Syslog event mapping
The following tables show ESET Mail Security event mapping to ArcSight data fields. You can use these tables as a reference of what is being fed to ArcSight via SmartConnector.
Header |
||
---|---|---|
Device Vendor |
"ESET" |
|
Device Product |
"EMSX" |
"EMSX" or "ESET Mail Security for MS Exchange Server" |
Device Version |
e.g. "7.1.10005.0" |
|
Device Event Class ID |
e.g. "101" |
Device Event Category unique identifier: |
Event Name |
e.g. "MailScanResult: malware" |
A brief description of what happened in the event: |
CEF Key Name |
CEF Key Full Name (Size) |
Field Description |
Detailed Field Description |
---|---|---|---|
rt |
deviceReceiptTime |
Time event was generated |
The time at which the event was generated, in milliseconds since Jan 1st 1970 |
src |
sourceAddress |
Sender's IP |
IP address of the sending mail server |
shost |
sourceHostName (1023) |
Sender's HELO domain |
HELO domain of the sending mail server |
flexString1 |
flexString1 |
Message-ID |
Message-ID header from the email |
dhost |
destinationHostName (1023) |
Receiving server |
Hostname of the machine that received the communication |
msg |
message (1023) |
Message subject |
Subject of the message, from the RFC5233 header "Subject:" |
suser |
sourceUserName (1023) |
SMTP sender |
SMTP sender of the email (MAIL FROM) |
duser |
destinationUserName (1023) |
SMTP recipient(s) |
SMTP recipient(s) of the email (RCPT TO) |
act |
deviceAction (63) |
Action taken |
Action taken (cleaned, quarantined, etc.) |
cat |
deviceEventCategory (1023) |
Detection category |
Most significant detection (malware >> phish >> spam >> SPF/DKIM >> policy) |
sourceServiceName |
sourceServiceName |
Type of protection |
SMTP Transport agent, On-demand database scan |
deviceExternalId |
deviceExternalId |
Engine version |
Anti-Malware engine version, Antispam engine version, e.g. "18620,7730" |
cs1 |
deviceCustomString1 |
Anti-Malware result |
Result of Anti-Malware scan, including threat name |
cs1Label |
deviceCustomString1Label |
"Anti-Malware result" |
|
cs2 |
deviceCustomString2 |
Antispam result |
Result of Antispam scan, including reason for marking as spam |
cs2Label |
deviceCustomString2Label |
"Antispam result" |
|
cs3 |
deviceCustomString3 |
Anti-Phishing result |
Result of Anti-Phishing scan, including detected URL |
cs3Label |
deviceCustomString3Label |
"Anti-Phishing result" |
|
cs4 |
deviceCustomString4 |
SPF/DKIM/DMARC result |
Result of SPF/DKIM/DMARC check, in RFC7601 format |
cs4Label |
deviceCustomString4Label |
"SPF/DKIM/DMARC result" |
|
cs5 |
deviceCustomString5 |
"From:" sender |
Sender address from RFC5322 header "From:" |
cs5Label |
deviceCustomString5Label |
"From header" |
|
cs6 |
deviceCustomString6 |
"To:" and "Cc:" recipients |
Recipients addresses from RFC5322 headers "To:" and "Cc:" |
cs6Label |
deviceCustomString6Label |
"To and Cc headers" |
|
fname |
filename (1023) |
Attachment name |
Name of the first detected attachment |
fileHash |
fileHash (255) |
Attachment hash |
Hash of the first detected attachment |
fsize |
fileSize |
Attachment size |
Size of the first detected attachment |
reason |
reason (1023) |
Rule/policy activated |
Name of the policy triggered by the email or it's content |
ESETEMSXFileDetails |
ESETEMSXFileDetails |
File details |
Information about all detected attachments, their names, hashes and sizes |
Optional
CEF Key Name |
CEF Key Full Name (Size) |
Field Description |
Detailed Field Description |
---|---|---|---|
end |
endTime |
Time event has ended |
The time at which the activity ended, in milliseconds, since January 1, 1970. Useful only if sandboxing technology is used ESET LiveGuard Advanced. |
dtz |
deviceTimeZone (255) |
Timezone of the server |
|
request |
requestURL |
Detected URL |
Malign or blacklisted URL extracted from mail body or mail headers. ESET Mail Security does not provide a single URL in logs because various detection components can detect multiple URLs in email messages. |