I'm trying to setup data enrichment so that I can better correlate e-mail events (based on the 'To' address from our McAfee E-mail Gateway Logs) to potentially suspicious or malicious proxy traffic.
EXAMPLE: An e-mail sent to <firstname.lastname@example.org> gets an e-mail. (let's say I'm already correlating potentially suspicious elements within the e-mail so I know that the email has a suspicious element (say word document with a macro).
15 minutes later I detect that user (not their email address but their user ID) connecting to a malware site as categorized by our web proxy.
The issue that I have currently is that I cannot associate the employee's e-mail activity with their host event activity (A/V Detection, Proxy alert for suspicious/malicious connection).
When I try to setup Data Enrichment for this i'm not able to use the 'To' field from the Mcafee Email Gateway to do the enrichment (that field doesn't show up in the enrich source and destination field options).
Re: ESM Data Enrichment - E-mail Recipient (Internal)
SelectSystem Properties/Data Enrichement, and clickAddto create a new Data Enrichment.
From the Data Enrichment Property of the ESM add a new data enrichment.
Set the Lookup Type toString.
Set the Enrichment Type toString.
The Pull Frequency should be no more frequent then daily unless the local AD environment is updated much more frequently.
Define the Active Directory (or LDAP) Source. The username and password supplied must have read access to user objects in AD.
Create the Query.
The Lookup Attribute issAMAccountName.
The Enrichment Attribute isuserPrincipalName or USERID@DOMAIN.
The simplest query would be(objectClass=user). This query will return a list of all objects in AD which are classified as a user. More complex queries can be used if a limited or different set of results is desired.
A test of the above query returns the following details. The test function only returns a maximum of 5 values, regardless of the number of actual entries. ClickNext>once the query succeeds.
Add a Destination.
Select an event source or sources for events that are to be enriched. As a suggestion, select your MS Windows data sources.
Select the Lookup Field. In this case it will be the Source User field. The lookup field is the value that exists in the event, which we will use as the index for our lookup.
Select the Enrichment Field. The Enrichment Field is the field where the enrichment value will be written to. A good option here might be Mailbox or Mail ID.
ClickFinishto save. Once the enrichment is complete, write the enrichment setting.
After the enrichment settings are written to the devices, you must selectRun Nowor the enrichment values will not be retrieved from the data source until the ‘Daily Trigger Time’ value set in step 1 is reached.