2014-08-12 08:47 AM
Hello All,
Actually I want to create a report in which I can see from how many different email domains I am getting emails, and how many emails from each.
Like I have my company's email domain by the name of @indiapalace.com, from where I am sending the emails and receiving the same.
So what I want to know in RSA Security Analytics reporting is from how many foreign or outside email domains I am getting emails, with the respective number of emails I received on the @indiapalace.com email domain.
These are all the details I want to see in my report.
Kindly suggest, if anyone has an idea for the same.
I am waiting for your response.
Thanks to everyone in advance.
2014-08-14 04:49 AM
One approach is to have a post-processing parser that extracts the domain (after the @) from the email.src/email.dst meta values and puts it into new (or existing) meta keys (e.g. domain.src/domain.dst). See below for some prototypes of such parsers in lua.
And then use the latter meta keys for the reports.
Hope this helps!
/Hans
DomainSrcFromEmailSrc-v1.1.lua

```lua
local DomainSrcFromEmailSrc = nw.createParser("DomainSrcFromEmailSrc", "This extracts the domain from the email.src")
-- Version 1.1 updated on 2014-08-12

function DomainSrcFromEmailSrc:extractDomain(index, metaValue)
    -- find the '@' in the email
    local num_temp = string.find(metaValue, "@")
    -- make sure that a '@' character was found
    if num_temp ~= nil then
        -- move to the position where the domain part starts
        num_temp = num_temp + 1
        -- read domain part (sub string up to the end of the line)
        local string_temp = string.sub(metaValue, num_temp, string.len(metaValue))
        -- make sure the read succeeded
        if string_temp ~= nil then
            -- register what was read as domain.src meta
            nw.createMeta(self.keys["domain.src"], string_temp)
        end
    end
end

-- declare "meta keys"
DomainSrcFromEmailSrc:setKeys({
    nwlanguagekey.create("domain.src"),
})

-- declare a meta-callback for when email.src meta is created
DomainSrcFromEmailSrc:setCallbacks({
    [nwlanguagekey.create("email.src")] = DomainSrcFromEmailSrc.extractDomain,
})
```
DomainDstFromEmailDst-v1.1.lua

```lua
local DomainDstFromEmailDst = nw.createParser("DomainDstFromEmailDst", "This extracts the domain from the email.dst")
-- Version 1.1 updated on 2014-08-12

function DomainDstFromEmailDst:extractDomain(index, metaValue)
    -- find the '@' in the email
    local num_temp = string.find(metaValue, "@")
    -- make sure that a '@' character was found
    if num_temp ~= nil then
        -- move to the position where the domain part starts
        num_temp = num_temp + 1
        -- read domain part (sub string up to the end of the line)
        local string_temp = string.sub(metaValue, num_temp, string.len(metaValue))
        -- make sure the read succeeded
        if string_temp ~= nil then
            -- register what was read as domain.dst meta
            nw.createMeta(self.keys["domain.dst"], string_temp)
        end
    end
end

-- declare "meta keys"
DomainDstFromEmailDst:setKeys({
    nwlanguagekey.create("domain.dst"),
})

-- declare a meta-callback for when email.dst meta is created
DomainDstFromEmailDst:setCallbacks({
    [nwlanguagekey.create("email.dst")] = DomainDstFromEmailDst.extractDomain,
})
```
2014-08-14 05:32 AM
Hello Lorentzon,
Thanks for sharing this.
Please suggest step-by-step how I can use it and deploy it in RSA Security Analytics as well, so that in my reporting I can create a report based on the email domain.
I hope you understand my need, i.e. what I am looking for.
Regards,
Deepanshu Sood.
2014-08-14 07:51 AM
First create the parser files (with extension .lua) on your local machine from which you use the browser to connect to the SA GUI.
In the Security Analytics menu, select Administration > Devices.
In the Device grid, select the Decoder or Log Decoder device.
In the toolbar, select View > Config.
Select the Parsers tab and then select Upload. The “Upload Parsers” dialogue window will pop up.
Click the ‘+’ to browse and choose parser files to upload.
Select the Upload button to upload your parser(s).
The parsers should be loaded automatically, and for any newly captured and/or ingested data that already creates email.src/email.dst meta values there will also be domain.src/domain.dst meta values.
Now the domain.src/domain.dst meta will be available to be used in a reporting rule.
Hope this helps!
/Hans
2014-08-14 09:12 AM
Hello
Thanks Hans for all your efforts.
But the domain.src and domain.dst are already available by default in SA from the first time.
What I want is that, for whatever emails I am receiving from different email domains on our internal email server, I can get the list of those email domains and also the number of emails I received from the foreign email domain servers.
So that I can identify that, suppose I have an internal email domain by the name of @patern.com, then I can check the total number of emails I received from outside email domains, with the number of emails as well.
The parser you suggested is totally right to identify the domain source and destination only, but here we want to identify the domain in reference to emails we received from the external email domains.
I hope you understand what I am trying to say.
If it is possible to create a parser which can segregate the foreign email domains along with the number of emails from there, then this will help us a lot to identify and create a rule accordingly.
Regards,
Deepanshu Sood.
2014-08-18 06:43 AM
If the OOTB meta keys domain.src and domain.dst are not suitable in your environment, you can add new custom meta keys such as emaildomain.src and emaildomain.dst (to the "index-concentrator-custom.xml" file) and modify the lua parsers accordingly.
Perhaps I've missed something in your descriptions, but what information are you capturing that contains the from and to email addresses? Are these logs from an Exchange server or packets/sessions from the incoming traffic to a mail server?
Can you provide some information on the email meta keys and values available in one of these (log) events or (packet) sessions?
/Hans
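As an added example (not code from this thread or from RSA), here is how the two prototype parsers above can be folded into a single parser that writes to the custom emaildomain.src/emaildomain.dst keys Hans suggests. It uses only the parser API calls already shown in the thread (nw.createParser, setKeys, setCallbacks, nwlanguagekey.create, nw.createMeta); the helper domainOf and the callback names onEmailSrc/onEmailDst are this example's own. Beyond the prototypes, it tolerates a display-name form such as "User <user@example.com>" and lower-cases the domain so that one domain is not counted twice in a report because of letter case.

```lua
-- Added example, not from the thread: one parser that derives both
-- emaildomain.src and emaildomain.dst (custom keys, as suggested above)
-- from the existing email.src / email.dst meta values.
local EmailDomainFromEmail = nw.createParser("EmailDomainFromEmail",
    "Derives emaildomain.src/emaildomain.dst from email.src/email.dst")

-- Custom keys; these must also be declared in index-concentrator-custom.xml
-- (as noted in the thread) so the Concentrator indexes them for reporting.
EmailDomainFromEmail:setKeys({
    nwlanguagekey.create("emaildomain.src"),
    nwlanguagekey.create("emaildomain.dst"),
})

-- Helper (this example's own): pull the domain out of an address.
-- Handles a bare address ("user@example.com") and a display-name form
-- ("User <user@example.com>"), and normalises to lower case so that
-- "Example.COM" and "example.com" are counted as one domain.
-- Returns nil when no domain can be found.
local function domainOf(address)
    if type(address) ~= "string" then
        return nil
    end
    -- capture what follows the '@' up to whitespace, '>' or another '@'
    local domain = string.match(address, "@([^@>%s]+)")
    if domain == nil or domain == "" then
        return nil
    end
    return string.lower(domain)
end

-- Meta callback for email.src: register the sender's domain.
function EmailDomainFromEmail:onEmailSrc(index, metaValue)
    local domain = domainOf(metaValue)
    if domain then
        nw.createMeta(self.keys["emaildomain.src"], domain)
    end
end

-- Meta callback for email.dst: register the recipient's domain.
function EmailDomainFromEmail:onEmailDst(index, metaValue)
    local domain = domainOf(metaValue)
    if domain then
        nw.createMeta(self.keys["emaildomain.dst"], domain)
    end
end

-- Fire the callbacks whenever email.src / email.dst meta is created.
EmailDomainFromEmail:setCallbacks({
    [nwlanguagekey.create("email.src")] = EmailDomainFromEmail.onEmailSrc,
    [nwlanguagekey.create("email.dst")] = EmailDomainFromEmail.onEmailDst,
})
```

With emaildomain.src populated, the "external senders" report the thread asks for is a reporting rule grouped on emaildomain.src whose condition excludes the company's own domain (for the example in the original question, everything where emaildomain.src is not indiapalace.com), with the event count per value giving the number of emails received from each outside domain.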
2014-08-19 12:16 AM
Hello,
Actually the domain.src and domain.dst are not suitable in this case, because I want to identify the emaildomain.src and emaildomain.dst.
Thanks for suggesting creating new custom meta keys such as emaildomain.src and emaildomain.dst.
I want to capture the total number of emails being sent from the emaildomain.src and emaildomain.dst, so according to it I will create a report.
And yes, I am referring to the Exchange server logs in my environment.
Please explain this:
Can you provide some information on the email meta keys and values available in one of these (log) events or (packet) sessions?
In this, what can I provide you? Please suggest.
And also suggest how we can create a custom meta key and parser for emaildomain.src and emaildomain.dst.
Thanks in advance.
Deepanshu Sood.
2014-09-02 08:36 AM
Hello Hans,
I have solved the issue of emaildomain.src and emaildomain.dst.
I have these new meta keys on my concentrator and am able to filter the email domains through reporting.
But now I have another concern regarding some new meta keys.
I want to see when the log is created and when the log is collected, so for this I have added two new meta keys by the name of generation.time and collection.time, but still I am not able to get any data into them.
Please suggest how I can get this kind of data into these meta keys.
Like I have a Windows server integrated with my SA, so I want to see when the actual log was created and when the same log was collected by SA, in their respective meta keys.
Hope you have understood my requirement. Can we also get the same kind of lua parser for this kind of data from you? Please suggest.
Thanks to you in advance.
Regards,
Deepanshu Sood.