Email Metadata Streaming to Helix

In this installment of the Tips and Insights series, Adam Goff explains metadata streaming in FireEye Helix. This data can be a very useful for your I.T. and security teams.

Hi I’m Adam Goff. I’m a Support Engineer here at FireEye. Today we are going to be talking about email metadata streaming to Helix. When available email metadata can be a useful tool for I.T. and security teams. We will start by going over to the settings and then Metadata Streaming.

Up at the top you have your activate button. So we would click enable. We would hit apply. That will show the HTTP and our Syslog forwarder options. With the HTTP we can add a receiver. Name it. Give it a URL. Pick whether or not it authenticates. If it does we can use basic authentication of username and password or token authentication which also includes the requirement of having a token. Or we can do Syslog and we can add a Syslog receiver. So this could be a Comm Broker. You put in the Comm Broker name. Its IP. You tell it you want to send by TCP, UDP or SSL and then leave it on the default format if you’re going to go to a Comm Broker. If you’re going to go to your CIM you can set these as desired. And so we have three different format options available to you if desired.

Now in Helix you’ll see that we now have a new class for the metadata as highlighted. It’s currently named “fireeye-ex- metadata” as seen.

When we search for the class equals fireeye ex metadata it will pull up the metadata for each email that has been scanned by a email security appliance within your environment.

There are several fields that are important within the event data captured by Helix. First we have our appliance id. That appliance id references the specific email security appliance within your environment.

Then we have objects. Objects references what object in your email was analyzed for potential malicious content.

Then we have our results and that will tell you if the email was found to be clean or malicious at the time that it was processed. We have our delivery status which will tell you whether or not the email was successfully delivered off of the email security appliance to the next hop in your MTA.

And then you have your classic fields of too, from, subject, uuid. All the things you might want to pivot on as you’re analyzing your email security metadata. Now we see how we can get email metadata into Helix for fast more FireEye tips and insights.

Scroll to Top