CRTX-146122-ProofPoint-Email-Security (#37954)

* added support for audit log type

* added release notes

* added release notes

* added release notes

* fix

* fix

* fix

* fix

* fix

* added parsing

* fix yml

* fix notes

* added tags

Packs/ProofpointEmailSecurity/ModelingRules/ProofpointEmailSecurity/ProofpointEmailSecurity.xif

@@ -39,6 +39,7 @@ filter event_type = "message"
         xdm.email.attachment.sha256 = arraystring(arrayfilter(arraymap(msgParts_array, "@element" -> sha256), "@element" != "" and "@element" != null), ", "),
         xdm.observer.action = arraystring(arraymap(actions, if("@element" -> isFinal = "true", "@element" -> action, null)), ", "),
         xdm.alert.original_threat_name = arraystring(`filter` -> modules.av.virusNames[], ", ");
+
 // Modeling rule for Proofpoint email security "Mail" events
 filter event_type = "maillog"
 | alter
@@ -53,4 +54,28 @@ filter event_type = "maillog"
         xdm.observer.action = rtrim(arrayindex(regextract(sm -> stat, "(^[^:\(]+)"), 0), "\s"),
         xdm.email.recipients = arraymap(arraymap(arraymap(arraymap(sm -> to[], ltrim("@element", "\"")), rtrim("@element", "\"")), ltrim("@element", "<")), rtrim("@element", ">")),
         xdm.network.tls.cipher = if(lowercase(tls -> cipher) = "none", null, tls -> cipher),
-        xdm.network.tls.protocol_version = if(lowercase(tls -> version) = "none", null, tls -> version);
+        xdm.network.tls.protocol_version = if(lowercase(tls -> version) = "none", null, tls -> version);
+
+// Modeling rule for Proofpoint email security "Audit" events
+filter event_type = "audit"
+| alter source_ip = audit -> user.ipAddress, target_ip = metadata -> origin.data.agent
+| alter 
+        xdm.target.resource.type = audit -> resourceType,
+        xdm.source.user.identifier = audit -> user.id,
+        xdm.source.user.username = audit -> user.email,
+        xdm.source.ipv4 = if(source_ip ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", source_ip, null),
+        xdm.source.ipv6 = if(source_ip ~= "[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}", source_ip, null),
+        xdm.target.ipv4 = if(target_ip ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", target_ip, null),
+        xdm.target.ipv6 = if(target_ip ~= "[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}", target_ip, null),
+        xdm.event.operation_sub_type = audit -> action,
+        xdm.alert.severity = audit -> level,
+        xdm.alert.subcategory = parsed_fields -> eventSubCategory,
+        xdm.observer.unique_identifier = metadata -> customerId,
+        xdm.event.type = event_type,
+        xdm.event.id = guid,
+        xdm.event.description = parsed_fields,
+        xdm.alert.description = parsed_fields -> eventDetails,
+        xdm.observer.type = metadata -> origin.type,
+        xdm.observer.content_version = metadata -> origin.schemaVersion,
+        xdm.observer.version = metadata -> origin.data.version,
+        xdm.observer.name = metadata -> origin.data.cid;

Packs/ProofpointEmailSecurity/ModelingRules/ProofpointEmailSecurity/ProofpointEmailSecurity_schema.json

@@ -44,6 +44,18 @@
           "type": "string",
           "is_array": false
       },
+      "audit": {
+          "type": "string",
+          "is_array": false
+      },
+      "metadata": {
+        "type": "string",
+        "is_array": false
+    },
+    "parsed_fields": {
+        "type": "string",
+        "is_array": false
+    },
       "envelope": {
           "type": "string",
           "is_array": false

Packs/ProofpointEmailSecurity/ParsingRules/ProofpointEmailSecurity/ProofpointEmailSecurity.xif

@@ -0,0 +1,6 @@
+[INGEST:vendor="proofpoint", product="email_security", target_dataset="proofpoint_email_security_raw" , no_hit=keep]
+ filter event_type = "audit"
+| alter tmp_get_xml_keys = rtrim(arraystring(arraymap(regextract(replex(arraystring(audit -> tags[],","),"\.","_"),"name\":\s*\"(.*?)\","),concat("(?P", "<"+"@element"+">", "[^|]+)?\|")),""),"\|")
+| alter tmp_get_xml_values = ltrim(rtrim(replex(replex(replex(arraystring(regextract(replex(arraystring(audit -> tags[],","),"value\":\s*\"\"","value\":\"null\""),"value\":\s*\"(.*?)?\"\}"),"|"),"\<[^>|]+",""),"><","null"),"([<|>]?\|?[<|>])","|"),"|"),"|")
+| alter parsed_fields = if(tmp_get_xml_values = null or tmp_get_xml_values ~= "^\s*$", null, regexcapture(tmp_get_xml_values, tmp_get_xml_keys))
+| fields -tmp_*;

Packs/ProofpointEmailSecurity/ParsingRules/ProofpointEmailSecurity/ProofpointEmailSecurity.yml

@@ -0,0 +1,6 @@
+fromversion: 8.5.0
+id: proofpoint_email_security_ParsingRule
+name: Proofpoint Email Security Parsing Rule
+rules: ''
+samples: ''
+tags: []

Packs/ProofpointEmailSecurity/ReleaseNotes/1_0_6.md

@@ -0,0 +1,13 @@
+
+#### Modeling Rules
+
+##### Proofpoint Email Security Modeling Rule
+
+Improved implementation of Cortex Data Model (XDM) mapping for the audit event type.
+
+#### Parsing Rules
+
+##### New: Proofpoint Email Security Parsing Rule
+
+Added parsing rules for the audit event type.
+

Packs/ProofpointEmailSecurity/pack_metadata.json

@@ -2,14 +2,18 @@
     "name": "Proofpoint Email Security",
     "description": "Proofpoint Email Security pack provides visibility into email security threats and protects your organization from phishing, malware, and compliance risks.",
     "support": "xsoar",
-    "currentVersion": "1.0.5",
+    "currentVersion": "1.0.6",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",
     "categories": [
         "Analytics & SIEM"
     ],
-    "tags": [],
+    "tags": [
+        "Email",
+        "Alerts",
+        "Security"
+    ],
     "useCases": [],
     "keywords": [
         "On Demand",