Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,10 @@
{
"Name": "classification_s",
"Type": "String"
},
{
"Name": "threatStatus_s",
"Type": "String"
}
]
}
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@ relevantTechniques:
query: |
ProofPointTAPClicksPermitted_CL
| where classification_s =~ "malware"
| where threatStatus_s != "cleared"
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by TimeGenerated, Sender = sender_s, SenderIPAddress = senderIP_s, Recipient = recipient_s, TimeClicked = clickTime_t, URLClicked = url_s
| extend RecipientName = tostring(split(Recipient, "@")[0]), RecipientUPNSuffix = tostring(split(Recipient, "@")[1])
| extend SenderName = tostring(split(Sender, "@")[0]), SenderUPNSuffix = tostring(split(Sender, "@")[1])
Expand Down Expand Up @@ -47,5 +48,5 @@ entityMappings:
fieldMappings:
- identifier: Url
columnName: URLClicked
version: 1.0.4
version: 1.0.5
kind: Scheduled
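Review bot: The new `| where threatStatus_s != "cleared"` line uses the case-sensitive `!=`, while the filter directly above it uses the case-insensitive `=~`; if the feed ever emits `Cleared` or `CLEARED`, those events pass the filter and the rule fires on a click Proofpoint has already cleared. Writing it as `| where threatStatus_s !~ "cleared"` keeps the two predicates consistent and makes the exclusion robust to casing. The packaged copy of this query in mainTemplate.json further down this commit carries the same line and would need the same change, presumably by regenerating the package from this file. The `query:` block continues past the hunk, and this section's file header is not visible here — per the release notes it is presumably MalwareLinkClicked.yaml.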
Binary file modified Solutions/ProofPointTap/Package/3.0.5.zip
Binary file not shown.
2 changes: 1 addition & 1 deletion Solutions/ProofPointTap/Package/createUiDefinition.json
Original file line number Diff line number Diff line change
Expand Up @@ -71,7 +71,7 @@
}
},
{
"name": "dataconnectors-link2",
"name": "dataconnectors-link1",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
Expand Down
42 changes: 21 additions & 21 deletions Solutions/ProofPointTap/Package/mainTemplate.json
Original file line number Diff line number Diff line change
Expand Up @@ -68,11 +68,11 @@
"_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','0558155e-4556-447e-9a22-828f2a7de06b','-', '1.0.4')))]"
},
"analyticRuleObject2": {
"analyticRuleVersion2": "1.0.4",
"analyticRuleVersion2": "1.0.5",
"_analyticRulecontentId2": "8675dd7a-795e-4d56-a79c-fc848c5ee61c",
"analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '8675dd7a-795e-4d56-a79c-fc848c5ee61c')]",
"analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('8675dd7a-795e-4d56-a79c-fc848c5ee61c')))]",
"_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','8675dd7a-795e-4d56-a79c-fc848c5ee61c','-', '1.0.4')))]"
"_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','8675dd7a-795e-4d56-a79c-fc848c5ee61c','-', '1.0.5')))]"
},
"workbookVersion1": "1.0.0",
"workbookContentId1": "ProofPointTAPWorkbook",
Expand Down Expand Up @@ -756,10 +756,10 @@
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "ProofpointTAP",
"dataTypes": [
"ProofPointTAPMessagesDelivered_CL"
],
"connectorId": "ProofpointTAP"
]
}
],
"tactics": [
Expand All @@ -773,7 +773,6 @@
],
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "Recipient",
Expand All @@ -787,10 +786,10 @@
"columnName": "RecipientUPNSuffix",
"identifier": "UPNSuffix"
}
]
],
"entityType": "Account"
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "Sender",
Expand All @@ -804,16 +803,17 @@
"columnName": "SenderUPNSuffix",
"identifier": "UPNSuffix"
}
]
],
"entityType": "Account"
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SenderIPAddress",
"identifier": "Address"
}
]
],
"entityType": "IP"
}
]
}
Expand Down Expand Up @@ -886,7 +886,7 @@
"description": "This query identifies a user clicking on an email link whose threat category is classified as a malware",
"displayName": "Malware Link Clicked",
"enabled": false,
"query": "ProofPointTAPClicksPermitted_CL\n| where classification_s =~ \"malware\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by TimeGenerated, Sender = sender_s, SenderIPAddress = senderIP_s, Recipient = recipient_s, TimeClicked = clickTime_t, URLClicked = url_s\n| extend RecipientName = tostring(split(Recipient, \"@\")[0]), RecipientUPNSuffix = tostring(split(Recipient, \"@\")[1])\n| extend SenderName = tostring(split(Sender, \"@\")[0]), SenderUPNSuffix = tostring(split(Sender, \"@\")[1])\n",
"query": "ProofPointTAPClicksPermitted_CL\n| where classification_s =~ \"malware\"\n| where threatStatus_s != \"cleared\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by TimeGenerated, Sender = sender_s, SenderIPAddress = senderIP_s, Recipient = recipient_s, TimeClicked = clickTime_t, URLClicked = url_s\n| extend RecipientName = tostring(split(Recipient, \"@\")[0]), RecipientUPNSuffix = tostring(split(Recipient, \"@\")[1])\n| extend SenderName = tostring(split(Sender, \"@\")[0]), SenderUPNSuffix = tostring(split(Sender, \"@\")[1])\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Medium",
Expand All @@ -897,10 +897,10 @@
"status": "Available",
"requiredDataConnectors": [
{
"connectorId": "ProofpointTAP",
"dataTypes": [
"ProofPointTAPClicksPermitted_CL"
],
"connectorId": "ProofpointTAP"
]
}
],
"tactics": [
Expand All @@ -914,7 +914,6 @@
],
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "Recipient",
Expand All @@ -928,10 +927,10 @@
"columnName": "RecipientUPNSuffix",
"identifier": "UPNSuffix"
}
]
],
"entityType": "Account"
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "Sender",
Expand All @@ -945,25 +944,26 @@
"columnName": "SenderUPNSuffix",
"identifier": "UPNSuffix"
}
]
],
"entityType": "Account"
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SenderIPAddress",
"identifier": "Address"
}
]
],
"entityType": "IP"
},
{
"entityType": "URL",
"fieldMappings": [
{
"columnName": "URLClicked",
"identifier": "Url"
}
]
],
"entityType": "URL"
}
]
}
Expand Down
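Review bot: Most of this section's 21/21 diffstat is key reordering (`connectorId` moved below `dataTypes`, `entityType` moved below `fieldMappings`) that changes nothing in the deployed template, so the only functional edits — the `threatStatus_s` clause added to the `query` string in the `@@ -886,7 +886,7 @@` hunk and the `analyticRuleVersion2` bump to `1.0.5` — are buried in noise; running the packager on the untouched base first, or committing its reordering separately, would keep the diff reviewable. The version-bound identifiers do line up: `_analyticRulecontentProductId2` now hashes `'1.0.5'` while the untouched rule 1 correctly stays at `'1.0.4'`. Separately, the page shows `Package/3.0.5.zip` as modified and the existing `3.0.5` release-notes row rewritten with a new date rather than a new version entry; if 3.0.5 was already published, consumers who installed it would not be offered this fix, which is worth confirming before merge.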
6 changes: 3 additions & 3 deletions Solutions/ProofPointTap/ReleaseNotes.md
Original file line number Diff line number Diff line change
@@ -1,8 +1,8 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|--------------------------------------------------------------|
| 3.0.5 | 05-07-2024 | Updated **Analytic Rules** MalwareAttachmentDelivered.yaml and MalwareLinkClicked.yaml |
| 3.0.4 | 26-04-2024 | Repackaged for fix on parser in maintemplate to have old parsername and parentid |
| 3.0.3 | 16-04-2024 | Repackaged for parser issue in maintemplate |
| 3.0.5 | 12-01-2025 | Updated **Analytic Rule** MalwareLinkClicked.yaml |
| 3.0.4 | 26-04-2024 | Repackaged for fix on parser in maintemplate to have old parsername and parentid |
| 3.0.3 | 16-04-2024 | Repackaged for parser issue in maintemplate |
| 3.0.2 | 10-04-2024 | Added Azure Deploy button for government portal deployments |
| 3.0.1 | 10-10-2023 | Manual deployment instructions updated for **Data Connector**|
| 3.0.0 | 01-08-2023 | Updated solution logo with Microsoft Sentinel logo |