AnsweredAssumed Answered

Wants To Check The Foreign Email Domain Details

Question asked by Deepanshu Sood on Aug 12, 2014
Latest reply on Sep 2, 2014 by Deepanshu Sood

Like • Show 0 Likes0
Comment • 7

Hello All,

Actually I want to create a report in which I can see that from how many different email domains I am getting the how many number of emails.

Like I have my company's email domain by the name of @indiapalace.com from where I am sending the emails and receiving the same.

So what I want is to know in RSA Security Analytics reporting is that from how many foreign or outside email domains I am getting the emails with their respective numbers of emails I received on the @indiapalace.com email domain.

This is all the what I want to see the details in my report.

Kindly suggest, if anyone have the idea for the same.

I am waiting for your response.

Thanks to everyone in advance.

No one else has this question

Outcomes

7 Replies

Hans Lorentzon

Aug 14, 2014 4:49 AM

One approach is to have a post-processing parser that extracts the domain (after the @) from the email.src/email.dst meta values and put it into new (or existing) meta keys (e.g. domain.src/domain.dst). See below for some prototypes of such parsers in lua.

And then use the latter meta keys for the reports.

Hope this helps!

/Hans

DomainSrcFromEmailSrc-v1.1.lua
local DomainSrcFromEmailSrc = nw.createParser("DomainSrcFromEmailSrc", "This extracts the domain from the email.src") ---Version 1.1 updated on 2014-08-12 function DomainSrcFromEmailSrc:extractDomain(index, metaValue) -- find the '@' in the email local num_temp = string.find(metaValue, "@") -- make sure that a '@' character was found if num_temp ~= nil then -- move to the position where the domain part starts num_temp = num_temp + 1 -- read domain part (sub string up to the end of the line) local string_temp = string.sub(metaValue, num_temp, string.len(metaValue)) -- make sure the read succeeded if string_temp ~= nil then -- register what was read as domain.src meta nw.createMeta(self.keys["domain.src"], string_temp) end end end -- declare "meta keys" DomainSrcFromEmailSrc:setKeys({ nwlanguagekey.create("domain.src"), }) -- declare a meta-callback for when email.src meta is created DomainSrcFromEmailSrc:setCallbacks({ [nwlanguagekey.create("email.src")] = DomainSrcFromEmailSrc.extractDomain, })

DomainSrcFromEmailSrc-v1.1.lua

local DomainSrcFromEmailSrc = nw.createParser("DomainSrcFromEmailSrc", "This extracts the domain from the email.src")

---Version 1.1 updated on 2014-08-12

function DomainSrcFromEmailSrc:extractDomain(index, metaValue)

-- find the '@' in the email

local num_temp = string.find(metaValue, "@")

-- make sure that a '@' character was found

if num_temp ~= nil then

-- move to the position where the domain part starts

num_temp = num_temp + 1

-- read domain part (sub string up to the end of the line)

local string_temp = string.sub(metaValue, num_temp, string.len(metaValue))

-- make sure the read succeeded

if string_temp ~= nil then

-- register what was read as domain.src meta

nw.createMeta(self.keys["domain.src"], string_temp)

end

-- declare "meta keys"

DomainSrcFromEmailSrc:setKeys({

nwlanguagekey.create("domain.src"),

})

-- declare a meta-callback for when email.src meta is created

DomainSrcFromEmailSrc:setCallbacks({

[nwlanguagekey.create("email.src")] = DomainSrcFromEmailSrc.extractDomain,

})

DomainDstFromEmailDst-v1.1.lua
local DomainDstFromEmailDst = nw.createParser("DomainDstFromEmailDst", "This extracts the domain from the email.dst") ---Version 1.1 updated on 2014-08-12 function DomainDstFromEmailDst:extractDomain(index, metaValue) -- find the '@' in the email local num_temp = string.find(metaValue, "@") -- make sure that a '@' character was found if num_temp ~= nil then -- move to the position where the domain part starts num_temp = num_temp + 1 -- read domain part (sub string up to the end of the line) local string_temp = string.sub(metaValue, num_temp, string.len(metaValue)) -- make sure the read succeeded if string_temp ~= nil then -- register what was read as domain.dst meta nw.createMeta(self.keys["domain.dst"], string_temp) end end end -- declare "meta keys" DomainDstFromEmailDst:setKeys({ nwlanguagekey.create("domain.dst"), }) -- declare a meta-callback for when email.dst meta is created DomainDstFromEmailDst:setCallbacks({ [nwlanguagekey.create("email.dst")] = DomainDstFromEmailDst.extractDomain, })

DomainDstFromEmailDst-v1.1.lua

local DomainDstFromEmailDst = nw.createParser("DomainDstFromEmailDst", "This extracts the domain from the email.dst")

---Version 1.1 updated on 2014-08-12

function DomainDstFromEmailDst:extractDomain(index, metaValue)

-- find the '@' in the email

local num_temp = string.find(metaValue, "@")

-- make sure that a '@' character was found

if num_temp ~= nil then

-- move to the position where the domain part starts

num_temp = num_temp + 1

-- read domain part (sub string up to the end of the line)

local string_temp = string.sub(metaValue, num_temp, string.len(metaValue))

-- make sure the read succeeded

if string_temp ~= nil then

-- register what was read as domain.dst meta

nw.createMeta(self.keys["domain.dst"], string_temp)

end

-- declare "meta keys"

DomainDstFromEmailDst:setKeys({

nwlanguagekey.create("domain.dst"),

})

-- declare a meta-callback for when email.dst meta is created

DomainDstFromEmailDst:setCallbacks({

[nwlanguagekey.create("email.dst")] = DomainDstFromEmailDst.extractDomain,

})

Actions

Deepanshu Sood @ Hans Lorentzon on Aug 14, 2014 5:32 AM
Mark Correct
Correct Answer
Hello Lorentzon,

Thanks for sharing this.

Please suggest step-by-step how I can use it and deploy the same in RSA Security Analytics as well, so in my reporting I can create a report based on the email domain.

I hope you understand my need that what I am looking for.

Regards,

Deepanshu Sood.
Like • Show 0 Likes0
Actions
- Hans Lorentzon @ Deepanshu Sood on Aug 14, 2014 7:51 AM
  Mark Correct
  Correct Answer
  First create the parser files (with extension .lua) on your local machine from which you use the browser to connect to the SA GUI.
  
  In the Security Analytics menu, select Administration > Devices.
  In the Device grid, select the Decoder or Log Decoder device.
  In the toolbar, select View > Config.
  Select the Parsers tab and then select Upload. The “Upload Parsers” dialogue window will pop up.
  Click the ‘+’ to browse and choose parser files to upload.
  Select the Upload button to upload your parser(s).
  
  The parsers should automatically be loaded and for any new captured and/or ingested data that already created email.src/email.dst meta values there will also be the domain.src/domain.dst meta values.
  
  Now the domain.src/domain.dst meta will be available to be used in a reporting rule.
  
  Hope this helps!
  
  /Hans
  Like • Show 1 Like1
  Actions
  - Deepanshu Sood @ Hans Lorentzon on Aug 14, 2014 9:12 AM
    Mark Correct
    Correct Answer
    Hello
    
    Thanks Hans for all your efforts.
    But the domain.src and domain.dst are already by default available in the SA while at first time.
    What I want is that whatever the emails I am receiving from the different email domains on our internal email server, I can get the list of those email domains and also the number of emails I received from the foreign email domain servers.
    So that I can identify that, suppose I have internal email domain by the name of
    
    @patern.com , then I can check the total numbers of emails I received from outside the email domains and with the numbers of email as well.
    
    The parser you suggested is totally right to identify the domain source and destination only but here we want to identify the domain in the reference to emails we received from the external email domains.
    
    I hope you understand what I am trying to say.
    
    If it will be possible to create a parser which can segregate the foreign email domain and with the number of email from there, then this will help us a lot to identify and create a rule accordingly.
    
    Regards,
    Deepanshu Sood.
    Like • Show 0 Likes0
    Actions

Hans Lorentzon Aug 18, 2014 6:43 AM
Mark Correct
Correct Answer
If the OOTB meta keys domain.src and domain.dst are not suitable in your environment, you can add new custom meta keys such as emaildomain.src and emaildomain.dst (to the "index-concentrator-custom.xml" file) and modify the lua parsers accordingly.

Perhaps I've missed something in your descriptions, but what information are your capturing that contain the from and to email addresses? Is this logs from an exchange server or packets/sessions from the incoming traffic to a mail server?
Can you provide some information on the email meta keys and values available in one of these (log) events or (packet) sessions?

/Hans
Like • Show 0 Likes0
Actions
- Deepanshu Sood @ Hans Lorentzon on Aug 19, 2014 12:16 AM
  Mark Correct
  Correct Answer
  Hello,
  
  Actually the domain.src and domain.dst are not suitable in this case, because I want to identify the emaildomain.src and emaildomain.dst.
  Thanks for suggesting to create a new custom meta such as like emaildomain.src and emaildomain.dst.
  I want to capture the total numbers of emails which is being shoot from the emaildomain.src and emaildomain.dst, so according to it I will create a report.
  And yes I am referring to the exchange server logs in my environment.
  
  Please explain this:
  Can you provide some information on the email meta keys and values available in one of these (log) events or (packet) sessions?
  
  In this what I can provide you, please suggest.
  
  And also suggest how we can create a custom meta and parser for emaildomain.src and emaildomain.dst.
  
  Thanks in advance.
  
  Deepanshu Sood.
  Like • Show 0 Likes0
  Actions
  - Deepanshu Sood @ Deepanshu Sood on Sep 2, 2014 8:36 AM
    Mark Correct
    Correct Answer
    Hello Hans,
    
    I have solved the issue of emaildomain.src and emaildomain.dst.
    I have these new meta keys on my concentrator and able to filter the emaildomains thru reporting.
    
    But now I have another concern regarding some new meta keys.
    I want to see that when the log is created and when the log is collected, so for this I have added two new meta keys
    by the name of generation.time and collection.time, but still I am not able to get any data into it.
    
    Please suggest how I can get this kind of data in these meta keys.
    
    Like I have a windows server integrated with my SA, so I want to see when the actual log was created and when was the same log being collected by SA in their respective meta keys.
    
    Hope you have understand my requirement. Can we also get the same lua parser for this kind of data from you, please suggest.
    
    Thanks to you in advance.
    
    Regards,
    Deepanshu Sood.
    Like • Show 0 Likes0
    Actions

Wants To Check The Foreign Email Domain Details

Outcomes

Related Content

Recommended Content