Merge pull request #11794 from Azure/v-atulyadav/proofpointtapicm

v-dvedak · web-flow · commit 51f0f499d78a · 2025-02-12T17:17:32.000+05:30
Update analytical rule MalwareLinkClicked.yaml
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/ProofPointTAPClicksPermitted_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/ProofPointTAPClicksPermitted_CL.json
@@ -40,6 +40,10 @@
     {
       "Name": "classification_s",
       "Type": "String"
+    },
+    {
+      "Name": "threatStatus_s",
+      "Type": "String"
     }
   ]
 }
diff --git a/Solutions/ProofPointTap/Analytic Rules/MalwareLinkClicked.yaml b/Solutions/ProofPointTap/Analytic Rules/MalwareLinkClicked.yaml
@@ -19,6 +19,7 @@ relevantTechniques:
 query: |
   ProofPointTAPClicksPermitted_CL
   | where classification_s =~ "malware"
+  | where threatStatus_s != "cleared"
   | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by TimeGenerated, Sender = sender_s, SenderIPAddress = senderIP_s, Recipient = recipient_s, TimeClicked = clickTime_t, URLClicked = url_s
   | extend RecipientName = tostring(split(Recipient, "@")[0]), RecipientUPNSuffix = tostring(split(Recipient, "@")[1])
   | extend SenderName = tostring(split(Sender, "@")[0]), SenderUPNSuffix = tostring(split(Sender, "@")[1])
@@ -47,5 +48,5 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: URLClicked
-version: 1.0.4
+version: 1.0.5
 kind: Scheduled
diff --git a/Solutions/ProofPointTap/Package/3.0.5.zip b/Solutions/ProofPointTap/Package/3.0.5.zip
diff --git a/Solutions/ProofPointTap/Package/createUiDefinition.json b/Solutions/ProofPointTap/Package/createUiDefinition.json
@@ -71,7 +71,7 @@
             }
           },
           {
-            "name": "dataconnectors-link2",
+            "name": "dataconnectors-link1",
             "type": "Microsoft.Common.TextBlock",
             "options": {
               "link": {
diff --git a/Solutions/ProofPointTap/Package/mainTemplate.json b/Solutions/ProofPointTap/Package/mainTemplate.json
@@ -68,11 +68,11 @@
       "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','0558155e-4556-447e-9a22-828f2a7de06b','-', '1.0.4')))]"
     },
     "analyticRuleObject2": {
-      "analyticRuleVersion2": "1.0.4",
+      "analyticRuleVersion2": "1.0.5",
       "_analyticRulecontentId2": "8675dd7a-795e-4d56-a79c-fc848c5ee61c",
       "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '8675dd7a-795e-4d56-a79c-fc848c5ee61c')]",
       "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('8675dd7a-795e-4d56-a79c-fc848c5ee61c')))]",
-      "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','8675dd7a-795e-4d56-a79c-fc848c5ee61c','-', '1.0.4')))]"
+      "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','8675dd7a-795e-4d56-a79c-fc848c5ee61c','-', '1.0.5')))]"
     },
     "workbookVersion1": "1.0.0",
     "workbookContentId1": "ProofPointTAPWorkbook",
@@ -756,10 +756,10 @@
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
+                    "connectorId": "ProofpointTAP",
                     "dataTypes": [
                       "ProofPointTAPMessagesDelivered_CL"
-                    ],
-                    "connectorId": "ProofpointTAP"
+                    ]
                   }
                 ],
                 "tactics": [
@@ -773,7 +773,6 @@
                 ],
                 "entityMappings": [
                   {
-                    "entityType": "Account",
                     "fieldMappings": [
                       {
                         "columnName": "Recipient",
@@ -787,10 +786,10 @@
                         "columnName": "RecipientUPNSuffix",
                         "identifier": "UPNSuffix"
                       }
-                    ]
+                    ],
+                    "entityType": "Account"
                   },
                   {
-                    "entityType": "Account",
                     "fieldMappings": [
                       {
                         "columnName": "Sender",
@@ -804,16 +803,17 @@
                         "columnName": "SenderUPNSuffix",
                         "identifier": "UPNSuffix"
                       }
-                    ]
+                    ],
+                    "entityType": "Account"
                   },
                   {
-                    "entityType": "IP",
                     "fieldMappings": [
                       {
                         "columnName": "SenderIPAddress",
                         "identifier": "Address"
                       }
-                    ]
+                    ],
+                    "entityType": "IP"
                   }
                 ]
               }
@@ -886,7 +886,7 @@
                 "description": "This query identifies a user clicking on an email link whose threat category is classified as a malware",
                 "displayName": "Malware Link Clicked",
                 "enabled": false,
-                "query": "ProofPointTAPClicksPermitted_CL\n| where classification_s =~ \"malware\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by TimeGenerated, Sender = sender_s, SenderIPAddress = senderIP_s, Recipient = recipient_s, TimeClicked = clickTime_t, URLClicked = url_s\n| extend RecipientName = tostring(split(Recipient, \"@\")[0]), RecipientUPNSuffix = tostring(split(Recipient, \"@\")[1])\n| extend SenderName = tostring(split(Sender, \"@\")[0]), SenderUPNSuffix = tostring(split(Sender, \"@\")[1])\n",
+                "query": "ProofPointTAPClicksPermitted_CL\n| where classification_s =~ \"malware\"\n| where threatStatus_s != \"cleared\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by TimeGenerated, Sender = sender_s, SenderIPAddress = senderIP_s, Recipient = recipient_s, TimeClicked = clickTime_t, URLClicked = url_s\n| extend RecipientName = tostring(split(Recipient, \"@\")[0]), RecipientUPNSuffix = tostring(split(Recipient, \"@\")[1])\n| extend SenderName = tostring(split(Sender, \"@\")[0]), SenderUPNSuffix = tostring(split(Sender, \"@\")[1])\n",
                 "queryFrequency": "PT1H",
                 "queryPeriod": "PT1H",
                 "severity": "Medium",
@@ -897,10 +897,10 @@
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
+                    "connectorId": "ProofpointTAP",
                     "dataTypes": [
                       "ProofPointTAPClicksPermitted_CL"
-                    ],
-                    "connectorId": "ProofpointTAP"
+                    ]
                   }
                 ],
                 "tactics": [
@@ -914,7 +914,6 @@
                 ],
                 "entityMappings": [
                   {
-                    "entityType": "Account",
                     "fieldMappings": [
                       {
                         "columnName": "Recipient",
@@ -928,10 +927,10 @@
                         "columnName": "RecipientUPNSuffix",
                         "identifier": "UPNSuffix"
                       }
-                    ]
+                    ],
+                    "entityType": "Account"
                   },
                   {
-                    "entityType": "Account",
                     "fieldMappings": [
                       {
                         "columnName": "Sender",
@@ -945,25 +944,26 @@
                         "columnName": "SenderUPNSuffix",
                         "identifier": "UPNSuffix"
                       }
-                    ]
+                    ],
+                    "entityType": "Account"
                   },
                   {
-                    "entityType": "IP",
                     "fieldMappings": [
                       {
                         "columnName": "SenderIPAddress",
                         "identifier": "Address"
                       }
-                    ]
+                    ],
+                    "entityType": "IP"
                   },
                   {
-                    "entityType": "URL",
                     "fieldMappings": [
                       {
                         "columnName": "URLClicked",
                         "identifier": "Url"
                       }
-                    ]
+                    ],
+                    "entityType": "URL"
                   }
                 ]
               }
diff --git a/Solutions/ProofPointTap/ReleaseNotes.md b/Solutions/ProofPointTap/ReleaseNotes.md
@@ -1,8 +1,8 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History**                                           |
 |-------------|--------------------------------|--------------------------------------------------------------|
-| 3.0.5       | 05-07-2024                     | Updated **Analytic Rules** MalwareAttachmentDelivered.yaml and MalwareLinkClicked.yaml              |
-| 3.0.4       | 26-04-2024                     | Repackaged for fix on parser in maintemplate to have old parsername and parentid                    |
-| 3.0.3       | 16-04-2024                     | Repackaged for parser issue in maintemplate  |
+| 3.0.5       | 12-01-2025                     | Updated **Analytic Rule** MalwareLinkClicked.yaml  		  | 
+| 3.0.4       | 26-04-2024                     | Repackaged for fix on parser in maintemplate to have old parsername and parentid        |
+| 3.0.3       | 16-04-2024                     | Repackaged for parser issue in maintemplate  				  |
 | 3.0.2       | 10-04-2024                     | Added Azure Deploy button for government portal deployments  |
 | 3.0.1       | 10-10-2023                     | Manual deployment instructions updated for **Data Connector**|          
 | 3.0.0       | 01-08-2023                     | Updated solution logo with Microsoft Sentinel logo           |

Original file line number	Diff line number	Diff line change
`@@ -40,6 +40,10 @@`
`40`	`40`	`{`
`41`	`41`	`"Name": "classification_s",`
`42`	`42`	`"Type": "String"`
	`43`	`+ },`
	`44`	`+ {`
	`45`	`+ "Name": "threatStatus_s",`
	`46`	`+ "Type": "String"`
`43`	`47`	`}`
`44`	`48`	`]`
`45`	`49`	`}`
Original file line number	Diff line number	Diff line change
`@@ -71,7 +71,7 @@`
`71`	`71`	`}`
`72`	`72`	`},`
`73`	`73`	`{`
`74`		`- "name": "dataconnectors-link2",`
	`74`	`+ "name": "dataconnectors-link1",`
`75`	`75`	`"type": "Microsoft.Common.TextBlock",`
`76`	`76`	`"options": {`
`77`	`77`	`"link": {`
Original file line number	Diff line number	Diff line change
`@@ -68,11 +68,11 @@`
`68`	`68`	`"_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','0558155e-4556-447e-9a22-828f2a7de06b','-', '1.0.4')))]"`
`69`	`69`	`},`
`70`	`70`	`"analyticRuleObject2": {`
`71`		`- "analyticRuleVersion2": "1.0.4",`
	`71`	`+ "analyticRuleVersion2": "1.0.5",`
`72`	`72`	`"_analyticRulecontentId2": "8675dd7a-795e-4d56-a79c-fc848c5ee61c",`
`73`	`73`	`"analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '8675dd7a-795e-4d56-a79c-fc848c5ee61c')]",`
`74`	`74`	`"analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('8675dd7a-795e-4d56-a79c-fc848c5ee61c')))]",`
`75`		`- "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','8675dd7a-795e-4d56-a79c-fc848c5ee61c','-', '1.0.4')))]"`
	`75`	`+ "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','8675dd7a-795e-4d56-a79c-fc848c5ee61c','-', '1.0.5')))]"`
`76`	`76`	`},`
`77`	`77`	`"workbookVersion1": "1.0.0",`
`78`	`78`	`"workbookContentId1": "ProofPointTAPWorkbook",`
`@@ -756,10 +756,10 @@`
`756`	`756`	`"status": "Available",`
`757`	`757`	`"requiredDataConnectors": [`
`758`	`758`	`{`
	`759`	`+ "connectorId": "ProofpointTAP",`
`759`	`760`	`"dataTypes": [`
`760`	`761`	`"ProofPointTAPMessagesDelivered_CL"`
`761`		`- ],`
`762`		`- "connectorId": "ProofpointTAP"`
	`762`	`+ ]`
`763`	`763`	`}`
`764`	`764`	`],`
`765`	`765`	`"tactics": [`
`@@ -773,7 +773,6 @@`
`773`	`773`	`],`
`774`	`774`	`"entityMappings": [`
`775`	`775`	`{`
`776`		`- "entityType": "Account",`
`777`	`776`	`"fieldMappings": [`
`778`	`777`	`{`
`779`	`778`	`"columnName": "Recipient",`
`@@ -787,10 +786,10 @@`
`787`	`786`	`"columnName": "RecipientUPNSuffix",`
`788`	`787`	`"identifier": "UPNSuffix"`
`789`	`788`	`}`
`790`		`- ]`
	`789`	`+ ],`
	`790`	`+ "entityType": "Account"`
`791`	`791`	`},`
`792`	`792`	`{`
`793`		`- "entityType": "Account",`
`794`	`793`	`"fieldMappings": [`
`795`	`794`	`{`
`796`	`795`	`"columnName": "Sender",`
`@@ -804,16 +803,17 @@`
`804`	`803`	`"columnName": "SenderUPNSuffix",`
`805`	`804`	`"identifier": "UPNSuffix"`
`806`	`805`	`}`
`807`		`- ]`
	`806`	`+ ],`
	`807`	`+ "entityType": "Account"`
`808`	`808`	`},`
`809`	`809`	`{`
`810`		`- "entityType": "IP",`
`811`	`810`	`"fieldMappings": [`
`812`	`811`	`{`
`813`	`812`	`"columnName": "SenderIPAddress",`
`814`	`813`	`"identifier": "Address"`
`815`	`814`	`}`
`816`		`- ]`
	`815`	`+ ],`
	`816`	`+ "entityType": "IP"`
`817`	`817`	`}`
`818`	`818`	`]`
`819`	`819`	`}`
`@@ -886,7 +886,7 @@`
`886`	`886`	`"description": "This query identifies a user clicking on an email link whose threat category is classified as a malware",`
`887`	`887`	`"displayName": "Malware Link Clicked",`
`888`	`888`	`"enabled": false,`
`889`		- "query": "ProofPointTAPClicksPermitted_CL\n\| where classification_s =~ \"malware\"\n\| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by TimeGenerated, Sender = sender_s, SenderIPAddress = senderIP_s, Recipient = recipient_s, TimeClicked = clickTime_t, URLClicked = url_s\n\| extend RecipientName = tostring(split(Recipient, \"@\")[0]), RecipientUPNSuffix = tostring(split(Recipient, \"@\")[1])\n\| extend SenderName = tostring(split(Sender, \"@\")[0]), SenderUPNSuffix = tostring(split(Sender, \"@\")[1])\n",
	`889`	+ "query": "ProofPointTAPClicksPermitted_CL\n\| where classification_s =~ \"malware\"\n\| where threatStatus_s != \"cleared\"\n\| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by TimeGenerated, Sender = sender_s, SenderIPAddress = senderIP_s, Recipient = recipient_s, TimeClicked = clickTime_t, URLClicked = url_s\n\| extend RecipientName = tostring(split(Recipient, \"@\")[0]), RecipientUPNSuffix = tostring(split(Recipient, \"@\")[1])\n\| extend SenderName = tostring(split(Sender, \"@\")[0]), SenderUPNSuffix = tostring(split(Sender, \"@\")[1])\n",
`890`	`890`	`"queryFrequency": "PT1H",`
`891`	`891`	`"queryPeriod": "PT1H",`
`892`	`892`	`"severity": "Medium",`
`@@ -897,10 +897,10 @@`
`897`	`897`	`"status": "Available",`
`898`	`898`	`"requiredDataConnectors": [`
`899`	`899`	`{`
	`900`	`+ "connectorId": "ProofpointTAP",`
`900`	`901`	`"dataTypes": [`
`901`	`902`	`"ProofPointTAPClicksPermitted_CL"`
`902`		`- ],`
`903`		`- "connectorId": "ProofpointTAP"`
	`903`	`+ ]`
`904`	`904`	`}`
`905`	`905`	`],`
`906`	`906`	`"tactics": [`
`@@ -914,7 +914,6 @@`
`914`	`914`	`],`
`915`	`915`	`"entityMappings": [`
`916`	`916`	`{`
`917`		`- "entityType": "Account",`
`918`	`917`	`"fieldMappings": [`
`919`	`918`	`{`
`920`	`919`	`"columnName": "Recipient",`
`@@ -928,10 +927,10 @@`
`928`	`927`	`"columnName": "RecipientUPNSuffix",`
`929`	`928`	`"identifier": "UPNSuffix"`
`930`	`929`	`}`
`931`		`- ]`
	`930`	`+ ],`
	`931`	`+ "entityType": "Account"`
`932`	`932`	`},`
`933`	`933`	`{`
`934`		`- "entityType": "Account",`
`935`	`934`	`"fieldMappings": [`
`936`	`935`	`{`
`937`	`936`	`"columnName": "Sender",`
`@@ -945,25 +944,26 @@`
`945`	`944`	`"columnName": "SenderUPNSuffix",`
`946`	`945`	`"identifier": "UPNSuffix"`
`947`	`946`	`}`
`948`		`- ]`
	`947`	`+ ],`
	`948`	`+ "entityType": "Account"`
`949`	`949`	`},`
`950`	`950`	`{`
`951`		`- "entityType": "IP",`
`952`	`951`	`"fieldMappings": [`
`953`	`952`	`{`
`954`	`953`	`"columnName": "SenderIPAddress",`
`955`	`954`	`"identifier": "Address"`
`956`	`955`	`}`
`957`		`- ]`
	`956`	`+ ],`
	`957`	`+ "entityType": "IP"`
`958`	`958`	`},`
`959`	`959`	`{`
`960`		`- "entityType": "URL",`
`961`	`960`	`"fieldMappings": [`
`962`	`961`	`{`
`963`	`962`	`"columnName": "URLClicked",`
`964`	`963`	`"identifier": "Url"`
`965`	`964`	`}`
`966`		`- ]`
	`965`	`+ ],`
	`966`	`+ "entityType": "URL"`
`967`	`967`	`}`
`968`	`968`	`]`
`969`	`969`	`}`