Message 1 of 4

ESM Data Enrichment - E-mail Recipient (Internal)

I'm trying to set up data enrichment so that I can better correlate e-mail events (based on the 'To' address from our McAfee E-mail Gateway logs) to potentially suspicious or malicious proxy traffic.

EXAMPLE: An e-mail sent to <> gets an e-mail. (Let's say I'm already correlating potentially suspicious elements within the e-mail, so I know that the e-mail has a suspicious element, say a Word document with a macro.)

15 minutes later I detect that user (not their e-mail address but their user ID) connecting to a malware site as categorized by our web proxy.

The issue I currently have is that I cannot associate the employee's e-mail activity with their host event activity (A/V detection, proxy alert for a suspicious/malicious connection).

When I try to set up Data Enrichment for this, I'm not able to use the 'To' field from the McAfee Email Gateway to do the enrichment (that field doesn't show up in the enrichment source and destination field options).

3 Replies

Re: ESM Data Enrichment - E-mail Recipient (Internal)

I am also facing the same issue.

Reliable Contributor
Message 3 of 4

Re: ESM Data Enrichment - E-mail Recipient (Internal)

  1. Select System Properties/Data Enrichment, and click Add to create a new Data Enrichment.
  2. From the Data Enrichment property of the ESM, add a new data enrichment.
    1. Set the Lookup Type to String.
    2. Set the Enrichment Type to String.
    3. The Pull Frequency should be no more frequent than daily unless the local AD environment is updated much more frequently.
  3. Define the Active Directory (or LDAP) source. The username and password supplied must have read access to user objects in AD.
  4. Create the Query.
    1. The Lookup Attribute is sAMAccountName.
    2. The Enrichment Attribute is userPrincipalName, or USERID@DOMAIN.
    3. The simplest query would be (objectClass=user). This query will return a list of all objects in AD which are classified as a user. More complex queries can be used if a limited or different set of results is desired.
    4. A test of the above query returns the following details. The test function only returns a maximum of 5 values, regardless of the number of actual entries. Click Next> once the query succeeds.

  5. Add a Destination.
    1. Click Add.
    2. Select an event source or sources for events that are to be enriched. As a suggestion, select your MS Windows data sources.
    3. Select the Lookup Field. In this case it will be the Source User field. The lookup field is the value that exists in the event, which we will use as the index for our lookup.
    4. Select the Enrichment Field. The Enrichment Field is the field where the enrichment value will be written to. A good option here might be Mailbox or Mail ID.
  6. Click Finish to save. Once the enrichment is complete, write the enrichment settings.
  7. After the enrichment settings are written to the devices, you must select Run Now, or the enrichment values will not be retrieved from the data source until the 'Daily Trigger Time' value set in step 1 is reached.
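The procedure above maps the user ID present in Windows and proxy events (sAMAccountName) to the address present in the e-mail gateway's 'To' field (userPrincipalName), so the two can be joined on the enriched Mailbox field rather than on the 'To' field the original poster could not select. The following Python script is an added, offline illustration of that pipeline, not ESM code and not from the reply's author: the directory entries and events are constructed, the field names (source_user, mailbox, to_address, rule) are assumptions, and it goes one step beyond the reply by showing why a bare (objectClass=user) filter also returns computer accounts in AD (the computer class inherits from user) and how (&(objectCategory=person)(objectClass=user)) excludes them.

```python
"""Offline walkthrough of the sAMAccountName -> userPrincipalName enrichment
and the e-mail-to-proxy correlation it enables. Added illustration only; the
directory, events and field names are constructed assumptions, not ESM's."""
from datetime import datetime, timedelta

# Constructed stand-in for the LDAP source. The computer account is included
# on purpose: in AD the computer class inherits from user, so a bare
# (objectClass=user) filter matches it too. Computer objects normally carry
# no userPrincipalName.
DIRECTORY = [
    {"sAMAccountName": "jdoe", "userPrincipalName": "jdoe@corp.example",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "objectCategory": "CN=Person,CN=Schema,CN=Configuration,DC=corp,DC=example"},
    {"sAMAccountName": "asmith", "userPrincipalName": "asmith@corp.example",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "objectCategory": "CN=Person,CN=Schema,CN=Configuration,DC=corp,DC=example"},
    {"sAMAccountName": "WS-0042$", "userPrincipalName": None,
     "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
     "objectCategory": "CN=Computer,CN=Schema,CN=Configuration,DC=corp,DC=example"},
]


def objectclass_user(entry):
    """The reply's (objectClass=user) filter."""
    return "user" in entry["objectClass"]


def person_user(entry):
    """(&(objectCategory=person)(objectClass=user)): drops computer objects."""
    return entry["objectCategory"].upper().startswith("CN=PERSON,") and objectclass_user(entry)


def matching_accounts(entries, ldap_filter):
    """sAMAccountNames an LDAP filter would return; used to compare the two filters."""
    return sorted(e["sAMAccountName"] for e in entries if ldap_filter(e))


def build_lookup(entries, ldap_filter, lookup_attr="sAMAccountName",
                 enrich_attr="userPrincipalName"):
    """Mirror of the Lookup/Enrichment attribute pair. AD matches sAMAccountName
    case-insensitively, so keys are lower-cased; entries without a value for
    the enrichment attribute are skipped (nothing to write)."""
    return {e[lookup_attr].lower(): e[enrich_attr]
            for e in entries if ldap_filter(e) and e.get(enrich_attr)}


def normalise_user(raw):
    """Reduce 'CORP\\jdoe', 'jdoe@corp.example' or 'JDOE' to 'jdoe'.
    Assumption: event sources present the user in one of these three forms."""
    user = raw.rsplit("\\", 1)[-1]
    return user.split("@", 1)[0].lower()


def enrich(events, table, lookup_field="source_user", enrich_field="mailbox"):
    """Step 5: look up the event's Source User and write the UPN into Mailbox."""
    enriched = []
    for ev in events:
        ev = dict(ev)
        ev[enrich_field] = table.get(normalise_user(ev.get(lookup_field, "")))
        enriched.append(ev)
    return enriched


def correlate(mail_events, enriched_events, window=timedelta(minutes=15)):
    """Pair a gateway 'To' address with a later host/proxy event carrying the
    same enriched mailbox, within the window. Returns (address, source, rule, delay)."""
    hits = []
    for m in mail_events:
        for h in enriched_events:
            if h["mailbox"] and h["mailbox"].lower() == m["to_address"].lower():
                delay = h["time"] - m["time"]
                if timedelta(0) <= delay <= window:
                    hits.append((m["to_address"], h["source"], h["rule"], delay))
    return hits


T0 = datetime(2015, 3, 10, 9, 0, 0)
# Constructed e-mail gateway event: recipient is an address, not a user ID.
MAIL_EVENTS = [
    {"time": T0, "to_address": "jdoe@corp.example", "attachment": "invoice.docm"},
]
# Constructed proxy events: the user is a Windows ID, in varying formats.
HOST_EVENTS = [
    {"time": T0 + timedelta(minutes=14), "source": "web_proxy",
     "source_user": "CORP\\jdoe", "rule": "Malicious Sites"},
    {"time": T0 + timedelta(minutes=3), "source": "web_proxy",
     "source_user": "asmith", "rule": "Malicious Sites"},
    {"time": T0 + timedelta(minutes=40), "source": "web_proxy",
     "source_user": "JDOE", "rule": "Malicious Sites"},  # outside the window
]


def run():
    """Build the lookup with the person-only filter, enrich, then correlate."""
    table = build_lookup(DIRECTORY, person_user)
    return correlate(MAIL_EVENTS, enrich(HOST_EVENTS, table))


if __name__ == "__main__":
    print("objectClass=user returns:", matching_accounts(DIRECTORY, objectclass_user))
    print("person-only filter returns:", matching_accounts(DIRECTORY, person_user))
    for hit in run():
        print("%s received a macro document, then %s hit %r after %s" % hit)
```

Only the jdoe proxy event 14 minutes after the e-mail is reported; the asmith event has a different mailbox and the second jdoe event falls outside the 15-minute window. The normalisation step matters in practice because ESM's string lookup is an exact match, so a Source User of CORP\jdoe will not hit an sAMAccountName key of jdoe unless one side is normalised.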
Reliable Contributor
Message 4 of 4

Re: ESM Data Enrichment - E-mail Recipient (Internal)

Is it working?!

Best regards.
