Skip to content

Retarus Email Security

Overview

Protection solution for user and technical messaging.

  • Vendor: Retarus
  • Supported environment: Cloud
  • Detection based on: Telemetry / Alert
  • Supported application or feature: Email gateway

Raw Events Samples

In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured.

{
    "direction": "OUTBOUND",
    "class": "EVENT",
    "version": "1.0",
    "type": "MTA",
    "ts": "2021-05-18 16:50:30 +0200",
    "host": "events.retarus.com",
    "customer": "45987FR",
    "metaData": {},
    "sender": "utilisateur@mail.fr",
    "status": "ACCEPTED",
    "mimeId": "<d12b9brrfd3c89723ee5@STZE007.super.corp>",
    "rmxId": "20210518-32464-yvrfukcZEcd-0@out33.fg",
    "sourceIp": "255.255.255.1",
    "recipient": "recepient@mail.com"
}
{
    "customer": "CuNo",
    "metaData": {
        "authentication": {
            "dkim": {
                "status": "dkim=none",
                "details": "dkim=none reason=\"no signature\""
            }
        },
        "transportEncryption": {
            "requested": false,
            "established": false
        },
        "header": {
            "subject": "This is a test mail",
            "from": "sender@example.com"
        },
        "contentEncryption": false
    },
    "host": "events.retarus.com",
    "ts": "2021-07-11 14:58:43 +0200",
    "version": "1.0",
    "sourceIp": "xxx.xxx.xxx.xxx",
    "sender": "xxxxxxx@retarus.com",
    "type": "MTA",
    "subtype": "INCOMING",
    "direction": "INBOUND",
    "recipient": "xxxxxxx@retarus.de",
    "mimeId": "<5616dfeid.xxxxxxxxxx@retarus.net>",
    "status": "ACCEPTED",
    "class": "EVENT",
    "rmxId": "20210711-145842-xxxxxx-xxxxxx-0@mailin27"
}
{
    "version": "1.0",
    "rmxId": "20220912-000000-111111111111-0@example",
    "sender": "",
    "ts": "2022-09-12 16:30:58 +0200",
    "metaData": {
        "transportEncryption": {
            "protocol": "TLSv1.2",
            "cipherSuite": "ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
            "established": true,
            "requested": true
        },
        "authentication": {
            "dkim": {
                "status": "dkim=none",
                "details": "dkim=none reason=\"no signature\""
            },
            "spf": {
                "status": "spf=none",
                "details": "spf=none smtp.helo=mailer.com"
            }
        },
        "header": {
            "from": "MAILER-DAEMON (Mail Delivery System)",
            "subject": "Undelivered Mail Returned to Sender"
        },
        "contentEncryption": false
    },
    "recipient": "user@example.org",
    "sourceIp": "1.2.3.4",
    "type": "MTA",
    "subtype": "INCOMING",
    "host": "events.retarus.com",
    "direction": "INBOUND",
    "status": "ACCEPTED",
    "customer": "15752FR",
    "class": "EVENT",
    "mimeId": "<00000000@mailer.com>"
}
{
    "customer": "CuNo",
    "metaData": {
        "transportEncryption": {
            "requested": true,
            "established": true,
            "protocol": "TLSv1.2",
            "cipherSuite": "ECDHE-RSA-AES128-SHA256(128/128bits)"
        },
        "header": {
            "subject": "This is a test mail",
            "from": "sender@example.com"
        }
    },
    "host": "events.retarus.com",
    "ts": "2021-07-11 14:58:43 +0200",
    "version": "1.0",
    "sourceIp": "255.255.255.1",
    "sender": "xxxxxxx@retarus.com",
    "type": "MTA",
    "subtype": "INCOMING",
    "direction": "OUTBOUND",
    "recipient": "xxxxxxx@retarus.de",
    "mimeId": "<5616dfeid.xxxxxxxxxx@retarus.net>",
    "status": "ACCEPTED",
    "class": "EVENT",
    "rmxId": "20210711-145842-xxxxxx-xxxxxx-0@mailin27"
}
{
    "class": "EVENT",
    "rmxId": "0001",
    "sourceIp": "1.1.1.1",
    "metaData": {
        "header": {
            "from": "sender <sender@senderdomain.fr>",
            "subject": "This is a subject"
        },
        "transportEncryption": {
            "requested": true,
            "established": true,
            "protocol": "TLSv1.2",
            "cipherSuite": "ecdhe-ecdsa-aes128-gcm-sha256"
        }
    },
    "recipient": "recipient@recipientdomain.fr",
    "mimeId": "<11111111>",
    "sender": "sender@senderdomain.fr",
    "version": "1.0",
    "customer": "1",
    "host": "host.fr",
    "subtype": "INCOMING",
    "type": "AAA",
    "ts": "2021-10-1 09:00:00 +0200",
    "direction": "OUTBOUND",
    "status": "ACCEPTED"
}
{
    "customer": "CuNo",
    "metaData": {},
    "host": "events.retarus.com",
    "ts": "2018-10-16 14:58:18 +0200",
    "version": "1.0",
    "sourceIp": "xxx.xxx.xxx.xxx",
    "sender": "xxxxxxx@retarus.com",
    "type": "CxO",
    "direction": "INBOUND",
    "recipient": "xxxxxxx@retarus.de",
    "mimeId": "<164D6G96.xxxxxxx@retarus.net>",
    "status": "DETECTED",
    "class": "THREAT",
    "rmxId": "20181016-145817-42ZFjPxxxxxx-0@mailin01"
}
{
    "customer": "CuNo",
    "metaData": {
        "details": "EICAR-AV-Test"
    },
    "host": "events.retarus.com",
    "ts": "2018-10-16 14:58:43 +0200",
    "version": "1.0",
    "sourceIp": "xxx.xxx.xxx.xxx",
    "sender": "xxxxxxx@retarus.com",
    "type": "MultiScan",
    "direction": "OUTBOUND",
    "recipient": "xxxxxxx@retarus.de",
    "mimeId": "<5616dfeid.xxxxxxxxxx@retarus.net>",
    "status": "INFECTED",
    "class": "THREAT",
    "rmxId": "20181016-145842-xxxxxx-xxxxxx-0@mailin27"
}
{
    "customer": "CuNo",
    "metaData": {
        "hashFunction": "sha256",
        "threatType": "VIRUS",
        "checksum": "6b84714d0fa8c77d846306f37f4f3135596d34e17dca4f84088195272fd",
        "mimeType": "applicationx-dosexec",
        "details": "EICAR-Test-File"
    },
    "host": "events.retarus.com",
    "ts": "2018-10-16 14:58:56 +0200",
    "version": "1.0",
    "sourceIp": "xxx.xxx.xxx.xxx",
    "sender": "xxxxxx@retarus.de",
    "type": "PZD",
    "direction": "INBOUND",
    "recipient": "xxxxxxx@retarus.de",
    "mimeId": "<56168B42.xxxxxxx@retarus.net>",
    "status": "DETECTED",
    "class": "THREAT",
    "rmxId": "20181016-145852-xxxxxx-xxxxxx-0@mailin01"
}
{
    "customer": "CuNo",
    "metaData": {
        "hashFunction": "sha256",
        "checksum": "cbfdedf25f7f04daf9d705548cf6b6546d66bc206ea1a166fff15ece9434"
    },
    "host": "events.retarus.com",
    "ts": "2018-10-16 15:03:43 +0200",
    "version": "1.0",
    "sourceIp": "xxx.xxx.xxx.xxx",
    "sender": "xxxxxxx@retarus.com",
    "type": "Sandboxing",
    "direction": "INBOUND",
    "recipient": "xxxxxxx@retarus.de",
    "mimeId": "<37357C96.xxxxxxx@retarus.net>",
    "status": "SUSPICIOUS",
    "class": "THREAT",
    "rmxId": "20181016-145902-xxxxxx-0@mailin08"
}

Detection section

The following section provides information for those who wish to learn more about the detection capabilities enabled by collecting this intake. It includes details about the built-in rule catalog, event categories, and ECS fields extracted from raw events. This is essential for users aiming to create custom detection rules, perform hunting activities, or pivot in the events page.

Event Categories

The following table lists the data source offered by this integration.

Data Source Description
Email gateway Retarus Email Security solution.

In details, the following table denotes the type of events produced by this integration.

Name Values
Kind alert
Category email, malware, web
Type info

Transformed Events Samples after Ingestion

This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the built-in detection rules and hunting activities in the events page. Understanding these transformations is essential for analysts to create effective detection mechanisms with custom detection rules and to leverage the full potential of the collected data.

{
    "message": "{\"direction\": \"OUTBOUND\", \"class\": \"EVENT\", \"version\": \"1.0\", \"type\": \"MTA\", \"ts\": \"2021-05-18 16:50:30 +0200\", \"host\": \"events.retarus.com\", \"customer\": \"45987FR\", \"metaData\": {}, \"sender\": \"utilisateur@mail.fr\", \"status\": \"ACCEPTED\", \"mimeId\": \"<d12b9brrfd3c89723ee5@STZE007.super.corp>\", \"rmxId\": \"20210518-32464-yvrfukcZEcd-0@out33.fg\", \"sourceIp\": \"255.255.255.1\", \"recipient\": \"recepient@mail.com\"}",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "EVENT",
        "outcome": "success",
        "outcome_reason": "ACCEPTED"
    },
    "destination": {
        "address": "mail.com",
        "domain": "mail.com",
        "registered_domain": "mail.com",
        "top_level_domain": "com"
    },
    "email": {
        "from": {
            "address": [
                "null"
            ]
        },
        "sender": {
            "address": [
                "recepient@mail.com"
            ]
        }
    },
    "observer": {
        "hostname": "events.retarus.com",
        "product": "Email Security",
        "vendor": "Retarus",
        "version": "1.0"
    },
    "organization": {
        "id": "45987FR"
    },
    "related": {
        "hosts": [
            "events.retarus.com",
            "mail.com",
            "mail.fr"
        ],
        "ip": [
            "255.255.255.1"
        ]
    },
    "retarus": {
        "class": "EVENT",
        "email_direction": "OUTBOUND",
        "message_id": "20210518-32464-yvrfukcZEcd-0@out33.fg",
        "mime_message_id": "<d12b9brrfd3c89723ee5@STZE007.super.corp>",
        "recipient": "recepient@mail.com",
        "sender": "utilisateur@mail.fr",
        "status": "ACCEPTED",
        "timestamp": "2021-05-18 16:50:30 +0200",
        "type": "MTA"
    },
    "source": {
        "address": "mail.fr",
        "domain": "mail.fr",
        "ip": "255.255.255.1",
        "registered_domain": "mail.fr",
        "top_level_domain": "fr"
    }
}
{
    "message": "{\"customer\": \"CuNo\",\"metaData\": {\"authentication\": {\"dkim\": {\"status\": \"dkim=none\",\"details\": \"dkim=none reason=\\\"no signature\\\"\"}},\"transportEncryption\": {\"requested\": false,\"established\": false},\"header\": {\"subject\": \"This is a test mail\",\"from\": \"sender@example.com\"},\"contentEncryption\": false},\"host\": \"events.retarus.com\",\"ts\": \"2021-07-11 14:58:43 +0200\",\"version\": \"1.0\",\"sourceIp\": \"xxx.xxx.xxx.xxx\",\"sender\": \"xxxxxxx@retarus.com\",\"type\": \"MTA\",\"subtype\": \"INCOMING\",\"direction\": \"INBOUND\",\"recipient\": \"xxxxxxx@retarus.de\",\"mimeId\": \"<5616dfeid.xxxxxxxxxx@retarus.net>\",\"status\": \"ACCEPTED\",\"class\": \"EVENT\",\"rmxId\": \"20210711-145842-xxxxxx-xxxxxx-0@mailin27\"}",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "EVENT",
        "outcome": "success",
        "outcome_reason": "ACCEPTED"
    },
    "destination": {
        "address": "retarus.de",
        "domain": "retarus.de",
        "registered_domain": "retarus.de",
        "top_level_domain": "de"
    },
    "email": {
        "from": {
            "address": [
                "sender@example.com"
            ]
        },
        "sender": {
            "address": [
                "xxxxxxx@retarus.de"
            ]
        },
        "subject": "This is a test mail"
    },
    "observer": {
        "hostname": "events.retarus.com",
        "product": "Email Security",
        "vendor": "Retarus",
        "version": "1.0"
    },
    "organization": {
        "id": "CuNo"
    },
    "related": {
        "hosts": [
            "events.retarus.com",
            "retarus.com",
            "retarus.de"
        ]
    },
    "retarus": {
        "class": "EVENT",
        "dkim": {
            "result": "dkim=none reason=\"no signature\""
        },
        "email_direction": "INBOUND",
        "message_id": "20210711-145842-xxxxxx-xxxxxx-0@mailin27",
        "mime_message_id": "<5616dfeid.xxxxxxxxxx@retarus.net>",
        "recipient": "xxxxxxx@retarus.de",
        "sender": "xxxxxxx@retarus.com",
        "status": "ACCEPTED",
        "timestamp": "2021-07-11 14:58:43 +0200",
        "type": "MTA"
    },
    "source": {
        "address": "retarus.com",
        "domain": "retarus.com",
        "registered_domain": "retarus.com",
        "top_level_domain": "com"
    }
}
{
    "message": "{\"version\":\"1.0\",\"rmxId\":\"20220912-000000-111111111111-0@example\",\"sender\":\"\",\"ts\":\"2022-09-12 16:30:58 +0200\",\"metaData\":{\"transportEncryption\":{\"protocol\":\"TLSv1.2\",\"cipherSuite\":\"ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)\",\"established\":true,\"requested\":true},\"authentication\":{\"dkim\":{\"status\":\"dkim=none\",\"details\":\"dkim=none reason=\\\"no signature\\\"\"},\"spf\":{\"status\":\"spf=none\",\"details\":\"spf=none smtp.helo=mailer.com\"}},\"header\":{\"from\":\"MAILER-DAEMON (Mail Delivery System)\",\"subject\":\"Undelivered Mail Returned to Sender\"},\"contentEncryption\":false},\"recipient\":\"user@example.org\",\"sourceIp\":\"1.2.3.4\",\"type\":\"MTA\",\"subtype\":\"INCOMING\",\"host\":\"events.retarus.com\",\"direction\":\"INBOUND\",\"status\":\"ACCEPTED\",\"customer\":\"15752FR\",\"class\":\"EVENT\",\"mimeId\":\"<00000000@mailer.com>\"}\n",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "EVENT",
        "outcome": "success",
        "outcome_reason": "ACCEPTED"
    },
    "destination": {
        "address": "example.org",
        "domain": "example.org",
        "registered_domain": "example.org",
        "top_level_domain": "org"
    },
    "email": {
        "from": {
            "address": [
                "MAILER-DAEMON (Mail Delivery System)"
            ]
        },
        "sender": {
            "address": [
                "user@example.org"
            ]
        },
        "subject": "Undelivered Mail Returned to Sender"
    },
    "observer": {
        "hostname": "events.retarus.com",
        "product": "Email Security",
        "vendor": "Retarus",
        "version": "1.0"
    },
    "organization": {
        "id": "15752FR"
    },
    "related": {
        "hosts": [
            "events.retarus.com",
            "example.org"
        ],
        "ip": [
            "1.2.3.4"
        ]
    },
    "retarus": {
        "class": "EVENT",
        "dkim": {
            "result": "dkim=none reason=\"no signature\""
        },
        "email_direction": "INBOUND",
        "message_id": "20220912-000000-111111111111-0@example",
        "mime_message_id": "<00000000@mailer.com>",
        "recipient": "user@example.org",
        "spf": {
            "status": "spf=none"
        },
        "status": "ACCEPTED",
        "timestamp": "2022-09-12 16:30:58 +0200",
        "type": "MTA"
    },
    "source": {
        "address": "1.2.3.4",
        "ip": "1.2.3.4"
    }
}
{
    "message": "{\"customer\": \"CuNo\",\"metaData\": {\"transportEncryption\": {\"requested\": true,\"established\": true,\"protocol\": \"TLSv1.2\",\"cipherSuite\": \"ECDHE-RSA-AES128-SHA256(128/128bits)\"},\"header\": {\"subject\": \"This is a test mail\",\"from\": \"sender@example.com\"}},\"host\": \"events.retarus.com\",\"ts\": \"2021-07-11 14:58:43 +0200\",\"version\": \"1.0\",\"sourceIp\": \"255.255.255.1\",\"sender\": \"xxxxxxx@retarus.com\",\"type\": \"MTA\",\"subtype\": \"INCOMING\",\"direction\": \"OUTBOUND\",\"recipient\": \"xxxxxxx@retarus.de\",\"mimeId\": \"<5616dfeid.xxxxxxxxxx@retarus.net>\",\"status\": \"ACCEPTED\",\"class\": \"EVENT\",\"rmxId\": \"20210711-145842-xxxxxx-xxxxxx-0@mailin27\"}",
    "event": {
        "category": [
            "email"
        ],
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "EVENT",
        "outcome": "success",
        "outcome_reason": "ACCEPTED"
    },
    "destination": {
        "address": "retarus.de",
        "domain": "retarus.de",
        "registered_domain": "retarus.de",
        "top_level_domain": "de"
    },
    "email": {
        "from": {
            "address": [
                "sender@example.com"
            ]
        },
        "sender": {
            "address": [
                "xxxxxxx@retarus.de"
            ]
        },
        "subject": "This is a test mail"
    },
    "observer": {
        "hostname": "events.retarus.com",
        "product": "Email Security",
        "vendor": "Retarus",
        "version": "1.0"
    },
    "organization": {
        "id": "CuNo"
    },
    "related": {
        "hosts": [
            "events.retarus.com",
            "retarus.com",
            "retarus.de"
        ],
        "ip": [
            "255.255.255.1"
        ]
    },
    "retarus": {
        "class": "EVENT",
        "email_direction": "OUTBOUND",
        "message_id": "20210711-145842-xxxxxx-xxxxxx-0@mailin27",
        "mime_message_id": "<5616dfeid.xxxxxxxxxx@retarus.net>",
        "recipient": "xxxxxxx@retarus.de",
        "sender": "xxxxxxx@retarus.com",
        "status": "ACCEPTED",
        "timestamp": "2021-07-11 14:58:43 +0200",
        "type": "MTA"
    },
    "source": {
        "address": "retarus.com",
        "domain": "retarus.com",
        "ip": "255.255.255.1",
        "registered_domain": "retarus.com",
        "top_level_domain": "com"
    }
}
{
    "message": "{\"class\": \"EVENT\", \"rmxId\": \"0001\", \"sourceIp\": \"1.1.1.1\", \"metaData\": {\"header\": {\"from\": \"sender <sender@senderdomain.fr>\", \"subject\": \"This is a subject\"}, \"transportEncryption\": {\"requested\": true, \"established\": true, \"protocol\": \"TLSv1.2\", \"cipherSuite\": \"ecdhe-ecdsa-aes128-gcm-sha256\"}}, \"recipient\": \"recipient@recipientdomain.fr\", \"mimeId\": \"<11111111>\", \"sender\": \"sender@senderdomain.fr\", \"version\": \"1.0\", \"customer\": \"1\", \"host\": \"host.fr\", \"subtype\": \"INCOMING\", \"type\": \"AAA\", \"ts\": \"2021-10-1 09:00:00 +0200\", \"direction\": \"OUTBOUND\", \"status\": \"ACCEPTED\"}",
    "event": {
        "category": [
            "email"
        ],
        "type": [
            "info"
        ]
    },
    "destination": {
        "address": "recipientdomain.fr",
        "domain": "recipientdomain.fr",
        "registered_domain": "recipientdomain.fr",
        "top_level_domain": "fr"
    },
    "email": {
        "from": {
            "address": [
                "sender <sender@senderdomain.fr>"
            ]
        },
        "sender": {
            "address": [
                "recipient@recipientdomain.fr"
            ]
        },
        "subject": "This is a subject"
    },
    "observer": {
        "hostname": "host.fr",
        "product": "Email Security",
        "vendor": "Retarus",
        "version": "1.0"
    },
    "organization": {
        "id": "1"
    },
    "related": {
        "hosts": [
            "host.fr",
            "recipientdomain.fr",
            "senderdomain.fr"
        ],
        "ip": [
            "1.1.1.1"
        ]
    },
    "retarus": {
        "class": "EVENT",
        "email_direction": "OUTBOUND",
        "message_id": "0001",
        "mime_message_id": "<11111111>",
        "recipient": "recipient@recipientdomain.fr",
        "sender": "sender@senderdomain.fr",
        "status": "ACCEPTED",
        "timestamp": "2021-10-1 09:00:00 +0200",
        "type": "AAA"
    },
    "source": {
        "address": "senderdomain.fr",
        "domain": "senderdomain.fr",
        "ip": "1.1.1.1",
        "registered_domain": "senderdomain.fr",
        "top_level_domain": "fr"
    }
}
{
    "message": "{\"customer\": \"CuNo\", \"metaData\": {}, \"host\": \"events.retarus.com\", \"ts\": \"2018-10-16 14:58:18 +0200\", \"version\": \"1.0\", \"sourceIp\": \"xxx.xxx.xxx.xxx\", \"sender\": \"xxxxxxx@retarus.com\", \"type\": \"CxO\", \"direction\": \"INBOUND\", \"recipient\": \"xxxxxxx@retarus.de\", \"mimeId\": \"<164D6G96.xxxxxxx@retarus.net>\", \"status\": \"DETECTED\", \"class\": \"THREAT\", \"rmxId\": \"20181016-145817-42ZFjPxxxxxx-0@mailin01\"}",
    "event": {
        "category": [
            "malware"
        ],
        "kind": "alert",
        "outcome": "failure",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "THREAT",
        "outcome": "failure"
    },
    "destination": {
        "address": "retarus.de",
        "domain": "retarus.de",
        "registered_domain": "retarus.de",
        "top_level_domain": "de"
    },
    "email": {
        "from": {
            "address": [
                "null"
            ]
        },
        "sender": {
            "address": [
                "xxxxxxx@retarus.de"
            ]
        }
    },
    "observer": {
        "hostname": "events.retarus.com",
        "product": "Email Security",
        "vendor": "Retarus",
        "version": "1.0"
    },
    "organization": {
        "id": "CuNo"
    },
    "related": {
        "hosts": [
            "events.retarus.com",
            "retarus.com",
            "retarus.de"
        ]
    },
    "retarus": {
        "class": "THREAT",
        "email_direction": "INBOUND",
        "message_id": "20181016-145817-42ZFjPxxxxxx-0@mailin01",
        "mime_message_id": "<164D6G96.xxxxxxx@retarus.net>",
        "recipient": "xxxxxxx@retarus.de",
        "sender": "xxxxxxx@retarus.com",
        "status": "DETECTED",
        "timestamp": "2018-10-16 14:58:18 +0200",
        "type": "CxO"
    },
    "source": {
        "address": "retarus.com",
        "domain": "retarus.com",
        "registered_domain": "retarus.com",
        "top_level_domain": "com"
    }
}
{
    "message": "{\"customer\": \"CuNo\", \"metaData\": {\"details\": \"EICAR-AV-Test\"}, \"host\": \"events.retarus.com\", \"ts\": \"2018-10-16 14:58:43 +0200\", \"version\": \"1.0\", \"sourceIp\": \"xxx.xxx.xxx.xxx\", \"sender\": \"xxxxxxx@retarus.com\", \"type\": \"MultiScan\", \"direction\": \"OUTBOUND\", \"recipient\": \"xxxxxxx@retarus.de\", \"mimeId\": \"<5616dfeid.xxxxxxxxxx@retarus.net>\", \"status\": \"INFECTED\", \"class\": \"THREAT\", \"rmxId\": \"20181016-145842-xxxxxx-xxxxxx-0@mailin27\"}",
    "event": {
        "category": [
            "malware"
        ],
        "kind": "alert",
        "outcome": "failure",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "THREAT",
        "outcome": "failure"
    },
    "destination": {
        "address": "retarus.de",
        "domain": "retarus.de",
        "registered_domain": "retarus.de",
        "top_level_domain": "de"
    },
    "email": {
        "from": {
            "address": [
                "null"
            ]
        },
        "sender": {
            "address": [
                "xxxxxxx@retarus.de"
            ]
        }
    },
    "observer": {
        "hostname": "events.retarus.com",
        "product": "Email Security",
        "vendor": "Retarus",
        "version": "1.0"
    },
    "organization": {
        "id": "CuNo"
    },
    "related": {
        "hosts": [
            "events.retarus.com",
            "retarus.com",
            "retarus.de"
        ]
    },
    "retarus": {
        "class": "THREAT",
        "email_direction": "OUTBOUND",
        "message_id": "20181016-145842-xxxxxx-xxxxxx-0@mailin27",
        "mime_message_id": "<5616dfeid.xxxxxxxxxx@retarus.net>",
        "recipient": "xxxxxxx@retarus.de",
        "sender": "xxxxxxx@retarus.com",
        "status": "INFECTED",
        "timestamp": "2018-10-16 14:58:43 +0200",
        "type": "MultiScan",
        "virus_name": "EICAR-AV-Test"
    },
    "source": {
        "address": "retarus.com",
        "domain": "retarus.com",
        "registered_domain": "retarus.com",
        "top_level_domain": "com"
    }
}
{
    "message": "{\"customer\": \"CuNo\", \"metaData\": {\"hashFunction\": \"sha256\", \"threatType\": \"VIRUS\", \"checksum\": \"6b84714d0fa8c77d846306f37f4f3135596d34e17dca4f84088195272fd\", \"mimeType\": \"applicationx-dosexec\", \"details\": \"EICAR-Test-File\"}, \"host\": \"events.retarus.com\", \"ts\": \"2018-10-16 14:58:56 +0200\", \"version\": \"1.0\", \"sourceIp\": \"xxx.xxx.xxx.xxx\", \"sender\": \"xxxxxx@retarus.de\", \"type\": \"PZD\", \"direction\": \"INBOUND\", \"recipient\": \"xxxxxxx@retarus.de\", \"mimeId\": \"<56168B42.xxxxxxx@retarus.net>\", \"status\": \"DETECTED\", \"class\": \"THREAT\", \"rmxId\": \"20181016-145852-xxxxxx-xxxxxx-0@mailin01\"}",
    "event": {
        "category": [
            "malware"
        ],
        "kind": "alert",
        "outcome": "failure",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "THREAT",
        "outcome": "failure"
    },
    "destination": {
        "address": "retarus.de",
        "domain": "retarus.de",
        "registered_domain": "retarus.de",
        "top_level_domain": "de"
    },
    "email": {
        "from": {
            "address": [
                "null"
            ]
        },
        "sender": {
            "address": [
                "xxxxxxx@retarus.de"
            ]
        }
    },
    "file": {
        "hash": {
            "sha256": "sha256"
        },
        "mimeType": "applicationx-dosexec"
    },
    "observer": {
        "hostname": "events.retarus.com",
        "product": "Email Security",
        "vendor": "Retarus",
        "version": "1.0"
    },
    "organization": {
        "id": "CuNo"
    },
    "related": {
        "hash": [
            "sha256"
        ],
        "hosts": [
            "events.retarus.com",
            "retarus.de"
        ]
    },
    "retarus": {
        "class": "THREAT",
        "email_direction": "INBOUND",
        "message_id": "20181016-145852-xxxxxx-xxxxxx-0@mailin01",
        "mime_message_id": "<56168B42.xxxxxxx@retarus.net>",
        "recipient": "xxxxxxx@retarus.de",
        "sender": "xxxxxx@retarus.de",
        "status": "DETECTED",
        "timestamp": "2018-10-16 14:58:56 +0200",
        "type": "PZD",
        "virus_name": "EICAR-Test-File"
    },
    "source": {
        "address": "retarus.de",
        "domain": "retarus.de",
        "registered_domain": "retarus.de",
        "top_level_domain": "de"
    }
}
{
    "message": "{\"customer\": \"CuNo\", \"metaData\": {\"hashFunction\": \"sha256\", \"checksum\": \"cbfdedf25f7f04daf9d705548cf6b6546d66bc206ea1a166fff15ece9434\"}, \"host\": \"events.retarus.com\", \"ts\": \"2018-10-16 15:03:43 +0200\", \"version\": \"1.0\", \"sourceIp\": \"xxx.xxx.xxx.xxx\", \"sender\": \"xxxxxxx@retarus.com\", \"type\": \"Sandboxing\", \"direction\": \"INBOUND\", \"recipient\": \"xxxxxxx@retarus.de\", \"mimeId\": \"<37357C96.xxxxxxx@retarus.net>\", \"status\": \"SUSPICIOUS\", \"class\": \"THREAT\", \"rmxId\": \"20181016-145902-xxxxxx-0@mailin08\"}",
    "event": {
        "category": [
            "malware"
        ],
        "kind": "alert",
        "outcome": "failure",
        "type": [
            "info"
        ]
    },
    "action": {
        "name": "THREAT",
        "outcome": "failure"
    },
    "destination": {
        "address": "retarus.de",
        "domain": "retarus.de",
        "registered_domain": "retarus.de",
        "top_level_domain": "de"
    },
    "email": {
        "from": {
            "address": [
                "null"
            ]
        },
        "sender": {
            "address": [
                "xxxxxxx@retarus.de"
            ]
        }
    },
    "file": {
        "hash": {
            "sha256": "sha256"
        }
    },
    "observer": {
        "hostname": "events.retarus.com",
        "product": "Email Security",
        "vendor": "Retarus",
        "version": "1.0"
    },
    "organization": {
        "id": "CuNo"
    },
    "related": {
        "hash": [
            "sha256"
        ],
        "hosts": [
            "events.retarus.com",
            "retarus.com",
            "retarus.de"
        ]
    },
    "retarus": {
        "class": "THREAT",
        "email_direction": "INBOUND",
        "message_id": "20181016-145902-xxxxxx-0@mailin08",
        "mime_message_id": "<37357C96.xxxxxxx@retarus.net>",
        "recipient": "xxxxxxx@retarus.de",
        "sender": "xxxxxxx@retarus.com",
        "status": "SUSPICIOUS",
        "timestamp": "2018-10-16 15:03:43 +0200",
        "type": "Sandboxing"
    },
    "source": {
        "address": "retarus.com",
        "domain": "retarus.com",
        "registered_domain": "retarus.com",
        "top_level_domain": "com"
    }
}

Extracted Fields

The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.

Name Type Description
destination.domain keyword The domain name of the destination.
email.from.address keyword The sender's email address.
email.sender.address keyword Address of the message sender.
email.subject keyword The subject of the email message.
event.category keyword Event category. The second categorization field in the hierarchy.
event.kind keyword The kind of the event. The highest categorization field in the hierarchy.
event.type keyword Event type. The third categorization field in the hierarchy.
file.hash.md5 keyword MD5 hash.
file.hash.sha1 keyword SHA1 hash.
file.hash.sha256 keyword SHA256 hash.
file.hash.sha512 keyword SHA512 hash.
file.hash.ssdeep keyword SSDEEP hash.
file.mimeType keyword MIME type of the detected file (only included if threat type is VIRUS)
observer.hostname keyword Hostname of the observer.
observer.product keyword The product name of the observer.
observer.vendor keyword Vendor name of the observer.
observer.version keyword Observer version.
organization.id keyword Unique identifier for the organization.
retarus.class keyword Classification of the event
retarus.dkim.result keyword DKIM result
retarus.email_direction keyword Possible values are: INBOUND
retarus.message_id keyword Retarus unique message ID
retarus.mime_message_id keyword Mime message ID
retarus.phishing_identifier long Phishing identifier (if threat type is “URL”)
retarus.recipient keyword Recipient of the message (envTo)
retarus.sender keyword Sender of the message (envFrom)
retarus.spf.record keyword SPF record
retarus.spf.status keyword SPF result
retarus.status keyword Possible values are: - for threat events: INFECTED
retarus.timestamp keyword Timestamp of the message in YYYY-MM-DD hh:mm:ss +hhmm
retarus.type keyword Feature which the event is for possible values are: MultiScan, CxO, Sandboxing, PZD, MTA
retarus.virus_name keyword Virus name(s) found
source.domain keyword The domain name of the source.
source.ip ip IP address of the source.
url.full wildcard Full unparsed URL.

For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events here.