
mail.trellix

Introduction

The tags beginning with mail.trellix identify events generated by Trellix.

Valid tags and data tables

The full tag must have 4 levels. The first two are fixed as mail.trellix. The third level identifies the type of events sent. The fourth level indicates the event subtype.

These are the valid tags and the corresponding data tables that receive the parsers' data:

| Product / Service | Tags | Data tables |
|---|---|---|
| Trellix FireEye ETP | mail.trellix.etp.alert_summary | mail.trellix.etp.alert_summary |
| Trellix FireEye ETP | mail.trellix.etp.email_trace | mail.trellix.etp.email_trace |
| Trellix FireEye ETP | mail.trellix.etp.user_activity_search | mail.trellix.etp.user_activity_search |
| Trellix FireEye ETP | mail.trellix.etp.statistic | mail.trellix.etp.statistic |

For more information, see About Devo tags.

Table structure

These are the fields displayed in these tables:

mail.trellix.etp.alert_summary

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| hostname | str | | | |
| attributes__meta__read | bool | | | |
| attributes__meta__last_modified_on | timestamp | | | |
| attributes__meta__legacy_id | int8 | | | |
| attributes__meta__acknowledged | bool | | | |
| attributes__meta__timestamps__db_insert_time | str | | | |
| attributes__meta__timestamps__es_insert_time | timestamp | | | |
| attributes__meta__last_malware | str | | | |
| attributes__meta__alert_type | str | | | |
| attributes__alert__product | str | | | |
| attributes__alert__alert_type | str | | | |
| attributes__alert__malware_md5 | str | | | |
| attributes__alert__timestamp | timestamp | | | |
| attributes__alert__sha256 | str | | | |
| attributes__email__status | str | | | |
| attributes__email__source_ip | str | | | |
| attributes__email__source_ip_v4 | ip4 | ip4(attributes__email__source_ip) | attributes__email__source_ip | |
| attributes__email__source_ip_v6 | ip6 | ip6(attributes__email__source_ip) | attributes__email__source_ip | |
| attributes__email__smtp__rcpt_to | str | | | |
| attributes__email__smtp__mail_from | str | | | |
| attributes__email__etp_message_id | str | | | |
| attributes__email__headers__cc | str | | | |
| attributes__email__headers__to | str | | | |
| attributes__email__headers__from | str | | | |
| attributes__email__headers__subject | str | | | |
| attributes__email__attachment | str | | | |
| attributes__email__timestamp__accepted | timestamp | | | |
| id | str | | | |
| links__detail | str | | | |
| at_devo_pulling_id | str | | | |
| hostchain | str | | | ✓ |
| tag | str | | | ✓ |
| rawMessage | str | | | ✓ |

mail.trellix.etp.email_trace

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| hostname | str | | | |
| id | str | | | |
| threat_type | str | | | |
| included | str | | | |
| attributes__verdicts_as | str | | | |
| attributes__verdicts_av | str | | | |
| attributes__verdicts_at | str | | | |
| attributes__verdicts_pv | str | | | |
| attributes__verdicts_yara | str | | | |
| attributes__verdicts__action_yara | str | | | |
| attributes__domain | str | | | |
| attributes__down_stream_msg_id | str | | | |
| attributes__subject | str | | | |
| attributes__accepted_date_time | timestamp | | | |
| attributes__last_modified_date_time | timestamp | | | |
| attributes__original_message_id | str | | | |
| attributes__country_code | str | | | |
| attributes__sender_header | str | | | |
| attributes__sender_smtp | str | | | |
| attributes__sender_ip | str | | | |
| attributes__sender_ip_v4 | ip4 | ip4(attributes__sender_ip) | attributes__sender_ip | |
| attributes__sender_ip_v6 | ip6 | | attributes__sender_ip | |
| attributes__status | str | | | |
| attributes__recipient_smtp | str | | | |
| attributes__recipient_header | str | | | |
| attributes__email_size | float8 | | | |
| at_devo_pulling_id | str | | | |
| hostchain | str | | | ✓ |
| tag | str | | | ✓ |
| rawMessage | str | | | ✓ |

mail.trellix.etp.user_activity_search

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| hostname | str | | | |
| attributes__user_email_id | str | | | |
| attributes__time | str | | | |
| attributes__user_ip | str | | | |
| attributes__user_ip_v4 | ip4 | | attributes__user_ip | |
| attributes__user_ip_v6 | ip6 | | attributes__user_ip | |
| attributes__details_values | str | | | |
| attributes__user_agent | str | | | |
| attributes__user_action | str | | | |
| attributes__user_action_text | str | | | |
| attributes__details | str | | | |
| at_devo_pulling_id | str | | | |
| hostchain | str | | | ✓ |
| tag | str | | | ✓ |
| rawMessage | str | | | ✓ |

mail.trellix.etp.statistic

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| hostname | str | |
| emails_delivered | str | |
| temporary_failures | str | |
| permanent_failures | str | |
| emails_accepted | str | |
| emails_received | str | |
| malicious | str | |
| spam | str | |
| virus_name | str | |
| at_devo_pulling_id | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |