I have the following situation: I have integrated SIEM with an Ironmail and I received the event "SMTPO Service".
I would like to change the parsing for this event in order to identify a field, but I can't find the ASP Rule that generates this particular Data Source.
This is the Data Source
But I don't know which Advanced Syslog Parser rule generates the Data Source.
In other cases it is easy because the parse rule has the same name as the data source, but in this case I don't have a clue how to relate one to another.
Thanks for the help.
Under the Advanced Syslog Parser - filter for the Iron Mail Legacy Parser.
You can copy the packet data and run it through one of the parsers available to see if it is being parsed out. Or copy one of them and modify it to your requirement to have the data parsed out.
Hope this helps.