Skip to content

Update analytic rules to use ProofpointTAPEvent parser #12621

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
v-atulyadav merged 6 commits into from
Sep 25, 2025
Merged

Update analytic rules to use ProofpointTAPEvent parser #12621

v-atulyadav merged 6 commits into from
Sep 25, 2025

Conversation

@v-sabiraj
Copy link
Contributor

@v-sabiraj v-sabiraj commented Aug 1, 2025

Revised MalwareAttachmentDelivered and MalwareLinkClicked analytic rules to use the unified ProofpointTAPEvent parser and updated field references for consistency. Minor formatting adjustment in ProofpointTAPEvent parser for ThreatID assignment.

Required items, please complete

Change(s):

  • See guidance below

Reason for Change(s):

  • See guidance below

Version Updated:

  • Required only for Detections/Analytic Rule templates
  • See guidance below

Testing Completed:

  • See guidance below

Checked that the validations are passing and have addressed any issues that are present:

  • See guidance below

Guidance <- remove section before submitting

Before submitting this PR please ensure that you have read the following sections and filled out the changes, reason for change and testing complete sections:

Thank you for your contribution to the Microsoft Sentinel Github repo.

Details of the code changes in your submitted PR. Providing descriptions for pull requests ensures there is context to changes being made and greatly enhances the code review process. Providing associated Issues that this resolves also easily connects the reason.

Change(s):

  • Updated syntax for XYZ.yaml

Reason for Change(s):

Version updated:

  • Yes
  • Detections/Analytic Rule templates are required to have the version updated

The code should have been tested in a Microsoft Sentinel environment that does not have any custom parsers, functions or tables, so that you validate no incorrect syntax and execution functions properly. If your submission requires a custom parser or function, it must be submitted with the PR.

Testing Completed:

  • Yes/No/Need Help

Note: If updating a detection, you must update the version field.

Before the submission has been made, please look at running the KQL and Yaml Validation Checks locally.
https://github.com/Azure/Azure-Sentinel#run-kql-validation-locally

Checked that the validations are passing and have addressed any issues that are present:

  • Yes/No/Need Help

Note: Let us know if you have tried fixing the validation error and need help.

References:

@v-sabiraj
Update analytic rules to use ProofpointTAPEvent parser
a7a39ea 
Revised MalwareAttachmentDelivered and MalwareLinkClicked analytic rules to use the unified ProofpointTAPEvent parser and updated field references for consistency. Minor formatting adjustment in ProofpointTAPEvent parser for ThreatID assignment.
@v-sabiraj v-sabiraj requested review from a team as code owners August 1, 2025 19:46
@contentautomationbot
Copy link

contentautomationbot bot commented Aug 1, 2025

Hello how are you I am GitHub bot
😀😀
I see that you changed templates under the detections/analytic rules folder. Did you remember to update the version of the templates you changed?
If not, and if you want customers to be aware that a new version of this template is available, please update the version property of the template you changed.

@v-atulyadav v-atulyadav self-assigned this Aug 4, 2025
@v-atulyadav v-atulyadav added the Solution Solution specialty review needed label Aug 4, 2025
@v-sabiraj
Add ProofpointTAPEvent custom table test definition
2ae396a 
Introduces ProofpointTAPEvent.json to define the schema for the Proofpoint TAP event custom table in KQL validation tests. This table includes properties for event metadata, threat details, and message attributes to support comprehensive testing.
@v-sabiraj
Update dataTypes to ProofpointTAPEvent in analytic rules
b00425b 
Changed the required dataTypes for MalwareAttachmentDelivered and MalwareLinkClicked analytic rules from specific tables to the generic ProofpointTAPEvent. This aligns the rules with updated data connector schemas.
@v-sabiraj
Update ProofPoint TAP analytic rules to use new data tables
cb27a59 
Replaced usage of 'ProofpointTAPEvent' with 'ProofPointTAPMessagesDeliveredV2_CL' and 'ProofPointTAPClicksPermittedV2_CL' in MalwareAttachmentDelivered and MalwareLinkClicked analytic rules. Updated field references and query logic to match the new schema.
@v-sabiraj
Delete ProofpointTAPEvent.json
9bf61da
v-atulyadav
v-atulyadav previously approved these changes Sep 24, 2025
View reviewed changes
@v-atulyadav v-atulyadav merged commit f0525b5 into master Sep 25, 2025
33 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@v-atulyadav v-atulyadav v-atulyadav approved these changes

Assignees

@v-atulyadav v-atulyadav

Labels

P0 Solution Solution specialty review needed

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@v-sabiraj @v-atulyadav