Cisco IronPort E-Mail Security Use Cases
I've thought about some use cases for Cisco IronPort E-Mail Security. The code is pseudo code and not transferable 1:1 to a rule. So if I'm waiting for various conditions like devEventClassID = "ACCEPT" && message = "antivirus positive", I'm waiting for different events. In that example, those two event fields will never be in one event.
UC #01: Detect possible SPAM wave
message = "verdict negative" && <Email submitted> && devCustStr1 != TRUSTED
AddToList("Possible_SPAM_Wave_SrcIP",SrcIP) //Field "Count" automatically +1
Possible_SPAM_Wave_SrcIP.Count > X //X must be significantly higher than normal email traffic //To detect "Count < X" use ArcSight internal events
SendMail "Possible SPAM Wave detected"
A further improvement could be a comparison with an external reputation DB like projecthoneypot.org. So if the Src IP is not trusted by IronPort OR by the ext. DB, put it on a list.
UC #02: Source spreads virus
DevEventClassID = "ACCEPT" && message = "antivirus positive"
AddToList("Virus_via_E-Mail_from_accepted_Source",SrcIP) //Field "Count" automatically +1
Virus_via_E-Mail_from_accepted_Source.Count > 5 //To detect "Count > X" use ArcSight internal events
SendMail "Possible Virus spread via E-Mail detected"
A further improvement could be to use a combination of SrcIP and Email Address. PRO: Reduces false positives if this type of email comes from Gmail. CONTRA: If emails are sent from 1000 different email addresses from one source, the counter won't become higher than 5.
UC #03: Attachment deleted by endpoint antivirus, but virus not detected by IronPort
devEventClassID = "ACCEPT" && devEventClassID = "Attachment found" && message = "verdict negative"
name = "Virus detected" && Submitted_attachment.AttachmentFileName == FileName
Report with Output who has all those files too
Maybe decrease reputation from good to bad
With the last option "Report with Output who has all those files too" you can see if another endpoint with no AV or old signatures has this file too.
These UCs are just ideas at the moment, not yet implemented.
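As an added illustration of the cross-event correlation the post describes (this is not code from the original post, nor from Cisco or ArcSight), here is a small Python sketch of UC #01 and UC #02 run over constructed sample events. The field names follow the pseudocode above; the `mid` join key is an assumption standing in for whatever message identifier ties the ACCEPT event to the later verdict or antivirus event for the same mail.

```python
from collections import Counter, defaultdict

# Constructed sample events (not real IronPort output). Each message produces
# several events: the ACCEPT event carries the source fields, while the
# verdict / antivirus text arrives in a separate event that shares the "mid".
SAMPLE_EVENTS = [
    {"mid": 1, "devEventClassID": "ACCEPT", "src": "198.51.100.7", "devCustStr1": "UNTRUSTED"},
    {"mid": 1, "message": "antivirus positive"},
    {"mid": 2, "devEventClassID": "ACCEPT", "src": "198.51.100.7", "devCustStr1": "UNTRUSTED"},
    {"mid": 2, "message": "antivirus positive"},
    {"mid": 3, "devEventClassID": "ACCEPT", "src": "203.0.113.9", "devCustStr1": "TRUSTED"},
    {"mid": 3, "message": "verdict negative"},
    {"mid": 4, "devEventClassID": "ACCEPT", "src": "198.51.100.7", "devCustStr1": "UNTRUSTED"},
    {"mid": 4, "message": "verdict negative"},
    {"mid": 5, "devEventClassID": "ACCEPT", "src": "198.51.100.7", "devCustStr1": "UNTRUSTED"},
    {"mid": 5, "message": "verdict negative"},
]


def correlate_by_message(events):
    """Fold the per-message event fragments into one record per mid, because the
    ACCEPT fields and the verdict/antivirus text never appear in a single event."""
    recs = defaultdict(lambda: {"accepted": False, "trusted": False, "messages": set()})
    for ev in events:
        rec = recs[ev["mid"]]
        if ev.get("devEventClassID") == "ACCEPT":
            rec["accepted"] = True
            rec["src"] = ev["src"]
            rec["trusted"] = ev.get("devCustStr1") == "TRUSTED"
        if "message" in ev:
            rec["messages"].add(ev["message"])
    return recs


def spam_wave_sources(events, threshold):
    """UC #01: untrusted sources with more than `threshold` negative-verdict
    messages (the Possible_SPAM_Wave_SrcIP active list, counted per SrcIP)."""
    counts = Counter()
    for rec in correlate_by_message(events).values():
        if "src" in rec and not rec["trusted"] and "verdict negative" in rec["messages"]:
            counts[rec["src"]] += 1
    return {ip: n for ip, n in counts.items() if n > threshold}


def virus_spreading_sources(events, threshold=5):
    """UC #02: accepted sources that delivered more than `threshold`
    antivirus-positive messages (Virus_via_E-Mail_from_accepted_Source list)."""
    counts = Counter()
    for rec in correlate_by_message(events).values():
        if rec["accepted"] and "antivirus positive" in rec["messages"]:
            counts[rec["src"]] += 1
    return {ip: n for ip, n in counts.items() if n > threshold}
```

The thresholds are deliberately parameters: the post's X for UC #01 has to sit well above normal traffic, and the trusted source (mid 3) is excluded from the SPAM count even though its verdict was negative.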
Re: Cisco IronPort E-Mail Security Use Cases
Additionally I think you can look for Email that is sent unencrypted, and then go into reporting on total bytes by user or domain.