I'm trying to setup data enrichment so that I can better correlate e-mail events (based on the 'To' address from our McAfee E-mail Gateway Logs) to potentially suspicious or malicious proxy traffic.
EXAMPLE: An e-mail sent to <email@example.com> gets an e-mail. (let's say I'm already correlating potentially suspicious elements within the e-mail so I know that the email has a suspicious element (say word document with a macro).
15 minutes later I detect that user (not their email address but their user ID) connecting to a malware site as categorized by our web proxy.
The issue that I have currently is that I cannot associate the employee's e-mail activity with their host event activity (A/V Detection, Proxy alert for suspicious/malicious connection).
When I try to setup Data Enrichment for this i'm not able to use the 'To' field from the Mcafee Email Gateway to do the enrichment (that field doesn't show up in the enrich source and destination field options).