Email Scanning¶
ACE can generate alerts by scanning emails. It has three ways of receiving emails to scan:
- SMTP collection
- Office365 journaling
- Exchange or Office365 mailbox extraction
Analysis Mode Email¶
The analysis mode named email is defined in the configuration settings. This mode has a group of analysis modules assigned to it that are designed specifically for email scanning:
- Email Analyzer
- Email Conversation Attachment Analyzer
- Email Conversation Frequency Analyzer
- Email Conversation Frequency Link Analyzer
- Email Link Analyzer
- Encrypted Archive Analyzer
- analysis_module_mailbox_email_analyzer
- analysis_module_message_id_analyzer
- analysis_module_msoffice_encryption_analyzer
- analysis_module_smtp_stream_analyzer
Yara Scanning¶
ACE does not scan the entire email as-is with yara. The headers of the email are written to a NAME.headers file, where NAME is the name of the RFC 822 formatted email file, and each attachment is extracted and analyzed on its own. A yara rule therefore matches against either the header block or an individual extracted attachment, not the raw message as a whole.
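The splitting described above, as an added illustration that is not ACE's own code: the raw header block is sliced off into NAME.headers without re-serializing it, and each MIME attachment is decoded and written out as its own scan target. The sample message is constructed for this example, and the NAME.attN.filename naming for attachment files is this example's choice, not ACE's. The filename sanitizer matters because the attachment name is attacker-controlled and is about to become a path on the scanning host.

```python
import email
import os
import re
import tempfile
from email import policy
from pathlib import Path
from typing import List, Optional, Tuple

# Constructed sample message (not from the ACE documentation): a text body
# plus one base64 attachment whose decoded content starts with the "MZ"
# PE header bytes, the kind of thing a yara rule would look for.
SAMPLE_EMAIL = b"""From: sender@example.com
To: victim@example.com
Subject: Invoice
Message-ID: <abc123@example.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="us-ascii"

Please see attached.
--XYZ
Content-Type: application/octet-stream; name="invoice.bin"
Content-Disposition: attachment; filename="invoice.bin"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--XYZ--
"""


def safe_filename(filename: Optional[str], fallback: str) -> str:
    """Reduce an attacker-controlled attachment name to a plain basename.

    Both separators are handled so a name like ..\\..\\x.exe cannot escape the
    output directory on POSIX, where os.path.basename ignores backslashes.
    """
    base = os.path.basename((filename or "").replace("\\", "/"))
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base)
    if base in ("", ".", ".."):
        return fallback
    return base


def extract_scan_targets(raw: bytes, name: str) -> List[Tuple[str, bytes]]:
    """Split one RFC 822 message into the pieces that get scanned separately.

    Returns (filename, content) pairs: NAME.headers holding the raw header
    block, then one entry per MIME attachment with its transfer encoding
    removed. The NAME.attN.<file> naming is this example's assumption.
    """
    # The header block is everything up to the first blank line. Slicing the
    # raw bytes keeps folding and ordering exactly as they were on the wire.
    m = re.search(rb"\r?\n\r?\n", raw)
    headers = raw if m is None else raw[: m.start()] + b"\n"
    targets = [(f"{name}.headers", headers)]

    msg = email.message_from_bytes(raw, policy=policy.default)
    for i, part in enumerate(msg.iter_attachments(), start=1):
        fname = safe_filename(part.get_filename(), f"part{i}")
        payload = part.get_payload(decode=True) or b""  # base64/QP removed
        targets.append((f"{name}.att{i}.{fname}", payload))
    return targets


def write_scan_targets(targets, outdir: Optional[Path] = None) -> List[Path]:
    """Write each target to its own file so a scanner can be pointed at each one."""
    outdir = Path(outdir) if outdir else Path(tempfile.mkdtemp(prefix="ace-yara-"))
    outdir.mkdir(parents=True, exist_ok=True)
    written = []
    for fname, content in targets:
        path = outdir / fname
        path.write_bytes(content)
        written.append(path)
    return written


if __name__ == "__main__":
    for path in write_scan_targets(extract_scan_targets(SAMPLE_EMAIL, "sample.eml")):
        print(f"{path}  ({path.stat().st_size} bytes)")
```

Each written file is a separate scan unit, so a rule intended to catch a header artifact (a spoofed Message-ID pattern, say) must be written against the header block, and a rule for a dropper must match the decoded attachment bytes rather than their base64 form.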