ESET Online Help

Syslog event mapping

The following tables show how ESET Mail Security events map to ArcSight data fields. Use them as a reference for what is sent to ArcSight through the SmartConnector.

Header

| Field | Value | Note |
|---|---|---|
| Device Vendor | "ESET" | |
| Device Product | "EMSX" | "EMSX" or "ESET Mail Security for MS Exchange Server" |
| Device Version | e.g. "7.1.10005.0" | |
| Device Event Class ID | e.g. "101" | Device Event Category unique identifier: 100-199 malware, 200-299 phish, 300-399 spam, 400-499 policy |
| Event Name | e.g. "MailScanResult: malware" | A brief description of what happened in the event: "MailScanResult: malware", "MailScanResult: phishing link", "MailScanResult: spam", "MailScanResult: policy" |

| CEF Key Name | CEF Key Full Name (Size) | Field Description | Detailed Field Description |
|---|---|---|---|
| rt | deviceReceiptTime | Time event was generated | The time at which the event was generated, in milliseconds since Jan 1st 1970 |
| src | sourceAddress | Sender's IP | IP address of the sending mail server |
| shost | sourceHostName (1023) | Sender's HELO domain | HELO domain of the sending mail server |
| flexString1 | flexString1 | Message-ID | Message-ID header from the email |
| dhost | destinationHostName (1023) | Receiving server | Hostname of the machine that received the communication |
| msg | message (1023) | Message subject | Subject of the message, from the RFC5233 header "Subject:" |
| suser | sourceUserName (1023) | SMTP sender | SMTP sender of the email (MAIL FROM) |
| duser | destinationUserName (1023) | SMTP recipient(s) | SMTP recipient(s) of the email (RCPT TO) |
| act | deviceAction (63) | Action taken | Action taken (cleaned, quarantined, etc.) |
| cat | deviceEventCategory (1023) | Detection category | Most significant detection (malware >> phish >> spam >> SPF/DKIM >> policy) |
| sourceServiceName | sourceServiceName | Type of protection | SMTP Transport agent, On-demand database scan |
| deviceExternalId | deviceExternalId | Engine version | Anti-Malware engine version, Antispam engine version, e.g. "18620,7730" |
| cs1 | deviceCustomString1 | Anti-Malware result | Result of Anti-Malware scan, including threat name |
| cs1Label | deviceCustomString1Label | "Anti-Malware result" | |
| cs2 | deviceCustomString2 | Antispam result | Result of Antispam scan, including reason for marking as spam |
| cs2Label | deviceCustomString2Label | "Antispam result" | |
| cs3 | deviceCustomString3 | Anti-Phishing result | Result of Anti-Phishing scan, including detected URL |
| cs3Label | deviceCustomString3Label | "Anti-Phishing result" | |
| cs4 | deviceCustomString4 | SPF/DKIM/DMARC result | Result of SPF/DKIM/DMARC check, in RFC7601 format |
| cs4Label | deviceCustomString4Label | "SPF/DKIM/DMARC result" | |
| cs5 | deviceCustomString5 | "From:" sender | Sender address from RFC5322 header "From:" |
| cs5Label | deviceCustomString5Label | "From header" | |
| cs6 | deviceCustomString6 | "To:" and "Cc:" recipients | Recipient addresses from RFC5322 headers "To:" and "Cc:" |
| cs6Label | deviceCustomString6Label | "To and Cc headers" | |
| fname | filename (1023) | Attachment name | Name of the first detected attachment |
| fileHash | fileHash (255) | Attachment hash | Hash of the first detected attachment |
| fsize | fileSize | Attachment size | Size of the first detected attachment |
| reason | reason (1023) | Rule/policy activated | Name of the policy triggered by the email or its content |
| ESETEMSXFileDetails | ESETEMSXFileDetails | File details | Information about all detected attachments: their names, hashes and sizes |

Optional

| CEF Key Name | CEF Key Full Name (Size) | Field Description | Detailed Field Description |
|---|---|---|---|
| end | endTime | Time event has ended | The time at which the activity ended, in milliseconds since January 1, 1970. Useful only if the ESET LiveGuard Advanced sandboxing technology is used. |
| dtz | deviceTimeZone (255) | Timezone of the server | |
| request | requestURL | Detected URL | Malicious or blacklisted URL extracted from the mail body or mail headers. ESET Mail Security does not provide a single URL in logs because various detection components can detect multiple URLs in one email message. |
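As an added example (not ESET's or ArcSight's own code), the following Python script parses one CEF record laid out according to the tables above and turns it into the named fields a SIEM rule would key on: it splits the header on unescaped pipes, splits the extension only at unescaped key= boundaries so values containing spaces (subject, service name, RFC7601 authentication results) survive intact, derives the category from the Device Event Class ID ranges, pairs each csN value with its csNLabel, and decodes rt and deviceExternalId. The sample record is constructed for illustration: its addresses, hashes, Message-ID and threat name are invented, and the CEF severity value (8) is a placeholder because this page does not specify severities.

```python
"""Parse an ESET Mail Security (EMSX) CEF record into the fields of the mapping
tables above. Added example; not ESET or ArcSight code."""
import re
from datetime import datetime, timezone

# Device Event Class ID ranges, taken from the Header table on this page.
CATEGORY_RANGES = (
    (100, 199, "malware"),
    (200, 299, "phish"),
    (300, 399, "spam"),
    (400, 499, "policy"),
)

HEADER_NAMES = ("version", "device_vendor", "device_product", "device_version",
                "device_event_class_id", "name", "severity")

# Constructed sample event: every value is invented. Note the CEF-escaped '='
# characters inside cs4, which a naive split on '=' would break.
SAMPLE_EVENT = (
    "CEF:0|ESET|EMSX|7.1.10005.0|101|MailScanResult: malware|8|"
    "rt=1700000000000 src=203.0.113.10 shost=mail.example.net "
    "flexString1=<abc123@example.net> dhost=exch01.corp.example "
    "msg=Invoice attached suser=billing@example.net duser=alice@corp.example "
    "act=quarantined cat=malware sourceServiceName=SMTP Transport agent "
    "deviceExternalId=18620,7730 "
    "cs1=Win32/TestFile.A cs1Label=Anti-Malware result "
    "cs4=spf\\=pass smtp.mailfrom\\=example.net cs4Label=SPF/DKIM/DMARC result "
    "fname=invoice.exe fileHash=0123456789abcdef fsize=4096"
)


def _unescape(value):
    # CEF escapes '\', '=' and '|' with a backslash; \n and \r encode line breaks.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_cef(line):
    """Split a CEF line into its seven header fields and an extension dict."""
    parts = re.split(r"(?<!\\)\|", line.rstrip("\r\n"), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    header = {k: _unescape(v) for k, v in zip(HEADER_NAMES, parts[:7])}
    header["version"] = header["version"][len("CEF:"):]
    # Extension values may contain spaces, so split only before a 'key=' token
    # whose '=' is not escaped.
    ext = {}
    for token in re.split(r"\s+(?=[\w.]+=)", parts[7].strip()):
        key, _, value = token.partition("=")
        ext[key] = _unescape(value)
    return {"header": header, "extension": ext}


def event_category(class_id):
    """Map a Device Event Class ID to the category its numeric range encodes."""
    for low, high, name in CATEGORY_RANGES:
        if low <= class_id <= high:
            return name
    return None


def normalize_emsx(record):
    """Produce the named fields of the mapping table from a parsed record:
    label->value pairs for cs1..cs6, decoded timestamp and engine versions,
    and a consistency check of 'cat' against the class-id range."""
    hdr, ext = record["header"], record["extension"]
    out = {
        "vendor": hdr["device_vendor"],
        "product": hdr["device_product"],
        "event_class_id": int(hdr["device_event_class_id"]),
        "event_name": hdr["name"],
    }
    out["category_from_class_id"] = event_category(out["event_class_id"])
    if "rt" in ext:  # milliseconds since the Unix epoch
        out["received_at"] = datetime.fromtimestamp(int(ext["rt"]) / 1000, tz=timezone.utc)
    if "deviceExternalId" in ext:  # "<anti-malware engine>,<antispam engine>"
        am, _, asp = ext["deviceExternalId"].partition(",")
        out["engine_versions"] = {"anti_malware": am, "antispam": asp}
    # csNLabel names what csN holds; index the results by that label.
    out["results"] = {ext[f"cs{n}Label"]: ext[f"cs{n}"]
                      for n in range(1, 7)
                      if f"cs{n}" in ext and f"cs{n}Label" in ext}
    for cef_key, name in (("src", "sender_ip"), ("shost", "helo_domain"),
                          ("suser", "mail_from"), ("duser", "rcpt_to"),
                          ("act", "action"), ("cat", "detection_category"),
                          ("fname", "attachment_name"), ("fileHash", "attachment_hash"),
                          ("fsize", "attachment_size"), ("request", "detected_url")):
        if cef_key in ext:
            out[name] = ext[cef_key]
    if "attachment_size" in out:
        out["attachment_size"] = int(out["attachment_size"])
    if "detection_category" in out:
        out["cat_consistent"] = out["detection_category"] == out["category_from_class_id"]
    return out


if __name__ == "__main__":
    for key, value in normalize_emsx(parse_cef(SAMPLE_EVENT)).items():
        print(f"{key}: {value}")
```

The cat_consistent flag is worth keeping in a detection pipeline: the class-id range and the cat field describe the same thing from two sources, so a mismatch points at a mapping or connector problem rather than at the mail itself.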