Retarus Email Security
Overview
Protection solution for user and technical messaging.
- Vendor: Retarus
- Plan: Defend Prime
- Supported environment: Cloud
- Detection based on: Telemetry / Alert
- Supported application or feature: Email gateway
Raw Events Samples
In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured.
{
"direction": "OUTBOUND",
"class": "EVENT",
"version": "1.0",
"type": "MTA",
"ts": "2021-05-18 16:50:30 +0200",
"host": "events.retarus.com",
"customer": "45987FR",
"metaData": {},
"sender": "utilisateur@mail.fr",
"status": "ACCEPTED",
"mimeId": "<d12b9brrfd3c89723ee5@STZE007.super.corp>",
"rmxId": "20210518-32464-yvrfukcZEcd-0@out33.fg",
"sourceIp": "255.255.255.1",
"recipient": "recepient@mail.com"
}
{
"customer": "CuNo",
"metaData": {
"authentication": {
"dkim": {
"status": "dkim=none",
"details": "dkim=none reason=\"no signature\""
}
},
"transportEncryption": {
"requested": false,
"established": false
},
"header": {
"subject": "This is a test mail",
"from": "sender@example.com"
},
"contentEncryption": false
},
"host": "events.retarus.com",
"ts": "2021-07-11 14:58:43 +0200",
"version": "1.0",
"sourceIp": "xxx.xxx.xxx.xxx",
"sender": "xxxxxxx@retarus.com",
"type": "MTA",
"subtype": "INCOMING",
"direction": "INBOUND",
"recipient": "xxxxxxx@retarus.de",
"mimeId": "<5616dfeid.xxxxxxxxxx@retarus.net>",
"status": "ACCEPTED",
"class": "EVENT",
"rmxId": "20210711-145842-xxxxxx-xxxxxx-0@mailin27"
}
{
"version": "1.0",
"rmxId": "20220912-000000-111111111111-0@example",
"sender": "",
"ts": "2022-09-12 16:30:58 +0200",
"metaData": {
"transportEncryption": {
"protocol": "TLSv1.2",
"cipherSuite": "ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
"established": true,
"requested": true
},
"authentication": {
"dkim": {
"status": "dkim=none",
"details": "dkim=none reason=\"no signature\""
},
"spf": {
"status": "spf=none",
"details": "spf=none smtp.helo=mailer.com"
}
},
"header": {
"from": "MAILER-DAEMON (Mail Delivery System)",
"subject": "Undelivered Mail Returned to Sender"
},
"contentEncryption": false
},
"recipient": "user@example.org",
"sourceIp": "1.2.3.4",
"type": "MTA",
"subtype": "INCOMING",
"host": "events.retarus.com",
"direction": "INBOUND",
"status": "ACCEPTED",
"customer": "15752FR",
"class": "EVENT",
"mimeId": "<00000000@mailer.com>"
}
{
"customer": "CuNo",
"metaData": {
"transportEncryption": {
"requested": true,
"established": true,
"protocol": "TLSv1.2",
"cipherSuite": "ECDHE-RSA-AES128-SHA256(128/128bits)"
},
"header": {
"subject": "This is a test mail",
"from": "sender@example.com"
}
},
"host": "events.retarus.com",
"ts": "2021-07-11 14:58:43 +0200",
"version": "1.0",
"sourceIp": "255.255.255.1",
"sender": "xxxxxxx@retarus.com",
"type": "MTA",
"subtype": "INCOMING",
"direction": "OUTBOUND",
"recipient": "xxxxxxx@retarus.de",
"mimeId": "<5616dfeid.xxxxxxxxxx@retarus.net>",
"status": "ACCEPTED",
"class": "EVENT",
"rmxId": "20210711-145842-xxxxxx-xxxxxx-0@mailin27"
}
{
"class": "EVENT",
"rmxId": "0001",
"sourceIp": "1.1.1.1",
"metaData": {
"header": {
"from": "sender <sender@senderdomain.fr>",
"subject": "This is a subject"
},
"transportEncryption": {
"requested": true,
"established": true,
"protocol": "TLSv1.2",
"cipherSuite": "ecdhe-ecdsa-aes128-gcm-sha256"
}
},
"recipient": "recipient@recipientdomain.fr",
"mimeId": "<11111111>",
"sender": "sender@senderdomain.fr",
"version": "1.0",
"customer": "1",
"host": "host.fr",
"subtype": "INCOMING",
"type": "AAA",
"ts": "2021-10-1 09:00:00 +0200",
"direction": "OUTBOUND",
"status": "ACCEPTED"
}
{
"customer": "CuNo",
"metaData": {},
"host": "events.retarus.com",
"ts": "2018-10-16 14:58:18 +0200",
"version": "1.0",
"sourceIp": "xxx.xxx.xxx.xxx",
"sender": "xxxxxxx@retarus.com",
"type": "CxO",
"direction": "INBOUND",
"recipient": "xxxxxxx@retarus.de",
"mimeId": "<164D6G96.xxxxxxx@retarus.net>",
"status": "DETECTED",
"class": "THREAT",
"rmxId": "20181016-145817-42ZFjPxxxxxx-0@mailin01"
}
{
"customer": "CuNo",
"metaData": {
"details": "EICAR-AV-Test"
},
"host": "events.retarus.com",
"ts": "2018-10-16 14:58:43 +0200",
"version": "1.0",
"sourceIp": "xxx.xxx.xxx.xxx",
"sender": "xxxxxxx@retarus.com",
"type": "MultiScan",
"direction": "OUTBOUND",
"recipient": "xxxxxxx@retarus.de",
"mimeId": "<5616dfeid.xxxxxxxxxx@retarus.net>",
"status": "INFECTED",
"class": "THREAT",
"rmxId": "20181016-145842-xxxxxx-xxxxxx-0@mailin27"
}
{
"customer": "CuNo",
"metaData": {
"hashFunction": "sha256",
"threatType": "VIRUS",
"checksum": "6b84714d0fa8c77d846306f37f4f3135596d34e17dca4f84088195272fd",
"mimeType": "applicationx-dosexec",
"details": "EICAR-Test-File"
},
"host": "events.retarus.com",
"ts": "2018-10-16 14:58:56 +0200",
"version": "1.0",
"sourceIp": "xxx.xxx.xxx.xxx",
"sender": "xxxxxx@retarus.de",
"type": "PZD",
"direction": "INBOUND",
"recipient": "xxxxxxx@retarus.de",
"mimeId": "<56168B42.xxxxxxx@retarus.net>",
"status": "DETECTED",
"class": "THREAT",
"rmxId": "20181016-145852-xxxxxx-xxxxxx-0@mailin01"
}
{
"customer": "CuNo",
"metaData": {
"hashFunction": "sha256",
"checksum": "cbfdedf25f7f04daf9d705548cf6b6546d66bc206ea1a166fff15ece9434"
},
"host": "events.retarus.com",
"ts": "2018-10-16 15:03:43 +0200",
"version": "1.0",
"sourceIp": "xxx.xxx.xxx.xxx",
"sender": "xxxxxxx@retarus.com",
"type": "Sandboxing",
"direction": "INBOUND",
"recipient": "xxxxxxx@retarus.de",
"mimeId": "<37357C96.xxxxxxx@retarus.net>",
"status": "SUSPICIOUS",
"class": "THREAT",
"rmxId": "20181016-145902-xxxxxx-0@mailin08"
}
Detection section
The following section provides information for those who wish to learn more about the detection capabilities enabled by collecting this intake. It includes details about the built-in rule catalog, event categories, and ECS fields extracted from raw events. This is essential for users aiming to create custom detection rules, perform hunting activities, or pivot in the events page.
Event Categories
The following table lists the data source offered by this integration.
| Data Source | Description |
|---|---|
Email gateway |
Retarus Email Security solution. |
In details, the following table denotes the type of events produced by this integration.
| Name | Values |
|---|---|
| Kind | alert |
| Category | email, malware, web |
| Type | info |
Transformed Events Samples after Ingestion
This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the built-in detection rules and hunting activities in the events page. Understanding these transformations is essential for analysts to create effective detection mechanisms with custom detection rules and to leverage the full potential of the collected data.
{
"message": "{\"direction\": \"OUTBOUND\", \"class\": \"EVENT\", \"version\": \"1.0\", \"type\": \"MTA\", \"ts\": \"2021-05-18 16:50:30 +0200\", \"host\": \"events.retarus.com\", \"customer\": \"45987FR\", \"metaData\": {}, \"sender\": \"utilisateur@mail.fr\", \"status\": \"ACCEPTED\", \"mimeId\": \"<d12b9brrfd3c89723ee5@STZE007.super.corp>\", \"rmxId\": \"20210518-32464-yvrfukcZEcd-0@out33.fg\", \"sourceIp\": \"255.255.255.1\", \"recipient\": \"recepient@mail.com\"}",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "EVENT",
"outcome": "success",
"outcome_reason": "ACCEPTED"
},
"destination": {
"address": "mail.com",
"domain": "mail.com",
"registered_domain": "mail.com",
"top_level_domain": "com"
},
"email": {
"from": {
"address": [
"null"
]
},
"sender": {
"address": [
"recepient@mail.com"
]
}
},
"observer": {
"hostname": "events.retarus.com",
"product": "Email Security",
"vendor": "Retarus",
"version": "1.0"
},
"organization": {
"id": "45987FR"
},
"related": {
"hosts": [
"events.retarus.com",
"mail.com",
"mail.fr"
],
"ip": [
"255.255.255.1"
]
},
"retarus": {
"class": "EVENT",
"email_direction": "OUTBOUND",
"message_id": "20210518-32464-yvrfukcZEcd-0@out33.fg",
"mime_message_id": "<d12b9brrfd3c89723ee5@STZE007.super.corp>",
"recipient": "recepient@mail.com",
"sender": "utilisateur@mail.fr",
"status": "ACCEPTED",
"timestamp": "2021-05-18 16:50:30 +0200",
"type": "MTA"
},
"source": {
"address": "mail.fr",
"domain": "mail.fr",
"ip": "255.255.255.1",
"registered_domain": "mail.fr",
"top_level_domain": "fr"
}
}
{
"message": "{\"customer\": \"CuNo\",\"metaData\": {\"authentication\": {\"dkim\": {\"status\": \"dkim=none\",\"details\": \"dkim=none reason=\\\"no signature\\\"\"}},\"transportEncryption\": {\"requested\": false,\"established\": false},\"header\": {\"subject\": \"This is a test mail\",\"from\": \"sender@example.com\"},\"contentEncryption\": false},\"host\": \"events.retarus.com\",\"ts\": \"2021-07-11 14:58:43 +0200\",\"version\": \"1.0\",\"sourceIp\": \"xxx.xxx.xxx.xxx\",\"sender\": \"xxxxxxx@retarus.com\",\"type\": \"MTA\",\"subtype\": \"INCOMING\",\"direction\": \"INBOUND\",\"recipient\": \"xxxxxxx@retarus.de\",\"mimeId\": \"<5616dfeid.xxxxxxxxxx@retarus.net>\",\"status\": \"ACCEPTED\",\"class\": \"EVENT\",\"rmxId\": \"20210711-145842-xxxxxx-xxxxxx-0@mailin27\"}",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "EVENT",
"outcome": "success",
"outcome_reason": "ACCEPTED"
},
"destination": {
"address": "retarus.de",
"domain": "retarus.de",
"registered_domain": "retarus.de",
"top_level_domain": "de"
},
"email": {
"from": {
"address": [
"sender@example.com"
]
},
"sender": {
"address": [
"xxxxxxx@retarus.de"
]
},
"subject": "This is a test mail"
},
"observer": {
"hostname": "events.retarus.com",
"product": "Email Security",
"vendor": "Retarus",
"version": "1.0"
},
"organization": {
"id": "CuNo"
},
"related": {
"hosts": [
"events.retarus.com",
"retarus.com",
"retarus.de"
]
},
"retarus": {
"class": "EVENT",
"dkim": {
"result": "dkim=none reason=\"no signature\""
},
"email_direction": "INBOUND",
"message_id": "20210711-145842-xxxxxx-xxxxxx-0@mailin27",
"mime_message_id": "<5616dfeid.xxxxxxxxxx@retarus.net>",
"recipient": "xxxxxxx@retarus.de",
"sender": "xxxxxxx@retarus.com",
"status": "ACCEPTED",
"timestamp": "2021-07-11 14:58:43 +0200",
"type": "MTA"
},
"source": {
"address": "retarus.com",
"domain": "retarus.com",
"registered_domain": "retarus.com",
"top_level_domain": "com"
}
}
{
"message": "{\"version\":\"1.0\",\"rmxId\":\"20220912-000000-111111111111-0@example\",\"sender\":\"\",\"ts\":\"2022-09-12 16:30:58 +0200\",\"metaData\":{\"transportEncryption\":{\"protocol\":\"TLSv1.2\",\"cipherSuite\":\"ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)\",\"established\":true,\"requested\":true},\"authentication\":{\"dkim\":{\"status\":\"dkim=none\",\"details\":\"dkim=none reason=\\\"no signature\\\"\"},\"spf\":{\"status\":\"spf=none\",\"details\":\"spf=none smtp.helo=mailer.com\"}},\"header\":{\"from\":\"MAILER-DAEMON (Mail Delivery System)\",\"subject\":\"Undelivered Mail Returned to Sender\"},\"contentEncryption\":false},\"recipient\":\"user@example.org\",\"sourceIp\":\"1.2.3.4\",\"type\":\"MTA\",\"subtype\":\"INCOMING\",\"host\":\"events.retarus.com\",\"direction\":\"INBOUND\",\"status\":\"ACCEPTED\",\"customer\":\"15752FR\",\"class\":\"EVENT\",\"mimeId\":\"<00000000@mailer.com>\"}\n",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "EVENT",
"outcome": "success",
"outcome_reason": "ACCEPTED"
},
"destination": {
"address": "example.org",
"domain": "example.org",
"registered_domain": "example.org",
"top_level_domain": "org"
},
"email": {
"from": {
"address": [
"MAILER-DAEMON (Mail Delivery System)"
]
},
"sender": {
"address": [
"user@example.org"
]
},
"subject": "Undelivered Mail Returned to Sender"
},
"observer": {
"hostname": "events.retarus.com",
"product": "Email Security",
"vendor": "Retarus",
"version": "1.0"
},
"organization": {
"id": "15752FR"
},
"related": {
"hosts": [
"events.retarus.com",
"example.org"
],
"ip": [
"1.2.3.4"
]
},
"retarus": {
"class": "EVENT",
"dkim": {
"result": "dkim=none reason=\"no signature\""
},
"email_direction": "INBOUND",
"message_id": "20220912-000000-111111111111-0@example",
"mime_message_id": "<00000000@mailer.com>",
"recipient": "user@example.org",
"spf": {
"status": "spf=none"
},
"status": "ACCEPTED",
"timestamp": "2022-09-12 16:30:58 +0200",
"type": "MTA"
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4"
}
}
{
"message": "{\"customer\": \"CuNo\",\"metaData\": {\"transportEncryption\": {\"requested\": true,\"established\": true,\"protocol\": \"TLSv1.2\",\"cipherSuite\": \"ECDHE-RSA-AES128-SHA256(128/128bits)\"},\"header\": {\"subject\": \"This is a test mail\",\"from\": \"sender@example.com\"}},\"host\": \"events.retarus.com\",\"ts\": \"2021-07-11 14:58:43 +0200\",\"version\": \"1.0\",\"sourceIp\": \"255.255.255.1\",\"sender\": \"xxxxxxx@retarus.com\",\"type\": \"MTA\",\"subtype\": \"INCOMING\",\"direction\": \"OUTBOUND\",\"recipient\": \"xxxxxxx@retarus.de\",\"mimeId\": \"<5616dfeid.xxxxxxxxxx@retarus.net>\",\"status\": \"ACCEPTED\",\"class\": \"EVENT\",\"rmxId\": \"20210711-145842-xxxxxx-xxxxxx-0@mailin27\"}",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "EVENT",
"outcome": "success",
"outcome_reason": "ACCEPTED"
},
"destination": {
"address": "retarus.de",
"domain": "retarus.de",
"registered_domain": "retarus.de",
"top_level_domain": "de"
},
"email": {
"from": {
"address": [
"sender@example.com"
]
},
"sender": {
"address": [
"xxxxxxx@retarus.de"
]
},
"subject": "This is a test mail"
},
"observer": {
"hostname": "events.retarus.com",
"product": "Email Security",
"vendor": "Retarus",
"version": "1.0"
},
"organization": {
"id": "CuNo"
},
"related": {
"hosts": [
"events.retarus.com",
"retarus.com",
"retarus.de"
],
"ip": [
"255.255.255.1"
]
},
"retarus": {
"class": "EVENT",
"email_direction": "OUTBOUND",
"message_id": "20210711-145842-xxxxxx-xxxxxx-0@mailin27",
"mime_message_id": "<5616dfeid.xxxxxxxxxx@retarus.net>",
"recipient": "xxxxxxx@retarus.de",
"sender": "xxxxxxx@retarus.com",
"status": "ACCEPTED",
"timestamp": "2021-07-11 14:58:43 +0200",
"type": "MTA"
},
"source": {
"address": "retarus.com",
"domain": "retarus.com",
"ip": "255.255.255.1",
"registered_domain": "retarus.com",
"top_level_domain": "com"
}
}
{
"message": "{\"class\": \"EVENT\", \"rmxId\": \"0001\", \"sourceIp\": \"1.1.1.1\", \"metaData\": {\"header\": {\"from\": \"sender <sender@senderdomain.fr>\", \"subject\": \"This is a subject\"}, \"transportEncryption\": {\"requested\": true, \"established\": true, \"protocol\": \"TLSv1.2\", \"cipherSuite\": \"ecdhe-ecdsa-aes128-gcm-sha256\"}}, \"recipient\": \"recipient@recipientdomain.fr\", \"mimeId\": \"<11111111>\", \"sender\": \"sender@senderdomain.fr\", \"version\": \"1.0\", \"customer\": \"1\", \"host\": \"host.fr\", \"subtype\": \"INCOMING\", \"type\": \"AAA\", \"ts\": \"2021-10-1 09:00:00 +0200\", \"direction\": \"OUTBOUND\", \"status\": \"ACCEPTED\"}",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"address": "recipientdomain.fr",
"domain": "recipientdomain.fr",
"registered_domain": "recipientdomain.fr",
"top_level_domain": "fr"
},
"email": {
"from": {
"address": [
"sender <sender@senderdomain.fr>"
]
},
"sender": {
"address": [
"recipient@recipientdomain.fr"
]
},
"subject": "This is a subject"
},
"observer": {
"hostname": "host.fr",
"product": "Email Security",
"vendor": "Retarus",
"version": "1.0"
},
"organization": {
"id": "1"
},
"related": {
"hosts": [
"host.fr",
"recipientdomain.fr",
"senderdomain.fr"
],
"ip": [
"1.1.1.1"
]
},
"retarus": {
"class": "EVENT",
"email_direction": "OUTBOUND",
"message_id": "0001",
"mime_message_id": "<11111111>",
"recipient": "recipient@recipientdomain.fr",
"sender": "sender@senderdomain.fr",
"status": "ACCEPTED",
"timestamp": "2021-10-1 09:00:00 +0200",
"type": "AAA"
},
"source": {
"address": "senderdomain.fr",
"domain": "senderdomain.fr",
"ip": "1.1.1.1",
"registered_domain": "senderdomain.fr",
"top_level_domain": "fr"
}
}
{
"message": "{\"customer\": \"CuNo\", \"metaData\": {}, \"host\": \"events.retarus.com\", \"ts\": \"2018-10-16 14:58:18 +0200\", \"version\": \"1.0\", \"sourceIp\": \"xxx.xxx.xxx.xxx\", \"sender\": \"xxxxxxx@retarus.com\", \"type\": \"CxO\", \"direction\": \"INBOUND\", \"recipient\": \"xxxxxxx@retarus.de\", \"mimeId\": \"<164D6G96.xxxxxxx@retarus.net>\", \"status\": \"DETECTED\", \"class\": \"THREAT\", \"rmxId\": \"20181016-145817-42ZFjPxxxxxx-0@mailin01\"}",
"event": {
"category": [
"malware"
],
"kind": "alert",
"outcome": "failure",
"type": [
"info"
]
},
"action": {
"name": "THREAT",
"outcome": "failure"
},
"destination": {
"address": "retarus.de",
"domain": "retarus.de",
"registered_domain": "retarus.de",
"top_level_domain": "de"
},
"email": {
"from": {
"address": [
"null"
]
},
"sender": {
"address": [
"xxxxxxx@retarus.de"
]
}
},
"observer": {
"hostname": "events.retarus.com",
"product": "Email Security",
"vendor": "Retarus",
"version": "1.0"
},
"organization": {
"id": "CuNo"
},
"related": {
"hosts": [
"events.retarus.com",
"retarus.com",
"retarus.de"
]
},
"retarus": {
"class": "THREAT",
"email_direction": "INBOUND",
"message_id": "20181016-145817-42ZFjPxxxxxx-0@mailin01",
"mime_message_id": "<164D6G96.xxxxxxx@retarus.net>",
"recipient": "xxxxxxx@retarus.de",
"sender": "xxxxxxx@retarus.com",
"status": "DETECTED",
"timestamp": "2018-10-16 14:58:18 +0200",
"type": "CxO"
},
"source": {
"address": "retarus.com",
"domain": "retarus.com",
"registered_domain": "retarus.com",
"top_level_domain": "com"
}
}
{
"message": "{\"customer\": \"CuNo\", \"metaData\": {\"details\": \"EICAR-AV-Test\"}, \"host\": \"events.retarus.com\", \"ts\": \"2018-10-16 14:58:43 +0200\", \"version\": \"1.0\", \"sourceIp\": \"xxx.xxx.xxx.xxx\", \"sender\": \"xxxxxxx@retarus.com\", \"type\": \"MultiScan\", \"direction\": \"OUTBOUND\", \"recipient\": \"xxxxxxx@retarus.de\", \"mimeId\": \"<5616dfeid.xxxxxxxxxx@retarus.net>\", \"status\": \"INFECTED\", \"class\": \"THREAT\", \"rmxId\": \"20181016-145842-xxxxxx-xxxxxx-0@mailin27\"}",
"event": {
"category": [
"malware"
],
"kind": "alert",
"outcome": "failure",
"type": [
"info"
]
},
"action": {
"name": "THREAT",
"outcome": "failure"
},
"destination": {
"address": "retarus.de",
"domain": "retarus.de",
"registered_domain": "retarus.de",
"top_level_domain": "de"
},
"email": {
"from": {
"address": [
"null"
]
},
"sender": {
"address": [
"xxxxxxx@retarus.de"
]
}
},
"observer": {
"hostname": "events.retarus.com",
"product": "Email Security",
"vendor": "Retarus",
"version": "1.0"
},
"organization": {
"id": "CuNo"
},
"related": {
"hosts": [
"events.retarus.com",
"retarus.com",
"retarus.de"
]
},
"retarus": {
"class": "THREAT",
"email_direction": "OUTBOUND",
"message_id": "20181016-145842-xxxxxx-xxxxxx-0@mailin27",
"mime_message_id": "<5616dfeid.xxxxxxxxxx@retarus.net>",
"recipient": "xxxxxxx@retarus.de",
"sender": "xxxxxxx@retarus.com",
"status": "INFECTED",
"timestamp": "2018-10-16 14:58:43 +0200",
"type": "MultiScan",
"virus_name": "EICAR-AV-Test"
},
"source": {
"address": "retarus.com",
"domain": "retarus.com",
"registered_domain": "retarus.com",
"top_level_domain": "com"
}
}
{
"message": "{\"customer\": \"CuNo\", \"metaData\": {\"hashFunction\": \"sha256\", \"threatType\": \"VIRUS\", \"checksum\": \"6b84714d0fa8c77d846306f37f4f3135596d34e17dca4f84088195272fd\", \"mimeType\": \"applicationx-dosexec\", \"details\": \"EICAR-Test-File\"}, \"host\": \"events.retarus.com\", \"ts\": \"2018-10-16 14:58:56 +0200\", \"version\": \"1.0\", \"sourceIp\": \"xxx.xxx.xxx.xxx\", \"sender\": \"xxxxxx@retarus.de\", \"type\": \"PZD\", \"direction\": \"INBOUND\", \"recipient\": \"xxxxxxx@retarus.de\", \"mimeId\": \"<56168B42.xxxxxxx@retarus.net>\", \"status\": \"DETECTED\", \"class\": \"THREAT\", \"rmxId\": \"20181016-145852-xxxxxx-xxxxxx-0@mailin01\"}",
"event": {
"category": [
"malware"
],
"kind": "alert",
"outcome": "failure",
"type": [
"info"
]
},
"action": {
"name": "THREAT",
"outcome": "failure"
},
"destination": {
"address": "retarus.de",
"domain": "retarus.de",
"registered_domain": "retarus.de",
"top_level_domain": "de"
},
"email": {
"from": {
"address": [
"null"
]
},
"sender": {
"address": [
"xxxxxxx@retarus.de"
]
}
},
"file": {
"hash": {
"sha256": "sha256"
},
"mimeType": "applicationx-dosexec"
},
"observer": {
"hostname": "events.retarus.com",
"product": "Email Security",
"vendor": "Retarus",
"version": "1.0"
},
"organization": {
"id": "CuNo"
},
"related": {
"hash": [
"sha256"
],
"hosts": [
"events.retarus.com",
"retarus.de"
]
},
"retarus": {
"class": "THREAT",
"email_direction": "INBOUND",
"message_id": "20181016-145852-xxxxxx-xxxxxx-0@mailin01",
"mime_message_id": "<56168B42.xxxxxxx@retarus.net>",
"recipient": "xxxxxxx@retarus.de",
"sender": "xxxxxx@retarus.de",
"status": "DETECTED",
"timestamp": "2018-10-16 14:58:56 +0200",
"type": "PZD",
"virus_name": "EICAR-Test-File"
},
"source": {
"address": "retarus.de",
"domain": "retarus.de",
"registered_domain": "retarus.de",
"top_level_domain": "de"
}
}
{
"message": "{\"customer\": \"CuNo\", \"metaData\": {\"hashFunction\": \"sha256\", \"checksum\": \"cbfdedf25f7f04daf9d705548cf6b6546d66bc206ea1a166fff15ece9434\"}, \"host\": \"events.retarus.com\", \"ts\": \"2018-10-16 15:03:43 +0200\", \"version\": \"1.0\", \"sourceIp\": \"xxx.xxx.xxx.xxx\", \"sender\": \"xxxxxxx@retarus.com\", \"type\": \"Sandboxing\", \"direction\": \"INBOUND\", \"recipient\": \"xxxxxxx@retarus.de\", \"mimeId\": \"<37357C96.xxxxxxx@retarus.net>\", \"status\": \"SUSPICIOUS\", \"class\": \"THREAT\", \"rmxId\": \"20181016-145902-xxxxxx-0@mailin08\"}",
"event": {
"category": [
"malware"
],
"kind": "alert",
"outcome": "failure",
"type": [
"info"
]
},
"action": {
"name": "THREAT",
"outcome": "failure"
},
"destination": {
"address": "retarus.de",
"domain": "retarus.de",
"registered_domain": "retarus.de",
"top_level_domain": "de"
},
"email": {
"from": {
"address": [
"null"
]
},
"sender": {
"address": [
"xxxxxxx@retarus.de"
]
}
},
"file": {
"hash": {
"sha256": "sha256"
}
},
"observer": {
"hostname": "events.retarus.com",
"product": "Email Security",
"vendor": "Retarus",
"version": "1.0"
},
"organization": {
"id": "CuNo"
},
"related": {
"hash": [
"sha256"
],
"hosts": [
"events.retarus.com",
"retarus.com",
"retarus.de"
]
},
"retarus": {
"class": "THREAT",
"email_direction": "INBOUND",
"message_id": "20181016-145902-xxxxxx-0@mailin08",
"mime_message_id": "<37357C96.xxxxxxx@retarus.net>",
"recipient": "xxxxxxx@retarus.de",
"sender": "xxxxxxx@retarus.com",
"status": "SUSPICIOUS",
"timestamp": "2018-10-16 15:03:43 +0200",
"type": "Sandboxing"
},
"source": {
"address": "retarus.com",
"domain": "retarus.com",
"registered_domain": "retarus.com",
"top_level_domain": "com"
}
}
Extracted Fields
The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.
| Name | Type | Description |
|---|---|---|
destination.domain |
keyword |
The domain name of the destination. |
email.from.address |
keyword |
The sender's email address. |
email.sender.address |
keyword |
Address of the message sender. |
email.subject |
keyword |
The subject of the email message. |
event.category |
keyword |
Event category. The second categorization field in the hierarchy. |
event.kind |
keyword |
The kind of the event. The highest categorization field in the hierarchy. |
event.type |
keyword |
Event type. The third categorization field in the hierarchy. |
file.hash.md5 |
keyword |
MD5 hash. |
file.hash.sha1 |
keyword |
SHA1 hash. |
file.hash.sha256 |
keyword |
SHA256 hash. |
file.hash.sha512 |
keyword |
SHA512 hash. |
file.hash.ssdeep |
keyword |
SSDEEP hash. |
file.mimeType |
keyword |
MIME type of the detected file (only included if threat type is VIRUS) |
observer.hostname |
keyword |
Hostname of the observer. |
observer.product |
keyword |
The product name of the observer. |
observer.vendor |
keyword |
Vendor name of the observer. |
observer.version |
keyword |
Observer version. |
organization.id |
keyword |
Unique identifier for the organization. |
retarus.class |
keyword |
Classification of the event |
retarus.dkim.result |
keyword |
DKIM result |
retarus.email_direction |
keyword |
Possible values are: INBOUND |
retarus.message_id |
keyword |
Retarus unique message ID |
retarus.mime_message_id |
keyword |
Mime message ID |
retarus.phishing_identifier |
long |
Phishing identifier (if threat type is “URL”) |
retarus.recipient |
keyword |
Recipient of the message (envTo) |
retarus.sender |
keyword |
Sender of the message (envFrom) |
retarus.spf.record |
keyword |
SPF record |
retarus.spf.status |
keyword |
SPF result |
retarus.status |
keyword |
Possible values are: - for threat events: INFECTED |
retarus.timestamp |
keyword |
Timestamp of the message in YYYY-MM-DD hh:mm:ss +hhmm |
retarus.type |
keyword |
Feature which the event is for possible values are: MultiScan, CxO, Sandboxing, PZD, MTA |
retarus.virus_name |
keyword |
Virus name(s) found |
source.domain |
keyword |
The domain name of the source. |
source.ip |
ip |
IP address of the source. |
url.full |
wildcard |
Full unparsed URL. |
For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events here.