Merge pull request #12621 from Azure/v-sabiraj-proofpointTAPrules

v-atulyadav · web-flow · commit f0525b571851 · 2025-09-25T12:51:47.000+05:30
Update analytic rules to use ProofpointTAPEvent parser
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/ProofPointTAPClicksPermittedV2_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/ProofPointTAPClicksPermittedV2_CL.json
@@ -0,0 +1,49 @@
+{
+  "Name": "ProofPointTAPClicksPermittedV2_CL",
+  "Properties": [
+    {
+      "Name": "TimeGenerated",
+      "Type": "DateTime"
+    },
+    {
+      "Name": "threatsInfoMap",
+      "Type": "String"
+    },
+    {
+      "Name": "messageParts",
+      "Type": "String"
+    },
+    {
+      "Name": "sender",
+      "Type": "String"
+    },
+    {
+      "Name": "senderIP",
+      "Type": "String"
+    },
+    {
+      "Name": "recipient",
+      "Type": "String"
+    },
+    {
+      "Name": "subject",
+      "Type": "String"
+    },
+    {
+      "Name": "clickTime",
+      "Type": "DateTime"
+    },
+    {
+      "Name": "url",
+      "Type": "String"
+    },
+    {
+      "Name": "classification",
+      "Type": "String"
+    },
+    {
+      "Name": "threatStatus",
+      "Type": "String"
+    }
+  ]
+}
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/ProofPointTAPMessagesDeliveredV2_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/ProofPointTAPMessagesDeliveredV2_CL.json
@@ -0,0 +1,45 @@
+{
+  "Name": "ProofPointTAPMessagesDeliveredV2_CL",
+  "Properties": [
+    {
+      "Name": "TimeGenerated",
+      "Type": "DateTime"
+    },
+    {
+      "Name": "threatsInfoMap",
+      "Type": "Dynamic"
+    },
+    {
+      "Name": "messageParts",
+      "Type": "Dynamic"
+    },
+    {
+      "Name": "sender",
+      "Type": "String"
+    },
+    {
+      "Name": "senderIP",
+      "Type": "String"
+    },
+    {
+      "Name": "recipient",
+      "Type": "String"
+    },
+    {
+      "Name": "subject",
+      "Type": "String"
+    },
+    {
+      "Name": "threatType",
+      "Type": "String"
+    },
+    {
+      "Name": "classification",
+      "Type": "String"
+    },
+    {
+      "Name": "filename",
+      "Type": "String"
+    }
+  ]
+}
diff --git a/Solutions/ProofPointTap/Analytic Rules/MalwareAttachmentDelivered.yaml b/Solutions/ProofPointTap/Analytic Rules/MalwareAttachmentDelivered.yaml
@@ -7,7 +7,7 @@ status: Available
 requiredDataConnectors:
   - connectorId: ProofpointTAP
     dataTypes:
-      - ProofPointTAPMessagesDelivered_CL
+      - ProofPointTAPMessagesDeliveredV2_CL
 queryFrequency: 1h
 queryPeriod: 1h
 triggerOperator: gt
@@ -17,13 +17,13 @@ tactics:
 relevantTechniques:
   - T1566.001
 query: |
-  ProofPointTAPMessagesDelivered_CL
-  | mv-expand todynamic(threatsInfoMap_s)
-  | mv-expand todynamic(messageParts_s)
-  | extend threatType = tostring(threatsInfoMap_s.threatType), classification = tostring(threatsInfoMap_s.classification)
-  | extend filename = tostring(messageParts_s.filename)
+  ProofPointTAPMessagesDeliveredV2_CL
+  | mv-expand todynamic(threatsInfoMap)
+  | mv-expand todynamic(messageParts)
+  | extend threatType = tostring(threatsInfoMap.threatType), classification = tostring(threatsInfoMap.classification)
+  | extend filename = tostring(messageParts.filename)
   | where threatType =~ "attachment" and classification =~ "malware"
-  | summarize filenames = make_set(filename), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by TimeGenerated, Sender = sender_s, SenderIPAddress = senderIP_s, Recipient = recipient_s, threatType, classification,  Subject = subject_s
+  | summarize filenames = make_set(filename), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by TimeGenerated, Sender = sender, SenderIPAddress = senderIP, Recipient = tostring(recipient), threatType, classification, Subject = subject
   | mv-expand todynamic(Recipient)
   | extend RecipientName = tostring(split(Recipient, "@")[0]), RecipientUPNSuffix = tostring(split(Recipient, "@")[1])
   | extend SenderName = tostring(split(Sender, "@")[0]), SenderUPNSuffix = tostring(split(Sender, "@")[1])
@@ -48,5 +48,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: SenderIPAddress
-version: 1.0.4
+version: 1.0.5
 kind: Scheduled
diff --git a/Solutions/ProofPointTap/Analytic Rules/MalwareLinkClicked.yaml b/Solutions/ProofPointTap/Analytic Rules/MalwareLinkClicked.yaml
@@ -7,7 +7,7 @@ status: Available
 requiredDataConnectors:
   - connectorId: ProofpointTAP
     dataTypes:
-      - ProofPointTAPClicksPermitted_CL
+      - ProofPointTAPClicksPermittedV2_CL
 queryFrequency: 1h
 queryPeriod: 1h
 triggerOperator: gt
@@ -17,10 +17,10 @@ tactics:
 relevantTechniques:
   - T1566.002
 query: |
-  ProofPointTAPClicksPermitted_CL
-  | where classification_s =~ "malware"
-  | where threatStatus_s != "cleared"
-  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by TimeGenerated, Sender = sender_s, SenderIPAddress = senderIP_s, Recipient = recipient_s, TimeClicked = clickTime_t, URLClicked = url_s
+  ProofPointTAPClicksPermittedV2_CL
+  | where classification =~ "malware"
+  | where threatStatus != "cleared"
+  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by TimeGenerated, Sender = sender, SenderIPAddress = senderIP, Recipient = recipient, TimeClicked = clickTime, URLClicked = url
   | extend RecipientName = tostring(split(Recipient, "@")[0]), RecipientUPNSuffix = tostring(split(Recipient, "@")[1])
   | extend SenderName = tostring(split(Sender, "@")[0]), SenderUPNSuffix = tostring(split(Sender, "@")[1])
 entityMappings:
@@ -48,5 +48,5 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: URLClicked
-version: 1.0.5
+version: 1.0.6
 kind: Scheduled
diff --git a/Solutions/ProofPointTap/Parsers/ProofpointTAPEvent.yaml b/Solutions/ProofPointTap/Parsers/ProofpointTAPEvent.yaml
@@ -41,7 +41,7 @@ FunctionQuery: |
                   SrcIpAddr=coalesce(column_ifexists('senderIP_s',''),senderIP),
                   SpamScore=coalesce(toint(column_ifexists('spamScore_d',int(null))),spamScore),
                   Subject=coalesce(column_ifexists('subject_s',''),subject),
-                   ThreatID=coalesce(column_ifexists('threatID',''),threatID),
+                  ThreatID=coalesce(column_ifexists('threatID',''),threatID),
                   ThreatsInfoMap=coalesce(column_ifexists('threatsInfoMap_s',''),threatsInfoMap),
                    ThreatStatus=coalesce(column_ifexists('threatStatus_s',''),threatStatus),
                    ThreatTime=coalesce(column_ifexists('threatTime_t',datetime(null)),threatTime),
