Retarus Email Security
Protection solution for user and technical messaging.
Event Categories
The following table lists the data source offered by this integration.
Data Source | Description |
---|---|
Email gateway |
Retarus Email Security solution. |
In details, the following table denotes the type of events produced by this integration.
Name | Values |
---|---|
Kind | alert , event |
Category | malware , web |
Type | info |
Event Samples
Find below few samples of events and how they are normalized by Sekoia.io.
{
"message": "{\"direction\": \"OUTBOUND\", \"class\": \"EVENT\", \"version\": \"1.0\", \"type\": \"MTA\", \"ts\": \"2021-05-18 16:50:30 +0200\", \"host\": \"events.retarus.com\", \"customer\": \"45987FR\", \"metaData\": {}, \"sender\": \"utilisateur@mail.fr\", \"status\": \"ACCEPTED\", \"mimeId\": \"<d12b9brrfd3c89723ee5@STZE007.super.corp>\", \"rmxId\": \"20210518-32464-yvrfukcZEcd-0@out33.fg\", \"sourceIp\": \"255.255.255.1\", \"recipient\": \"recepient@mail.com\"}",
"event": {
"kind": "event"
},
"source": {
"ip": "255.255.255.1",
"domain": "mail.fr",
"address": "mail.fr",
"top_level_domain": "fr",
"registered_domain": "mail.fr"
},
"observer": {
"version": "1.0",
"hostname": "events.retarus.com"
},
"organization": {
"id": "45987FR"
},
"destination": {
"domain": "mail.com",
"address": "mail.com",
"top_level_domain": "com",
"registered_domain": "mail.com"
},
"retarus": {
"timestamp": "2021-05-18 16:50:30 +0200",
"email_direction": "OUTBOUND",
"mime_message_id": "<d12b9brrfd3c89723ee5@STZE007.super.corp>",
"message_id": "20210518-32464-yvrfukcZEcd-0@out33.fg",
"recipient": "recepient@mail.com",
"sender": "utilisateur@mail.fr",
"status": "ACCEPTED",
"class": "EVENT",
"type": "MTA"
},
"action": {
"name": "EVENT",
"outcome": "success",
"outcome_reason": "ACCEPTED"
},
"related": {
"hosts": [
"events.retarus.com",
"mail.com",
"mail.fr"
],
"ip": [
"255.255.255.1"
]
}
}
{
"message": "{\"customer\": \"CuNo\",\"metaData\": {\"authentication\": {\"dkim\": {\"status\": \"dkim=none\",\"details\": \"dkim=none reason=\\\"no signature\\\"\"}},\"transportEncryption\": {\"requested\": false,\"established\": false},\"header\": {\"subject\": \"This is a test mail\",\"from\": \"sender@example.com\"},\"contentEncryption\": false},\"host\": \"events.retarus.com\",\"ts\": \"2021-07-11 14:58:43 +0200\",\"version\": \"1.0\",\"sourceIp\": \"xxx.xxx.xxx.xxx\",\"sender\": \"xxxxxxx@retarus.com\",\"type\": \"MTA\",\"subtype\": \"INCOMING\",\"direction\": \"INBOUND\",\"recipient\": \"xxxxxxx@retarus.de\",\"mimeId\": \"<5616dfeid.xxxxxxxxxx@retarus.net>\",\"status\": \"ACCEPTED\",\"class\": \"EVENT\",\"rmxId\": \"20210711-145842-xxxxxx-xxxxxx-0@mailin27\"}",
"event": {
"kind": "event"
},
"observer": {
"version": "1.0",
"hostname": "events.retarus.com"
},
"organization": {
"id": "CuNo"
},
"source": {
"domain": "retarus.com",
"address": "retarus.com",
"top_level_domain": "com",
"registered_domain": "retarus.com"
},
"destination": {
"domain": "retarus.de",
"address": "retarus.de",
"top_level_domain": "de",
"registered_domain": "retarus.de"
},
"retarus": {
"timestamp": "2021-07-11 14:58:43 +0200",
"email_direction": "INBOUND",
"mime_message_id": "<5616dfeid.xxxxxxxxxx@retarus.net>",
"message_id": "20210711-145842-xxxxxx-xxxxxx-0@mailin27",
"recipient": "xxxxxxx@retarus.de",
"sender": "xxxxxxx@retarus.com",
"status": "ACCEPTED",
"class": "EVENT",
"type": "MTA"
},
"action": {
"name": "EVENT",
"outcome": "success",
"outcome_reason": "ACCEPTED"
},
"related": {
"hosts": [
"events.retarus.com",
"retarus.com",
"retarus.de"
]
}
}
{
"message": "{\"version\":\"1.0\",\"rmxId\":\"20220912-000000-111111111111-0@example\",\"sender\":\"\",\"ts\":\"2022-09-12 16:30:58 +0200\",\"metaData\":{\"transportEncryption\":{\"protocol\":\"TLSv1.2\",\"cipherSuite\":\"ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)\",\"established\":true,\"requested\":true},\"authentication\":{\"dkim\":{\"status\":\"dkim=none\",\"details\":\"dkim=none reason=\\\"no signature\\\"\"},\"spf\":{\"status\":\"spf=none\",\"details\":\"spf=none smtp.helo=mailer.com\"}},\"header\":{\"from\":\"MAILER-DAEMON (Mail Delivery System)\",\"subject\":\"Undelivered Mail Returned to Sender\"},\"contentEncryption\":false},\"recipient\":\"user@example.org\",\"sourceIp\":\"1.2.3.4\",\"type\":\"MTA\",\"subtype\":\"INCOMING\",\"host\":\"events.retarus.com\",\"direction\":\"INBOUND\",\"status\":\"ACCEPTED\",\"customer\":\"15752FR\",\"class\":\"EVENT\",\"mimeId\":\"<00000000@mailer.com>\"}\n",
"event": {
"kind": "event"
},
"source": {
"ip": "1.2.3.4",
"address": "1.2.3.4"
},
"observer": {
"version": "1.0",
"hostname": "events.retarus.com"
},
"organization": {
"id": "15752FR"
},
"destination": {
"domain": "example.org",
"address": "example.org",
"top_level_domain": "org",
"registered_domain": "example.org"
},
"retarus": {
"timestamp": "2022-09-12 16:30:58 +0200",
"email_direction": "INBOUND",
"mime_message_id": "<00000000@mailer.com>",
"message_id": "20220912-000000-111111111111-0@example",
"recipient": "user@example.org",
"status": "ACCEPTED",
"class": "EVENT",
"type": "MTA"
},
"action": {
"name": "EVENT",
"outcome": "success",
"outcome_reason": "ACCEPTED"
},
"related": {
"hosts": [
"events.retarus.com",
"example.org"
],
"ip": [
"1.2.3.4"
]
}
}
{
"message": "{\"customer\": \"CuNo\",\"metaData\": {\"transportEncryption\": {\"requested\": true,\"established\": true,\"protocol\": \"TLSv1.2\",\"cipherSuite\": \"ECDHE-RSA-AES128-SHA256(128/128bits)\"},\"header\": {\"subject\": \"This is a test mail\",\"from\": \"sender@example.com\"}},\"host\": \"events.retarus.com\",\"ts\": \"2021-07-11 14:58:43 +0200\",\"version\": \"1.0\",\"sourceIp\": \"255.255.255.1\",\"sender\": \"xxxxxxx@retarus.com\",\"type\": \"MTA\",\"subtype\": \"INCOMING\",\"direction\": \"OUTBOUND\",\"recipient\": \"xxxxxxx@retarus.de\",\"mimeId\": \"<5616dfeid.xxxxxxxxxx@retarus.net>\",\"status\": \"ACCEPTED\",\"class\": \"EVENT\",\"rmxId\": \"20210711-145842-xxxxxx-xxxxxx-0@mailin27\"}",
"event": {
"kind": "event"
},
"source": {
"ip": "255.255.255.1",
"domain": "retarus.com",
"address": "retarus.com",
"top_level_domain": "com",
"registered_domain": "retarus.com"
},
"observer": {
"version": "1.0",
"hostname": "events.retarus.com"
},
"organization": {
"id": "CuNo"
},
"destination": {
"domain": "retarus.de",
"address": "retarus.de",
"top_level_domain": "de",
"registered_domain": "retarus.de"
},
"retarus": {
"timestamp": "2021-07-11 14:58:43 +0200",
"email_direction": "OUTBOUND",
"mime_message_id": "<5616dfeid.xxxxxxxxxx@retarus.net>",
"message_id": "20210711-145842-xxxxxx-xxxxxx-0@mailin27",
"recipient": "xxxxxxx@retarus.de",
"sender": "xxxxxxx@retarus.com",
"status": "ACCEPTED",
"class": "EVENT",
"type": "MTA"
},
"action": {
"name": "EVENT",
"outcome": "success",
"outcome_reason": "ACCEPTED"
},
"related": {
"hosts": [
"events.retarus.com",
"retarus.com",
"retarus.de"
],
"ip": [
"255.255.255.1"
]
}
}
{
"message": "{\"class\": \"EVENT\", \"rmxId\": \"0001\", \"sourceIp\": \"1.1.1.1\", \"metaData\": {\"header\": {\"from\": \"sender <sender@senderdomain.fr>\", \"subject\": \"This is a subject\"}, \"transportEncryption\": {\"requested\": true, \"established\": true, \"protocol\": \"TLSv1.2\", \"cipherSuite\": \"ecdhe-ecdsa-aes128-gcm-sha256\"}}, \"recipient\": \"recipient@recipientdomain.fr\", \"mimeId\": \"<11111111>\", \"sender\": \"sender@senderdomain.fr\", \"version\": \"1.0\", \"customer\": \"1\", \"host\": \"host.fr\", \"subtype\": \"INCOMING\", \"type\": \"AAA\", \"ts\": \"2021-10-1 09:00:00 +0200\", \"direction\": \"OUTBOUND\", \"status\": \"ACCEPTED\"}",
"source": {
"ip": "1.1.1.1",
"domain": "senderdomain.fr",
"address": "senderdomain.fr",
"top_level_domain": "fr",
"registered_domain": "senderdomain.fr"
},
"observer": {
"version": "1.0",
"hostname": "host.fr"
},
"organization": {
"id": "1"
},
"destination": {
"domain": "recipientdomain.fr",
"address": "recipientdomain.fr",
"top_level_domain": "fr",
"registered_domain": "recipientdomain.fr"
},
"retarus": {
"timestamp": "2021-10-1 09:00:00 +0200",
"email_direction": "OUTBOUND",
"mime_message_id": "<11111111>",
"message_id": "0001",
"recipient": "recipient@recipientdomain.fr",
"sender": "sender@senderdomain.fr",
"status": "ACCEPTED",
"class": "EVENT",
"type": "AAA"
},
"related": {
"hosts": [
"host.fr",
"recipientdomain.fr",
"senderdomain.fr"
],
"ip": [
"1.1.1.1"
]
}
}
{
"message": "{\"customer\": \"CuNo\", \"metaData\": {}, \"host\": \"events.retarus.com\", \"ts\": \"2018-10-16 14:58:18 +0200\", \"version\": \"1.0\", \"sourceIp\": \"xxx.xxx.xxx.xxx\", \"sender\": \"xxxxxxx@retarus.com\", \"type\": \"CxO\", \"direction\": \"INBOUND\", \"recipient\": \"xxxxxxx@retarus.de\", \"mimeId\": \"<164D6G96.xxxxxxx@retarus.net>\", \"status\": \"DETECTED\", \"class\": \"THREAT\", \"rmxId\": \"20181016-145817-42ZFjPxxxxxx-0@mailin01\"}",
"event": {
"kind": "alert",
"category": [
"malware"
],
"type": [
"info"
]
},
"observer": {
"version": "1.0",
"hostname": "events.retarus.com"
},
"organization": {
"id": "CuNo"
},
"source": {
"domain": "retarus.com",
"address": "retarus.com",
"top_level_domain": "com",
"registered_domain": "retarus.com"
},
"destination": {
"domain": "retarus.de",
"address": "retarus.de",
"top_level_domain": "de",
"registered_domain": "retarus.de"
},
"retarus": {
"timestamp": "2018-10-16 14:58:18 +0200",
"email_direction": "INBOUND",
"mime_message_id": "<164D6G96.xxxxxxx@retarus.net>",
"message_id": "20181016-145817-42ZFjPxxxxxx-0@mailin01",
"recipient": "xxxxxxx@retarus.de",
"sender": "xxxxxxx@retarus.com",
"status": "DETECTED",
"class": "THREAT",
"type": "CxO"
},
"action": {
"name": "THREAT",
"outcome": "failure"
},
"related": {
"hosts": [
"events.retarus.com",
"retarus.com",
"retarus.de"
]
}
}
{
"message": "{\"customer\": \"CuNo\", \"metaData\": {\"details\": \"EICAR-AV-Test\"}, \"host\": \"events.retarus.com\", \"ts\": \"2018-10-16 14:58:43 +0200\", \"version\": \"1.0\", \"sourceIp\": \"xxx.xxx.xxx.xxx\", \"sender\": \"xxxxxxx@retarus.com\", \"type\": \"MultiScan\", \"direction\": \"OUTBOUND\", \"recipient\": \"xxxxxxx@retarus.de\", \"mimeId\": \"<5616dfeid.xxxxxxxxxx@retarus.net>\", \"status\": \"INFECTED\", \"class\": \"THREAT\", \"rmxId\": \"20181016-145842-xxxxxx-xxxxxx-0@mailin27\"}",
"event": {
"kind": "alert",
"category": [
"malware"
],
"type": [
"info"
]
},
"observer": {
"version": "1.0",
"hostname": "events.retarus.com"
},
"organization": {
"id": "CuNo"
},
"source": {
"domain": "retarus.com",
"address": "retarus.com",
"top_level_domain": "com",
"registered_domain": "retarus.com"
},
"destination": {
"domain": "retarus.de",
"address": "retarus.de",
"top_level_domain": "de",
"registered_domain": "retarus.de"
},
"retarus": {
"timestamp": "2018-10-16 14:58:43 +0200",
"email_direction": "OUTBOUND",
"mime_message_id": "<5616dfeid.xxxxxxxxxx@retarus.net>",
"message_id": "20181016-145842-xxxxxx-xxxxxx-0@mailin27",
"recipient": "xxxxxxx@retarus.de",
"sender": "xxxxxxx@retarus.com",
"status": "INFECTED",
"class": "THREAT",
"type": "MultiScan",
"virus_name": "EICAR-AV-Test"
},
"action": {
"name": "THREAT",
"outcome": "failure"
},
"related": {
"hosts": [
"events.retarus.com",
"retarus.com",
"retarus.de"
]
}
}
{
"message": "{\"customer\": \"CuNo\", \"metaData\": {\"hashFunction\": \"sha256\", \"threatType\": \"VIRUS\", \"checksum\": \"6b84714d0fa8c77d846306f37f4f3135596d34e17dca4f84088195272fd\", \"mimeType\": \"applicationx-dosexec\", \"details\": \"EICAR-Test-File\"}, \"host\": \"events.retarus.com\", \"ts\": \"2018-10-16 14:58:56 +0200\", \"version\": \"1.0\", \"sourceIp\": \"xxx.xxx.xxx.xxx\", \"sender\": \"xxxxxx@retarus.de\", \"type\": \"PZD\", \"direction\": \"INBOUND\", \"recipient\": \"xxxxxxx@retarus.de\", \"mimeId\": \"<56168B42.xxxxxxx@retarus.net>\", \"status\": \"DETECTED\", \"class\": \"THREAT\", \"rmxId\": \"20181016-145852-xxxxxx-xxxxxx-0@mailin01\"}",
"event": {
"kind": "alert",
"category": [
"malware"
],
"type": [
"info"
]
},
"observer": {
"version": "1.0",
"hostname": "events.retarus.com"
},
"organization": {
"id": "CuNo"
},
"source": {
"domain": "retarus.de",
"address": "retarus.de",
"top_level_domain": "de",
"registered_domain": "retarus.de"
},
"destination": {
"domain": "retarus.de",
"address": "retarus.de",
"top_level_domain": "de",
"registered_domain": "retarus.de"
},
"retarus": {
"timestamp": "2018-10-16 14:58:56 +0200",
"email_direction": "INBOUND",
"mime_message_id": "<56168B42.xxxxxxx@retarus.net>",
"message_id": "20181016-145852-xxxxxx-xxxxxx-0@mailin01",
"recipient": "xxxxxxx@retarus.de",
"sender": "xxxxxx@retarus.de",
"status": "DETECTED",
"class": "THREAT",
"type": "PZD",
"virus_name": "EICAR-Test-File"
},
"action": {
"name": "THREAT",
"outcome": "failure"
},
"file": {
"mimeType": "applicationx-dosexec",
"hash": {
"sha256": "sha256"
}
},
"related": {
"hash": [
"sha256"
],
"hosts": [
"events.retarus.com",
"retarus.de"
]
}
}
{
"message": "{\"customer\": \"CuNo\", \"metaData\": {\"hashFunction\": \"sha256\", \"checksum\": \"cbfdedf25f7f04daf9d705548cf6b6546d66bc206ea1a166fff15ece9434\"}, \"host\": \"events.retarus.com\", \"ts\": \"2018-10-16 15:03:43 +0200\", \"version\": \"1.0\", \"sourceIp\": \"xxx.xxx.xxx.xxx\", \"sender\": \"xxxxxxx@retarus.com\", \"type\": \"Sandboxing\", \"direction\": \"INBOUND\", \"recipient\": \"xxxxxxx@retarus.de\", \"mimeId\": \"<37357C96.xxxxxxx@retarus.net>\", \"status\": \"SUSPICIOUS\", \"class\": \"THREAT\", \"rmxId\": \"20181016-145902-xxxxxx-0@mailin08\"}",
"event": {
"kind": "alert",
"category": [
"malware"
],
"type": [
"info"
]
},
"observer": {
"version": "1.0",
"hostname": "events.retarus.com"
},
"organization": {
"id": "CuNo"
},
"source": {
"domain": "retarus.com",
"address": "retarus.com",
"top_level_domain": "com",
"registered_domain": "retarus.com"
},
"destination": {
"domain": "retarus.de",
"address": "retarus.de",
"top_level_domain": "de",
"registered_domain": "retarus.de"
},
"retarus": {
"timestamp": "2018-10-16 15:03:43 +0200",
"email_direction": "INBOUND",
"mime_message_id": "<37357C96.xxxxxxx@retarus.net>",
"message_id": "20181016-145902-xxxxxx-0@mailin08",
"recipient": "xxxxxxx@retarus.de",
"sender": "xxxxxxx@retarus.com",
"status": "SUSPICIOUS",
"class": "THREAT",
"type": "Sandboxing"
},
"action": {
"name": "THREAT",
"outcome": "failure"
},
"file": {
"hash": {
"sha256": "sha256"
}
},
"related": {
"hash": [
"sha256"
],
"hosts": [
"events.retarus.com",
"retarus.com",
"retarus.de"
]
}
}
Extracted Fields
The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.
Name | Type | Description |
---|---|---|
destination.domain |
keyword |
The domain name of the destination. |
event.category |
keyword |
Event category. The second categorization field in the hierarchy. |
event.kind |
keyword |
The kind of the event. The highest categorization field in the hierarchy. |
event.type |
keyword |
Event type. The third categorization field in the hierarchy. |
file.hash.md5 |
keyword |
MD5 hash. |
file.hash.sha1 |
keyword |
SHA1 hash. |
file.hash.sha256 |
keyword |
SHA256 hash. |
file.hash.sha512 |
keyword |
SHA512 hash. |
file.hash.ssdeep |
keyword |
SSDEEP hash. |
file.mimeType |
keyword |
MIME type of the detected file (only included if threat type is VIRUS) |
observer.hostname |
keyword |
Hostname of the observer. |
observer.version |
keyword |
Observer version. |
organization.id |
keyword |
Unique identifier for the organization. |
retarus.class |
keyword |
Classification of the event |
retarus.email_direction |
keyword |
Possible values are: INBOUND |
retarus.message_id |
keyword |
Retarus unique message ID |
retarus.mime_message_id |
keyword |
Mime message ID |
retarus.phishing_identifier |
long |
Phishing identifier (if threat type is “URL”) |
retarus.recipient |
keyword |
Recipient of the message (envTo) |
retarus.sender |
keyword |
Sender of the message (envFrom) |
retarus.status |
keyword |
Possible values are: - for threat events: INFECTED |
retarus.timestamp |
keyword |
Timestamp of the message in YYYY-MM-DD hh:mm:ss +hhmm |
retarus.type |
keyword |
Feature which the event is for possible values are: MultiScan, CxO, Sandboxing, PZD, MTA |
retarus.virus_name |
keyword |
Virus name(s) found |
source.domain |
keyword |
The domain name of the source. |
source.ip |
ip |
IP address of the source. |
url.full |
wildcard |
Full unparsed URL. |