Solved: Re: Creating a dictionary of domains

ross-crawford · ‎03-07-2024

I'm looking to essentially create a dictionary of specific domains, that will be used by a content-filter that checks the "Envelope Sender" for a term in the content dictionary, and if it matches to added a CEF Log Entry that can be picked up by our SIEM.

Unsure of what the correct format should be, this is what I have currently:

@domain\.com$

Is there a better way to test this rather than waiting for the next email to come from this domain and see if it matches? I've tried to understand the Trace function, however I'm not sure where I would see the if the domain matched or not. When I do my test trace, I can see that its going to our default policy for content filters where the one I created sits, but I cant see whether it matched or not.

Ken Stieers · ‎03-07-2024

That should work... I'm not where I can look at mine but I'm 99% sure that's how mine are set.

If you wanted to test, I'd create a content filter that just added a mail log entry for a domain I could sned a mail from.... but depending upon how your CEF log is set up that might still end up there too...

View solution in original post

Ken Stieers · ‎03-07-2024

That should work... I'm not where I can look at mine but I'm 99% sure that's how mine are set.

If you wanted to test, I'd create a content filter that just added a mail log entry for a domain I could sned a mail from.... but depending upon how your CEF log is set up that might still end up there too...

ross-crawford · ‎03-12-2024

Thanks, all working now using the above syntax!