SIEM/SOAR
MetaDefender™ Cloud Email Security allows integration with external SIEM/SOAR systems. Follow the steps below to configure a provider.
Supported Integrations
Elasticsearch
Use this option to forward events directly to an Elasticsearch cluster.
Configuration Steps
Select Elasticsearch under Service Selection.
Endpoint URL: enter the Elasticsearch endpoint, for example https://<host>:9200
Authentication Type: select Basic Authentication.
Authentication Details
- Username: Enter the Elasticsearch username.
- Password: Enter the corresponding password.
Basic Authentication sends these credentials with every request, so use an https:// endpoint, and prefer a dedicated Elasticsearch user with write access limited to the target index over a shared administrative account.
Event Filters
Enable Send Events to forward events.
Select one or more Statuses, such as:
- Closed Without Action
- Deleted
- Delivered
- Failed to Deliver
- Investigating
- Quarantined
- Released
- Rescanning
Select one or more Verdicts, such as:
- Malicious
- Suspicious
- Sanitized
- No threat detected
- Encrypted content
- Unsupported file type
- Failure to analyze
- Skipped
- Sanitization policy error
Audit Log Filters
- Enable Send Audit Logs to forward administrative activity.
- Select Event Types, such as:
  - Authentication
  - Configuration
Click Save Changes to apply the configuration.
Generic HTTP
Use this option to forward events to a custom HTTP endpoint or third-party SIEM/SOAR service.
Configuration Steps
Select HTTP under Service Selection.
Endpoint URL: enter the destination service endpoint, for example https://<host>:8080
API Key: specify the API key required by the destination service.
Event Filters
- Enable Send Events to forward events.
- Configure Status and Verdict filters as needed.
Audit Log Filters
- Enable Send Audit Logs to forward audit events.
- Select relevant Event Types (for example, Authentication or Configuration).
Click Save Changes to apply the configuration.
JSON Output Reference
Common Fields
| Field | Description |
|---|---|
| eventId | Unique identifier for this event instance. |
| correlationId | Identifier used to correlate this event with other related events across systems. |
| source | Originating system that generated the event (e.g., MDCES). |
| timestamp | ISO 8601 timestamp indicating when the event was generated. |
| tenantId | Identifier for the tenant/customer associated with the event. |
| eventType | High-level category of the event. |
| message | Human-readable summary of the event outcome. |
| userId | User or system responsible for triggering the event. |
Event Fields
Processing Details
| Field | Description |
|---|---|
| details/messageId | Unique identifier of the processed email. |
| details/integrationId | Identifier of the integration handling the message. |
| details/processingId | Unique ID for this processing execution. |
| details/policyId | Identifier of the policy applied. |
| details/timestamp | Time when processing was logged. |
| details/messageStatus | Final delivery status of the message. |
| details/quarantineStatus | Indicates whether the message was quarantined. |
| details/policyName | Human-readable name of the applied policy. |
| details/reason | Reason for quarantine or action taken. |
| details/processingTimeMs | Total processing time in milliseconds. |
Metadata
| Field | Description |
|---|---|
| details/emailMetaData/sentTimestamp | Time the email was sent. |
| details/emailMetaData/receivedTimestamp | Time the email was received. |
| details/emailMetaData/senderIp | IP address of the sending mail server. |
| details/emailMetaData/sender | SMTP sender (envelope MAIL FROM). |
| details/emailMetaData/from | From: header. |
| details/emailMetaData/to | To: header. |
| details/emailMetaData/cc | Cc: header. |
| details/emailMetaData/recipients | SMTP recipients (envelope RCPT TO). |
| details/emailMetaData/subject | Email subject line. |
| details/emailMetaData/size | Email size in bytes. |
| details/emailMetaData/emailDirection | Direction of email flow (Inbound/Outbound). |
| details/emailMetaData/senderDomain | Sending mail server domain. |
| details/emailMetaData/emailHeaderMessageId | Message-ID from email headers. |
Overall Scan Result
| Field | Description |
|---|---|
| details/scanResult/overallVerdict | Final verdict after all scans. |
| details/scanResult/scanDuration | Total scan time in milliseconds. |
| details/scanResult/verdict | Normalized verdict value. |
| details/scanResult/severity | Severity level of detected threats. |
| details/scanResult/scanResultEngines/totalEngines | Number of scanning engines used. |
| details/scanResult/scanResultEngines/detectedEngines | Number of engines that detected a threat. |
Parts
| Field | Description |
|---|---|
| details/emailParts/fileId | Unique identifier for the email part. |
| details/emailParts/data/fileName | Name/path of the file. |
| details/emailParts/data/contentType | Body or Attachment. |
| details/emailParts/data/sha256 | SHA-256 file hash. |
| details/emailParts/data/size | File size in bytes. |
| details/emailParts/data/partId | Message structure identifier. |
| details/emailParts/data/contentId | Content-ID header value. |
| details/emailParts/data/fileType | File extension/type. |
| details/emailParts/data/fileTypeDescription | Human-readable file type. |
| details/emailParts/scanResult/dataId | Internal scanning system identifier. |
| details/emailParts/scanResult/threatDetectionResult | Threat detection outcome. |
| details/emailParts/scanResult/deepCdrResult | CDR processing result. |
| details/emailParts/scanResult/fileVerdict | Final verdict for the file. |
Audit History
| Field | Description |
|---|---|
| details/auditHistory/type | Type of audit event. |
| details/auditHistory/timestamp | Time the audit event occurred. |
| details/auditHistory/description | Description of the audit event. |
| details/auditHistory/sender | Sender involved in the audit event. |
| details/auditHistory/to | Recipients involved in the audit event. |
Audit Fields
| Field | Description |
|---|---|
| timestamp | Time when the audited action occurred. |
| referencedObject | Type of object affected by the action (e.g., POLICY). |
| operationType | Operation performed on the referenced object (e.g., UPDATE). |
| eventType | Category of audit event (e.g., CONFIGURATION). |
| referenceId | Identifier of the specific object that was modified. |
Connection Test Fields
| Field | Description |
|---|---|
| test | Always 'true'. |
| timestamp | Time when the test was logged. |
| message | Always 'Test connection from MDCES'. |
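The receiving side of the Generic HTTP integration described above, written against the field names in this JSON Output Reference: it checks the API key, recognises the connection-test payload so a test does not become a false alert, and reduces event and audit records to what an analyst pivots on. This is an added example, not OPSWAT code and not the product's own API. It assumes the configured API key arrives in an `X-API-Key` request header (the page does not name the header; confirm with a connection test), that the slash-separated paths map onto nested JSON objects, that `details/emailParts` is a list of parts, and that verdict and status values use the same wording as the UI labels (compared case-insensitively). All sample payloads are constructed, not captured output.

```python
"""MDCES SIEM/SOAR receiver logic: API-key check, record classification and triage.

Added example, not OPSWAT code. Labelled assumptions: X-API-Key header carries the
configured key; field paths map onto nested JSON; details/emailParts is a list;
verdict/status values match the UI labels. Sample payloads below are constructed.
"""
import hmac
import json
from typing import Any, Dict, Tuple

# Event Filter labels that should raise an alert on the receiving side.
ALERT_VERDICTS = {"malicious", "suspicious"}
ALERT_STATUSES = {"quarantined", "failed to deliver"}


def check_api_key(headers: Dict[str, str], expected_key: str) -> bool:
    """Constant-time comparison of the presented key against the configured one."""
    presented = next((v for k, v in headers.items() if k.lower() == "x-api-key"), "")
    return hmac.compare_digest(presented.encode(), expected_key.encode())


def classify(record: Dict[str, Any]) -> str:
    """Tell the three documented payload shapes apart by their distinctive fields."""
    if record.get("test") in (True, "true") and "details" not in record:
        return "connection_test"  # Connection Test Fields: test is always true
    if "referencedObject" in record and "operationType" in record:
        return "audit"            # Audit Fields
    if isinstance(record.get("details"), dict):
        return "event"            # Event Fields
    return "unknown"


def _norm(value: Any) -> str:
    return str(value or "").strip().lower()


def triage_event(record: Dict[str, Any]) -> Dict[str, Any]:
    """Flatten the pivot fields of a processing event and decide whether to alert."""
    details = record["details"]
    meta = details.get("emailMetaData", {})
    scan = details.get("scanResult", {})
    engines = scan.get("scanResultEngines", {})
    parts = details.get("emailParts", [])
    if isinstance(parts, dict):   # tolerate a single part object instead of a list
        parts = [parts]
    verdict = scan.get("overallVerdict") or scan.get("verdict")
    status = details.get("messageStatus")
    flagged_parts = [
        {"fileName": p.get("data", {}).get("fileName"),
         "sha256": p.get("data", {}).get("sha256"),
         "fileVerdict": p.get("scanResult", {}).get("fileVerdict")}
        for p in parts if _norm(p.get("scanResult", {}).get("fileVerdict")) in ALERT_VERDICTS
    ]
    return {
        "eventId": record.get("eventId"), "correlationId": record.get("correlationId"),
        "tenantId": record.get("tenantId"), "messageId": details.get("messageId"),
        "headerMessageId": meta.get("emailHeaderMessageId"),
        "direction": meta.get("emailDirection"), "sender": meta.get("sender"),
        "senderIp": meta.get("senderIp"), "recipients": meta.get("recipients"),
        "subject": meta.get("subject"), "verdict": verdict, "status": status,
        "reason": details.get("reason"),
        "detectedEngines": engines.get("detectedEngines"), "totalEngines": engines.get("totalEngines"),
        "flaggedParts": flagged_parts,
        "alert": _norm(verdict) in ALERT_VERDICTS or _norm(status) in ALERT_STATUSES,
    }


def triage_audit(record: Dict[str, Any]) -> Dict[str, Any]:
    """Keep the who/what/when of an administrative change."""
    return {k: record.get(k) for k in
            ("timestamp", "userId", "eventType", "operationType", "referencedObject", "referenceId")}


def handle_request(headers: Dict[str, str], body: bytes, expected_key: str) -> Tuple[int, Dict[str, Any]]:
    """Process one forwarded POST body; returns (HTTP status, response or triage record)."""
    if not check_api_key(headers, expected_key):
        return 401, {"error": "invalid API key"}
    try:
        record = json.loads(body)
    except ValueError:
        return 400, {"error": "body is not valid JSON"}
    if not isinstance(record, dict):
        return 400, {"error": "expected a JSON object"}
    kind = classify(record)
    if kind == "connection_test":
        return 200, {"kind": kind, "message": record.get("message")}
    if kind == "audit":
        return 200, {"kind": kind, **triage_audit(record)}
    if kind == "event":
        return 200, {"kind": kind, **triage_event(record)}
    return 400, {"error": "unrecognised record shape"}


# Constructed sample payloads (not captured from MDCES).
SAMPLE_KEY = "example-api-key"
SAMPLE_HEADERS = {"Content-Type": "application/json", "X-API-Key": SAMPLE_KEY}
SAMPLE_TEST = b'{"test": true, "timestamp": "2024-01-01T00:00:00Z", "message": "Test connection from MDCES"}'
SAMPLE_AUDIT = json.dumps({
    "eventId": "a1", "source": "MDCES", "timestamp": "2024-01-01T00:01:00Z", "tenantId": "t1",
    "eventType": "CONFIGURATION", "userId": "admin@example.com",
    "referencedObject": "POLICY", "operationType": "UPDATE", "referenceId": "p1"}).encode()
SAMPLE_EVENT = json.dumps({
    "eventId": "e1", "correlationId": "c1", "source": "MDCES", "tenantId": "t1",
    "timestamp": "2024-01-01T00:02:00Z",
    "details": {
        "messageId": "m1", "messageStatus": "Quarantined", "reason": "Malicious attachment",
        "emailMetaData": {"sender": "attacker@example.net", "senderIp": "192.0.2.10",
                          "recipients": ["user@example.com"], "subject": "Invoice",
                          "emailDirection": "Inbound", "emailHeaderMessageId": "<x@example.net>"},
        "scanResult": {"overallVerdict": "Malicious",
                       "scanResultEngines": {"totalEngines": 20, "detectedEngines": 7}},
        "emailParts": [
            {"fileId": "f1", "data": {"fileName": "body", "contentType": "Body"},
             "scanResult": {"fileVerdict": "No threat detected"}},
            {"fileId": "f2", "data": {"fileName": "invoice.docm", "contentType": "Attachment",
                                      "sha256": "ab" * 32},
             "scanResult": {"fileVerdict": "Malicious"}}]}}).encode()

if __name__ == "__main__":
    for body in (SAMPLE_TEST, SAMPLE_AUDIT, SAMPLE_EVENT):
        print(handle_request(SAMPLE_HEADERS, body, SAMPLE_KEY))
```

`handle_request` is deliberately free of any network code so it can be called from whatever HTTP framework fronts the endpoint; the API-key comparison runs before the body is parsed, so an unauthenticated sender cannot drive the JSON parser, and a rejected key returns 401 rather than silently ingesting the record.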
