diff --git a/.script/tests/KqlvalidationsTests/CustomTables/ProofPointTAPClicksPermitted_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/ProofPointTAPClicksPermitted_CL.json
index 9278720faf4..0d76d7971f6 100644
--- a/.script/tests/KqlvalidationsTests/CustomTables/ProofPointTAPClicksPermitted_CL.json
+++ b/.script/tests/KqlvalidationsTests/CustomTables/ProofPointTAPClicksPermitted_CL.json
@@ -40,6 +40,10 @@
 {
 "Name": "classification_s",
 "Type": "String"
+ },
+ {
+ "Name": "threatStatus_s",
+ "Type": "String"
 }
 ]
 }
\ No newline at end of file
diff --git a/Solutions/ProofPointTap/Analytic Rules/MalwareLinkClicked.yaml b/Solutions/ProofPointTap/Analytic Rules/MalwareLinkClicked.yaml
index 7edba047c2c..2eaf0e59dcd 100644
--- a/Solutions/ProofPointTap/Analytic Rules/MalwareLinkClicked.yaml
+++ b/Solutions/ProofPointTap/Analytic Rules/MalwareLinkClicked.yaml
@@ -19,6 +19,7 @@ relevantTechniques:
 query: |
 ProofPointTAPClicksPermitted_CL
 | where classification_s =~ "malware"
+ | where threatStatus_s != "cleared"
 | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by TimeGenerated, Sender = sender_s, SenderIPAddress = senderIP_s, Recipient = recipient_s, TimeClicked = clickTime_t, URLClicked = url_s
 | extend RecipientName = tostring(split(Recipient, "@")[0]), RecipientUPNSuffix = tostring(split(Recipient, "@")[1])
 | extend SenderName = tostring(split(Sender, "@")[0]), SenderUPNSuffix = tostring(split(Sender, "@")[1])
@@ -47,5 +48,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: URLClicked
-version: 1.0.4
+version: 1.0.5
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/ProofPointTap/Package/3.0.5.zip b/Solutions/ProofPointTap/Package/3.0.5.zip
index 6d75662b5fe..b8656e28bce 100644
Binary files a/Solutions/ProofPointTap/Package/3.0.5.zip and b/Solutions/ProofPointTap/Package/3.0.5.zip differ
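Review bot: The new filter `| where threatStatus_s != "cleared"` is case-sensitive, whereas the line directly above it compares `classification_s` with the case-insensitive `=~`; a status value that arrives with different casing would not be excluded, so for consistency with the existing predicate use `| where threatStatus_s !~ "cleared"`. Rows in which threatStatus_s is empty or absent (for instance data ingested before the column existed, which the test schema in .script/tests/KqlvalidationsTests/CustomTables/ProofPointTAPClicksPermitted_CL.json only now declares) still satisfy either comparison and keep alerting, which is the safe direction for a detection rule. The same comparison is embedded in the `"query"` string of Package/mainTemplate.json at @@ -886, so both places should be changed together or the packaged rule will diverge from the YAML. The query block may continue past the last `| extend` line shown in the hunk.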
diff --git a/Solutions/ProofPointTap/Package/createUiDefinition.json b/Solutions/ProofPointTap/Package/createUiDefinition.json
index a71ee4cc44b..b9413c513de 100644
--- a/Solutions/ProofPointTap/Package/createUiDefinition.json
+++ b/Solutions/ProofPointTap/Package/createUiDefinition.json
@@ -71,7 +71,7 @@
 }
 },
 {
- "name": "dataconnectors-link2",
+ "name": "dataconnectors-link1",
 "type": "Microsoft.Common.TextBlock",
 "options": {
 "link": {
diff --git a/Solutions/ProofPointTap/Package/mainTemplate.json b/Solutions/ProofPointTap/Package/mainTemplate.json
index 51dffaf9d9e..7d358267a82 100644
--- a/Solutions/ProofPointTap/Package/mainTemplate.json
+++ b/Solutions/ProofPointTap/Package/mainTemplate.json
@@ -68,11 +68,11 @@
 "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','0558155e-4556-447e-9a22-828f2a7de06b','-', '1.0.4')))]"
 },
 "analyticRuleObject2": {
- "analyticRuleVersion2": "1.0.4",
+ "analyticRuleVersion2": "1.0.5",
 "_analyticRulecontentId2": "8675dd7a-795e-4d56-a79c-fc848c5ee61c",
 "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '8675dd7a-795e-4d56-a79c-fc848c5ee61c')]",
 "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('8675dd7a-795e-4d56-a79c-fc848c5ee61c')))]",
- "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','8675dd7a-795e-4d56-a79c-fc848c5ee61c','-', '1.0.4')))]"
+ "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','8675dd7a-795e-4d56-a79c-fc848c5ee61c','-', '1.0.5')))]"
 },
 "workbookVersion1": "1.0.0",
 "workbookContentId1": "ProofPointTAPWorkbook",
@@ -756,10 +756,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "ProofpointTAP",
 "dataTypes": [
 "ProofPointTAPMessagesDelivered_CL"
- ],
- "connectorId": "ProofpointTAP"
+ ]
 }
 ],
 "tactics": [
@@ -773,7 +773,6 @@
 ],
 "entityMappings": [
 {
- "entityType": "Account",
 "fieldMappings": [
 {
 "columnName": "Recipient",
@@ -787,10 +786,10 @@
 "columnName": "RecipientUPNSuffix",
 "identifier": "UPNSuffix"
 }
- ]
+ ],
+ "entityType": "Account"
 },
 {
- "entityType": "Account",
 "fieldMappings": [
 {
 "columnName": "Sender",
@@ -804,16 +803,17 @@
 "columnName": "SenderUPNSuffix",
 "identifier": "UPNSuffix"
 }
- ]
+ ],
+ "entityType": "Account"
 },
 {
- "entityType": "IP",
 "fieldMappings": [
 {
 "columnName": "SenderIPAddress",
 "identifier": "Address"
 }
- ]
+ ],
+ "entityType": "IP"
 }
 ]
 }
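Review bot: Moving `"entityType"` from the first key to the last in every entityMappings entry, and `"connectorId"` from last to first in requiredDataConnectors, changes nothing semantically (JSON key order carries no meaning) but turns a one-line rule edit into churn across this hunk, @@ -773, @@ -787, @@ -804 and the matching hunks for the second rule from @@ -897 onward. The discriminator reads best as the first key of each object, so the previous order was the clearer one. The reorder looks like the output of the packaging tool rather than a hand edit, though that is inferred from the pattern, not visible here; if so, pinning that tool's key order would keep future diffs limited to real changes.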
@@ -886,7 +886,7 @@
 "description": "This query identifies a user clicking on an email link whose threat category is classified as a malware",
 "displayName": "Malware Link Clicked",
 "enabled": false,
- "query": "ProofPointTAPClicksPermitted_CL\n| where classification_s =~ \"malware\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by TimeGenerated, Sender = sender_s, SenderIPAddress = senderIP_s, Recipient = recipient_s, TimeClicked = clickTime_t, URLClicked = url_s\n| extend RecipientName = tostring(split(Recipient, \"@\")[0]), RecipientUPNSuffix = tostring(split(Recipient, \"@\")[1])\n| extend SenderName = tostring(split(Sender, \"@\")[0]), SenderUPNSuffix = tostring(split(Sender, \"@\")[1])\n",
+ "query": "ProofPointTAPClicksPermitted_CL\n| where classification_s =~ \"malware\"\n| where threatStatus_s != \"cleared\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by TimeGenerated, Sender = sender_s, SenderIPAddress = senderIP_s, Recipient = recipient_s, TimeClicked = clickTime_t, URLClicked = url_s\n| extend RecipientName = tostring(split(Recipient, \"@\")[0]), RecipientUPNSuffix = tostring(split(Recipient, \"@\")[1])\n| extend SenderName = tostring(split(Sender, \"@\")[0]), SenderUPNSuffix = tostring(split(Sender, \"@\")[1])\n",
 "queryFrequency": "PT1H",
 "queryPeriod": "PT1H",
 "severity": "Medium",
@@ -897,10 +897,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "ProofpointTAP",
 "dataTypes": [
 "ProofPointTAPClicksPermitted_CL"
- ],
- "connectorId": "ProofpointTAP"
+ ]
 }
 ],
 "tactics": [
@@ -914,7 +914,6 @@
 ],
 "entityMappings": [
 {
- "entityType": "Account",
 "fieldMappings": [
 {
 "columnName": "Recipient",
@@ -928,10 +927,10 @@
 "columnName": "RecipientUPNSuffix",
 "identifier": "UPNSuffix"
 }
- ]
+ ],
+ "entityType": "Account"
 },
 {
- "entityType": "Account",
 "fieldMappings": [
 {
 "columnName": "Sender",
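Review bot: The rewritten `"query"` string is shipped under an unchanged package version: the binary hunk modifies `Solutions/ProofPointTap/Package/3.0.5.zip` in place, and the ReleaseNotes.md hunk rewrites the existing 3.0.5 row with a new date and text instead of adding a row, so two different rule bodies now exist under the same solution version 3.0.5. Workspaces that already installed 3.0.5 may not be offered the corrected rule, and the record of what 3.0.5 originally contained is lost. Consider bumping the solution version (a new package and release-notes row) alongside the analytic rule's own bump to 1.0.5; the solution-level version field is outside the hunks shown, so whether it changed cannot be confirmed here.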
@@ -945,25 +944,26 @@
 "columnName": "SenderUPNSuffix",
 "identifier": "UPNSuffix"
 }
- ]
+ ],
+ "entityType": "Account"
 },
 {
- "entityType": "IP",
 "fieldMappings": [
 {
 "columnName": "SenderIPAddress",
 "identifier": "Address"
 }
- ]
+ ],
+ "entityType": "IP"
 },
 {
- "entityType": "URL",
 "fieldMappings": [
 {
 "columnName": "URLClicked",
 "identifier": "Url"
 }
- ]
+ ],
+ "entityType": "URL"
 }
 ]
 }
diff --git a/Solutions/ProofPointTap/ReleaseNotes.md b/Solutions/ProofPointTap/ReleaseNotes.md
index d999f259a19..d67b88f6a8d 100644
--- a/Solutions/ProofPointTap/ReleaseNotes.md
+++ b/Solutions/ProofPointTap/ReleaseNotes.md
@@ -1,8 +1,8 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|--------------------------------------------------------------|
-| 3.0.5 | 05-07-2024 | Updated **Analytic Rules** MalwareAttachmentDelivered.yaml and MalwareLinkClicked.yaml |
-| 3.0.4 | 26-04-2024 | Repackaged for fix on parser in maintemplate to have old parsername and parentid |
-| 3.0.3 | 16-04-2024 | Repackaged for parser issue in maintemplate |
+| 3.0.5 | 12-01-2025 | Updated **Analytic Rule** MalwareLinkClicked.yaml |
+| 3.0.4 | 26-04-2024 | Repackaged for fix on parser in maintemplate to have old parsername and parentid |
+| 3.0.3 | 16-04-2024 | Repackaged for parser issue in maintemplate |
 | 3.0.2 | 10-04-2024 | Added Azure Deploy button for government portal deployments |
 | 3.0.1 | 10-10-2023 | Manual deployment instructions updated for **Data Connector**|
 | 3.0.0 | 01-08-2023 | Updated solution logo with Microsoft Sentinel logo |