |
| IP Found In RBL Messages | Sub Rule | Blocked Message RBL Match | Failed Activity |
| Manual Envelope Rejection Messages | Sub Rule | ReadFromMessage : Unable To Get Message Envelope | Error |
| Message Loop Detected Messages | Sub Rule | Infinite Loop Detected | Warning |
| Virus Signature Detection Messages | Sub Rule | Suspicious E-mail Activity | Suspicious |
| DMARC Sender Invalid Messages | Sub Rule | Blocked Message Sender Address Rejected | Failed Activity |
| Email Accepted | Sub Rule | Email Accepted | Information |
| Email Rejected | Sub Rule | Email Session Disposed - Reject | Information |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| N/A | <severity> | Text/String | level |
| datetime | N/A | N/A | The date and time that the email was received by the Mimecast MTA. |
| aCode | <vmid> | Text/String | The unique ID used to track the email through the different log types. |
| acc | N/A | N/A | The Mimecast account code for your account. |
| MimecastIP | N/A | N/A | The source IP is one of the Mimecast IPs, e.g. Mimecast Personal Portal. |
| reason | <reason> | Text/String | The reason that the click was blocked. |
| fileName | <objectname> | Text/String | N/A |
| Sender | <sender> | Text/String | The sender of the email. |
| SpamLimit | <quantity> | Number | The Spam limit defined for the given sender and recipient. |
| HLD | N/A | N/A | The reason the email was held for review (quarantined), if applicable. |
| Delivered | <status> | Text/String | Whether the email was delivered successfully or not. |
| URL | <url> | Text/String | The URL clicked. |
| SHA256 | <hash> | Text/String | SHA256 hash. |
| IP | <sip> | IP Address | The source IP of the sending mail server. |
| Source IP | <snatip> | IP Address | The source IP of the original message. |
| AttSize | <size> | Number | The total size of all attachments on the email. |
| UrlCategory | N/A | N/A | The category of the URL that was clicked. |
| Receipient | <recipient> | Text/String | The recipient of the original message. |
| Size | N/A | N/A | Size. |
| Act | <action> | Text/String | N/A |
| DIR | N/A | N/A | The direction of the email based on the sending and receiving domains. |
| AttCnt | N/A | N/A | The number of attachments on the email. |
| ScanResultInfo | N/A | N/A | The reason that the click was blocked. |
| MsgId | <object> | Text/String | The internet message ID of the email. |
| IPNewDomain | N/A | N/A | For emails subject to Targeted Threat Protection: Impersonation Protect, if the email was detected to be from a new domain. |
| SenderDomain | <domainorigin> | Text/String | The sender domain. |
| Subject | <subject> | Text/String | The subject of the email, limited to 150 characters. |
| IPReplyMismatch | N/A | N/A | For emails subject to Targeted Threat Protection: Impersonation Protect, if the email was detected to have a mismatch in the reply-to address. |
| ReceiptAck | N/A | N/A | The receipt acknowledgment message received by Mimecast from the receiving mail server. |
| Definition | N/A | N/A | The definition |
| headerFrom | <login> | Text/String | The sender address found in the from header of the email. |
| Hits | N/A | N/A | Number of items flagged for the message. |
| fileExt | <objecttype> | Text/String | The file extension. |
| IPInternalName | N/A | N/A | For emails subject to Targeted Threat Protection: Impersonation Protect, if the email was detected to be from an internal user name. |
| Route | <policy> | Text/String | The Mimecast delivery route used. |
| Action | N/A | N/A | The action taken for this message. |
| sha1 | N/A | N/A | SHA1 hash. |
| Rcpt | <recipient> | Text/String | The recipient of the email. |
| AttNames | N/A | N/A | The filenames of all attachments on the email. |
| Latency | <amount> | Number | The time in milliseconds that the delivery attempt took. |
| TaggedExternal | N/A | N/A | The message has been tagged as originating from an external source. |
| SpamInfo | N/A | N/A | Information from Mimecast Spam scanners for messages found to be Spam. |
| MsgSize | N/A | N/A | The total size of the email. |
| TaggedMalicious | N/A | N/A | The message has been tagged as malicious. |
| fileMime | N/A | N/A | The file MIME type. |
| TlsVer | <protname> | Text/String | The TLS version used if the email was received using TLS. |
| IPThreadDict | N/A | N/A | For emails subject to Targeted Threat Protection: Impersonation Protect, if the content of the email was detected to contain words in the Mimecast threat dictionary. |
| Virus | <threatname> | Text/String | The name of the virus found on the email, if applicable. |
| InternalName | N/A | N/A | The email was detected to be from an internal user name. |
| md5 | N/A | N/A | MD5 hash. |
| Cphr | N/A | N/A | The TLS cipher used if the email was received using TLS. |
| IPSimilarDomain | N/A | N/A | For emails subject to Targeted Threat Protection: Impersonation Protect, if the email was detected to be from a similar domain to any domain you have registered as an Internal Domain. |
| Attempt | N/A | N/A | The count of attempts that the Mimecast MTA has made to deliver the email. |
| CustomName | N/A | N/A | The message has matched a custom name. |
| SpamProcessingDetail | N/A | N/A | The Spam processing details for DKIM, SPF, DMARC. |
| SenderDomainInternal | N/A | N/A | The sender domain is a registered internal domain. |
| NewDomain | N/A | N/A | The email was detected to be from a new domain. |
| SpamScore | N/A | N/A | The Spam score the email was given. |
| SimilarInternalDomain | N/A | N/A | The sender's domain is similar to a registered internal domain. |
| Error | N/A | N/A | Information about any errors that occurred during receipt. |
| Snt | <bytesout> | Number | The amount of data in bytes that was delivered. |
| CustomerIP | N/A | N/A | The source IP is one of the account's authorised IPs or one of the authorised IPs belonging to an Umbrella Account, if the Account uses an Umbrella Account. |
| SimilarCustomExternalDomain | N/A | N/A | The sender's domain is similar to a custom external domain list. |
| RejCode | <responsecode> | Number | The rejection code, for messages rejected by the receiving mail server. |
| UseTls | N/A | N/A | N/A |
| SimilarMimecastExternalDomain | N/A | N/A | The sender's domain is similar to a Mimecast managed list of domains. |
| RejInfo | N/A | N/A | The rejection information if the email was rejected at the receipt stage. |
| ReplyMismatch | N/A | N/A | The reply address does not correspond to the sender's address. |
| RejType | <result> | Text/String | The rejection type if the email was rejected at the receipt stage. |
| Err | N/A | N/A | Information about any errors that occurred during receipt. |
| ThreatDictionary | N/A | N/A | The content of the email was detected to contain words in the Mimecast threat dictionary. |
| CustomThreatDictionary | N/A | N/A | The content of the email was detected to contain words in a custom threat dictionary. |