ESET Online Help


Syslog event mapping

The tables below show the ESET Mail Security events mapped to ArcSight data fields. Use them as a reference for the content delivered to ArcSight through the SmartConnector.

Header

| Header field | Value | Description |
|---|---|---|
| Device Vendor | "ESET" | |
| Device Product | "EMSX" | "EMSX" or "ESET Mail Security for MS Exchange Server" |
| Device Version | e.g. "7.1.10005.0" | |
| Device Event Class ID | e.g. "101" | Device Event Category unique identifier: 100-199 malware, 200-299 phish, 300-399 spam, 400-499 policy |
| Event Name | e.g. "MailScanResult: malware" | A brief description of what happened in the event: "MailScanResult: malware", "MailScanResult: phishing link", "MailScanResult: spam", "MailScanResult: policy" |

| CEF Key Name | CEF Key Full Name (Size) | Field Description | Detailed Field Description |
|---|---|---|---|
| rt | deviceReceiptTime | Time event was generated | The time at which the event was generated, in milliseconds since Jan 1st 1970 |
| src | sourceAddress | Sender's IP | IP address of the sending mail server |
| shost | sourceHostName (1023) | Sender's HELO domain | HELO domain of the sending mail server |
| flexString1 | flexString1 | Message-ID | Message-ID header from the email |
| dhost | destinationHostName (1023) | Receiving server | Hostname of the machine that received the communication |
| msg | message (1023) | Message subject | Subject of the message, from the RFC5322 header "Subject:" |
| suser | sourceUserName (1023) | SMTP sender | SMTP sender of the email (MAIL FROM) |
| duser | destinationUserName (1023) | SMTP recipient(s) | SMTP recipient(s) of the email (RCPT TO) |
| act | deviceAction (63) | Action taken | Action taken (cleaned, quarantined, etc.) |
| cat | deviceEventCategory (1023) | Detection category | Most significant detection (malware >> phish >> spam >> SPF/DKIM >> policy) |
| sourceServiceName | sourceServiceName | Type of protection | SMTP Transport agent, On-demand database scan |
| deviceExternalId | deviceExternalId | Engine version | Anti-Malware engine version, Antispam engine version, e.g. "18620,7730" |
| cs1 | deviceCustomString1 | Anti-Malware result | Result of Anti-Malware scan, including threat name |
| cs1Label | deviceCustomString1Label | "Anti-Malware result" | |
| cs2 | deviceCustomString2 | Antispam result | Result of Antispam scan, including reason for marking as spam |
| cs2Label | deviceCustomString2Label | "Antispam result" | |
| cs3 | deviceCustomString3 | Anti-Phishing result | Result of Anti-Phishing scan, including detected URL |
| cs3Label | deviceCustomString3Label | "Anti-Phishing result" | |
| cs4 | deviceCustomString4 | SPF/DKIM/DMARC result | Result of SPF/DKIM/DMARC check, in RFC7601 format |
| cs4Label | deviceCustomString4Label | "SPF/DKIM/DMARC result" | |
| cs5 | deviceCustomString5 | "From:" sender | Sender address from RFC5322 header "From:" |
| cs5Label | deviceCustomString5Label | "From header" | |
| cs6 | deviceCustomString6 | "To:" and "Cc:" recipients | Recipient addresses from RFC5322 headers "To:" and "Cc:" |
| cs6Label | deviceCustomString6Label | "To and Cc headers" | |
| fname | filename (1023) | Attachment name | Name of the first detected attachment |
| fileHash | fileHash (255) | Attachment hash | Hash of the first detected attachment |
| fsize | fileSize | Attachment size | Size of the first detected attachment |
| reason | reason (1023) | Rule/policy activated | Name of the policy triggered by the email or its content |
| ESETEMSXFileDetails | ESETEMSXFileDetails | File details | Information about all detected attachments: their names, hashes and sizes |

Optional

| CEF Key Name | CEF Key Full Name (Size) | Field Description | Detailed Field Description |
|---|---|---|---|
| end | endTime | Time event has ended | The time at which the activity ended, in milliseconds since Jan 1st 1970. Only useful when ESET LiveGuard Advanced uses sandbox technology. |
| dtz | deviceTimeZone (255) | Timezone of the server | |
| request | requestURL | Detected URL | Malicious or blacklisted URL extracted from the message body or message headers. ESET Mail Security does not provide a single URL in the log, because the various detection components can detect multiple URLs in an email. |
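As an added example (not ESET's or ArcSight's code), the parser below reads one CEF record in the shape of the mapping above, handles the CEF escaping of `|` and `=`, folds `cs1Label`..`cs6Label` into the field they name, converts `rt` from epoch milliseconds, and derives the category from the Device Event Class ID ranges in the header table. The sample record is constructed for the example; field values in it are not real detections.

```python
"""Parse an ESET Mail Security (EMSX) CEF record into the fields of the mapping above."""
import re
from datetime import datetime, timezone

# Device Event Class ID ranges as documented in the header table.
CATEGORY_RANGES = [(100, 199, "malware"), (200, 299, "phish"),
                   (300, 399, "spam"), (400, 499, "policy")]

def _unescape(s):
    # CEF escapes '|' and '\' in the header and '=' and '\' in extensions with a backslash.
    return re.sub(r"\\(.)", r"\1", s)

def category_for(event_class_id):
    """Map a Device Event Class ID (e.g. "101") to its category range."""
    if not event_class_id.isdigit():
        return "unknown"
    n = int(event_class_id)
    return next((name for lo, hi, name in CATEGORY_RANGES if lo <= n <= hi), "unknown")

def parse_extensions(ext):
    """Split 'key=value key=value' where values may contain spaces and escaped '='."""
    pairs = re.findall(r"(\w+)=((?:\\.|(?!\s\w+=).)*)", ext)
    return {k: _unescape(v) for k, v in pairs}

def parse_emsx_cef(line):
    """Return header, derived category and extension fields with cs1..cs6 resolved to their labels."""
    parts = re.split(r"(?<!\\)\|", line.rstrip("\n"), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    header = dict(zip(["vendor", "product", "version", "event_class_id", "name", "severity"],
                      map(_unescape, parts[1:7])))
    ext = parse_extensions(parts[7])
    fields = {}
    for key, value in ext.items():
        if key.endswith("Label"):
            continue  # the label is folded into the key it names (cs1 -> "Anti-Malware result")
        fields[ext.get(key + "Label", key)] = value
    if fields.get("rt", "").isdigit():  # rt is milliseconds since Jan 1st 1970
        fields["rt"] = datetime.fromtimestamp(int(fields["rt"]) / 1000, tz=timezone.utc).isoformat()
    return {"header": header, "category": category_for(header["event_class_id"]), "fields": fields}

# Constructed sample record in the shape of the mapping; not a real EMSX log line.
SAMPLE = ("CEF:0|ESET|EMSX|7.1.10005.0|101|MailScanResult: malware|8|"
          "rt=1700000000000 src=203.0.113.10 shost=mail.example.test "
          "suser=sender@example.test duser=user@corp.example "
          "msg=Invoice 2023\\=Q4 act=quarantined cat=malware "
          "cs1=Eicar test file cs1Label=Anti-Malware result fname=invoice.exe fsize=68")

if __name__ == "__main__":
    print(parse_emsx_cef(SAMPLE))
```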