Avanan (now part of Check Point Software Technologies) is a leading cloud email and collaboration security platform.
Avanan is a crucial, next-generation security layer that plugs directly into your cloud suite to provide the best defense against advanced email and collaboration-based threats.
Log Types:
These are the core logs detailing threats detected and neutralized:
Phishing / BEC / Impersonation:
Logs the AI/ML Score, indicating why the email was flagged.
Includes data on Low Relationship Strength, detected Spoofing, and Malicious URLs.
Records Sender/Recipient details and the language of the message.
Malware / Ransomware:
Records the Sandbox Scan Result and the specific Security Engine Name that made the detection.
Includes details on the attached File Type and Name, whether it was found in Email or File Sharing apps.
DLP (Data Loss Prevention):
Notes the DLP Classification and the Policy Violated.
Tracks the user who initiated the Sharing/Sending of the sensitive data.
Account Takeover (ATO):
Documents Anomalous Behavior Profile.
Records unusual login locations, Mass Export events, or Atypical usage patterns.
User Reported Phishing:
Logs the original email data and the Admin Action taken following the user report.
These logs track system health and administrative activities for auditing:
Audit Logs:
Full documentation of all Admin Actions within the Avanan portal.
Includes changes to Policies, creation of Exceptions/Allow Lists, and changes to user privileges.
Event Logs:
Real-time record of the Mail Flow through Avanan's scanning layers.
Used primarily for Troubleshooting and verifying that all traffic is being scanned correctly.
Quarantine Logs:
A list of all Emails and Files sent to Quarantine.
Includes the Reason for Quarantine and tracks Restore Requests.
The process requires configuration in both the AWS Console (to set up the destination and permissions) and the Avanan portal (to configure the connection).
The goal is to create a storage bucket and a dedicated user with minimal permissions (Least Privilege) for Avanan to write logs.
1. Create the S3 Bucket
Log in to the AWS Management Console.
Navigate to the S3 service and click Create Bucket.
Choose a unique and descriptive name (e.g., avanan-security-logs-yourcompany).
Select the AWS Region where you want the data stored.
2. Create an IAM User and Policy
A dedicated IAM user will be used by Avanan to authenticate and write logs to your bucket.
Navigate to the IAM (Identity and Access Management) service.
Create a new User (e.g., avanan-log-exporter).
Select Programmatic Access as the access type.
Create a Policy: Define a new IAM policy to grant only the necessary write permissions to your specific S3 bucket.
Actions: Include s3:PutObject, s3:ListBucket, and s3:GetObject (to write logs, read them back, and list files).
Resource: Specify the ARN (Amazon Resource Name) of your S3 bucket and the log path (e.g., arn:aws:s3:::avanan-security-logs-yourcompany/*). Note that s3:ListBucket is a bucket-level action, so it must be granted on the bucket ARN itself (without the trailing /*), while s3:PutObject and s3:GetObject apply to the object path.
Attach Policy: Attach this new policy to the user (avanan-log-exporter).
Save Credentials: Upon user creation, securely save the Access Key ID and Secret Access Key. (These are required for the Avanan setup).
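The policy from step 2, as an added example (not Avanan's or Check Point's own documentation): a Python helper that builds the least-privilege policy document for the avanan-log-exporter user and flags anything broader than the three actions on one bucket. The bucket name and the avanan/ log prefix are assumptions taken from the examples on this page.

```python
import json

# Assumed values (from this page's examples, not from Avanan/Check Point docs).
BUCKET = "avanan-security-logs-yourcompany"
PREFIX = "avanan/"  # log path Avanan writes under, per the verification step below
ALLOWED_ACTIONS = {"s3:PutObject", "s3:GetObject", "s3:ListBucket"}


def build_avanan_writer_policy(bucket: str, prefix: str) -> dict:
    """Least-privilege policy for the avanan-log-exporter IAM user.
    s3:ListBucket is a bucket-level action, so it targets the bucket ARN itself
    (limited by an s3:prefix condition), while object actions use bucket/prefix*."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "WriteAndReadLogObjects",
                "Effect": "Allow",
                "Action": ["s3:PutObject", "s3:GetObject"],
                "Resource": f"{bucket_arn}/{prefix}*",
            },
            {
                "Sid": "ListLogPathOnly",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": bucket_arn,
                "Condition": {"StringLike": {"s3:prefix": f"{prefix}*"}},
            },
        ],
    }


def policy_problems(policy: dict) -> list:
    """Findings for anything broader than the three actions scoped to one bucket."""
    findings = []
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        sid = st.get("Sid", "?")
        findings += [f"{sid}: unexpected action {a}" for a in actions if a not in ALLOWED_ACTIONS]
        for r in resources:
            if r in ("*", "arn:aws:s3:::*"):
                findings.append(f"{sid}: resource is not scoped to one bucket")
            if "s3:ListBucket" in actions and r.endswith("/*"):
                findings.append(f"{sid}: s3:ListBucket must target the bucket ARN, not objects")
    return findings


if __name__ == "__main__":
    # Print the document ready to paste into the IAM policy editor.
    print(json.dumps(build_avanan_writer_policy(BUCKET, PREFIX), indent=2))
```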
You will now connect the Avanan platform to the S3 destination using the credentials created above.
Navigate to Settings: Log into the Avanan/Check Point Harmony Email & Collaboration Portal.
Access SIEM Integration: Navigate to Security Settings > Security Engines > SIEM Integration and click Configure.
Log Format: Select the desired log format (usually JSON is recommended for S3 archiving and SIEM analysis).
S3 Integration (Direct Method):
If Avanan supports direct S3 integration, select the relevant option (sometimes listed as an Event Forwarding method).
Enter the following AWS details in the Avanan interface:
Bucket Name: (e.g., avanan-security-logs-yourcompany)
Bucket Region: (The Region you selected in step 1 above)
Access Key ID: (From IAM User)
Secret Access Key: (From IAM User)
Note: If the S3 option is not directly available, you will need to install an Avanan Connector (or an appropriate Add-on) on a server running within AWS, which uses the Avanan API to pull the logs and then push them to S3.
Log Scope: Ensure you select which logs to send (e.g., Security Events, Audit Logs).
Save and Validate: Save the configuration. Avanan will perform a validation check and, if successful, begin exporting log files (often GZIP compressed JSON files) to your S3 bucket.
Check S3 Bucket: After a few minutes, verify the S3 bucket content. You should see new folders and compressed log files start appearing (e.g., under a path like /avanan/security-events/year/month/day/).
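An added verification example for the "Check S3 Bucket" step (not part of the original page or of the Avanan product): Python that checks exported objects against the avanan/<scope>/year/month/day/ layout and decompresses the GZIP JSON, run here over constructed sample objects. The .json.gz extension, S3 keys without a leading slash, and the event fields are assumptions.

```python
import gzip, json, re
from collections import Counter

# Expected key layout from this page (assumed: no leading slash, .json.gz suffix).
# The <scope> segment is e.g. security-events or audit-logs.
KEY_PATTERN = re.compile(r"^avanan/(?P<scope>[a-z-]+)/(?P<y>\d{4})/(?P<m>\d{2})/(?P<d>\d{2})/[^/]+\.json\.gz$")


def make_sample_object(events):
    """Gzip a list of JSON events, one per line, as an exporter might write them."""
    body = "\n".join(json.dumps(e) for e in events).encode()
    return gzip.compress(body)


def load_events(blob: bytes) -> list:
    """Decompress one exported object and return its events.
    Accepts both newline-delimited JSON and a single JSON array."""
    text = gzip.decompress(blob).decode("utf-8").strip()
    if text.startswith("["):
        return json.loads(text)
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def verify_export(objects: dict) -> dict:
    """objects maps S3 key -> object bytes. Returns keys outside the expected
    layout, objects that are not valid gzip/JSON, and event counts per scope."""
    summary = {"bad_keys": [], "unreadable": [], "events_by_scope": Counter()}
    for key, blob in objects.items():
        m = KEY_PATTERN.match(key)
        if not m:
            summary["bad_keys"].append(key)
            continue
        try:
            events = load_events(blob)
        except (OSError, ValueError):  # BadGzipFile is an OSError; bad JSON a ValueError
            summary["unreadable"].append(key)
            continue
        summary["events_by_scope"][m["scope"]] += len(events)
    summary["events_by_scope"] = dict(summary["events_by_scope"])
    return summary


# Constructed sample of bucket contents; event fields are illustrative, not Avanan's schema.
SAMPLE = {
    "avanan/security-events/2024/05/01/part-0001.json.gz": make_sample_object(
        [{"type": "phishing", "score": 0.97}, {"type": "malware", "engine": "sandbox"}]),
    "avanan/audit-logs/2024/05/01/part-0001.json.gz": make_sample_object(
        [{"type": "policy_change", "admin": "admin@example.com"}]),
    "avanan/security-events/2024/05/01/broken.json.gz": b"not gzip at all",
    "stray/upload.txt": b"not a log",
}
```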
Conkit Installation:
To receive and process these logs, follow these steps for the connector installation and configuration:
Download the Conkit: Avanan S3.
Install the Conkit via Cygent.
Open the connector setup using runagentsetup to configure the S3 details.
Verification: After installation, check that the connector is successfully receiving events from the Avanan system.