cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
r_gine
Level 9
Report Inappropriate Content
Message 1 of 4

ESM Data Enrichment - E-mail Recipient (Internal)

    I'm trying to setup data enrichment so that I can better correlate e-mail events (based on the 'To' address from our McAfee E-mail Gateway Logs) to potentially suspicious or malicious proxy traffic.

EXAMPLE: An e-mail sent to <employee.name@ourcompany.com> gets an e-mail. (let's say I'm already correlating potentially suspicious elements within the e-mail so I know that the email has a suspicious element (say word document with a macro).

15 minutes later I detect that user (not their email address but their user ID) connecting to a malware site as categorized by our web proxy.

The issue that I have currently is that I cannot associate the employee's e-mail activity with their host event activity (A/V Detection, Proxy alert for suspicious/malicious connection).

When I try to setup Data Enrichment for this i'm not able to use the 'To' field from the Mcafee Email Gateway to do the enrichment (that field doesn't show up in the enrich source and destination field options).

3 Replies

Re: ESM Data Enrichment - E-mail Recipient (Internal)

I am alos facing the same issue.

Reliable Contributor David1111
Reliable Contributor
Report Inappropriate Content
Message 3 of 4

Re: ESM Data Enrichment - E-mail Recipient (Internal)

  1. Select System Properties/Data Enrichement, and click Add to create a new Data Enrichment.
  2. From the Data Enrichment Property of the ESM add a new data enrichment.
    1. Set the Lookup Type to String.
    2. Set the Enrichment Type to String.
    3. The Pull Frequency should be no more frequent then daily unless the local AD environment is updated much more frequently.
  3. Define the Active Directory (or LDAP) Source.  The username and password supplied must have read access to user objects in AD.
  4. Create the Query.
    1. The Lookup Attribute is sAMAccountName.
    2. The Enrichment Attribute is userPrincipalName or USERID@DOMAIN.
    3. The simplest query would be (objectClass=user).  This query will return a list of all objects in AD which are classified as a user.  More complex queries can be used if a limited or different set of results is desired.
    4. A test of the above query returns the following details. The test function only returns a maximum of 5 values, regardless of the number of actual entries.  Click Next> once the query succeeds.

  5. Add a Destination.
    1. Click Add.
    2. Select an event source or sources for events that are to be enriched.  As a suggestion, select your MS Windows data sources.
    3. Select the Lookup Field. In this case it will be the Source User field. The lookup field is the value that exists in the event, which we will use as the index for our lookup.
    4. Select the Enrichment Field.  The Enrichment Field is the field where the enrichment value will be written to.  A good option here might be Mailbox or Mail ID.
  6. Click Finish to save.  Once the enrichment is complete, write the enrichment setting.
  7. After the enrichment settings are written to the devices, you must select Run Now or the enrichment values will not be retrieved from the data source until the ‘Daily Trigger Time’ value set in step 1 is reached.
Reliable Contributor David1111
Reliable Contributor
Report Inappropriate Content
Message 4 of 4

Re: ESM Data Enrichment - E-mail Recipient (Internal)

is it Working ?!

Best regards.

ePO Support Center Plug-in
Check out the new ePO Support Center. Simply access the ePO Software Manager and follow the instructions in the Product Guide for the most commonly used utilities, top known issues announcements, search the knowledgebase for product documentation, and server status and statistics – all from within ePO.