I'm struggling with the integration of the Cisco IronPort Email Security Appliance as a UEBA source.
The LogPoint documentation - Data Sources For UEBA — UEBA Guide latest documentation (logpoint.com) - indicates the ESA is supported.
The corresponding UEBA matching query is - device_category=Email* sAMAccountName=* receiver=* datasize=* | fields,log_ts,sender,receiver,userPrincipalName,sAMAccountName,datasize,subject,status,file,file_count
The ESA never sends a combination of receiver and datasize. The ESA only logs a combination of sender and datasize. The ESA's sender & receiver logs are linked only via the MID "message_identifier".
Has anyone seen or done this integration with Cisco's ESA and UEBA? Is it running in the correct way?
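The gap described above (sender and datasize on one line, receivers on other lines, only the MID tying them together) is a correlation problem that can be solved before the events reach the UEBA query. The following script is an added example and is not code from this post, from LogPoint or from Cisco: it groups ESA-style log lines by MID, builds one record per message with sender, receiver list, datasize, subject and completion status, and then flattens that into one event per receiver, which is the shape the UEBA query in the post expects. The sample lines are constructed and only approximate the AsyncOS mail_logs format; the regular expressions, the field names and the helper names are assumptions chosen to match the query fields in the post.

```python
import re
from collections import defaultdict

# Constructed sample lines approximating Cisco ESA (AsyncOS) mail_logs.
# MID 4711 has two recipients and completes; MID 4712 is still in flight.
SAMPLE_LOG = """\
Mon Jun  3 10:15:01 2024 Info: MID 4711 ICID 9001 From: <alice@example.com>
Mon Jun  3 10:15:01 2024 Info: MID 4711 ICID 9001 RID 0 To: <bob@example.org>
Mon Jun  3 10:15:01 2024 Info: MID 4711 ICID 9001 RID 1 To: <carol@example.org>
Mon Jun  3 10:15:02 2024 Info: MID 4711 Subject 'Quarterly report'
Mon Jun  3 10:15:02 2024 Info: MID 4711 ready 24576 bytes from <alice@example.com>
Mon Jun  3 10:15:05 2024 Info: Message finished MID 4711 done
Mon Jun  3 10:16:00 2024 Info: MID 4712 ICID 9002 From: <mallory@example.net>
Mon Jun  3 10:16:00 2024 Info: MID 4712 ICID 9002 RID 0 To: <bob@example.org>
Mon Jun  3 10:16:01 2024 Info: MID 4712 ready 512 bytes from <mallory@example.net>
"""

# Assumed line shapes; adjust to the real appliance output if they differ.
LINE_RE = re.compile(r"^(?P<ts>.+?) Info: (?P<body>.*)$")
FROM_RE = re.compile(r"^MID (?P<mid>\d+) ICID \d+ From: <(?P<addr>[^>]*)>")
TO_RE = re.compile(r"^MID (?P<mid>\d+) ICID \d+ RID \d+ To: <(?P<addr>[^>]*)>")
SUBJ_RE = re.compile(r"^MID (?P<mid>\d+) Subject '(?P<subject>.*)'$")
READY_RE = re.compile(r"^MID (?P<mid>\d+) ready (?P<size>\d+) bytes from <(?P<addr>[^>]*)>")
DONE_RE = re.compile(r"^Message finished MID (?P<mid>\d+) done")


def _new_record():
    return {"log_ts": None, "sender": None, "receiver": [],
            "datasize": None, "subject": None, "status": "incomplete"}


def correlate_by_mid(log_text):
    """Join the per-line ESA events into one record per MID.

    Returns a dict keyed by MID (as a string). A record whose
    'Message finished' line has not been seen keeps status 'incomplete',
    so a downstream consumer can hold it back instead of emitting a
    half-built event.
    """
    records = defaultdict(_new_record)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an Info line we know how to use
        ts, body = m.group("ts"), m.group("body")
        if (f := FROM_RE.match(body)):
            rec = records[f.group("mid")]
            rec["log_ts"] = rec["log_ts"] or ts  # first sighting of the MID
            rec["sender"] = f.group("addr")
        elif (t := TO_RE.match(body)):
            records[t.group("mid")]["receiver"].append(t.group("addr"))
        elif (s := SUBJ_RE.match(body)):
            records[s.group("mid")]["subject"] = s.group("subject")
        elif (r := READY_RE.match(body)):
            rec = records[r.group("mid")]
            rec["datasize"] = int(r.group("size"))
            rec["sender"] = rec["sender"] or r.group("addr")
        elif (d := DONE_RE.match(body)):
            records[d.group("mid")]["status"] = "done"
    return dict(records)


def to_ueba_events(records, completed_only=True):
    """Flatten MID records into one event per receiver.

    Each event carries sender, receiver and datasize together, which is
    the combination the UEBA matching query requires on a single event.
    """
    events = []
    for mid, rec in records.items():
        if completed_only and rec["status"] != "done":
            continue
        for rcpt in rec["receiver"]:
            events.append({
                "message_identifier": mid,
                "log_ts": rec["log_ts"],
                "sender": rec["sender"],
                "receiver": rcpt,
                "datasize": rec["datasize"],
                "subject": rec["subject"],
                "status": rec["status"],
            })
    return events


if __name__ == "__main__":
    for ev in to_ueba_events(correlate_by_mid(SAMPLE_LOG)):
        print(ev)
```

Running it with the constructed input yields two events for MID 4711 (one per recipient, both carrying the 24576-byte size) and nothing for MID 4712 until its completion line arrives; pass `completed_only=False` if partial messages should still be emitted. The remaining question, whether LogPoint's ESA parser already performs this MID join or whether it has to be done in a normalization step like this one, is exactly what the post is asking.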