BRIEF Video on EMAIL and the Data Lake.
In this video we show the EMAIL Attachment and URL table that is available in the data lake, we also pivot from a URL seen an an email to ask if any endpoint have ever communicated to that URL and if so what process was it. From that we start the investigation and generate a process tree to see what that URL made happen on the device
Getting Started
For email to work you need to have the Sophos EMAL Product deployed and configured with Office 365 with auto search and destroy enabled. Some setup and configuration instructions are below.... (Hey I managed to get it going, so how hard can it be)
The pre-requisites for using the email service is that you have your own domain, that you can re-direct the MX record for and then push the email through us. You will need to enable the search and destroy feature highlighted below and be using Office365.
SETUP
https://docs.sophos.com/central/Customer/help/en-us/central/Customer/learningContents/Configure365.html (Office 365)
For the last step you will need to join the EAP from early January and you will need to be using Office 365 as your mailbox store. Once you have signed up to the beta we will start collecting that information and populating the table.
A trial license is sufficient, just follow the instructions for configuring Sophos EMAIL for an office 365 account.
CONFIGURATION
You also need the 'Search and Destroy' feature enabled
CONFIRMING SETUP IS DONE
Once setup you should start seeing emails in the email report section of central.
Running some Queries
It may take a few minutes before email attachment and url data starts getting into the lake
Here are some queries I wrote, others will show up under the OTHER category (We will be adding a new category for EMAIL soon)
-- (DATA LAKE QUERY) EMAIL SENDER DETAILS
-- Generic EMAIL URL LINK SEARCH -- VARIABLE $$Sender$$ STRING With Email_List AS ( SELECT timestamp Received_date, "from" FROM_, envelope_recipient To, subject, domain, url Url_Link, client_ip, scheme, mime_date Send_date, reply_to, array_join(to,',') TO_ARRAY, array_join(cc,',') CC_ARRAY FROM xdr_xge_url_data WHERE "from" LIKE '%$$Sender$$%' ORDER BY timestamp DESC ) SELECT From_, COUNT(From_) Instances, array_join(array_agg(DISTINCT To), CHR(10)) To_LIST, array_join(array_agg(DISTINCT subject), CHR(10)) subject_LIST, array_join(array_agg(DISTINCT domain), CHR(10)) domain_LIST, array_join(array_agg(DISTINCT url_Link), CHR(10)) url_LIST, array_join(array_agg(DISTINCT client_ip), CHR(10)) Client_IP_LIST, MIN(Received_date) First_Email, MAX(Received_date) Last_Email FROM Email_List GROUP BY From_ ORDER BY Instances DESC
-- (DATA LAKE QUERY) EMAIL GENERIC URL SEARCH
-- Generic EMAIL URL LINK SEARCH -- VARIABLE $$From contains$$ STRING -- VARIABLE $$To contains$$ STRING -- VARIABLE $$URL contains$$ URL -- VARIABLE $$client IP$$ IP_Address -- VARIABLE $$domain contains$$ STRING -- VARIABLE $$subject contains$$ STRING SELECT timestamp Received_date, "from" FROM_, envelope_recipient To, subject, domain, url Url_Link, client_ip, scheme, mime_date Send_date, reply_to, array_join(to,',') TO_ARRAY, array_join(cc,',') CC_ARRAY FROM xdr_xge_url_data WHERE (url LIKE '%$$URL contains$$%' OR resolved_url LIKE '%$$URL contains$$%') AND domain LIKE '%$$domain contains$$%' AND subject LIKE '%$$subject contains$$%' AND client_IP LIKE '%$$client IP$$%' AND "from" LIKE '%$$From contains$$%' AND envelope_recipient LIKE '%$$To contains$$%' ORDER BY timestamp DESC
-- (DATA LAKE QUERY) EMAIL Generic attachment search
-- EMAIL Generic attachment search -- VARIABLE $$From$$ STRING -- VARIABLE $$To$$ STRING -- VARIABLE $$Subject contains$$ STRING -- VARIABLE $$client_IP$$ IP_Address -- VARIABLE $$Name of attachment file$$ STRING -- VARIABLE $$SHA_256 of the attachments$$ SHA-256 SELECT timestamp, "from" FROM_, envelope_recipient To, subject, name File_Name, size size, checksum File_SHA256 FROM symlink_xdr_xge_att_data WHERE "from" LIKE '%$$From$$%' AND envelope_recipient LIKE '%$$To$$%' AND subject LIKE '%$$Subject contains$$%' AND client_IP LIKE '%$$client_IP$$%' AND name LIKE '%$$Name of attachment file$$%' AND checksum LIKE '%$$SHA_256 of the attachments$$%' ORDER BY timestamp DESC
