I noticed today that some of my emails have host information that is
being parsed from the message body. I just want to know if this is a bug
or a feature. For example the sender includes alternate email addresses
in their signature and because of the f...

We are seeing a large number of phishing emails that have pretty
predictable content in the body of the message. I was thinking about
creating a parser to handle some of the more pervasive messages. My
first cut is messages where, for example, the e...

We have had several phishing campaigns that have UTF-8 sections of the
email subject or email address. For example I have a message with the
subject that comes in as "=?UTF-8?Q?Data_is_pointing_toward=E2=80=A6?="
and the meta key is displayed as subj...

We are capturing email delivery from our Ironport ESA inbound to
Exchange and the messages are bulk delivered by IronPort. We noticed
that when there are a number of large messages in a single bulk, meta
is generated for only the first one or two...

I decrypt traffic from my Palo Alto firewall and send it to a capture
port. The destination ports do not get changed, so Netwitness is setting
some meta values that become kind of useless for us. The parsers
correctly handle the traffic as service = ...

Thanks for the reply. I don't doubt that the format of the command is
wrong. I added the commas in the HTTPS section sans any real examples to
work from; I guessed. Unfortunately with or without the commas and even
a hybrid fashion with no commas in ...

Dave, thanks for your help. The CEF logs from the CMS seem to be lacking
the timestamp and other information in the header so they are not being
identified correctly as CEF. You helped me get started with a version of
a parser for LEEF formatted logs...

The CEF log parser is enabled. The CMS supports CEF, LEEF, CSV, TEXT,
JSON, XML. I assumed that with the CEF parser and the cef-custom.xml it
would be easiest to get CEF working the way I want. When I use LEEF, the
messages are parsed as fireeyewebmp...