
Cisco Secure Email Gateway

Collect logs from Cisco Secure Email Gateway with Elastic Agent.


The Cisco Secure Email Gateway integration collects and parses data from Cisco Secure Email Gateway, either received over TCP/UDP (syslog) or read from log files.

Compatibility

This integration has been tested against Cisco Secure Email Gateway version 14.0.0 (Virtual Gateway C100V) with the log patterns shown below.

Configurations

  • Sign in to the Cisco Secure Email Gateway portal and follow the steps below:
    1. In the Cisco Secure Email Gateway Administrator Portal, go to System Administration > Log Subscriptions.
    2. Click Add Log Subscription.
    3. Enter all the required details.
    4. Set the Log Name as below for the respective category:
      • AMP Engine Logs -> amp
      • Anti-Spam Logs -> antispam
      • Antivirus Logs -> antivirus
      • Authentication Logs -> authentication
      • Bounce Logs -> bounces
      • Consolidated Event Logs -> consolidated_event
      • Content Scanner Logs -> content_scanner
      • HTTP Logs -> gui_logs
      • IronPort Text Mail Logs -> error_logs
      • Text Mail Logs -> mail_logs
      • Status Logs -> status
      • System Logs -> system
    5. Select Information as the Log Level.
    6. Select a Retrieval Method.
    7. Click Submit and commit the changes.

Note

  • Supported retrieval methods:
    • FTP Push to Remote Server for the following categories: AMP Engine Logs, Anti-Spam Logs, Antivirus Logs, Authentication Logs, Bounce Logs, Consolidated Event Logs, Content Scanner Logs, HTTP Logs, IronPort Text Mail Logs, Text Mail Logs, Status Logs and System Logs.
    • Syslog Push for the following categories: AMP Engine Logs, Anti-Spam Logs, Antivirus Logs, Consolidated Event Logs, Content Scanner Logs, HTTP Logs, IronPort Text Mail Logs, Text Mail Logs, Status Logs and System Logs.

Sample Logs

Below are sample logs for each category:

AMP Engine Logs:

File reputation query initiating. File Name = 'mod-6.exe', MID = 5, File Size = 1673216 bytes, File Type = application/x-dosexec

Response received for file reputation query from Cloud. FileName = 'mod-6.exe', MID = 5, Disposition = MALICIOUS, Malware = W32.061DEF69B5-100.SBX.TG,Reputation Score = 73, sha256 =061def69b5c100e9979610fa5675bd19258b19a7ff538b5c2d230b467c312f19, upload_action = 2

File Analysis complete. SHA256: 16454aff5082c2e9df43f3e3b9cdba3c6ae1766416e548c30a971786db570bfc, Submit Timestamp: 1475825466, Update Timestamp: 1475825953, Disposition: 3 Score: 100, run_id: 194926004 Details: Analysis is completed for the File SHA256[16454aff5082c2e9df43f3e3b9cdba3c6ae1766416e548c30a971786db570bfc] Spyname:[W32.16454AFF50-100.SBX.TG]

File not uploaded for analysis. MID = 0 File SHA256[a5f28f1fed7c2fe88bcdf403710098977fa12c32d13bfbd78bbe27e95b245f82] file mime[text/plain] Reason: No active/dynamic contents exists

File analysis upload skipped. SHA256: b5c7e26491983baa713c9a2910ee868efd891661c6a0553b28f17b8fdc8cc3ef,Timestamp[1454782976] details[File SHA256[b5c7e26491983baa713c9a2910ee868efd891661c6a0553b28f17b8fdc8cc3ef] file mime[application/pdf], upload priority[Low] not uploaded, re-tries[3], backoff[986] discarding ...]

SHA256: 69e17e213732da0d0cbc48ae7030a4a18e0c1289f510e8b139945787f67692a5,Timestamp[1454959409] details[Server Response HTTP code:[502]]

Retrospective verdict received. SHA256: 16454aff5082c2e9df43f3e3b9cdba3c6ae1766416e548c30a971786db570bfc, Timestamp: 1475832815.7, Verdict: MALICIOUS, Reputation Score: 0, Spyname: W32.16454AFF50-100.SBX.

Anti-Spam Logs

case antispam - engine (72324) : case-daemon: Initializing Child

case antispam - engine (15703) : case-daemon: all children killed, exitting

case antispam - engine (15703) : case-daemon: server killed by SIGHUP, shutting down

Antivirus Logs

sophos  antivirus - MID 69391938 - Result 'CLEAN' ()

sophos  antivirus - MID 68431780 0 - Error - 'Encrypted' '0x8004021'

sophos  antivirus - MID 66842418 0 - Virus 'CXmail/Phish-O' 'body.scan/Payment.html' 1 0

sophos  antivirus - MID 66784457 0 - Virus 'CXmail/MalPE-HB' 'body.scan/242426.cab/rockro9046.exe' 1 0

sophos  antivirus - MID 68016096 0 - Virus 'CXmail/MalPE-FL' 'body.scan/redactedFileName.rar/redactedFileName.exe' 1 0

sophos  antivirus - MID 68016096 0 - Virus 'CXmail/MalPE-AC' 'body.scan/redactedFileName.rar' 1 0

sophos  antivirus - MID 66301278 0 - Virus 'Mal/DrodRar-AIC' 'body.scan/anotherFileName.arj' 1 0

sophos  antivirus - MID 67753636 0 - Virus 'Troj/MSIL-TAR' 'body.scan/otherFileName.exe' 1 0

sophos  antivirus - MID 66710307 7 - Limit - 'Max Files Exceeded'

sophos  antivirus - MID 66708787 - timed out on message

Authentication Logs

The user admin successfully logged on from 1.128.3.4 with privilege admin using an HTTPS connection.

CLI: User admin logged out from 1.128.3.4 because of inactivity timeout

GUI: User admin logged out from session d0PfzQa02E8NwMiah2jx because of inactivity timeout

logout:1.128.3.4 user:admin session:wKV0AK29Ggdhztfl4Sal

User admin logged out of SSH session 1.128.3.4

An authentication attempt by the user admin from 1.128.3.4 failed using an HTTPS connection.

User admin was authenticated successfully.

User joe failed authentication.

Bounce Logs

Bounced: DCID 2 MID 15232 From:<example.com> To:<example.com> RID 0 - 5.1.0 - Unknown address error ('550', ['5.1.1 The email account that you tried to reach does not exist. Please try', "5.1.1 double-checking the recipient's email address for typos or", '5.1.1 unnecessary spaces. Learn more at', '5.1.1  xxxxx ay44si12078156oib.94 - gsmtp'])

Bounced: 123:123 From:<example.com> To:<example.com>

Consolidated Event Logs

CEF:0|Cisco|C100V Email Security Virtual Appliance|14.0.0-657|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=42127C7DDEE76852677B-F80CE8074CD3 ESAMID=1053 ESAICID=134 ESAAMPVerdict=UNKNOWN ESAASVerdict=NEGATIVE ESAAVVerdict=NEGATIVE  ESACFVerdict=MATCH endTime=Thu Mar 18 08:04:46 2021 ESADLPVerdict=NOT_EVALUATED dvc=1.128.3.4 ESAAttachmentDetails={'test.txt': {'AMP': {'Verdict': 'FILE UNKNOWN', 'fileHash': '7f843d263304fb0516d6210e9de4fa7f01f2f623074aab6e3ee7051f7b785cfa'}, 'BodyScanner': {'fsize': 10059}}} ESAFriendlyFrom=example.com ESAGMVerdict=NEGATIVE startTime=Thu Mar 18 08:04:29 2021 deviceInboundInterface=Incomingmail deviceDirection=0 ESAMailFlowPolicy=ACCEPT suser=example.com cs1Label=MailPolicy cs1=DEFAULT ESAMFVerdict=NOT_EVALUATED act=QUARANTINED ESAFinalActionDetails=To POLICY cs4Label=ExternalMsgID cs4='<example.com>' ESAMsgSize=11873 ESAOFVerdict=POSITIVE duser=example.com ESAHeloIP=1.128.3.4 cfp1Label=SBRSScore cfp1=None ESASDRDomainAge=27 years 2 months 15 days cs3Label=SDRThreatCategory cs3=N/A cs6Label=SDRRepScore cs6=Weak ESASPFVerdict={'mailfrom': {'result': 'None', 'sender': 'example.com'}, 'helo': {'result': 'None', 'sender': 'postmaster'}, 'pra': {'result': 'None', 'sender': 'example.com'}} sourceHostName=unknown ESASenderGroup=UNKNOWNLIST sourceAddress=1.128.3.4 msg='Testing'
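The consolidated event above combines a pipe-delimited CEF header with a space-separated key=value extension whose values may themselves contain spaces (endTime, ESASDRDomainAge) or a nested dict (ESAAttachmentDetails). The Python parser below is added here as an illustration, not the integration's own ingest pipeline: it splits both layers, joins the csNLabel/csN pairs into named fields and lists which ESA verdicts fired; its input is constructed from the page's sample line with the ESASPFVerdict extension dropped for brevity.

```python
import re

# Constructed sample: the Consolidated Event Logs line from this page, with the
# ESASPFVerdict extension dropped to keep the string short.
SAMPLE_CEF = (
    "CEF:0|Cisco|C100V Email Security Virtual Appliance|14.0.0-657|"
    "ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|"
    "deviceExternalId=42127C7DDEE76852677B-F80CE8074CD3 ESAMID=1053 ESAICID=134 "
    "ESAAMPVerdict=UNKNOWN ESAASVerdict=NEGATIVE ESAAVVerdict=NEGATIVE  ESACFVerdict=MATCH "
    "endTime=Thu Mar 18 08:04:46 2021 ESADLPVerdict=NOT_EVALUATED dvc=1.128.3.4 "
    "ESAAttachmentDetails={'test.txt': {'AMP': {'Verdict': 'FILE UNKNOWN', 'fileHash': "
    "'7f843d263304fb0516d6210e9de4fa7f01f2f623074aab6e3ee7051f7b785cfa'}, "
    "'BodyScanner': {'fsize': 10059}}} ESAFriendlyFrom=example.com ESAGMVerdict=NEGATIVE "
    "startTime=Thu Mar 18 08:04:29 2021 deviceInboundInterface=Incomingmail deviceDirection=0 "
    "ESAMailFlowPolicy=ACCEPT suser=example.com cs1Label=MailPolicy cs1=DEFAULT "
    "ESAMFVerdict=NOT_EVALUATED act=QUARANTINED ESAFinalActionDetails=To POLICY "
    "cs4Label=ExternalMsgID cs4='<example.com>' ESAMsgSize=11873 ESAOFVerdict=POSITIVE "
    "duser=example.com ESAHeloIP=1.128.3.4 cfp1Label=SBRSScore cfp1=None "
    "ESASDRDomainAge=27 years 2 months 15 days cs3Label=SDRThreatCategory cs3=N/A "
    "cs6Label=SDRRepScore cs6=Weak sourceHostName=unknown ESASenderGroup=UNKNOWNLIST "
    "sourceAddress=1.128.3.4 msg='Testing'"
)

# A '|' not preceded by a backslash separates header fields (CEF escapes literal pipes as \|).
_HEADER_SPLIT = re.compile(r"(?<!\\)\|")
# key=value pairs; a value runs (lazily) until whitespace followed by the next key=, or end of line,
# so values containing spaces or braces stay intact.
_EXT_PAIR = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

# Verdict values that mean an engine matched the message.
VERDICT_HIT = {"POSITIVE", "MATCH"}


def _unquote(value):
    """Strip one pair of surrounding single quotes, as the appliance puts around cs4 and msg."""
    if len(value) >= 2 and value[0] == value[-1] == "'":
        return value[1:-1]
    return value


def parse_cef(line):
    """Split a CEF line into its seven header fields plus the extension dict."""
    parts = _HEADER_SPLIT.split(line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line: %r" % line[:40])
    extension = {key: _unquote(value) for key, value in _EXT_PAIR.findall(parts[7])}
    return {
        "cef_format_version": parts[0].split(":", 1)[1],
        "appliance": {"vendor": parts[1], "product": parts[2], "version": parts[3]},
        "event_class_id": parts[4],
        "event": {"name": parts[5]},
        "severity": parts[6],
        "extension": extension,
    }


def labeled_custom_fields(extension):
    """Resolve csNLabel/csN and cfpNLabel/cfpN pairs into {label: value}."""
    resolved = {}
    for key, label in extension.items():
        if key.endswith("Label") and key[:-5] in extension:
            resolved[label] = extension[key[:-5]]
    return resolved


def positive_verdicts(extension):
    """Names of the ESA*Verdict extensions that fired; useful when triaging act=QUARANTINED."""
    return sorted(k for k, v in extension.items() if k.endswith("Verdict") and v in VERDICT_HIT)
```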

Content Scanner Logs

PF: Starting multi-threaded Perceptive server (pid=17729)

PF: Restarting content_scanner service.

IronPort Text Mail Logs

Quarantine: Failed to connect to quarantine

Internal SMTP giving up on message to example.com with subject 'Warning <System> example.com: Your "IronPort Email Encryption" key will expire in under 60...': Unrecoverable error.

Error while sending alert: Unable to send System/Warning alert to example.com with subject "Warning <System> example.com: Your "IronPort Email Encryption" key will expire in under 60...".

Internal SMTP system attempting to send a message to example.com with subject 'Critical <System> example.com: Log Error: Subscription error_logs: Failed to connect to 10....' (attempt #0).

HTTP Logs

req:1.128.3.4 user:admin id:2v10z5fEuDsvhdbVE6Ck 200 GET xxx.png HTTP/1.1 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36

req:1.128.3.4 user:- id:2v10z5fEuDsvhdbVE6Ck 200 GET xxx.png HTTP/1.1 -

Action: User admin logged out from session 5GPz0QDlfxUYQ0Y3PgYN beacuse of inactivity timeout

Session fRK3TSjzhHhoI9CV5Kvt user:admin expired

Session fRK3TSjzhHhoI9CV5Kvt from 1.128.3.4 not found Destination:/mail_policies/email_security_manager/incoming_mail_policies

SourceIP:1.128.3.4 Destination:/login Username:admin Privilege:admin session:5GPz0QDlfxUYQ0Y3PgYN Action: The HTTPS session has been established successfully.

PERIODIC REPORTS: No root directory for Periodic Reports Archive. Probably, running first time...

Could not fetch current Virus Threat Level: OS error opening URL 'http://example.com/xxxxx/xxxxx.txt'

SSL error with client 1.128.3.4:000 - (336151574, 'error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown')

Error in https connection from host 1.128.3.4 port 000 - [Errno 54] Connection reset by peer

Passphrase has been changed for user admin

Text Mail Logs

MID 111 DLP violation. Severity: LOW (Risk Factor: 15). DLP policy match: 'PCI-DSS (Payment Card Industry Data Security Standard)'.

graymail [CONFIG] Starting graymail configuration handler

URL_REP_CLIENT: Configuration changed. Triggering restart of URL Reputation client service.

A System/Warning alert was sent to example.com with subject "Warning <System> cisco.esa: URL category definitions have changed.; Added new category '...".

New SMTP ICID 5 interface Management (1.128.3.4) address 1.128.3.4 reverse dns host example.com verified yes

Start MID 6 ICID 5

MID 6 ICID 5 From: <example.com>

MID 6 ICID 5 RID 0 To: <example.com>

MID 6 ready 100 bytes from <example.com>

ICID 5 close

New SMTP DCID 8 interface 1.128.3.4 address 1.128.3.4

Delivery start DCID 8 MID 6 to RID [0]

Message done DCID 8 MID 6 to RID [0]

DCID 8 close

URL category definitions have changed. Please check and update your filters to use the new definitions

Error while sending alert: Unable to send System/Warning alert to example.com with subject "Warning <System> example.com: Your "IronPort Email Encryption" key will expire in under 60...".

Your "IronPort Anti-Spam" key will expire in under 60 day(s). Please contact your authorized Cisco sales representative.

Internal SMTP system successfully sent a message to example.com with subject 'Warning <System> cisco.esa: Your "Sophos Anti-Virus" key will expire in under 60 day(s)....'.

Internal SMTP giving up on message to example.com with subject 'Warning <System> example.com: Your "IronPort Email Encryption" key will expire in under 60...': Unrecoverable error.

Internal SMTP Error: Failed to send message to host 1.128.3.4:000 for recipient example: Unexpected SMTP response "553", expecting code starting with "2", response was ['#5.1.8 Domain of sender address <example.xxx> does not exist'].

MID 68119155 RID [0] Response '2.0.0 OK  1687954632 redactedstring - gsmtp'

MID 68119155 Subject "redacted subject"

MID 68119155 queued for delivery

Message finished MID 68119155 done

MID 68119155 interim verdict using engine: CASE bulk

MID 68119155 interim AV verdict using Sophos CLEAN

MID 68119155 using engine: GRAYMAIL positive

MID 68119155 Outbreak Filters: verdict negative

MID 68119155 using engine: SPF Verdict Cache using cached verdict

MID 68119155 Message-ID '<redacted@redactedMailFrom.com>'

MID 68119155 DMARC: Verification passed

MID 68119155 SPF: mailfrom identity no-reply@redactedMailFrom.com Pass (v=spf1)

MID 68119155 matched all recipients for per-recipient policy DEFAULT in the inbound table

MID 68119155 SDR: Tracker Header : redactedTrackerHeader

MID 68119155 SDR: Domains for which SDR is requested: reverse DNS host: redacted.redactedMailFrom.com, helo: redacted.redactedMailFrom.com, env-from: redactedMailFrom.com, header-from: redactedMailFrom.com, reply-to: redactedMailFrom.com

MID 68119155 SDR: Consolidated Sender Threat Level: Neutral, Threat Category: N/A, Suspected Domain(s) : N/A (other reasons for verdict). Sender Maturity: 30 days (or greater) for domain: redacted.redactedMailFrom.com

MID 68119155 DMARC: Message from domain redactedMailFrom.com, DMARC pass (SPF aligned True, DKIM aligned True)

MID 68119155 DKIM: pass signature verified (d=redactedMailFrom.com s=srsa2048 i=@redactedMailFrom.com)

MID 68119155 AMP file reputation verdict : SKIPPED (no attachment in message)

Status Logs

Status: CPULd 0 DskIO 0 RAMUtil 1 QKUsd 0 QKFre 8388608 CrtMID 0 CrtICID 0 CrtDCID 1 InjMsg 0 InjRcp 0 GenBncRcp 0 RejRcp 0 DrpMsg 0 SftBncEvnt 0 CmpRcp 0 HrdBncRcp 0 DnsHrdBnc 0 5XXHrdBnc 0 FltrHrdBnc 0 ExpHrdBnc 0 OtrHrdBnc 0 DlvRcp 0 DelRcp 0 GlbUnsbHt 0 ActvRcp 0 UnatmptRcp 0 AtmptRcp 0 CrtCncIn 0 CrtCncOut 0 DnsReq 0 NetReq 0 CchHit 0 CchMis 0 CchEct 0 CchExp 0 CPUTTm 91 CPUETm 32182 MaxIO 487 RAMUsd 125195690 MMLen 0 DstInMem 3 ResCon 0 WorkQ 0 QuarMsgs 0 QuarQKUsd 0 LogUsd 5 SophLd 99 BMLd 0 CASELd 0 TotalLd 47 LogAvail 148G EuQ 0 EuqRls 0 CmrkLd 0 McafLd 0 SwIn 338 SwOut 681 SwPgIn 2123 SwPgOut 7156 SwapUsage 0% RptLd 0 QtnLd 0 EncrQ 0 InjBytes 0

System Logs

PID 1237: User admin commit changes: Added a second CLI log for examples

lame DNS referral: qname:example.net ns_name:example.net zone:example.net ref_zone:example.net referrals:[(524666183436709L, 0, 'insecure', 'example.net'), (524666183436709L, 0, 'insecure', 'example.net')]

Failed to bootstrap the DNS resolver. Unable to contact root servers.

DNS query network error '[Errno 51] Network is unreachable' to 'dummy_ip' looking up ' '

Received an invalid DNS Response: '' to IP dummy_ip looking up example.de

Logs

log

This is the log dataset.

An example event for log looks as follows:

{
    "@timestamp": "2023-03-17T18:24:37.000Z",
    "agent": {
        "ephemeral_id": "7dbab520-f89c-42fb-93be-e46d1ec05fb8",
        "id": "0949f27e-3199-48ba-af2b-55e717cda399",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.7.1"
    },
    "cisco_secure_email_gateway": {
        "log": {
            "category": {
                "name": "amp"
            },
            "message": "File reputation query initiating. File Name = 'mod-6.exe', MID = 5, File Size = 1673216 bytes, File Type = application/x-dosexec"
        }
    },
    "data_stream": {
        "dataset": "cisco_secure_email_gateway.log",
        "namespace": "ep",
        "type": "logs"
    },
    "ecs": {
        "version": "8.10.0"
    },
    "elastic_agent": {
        "id": "0949f27e-3199-48ba-af2b-55e717cda399",
        "snapshot": false,
        "version": "8.7.1"
    },
    "email": {
        "attachments": {
            "file": {
                "name": "mod-6.exe",
                "size": 1673216
            }
        },
        "content_type": "application/x-dosexec",
        "message_id": "5"
    },
    "event": {
        "agent_id_status": "verified",
        "dataset": "cisco_secure_email_gateway.log",
        "ingested": "2023-10-31T06:24:58Z",
        "kind": "event",
        "timezone": "UTC"
    },
    "input": {
        "type": "udp"
    },
    "log": {
        "level": "info",
        "source": {
            "address": "192.168.254.4:57187"
        },
        "syslog": {
            "priority": 166
        }
    },
    "tags": [
        "forwarded",
        "cisco_secure_email_gateway-log"
    ]
}
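The example event above shows how the AMP "File reputation query initiating" line is mapped into email.* fields. The Python below, added as an illustration and not the integration's own ingest pipeline, reproduces that mapping and extends it to the "Response received for file reputation query" line using the disposition, malware, reputation_score, upload.action and email.attachments.file.hash.sha256 fields from the Exported fields table; mapping the response line this way is my assumption, since the page only shows the query line mapped, and both inputs are the AMP sample lines from this page.

```python
import re

# Constructed inputs: the two AMP Engine sample lines from this page.
QUERY_LINE = (
    "File reputation query initiating. File Name = 'mod-6.exe', MID = 5, "
    "File Size = 1673216 bytes, File Type = application/x-dosexec"
)
RESPONSE_LINE = (
    "Response received for file reputation query from Cloud. FileName = 'mod-6.exe', "
    "MID = 5, Disposition = MALICIOUS, Malware = W32.061DEF69B5-100.SBX.TG,"
    "Reputation Score = 73, sha256 =061def69b5c100e9979610fa5675bd19258b19a7ff538b5c2d230b467c312f19, "
    "upload_action = 2"
)

_QUERY = re.compile(
    r"^File reputation query initiating\. File Name = '(?P<name>[^']*)', MID = (?P<mid>\d+), "
    r"File Size = (?P<size>\d+) bytes, File Type = (?P<mime>\S+)$"
)
# The appliance's own spacing is irregular ("SBX.TG,Reputation", "sha256 =061..."),
# so \s* is used where the sample shows a missing or extra space.
_RESPONSE = re.compile(
    r"^Response received for file reputation query from (?P<source>\S+)\. "
    r"FileName = '(?P<name>[^']*)', MID = (?P<mid>\d+), Disposition = (?P<disposition>[A-Z ]+?), "
    r"Malware = (?P<malware>[^,]*),\s*Reputation Score = (?P<score>\d+), "
    r"sha256 =\s*(?P<sha256>[0-9a-fA-F]+), upload_action = (?P<upload>\d)$"
)

# Meanings of upload_action, as documented for cisco_secure_email_gateway.log.upload.action.
UPLOAD_ACTIONS = {
    "0": "need not send for upload",
    "1": "send file for upload",
    "2": "do not send file for upload",
    "3": "send only metadata for upload",
}


def parse_amp(message):
    """Map one AMP Engine line to ECS-style fields; returns None for other line shapes."""
    log = {"category": {"name": "amp"}, "message": message}
    m = _QUERY.match(message)
    if m:
        return {
            "email": {
                "attachments": {"file": {"name": m["name"], "size": int(m["size"])}},
                "content_type": m["mime"],
                "message_id": m["mid"],
            },
            "cisco_secure_email_gateway": {"log": log},
        }
    m = _RESPONSE.match(message)
    if m:
        log.update({
            "disposition": m["disposition"],
            "malware": m["malware"],
            "reputation_score": m["score"],
            "upload": {"action": m["upload"]},
        })
        return {
            "email": {
                "attachments": {"file": {"name": m["name"], "hash": {"sha256": m["sha256"].lower()}}},
                "message_id": m["mid"],
            },
            "cisco_secure_email_gateway": {"log": log},
        }
    return None


def _log_fields(event):
    return (event or {}).get("cisco_secure_email_gateway", {}).get("log", {})


def is_malicious(event):
    """True when the reputation server answered Disposition = MALICIOUS."""
    return _log_fields(event).get("disposition") == "MALICIOUS"


def describe_upload_action(event):
    """Human-readable meaning of upload_action, or None if the line carried none."""
    code = _log_fields(event).get("upload", {}).get("action")
    return UPLOAD_ACTIONS.get(code) if code is not None else None
```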

Exported fields

| Field | Description | Type |
| --- | --- | --- |
| @timestamp | Event timestamp. | date |
| cisco_secure_email_gateway.log.5xx_hard_bounces | 5XX Hard Bounces. | long |
| cisco_secure_email_gateway.log.act | | keyword |
| cisco_secure_email_gateway.log.action | | keyword |
| cisco_secure_email_gateway.log.active_recipients | Active Recipients. | long |
| cisco_secure_email_gateway.log.address | | ip |
| cisco_secure_email_gateway.log.alert_category | | keyword |
| cisco_secure_email_gateway.log.antivirus_result | | keyword |
| cisco_secure_email_gateway.log.appliance.product | | keyword |
| cisco_secure_email_gateway.log.appliance.vendor | | keyword |
| cisco_secure_email_gateway.log.appliance.version | | keyword |
| cisco_secure_email_gateway.log.attempted_recipients | Attempted Recipients. | long |
| cisco_secure_email_gateway.log.backoff | The number of seconds the email gateway waits before it next attempts to upload the file to the file analysis server. This occurs when the email gateway reaches the daily upload limit. | long |
| cisco_secure_email_gateway.log.bmld | | long |
| cisco_secure_email_gateway.log.bounce_type | Bounced or delayed (for example, hard or soft bounce). | keyword |
| cisco_secure_email_gateway.log.cache.exceptions | Cache Exceptions. | long |
| cisco_secure_email_gateway.log.cache.expired | Cache Expired. | long |
| cisco_secure_email_gateway.log.cache.hits | Cache Hits. | long |
| cisco_secure_email_gateway.log.cache.misses | Cache Misses. | long |
| cisco_secure_email_gateway.log.case_id | | keyword |
| cisco_secure_email_gateway.log.case_ld | Percent CPU used by CASE scanning. | long |
| cisco_secure_email_gateway.log.category.name | | keyword |
| cisco_secure_email_gateway.log.cef_format_version | | keyword |
| cisco_secure_email_gateway.log.cfp1 | | double |
| cisco_secure_email_gateway.log.cfp1_label | | keyword |
| cisco_secure_email_gateway.log.cmrkld | | long |
| cisco_secure_email_gateway.log.command | | text |
| cisco_secure_email_gateway.log.commit_changes | | text |
| cisco_secure_email_gateway.log.completed_recipients | Completed Recipients. | long |
| cisco_secure_email_gateway.log.connection | | keyword |
| cisco_secure_email_gateway.log.connection_status | | keyword |
| cisco_secure_email_gateway.log.cpu.elapsed_time | Elapsed time since the application started. | long |
| cisco_secure_email_gateway.log.cpu.total_time | Total CPU time used by the application. | long |
| cisco_secure_email_gateway.log.cpu.utilization | CPU Utilization. | long |
| cisco_secure_email_gateway.log.crt.delivery_connection_id | Delivery Connection ID (DCID). | keyword |
| cisco_secure_email_gateway.log.crt.injection_connection_id | Injection Connection ID (ICID). | keyword |
| cisco_secure_email_gateway.log.cs1 | | keyword |
| cisco_secure_email_gateway.log.cs1_label | | keyword |
| cisco_secure_email_gateway.log.cs2 | | keyword |
| cisco_secure_email_gateway.log.cs2_label | | keyword |
| cisco_secure_email_gateway.log.cs3 | | keyword |
| cisco_secure_email_gateway.log.cs3_label | | keyword |
| cisco_secure_email_gateway.log.cs4 | | keyword |
| cisco_secure_email_gateway.log.cs4_label | | keyword |
| cisco_secure_email_gateway.log.cs5 | | keyword |
| cisco_secure_email_gateway.log.cs5_label | | keyword |
| cisco_secure_email_gateway.log.cs6 | | keyword |
| cisco_secure_email_gateway.log.cs6_label | | keyword |
| cisco_secure_email_gateway.log.current.inbound_connections | Current Inbound Connections. | long |
| cisco_secure_email_gateway.log.current.outbound_connections | Current Outbound Connections. | long |
| cisco_secure_email_gateway.log.data.ip | | ip |
| cisco_secure_email_gateway.log.deleted_recipients | Deleted Recipients. | long |
| cisco_secure_email_gateway.log.delivered_recipients | Delivered Recipients. | long |
| cisco_secure_email_gateway.log.delivery_connection_id | Delivery Connection ID. A numerical identifier for an individual SMTP connection to another server, used to deliver from one to thousands of messages, each with some or all of its RIDs delivered in a single message transmission. | keyword |
| cisco_secure_email_gateway.log.description | | text |
| cisco_secure_email_gateway.log.destination | | text |
| cisco_secure_email_gateway.log.destination_memory | Number of destination objects in memory. | long |
| cisco_secure_email_gateway.log.details | Additional information. | text |
| cisco_secure_email_gateway.log.device_direction | | keyword |
| cisco_secure_email_gateway.log.disk_io | Disk I/O Utilization. | long |
| cisco_secure_email_gateway.log.disposition | The file reputation disposition. Values: MALICIOUS; CLEAN; FILE UNKNOWN (the reputation score is zero); VERDICT UNKNOWN (the disposition is FILE UNKNOWN and the score is non-zero); LOW RISK (no dynamic content is found in the file after file analysis; the file is not sent for file analysis and the message continues through the email pipeline). | keyword |
| cisco_secure_email_gateway.log.dkim_aligned | Whether DKIM is aligned (true or false). | boolean |
| cisco_secure_email_gateway.log.dns.hard_bounces | DNS Hard Bounces. | long |
| cisco_secure_email_gateway.log.dns.requests | DNS Requests. | long |
| cisco_secure_email_gateway.log.domain | | keyword |
| cisco_secure_email_gateway.log.dropped_messages | Dropped Messages. | long |
| cisco_secure_email_gateway.log.email | | keyword |
| cisco_secure_email_gateway.log.email_tracker_header | Header consisting of (but not typically displaying) critical information for efficient email tracking and delivery. | keyword |
| cisco_secure_email_gateway.log.encrypted_hash | | keyword |
| cisco_secure_email_gateway.log.encryption_queue | Messages in the Encryption Queue. | long |
| cisco_secure_email_gateway.log.engine | Engine used by the interim verdict. | keyword |
| cisco_secure_email_gateway.log.env | | keyword |
| cisco_secure_email_gateway.log.error_code | | keyword |
| cisco_secure_email_gateway.log.esa.amp_verdict | | keyword |
| cisco_secure_email_gateway.log.esa.as_verdict | | keyword |
| cisco_secure_email_gateway.log.esa.attachment_details | | text |
| cisco_secure_email_gateway.log.esa.av_verdict | | keyword |
| cisco_secure_email_gateway.log.esa.content_filter_verdict | | keyword |
| cisco_secure_email_gateway.log.esa.dane.host | | keyword |
| cisco_secure_email_gateway.log.esa.dane.ip | | ip |
| cisco_secure_email_gateway.log.esa.dane.status | | keyword |
| cisco_secure_email_gateway.log.esa.delivery_connection_id | | keyword |
| cisco_secure_email_gateway.log.esa.dha_source | | ip |
| cisco_secure_email_gateway.log.esa.dkim_verdict | | keyword |
| cisco_secure_email_gateway.log.esa.dlp_verdict | | keyword |
| cisco_secure_email_gateway.log.esa.dmarc_verdict | | keyword |
| cisco_secure_email_gateway.log.esa.final_action_details | | text |
| cisco_secure_email_gateway.log.esa.friendly_from | | keyword |
| cisco_secure_email_gateway.log.esa.graymail_verdict | | keyword |
| cisco_secure_email_gateway.log.esa.helo.domain | | keyword |
| cisco_secure_email_gateway.log.esa.helo.ip | | ip |
| cisco_secure_email_gateway.log.esa.injection_connection_id | | keyword |
| cisco_secure_email_gateway.log.esa.mail_auto_remediation_action | | text |
| cisco_secure_email_gateway.log.esa.mail_flow_policy | | keyword |
| cisco_secure_email_gateway.log.esa.mar_action | | keyword |
| cisco_secure_email_gateway.log.esa.mf_verdict | | keyword |
| cisco_secure_email_gateway.log.esa.msg_size | | long |
| cisco_secure_email_gateway.log.esa.msg_too_big | | keyword |
| cisco_secure_email_gateway.log.esa.msg_too_big_from_sender | | boolean |
| cisco_secure_email_gateway.log.esa.outbreak_filter_verdict | | keyword |
| cisco_secure_email_gateway.log.esa.rate_limited_ip | | keyword |
| cisco_secure_email_gateway.log.esa.reply_to | | keyword |
| cisco_secure_email_gateway.log.esa.sdr_consolidated_domain_age | | text |
| cisco_secure_email_gateway.log.esa.sender_group | | keyword |
| cisco_secure_email_gateway.log.esa.spf_verdict | | keyword |
| cisco_secure_email_gateway.log.esa.tls.domain | | keyword |
| cisco_secure_email_gateway.log.esa.tls.in.cipher | | keyword |
| cisco_secure_email_gateway.log.esa.tls.in.connection_status | | keyword |
| cisco_secure_email_gateway.log.esa.tls.in.protocol | | keyword |
| cisco_secure_email_gateway.log.esa.tls.out.cipher | | keyword |
| cisco_secure_email_gateway.log.esa.tls.out.connection_status | | keyword |
| cisco_secure_email_gateway.log.esa.tls.out.protocol | | keyword |
| cisco_secure_email_gateway.log.esa.url_details | | text |
| cisco_secure_email_gateway.log.estimated.quarantine | Estimated number of messages in the Spam quarantine. | long |
| cisco_secure_email_gateway.log.estimated.quarantine_release_queue | Estimated number of messages in the Spam quarantine release queue. | long |
| cisco_secure_email_gateway.log.event.name | | keyword |
| cisco_secure_email_gateway.log.event_class_id | | keyword |
| cisco_secure_email_gateway.log.expired_hard_bounces | Expired Hard Bounces. | long |
| cisco_secure_email_gateway.log.filter_hard_bounces | Filter Hard Bounces. | long |
| cisco_secure_email_gateway.log.generated_bounce_recipients | Generated Bounce Recipients. | long |
| cisco_secure_email_gateway.log.global_unsubscribe_hits | Global Unsubscribe Hits. | long |
| cisco_secure_email_gateway.log.hard_bounce_recipients | Hard Bounced Recipients. | long |
| cisco_secure_email_gateway.log.helo | | keyword |
| cisco_secure_email_gateway.log.injected.bytes | Total Injected Message Size in Bytes. | long |
| cisco_secure_email_gateway.log.injected.messages | Injected Messages. | long |
| cisco_secure_email_gateway.log.injected.recipients | Injected Recipients. | long |
| cisco_secure_email_gateway.log.injection_connection_id | Injection Connection ID. A numerical identifier for an individual SMTP connection to the system, over which from one to thousands of individual messages may be sent. | keyword |
| cisco_secure_email_gateway.log.interface | | keyword |
| cisco_secure_email_gateway.log.listener.name | | keyword |
| cisco_secure_email_gateway.log.log_available | Amount of disk space available for log files. | keyword |
| cisco_secure_email_gateway.log.log_used | Percent of log partition used. | long |
| cisco_secure_email_gateway.log.malware | The name of the malware threat. | keyword |
| cisco_secure_email_gateway.log.maturity | Sender maturity time. | keyword |
| cisco_secure_email_gateway.log.max_io | Maximum disk I/O operations per second for the mail process. | long |
| cisco_secure_email_gateway.log.mcafee_ld | Percent CPU used by McAfee anti-virus scanning. | long |
| cisco_secure_email_gateway.log.message | | text |
| cisco_secure_email_gateway.log.message_filters_verdict | | keyword |
| cisco_secure_email_gateway.log.message_status | | keyword |
| cisco_secure_email_gateway.log.messages_length | Total number of messages in the system. | long |
| cisco_secure_email_gateway.log.name | | keyword |
| cisco_secure_email_gateway.log.network_requests | Network Requests. | long |
| cisco_secure_email_gateway.log.ns_name | | keyword |
| cisco_secure_email_gateway.log.object | | keyword |
| cisco_secure_email_gateway.log.object_attr | | keyword |
| cisco_secure_email_gateway.log.object_category | | keyword |
| cisco_secure_email_gateway.log.other_hard_bounces | Other Hard Bounces. | long |
| cisco_secure_email_gateway.log.outcome | | keyword |
| cisco_secure_email_gateway.log.policy | Per-recipient policy defined in the inbound table. | keyword |
| cisco_secure_email_gateway.log.privilege | | keyword |
| cisco_secure_email_gateway.log.qname | | keyword |
| cisco_secure_email_gateway.log.quarantine.load | CPU load during the Quarantine process. | long |
| cisco_secure_email_gateway.log.quarantine.messages | Number of individual messages in policy, virus, or outbreak quarantine (messages present in multiple quarantines are counted only once). | long |
| cisco_secure_email_gateway.log.quarantine.queue_kilobytes_used | KBytes used by policy, virus, and outbreak quarantine messages. | long |
| cisco_secure_email_gateway.log.queue_kilobytes_free | Queue Kilobytes Free. | long |
| cisco_secure_email_gateway.log.queue_kilobytes_usd | Queue Kilobytes Used. | long |
| cisco_secure_email_gateway.log.ram.used | Allocated memory in bytes. | long |
| cisco_secure_email_gateway.log.ram.utilization | RAM Utilization. | long |
| cisco_secure_email_gateway.log.rank | | long |
| cisco_secure_email_gateway.log.read_bytes | | long |
| cisco_secure_email_gateway.log.recepients | | keyword |
| cisco_secure_email_gateway.log.recipient_id | Recipient ID. | keyword |
| cisco_secure_email_gateway.log.ref_zone | | keyword |
| cisco_secure_email_gateway.log.referrals | | text |
| cisco_secure_email_gateway.log.rejected_recipients | Rejected Recipients. | long |
| cisco_secure_email_gateway.log.reporting_load | CPU load during the Reporting process. | long |
| cisco_secure_email_gateway.log.reputation_score | The reputation score assigned to the file by the file reputation server. | keyword |
| cisco_secure_email_gateway.log.resource_conservation | Resource conservation tarpit value. Acceptance of incoming mail is delayed by this number of seconds due to heavy system load. | long |
| cisco_secure_email_gateway.log.response | SMTP response code and message from the recipient host. | text |
| cisco_secure_email_gateway.log.result | | text |
| cisco_secure_email_gateway.log.retries | The number of upload attempts performed on a given file. | long |
| cisco_secure_email_gateway.log.risk_factor | | long |
| cisco_secure_email_gateway.log.run_id | The numeric value (ID) assigned to the file by the file analysis server for a particular file analysis. | keyword |
| cisco_secure_email_gateway.log.score | The analysis score assigned to the file by the file analysis server. | long |
| cisco_secure_email_gateway.log.server_error_details | | text |
| cisco_secure_email_gateway.log.session | | keyword |
| cisco_secure_email_gateway.log.severity | | keyword |
| cisco_secure_email_gateway.log.soft_bounced_events | Soft Bounced Events. | long |
| cisco_secure_email_gateway.log.sophos_ld | Percent CPU used by Sophos anti-virus scanning. | long |
| cisco_secure_email_gateway.log.spf_aligned | Whether SPF is aligned (true or false). | boolean |
| cisco_secure_email_gateway.log.spy_name | The name of the threat, if malware is found in the file during file analysis. | keyword |
| cisco_secure_email_gateway.log.start_time | | keyword |
| cisco_secure_email_gateway.log.subject | | text |
| cisco_secure_email_gateway.log.submit.timestamp | The date and time at which the file is uploaded to the file analysis server by the email gateway. | date |
| cisco_secure_email_gateway.log.suspected_domains | | keyword |
| cisco_secure_email_gateway.log.swap_usage | | keyword |
| cisco_secure_email_gateway.log.swapped.in | Memory swapped in. | long |
| cisco_secure_email_gateway.log.swapped.out | Memory swapped out. | long |
| cisco_secure_email_gateway.log.swapped.page.in | Memory paged in. | long |
| cisco_secure_email_gateway.log.swapped.page.out | Memory paged out. | long |
| cisco_secure_email_gateway.log.threat_category | Category of the threat. | keyword |
| cisco_secure_email_gateway.log.threat_level | Threat level. | keyword |
| cisco_secure_email_gateway.log.total_ld | Total CPU consumption. | long |
| cisco_secure_email_gateway.log.type | | keyword |
| cisco_secure_email_gateway.log.unattempted_recipients | Unattempted Recipients. | long |
| cisco_secure_email_gateway.log.update.timestamp | The date and time at which the file analysis for the file is complete. | date |
| cisco_secure_email_gateway.log.upload.action | The upload action recommended by the file reputation server for the file: 0 - need not send for upload; 1 - send file for upload (the email gateway uploads the file when the value is 1); 2 - do not send file for upload; 3 - send only metadata for upload. | keyword |
| cisco_secure_email_gateway.log.upload.priority | Upload priority values: High - for all selected file types except PDF; Low - for PDF files only. | keyword |
| cisco_secure_email_gateway.log.vendor_action | | keyword |
| cisco_secure_email_gateway.log.verdict | The file retrospective verdict value is malicious or clean. | keyword |
| cisco_secure_email_gateway.log.verdict_scale | Verdict is negative or positive. | keyword |
| cisco_secure_email_gateway.log.verified | | keyword |
| cisco_secure_email_gateway.log.work_queue | The number of messages currently in the work queue. | long |
| cisco_secure_email_gateway.log.zone | | keyword |
| client.ip | IP address of the client (IPv4 or IPv6). | ip |
| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
| cloud.availability_zone | Availability zone in which this host is running. | keyword |
| cloud.image.id | Image ID for the cloud instance. | keyword |
| cloud.instance.id | Instance ID of the host machine. | keyword |
| cloud.instance.name | Instance name of the host machine. | keyword |
| cloud.machine.type | Machine type of the host machine. | keyword |
| cloud.project.id | Name of the project in Google Cloud. | keyword |
| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
| cloud.region | Region in which this host is running. | keyword |
| container.id | Unique container id. | keyword |
| container.image.name | Name of the image the container was built on. | keyword |
| container.labels | Image labels. | object |
| container.name | Container name. | keyword |
| data_stream.dataset | Data stream dataset. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
| destination.port | Port of the destination. | long |
| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword |
| ecs.version | ECS version this event conforms to. ecs.version is a required field and must exist in all events. When querying across multiple indices, which may conform to slightly different ECS versions, this field lets integrations adjust to the schema version of the events. | keyword |
| email.attachments.file.hash.sha256 | SHA256 hash. | keyword |
| email.attachments.file.mime_type | The MIME media type of the attachment. This value will typically be extracted from the Content-Type MIME header field. | keyword |
| email.attachments.file.name | Name of the attachment file including the file extension. | keyword |
| email.attachments.file.size | Attachment file size in bytes. | long |
| email.content_type | Information about how the message is to be displayed. Typically a MIME type. | keyword |
| email.direction | The direction of the message based on the sending and receiving domains. | keyword |
| email.from.address | The email address of the sender, typically from the RFC 5322 From: header field. | keyword |
| email.message_id | Identifier from the RFC 5322 Message-ID: email header that refers to a particular email message. | wildcard |
| email.subject | A brief summary of the topic of the message. | keyword |
| email.subject.text | Multi-field of email.subject. | match_only_text |
| email.to.address | The email address of the recipient. | keyword |
| event.dataset | Event dataset. | constant_keyword |
event.end
event.end contains the date when the event ended or when the activity was last observed.
date
event.id
Unique ID to describe the event.
keyword
event.module
Event module.
constant_keyword
event.outcome
This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. event.outcome simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of event.outcome, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with event.type:info, or any events for which an outcome does not make logical sense.
keyword
event.reason
Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where event.action captures the action from the event, event.reason describes why that action was taken. For example, a web proxy with an event.action which denied the request may also populate event.reason with the reason why (e.g. blocked site).
keyword
event.start
event.start contains the date when the event started or when the activity was first observed.
date
file.extension
File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
keyword
file.name
Name of the file including the extension, without the directory.
keyword
host.architecture
Operating system architecture.
keyword
host.containerized
If the host is a container.
boolean
host.domain
Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider.
keyword
host.hostname
Hostname of the host. It normally contains what the hostname command returns on the host machine.
keyword
host.id
Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of beat.name.
keyword
host.ip
Host ip addresses.
ip
host.mac
Host mac addresses.
keyword
host.name
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
keyword
host.os.build
OS build information.
keyword
host.os.codename
OS codename, if any.
keyword
host.os.family
OS family (such as redhat, debian, freebsd, windows).
keyword
host.os.kernel
Operating system kernel version as a raw string.
keyword
host.os.name
Operating system name, without the version.
keyword
host.os.name.text
Multi-field of host.os.name.
text
host.os.platform
Operating system platform (such centos, ubuntu, windows).
keyword
host.os.version
Operating system version as a raw string.
keyword
host.type
Type of host. For Cloud providers this can be the machine type like t2.medium. If vm, this could be the container, for example, or other information meaningful in your environment.
keyword
http.request.method
HTTP request method. The value should retain its casing from the original event. For example, GET, get, and GeT are all considered valid values for this field.
keyword
http.response.status_code
HTTP response status code.
long
http.version
HTTP version.
keyword
input.type
Input type.
keyword
log.file.path
File path from which the log event was read / sent from.
keyword
log.level
Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in log.level. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are warn, err, i, informational.
keyword
log.offset
Log offset.
long
log.source.address
Source address from which the log event was read / sent from.
keyword
log.syslog.priority
Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191.
long
network.protocol
In the OSI Model this would be the Application Layer protocol. For example, http, dns, or ssh. The field value must be normalized to lowercase for querying.
keyword
observer.vendor
Vendor name of the observer.
keyword
process.pid
Process id.
long
related.hash
All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search).
keyword
related.ip
All of the IPs seen on your event.
ip
related.user
All the user names or other user identifiers seen on the event.
keyword
source.domain
The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
keyword
source.ip
IP address of the source (IPv4 or IPv6).
ip
source.port
Port of the source.
long
tags
List of keywords used to tag each event.
keyword
url.path
Path of the request, such as "/search".
wildcard
user.name
Short name or login of the user.
keyword
user.name.text
Multi-field of user.name.
match_only_text
user_agent.device.name
Name of the device.
keyword
user_agent.name
Name of the user agent.
keyword
user_agent.original
Unparsed user_agent string.
keyword
user_agent.original.text
Multi-field of user_agent.original.
match_only_text
user_agent.os.full
Operating system name, including the version or code name.
keyword
user_agent.os.full.text
Multi-field of user_agent.os.full.
match_only_text
user_agent.os.name
Operating system name, without the version.
keyword
user_agent.os.name.text
Multi-field of user_agent.os.name.
match_only_text
user_agent.os.version
Operating system version as a raw string.
keyword
user_agent.version
Version of the user agent.
keyword

Changelog

| Version | Details |
| --- | --- |
| 1.18.0 | Enhancement: Support new format for mail category of logs and add pipeline for antivirus category. |
| 1.17.0 | Enhancement: Improve 'event.original' check to avoid errors if set. |
| 1.16.0 | Enhancement: Update ingest pipeline to handle v15. |
|  | Bug fix: Fix handling of logs without a syslog priority. |
|  | Bug fix: Fix handling of event.start and event.end for consolidated events. |
| 1.15.0 | Enhancement: ECS version updated to 8.10.0. |
| 1.14.0 | Enhancement: The format_version in the package manifest changed from 2.11.0 to 3.0.0. Removed dotted YAML keys from package manifest. Added 'owner.type: elastic' to package manifest. |
| 1.13.1 | Bug fix: Remove the unused mappings for 'type' and 'filepath'. |
| 1.13.0 | Enhancement: Add tags.yml file so that the integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI. |
| 1.12.0 | Enhancement: Update package-spec to 2.10.0. |
| 1.11.2 | Bug fix: Match both Unix and Windows-style paths, correctly. |
| 1.11.1 | Bug fix: Match both Unix and Windows-style paths. |
| 1.11.0 | Enhancement: Update package to ECS 8.9.0. |
| 1.10.1 | Bug fix: Fix grok timeout on expensive consolidated events logs. |
| 1.10.0 | Enhancement: Convert dashboard to lens. |
| 1.9.0 | Enhancement: Ensure event.kind is correctly set for pipeline errors. |
| 1.8.2 | Bug fix: Fix grok pattern in AMP pipeline. |
| 1.8.1 | Bug fix: Fix consolidated event pipeline. |
| 1.8.0 | Enhancement: Update package to ECS 8.8.0. |
| 1.7.1 | Bug fix: Fix grok pattern and timezone in consolidated pipeline. |
| 1.7.0 | Enhancement: Update package to ECS 8.7.0. |
| 1.6.2 | Bug fix: Fix grok pattern in AMP pipeline. |
| 1.6.1 | Enhancement: Added categories and/or subcategories. |
| 1.6.0 | Enhancement: Allow configuration of time zones. |
| 1.5.1 | Enhancement: Add trim processor to remove white spaces in message. |
| 1.5.0 | Enhancement: Update package to ECS 8.6.0. |
| 1.4.0 | Enhancement: Add udp_options to the UDP input. |
| 1.3.1 | Bug fix: Fix grok pattern to extract additional fields. |
| 1.3.0 | Enhancement: Add an on_failure processor to the date processor. |
| 1.2.0 | Enhancement: Update package to ECS 8.5.0. |
| 1.1.0 | Enhancement: Improve error message for incorrect log filepath configuration. |
|  | Bug fix: Fix grok pattern for extracting log category from filepath. |
| 1.0.1 | Bug fix: Remove duplicate fields. |
| 1.0.0 | Enhancement: Make GA. |
| 0.3.0 | Enhancement: Update package to ECS 8.4.0. |
| 0.2.1 | Enhancement: Improve SSL config description and example. |
| 0.2.0 | Enhancement: Update package to ECS 8.3.0. |
| 0.1.0 | Enhancement: Initial draft of the package. |
