diff --git a/Packs/CheckPointHEC/.pack-ignore b/Packs/CheckPointHEC/.pack-ignore
index e69de29bb2d1..9ee3840bb8ae 100644
--- a/Packs/CheckPointHEC/.pack-ignore
+++ b/Packs/CheckPointHEC/.pack-ignore
@@ -0,0 +1,17 @@
+[file:incidentfield-CheckPointHEC_Campaign_Task.json]
+ignore=IF113
+
+[file:incidentfield-CheckPointHEC_Farm.json]
+ignore=IF113
+
+[file:incidentfield-CheckPointHEC_Email_Sender.json]
+ignore=IF113
+
+[file:incidentfield-CheckPointHEC_Email_Subject.json]
+ignore=IF113
+
+[file:incidentfield-CheckPointHEC_Reported.json]
+ignore=IF113
+
+[file:incidentfield-CheckPointHEC_Task.json]
+ignore=IF113
\ No newline at end of file
diff --git a/Packs/CheckPointHEC/.secrets-ignore b/Packs/CheckPointHEC/.secrets-ignore
index 23a90e031ba4..e80cf8a1a00f 100644
--- a/Packs/CheckPointHEC/.secrets-ignore
+++ b/Packs/CheckPointHEC/.secrets-ignore
@@ -1,3 +1,6 @@
 Automation@avtestqa.com
-24dfc0f6bd9c7f2eaf5f8457b8c593d3
-54.240.9.35
+a@b.test
+https://yardiasp14.com
+http://operatf.xyz
+a@b.c
+d@e.f
\ No newline at end of file
diff --git a/Packs/CheckPointHEC/IncidentFields/incidentfield-CheckPointHEC_Campaign_Task.json b/Packs/CheckPointHEC/IncidentFields/incidentfield-CheckPointHEC_Campaign_Task.json
new file mode 100644
index 000000000000..1ffcf277bb4d
--- /dev/null
+++ b/Packs/CheckPointHEC/IncidentFields/incidentfield-CheckPointHEC_Campaign_Task.json
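Review bot: The new `.secrets-ignore` entries `https://yardiasp14.com` and `http://operatf.xyz` look like real external domains rather than reserved documentation values, and the allowlist applies to the whole pack, not only to the fixtures that presumably contain them. If they come from sample API responses, substituting a reserved name such as `https://example.test` in the fixture avoids allowlisting a live domain and keeps the secrets scanner meaningful for every other file in the pack. The removed hash and IP entries must no longer appear anywhere in the pack, otherwise the scanner starts flagging them again after this change.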
@@ -0,0 +1,32 @@
+{
+ "id": "incident_checkpointheccampaigntask",
+ "version": -1,
+ "modified": "2023-08-07T15:36:49.667762Z",
+ "name": "CP HEC Campaign Task",
+ "ownerOnly": false,
+ "description": "Campaign task id to get results",
+ "cliName": "checkpointheccampaigntask",
+ "type": "shortText",
+ "closeForm": false,
+ "editForm": true,
+ "required": false,
+ "neverSetAsRequired": false,
+ "isReadOnly": false,
+ "useAsKpi": false,
+ "locked": false,
+ "system": false,
+ "content": true,
+ "group": 0,
+ "hidden": false,
+ "openEnded": false,
+ "associatedTypes": [
+ "CheckPointHEC Security Event"
+ ],
+ "associatedToAll": false,
+ "unmapped": false,
+ "unsearchable": true,
+ "caseInsensitive": true,
+ "sla": 0,
+ "threshold": 72,
+ "fromVersion": "6.9.0"
+}
\ No newline at end of file
diff --git a/Packs/CheckPointHEC/IncidentFields/incidentfield-CheckPointHEC_Customer.json b/Packs/CheckPointHEC/IncidentFields/incidentfield-CheckPointHEC_Customer.json
index dd7272699e12..c5fe5dd746fd 100644
--- a/Packs/CheckPointHEC/IncidentFields/incidentfield-CheckPointHEC_Customer.json
+++ b/Packs/CheckPointHEC/IncidentFields/incidentfield-CheckPointHEC_Customer.json
@@ -1,8 +1,8 @@
 {
 "id": "incident_checkpointheccustomer",
 "version": -1,
- "modified": "2023-07-02T03:39:22.498231281Z",
- "name": "CheckPointHEC Customer",
+ "modified": "2023-08-01T19:26:46.346683Z",
+ "name": "CP HEC Customer",
 "ownerOnly": false,
 "placeholder": "CP Customer",
 "description": "Customer portal name",
diff --git a/Packs/CheckPointHEC/IncidentFields/incidentfield-CheckPointHEC_Email_Sender.json b/Packs/CheckPointHEC/IncidentFields/incidentfield-CheckPointHEC_Email_Sender.json
new file mode 100644
index 000000000000..322e05bcdda8
--- /dev/null
+++ b/Packs/CheckPointHEC/IncidentFields/incidentfield-CheckPointHEC_Email_Sender.json
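Review bot: `CP HEC Campaign Task` defines no `placeholder` property, while the other fields added in this commit (`CP HEC Farm`, `CP HEC Email Sender`, `CP HEC Email Subject`) each carry one, and `CP HEC Task` in a later hunk has the same gap. For consistency add `"placeholder": "CP Campaign Task",` after `"ownerOnly": false,` here and the equivalent in the Task field. The `description` would also read better as a full sentence, e.g. `"description": "Campaign task ID used to retrieve the results of a campaign action",`, since this text is what analysts see in the field editor.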
@@ -0,0 +1,33 @@
+{
+ "id": "incident_checkpointhecemailsender",
+ "version": -1,
+ "modified": "2023-08-07T15:36:49.667762Z",
+ "name": "CP HEC Email Sender",
+ "ownerOnly": false,
+ "placeholder": "Email Sender",
+ "description": "Sender of the email",
+ "cliName": "checkpointhecemailsender",
+ "type": "shortText",
+ "closeForm": false,
+ "editForm": true,
+ "required": false,
+ "neverSetAsRequired": false,
+ "isReadOnly": false,
+ "useAsKpi": false,
+ "locked": false,
+ "system": false,
+ "content": true,
+ "group": 0,
+ "hidden": false,
+ "openEnded": false,
+ "associatedTypes": [
+ "CheckPointHEC Security Event"
+ ],
+ "associatedToAll": false,
+ "unmapped": false,
+ "unsearchable": true,
+ "caseInsensitive": true,
+ "sla": 0,
+ "threshold": 72,
+ "fromVersion": "6.9.0"
+}
\ No newline at end of file
diff --git a/Packs/CheckPointHEC/IncidentFields/incidentfield-CheckPointHEC_Email_Subject.json b/Packs/CheckPointHEC/IncidentFields/incidentfield-CheckPointHEC_Email_Subject.json
new file mode 100644
index 000000000000..099bc9151649
--- /dev/null
+++ b/Packs/CheckPointHEC/IncidentFields/incidentfield-CheckPointHEC_Email_Subject.json
@@ -0,0 +1,33 @@
+{
+ "id": "incident_checkpointhecemailsubject",
+ "version": -1,
+ "modified": "2023-08-07T15:36:49.667762Z",
+ "name": "CP HEC Email Subject",
+ "ownerOnly": false,
+ "placeholder": "Email Subject",
+ "description": "Subject of the email",
+ "cliName": "checkpointhecemailsubject",
+ "type": "shortText",
+ "closeForm": false,
+ "editForm": true,
+ "required": false,
+ "neverSetAsRequired": false,
+ "isReadOnly": false,
+ "useAsKpi": false,
+ "locked": false,
+ "system": false,
+ "content": true,
+ "group": 0,
+ "hidden": false,
+ "openEnded": false,
+ "associatedTypes": [
+ "CheckPointHEC Security Event"
+ ],
+ "associatedToAll": false,
+ "unmapped": false,
+ "unsearchable": true,
+ "caseInsensitive": true,
+ "sla": 0,
+ "threshold": 72,
+ "fromVersion": "6.9.0"
+}
\ No newline at end of file
diff --git a/Packs/CheckPointHEC/IncidentFields/incidentfield-CheckPointHEC_Entity.json b/Packs/CheckPointHEC/IncidentFields/incidentfield-CheckPointHEC_Entity.json
index 2a92ed3c7d3f..91a3dc2a47f4 100644
--- a/Packs/CheckPointHEC/IncidentFields/incidentfield-CheckPointHEC_Entity.json
+++ b/Packs/CheckPointHEC/IncidentFields/incidentfield-CheckPointHEC_Entity.json
@@ -1,8 +1,8 @@
 {
 "id": "incident_checkpointhecentity",
 "version": -1,
- "modified": "2023-07-02T04:30:15.829662037Z",
- "name": "CheckPointHEC Entity",
+ "modified": "2023-08-01T19:26:46.346683Z",
+ "name": "CP HEC Entity",
 "ownerOnly": false,
 "placeholder": "CP Entity ID",
 "description": "Internal entity ID of email with leak",
diff --git a/Packs/CheckPointHEC/IncidentFields/incidentfield-CheckPointHEC_Farm.json b/Packs/CheckPointHEC/IncidentFields/incidentfield-CheckPointHEC_Farm.json
new file mode 100644
index 000000000000..57858044a808
--- /dev/null
+++ b/Packs/CheckPointHEC/IncidentFields/incidentfield-CheckPointHEC_Farm.json
@@ -0,0 +1,33 @@
+{
+ "id": "incident_checkpointhecfarm",
+ "version": -1,
+ "modified": "2023-08-07T15:36:49.667762Z",
+ "name": "CP HEC Farm",
+ "ownerOnly": false,
+ "placeholder": "CP Farm",
+ "description": "Customer farm",
+ "cliName": "checkpointhecfarm",
+ "type": "shortText",
+ "closeForm": false,
+ "editForm": true,
+ "required": false,
+ "neverSetAsRequired": false,
+ "isReadOnly": false,
+ "useAsKpi": false,
+ "locked": false,
+ "system": false,
+ "content": true,
+ "group": 0,
+ "hidden": false,
+ "openEnded": false,
+ "associatedTypes": [
+ "CheckPointHEC Security Event"
+ ],
+ "associatedToAll": false,
+ "unmapped": false,
+ "unsearchable": true,
+ "caseInsensitive": true,
+ "sla": 0,
+ "threshold": 72,
+ "fromVersion": "6.9.0"
+}
\ No newline at end of file
diff --git a/Packs/CheckPointHEC/IncidentFields/incidentfield-CheckPointHEC_Saas.json b/Packs/CheckPointHEC/IncidentFields/incidentfield-CheckPointHEC_Saas.json
index 48f745162db0..768d2987a2dc 100644
--- a/Packs/CheckPointHEC/IncidentFields/incidentfield-CheckPointHEC_Saas.json
+++ b/Packs/CheckPointHEC/IncidentFields/incidentfield-CheckPointHEC_Saas.json
@@ -1,8 +1,8 @@
 {
 "id": "incident_checkpointhecsaas",
 "version": -1,
- "modified": "2023-07-02T04:30:00.142598958Z",
- "name": "CheckPointHEC Saas",
+ "modified": "2023-08-01T19:26:46.346683Z",
+ "name": "CP HEC Saas",
 "ownerOnly": false,
 "placeholder": "CP Saas Identifier",
 "description": "Internal SaaS Identifier",
diff --git a/Packs/CheckPointHEC/IncidentFields/incidentfield-CheckPointHEC_Task.json b/Packs/CheckPointHEC/IncidentFields/incidentfield-CheckPointHEC_Task.json
new file mode 100644
index 000000000000..d505dd6848bb
--- /dev/null
+++ b/Packs/CheckPointHEC/IncidentFields/incidentfield-CheckPointHEC_Task.json
@@ -0,0 +1,32 @@
+{
+ "id": "incident_checkpointhectask",
+ "version": -1,
+ "modified": "2023-08-07T15:36:49.667762Z",
+ "name": "CP HEC Task",
+ "ownerOnly": false,
+ "description": "Action task id to get results",
+ "cliName": "checkpointhectask",
+ "type": "shortText",
+ "closeForm": false,
+ "editForm": true,
+ "required": false,
+ "neverSetAsRequired": false,
+ "isReadOnly": false,
+ "useAsKpi": false,
+ "locked": false,
+ "system": false,
+ "content": true,
+ "group": 0,
+ "hidden": false,
+ "openEnded": false,
+ "associatedTypes": [
+ "CheckPointHEC Security Event"
+ ],
+ "associatedToAll": false,
+ "unmapped": false,
+ "unsearchable": true,
+ "caseInsensitive": true,
+ "sla": 0,
+ "threshold": 72,
+ "fromVersion": "6.9.0"
+}
\ No newline at end of file
diff --git a/Packs/CheckPointHEC/IncidentFields/incidentfield-CheckPointHEC_Type.json b/Packs/CheckPointHEC/IncidentFields/incidentfield-CheckPointHEC_Type.json
index 093ab1b00562..2d898a4e8188 100644
--- a/Packs/CheckPointHEC/IncidentFields/incidentfield-CheckPointHEC_Type.json
+++ b/Packs/CheckPointHEC/IncidentFields/incidentfield-CheckPointHEC_Type.json
@@ -1,8 +1,8 @@ { "id": "incident_checkpointhectype", "version": -1, - "modified": "2023-07-02T04:30:44.192922335Z", - "name": "CheckPointHEC Type", + "modified": "2023-08-01T19:26:46.346683Z", + "name": "CP HEC Type", "ownerOnly": false, "placeholder": "CP Event Type", "description": "Detection type (dlp, phishing, malware, spam)", diff --git a/Packs/CheckPointHEC/IncidentTypes/incidenttype-CheckPointHEC_Security_Event.json b/Packs/CheckPointHEC/IncidentTypes/incidenttype-CheckPointHEC_Security_Event.json index e02192ee5a0a..ac6c18afc95d 100644 --- a/Packs/CheckPointHEC/IncidentTypes/incidenttype-CheckPointHEC_Security_Event.json +++ b/Packs/CheckPointHEC/IncidentTypes/incidenttype-CheckPointHEC_Security_Event.json @@ -19,7 +19,7 @@ "disabled": false, "reputationCalc": 0, "onChangeRepAlg": 0, - "layout": "CheckPointHEC Security Event Layout", + "layout": "CP HEC Security Event Layout", "detached": false, "extractSettings": { "mode": "Specific", diff --git a/Packs/CheckPointHEC/Integrations/CheckPointHEC/CheckPointHEC.py b/Packs/CheckPointHEC/Integrations/CheckPointHEC/CheckPointHEC.py index 1a2569dc7eb4..26b6c9da9f21 100644 --- a/Packs/CheckPointHEC/Integrations/CheckPointHEC/CheckPointHEC.py +++ b/Packs/CheckPointHEC/Integrations/CheckPointHEC/CheckPointHEC.py @@ -1,15 +1,15 @@ -from CommonServerPython import * - -import base64 import hashlib -import json -import urllib3 import uuid -from typing import Any +from urllib.parse import urlencode + +import urllib3 + +from CommonServerPython import * urllib3.disable_warnings() DATE_FORMAT = '%Y-%m-%dT%H:%M:%SZ' +SAAS_NAMES = ['office365_emails'] class Client(BaseClient): 
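Review bot: `"layout"` in the incident type now references `CP HEC Security Event Layout`, but no layout file rename or `name` change appears in this part of the diff. If the layout's identifier was not updated in the same commit the incident type points at a layout that does not exist and the content validator will reject the pack; this cannot be confirmed from the visible hunks, so please check that the layout JSON was renamed alongside it.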
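Review bot: The import hunk drops `import json` and `from typing import Any`, yet `json.dumps`, `Any`, `List`, `dateparser`, `datetime` and `timedelta` are all still used further down in the file, so the module now relies on `from CommonServerPython import *` re-exporting them. That holds in the XSOAR runtime but makes the dependency implicit, defeats static checkers and breaks any execution without the stub; keep `import json` and `from typing import Any, List` as explicit lines above the star import. The new module constant `SAAS_NAMES = ['office365_emails']` is a mutable list shared by `query_events` and `search_emails`; a short comment stating that it is read-only, or a tuple, would document the intent.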
@@ -56,27 +56,29 @@ def _get_token(self) -> str: ) return self.token or '' - def _call_api(self, method: str, url_suffix: str, json_data: dict = None) -> dict[str, Any]: + def _call_api(self, method: str, url_suffix: str, params: dict = None, json_data: dict = None) -> dict[str, Any]: path = '/'.join([self.api_version, url_suffix]) request_string = f'/{path}' + if params: + request_string += f'?{urlencode(params)}' return self._http_request( method, url_suffix=path, headers=self._get_headers(request_string), + params=params, json_data=json_data ) - def get_scopes(self) -> dict[str, Any]: + def test_api(self) -> dict[str, bool]: return self._call_api( 'GET', - url_suffix='scopes' + url_suffix='soar/test' ) def query_events(self, start_date: str) -> dict[str, Any]: - saas = ['office365_emails'] request_data = { 'startDate': start_date, - 'saas': saas + 'saas': SAAS_NAMES } payload = { 'requestData': request_data 
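Review bot: `_call_api` signs `request_string` using its own `urlencode(params)` while the query string actually sent is built later by `_http_request` from the same `params` dict, so the signature only matches if both encoders produce byte-identical output (same key order, same quoting of spaces and reserved characters). For the single `scope` value used by `get_task` that presumably holds, but it is safer to build the query once and send exactly what was signed: `if params: path += f'?{urlencode(params)}'` before `request_string = f'/{path}'`, and drop the separate `params=params` argument. The defaults `params: dict = None` and `json_data: dict = None` should be annotated `dict | None` (the docker image is 3.10) so checkers do not flag the `None` default. `test_api` is annotated `-> dict[str, bool]` although `_call_api` returns `dict[str, Any]`; the narrower type is an assumption about the `soar/test` response rather than something the code enforces, and a comment saying so would help.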
@@ -93,40 +95,125 @@ def get_entity(self, entity: str) -> dict[str, Any]: url_suffix=f'search/entity/{entity}' ) + def get_email(self, entity: str) -> dict[str, Any]: + return self._call_api( + 'GET', + url_suffix=f'soar/entity/{entity}' + ) + + def search_emails(self, start_date: str, sender: str = None, subject: str = None): + entity_filter = { + 'saas': SAAS_NAMES[0], + 'startDate': start_date + } + extended_filter = [] + if sender: + extended_filter.append({ + 'saasAttrName': 'entityPayload.fromEmail', + 'saasAttrOp': 'contains', + 'saasAttrValue': sender + }) + if subject: + extended_filter.append({ + 'saasAttrName': 'entityPayload.subject', + 'saasAttrOp': 'contains', + 'saasAttrValue': subject + }) + request_data = { + 'entityFilter': entity_filter, + 'entityExtendedFilter': extended_filter, + } + payload = { + 'requestData': request_data + } + return self._call_api( + 'POST', + url_suffix='search/query', + json_data=payload + ) + + def send_action(self, entities: list, action: str, scope: str): + request_data = { + 'entityIds': entities, + 'entityType': 'office365_emails_email', + 'entityActionName': action, + 'scope': scope + } + payload = { + 'requestData': request_data + } + return self._call_api( + 'POST', + 'action/entity', + json_data=payload + ) + + def get_task(self, task: str, scope: str): + return self._call_api( + 'GET', + f'task/{task}', + params={'scope': scope} + ) + + def send_notification(self, entity: str, emails: List[str]): + payload = { + 'requestData': { + 'entityId': entity, + 'emails': emails + } + } + return self._call_api( + 'POST', + 'soar/notify', + json_data=payload + ) + def test_module(client: Client): - client.get_scopes() - demisto.results('ok') + result = client.test_api() + return 'ok' if result.get('ok') else 'error' def fetch_incidents(client: Client, first_fetch: str, max_fetch: int): last_run = demisto.getLastRun() if not (last_fetch := last_run.get('last_fetch')): - last_fetch, _ = parse_date_range(first_fetch, 
DATE_FORMAT) + if last_fetch := dateparser.parse(first_fetch, date_formats=[DATE_FORMAT]): + last_fetch = last_fetch.isoformat() + else: + raise Exception('Could not get last fetch') result = client.query_events(start_date=last_fetch) events = result['responseData'][:min(max_fetch, len(result['responseData']))] incidents: list[dict[str, Any]] = [] for event in events: + if (occurred := event.get('eventCreated')) <= last_fetch: + continue + event_id = event.get('eventId') + threat_type = event.get('type') incidents.append({ - 'name': f'#CP Event: {event_id}', + 'name': f'Threat: {threat_type.title()}', 'details': event.get('description'), - 'occurred': event.get('eventCreated'), + 'occurred': occurred, 'rawJSON': json.dumps(event), 'type': 'CheckPointHEC Security Event', 'severity': int(event.get('severity')), 'dbotMirrorId': event_id, 'CustomFields': { + 'checkpointhecfarm': event.get('farm'), 'checkpointheccustomer': event.get('customerId'), 'checkpointhecsaas': event.get('saas'), 'checkpointhecentity': event.get('entityId'), - 'checkpointhectype': event.get('type'), + 'checkpointhectype': threat_type, 'state': event.get('state'), # From CommonTypes Pack }, }) - last = incidents[-1]['occurred'] if incidents else datetime.utcnow().isoformat() + if incidents: + last = incidents[-1]['occurred'] + else: + last = (datetime.utcnow() - timedelta(minutes=10)).isoformat() + demisto.setLastRun({ 'last_fetch': last }) 
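Review bot: In `fetch_incidents` the fallback `last = (datetime.utcnow() - timedelta(minutes=10)).isoformat()` can move the cursor backwards: after a run that created incidents whose newest `occurred` lies inside the last ten minutes, an empty follow-up run rewinds `last_fetch`, and the next run re-creates those incidents because the `occurred <= last_fetch` guard only filters against the rewound value; keeping the previous cursor, `last = last_fetch`, when nothing new arrived avoids the duplicates. The guard itself is a lexicographic string comparison between `eventCreated` and an `isoformat()` value, which is only valid if the API timestamp uses the same layout and timezone suffix, and it raises `TypeError` when `eventCreated` is absent — `if not (occurred := event.get('eventCreated')) or occurred <= last_fetch: continue` at least covers the missing case. `threat_type.title()` likewise fails with `AttributeError` when an event has no `type`; `str(threat_type or 'unknown').title()` is a small defence for the incident name. `fetch_incidents` continues past this hunk, so the `demisto.incidents(...)` call is not visible here.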
@@ -135,17 +222,112 @@ def fetch_incidents(client: Client, first_fetch: str, max_fetch: int): def checkpointhec_get_entity(client: Client, entity: str) -> CommandResults: result = client.get_entity(entity) - if row := result['responseData']: + if entities := result['responseData']: return CommandResults( outputs_prefix='CheckPointHEC.Entity', - outputs_key_field='entity_id', - outputs=row[0]['entityPayload'] + outputs_key_field='internetMessageId', + outputs=entities[0]['entityPayload'] ) raise Exception(f'Entity with id {entity} not found') +def checkpointhec_get_email_info(client: Client, entity: str) -> CommandResults: + result = client.get_email(entity) + if entities := result['responseData']: + return CommandResults( + outputs_prefix='CheckPointHEC.Email', + outputs_key_field='internetMessageId', + outputs=entities[0]['entityPayload'] + ) + else: + return CommandResults( + readable_output=f'Entity with id {entity} not found' + ) + + +def checkpointhec_get_scan_info(client: Client, entity: str) -> CommandResults: + result = client.get_entity(entity) + outputs = {} + if entities := result['responseData']: + sec_result = entities[0]['entitySecurityResult'] + for tool, verdict in sec_result['combinedVerdict'].items(): + if verdict not in (None, 'clean'): + outputs[tool] = json.dumps(sec_result[tool]) + return CommandResults( + outputs_prefix='CheckPointHEC.ScanResult', + outputs=outputs + ) + else: + return CommandResults( + readable_output=f'Entity with id {entity} not found' + ) + + +def checkpointhec_search_emails(client: Client, date_range: str, sender: str = None, subject: str = None) -> CommandResults: + if not sender and not subject: + raise Exception('One param to search emails by sender or subject is required') + + start_date = dateparser.parse(date_range, date_formats=[DATE_FORMAT]) + if start_date: + result = client.search_emails(start_date.isoformat(), sender, subject) + if entities := result['responseData']: + ids = [entity['entityInfo']['entityId'] 
for entity in entities] + return CommandResults( + outputs_prefix='CheckPointHEC.SearchResult', + outputs={'ids': ids} + ) + else: + return CommandResults( + readable_output=f'Error searching with {sender=} and/or {subject=}' + ) + else: + return CommandResults( + readable_output=f'Could not establish start date with {date_range=} {sender=} and/or {subject=}' + ) + + +def checkpointhec_send_action(client: Client, farm: str, customer: str, entities: list, action: str) -> CommandResults: + result = client.send_action(entities, action, scope=f'{farm}:{customer}') + if resp := result['responseData']: + return CommandResults( + outputs_prefix='CheckPointHEC.Task', + outputs={'task': resp[0]['taskId']} + ) + else: + return CommandResults( + readable_output='Task not queued successfully' + ) + + +def checkpointhec_get_action_result(client: Client, farm: str, customer: str, task: str) -> CommandResults: + result = client.get_task(task, scope=f'{farm}:{customer}') + if resp := result['responseData']: + return CommandResults( + outputs_prefix='CheckPointHEC.ActionResult', + outputs=resp + ) + else: + return CommandResults( + readable_output=f'Cannot get results about task with id {task}' + ) + + +def checkpointhec_send_notification(client: Client, entity: str, emails: List[str]) -> CommandResults: + result = client.send_notification(entity, emails) + if result.get('ok'): + return CommandResults( + outputs_prefix='CheckPointHEC.Notification', + outputs=result + ) + else: + return CommandResults( + readable_output='Error sending notification email' + ) + + def main() -> None: # pragma: no cover + args = demisto.args() params = demisto.params() base_url = params.get('url') client_id = params.get('client_id', {}).get('password') 
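Review bot: `checkpointhec_get_scan_info` writes `json.dumps(sec_result[tool])` into the context, so `CheckPointHEC.ScanResult.av` and friends become double-encoded JSON strings that every playbook must parse again; `outputs[tool] = sec_result[tool]` keeps them as objects and lets the YAML describe the nested keys. `checkpointhec_send_action` forwards `action` to the API unvalidated even though the command YAML only offers `quarantine` and `restore`, and `predefined` is not enforced for API or CLI callers, so add `if action not in ('quarantine', 'restore'): raise ValueError(f'Unsupported action: {action}')` before `client.send_action`. `checkpointhec_search_emails` reports an empty result set as `Error searching with ...`, although no matching emails is a normal outcome that playbooks should be able to branch on; return `outputs={'ids': []}` there and reserve the error text for the unparsable `date_range` case. Error reporting is also inconsistent across the new commands: `checkpointhec_get_entity` raises on not-found while the others return a plain `readable_output`, which `main()` treats as success — raising (so `main()` converts it to `return_error`) keeps the behaviour uniform. `main()` starts in this hunk but its body continues past it.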
@@ -164,15 +346,33 @@ def main() -> None: # pragma: no cover try: command = demisto.command() if command == 'test-module': - test_module(client) + return_results(test_module(client)) elif command == 'fetch-incidents': first_fetch = params.get('first_fetch') - args = demisto.args() max_fetch = int(args.get('max_fetch', 10)) fetch_incidents(client, first_fetch, max_fetch) elif command == 'checkpointhec-get-entity': - args = demisto.args() return_results(checkpointhec_get_entity(client, args.get('entity'))) + elif command == 'checkpointhec-get-email-info': + return_results(checkpointhec_get_email_info(client, args.get('entity'))) + elif command == 'checkpointhec-get-scan-info': + return_results(checkpointhec_get_scan_info(client, args.get('entity'))) + elif command == 'checkpointhec-search-emails': + return_results(checkpointhec_search_emails( + client, args.get('date_range'), args.get('sender'), args.get('subject') + )) + elif command == 'checkpointhec-send-action': + entities = argToList(args.get('entity')) + return_results(checkpointhec_send_action( + client, args.get('farm'), args.get('customer'), entities, args.get('action') + )) + elif command == 'checkpointhec-get-action-result': + return_results(checkpointhec_get_action_result( + client, args.get('farm'), args.get('customer'), args.get('task') + )) + elif command == 'checkpointhec-send-notification': + emails = argToList(args.get('emails')) + return_results(checkpointhec_send_notification(client, args.get('entity'), emails)) except Exception as e: return_error(f'Failed to execute {demisto.command()} command.\nError:\n{str(e)}') diff --git a/Packs/CheckPointHEC/Integrations/CheckPointHEC/CheckPointHEC.yml b/Packs/CheckPointHEC/Integrations/CheckPointHEC/CheckPointHEC.yml index b0c39b75d3d1..6b8d4e42cb00 100644 --- a/Packs/CheckPointHEC/Integrations/CheckPointHEC/CheckPointHEC.yml +++ b/Packs/CheckPointHEC/Integrations/CheckPointHEC/CheckPointHEC.yml 
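Review bot: `return_results(test_module(client))` surfaces the literal `'error'` whenever `soar/test` does not answer with `ok: true`, which tells the operator nothing about why the instance test failed; have `test_module` raise with the response instead, e.g. `raise DemistoException(f'Test API call failed: {result}')`, so the existing `except` block reports the detail. `max_fetch = int(args.get('max_fetch', 10))` reads the fetch limit from `demisto.args()`, which is presumably empty during a scheduled `fetch-incidents` run, so an instance-level `max_fetch` parameter would be ignored and the default 10 always used; it is not in this commit's scope but worth confirming against the YAML configuration. `int(...)` on a non-numeric value is caught only by the generic handler and reported as a generic failure; `arg_to_number(args.get('max_fetch')) or 10` gives a clearer message.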
@@ -168,12 +168,182 @@ script: - contextPath: CheckPointHEC.Entity.restoreRequestTime description: Restore request datetime in iso 8601 format. type: String + - name: checkpointhec-get-email-info + arguments: + - name: entity + description: Email entity id + required: true + description: Retrieve specific email entity + outputs: + - contextPath: CheckPointHEC.Email.fromEmail + description: Email sender. + type: String + - contextPath: CheckPointHEC.Email.to + description: Email main recipients. + - contextPath: CheckPointHEC.Email.replyToEmail + description: Email reply. + type: String + - contextPath: CheckPointHEC.Email.replyToNickname + description: Email reply nickname. + type: String + - contextPath: CheckPointHEC.Email.recipients + description: Recipient email addresses. + - contextPath: CheckPointHEC.Email.subject + description: Email subject. + type: String + - contextPath: CheckPointHEC.Email.cc + description: Email carbon copy recipients. + - contextPath: CheckPointHEC.Email.bcc + description: Email blind carbon copy recipients. + - contextPath: CheckPointHEC.Email.isRead + description: Email has been read. + type: Boolean + - contextPath: CheckPointHEC.Email.received + description: Datetime email was received in iso 8601 format. + type: String + - contextPath: CheckPointHEC.Email.isDeleted + description: Email has been deleted. + type: Boolean + - contextPath: CheckPointHEC.Email.isIncoming + description: Email is from external organization. + type: Boolean + - contextPath: CheckPointHEC.Email.isOutgoing + description: Email is to an external organization. + type: Boolean + - contextPath: CheckPointHEC.Email.internetMessageId + description: Email message id in internet. 
+ type: String + - contextPath: CheckPointHEC.Email.isUserExposed + description: Email reached user inbox + type: Boolean + - name: checkpointhec-get-scan-info + arguments: + - name: entity + description: Scanned entity id + required: true + description: Retrieve specific email scan with positive threats + outputs: + - contextPath: CheckPointHEC.ScanResult.ap + description: Anti-phishing scan results + - contextPath: CheckPointHEC.ScanResult.dlp + description: Data Loss Prevention scan results + - contextPath: CheckPointHEC.ScanResult.clicktimeProtection + description: Click Time Protection scan results + - contextPath: CheckPointHEC.ScanResult.shadowIt + description: Shadow IT scan results + - contextPath: CheckPointHEC.ScanResult.av + description: Antivirus scan results + - name: checkpointhec-search-emails + description: Get email ids with same sender and/or subject + arguments: + - name: date_range + description: Range to search for emails (1 day, 2 weeks, etc.) + required: true + - name: sender + description: Search emails with this sender + - name: subject + description: Search emails with this subject + outputs: + - contextPath: CheckPointHEC.SearchResult.ids + description: List of email ids returned by the search + - name: checkpointhec-send-action + arguments: + - name: farm + description: Customer farm + required: true + - name: customer + description: Customer portal name + required: true + - name: entity + description: One or multiple Email ids to apply action over + isArray: true + required: true + - name: action + description: Action to perform (quarantine or restore) + required: true + auto: PREDEFINED + predefined: + - quarantine + - restore + description: Quarantine or restore an email + outputs: + - contextPath: CheckPointHEC.Task.task + description: Task id of the sent action + type: String + - name: checkpointhec-get-action-result + arguments: + - name: farm + description: Customer farm + required: true + - name: customer + description: Customer 
portal name + required: true + - name: task + description: Task id to retrieve + required: true + description: Get task info related to a sent action + outputs: + - contextPath: CheckPointHEC.ActionResult.actions + description: Action information for each sent entity + - contextPath: CheckPointHEC.ActionResult.created + description: Date when action was created in iso 8601 format + type: String + - contextPath: CheckPointHEC.ActionResult.customer + description: Customer portal name + type: String + - contextPath: CheckPointHEC.ActionResult.failed + description: Number of failed actions + type: Number + - contextPath: CheckPointHEC.ActionResult.id + description: Action task id + type: Number + - contextPath: CheckPointHEC.ActionResult.name + description: Action name + type: String + - contextPath: CheckPointHEC.ActionResult.owner + description: Action owner + type: String + - contextPath: CheckPointHEC.ActionResult.progress + description: Number of actions in progress + type: Number + - contextPath: CheckPointHEC.ActionResult.sequential + description: Actions are in sequence + type: Boolean + - contextPath: CheckPointHEC.ActionResult.status + description: Action status + type: String + - contextPath: CheckPointHEC.ActionResult.succeed + description: Number of succeed actions + type: Number + - contextPath: CheckPointHEC.ActionResult.total + description: Total of actions + type: Number + - contextPath: CheckPointHEC.ActionResult.type + description: Action internal name + type: String + - contextPath: CheckPointHEC.ActionResult.updated + description: Date when action last updated in iso 8601 format + type: String + - name: checkpointhec-send-notification + arguments: + - name: entity + description: Email entity id + required: true + - name: emails + description: List of emails to send notification + isArray: true + required: true + description: Send notification about user exposition for the specific entity to the list of emails + outputs: + - contextPath: 
CheckPointHEC.Notification.ok + description: Result of the operation. + type: Boolean isfetch: true runonce: false script: '-' type: python subtype: python3 - dockerimage: demisto/python3:3.10.12.68714 + dockerimage: demisto/python3:3.10.13.72123 fromversion: 6.9.0 tests: - No tests (auto formatted) diff --git a/Packs/CheckPointHEC/Integrations/CheckPointHEC/CheckPointHEC_test.py b/Packs/CheckPointHEC/Integrations/CheckPointHEC/CheckPointHEC_test.py index 6e4bbba6a3db..6da1924f8ed0 100644 --- a/Packs/CheckPointHEC/Integrations/CheckPointHEC/CheckPointHEC_test.py +++ b/Packs/CheckPointHEC/Integrations/CheckPointHEC/CheckPointHEC_test.py @@ -1,9 +1,10 @@ -import demistomock as demisto import json -import pytest - -from CheckPointHEC import Client, fetch_incidents, checkpointhec_get_entity, test_module as check_module +import demistomock as demisto +from CheckPointHEC import (Client, fetch_incidents, checkpointhec_get_entity, checkpointhec_get_email_info, + checkpointhec_get_scan_info, checkpointhec_search_emails, checkpointhec_send_action, + checkpointhec_get_action_result, checkpointhec_send_notification, + test_module as check_module) def util_load_json(path): 
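Review bot: Several new context outputs lack a `type` (`CheckPointHEC.Email.to`, `.recipients`, `.cc`, `.bcc`, every `CheckPointHEC.ScanResult.*`, `CheckPointHEC.SearchResult.ids`, `CheckPointHEC.ActionResult.actions`); list values are conventionally declared `type: Unknown`, and the `ScanResult.*` entries are emitted by the Python code as `json.dumps` strings, so as written they would actually be `String`. `CheckPointHEC.Task.task` is typed `String` while `CheckPointHEC.ActionResult.id` is `Number`, although both presumably carry the same task id returned by the API — pick one representation. Most new descriptions omit the terminating period used elsewhere in the file (`description: Restore request datetime in iso 8601 format.`), which the content validator flags. The `date_range` argument should state the accepted grammar, e.g. `description: How far back to search, as a relative range such as "1 day" or "2 weeks".`.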
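Review bot: `import pytest` is removed here because its only use, the `pytest.raises` block in `test_checkpointhec_get_entity_fail`, disappears in a later hunk — but that hunk rewires the test to call `checkpointhec_get_scan_info`, so the not-found path of `checkpointhec_get_entity`, which still raises `Entity with id ... not found`, is no longer covered and the same assertions end up duplicated in three tests. Keep the import and restore the original check in that test: `with pytest.raises(Exception, match=f'Entity with id {entity} not found'): checkpointhec_get_entity(client, entity)`.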
@@ -11,6 +12,35 @@ def util_load_json(path): return json.loads(f.read()) +def test_generate_signature_with_request_string(): + client = Client( + base_url='https://smart-api-example-1-us.avanan-example.net', + client_id='****', + client_secret='****', + verify=False, + proxy=False + ) + assert client._generate_signature( + f"{'0' * 8}-{'0' * 4}-{'0' * 4}-{'0' * 4}-{'0' * 12}", + '2023-08-13T19:08:35.263817', + '/v1.0/soar/test' + ) == '66968b7de6a44c879eedc2a426ec76c254c203d60ce746236645b52b5b5dcddb' + + +def test_generate_signature_with_no_request_string(): + client = Client( + base_url='https://smart-api-example-1-us.avanan-example.net', + client_id='****', + client_secret='****', + verify=False, + proxy=False + ) + assert client._generate_signature( + f"{'0' * 8}-{'0' * 4}-{'0' * 4}-{'0' * 4}-{'0' * 12}", + '2023-08-13T19:08:35.263817' + ) == 'ac07ea6ddd026cbbfad8751d45d6e9e1823bc03e227eeb117976834391b629b8' + + def test_token_header(mocker): client = Client( base_url='https://smart-api-example-1-us.avanan-example.net', @@ -32,6 +62,47 @@ def test_token_header(mocker): get_token.assert_called_once() +def test_get_token_empty(mocker): + client = Client( + base_url='https://smart-api-example-1-us.avanan-example.net', + client_id='****', + client_secret='****', + verify=False, + proxy=False + ) + + _token = 'super token' + mocker.patch.object( + Client, + '_http_request', + return_value=_token + ) + + token = client._get_token() + assert token == _token + + +def test_get_token_existing(mocker): + client = Client( + base_url='https://smart-api-example-1-us.avanan-example.net', + client_id='****', + client_secret='****', + verify=False, + proxy=False + ) + + _token = 'super token' + mocker.patch.object( + Client, + '_http_request', + return_value=_token + ) + + client.token = 'nice token' + token = client._get_token() + assert token != _token + + def test_test_module(mocker): client = Client( base_url='https://smart-api-example-1-us.avanan-example.net', 
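Review bot: `test_get_token_existing` only asserts `token != _token`, which passes for any value other than `'super token'` and does not prove the cached token short-circuits the request; assert the cached value and the absence of a call: `http_request = mocker.patch.object(Client, '_http_request', return_value=_token)`, then `assert token == 'nice token'` and `http_request.assert_not_called()`. The two `_generate_signature` tests pin hard-coded digests derived from the `'****'` placeholder credentials, which is a fine regression pin, but a one-line comment such as `# expected digest computed from the placeholder client_secret above` saves the next reader from suspecting a real secret was used.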
@@ -41,17 +112,16 @@ def test_test_module(mocker): proxy=False ) - mock_response = util_load_json('./test_data/checkpointhec-get_scopes.json') - get_scopes = mocker.patch.object( + mock_response = util_load_json('./test_data/checkpointhec-test_api.json') + test_api = mocker.patch.object( Client, - 'get_scopes', + '_call_api', return_value=mock_response, ) - demisto_results = mocker.patch.object(demisto, 'results') - check_module(client) - get_scopes.assert_called_once() - demisto_results.assert_called_once_with('ok') + result = check_module(client) + test_api.assert_called_once() + assert result == 'ok' def test_fetch_incidents(mocker): @@ -66,7 +136,7 @@ def test_fetch_incidents(mocker): mock_response = util_load_json('./test_data/checkpointhec-query_events.json') query_events = mocker.patch.object( Client, - 'query_events', + '_call_api', return_value=mock_response, ) demisto_incidents = mocker.patch.object(demisto, 'incidents') @@ -88,7 +158,7 @@ def test_checkpointhec_get_entity_success(mocker): mock_response = util_load_json('./test_data/checkpointhec-get_entity.json') get_entity = mocker.patch.object( Client, - 'get_entity', + '_call_api', return_value=mock_response, ) 
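Review bot: With `_call_api` patched instead of the public client method, `test_test_module`, `test_fetch_incidents` and `test_checkpointhec_get_entity_success` now run the request-building code in `test_api`, `query_events` and `get_entity`, yet only `assert_called_once()` is checked, so a wrong `url_suffix` or payload would not fail any of them; `test_api.assert_called_once_with('GET', url_suffix='soar/test')` pins what is sent at almost no cost, and the same applies to the other two. The `checkpointhec-test_api.json` fixture that `test_test_module` loads is not part of this chunk, so it cannot be confirmed here that it contains `ok: true`.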
@@ -106,12 +176,184 @@ def test_checkpointhec_get_entity_fail(mocker):
 proxy=False
 )
- mocker.patch.object(
+ get_entity = mocker.patch.object(
+ Client,
+ '_call_api',
+ return_value={'responseData': []}
+ )
+
+ entity = '00000000000000000000000000000001'
+ result = checkpointhec_get_scan_info(client, entity)
+ get_entity.assert_called_once()
+ assert result.readable_output == f'Entity with id {entity} not found'
+
+
+def test_checkpointhec_get_email_info_success(mocker):
+ client = Client(
+ base_url='https://smart-api-example-1-us.avanan-example.net',
+ client_id='****',
+ client_secret='****',
+ verify=False,
+ proxy=False
+ )
+
+ mock_response = util_load_json('./test_data/checkpointhec-get_email_info.json')
+ get_entity = mocker.patch.object(
+ Client,
+ '_call_api',
+ return_value=mock_response,
+ )
+
+ result = checkpointhec_get_email_info(client, '00000000000000000000000000000000')
+ get_entity.assert_called_once()
+ assert result.outputs == mock_response['responseData'][0]['entityPayload']
+
+
+def test_checkpointhec_get_email_info_fail(mocker):
+ client = Client(
+ base_url='https://smart-api-example-1-us.avanan-example.net',
+ client_id='****',
+ client_secret='****',
+ verify=False,
+ proxy=False
+ )
+
+ get_entity = mocker.patch.object(
 Client,
- 'get_entity',
+ '_call_api',
 return_value={'responseData': []}
 )
 entity = '00000000000000000000000000000001'
- with pytest.raises(Exception, match=f'Entity with id {entity} not found'):
- checkpointhec_get_entity(client, entity)
+ result = checkpointhec_get_scan_info(client, entity)
+ get_entity.assert_called_once()
+ assert result.readable_output == f'Entity with id {entity} not found'
+
+
+def test_checkpointhec_get_scan_info_success(mocker):
+ client = Client(
+ base_url='https://smart-api-example-1-us.avanan-example.net',
+ client_id='****',
+ client_secret='****',
+ verify=False,
+ proxy=False
+ )
+
+ mock_response = util_load_json('./test_data/checkpointhec-get_entity.json')
+ get_entity = mocker.patch.object(
+ Client,
+ '_call_api',
+ return_value=mock_response,
+ )
+
+ result = checkpointhec_get_scan_info(client, '00000000000000000000000000000000')
+ get_entity.assert_called_once()
+ assert result.outputs == {'av': json.dumps(mock_response['responseData'][0]['entitySecurityResult']['av'])}
+
+
+def test_checkpointhec_get_scan_info_fail(mocker):
+ client = Client(
+ base_url='https://smart-api-example-1-us.avanan-example.net',
+ client_id='****',
+ client_secret='****',
+ verify=False,
+ proxy=False
+ )
+
+ get_entity = mocker.patch.object(
+ Client,
+ '_call_api',
+ return_value={'responseData': []}
+ )
+
+ entity = '00000000000000000000000000000001'
+ result = checkpointhec_get_scan_info(client, entity)
+ get_entity.assert_called_once()
+ assert result.readable_output == f'Entity with id {entity} not found'
+
+
+def test_checkpointhec_search_emails(mocker):
+ client = Client(
+ base_url='https://smart-api-example-1-us.avanan-example.net',
+ client_id='****',
+ client_secret='****',
+ verify=False,
+ proxy=False
+ )
+
+ mock_response = util_load_json('./test_data/checkpointhec-search_emails.json')
+ search_emails = mocker.patch.object(
+ Client,
+ '_call_api',
+ return_value=mock_response,
+ )
+
+ result = checkpointhec_search_emails(client, '1 day', 'Automation@avtestqa.com')
+ search_emails.assert_called_once()
+ ids = [entity['entityInfo']['entityId'] for entity in mock_response['responseData']]
+ assert result.outputs == {'ids': ids}
+
+
+def test_checkpointhec_send_action(mocker):
+ client = Client(
+ base_url='https://smart-api-example-1-us.avanan-example.net',
+ client_id='****',
+ client_secret='****',
+ verify=False,
+ proxy=False
+ )
+
+ mock_response = util_load_json('./test_data/checkpointhec-send_action.json')
+ send_action = mocker.patch.object(
+ Client,
+ '_call_api',
+ return_value=mock_response,
+ )
+
+ result = checkpointhec_send_action(
+ client, 'mt-rnd-ng-6', 'avananlab', ['00000000000000000000000000000002'], 'restore'
+ )
+ send_action.assert_called_once()
+ assert result.outputs == {'task': mock_response['responseData'][0]['taskId']}
+
+
+def test_checkpointhec_get_action_result(mocker):
+ client = Client(
+ base_url='https://smart-api-example-1-us.avanan-example.net',
+ client_id='****',
+ client_secret='****',
+ verify=False,
+ proxy=False
+ )
+
+ mock_response = util_load_json('./test_data/checkpointhec-get_action_result.json')
+ get_task = mocker.patch.object(
+ Client,
+ '_call_api',
+ return_value=mock_response,
+ )
+
+ result = checkpointhec_get_action_result(client, 'mt-rnd-ng-6', 'avananlab', '1691525788820900')
+ get_task.assert_called_once()
+ assert result.outputs == mock_response['responseData']
+
+
+def test_send_notification(mocker):
+ client = Client(
+ base_url='https://smart-api-example-1-us.avanan-example.net',
+ client_id='****',
+ client_secret='****',
+ verify=False,
+ proxy=False
+ )
+
+ mock_response = util_load_json('./test_data/checkpointhec-test_api.json')
+ get_task = mocker.patch.object(
+ Client,
+ '_call_api',
+ return_value=mock_response,
+ )
+
+ result = checkpointhec_send_notification(client, '0000', ['a@b.c', 'd@e.f'])
+ get_task.assert_called_once()
+ assert result.outputs == mock_response
diff --git a/Packs/CheckPointHEC/Integrations/CheckPointHEC/README.md b/Packs/CheckPointHEC/Integrations/CheckPointHEC/README.md
index 52a06945e471..dd92b981912b 100644
--- a/Packs/CheckPointHEC/Integrations/CheckPointHEC/README.md
+++ b/Packs/CheckPointHEC/Integrations/CheckPointHEC/README.md
@@ -1,5 +1,5 @@
 The Best Way to Protect Enterprise Email & Collaboration from phishing, malware, account takeover, data loss, etc.
-This integration was integrated and tested with version 1.0.0 of CheckPointHEC
+This integration was integrated and tested with version 1.0.3 of CheckPointHEC
 ## Configure Check Point Harmony Email and Collaboration (HEC) on Cortex XSOAR
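Review bot: `test_checkpointhec_get_email_info_fail` calls `checkpointhec_get_scan_info(client, entity)`, so the not-found branch of `checkpointhec_get_email_info` is never exercised; the line should read `result = checkpointhec_get_email_info(client, entity)`. With that fixed, `test_checkpointhec_get_entity_fail` (whose `def` line sits above the hunk) and `test_checkpointhec_get_scan_info_fail` remain the same test line for line, and one of them should be dropped. `test_checkpointhec_search_emails` reads only `entityInfo.entityId` from each record, yet the diff adds `checkpointhec-search_emails.json` as a 17,260-line fixture; two or three records would back the same assertion and keep the fixture reviewable. Minor naming: `get_task` in `test_send_notification` is the mock for the notification call, and that test alone lacks the `checkpointhec_` prefix its siblings use.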
@@ -10,15 +10,15 @@ This integration was integrated and tested with version 1.0.0 of CheckPointHEC
 | **Parameter** | **Required** |
 | --- | --- |
 | Smart API URL (e.g. https://smart-api-dev-1-us.avanan-dev.net) | True |
- | Fetch incidents | |
- | Incident type | |
- | Maximum number of incidents per fetch | |
+ | Fetch incidents | False |
+ | Incident type | False |
+ | Maximum number of incidents per fetch | False |
 | Client ID | True |
 | Client Secret | True |
- | First fetch time | |
- | Trust any certificate (not secure) | |
- | Use system proxy settings | |
- | Incidents Fetch Interval | |
+ | First fetch time | False |
+ | Trust any certificate (not secure) | False |
+ | Use system proxy settings | False |
+ | Incidents Fetch Interval | False |
 4. Click **Test** to validate the URLs, token, and connection.
@@ -81,3 +81,168 @@ Retrieve specific entity | CheckPointHEC.Entity.saasSpamVerdict | String | Spam verdict. | | CheckPointHEC.Entity.SpfResult | String | Sender Policy Framework check result. | | CheckPointHEC.Entity.restoreRequestTime | String | Restore request datetime in iso 8601 format. | + +### checkpointhec-get-email-info + +*** +Retrieve specific email entity + +#### Base Command + +`checkpointhec-get-email-info` + +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| entity | Email entity id. | Required | + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| CheckPointHEC.Email.fromEmail | String | Email sender. | +| CheckPointHEC.Email.to | unknown | Email main recipients. | +| CheckPointHEC.Email.replyToEmail | String | Email reply. | +| CheckPointHEC.Email.replyToNickname | String | Email reply nickname. | +| CheckPointHEC.Email.recipients | unknown | Recipient email addresses. | +| CheckPointHEC.Email.subject | String | Email subject. | +| CheckPointHEC.Email.cc | unknown | Email carbon copy recipients. | +| CheckPointHEC.Email.bcc | unknown | Email blind carbon copy recipients. | +| CheckPointHEC.Email.isRead | Boolean | Email has been read. | +| CheckPointHEC.Email.received | String | Datetime email was received in iso 8601 format. | +| CheckPointHEC.Email.isDeleted | Boolean | Email has been deleted. | +| CheckPointHEC.Email.isIncoming | Boolean | Email is from external organization. | +| CheckPointHEC.Email.isOutgoing | Boolean | Email is to an external organization. | +| CheckPointHEC.Email.internetMessageId | String | Email message id in internet. 
| +| CheckPointHEC.Email.isUserExposed | Boolean | Email reached user inbox | + +### checkpointhec-get-scan-info + +*** +Retrieve specific email scan with positive threats + +#### Base Command + +`checkpointhec-get-scan-info` + +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| entity | Scanned entity id. | Required | + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| CheckPointHEC.ScanResult.ap | unknown | Anti-phishing scan results | +| CheckPointHEC.ScanResult.dlp | unknown | Data Loss Prevention scan results | +| CheckPointHEC.ScanResult.clicktimeProtection | unknown | Click Time Protection scan results | +| CheckPointHEC.ScanResult.shadowIt | unknown | Shadow IT scan results | +| CheckPointHEC.ScanResult.av | unknown | Antivirus scan results | + +### checkpointhec-search-emails + +*** +Get email ids with same sender and/or subject + +#### Base Command + +`checkpointhec-search-emails` + +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| date_range | Range to search for emails (1 day, 2 weeks, etc.). | Required | +| sender | Search emails with this sender. | Optional | +| subject | Search emails with this subject. | Optional | + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| CheckPointHEC.SearchResult.ids | unknown | List of email ids returned by the search | + +### checkpointhec-send-action + +*** +Quarantine or restore an email + +#### Base Command + +`checkpointhec-send-action` + +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| farm | Customer farm. | Required | +| customer | Customer portal name. | Required | +| entity | One or multiple Email ids to apply action over. | Required | +| action | Action to perform (quarantine or restore). Possible values are: quarantine, restore. 
| Required | + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| CheckPointHEC.Task.task | String | Task id of the sent action | + +### checkpointhec-get-action-result + +*** +Get task info related to a sent action + +#### Base Command + +`checkpointhec-get-action-result` + +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| farm | Customer farm. | Required | +| customer | Customer portal name. | Required | +| task | Task id to retrieve. | Required | + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| CheckPointHEC.ActionResult.actions | unknown | Action information for each sent entity | +| CheckPointHEC.ActionResult.created | String | Date when action was created in iso 8601 format | +| CheckPointHEC.ActionResult.customer | String | Customer portal name | +| CheckPointHEC.ActionResult.failed | Number | Number of failed actions | +| CheckPointHEC.ActionResult.id | Number | Action task id | +| CheckPointHEC.ActionResult.name | String | Action name | +| CheckPointHEC.ActionResult.owner | String | Action owner | +| CheckPointHEC.ActionResult.progress | Number | Number of actions in progress | +| CheckPointHEC.ActionResult.sequential | Boolean | Actions are in sequence | +| CheckPointHEC.ActionResult.status | String | Action status | +| CheckPointHEC.ActionResult.succeed | Number | Number of succeed actions | +| CheckPointHEC.ActionResult.total | Number | Total of actions | +| CheckPointHEC.ActionResult.type | String | Action internal name | +| CheckPointHEC.ActionResult.updated | String | Date when action last updated in iso 8601 format | + +### checkpointhec-send-notification + +*** +Send notification about user exposition for the specific entity to the list of emails + +#### Base Command + +`checkpointhec-send-notification` + +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| entity | Email entity id. 
| Required | +| emails | List of emails to send notification. | Required | + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| CheckPointHEC.Notification.ok | Boolean | Result of the operation. | diff --git a/Packs/CheckPointHEC/Integrations/CheckPointHEC/command_examples b/Packs/CheckPointHEC/Integrations/CheckPointHEC/command_examples index b111fcf99394..8c34ecfe68cc 100644 --- a/Packs/CheckPointHEC/Integrations/CheckPointHEC/command_examples +++ b/Packs/CheckPointHEC/Integrations/CheckPointHEC/command_examples @@ -1 +1 @@ -!checkpointhec-get-entity entity=00000000000000000000000000000000 \ No newline at end of file +!checkpointhec-get-email-info entity=00000000000000000000000000000000 \ No newline at end of file diff --git a/Packs/CheckPointHEC/Integrations/CheckPointHEC/test_data/checkpointhec-get_action_result.json b/Packs/CheckPointHEC/Integrations/CheckPointHEC/test_data/checkpointhec-get_action_result.json new file mode 100644 index 000000000000..13c0411f8231 --- /dev/null +++ b/Packs/CheckPointHEC/Integrations/CheckPointHEC/test_data/checkpointhec-get_action_result.json 
@@ -0,0 +1,36 @@ +{ + "responseEnvelope": { + "requestId": "53ed36c3-f7bc-420d-b78b-2598333b0fd1", + "responseCode": 200, + "responseText": "", + "recordsNumber": 1, + "scrollId": "" + }, + "responseData": { + "actions": [ + { + "action_created": "2023-08-08 21:16:16.947618", + "action_id": "Restore_a2c6f91ef3dd7215d44e6840d33b7c19", + "action_message": "Message is not quarantined.. log record id: 1843d814-0afd-404e-82f8-c348fa4d291b", + "action_name": "Restore a2c6f91ef3dd7215d44e6840d33b7c19", + "action_status": "completed", + "action_type": "Restore_a2c6f91ef3dd7215d44e6840d33b7c19", + "action_updated": "2023-08-08 21:16:17.945549", + "hash_key": "mt-prod-3##prod-3-con-lab44##1691529376887109" + } + ], + "created": "2023-08-08 21:16:16.887115", + "customer": "prod-3-con-lab44", + "failed": 0, + "id": 1691529376887109, + "name": "Office365 Emails Manual Action", + "owner": "service@avanan.com", + "progress": 1, + "sequential": false, + "status": "completed", + "succeed": 1, + "total": 1, + "type": "office365_emails_manual_action", + "updated": "2023-08-08 21:16:17.761625" + } +} \ No newline at end of file diff --git a/Packs/CheckPointHEC/Integrations/CheckPointHEC/test_data/checkpointhec-get_email_info.json b/Packs/CheckPointHEC/Integrations/CheckPointHEC/test_data/checkpointhec-get_email_info.json new file mode 100644 index 000000000000..0fd2f4aaf7c4 --- /dev/null +++ b/Packs/CheckPointHEC/Integrations/CheckPointHEC/test_data/checkpointhec-get_email_info.json 
@@ -0,0 +1,113 @@ +{ + "responseEnvelope": { + "requestId": "b58b1e41-1018-4062-9d1c-bcaeccbfcb93", + "responseCode": 200, + "responseText": "", + "additionalText": "", + "recordsNumber": 1, + "scrollId": "" + }, + "responseData": [ + { + "entityInfo": { + "entityId": "637d86da7bcf42375cb8431d266e3dc3", + "customerId": "fdolab", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2022-08-15T21:24:27.745655Z", + "entityUpdated": "2022-08-15T21:24:36.979329", + "entityActionState": null + }, + "entityPayload": { + "fromEmail": "example@checkpoint.com", + "to": [ + "unicode@avanandevus1.onmicrosoft.com", + "user1@avanandevus1.onmicrosoft.com" + ], + "replyToEmail": null, + "replyToNickname": null, + "recipients": [ + "user1@avanandevus1.onmicrosoft.com", + "unicode@avanandevus1.onmicrosoft.com" + ], + "subject": "Fw: dnp-split-quarantine-2", + "cc": [], + "bcc": [], + "isRead": null, + "received": "2022-08-15T21:24:15", + "isDeleted": false, + "isIncoming": true, + "isOutgoing": false, + "internetMessageId": "<00000000.00000000000000.00000000000000.00000000@mail.example.com>", + "isUserExposed": true + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "phishing", + "dlp": null, + "clicktimeProtection": null, + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "637d86da7bcf42375cb8431d266e3dc3", + "entityType": "office365_emails_email", + "payload": { + "reasons": [], + "reasons_by_category": { + "Links": [ + { + "short_text": "Link to a low-traffic site", + "full_text": "The email contains link to low-traffic web-sites - often indicating low-trust domains" + } + ], + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established 
significant historical reputation with your domain" + } + ] + } + }, + "score": "225.994363", + "securityResultEntityId": "637d86da7bcf42375cb8431d266e3dc3", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "phishing" + } + ], + "dlp": null, + "clicktimeProtection": null, + "shadowIt": [ + { + "entityId": "637d86da7bcf42375cb8431d266e3dc3", + "entityType": "office365_emails_email", + "payload": { + "domain": "", + "subject": "Fw: dnp-split-quarantine-2", + "from": "example@checkpoint.com" + }, + "score": "0", + "securityResultEntityId": "637d86da7bcf42375cb8431d266e3dc3", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [], + "entityAvailableActions": [] + } + ] +} \ No newline at end of file diff --git a/Packs/CheckPointHEC/Integrations/CheckPointHEC/test_data/checkpointhec-get_entity.json b/Packs/CheckPointHEC/Integrations/CheckPointHEC/test_data/checkpointhec-get_entity.json index 373b163f9289..3b5759ff08bf 100644 --- a/Packs/CheckPointHEC/Integrations/CheckPointHEC/test_data/checkpointhec-get_entity.json +++ b/Packs/CheckPointHEC/Integrations/CheckPointHEC/test_data/checkpointhec-get_entity.json @@ -99,7 +99,7 @@ ], "Domain Impersonation": [ { - "short_text": "SPF check failed when checking sending IP: 54.240.9.35 for domain avtestqa.com", + "short_text": "SPF check failed when checking sending IP: 10.10.10.10 for domain avtestqa.com", "full_text": "The email 'from' address doesn't pass the SPF-check" } ], diff --git a/Packs/CheckPointHEC/Integrations/CheckPointHEC/test_data/checkpointhec-get_scopes.json b/Packs/CheckPointHEC/Integrations/CheckPointHEC/test_data/checkpointhec-get_scopes.json deleted file mode 100644 index fbab31033998..000000000000 --- a/Packs/CheckPointHEC/Integrations/CheckPointHEC/test_data/checkpointhec-get_scopes.json +++ /dev/null 
@@ -1,13 +0,0 @@ -{ - "responseEnvelope": { - "requestId": "2e802d0c-5d02-49f0-8fb7-ac0d507d0a76", - "responseCode": 200, - "responseText": "", - "additionalText": "", - "recordsNumber": 2, - "scrollId": "" - }, - "responseData": [ - "mt-prod-3:prod-3-con-lab44" - ] -} diff --git a/Packs/CheckPointHEC/Integrations/CheckPointHEC/test_data/checkpointhec-query_events.json b/Packs/CheckPointHEC/Integrations/CheckPointHEC/test_data/checkpointhec-query_events.json index 15fac60c8b8e..11197c5c26c0 100644 --- a/Packs/CheckPointHEC/Integrations/CheckPointHEC/test_data/checkpointhec-query_events.json +++ b/Packs/CheckPointHEC/Integrations/CheckPointHEC/test_data/checkpointhec-query_events.json 
@@ -12,14 +12,14 @@ "eventId": "99c2f9b654514dc5b3f950044bf1b056", "customerId": "prod-3-con-lab44", "saas": "office365_emails", - "entityId": "24dfc0f6bd9c7f2eaf5f8457b8c593d3", + "entityId": "00000000000000000000000000000000", "state": "remediated", "type": "malicious_url", "confidenceIndicator": "malicious_url", "eventCreated": "2023-06-30T15:14:58.463039+00:00", "severity": "4", "description": "A user clicked a malicious URL in an email from Automation@avtestqa.com - 'AUT-clicktime-qa-1-blacklist_300623_18_11_20_314397' (user2@avananlab44.onmicrosoft.com's mailbox)", - "data": "A user #{\"entity_id\": \"24dfc0f6bd9c7f2eaf5f8457b8c593d3\", \"entity_type\": \"clicktime_protection_scan\", \"label\": \"clicked a malicious URL\"} in an email from #{\"entity_id\": \"fc90ec7c-f056-4e6b-9629-c3609bf8bf11\", \"entity_type\": \"office365_emails_user\", \"disable_link\": true, \"label\": \"Automation@avtestqa.com\"} - '#{\"entity_id\": \"24dfc0f6bd9c7f2eaf5f8457b8c593d3\", \"entity_type\": \"office365_emails_email\", \"label\": \"AUT-clicktime-qa-1-blacklist_300623_18_11_20_314397\"}' (#{\"entity_id\": \"04df0456-6328-4cfe-a285-e41e3d035e9e\", \"entity_type\": \"office365_emails_user\", \"label\": \"user2@avananlab44.onmicrosoft.com\"}'s mailbox)", + "data": "A user #{\"entity_id\": \"00000000000000000000000000000000\", \"entity_type\": \"clicktime_protection_scan\", \"label\": \"clicked a malicious URL\"} in an email from #{\"entity_id\": \"fc90ec7c-f056-4e6b-9629-c3609bf8bf11\", \"entity_type\": \"office365_emails_user\", \"disable_link\": true, \"label\": \"Automation@avtestqa.com\"} - '#{\"entity_id\": \"00000000000000000000000000000000\", \"entity_type\": \"office365_emails_email\", \"label\": \"AUT-clicktime-qa-1-blacklist_300623_18_11_20_314397\"}' (#{\"entity_id\": \"04df0456-6328-4cfe-a285-e41e3d035e9e\", \"entity_type\": \"office365_emails_user\", \"label\": \"user2@avananlab44.onmicrosoft.com\"}'s mailbox)", "additionalData": null, "availableEventActions": 
null, "actions": [] diff --git a/Packs/CheckPointHEC/Integrations/CheckPointHEC/test_data/checkpointhec-search_emails.json b/Packs/CheckPointHEC/Integrations/CheckPointHEC/test_data/checkpointhec-search_emails.json new file mode 100644 index 000000000000..2b76121c35a3 --- /dev/null +++ b/Packs/CheckPointHEC/Integrations/CheckPointHEC/test_data/checkpointhec-search_emails.json 
@@ -0,0 +1,17260 @@ +{ + "responseEnvelope": { + "requestId": "73c59f66-8a46-4421-83e2-4e0ff7ad3a39", + "responseCode": 200, + "responseText": "", + "additionalText": "", + "recordsNumber": 1302, + "scrollId": "9c4e7ee44c664aaf826551227fd7ec94" + }, + "responseData": [ + { + "entityInfo": { + "entityId": "1217545e0a4903451080e20c82e8faeb", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T00:01:30.128277Z", + "entityUpdated": "2023-08-07T00:01:45.907811Z", + "entityActionState": null + }, + "entityPayload": { + "internetMessageId": "<00000000.00000000000000.00000000000000.00000000@mail.example.com>", + "subject": "AUT-clicktime-qa-1-ignorelist_070823_03_01_23_263568", + "received": "2023-08-07T00:01:25Z", + "size": null, + "emailLinks": [ + "https://mail.google.com", + "https://www.youtube.com", + "https://yardiasp14.com" + ], + "attachmentCount": 0, + "attachments": [], + "mode": "inline", + "recipients": [ + "user2@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user2@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": "Automation@avtestqa.com", + "replyToNickname": "", + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": "clean", + "clicktimeProtection": "no_links_replaced", + "shadowIt": 
"clean", + "av": null + }, + "ap": [ + { + "entityId": "1217545e0a4903451080e20c82e8faeb", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Sender Reputation" + ], + "reasons_by_category": { + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "68.697515", + "securityResultEntityId": "1217545e0a4903451080e20c82e8faeb", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "clean" + } + ], + "dlp": [ + { + "entityId": "1217545e0a4903451080e20c82e8faeb", + "entityType": "office365_emails_email", + "payload": { + "matches_dlp_rules": [], + "found_text": [], + "scan_details": [], + "hit_count": 0 + }, + "score": "0", + "securityResultEntityId": "1217545e0a4903451080e20c82e8faeb", + "securityResultEntityType": "avanan_dlp", + "statusCode": "0", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "clicktimeProtection": [ + { + "entityId": "1217545e0a4903451080e20c82e8faeb", + "entityType": "office365_emails_email", + "payload": null, + "score": "0", + "securityResultEntityId": "1217545e0a4903451080e20c82e8faeb", + "securityResultEntityType": "clicktime_protection_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "no_links_replaced" + } + ], + "shadowIt": [ + { + "entityId": "1217545e0a4903451080e20c82e8faeb", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + 
"subject": "AUT-clicktime-qa-1-ignorelist_070823_03_01_23_263568", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "1217545e0a4903451080e20c82e8faeb", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "c574ca39a9e3ae0491f0942edc6850e2", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T00:01:30.412509Z", + "entityUpdated": "2023-08-07T00:02:49.068182Z", + "entityActionState": "links_replaced" + }, + "entityPayload": { + "internetMessageId": "<00000000.00000000000000.00000000000000.00000000@mail.example.com>", + "subject": "AUT-clicktime-qa-1_070823_03_01_22_663114", + "received": "2023-08-07T00:01:24Z", + "size": null, + "emailLinks": [ + "http://www.xvira-malwareavrad.com", + "https://google.com", + "https://stackoverflow.com" + ], + "attachmentCount": 0, + "attachments": [], + "mode": "inline", + "recipients": [ + "user2@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user2@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": "Automation@avtestqa.com", + "replyToNickname": "", + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + 
"entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": "clean", + "clicktimeProtection": "malicious_url", + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "c574ca39a9e3ae0491f0942edc6850e2", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Sender Reputation", + "Links", + "Email Text" + ], + "reasons_by_category": { + "Links": [ + { + "short_text": "Link to a low-traffic site", + "full_text": "The email contains link to low-traffic web-sites - often indicating low-trust domains" + }, + { + "short_text": "Suspicious-looking link", + "full_text": "The email presents a link that can be misleading (link text vs. actual URL)" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ], + "Email Text": [ + { + "short_text": "Suspicious-looking email text", + "full_text": "NLP analysis of the email text indicates a suspicious-looking email content" + } + ], + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "275.646318", + "securityResultEntityId": "c574ca39a9e3ae0491f0942edc6850e2", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "clean" + } + ], + "dlp": [ + { + "entityId": "c574ca39a9e3ae0491f0942edc6850e2", + "entityType": "office365_emails_email", + "payload": { + "matches_dlp_rules": [], + "found_text": [], + "scan_details": [], + "hit_count": 0 + }, + "score": "0", + "securityResultEntityId": "c574ca39a9e3ae0491f0942edc6850e2", + 
"securityResultEntityType": "avanan_dlp", + "statusCode": "0", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "clicktimeProtection": [ + { + "entityId": "c574ca39a9e3ae0491f0942edc6850e2", + "entityType": "office365_emails_email", + "payload": { + "malicious_url_clicks": [ + "http://www.xvira-malwareavrad.com" + ] + }, + "score": "0", + "securityResultEntityId": "c574ca39a9e3ae0491f0942edc6850e2", + "securityResultEntityType": "clicktime_protection_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "malicious_url" + }, + { + "entityId": "c574ca39a9e3ae0491f0942edc6850e2", + "entityType": "office365_emails_email", + "payload": { + "result": { + "entity_type": "office365_emails_email", + "guid": "3619", + "ip_address": "10.10.10.10, 10.10.10.11", + "entity_id": "c574ca39a9e3ae0491f0942edc6850e2", + "event": "block", + "brand": "avanan", + "request_id": "9d7d40e26b0d3afc", + "url": "http://www.xvira-malwareavrad.com/", + "user_agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/81.0.4044.92 Safari/537.36", + "customer": "prod-3-con-lab44", + "farm_id": "mt-prod-3", + "detection_info": null + }, + "link": "http://www.xvira-malwareavrad.com", + "client_ip_address": null, + "user_agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/81.0.4044.92 Safari/537.36", + "detection_info": "{}" + }, + "score": "0.0", + "securityResultEntityId": "39ad0ac72cd940e48ac3c80e2cea89b2", + "securityResultEntityType": "clicktime_protection_scan_clicks", + "statusCode": "0", + "statusDescription": null, + "verdict": "malicious_url" + }, + { + "entityId": "c574ca39a9e3ae0491f0942edc6850e2", + "entityType": "office365_emails_email", + "payload": { + "result": { + "entity_type": "office365_emails_email", + "guid": "227e", + "ip_address": "10.10.10.10, 10.10.10.11", + "entity_id": "c574ca39a9e3ae0491f0942edc6850e2", + "event": "block", + "brand": "avanan", + "request_id": 
"826ef435d21f30e5", + "url": "http://www.xvira-malwareavrad.com/", + "user_agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/81.0.4044.92 Safari/537.36", + "customer": "prod-3-con-lab44", + "farm_id": "mt-prod-3", + "detection_info": null + }, + "link": "http://www.xvira-malwareavrad.com", + "client_ip_address": null, + "user_agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/81.0.4044.92 Safari/537.36", + "detection_info": "{}" + }, + "score": "0.0", + "securityResultEntityId": "4b6acaa8425c4060b0cf817ea89d27e9", + "securityResultEntityType": "clicktime_protection_scan_clicks", + "statusCode": "0", + "statusDescription": null, + "verdict": "malicious_url" + } + ], + "shadowIt": [ + { + "entityId": "c574ca39a9e3ae0491f0942edc6850e2", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "AUT-clicktime-qa-1_070823_03_01_22_663114", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "c574ca39a9e3ae0491f0942edc6850e2", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [ + { + "entityActionName": "body_change", + "entityActionDate": "2023-08-07T00:01:30.412509Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "body_changed" + }, + { + "entityActionName": "links_replace", + "entityActionDate": "2023-08-07T00:01:30.412509Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "links_replaced" + } + ], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "41052bc90c612c3333e0dfff159191d1", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T00:01:30.643231Z", + 
"entityUpdated": "2023-08-07T00:05:39.499711Z", + "entityActionState": "links_replaced" + }, + "entityPayload": { + "internetMessageId": "<00000000.00000000000000.00000000000000.00000000@mail.example.com>", + "subject": "AUT-clicktime-qa-1-blacklist_070823_03_01_24_402228", + "received": "2023-08-07T00:01:26Z", + "size": null, + "emailLinks": [ + "https://facebook.com" + ], + "attachmentCount": 0, + "attachments": [], + "mode": "inline", + "recipients": [ + "user2@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user2@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": "Automation@avtestqa.com", + "replyToNickname": "", + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": "clean", + "clicktimeProtection": "malicious_url", + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "41052bc90c612c3333e0dfff159191d1", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Sender Reputation" + ], + "reasons_by_category": { + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical 
reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "52.964422", + "securityResultEntityId": "41052bc90c612c3333e0dfff159191d1", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "clean" + } + ], + "dlp": [ + { + "entityId": "41052bc90c612c3333e0dfff159191d1", + "entityType": "office365_emails_email", + "payload": { + "matches_dlp_rules": [], + "found_text": [], + "scan_details": [], + "hit_count": 0 + }, + "score": "0", + "securityResultEntityId": "41052bc90c612c3333e0dfff159191d1", + "securityResultEntityType": "avanan_dlp", + "statusCode": "0", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "clicktimeProtection": [ + { + "entityId": "41052bc90c612c3333e0dfff159191d1", + "entityType": "office365_emails_email", + "payload": null, + "score": "0", + "securityResultEntityId": "41052bc90c612c3333e0dfff159191d1", + "securityResultEntityType": "clicktime_protection_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "malicious_url" + } + ], + "shadowIt": [ + { + "entityId": "41052bc90c612c3333e0dfff159191d1", + "entityType": "office365_emails_email", + "payload": { + "subject": "AUT-clicktime-qa-1-blacklist_070823_03_01_24_402228", + "from": "Automation@avtestqa.com", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "41052bc90c612c3333e0dfff159191d1", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [ + { + "entityActionName": "body_change", + "entityActionDate": "2023-08-07T00:01:30.643231Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "body_changed" + }, + { + "entityActionName": 
"links_replace", + "entityActionDate": "2023-08-07T00:01:30.643231Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "links_replaced" + } + ], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "702f2101b082cf83a06e0a333717de0b", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T00:01:30.829448Z", + "entityUpdated": "2023-08-07T00:01:43.435232Z", + "entityActionState": "links_replaced" + }, + "entityPayload": { + "internetMessageId": "<00000000.00000000000000.00000000000000.00000000@mail.example.com>", + "subject": "AUT-clicktime-qa-1-special-urls_070823_03_01_24_965888", + "received": "2023-08-07T00:01:26Z", + "size": null, + "emailLinks": [ + "https://hengold.github.io/clicktime_url/?url=!*", + "https://hengold.github.io/clicktime_url/?url=!*'();:@&=+$,/?%#[]/", + "https://hengold.github.io/clicktime_url/?\u043f\u0440\u0430\u0432\u0438\u0442\u0435\u043b\u044c\u0441\u0442\u0432\u043e/", + "https://hengold.github.io/clicktime_url/?\u05d1\u05e2\u05d1\u05e8\u05d9\u05ea/", + "https://hengold.github.io/clicktime_url/?\u4e2d\u6587/" + ], + "attachmentCount": 0, + "attachments": [], + "mode": "inline", + "recipients": [ + "user2@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user2@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": "Automation@avtestqa.com", + "replyToNickname": "", + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": false, + 
"isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": "clean", + "clicktimeProtection": "links_replaced", + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "702f2101b082cf83a06e0a333717de0b", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Sender Reputation", + "Links" + ], + "reasons_by_category": { + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ], + "Links": [ + { + "short_text": "Suspicious-looking link", + "full_text": "Some of the links in the email has suspicious format - often used by Phishing emails" + }, + { + "short_text": "Link to a low-traffic site", + "full_text": "The email contains link to low-traffic web-sites - often indicating low-trust domains" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "45.599355", + "securityResultEntityId": "702f2101b082cf83a06e0a333717de0b", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "clean" + } + ], + "dlp": [ + { + "entityId": "702f2101b082cf83a06e0a333717de0b", + "entityType": "office365_emails_email", + "payload": { + "matches_dlp_rules": [], + "found_text": [], + "scan_details": [], + "hit_count": 0 + }, + "score": "0", + "securityResultEntityId": "702f2101b082cf83a06e0a333717de0b", + "securityResultEntityType": "avanan_dlp", 
+ "statusCode": "0", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "clicktimeProtection": [ + { + "entityId": "702f2101b082cf83a06e0a333717de0b", + "entityType": "office365_emails_email", + "payload": null, + "score": "0", + "securityResultEntityId": "702f2101b082cf83a06e0a333717de0b", + "securityResultEntityType": "clicktime_protection_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "links_replaced" + } + ], + "shadowIt": [ + { + "entityId": "702f2101b082cf83a06e0a333717de0b", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "AUT-clicktime-qa-1-special-urls_070823_03_01_24_965888", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "702f2101b082cf83a06e0a333717de0b", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [ + { + "entityActionName": "body_change", + "entityActionDate": "2023-08-07T00:01:30.829448Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "body_changed" + }, + { + "entityActionName": "links_replace", + "entityActionDate": "2023-08-07T00:01:30.829448Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "links_replaced" + } + ], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "363f26ed96712bb58f31f16be3ecbc46", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T00:01:32.358069Z", + "entityUpdated": "2023-08-07T00:01:43.438062Z", + "entityActionState": "links_replaced" + }, + "entityPayload": { + "internetMessageId": "<00000000.00000000000000.00000000000000.00000000@mail.example.com>", + "subject": "AUT-clicktime-qa-1-whitelist_070823_03_01_23_819440", + "received": 
"2023-08-07T00:01:25Z", + "size": null, + "emailLinks": [ + "http://www.xvirb-malwareavrad.com" + ], + "attachmentCount": 0, + "attachments": [], + "mode": "inline", + "recipients": [ + "user2@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user2@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": "Automation@avtestqa.com", + "replyToNickname": "", + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": "clean", + "clicktimeProtection": "links_replaced", + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "363f26ed96712bb58f31f16be3ecbc46", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Sender Reputation", + "Links" + ], + "reasons_by_category": { + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ], + "Links": [ + { + "short_text": "Link to a low-traffic site", + "full_text": "The email contains link to low-traffic web-sites - often indicating low-trust domains" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + 
"full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "148.308417", + "securityResultEntityId": "363f26ed96712bb58f31f16be3ecbc46", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "clean" + } + ], + "dlp": [ + { + "entityId": "363f26ed96712bb58f31f16be3ecbc46", + "entityType": "office365_emails_email", + "payload": { + "matches_dlp_rules": [], + "found_text": [], + "scan_details": [], + "hit_count": 0 + }, + "score": "0", + "securityResultEntityId": "363f26ed96712bb58f31f16be3ecbc46", + "securityResultEntityType": "avanan_dlp", + "statusCode": "0", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "clicktimeProtection": [ + { + "entityId": "363f26ed96712bb58f31f16be3ecbc46", + "entityType": "office365_emails_email", + "payload": null, + "score": "0", + "securityResultEntityId": "363f26ed96712bb58f31f16be3ecbc46", + "securityResultEntityType": "clicktime_protection_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "links_replaced" + } + ], + "shadowIt": [ + { + "entityId": "363f26ed96712bb58f31f16be3ecbc46", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "AUT-clicktime-qa-1-whitelist_070823_03_01_23_819440", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "363f26ed96712bb58f31f16be3ecbc46", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [ + { + "entityActionName": "body_change", + "entityActionDate": "2023-08-07T00:01:32.358069Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "body_changed" + }, + { + "entityActionName": "links_replace", + "entityActionDate": "2023-08-07T00:01:32.358069Z", + 
"entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "links_replaced" + } + ], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "79e44e516892fe9d1f686ed315c3ef66", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T00:05:13.144224Z", + "entityUpdated": "2023-08-07T00:05:27.153353Z", + "entityActionState": null + }, + "entityPayload": { + "internetMessageId": "<01000189cd4fd2d2-7a504979-e610-42ab-8b7b-a7812c5ab927-000000@email.amazonses.com>", + "subject": "aut_clean_prod3_17__070823_00_05_07_877621", + "received": "2023-08-07T00:05:08Z", + "size": null, + "emailLinks": [], + "attachmentCount": 0, + "attachments": [], + "mode": "inline", + "recipients": [ + "user2@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user2@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": null, + "replyToNickname": null, + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": "clean", + "clicktimeProtection": "no_links_replaced", + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "79e44e516892fe9d1f686ed315c3ef66", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Domain 
Impersonation", + "Sender Reputation" + ], + "reasons_by_category": { + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ], + "Domain Impersonation": [ + { + "short_text": "SPF check failed when checking sending IP: 10.10.10.10 for domain avtestqa.com", + "full_text": "The email 'from' address doesn't pass the SPF-check" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "112.199243", + "securityResultEntityId": "79e44e516892fe9d1f686ed315c3ef66", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "clean" + } + ], + "dlp": [ + { + "entityId": "79e44e516892fe9d1f686ed315c3ef66", + "entityType": "office365_emails_email", + "payload": { + "matches_dlp_rules": [], + "found_text": [], + "scan_details": [], + "hit_count": 0 + }, + "score": "0", + "securityResultEntityId": "79e44e516892fe9d1f686ed315c3ef66", + "securityResultEntityType": "avanan_dlp", + "statusCode": "0", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "clicktimeProtection": [ + { + "entityId": "79e44e516892fe9d1f686ed315c3ef66", + "entityType": "office365_emails_email", + "payload": null, + "score": "0", + "securityResultEntityId": "79e44e516892fe9d1f686ed315c3ef66", + "securityResultEntityType": "clicktime_protection_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "no_links_replaced" + } + ], + "shadowIt": [ + { + "entityId": "79e44e516892fe9d1f686ed315c3ef66", + "entityType": "office365_emails_email", + "payload": { + "from": 
"Automation@avtestqa.com", + "subject": "aut_clean_prod3_17__070823_00_05_07_877621", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "79e44e516892fe9d1f686ed315c3ef66", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "8b689e19885c25a027f74f1ac2645084", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T00:05:13.392563Z", + "entityUpdated": "2023-08-07T00:05:26.890327Z", + "entityActionState": "links_replaced" + }, + "entityPayload": { + "internetMessageId": "<01000189cd4fd23f-8ad56d58-249d-4c12-b3f0-0b5aaeda57fc-000000@email.amazonses.com>-alert", + "subject": "Phishing Alert! [aut_phish_prod3_17__070823_00_05_07_725804]", + "received": "2023-08-07T00:05:09Z", + "size": null, + "emailLinks": [ + "http://operatf.xyz/redirect53dfhbhfhfhb" + ], + "attachmentCount": 0, + "attachments": [], + "mode": "inline", + "recipients": [ + "user2@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user2@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": null, + "replyToNickname": null, + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { 
+ "combinedVerdict": { + "ap": "phishing", + "dlp": "clean", + "clicktimeProtection": "links_replaced", + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "8b689e19885c25a027f74f1ac2645084", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Domain Impersonation", + "Sender Reputation", + "Links" + ], + "reasons_by_category": { + "Links": [ + { + "short_text": "Link to a low-traffic site", + "full_text": "The email contains link to low-traffic web-sites - often indicating low-trust domains" + } + ], + "Domain Impersonation": [ + { + "short_text": "SPF check failed when checking sending IP: 10.10.10.10 for domain avtestqa.com", + "full_text": "The email 'from' address doesn't pass the SPF-check" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ], + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ] + }, + "reasons": [] + }, + "score": "234.309006", + "securityResultEntityId": "8b689e19885c25a027f74f1ac2645084", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "phishing" + } + ], + "dlp": [ + { + "entityId": "8b689e19885c25a027f74f1ac2645084", + "entityType": "office365_emails_email", + "payload": { + "matches_dlp_rules": [], + "found_text": [], + "scan_details": [], + "hit_count": 0 + }, + "score": "0", + "securityResultEntityId": "8b689e19885c25a027f74f1ac2645084", + "securityResultEntityType": "avanan_dlp", + "statusCode": "0", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "clicktimeProtection": 
[ + { + "entityId": "8b689e19885c25a027f74f1ac2645084", + "entityType": "office365_emails_email", + "payload": null, + "score": "0", + "securityResultEntityId": "8b689e19885c25a027f74f1ac2645084", + "securityResultEntityType": "clicktime_protection_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "links_replaced" + } + ], + "shadowIt": [ + { + "entityId": "8b689e19885c25a027f74f1ac2645084", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "aut_phish_prod3_17__070823_00_05_07_725804", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "8b689e19885c25a027f74f1ac2645084", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [ + { + "entityActionName": "subject_change", + "entityActionDate": "2023-08-07T00:05:13.392563Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "subject_changed" + }, + { + "entityActionName": "body_change", + "entityActionDate": "2023-08-07T00:05:13.392563Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "body_changed" + }, + { + "entityActionName": "links_replace", + "entityActionDate": "2023-08-07T00:05:13.392563Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "links_replaced" + } + ], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "122885ead93b2ebc9a63705cc01b79db", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T00:05:14.801418Z", + "entityUpdated": "2023-08-07T00:05:27.636917Z", + "entityActionState": "quarantined" + }, + "entityPayload": { + "internetMessageId": 
"<01000189cd4fd1b5-37ca593a-89fa-460e-82c1-8ec9443d0314-000000@email.amazonses.com>", + "subject": "aut_quar_prod3_17__070823_00_05_07_591877", + "received": "2023-08-07T00:05:08Z", + "size": null, + "emailLinks": [], + "attachmentCount": 1, + "attachments": [ + { + "name": "avanan_malicious_59_070823_00_05_07_1691366707.pdf", + "mimetype": "application/pdf", + "size": 2071, + "MD5": "91783a7d37185ee9d8cf21b8dcc072e8" + } + ], + "mode": "inline", + "recipients": [ + "user2@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user2@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": null, + "replyToNickname": null, + "isRead": null, + "isDeleted": true, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": true, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": "clean", + "clicktimeProtection": "no_links_replaced", + "shadowIt": "clean", + "av": "malicious" + }, + "ap": [ + { + "entityId": "122885ead93b2ebc9a63705cc01b79db", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Domain Impersonation", + "Sender Reputation" + ], + "reasons_by_category": { + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ], + "Domain Impersonation": [ + { + "short_text": "SPF check failed when checking sending IP: 10.10.10.10 for domain avtestqa.com", + "full_text": "The email 
'from' address doesn't pass the SPF-check" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "33.833035", + "securityResultEntityId": "122885ead93b2ebc9a63705cc01b79db", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "clean" + } + ], + "dlp": [ + { + "entityId": "122885ead93b2ebc9a63705cc01b79db", + "entityType": "office365_emails_email", + "payload": { + "matches_dlp_rules": [], + "found_text": [], + "scan_details": [], + "hit_count": 0 + }, + "score": "0", + "securityResultEntityId": "122885ead93b2ebc9a63705cc01b79db", + "securityResultEntityType": "avanan_dlp", + "statusCode": "0", + "statusDescription": "Clean", + "verdict": "clean" + }, + { + "entityId": "1773f31fd53799315e5de707298aed22bc36f8b4", + "entityType": "office365_emails_attachment", + "payload": { + "matches_dlp_rules": [], + "found_text": [], + "scan_details": [], + "hit_count": 0 + }, + "score": "0", + "securityResultEntityId": "1773f31fd53799315e5de707298aed22bc36f8b4", + "securityResultEntityType": "avanan_dlp", + "statusCode": "0", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "clicktimeProtection": [ + { + "entityId": "122885ead93b2ebc9a63705cc01b79db", + "entityType": "office365_emails_email", + "payload": null, + "score": "0", + "securityResultEntityId": "122885ead93b2ebc9a63705cc01b79db", + "securityResultEntityType": "clicktime_protection_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "no_links_replaced" + } + ], + "shadowIt": [ + { + "entityId": "122885ead93b2ebc9a63705cc01b79db", + "entityType": 
"office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "aut_quar_prod3_17__070823_00_05_07_591877", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "122885ead93b2ebc9a63705cc01b79db", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": [ + { + "entityId": "1773f31fd53799315e5de707298aed22bc36f8b4", + "entityType": "office365_emails_attachment", + "payload": { + "scan_details": [ + "Dummy Core Detection" + ] + }, + "score": "100", + "securityResultEntityId": "1773f31fd53799315e5de707298aed22bc36f8b4", + "securityResultEntityType": "checkpoint2", + "statusCode": "0", + "statusDescription": "Dummy Core Detection", + "verdict": "malicious" + } + ] + }, + "entityActions": [ + { + "entityActionName": "quarantine", + "entityActionDate": "2023-08-07T00:05:26.757482Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "quarantined" + } + ], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "3ca56002e74f2fd867a9b709aeb2ea41", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T00:06:10.210214Z", + "entityUpdated": "2023-08-07T00:06:18.748541Z", + "entityActionState": "body_changed" + }, + "entityPayload": { + "internetMessageId": "<01000189cd4fd423-70667a4d-f17a-4915-b1c3-777a8e9907f4-000000@email.amazonses.com>", + "subject": "Phishing Alert! 
[aut_phish_prod3_17__070823_00_05_08_041294]", + "received": "2023-08-07T00:05:09Z", + "size": null, + "emailLinks": [ + "http://operatf.xyz/redirect53dfhbhfhfhb" + ], + "attachmentCount": 0, + "attachments": [], + "mode": "monitor", + "recipients": [ + "user3@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user3@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "1ec5d519-54a5-40fa-9651-19d7286710df", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": null, + "replyToNickname": null, + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "phishing", + "dlp": null, + "clicktimeProtection": null, + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "3ca56002e74f2fd867a9b709aeb2ea41", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Domain Impersonation", + "Sender Reputation", + "Links" + ], + "reasons_by_category": { + "Links": [ + { + "short_text": "Link to a low-traffic site", + "full_text": "The email contains link to low-traffic web-sites - often indicating low-trust domains" + } + ], + "Domain Impersonation": [ + { + "short_text": "SPF check failed when checking sending IP: 10.10.10.10 for domain avtestqa.com", + "full_text": "The email 'from' address doesn't pass the SPF-check" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't 
established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ], + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ] + }, + "reasons": [] + }, + "score": "230.291001", + "securityResultEntityId": "3ca56002e74f2fd867a9b709aeb2ea41", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "phishing" + } + ], + "dlp": null, + "clicktimeProtection": null, + "shadowIt": [ + { + "entityId": "3ca56002e74f2fd867a9b709aeb2ea41", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "aut_phish_prod3_17__070823_00_05_08_041294", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "3ca56002e74f2fd867a9b709aeb2ea41", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [ + { + "entityActionName": "subject_change", + "entityActionDate": "2023-08-07T00:06:10.210214Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "subject_changed" + }, + { + "entityActionName": "body_change", + "entityActionDate": "2023-08-07T00:06:10.210214Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "body_changed" + } + ], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "f6184ec30a36f0ede3e6fb473c59129a", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T00:06:11.733389Z", + "entityUpdated": "2023-08-07T00:06:26.773075Z", + "entityActionState": "quarantined" + }, + 
"entityPayload": { + "internetMessageId": "<01000189cd4fd5c8-2e99ec91-2fdb-46ee-928d-7ab4ad680455-000000@email.amazonses.com>", + "subject": "aut_quar_prod3_17__070823_00_05_08_640371", + "received": "2023-08-07T00:05:10Z", + "size": null, + "emailLinks": [], + "attachmentCount": 1, + "attachments": [ + { + "name": "avanan_malicious_13_070823_00_05_08_1691366708.pdf", + "mimetype": "application/pdf", + "size": 2070, + "MD5": "e67c2377f05efb30eac41f8bc67dc134" + } + ], + "mode": "monitor", + "recipients": [ + "user3@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user3@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "1ec5d519-54a5-40fa-9651-19d7286710df", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": null, + "replyToNickname": null, + "isRead": null, + "isDeleted": true, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": true, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": null, + "clicktimeProtection": null, + "shadowIt": "clean", + "av": "malicious" + }, + "ap": [ + { + "entityId": "f6184ec30a36f0ede3e6fb473c59129a", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Domain Impersonation", + "Sender Reputation" + ], + "reasons_by_category": { + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ], + "Domain Impersonation": [ + { + "short_text": "SPF check failed when checking sending IP: 10.10.10.10 for domain avtestqa.com", + 
"full_text": "The email 'from' address doesn't pass the SPF-check" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "37.397321", + "securityResultEntityId": "f6184ec30a36f0ede3e6fb473c59129a", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "clean" + } + ], + "dlp": null, + "clicktimeProtection": null, + "shadowIt": [ + { + "entityId": "f6184ec30a36f0ede3e6fb473c59129a", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "aut_quar_prod3_17__070823_00_05_08_640371", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "f6184ec30a36f0ede3e6fb473c59129a", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": [ + { + "entityId": "ce4baf72c22442107e7da49ccbdf625c12a92deb", + "entityType": "office365_emails_attachment", + "payload": { + "scan_details": [ + "Dummy Core Detection" + ] + }, + "score": "100", + "securityResultEntityId": "ce4baf72c22442107e7da49ccbdf625c12a92deb", + "securityResultEntityType": "checkpoint2", + "statusCode": "0", + "statusDescription": "Dummy Core Detection", + "verdict": "malicious" + } + ] + }, + "entityActions": [ + { + "entityActionName": "quarantine", + "entityActionDate": "2023-08-07T00:06:18.857992Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "quarantined" + } + ], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "2cd7e22f49be04b5abb989d00d8ef76f", + 
"customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T00:11:09.709766Z", + "entityUpdated": "2023-08-07T00:16:10.494616Z", + "entityActionState": null + }, + "entityPayload": { + "internetMessageId": "<01000189cd553a32-a141b17c-b9fe-4591-8e1c-fa9f2918a219-000000@email.amazonses.com>", + "subject": "aut_clean_prod3_17__070823_00_11_01_952862", + "received": "2023-08-07T00:11:03Z", + "size": null, + "emailLinks": [], + "attachmentCount": 0, + "attachments": [], + "mode": "inline", + "recipients": [ + "user4@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user4@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "37bf0b54-5136-49e7-82c8-58f85d42b333", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": null, + "replyToNickname": null, + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": true, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": null, + "clicktimeProtection": null, + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "2cd7e22f49be04b5abb989d00d8ef76f", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Domain Impersonation", + "Sender Reputation" + ], + "reasons_by_category": { + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ], + "Domain Impersonation": [ + { + 
"short_text": "SPF check failed when checking sending IP: 10.10.10.10 for domain avtestqa.com", + "full_text": "The email 'from' address doesn't pass the SPF-check" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "96.863378", + "securityResultEntityId": "2cd7e22f49be04b5abb989d00d8ef76f", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "clean" + } + ], + "dlp": null, + "clicktimeProtection": null, + "shadowIt": [ + { + "entityId": "2cd7e22f49be04b5abb989d00d8ef76f", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "aut_clean_prod3_17__070823_00_11_01_952862", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "2cd7e22f49be04b5abb989d00d8ef76f", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "31b69d5b6d41aac688be9b892d792922", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T00:11:23.562136Z", + "entityUpdated": "2023-08-07T00:11:32.920763Z", + "entityActionState": "quarantined" + }, + "entityPayload": { + "internetMessageId": "<00000000.00000000000000.00000000000000.00000000@mail.example.com>", + "subject": "AUT-clicktime-qa-1_070823_03_11_18_982345", + "received": "2023-08-07T00:11:20Z", + "size": null, + "emailLinks": [ + 
"http://www.xvira-malwareavrad.com", + "https://google.com", + "https://stackoverflow.com" + ], + "attachmentCount": 0, + "attachments": [], + "mode": "inline", + "recipients": [ + "user2@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user2@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": "Automation@avtestqa.com", + "replyToNickname": "", + "isRead": null, + "isDeleted": true, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": true, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "spam", + "dlp": "clean", + "clicktimeProtection": "links_replaced", + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "31b69d5b6d41aac688be9b892d792922", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Sender Reputation", + "Links", + "Email Text" + ], + "reasons_by_category": { + "Links": [ + { + "short_text": "Link to a low-traffic site", + "full_text": "The email contains link to low-traffic web-sites - often indicating low-trust domains" + }, + { + "short_text": "Suspicious-looking link", + "full_text": "The email presents a link that can be misleading (link text vs. 
actual URL)" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ], + "Email Text": [ + { + "short_text": "Suspicious-looking email text", + "full_text": "NLP analysis of the email text indicates a suspicious-looking email content" + } + ], + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ] + }, + "reasons": [] + }, + "score": "275.646318", + "securityResultEntityId": "31b69d5b6d41aac688be9b892d792922", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "spam" + } + ], + "dlp": [ + { + "entityId": "31b69d5b6d41aac688be9b892d792922", + "entityType": "office365_emails_email", + "payload": { + "matches_dlp_rules": [], + "found_text": [], + "scan_details": [], + "hit_count": 0 + }, + "score": "0", + "securityResultEntityId": "31b69d5b6d41aac688be9b892d792922", + "securityResultEntityType": "avanan_dlp", + "statusCode": "0", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "clicktimeProtection": [ + { + "entityId": "31b69d5b6d41aac688be9b892d792922", + "entityType": "office365_emails_email", + "payload": null, + "score": "0", + "securityResultEntityId": "31b69d5b6d41aac688be9b892d792922", + "securityResultEntityType": "clicktime_protection_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "links_replaced" + } + ], + "shadowIt": [ + { + "entityId": "31b69d5b6d41aac688be9b892d792922", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "AUT-clicktime-qa-1_070823_03_11_18_982345", + "domain": "" + }, + "score": 
"0", + "securityResultEntityId": "31b69d5b6d41aac688be9b892d792922", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [ + { + "entityActionName": "quarantine", + "entityActionDate": "2023-08-07T00:11:31.946750Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "quarantined" + } + ], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "d32e2ee26d71cc0b7a29cd47aba0767d", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T00:11:26.892283Z", + "entityUpdated": "2023-08-07T00:11:34.744164Z", + "entityActionState": null + }, + "entityPayload": { + "internetMessageId": "<00000000.00000000000000.00000000000000.00000000@mail.example.com>", + "subject": "AUT-clicktime-qa-1-ignorelist_070823_03_11_19_353425", + "received": "2023-08-07T00:11:20Z", + "size": null, + "emailLinks": [ + "https://mail.google.com", + "https://www.youtube.com", + "https://yardiasp14.com" + ], + "attachmentCount": 0, + "attachments": [], + "mode": "inline", + "recipients": [ + "user2@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user2@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": "Automation@avtestqa.com", + "replyToNickname": "", + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + 
"saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": "clean", + "clicktimeProtection": "no_links_replaced", + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "d32e2ee26d71cc0b7a29cd47aba0767d", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Sender Reputation" + ], + "reasons_by_category": { + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "68.697515", + "securityResultEntityId": "d32e2ee26d71cc0b7a29cd47aba0767d", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "clean" + } + ], + "dlp": [ + { + "entityId": "d32e2ee26d71cc0b7a29cd47aba0767d", + "entityType": "office365_emails_email", + "payload": { + "matches_dlp_rules": [], + "found_text": [], + "scan_details": [], + "hit_count": 0 + }, + "score": "0", + "securityResultEntityId": "d32e2ee26d71cc0b7a29cd47aba0767d", + "securityResultEntityType": "avanan_dlp", + "statusCode": "0", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "clicktimeProtection": [ + { + "entityId": "d32e2ee26d71cc0b7a29cd47aba0767d", + "entityType": "office365_emails_email", + "payload": null, + "score": "0", + "securityResultEntityId": "d32e2ee26d71cc0b7a29cd47aba0767d", + "securityResultEntityType": "clicktime_protection_scan", + "statusCode": "0", + 
"statusDescription": null, + "verdict": "no_links_replaced" + } + ], + "shadowIt": [ + { + "entityId": "d32e2ee26d71cc0b7a29cd47aba0767d", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "AUT-clicktime-qa-1-ignorelist_070823_03_11_19_353425", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "d32e2ee26d71cc0b7a29cd47aba0767d", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "7840796fbbdcfed7e339329ff6d54ac4", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T00:11:27.475406Z", + "entityUpdated": "2023-08-07T00:15:00.448858Z", + "entityActionState": "links_replaced" + }, + "entityPayload": { + "internetMessageId": "<00000000.00000000000000.00000000000000.00000000@mail.example.com>", + "subject": "AUT-clicktime-qa-1-blacklist_070823_03_11_20_525146", + "received": "2023-08-07T00:11:22Z", + "size": null, + "emailLinks": [ + "https://facebook.com" + ], + "attachmentCount": 0, + "attachments": [], + "mode": "inline", + "recipients": [ + "user2@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user2@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": "Automation@avtestqa.com", + "replyToNickname": "", + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + 
"isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": "clean", + "clicktimeProtection": "malicious_url", + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "7840796fbbdcfed7e339329ff6d54ac4", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category": { + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ], + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ] + }, + "reasons": [ + "First Time Sender" + ], + "reasons_by_category_list": [ + "Email Headers", + "Sender Reputation" + ] + }, + "score": "52.964422", + "securityResultEntityId": "7840796fbbdcfed7e339329ff6d54ac4", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "clean" + } + ], + "dlp": [ + { + "entityId": "7840796fbbdcfed7e339329ff6d54ac4", + "entityType": "office365_emails_email", + "payload": { + "matches_dlp_rules": [], + "found_text": [], + "scan_details": [], + "hit_count": 0 + }, + "score": "0", + "securityResultEntityId": "7840796fbbdcfed7e339329ff6d54ac4", + "securityResultEntityType": "avanan_dlp", + "statusCode": "0", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "clicktimeProtection": [ + { + "entityId": "7840796fbbdcfed7e339329ff6d54ac4", + "entityType": "office365_emails_email", + "payload": null, + "score": "0", + "securityResultEntityId": "7840796fbbdcfed7e339329ff6d54ac4", + 
"securityResultEntityType": "clicktime_protection_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "malicious_url" + } + ], + "shadowIt": [ + { + "entityId": "7840796fbbdcfed7e339329ff6d54ac4", + "entityType": "office365_emails_email", + "payload": { + "subject": "AUT-clicktime-qa-1-blacklist_070823_03_11_20_525146", + "domain": "", + "from": "Automation@avtestqa.com" + }, + "score": "0", + "securityResultEntityId": "7840796fbbdcfed7e339329ff6d54ac4", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [ + { + "entityActionName": "body_change", + "entityActionDate": "2023-08-07T00:11:27.475406Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "body_changed" + }, + { + "entityActionName": "links_replace", + "entityActionDate": "2023-08-07T00:11:27.475406Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "links_replaced" + } + ], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "eed07b7021643963a36037a9ac83c1d3", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T00:11:27.703194Z", + "entityUpdated": "2023-08-07T00:11:43.760130Z", + "entityActionState": "links_replaced" + }, + "entityPayload": { + "internetMessageId": "<00000000.00000000000000.00000000000000.00000000@mail.example.com>", + "subject": "AUT-clicktime-qa-1-special-urls_070823_03_11_21_097209", + "received": "2023-08-07T00:11:22Z", + "size": null, + "emailLinks": [ + "https://hengold.github.io/clicktime_url/?url=!*", + "https://hengold.github.io/clicktime_url/?url=!*'();:@&=+$,/?%#[]/", + "https://hengold.github.io/clicktime_url/?\u043f\u0440\u0430\u0432\u0438\u0442\u0435\u043b\u044c\u0441\u0442\u0432\u043e/", + 
"https://hengold.github.io/clicktime_url/?\u05d1\u05e2\u05d1\u05e8\u05d9\u05ea/", + "https://hengold.github.io/clicktime_url/?\u4e2d\u6587/" + ], + "attachmentCount": 0, + "attachments": [], + "mode": "inline", + "recipients": [ + "user2@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user2@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": "Automation@avtestqa.com", + "replyToNickname": "", + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": "clean", + "clicktimeProtection": "links_replaced", + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "eed07b7021643963a36037a9ac83c1d3", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Sender Reputation", + "Links" + ], + "reasons_by_category": { + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ], + "Links": [ + { + "short_text": "Suspicious-looking link", + "full_text": "Some of the links in the email has suspicious format - often used by Phishing emails" + }, + { + "short_text": "Link to a low-traffic site", + "full_text": "The email contains link to low-traffic web-sites - often indicating low-trust domains" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical 
reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "45.599355", + "securityResultEntityId": "eed07b7021643963a36037a9ac83c1d3", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "clean" + } + ], + "dlp": [ + { + "entityId": "eed07b7021643963a36037a9ac83c1d3", + "entityType": "office365_emails_email", + "payload": { + "matches_dlp_rules": [], + "found_text": [], + "scan_details": [], + "hit_count": 0 + }, + "score": "0", + "securityResultEntityId": "eed07b7021643963a36037a9ac83c1d3", + "securityResultEntityType": "avanan_dlp", + "statusCode": "0", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "clicktimeProtection": [ + { + "entityId": "eed07b7021643963a36037a9ac83c1d3", + "entityType": "office365_emails_email", + "payload": null, + "score": "0", + "securityResultEntityId": "eed07b7021643963a36037a9ac83c1d3", + "securityResultEntityType": "clicktime_protection_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "links_replaced" + } + ], + "shadowIt": [ + { + "entityId": "eed07b7021643963a36037a9ac83c1d3", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "AUT-clicktime-qa-1-special-urls_070823_03_11_21_097209", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "eed07b7021643963a36037a9ac83c1d3", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [ + { + "entityActionName": "body_change", + "entityActionDate": "2023-08-07T00:11:27.703194Z", + "entityActionResponseCode": null, + 
"entityActionResponseText": null, + "entityActionState": "body_changed" + }, + { + "entityActionName": "links_replace", + "entityActionDate": "2023-08-07T00:11:27.703194Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "links_replaced" + } + ], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "d32e918d7417fa4a3002f424c74ac4a6", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T00:11:30.331874Z", + "entityUpdated": "2023-08-07T00:11:43.962165Z", + "entityActionState": "links_replaced" + }, + "entityPayload": { + "internetMessageId": "<00000000.00000000000000.00000000000000.00000000@mail.example.com>", + "subject": "AUT-clicktime-qa-1-whitelist_070823_03_11_19_929121", + "received": "2023-08-07T00:11:22Z", + "size": null, + "emailLinks": [ + "http://www.xvirb-malwareavrad.com" + ], + "attachmentCount": 0, + "attachments": [], + "mode": "inline", + "recipients": [ + "user2@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user2@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": "Automation@avtestqa.com", + "replyToNickname": "", + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": "clean", + "clicktimeProtection": 
"links_replaced", + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "d32e918d7417fa4a3002f424c74ac4a6", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Sender Reputation", + "Links" + ], + "reasons_by_category": { + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ], + "Links": [ + { + "short_text": "Link to a low-traffic site", + "full_text": "The email contains link to low-traffic web-sites - often indicating low-trust domains" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "148.308417", + "securityResultEntityId": "d32e918d7417fa4a3002f424c74ac4a6", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "clean" + } + ], + "dlp": [ + { + "entityId": "d32e918d7417fa4a3002f424c74ac4a6", + "entityType": "office365_emails_email", + "payload": { + "matches_dlp_rules": [], + "found_text": [], + "scan_details": [], + "hit_count": 0 + }, + "score": "0", + "securityResultEntityId": "d32e918d7417fa4a3002f424c74ac4a6", + "securityResultEntityType": "avanan_dlp", + "statusCode": "0", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "clicktimeProtection": [ + { + "entityId": "d32e918d7417fa4a3002f424c74ac4a6", + "entityType": "office365_emails_email", + "payload": null, + "score": "0", + "securityResultEntityId": "d32e918d7417fa4a3002f424c74ac4a6", + "securityResultEntityType": "clicktime_protection_scan", + "statusCode": "0", + 
"statusDescription": null, + "verdict": "links_replaced" + } + ], + "shadowIt": [ + { + "entityId": "d32e918d7417fa4a3002f424c74ac4a6", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "AUT-clicktime-qa-1-whitelist_070823_03_11_19_929121", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "d32e918d7417fa4a3002f424c74ac4a6", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [ + { + "entityActionName": "body_change", + "entityActionDate": "2023-08-07T00:11:30.331874Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "body_changed" + }, + { + "entityActionName": "links_replace", + "entityActionDate": "2023-08-07T00:11:30.331874Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "links_replaced" + } + ], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "96237f22c52798520bafa9f763b99ce0", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T00:14:27.784239Z", + "entityUpdated": "2023-08-07T00:14:42.092962Z", + "entityActionState": null + }, + "entityPayload": { + "internetMessageId": "<01000189cd584801-934c5cb3-d00b-4336-b5ac-52cb0e10278b-000000@email.amazonses.com>", + "subject": "aut_clean_prod3_17__070823_00_14_21_927924", + "received": "2023-08-07T00:14:23Z", + "size": null, + "emailLinks": [], + "attachmentCount": 0, + "attachments": [], + "mode": "inline", + "recipients": [ + "user2@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user2@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": 
"04df0456-6328-4cfe-a285-e41e3d035e9e", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": null, + "replyToNickname": null, + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": "clean", + "clicktimeProtection": "no_links_replaced", + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "96237f22c52798520bafa9f763b99ce0", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Domain Impersonation", + "Sender Reputation" + ], + "reasons_by_category": { + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ], + "Domain Impersonation": [ + { + "short_text": "SPF check failed when checking sending IP: 10.10.10.10 for domain avtestqa.com", + "full_text": "The email 'from' address doesn't pass the SPF-check" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "125.763193", + "securityResultEntityId": "96237f22c52798520bafa9f763b99ce0", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "clean" + } + ], + "dlp": [ + { + 
"entityId": "96237f22c52798520bafa9f763b99ce0", + "entityType": "office365_emails_email", + "payload": { + "matches_dlp_rules": [], + "found_text": [], + "scan_details": [], + "hit_count": 0 + }, + "score": "0", + "securityResultEntityId": "96237f22c52798520bafa9f763b99ce0", + "securityResultEntityType": "avanan_dlp", + "statusCode": "0", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "clicktimeProtection": [ + { + "entityId": "96237f22c52798520bafa9f763b99ce0", + "entityType": "office365_emails_email", + "payload": null, + "score": "0", + "securityResultEntityId": "96237f22c52798520bafa9f763b99ce0", + "securityResultEntityType": "clicktime_protection_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "no_links_replaced" + } + ], + "shadowIt": [ + { + "entityId": "96237f22c52798520bafa9f763b99ce0", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "aut_clean_prod3_17__070823_00_14_21_927924", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "96237f22c52798520bafa9f763b99ce0", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "c606e93cc9e5014307753251017bdd4c", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T00:14:28.695200Z", + "entityUpdated": "2023-08-07T00:14:34.455413Z", + "entityActionState": null + }, + "entityPayload": { + "internetMessageId": "<00000000.00000000000000.00000000000000.00000000@mail.example.com>", + "subject": "AUT-clean-qa1-4-_070823_00_14_16_330231", + "received": "2023-08-07T00:14:17Z", + "size": null, + "emailLinks": [], + "attachmentCount": 0, + "attachments": [], + "mode": "monitor", + "recipients": [ + 
"user3@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user3@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "1ec5d519-54a5-40fa-9651-19d7286710df", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": "Automation@avtestqa.com", + "replyToNickname": "", + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": null, + "clicktimeProtection": null, + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "c606e93cc9e5014307753251017bdd4c", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Sender Reputation" + ], + "reasons_by_category": { + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "42.792424", + "securityResultEntityId": "c606e93cc9e5014307753251017bdd4c", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "clean" + } + ], + "dlp": null, + 
"clicktimeProtection": null, + "shadowIt": [ + { + "entityId": "c606e93cc9e5014307753251017bdd4c", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "AUT-clean-qa1-4-_070823_00_14_16_330231", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "c606e93cc9e5014307753251017bdd4c", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "b858066dab59209d1410f6a948a82623", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T00:14:30.013633Z", + "entityUpdated": "2023-08-07T00:14:45.268104Z", + "entityActionState": "links_replaced" + }, + "entityPayload": { + "internetMessageId": "<01000189cd58464a-76f39896-0ab0-44fe-b693-cd1f5f42acf9-000000@email.amazonses.com>-alert", + "subject": "Phishing Alert! 
[aut_phish_prod3_17__070823_00_14_21_545683]", + "received": "2023-08-07T00:14:23Z", + "size": null, + "emailLinks": [ + "http://operatf.xyz/redirect53dfhbhfhfhb" + ], + "attachmentCount": 0, + "attachments": [], + "mode": "inline", + "recipients": [ + "user2@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user2@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": null, + "replyToNickname": null, + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "phishing", + "dlp": "clean", + "clicktimeProtection": "links_replaced", + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "b858066dab59209d1410f6a948a82623", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Domain Impersonation", + "Sender Reputation", + "Links" + ], + "reasons_by_category": { + "Links": [ + { + "short_text": "Link to a low-traffic site", + "full_text": "The email contains link to low-traffic web-sites - often indicating low-trust domains" + } + ], + "Domain Impersonation": [ + { + "short_text": "SPF check failed when checking sending IP: 10.10.10.10 for domain avtestqa.com", + "full_text": "The email 'from' address doesn't pass the SPF-check" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email 
address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ], + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ] + }, + "reasons": [] + }, + "score": "234.309006", + "securityResultEntityId": "b858066dab59209d1410f6a948a82623", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "phishing" + } + ], + "dlp": [ + { + "entityId": "b858066dab59209d1410f6a948a82623", + "entityType": "office365_emails_email", + "payload": { + "matches_dlp_rules": [], + "found_text": [], + "scan_details": [], + "hit_count": 0 + }, + "score": "0", + "securityResultEntityId": "b858066dab59209d1410f6a948a82623", + "securityResultEntityType": "avanan_dlp", + "statusCode": "0", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "clicktimeProtection": [ + { + "entityId": "b858066dab59209d1410f6a948a82623", + "entityType": "office365_emails_email", + "payload": null, + "score": "0", + "securityResultEntityId": "b858066dab59209d1410f6a948a82623", + "securityResultEntityType": "clicktime_protection_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "links_replaced" + } + ], + "shadowIt": [ + { + "entityId": "b858066dab59209d1410f6a948a82623", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "aut_phish_prod3_17__070823_00_14_21_545683", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "b858066dab59209d1410f6a948a82623", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [ + { + "entityActionName": "subject_change", + "entityActionDate": 
"2023-08-07T00:14:30.013633Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "subject_changed" + }, + { + "entityActionName": "body_change", + "entityActionDate": "2023-08-07T00:14:30.013633Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "body_changed" + }, + { + "entityActionName": "links_replace", + "entityActionDate": "2023-08-07T00:14:30.013633Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "links_replaced" + } + ], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "5b34e57b97bcd29a3db4fc97d3a69285", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T00:14:30.120385Z", + "entityUpdated": "2023-08-07T00:14:54.848875Z", + "entityActionState": "quarantined" + }, + "entityPayload": { + "internetMessageId": "<01000189cd5844ed-128832d9-8636-4496-baa4-07d2c2a5f82f-000000@email.amazonses.com>", + "subject": "aut_quar_prod3_17__070823_00_14_21_043366", + "received": "2023-08-07T00:14:22Z", + "size": null, + "emailLinks": [], + "attachmentCount": 1, + "attachments": [ + { + "name": "avanan_malicious_48_070823_00_14_21_1691367261.pdf", + "mimetype": "application/pdf", + "size": 2070, + "MD5": "8f9e46069203e4fd7f0d7303dd8bc26d" + } + ], + "mode": "inline", + "recipients": [ + "user2@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user2@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": null, + "replyToNickname": null, + "isRead": null, + "isDeleted": true, + "isIncoming": true, + 
"isInternal": false, + "isOutgoing": false, + "isQuarantined": true, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": "clean", + "clicktimeProtection": "no_links_replaced", + "shadowIt": "clean", + "av": "malicious" + }, + "ap": [ + { + "entityId": "5b34e57b97bcd29a3db4fc97d3a69285", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Domain Impersonation", + "Sender Reputation" + ], + "reasons_by_category": { + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ], + "Domain Impersonation": [ + { + "short_text": "SPF check failed when checking sending IP: 10.10.10.10 for domain avtestqa.com", + "full_text": "The email 'from' address doesn't pass the SPF-check" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "38.152973", + "securityResultEntityId": "5b34e57b97bcd29a3db4fc97d3a69285", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "clean" + } + ], + "dlp": [ + { + "entityId": "c289af4177baea0d3508e1d789532e3964da4ae3", + "entityType": "office365_emails_attachment", + "payload": { + "matches_dlp_rules": [], + "found_text": [], + "scan_details": [], + "hit_count": 0 + }, + "score": "0", + "securityResultEntityId": 
"c289af4177baea0d3508e1d789532e3964da4ae3", + "securityResultEntityType": "avanan_dlp", + "statusCode": "0", + "statusDescription": "Clean", + "verdict": "clean" + }, + { + "entityId": "5b34e57b97bcd29a3db4fc97d3a69285", + "entityType": "office365_emails_email", + "payload": { + "matches_dlp_rules": [], + "found_text": [], + "scan_details": [], + "hit_count": 0 + }, + "score": "0", + "securityResultEntityId": "5b34e57b97bcd29a3db4fc97d3a69285", + "securityResultEntityType": "avanan_dlp", + "statusCode": "0", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "clicktimeProtection": [ + { + "entityId": "5b34e57b97bcd29a3db4fc97d3a69285", + "entityType": "office365_emails_email", + "payload": null, + "score": "0", + "securityResultEntityId": "5b34e57b97bcd29a3db4fc97d3a69285", + "securityResultEntityType": "clicktime_protection_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "no_links_replaced" + } + ], + "shadowIt": [ + { + "entityId": "5b34e57b97bcd29a3db4fc97d3a69285", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "aut_quar_prod3_17__070823_00_14_21_043366", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "5b34e57b97bcd29a3db4fc97d3a69285", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": [ + { + "entityId": "c289af4177baea0d3508e1d789532e3964da4ae3", + "entityType": "office365_emails_attachment", + "payload": { + "scan_details": [ + "Dummy Core Detection" + ] + }, + "score": "100", + "securityResultEntityId": "c289af4177baea0d3508e1d789532e3964da4ae3", + "securityResultEntityType": "checkpoint2", + "statusCode": "0", + "statusDescription": "Dummy Core Detection", + "verdict": "malicious" + } + ] + }, + "entityActions": [ + { + "entityActionName": "quarantine", + "entityActionDate": "2023-08-07T00:14:42.425667Z", + "entityActionResponseCode": null, + 
"entityActionResponseText": null, + "entityActionState": "quarantined" + } + ], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "8c6ab95b797c0d5ff8e773b96a371ba3", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T00:14:30.920207Z", + "entityUpdated": "2023-08-07T00:14:46.904906Z", + "entityActionState": "body_changed" + }, + "entityPayload": { + "internetMessageId": "<01000189cd584a39-ce0ed875-197c-4466-a447-fdb287a58fe5-000000@email.amazonses.com>", + "subject": "Phishing Alert! [aut_phish_prod3_17__070823_00_14_22_355685]", + "received": "2023-08-07T00:14:23Z", + "size": null, + "emailLinks": [ + "http://operatf.xyz/redirect53dfhbhfhfhb" + ], + "attachmentCount": 0, + "attachments": [], + "mode": "monitor", + "recipients": [ + "user3@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user3@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "1ec5d519-54a5-40fa-9651-19d7286710df", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": null, + "replyToNickname": null, + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "phishing", + "dlp": null, + "clicktimeProtection": null, + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "8c6ab95b797c0d5ff8e773b96a371ba3", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email 
Headers", + "Domain Impersonation", + "Sender Reputation", + "Links" + ], + "reasons_by_category": { + "Links": [ + { + "short_text": "Link to a low-traffic site", + "full_text": "The email contains link to low-traffic web-sites - often indicating low-trust domains" + } + ], + "Domain Impersonation": [ + { + "short_text": "SPF check failed when checking sending IP: 10.10.10.10 for domain avtestqa.com", + "full_text": "The email 'from' address doesn't pass the SPF-check" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ], + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ] + }, + "reasons": [] + }, + "score": "207.210314", + "securityResultEntityId": "8c6ab95b797c0d5ff8e773b96a371ba3", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "phishing" + } + ], + "dlp": null, + "clicktimeProtection": null, + "shadowIt": [ + { + "entityId": "8c6ab95b797c0d5ff8e773b96a371ba3", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "aut_phish_prod3_17__070823_00_14_22_355685", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "8c6ab95b797c0d5ff8e773b96a371ba3", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [ + { + "entityActionName": "subject_change", + "entityActionDate": "2023-08-07T00:14:30.920207Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": 
"subject_changed" + }, + { + "entityActionName": "body_change", + "entityActionDate": "2023-08-07T00:14:30.920207Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "body_changed" + } + ], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "2b918c1a320bfc274efda5549b94081c", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T00:14:36.237712Z", + "entityUpdated": "2023-08-07T00:14:49.363078Z", + "entityActionState": "quarantined" + }, + "entityPayload": { + "internetMessageId": "<01000189cd584f73-15f33510-d01f-4f3b-b964-872756f50460-000000@email.amazonses.com>", + "subject": "aut_quar_prod3_17__070823_00_14_23_293851", + "received": "2023-08-07T00:14:26Z", + "size": null, + "emailLinks": [], + "attachmentCount": 1, + "attachments": [ + { + "name": "avanan_malicious_29_070823_00_14_24_1691367264.pdf", + "mimetype": "application/pdf", + "size": 2071, + "MD5": "ee2b13e4a5460d009223bf9ebb6e9b40" + } + ], + "mode": "monitor", + "recipients": [ + "user3@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user3@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "1ec5d519-54a5-40fa-9651-19d7286710df", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": null, + "replyToNickname": null, + "isRead": null, + "isDeleted": true, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": true, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + 
"dlp": null, + "clicktimeProtection": null, + "shadowIt": "clean", + "av": "malicious" + }, + "ap": [ + { + "entityId": "2b918c1a320bfc274efda5549b94081c", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Domain Impersonation", + "Sender Reputation" + ], + "reasons_by_category": { + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ], + "Domain Impersonation": [ + { + "short_text": "SPF check failed when checking sending IP: 10.10.10.10 for domain avtestqa.com", + "full_text": "The email 'from' address doesn't pass the SPF-check" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "37.397321", + "securityResultEntityId": "2b918c1a320bfc274efda5549b94081c", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "clean" + } + ], + "dlp": null, + "clicktimeProtection": null, + "shadowIt": [ + { + "entityId": "2b918c1a320bfc274efda5549b94081c", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "aut_quar_prod3_17__070823_00_14_23_293851", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "2b918c1a320bfc274efda5549b94081c", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": [ + { + "entityId": "5e6bbfd3c4778d640567885544ef2a17a7f31d89", + "entityType": "office365_emails_attachment", + "payload": { + "scan_details": [ 
+ "Dummy Core Detection" + ] + }, + "score": "100", + "securityResultEntityId": "5e6bbfd3c4778d640567885544ef2a17a7f31d89", + "securityResultEntityType": "checkpoint2", + "statusCode": "0", + "statusDescription": "Dummy Core Detection", + "verdict": "malicious" + } + ] + }, + "entityActions": [ + { + "entityActionName": "quarantine", + "entityActionDate": "2023-08-07T00:14:41.932257Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "quarantined" + } + ], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "784e91debd228c28b22a578c6bf38578", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T00:18:41.821385Z", + "entityUpdated": "2023-08-07T00:23:43.623674Z", + "entityActionState": null + }, + "entityPayload": { + "internetMessageId": "<01000189cd5c23ea-3c9018cb-29f4-4c69-88e2-2b99cfa22cf0-000000@email.amazonses.com>", + "subject": "aut_clean_prod3_17__070823_00_18_35_043583", + "received": "2023-08-07T00:18:36Z", + "size": null, + "emailLinks": [], + "attachmentCount": 0, + "attachments": [], + "mode": "inline", + "recipients": [ + "user4@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user4@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "37bf0b54-5136-49e7-82c8-58f85d42b333", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": null, + "replyToNickname": null, + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": true, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + 
"restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": null, + "clicktimeProtection": null, + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "784e91debd228c28b22a578c6bf38578", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Domain Impersonation", + "Sender Reputation" + ], + "reasons_by_category": { + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ], + "Domain Impersonation": [ + { + "short_text": "SPF check failed when checking sending IP: 10.10.10.10 for domain avtestqa.com", + "full_text": "The email 'from' address doesn't pass the SPF-check" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "96.863378", + "securityResultEntityId": "784e91debd228c28b22a578c6bf38578", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "clean" + } + ], + "dlp": null, + "clicktimeProtection": null, + "shadowIt": [ + { + "entityId": "784e91debd228c28b22a578c6bf38578", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "aut_clean_prod3_17__070823_00_18_35_043583", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "784e91debd228c28b22a578c6bf38578", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [], + 
"entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "da9f3f5ce6f5a531a90a86f8a45ce079", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T00:20:15.512625Z", + "entityUpdated": "2023-08-07T00:20:18.614064Z", + "entityActionState": null + }, + "entityPayload": { + "internetMessageId": "0.7617977524613935Automation@avtestqa.com", + "subject": "aut_clean_prod3_17__070823_00_10_41_429820", + "received": "2023-08-05T16:35:06.828791Z", + "size": null, + "emailLinks": [], + "attachmentCount": 0, + "attachments": [], + "mode": "monitor", + "recipients": [ + "user2@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user2@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": null, + "replyToNickname": null, + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": null, + "SpfResult": null, + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": null, + "clicktimeProtection": null, + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "da9f3f5ce6f5a531a90a86f8a45ce079", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Sender Reputation" + ], + "reasons_by_category": { + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't 
established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "59.53873", + "securityResultEntityId": "da9f3f5ce6f5a531a90a86f8a45ce079", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "clean" + } + ], + "dlp": null, + "clicktimeProtection": null, + "shadowIt": [ + { + "entityId": "da9f3f5ce6f5a531a90a86f8a45ce079", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "aut_clean_prod3_17__070823_00_10_41_429820", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "da9f3f5ce6f5a531a90a86f8a45ce079", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "55ea95e1e23438a7a645b8c8795ccca7", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T00:21:32.099063Z", + "entityUpdated": "2023-08-07T00:21:39.188965Z", + "entityActionState": "links_replaced" + }, + "entityPayload": { + "internetMessageId": "<00000000.00000000000000.00000000000000.00000000@mail.example.com>", + "subject": "AUT-clicktime-qa-1-special-urls_070823_03_21_22_301043", + "received": "2023-08-07T00:21:23Z", + "size": null, + "emailLinks": [ + "https://hengold.github.io/clicktime_url/?url=!*", + "https://hengold.github.io/clicktime_url/?url=!*'();:@&=+$,/?%#[]/", + "https://hengold.github.io/clicktime_url/?\u043f\u0440\u0430\u0432\u0438\u0442\u0435\u043b\u044c\u0441\u0442\u0432\u043e/", + 
"https://hengold.github.io/clicktime_url/?\u05d1\u05e2\u05d1\u05e8\u05d9\u05ea/", + "https://hengold.github.io/clicktime_url/?\u4e2d\u6587/" + ], + "attachmentCount": 0, + "attachments": [], + "mode": "inline", + "recipients": [ + "user2@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user2@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": "Automation@avtestqa.com", + "replyToNickname": "", + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": "clean", + "clicktimeProtection": "links_replaced", + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "55ea95e1e23438a7a645b8c8795ccca7", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Sender Reputation", + "Links" + ], + "reasons_by_category": { + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ], + "Links": [ + { + "short_text": "Suspicious-looking link", + "full_text": "Some of the links in the email has suspicious format - often used by Phishing emails" + }, + { + "short_text": "Link to a low-traffic site", + "full_text": "The email contains link to low-traffic web-sites - often indicating low-trust domains" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical 
reputation with sender",
+ "full_text": "The sending email address hasn't established significant historical reputation with your domain"
+ },
+ {
+ "short_text": "Low-traffic 'From'-domain",
+ "full_text": "The sender's domain has very low traffic - often indicating low-trust domains"
+ }
+ ]
+ },
+ "reasons": [
+ "First Time Sender"
+ ]
+ },
+ "score": "45.599355",
+ "securityResultEntityId": "55ea95e1e23438a7a645b8c8795ccca7",
+ "securityResultEntityType": "avanan_ap_scan",
+ "statusCode": "0",
+ "statusDescription": null,
+ "verdict": "clean"
+ }
+ ],
+ "dlp": [
+ {
+ "entityId": "55ea95e1e23438a7a645b8c8795ccca7",
+ "entityType": "office365_emails_email",
+ "payload": {
+ "matches_dlp_rules": [],
+ "found_text": [],
+ "scan_details": [],
+ "hit_count": 0
+ },
+ "score": "0",
+ "securityResultEntityId": "55ea95e1e23438a7a645b8c8795ccca7",
+ "securityResultEntityType": "avanan_dlp",
+ "statusCode": "0",
+ "statusDescription": "Clean",
+ "verdict": "clean"
+ }
+ ],
+ "clicktimeProtection": [
+ {
+ "entityId": "55ea95e1e23438a7a645b8c8795ccca7",
+ "entityType": "office365_emails_email",
+ "payload": null,
+ "score": "0",
+ "securityResultEntityId": "55ea95e1e23438a7a645b8c8795ccca7",
+ "securityResultEntityType": "clicktime_protection_scan",
+ "statusCode": "0",
+ "statusDescription": null,
+ "verdict": "links_replaced"
+ }
+ ],
+ "shadowIt": [
+ {
+ "entityId": "55ea95e1e23438a7a645b8c8795ccca7",
+ "entityType": "office365_emails_email",
+ "payload": {
+ "from": "Automation@avtestqa.com",
+ "subject": "AUT-clicktime-qa-1-special-urls_070823_03_21_22_301043",
+ "domain": ""
+ },
+ "score": "0",
+ "securityResultEntityId": "55ea95e1e23438a7a645b8c8795ccca7",
+ "securityResultEntityType": "shadow_it_emails_scan",
+ "statusCode": "clean",
+ "statusDescription": "Clean",
+ "verdict": "clean"
+ }
+ ],
+ "av": null
+ },
+ "entityActions": [
+ {
+ "entityActionName": "body_change",
+ "entityActionDate": "2023-08-07T00:21:32.099063Z",
+ "entityActionResponseCode": null,
+ 
"entityActionResponseText": null,
+ "entityActionState": "body_changed"
+ },
+ {
+ "entityActionName": "links_replace",
+ "entityActionDate": "2023-08-07T00:21:32.099063Z",
+ "entityActionResponseCode": null,
+ "entityActionResponseText": null,
+ "entityActionState": "links_replaced"
+ }
+ ],
+ "entityAvailableActions": []
+ },
+ {
+ "entityInfo": {
+ "entityId": "df97084fb8f4b8c7ba64176ea48a5666",
+ "customerId": "prod-3-con-lab44",
+ "customerOem": "Avanan",
+ "saas": "office365_emails",
+ "saasEntityType": "office365_emails_email",
+ "entityCreated": "2023-08-07T00:21:32.318877Z",
+ "entityUpdated": "2023-08-07T00:21:39.195962Z",
+ "entityActionState": "links_replaced"
+ },
+ "entityPayload": {
+ "internetMessageId": "<00000000.00000000000000.00000000000000.00000000@mail.example.com>",
+ "subject": "AUT-clicktime-qa-1-whitelist_070823_03_21_21_311286",
+ "received": "2023-08-07T00:21:22Z",
+ "size": null,
+ "emailLinks": [
+ "http://www.xvirb-malwareavrad.com"
+ ],
+ "attachmentCount": 0,
+ "attachments": [],
+ "mode": "inline",
+ "recipients": [
+ "user2@avananlab44.onmicrosoft.com"
+ ],
+ "fromEmail": "Automation@avtestqa.com",
+ "fromDomain": "avtestqa.com",
+ "fromUser": {},
+ "fromName": "",
+ "to": [
+ "user2@avananlab44.onmicrosoft.com"
+ ],
+ "toUser": [
+ {
+ "entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e",
+ "entity_type": "office365_emails_user",
+ "mail": null
+ }
+ ],
+ "cc": [],
+ "ccUser": [],
+ "bcc": [],
+ "bccUser": [],
+ "replyToEmail": "Automation@avtestqa.com",
+ "replyToNickname": "",
+ "isRead": null,
+ "isDeleted": false,
+ "isIncoming": true,
+ "isInternal": false,
+ "isOutgoing": false,
+ "isQuarantined": false,
+ "isQuarantineNotification": false,
+ "isRestored": false,
+ "isRestoreRequested": false,
+ "isRestoreDeclined": false,
+ "saasSpamVerdict": "-1",
+ "SpfResult": "pass",
+ "restoreRequestTime": null
+ },
+ "entitySecurityResult": {
+ "combinedVerdict": {
+ "ap": "clean",
+ "dlp": "clean",
+ "clicktimeProtection": 
"links_replaced",
+ "shadowIt": "clean",
+ "av": null
+ },
+ "ap": [
+ {
+ "entityId": "df97084fb8f4b8c7ba64176ea48a5666",
+ "entityType": "office365_emails_email",
+ "payload": {
+ "reasons_by_category_list": [
+ "Email Headers",
+ "Sender Reputation",
+ "Links"
+ ],
+ "reasons_by_category": {
+ "Email Headers": [
+ {
+ "short_text": "Missing DMARC",
+ "full_text": "The email's header suggest that DMARC signature is missing/invalid"
+ }
+ ],
+ "Links": [
+ {
+ "short_text": "Link to a low-traffic site",
+ "full_text": "The email contains link to low-traffic web-sites - often indicating low-trust domains"
+ }
+ ],
+ "Sender Reputation": [
+ {
+ "short_text": "Insignificant historical reputation with sender",
+ "full_text": "The sending email address hasn't established significant historical reputation with your domain"
+ },
+ {
+ "short_text": "Low-traffic 'From'-domain",
+ "full_text": "The sender's domain has very low traffic - often indicating low-trust domains"
+ }
+ ]
+ },
+ "reasons": [
+ "First Time Sender"
+ ]
+ },
+ "score": "148.308417",
+ "securityResultEntityId": "df97084fb8f4b8c7ba64176ea48a5666",
+ "securityResultEntityType": "avanan_ap_scan",
+ "statusCode": "0",
+ "statusDescription": null,
+ "verdict": "clean"
+ }
+ ],
+ "dlp": [
+ {
+ "entityId": "df97084fb8f4b8c7ba64176ea48a5666",
+ "entityType": "office365_emails_email",
+ "payload": {
+ "matches_dlp_rules": [],
+ "found_text": [],
+ "scan_details": [],
+ "hit_count": 0
+ },
+ "score": "0",
+ "securityResultEntityId": "df97084fb8f4b8c7ba64176ea48a5666",
+ "securityResultEntityType": "avanan_dlp",
+ "statusCode": "0",
+ "statusDescription": "Clean",
+ "verdict": "clean"
+ }
+ ],
+ "clicktimeProtection": [
+ {
+ "entityId": "df97084fb8f4b8c7ba64176ea48a5666",
+ "entityType": "office365_emails_email",
+ "payload": null,
+ "score": "0",
+ "securityResultEntityId": "df97084fb8f4b8c7ba64176ea48a5666",
+ "securityResultEntityType": "clicktime_protection_scan",
+ "statusCode": "0",
+ 
"statusDescription": null,
+ "verdict": "links_replaced"
+ }
+ ],
+ "shadowIt": [
+ {
+ "entityId": "df97084fb8f4b8c7ba64176ea48a5666",
+ "entityType": "office365_emails_email",
+ "payload": {
+ "from": "Automation@avtestqa.com",
+ "subject": "AUT-clicktime-qa-1-whitelist_070823_03_21_21_311286",
+ "domain": ""
+ },
+ "score": "0",
+ "securityResultEntityId": "df97084fb8f4b8c7ba64176ea48a5666",
+ "securityResultEntityType": "shadow_it_emails_scan",
+ "statusCode": "clean",
+ "statusDescription": "Clean",
+ "verdict": "clean"
+ }
+ ],
+ "av": null
+ },
+ "entityActions": [
+ {
+ "entityActionName": "body_change",
+ "entityActionDate": "2023-08-07T00:21:32.318877Z",
+ "entityActionResponseCode": null,
+ "entityActionResponseText": null,
+ "entityActionState": "body_changed"
+ },
+ {
+ "entityActionName": "links_replace",
+ "entityActionDate": "2023-08-07T00:21:32.318877Z",
+ "entityActionResponseCode": null,
+ "entityActionResponseText": null,
+ "entityActionState": "links_replaced"
+ }
+ ],
+ "entityAvailableActions": []
+ },
+ {
+ "entityInfo": {
+ "entityId": "fac394e980fc25c29e08517568e86574",
+ "customerId": "prod-3-con-lab44",
+ "customerOem": "Avanan",
+ "saas": "office365_emails",
+ "saasEntityType": "office365_emails_email",
+ "entityCreated": "2023-08-07T00:21:32.598778Z",
+ "entityUpdated": "2023-08-07T00:21:39.189442Z",
+ "entityActionState": null
+ },
+ "entityPayload": {
+ "internetMessageId": "<00000000.00000000000000.00000000000000.00000000@mail.example.com>",
+ "subject": "AUT-clicktime-qa-1-ignorelist_070823_03_21_20_739982",
+ "received": "2023-08-07T00:21:22Z",
+ "size": null,
+ "emailLinks": [
+ "https://mail.google.com",
+ "https://www.youtube.com",
+ "https://yardiasp14.com"
+ ],
+ "attachmentCount": 0,
+ "attachments": [],
+ "mode": "inline",
+ "recipients": [
+ "user2@avananlab44.onmicrosoft.com"
+ ],
+ "fromEmail": "Automation@avtestqa.com",
+ "fromDomain": "avtestqa.com",
+ "fromUser": {},
+ "fromName": "",
+ "to": [
+ 
"user2@avananlab44.onmicrosoft.com"
+ ],
+ "toUser": [
+ {
+ "entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e",
+ "entity_type": "office365_emails_user",
+ "mail": null
+ }
+ ],
+ "cc": [],
+ "ccUser": [],
+ "bcc": [],
+ "bccUser": [],
+ "replyToEmail": "Automation@avtestqa.com",
+ "replyToNickname": "",
+ "isRead": null,
+ "isDeleted": false,
+ "isIncoming": true,
+ "isInternal": false,
+ "isOutgoing": false,
+ "isQuarantined": false,
+ "isQuarantineNotification": false,
+ "isRestored": false,
+ "isRestoreRequested": false,
+ "isRestoreDeclined": false,
+ "saasSpamVerdict": "-1",
+ "SpfResult": "pass",
+ "restoreRequestTime": null
+ },
+ "entitySecurityResult": {
+ "combinedVerdict": {
+ "ap": "clean",
+ "dlp": "clean",
+ "clicktimeProtection": "no_links_replaced",
+ "shadowIt": "clean",
+ "av": null
+ },
+ "ap": [
+ {
+ "entityId": "fac394e980fc25c29e08517568e86574",
+ "entityType": "office365_emails_email",
+ "payload": {
+ "reasons_by_category_list": [
+ "Email Headers",
+ "Sender Reputation"
+ ],
+ "reasons_by_category": {
+ "Email Headers": [
+ {
+ "short_text": "Missing DMARC",
+ "full_text": "The email's header suggest that DMARC signature is missing/invalid"
+ }
+ ],
+ "Sender Reputation": [
+ {
+ "short_text": "Insignificant historical reputation with sender",
+ "full_text": "The sending email address hasn't established significant historical reputation with your domain"
+ },
+ {
+ "short_text": "Low-traffic 'From'-domain",
+ "full_text": "The sender's domain has very low traffic - often indicating low-trust domains"
+ }
+ ]
+ },
+ "reasons": [
+ "First Time Sender"
+ ]
+ },
+ "score": "68.697515",
+ "securityResultEntityId": "fac394e980fc25c29e08517568e86574",
+ "securityResultEntityType": "avanan_ap_scan",
+ "statusCode": "0",
+ "statusDescription": null,
+ "verdict": "clean"
+ }
+ ],
+ "dlp": [
+ {
+ "entityId": "fac394e980fc25c29e08517568e86574",
+ "entityType": "office365_emails_email",
+ "payload": {
+ "matches_dlp_rules": [],
+ "found_text": [],
+ "scan_details": [],
+ "hit_count": 0
+ },
+ "score": "0",
+ "securityResultEntityId": "fac394e980fc25c29e08517568e86574",
+ "securityResultEntityType": "avanan_dlp",
+ "statusCode": "0",
+ "statusDescription": "Clean",
+ "verdict": "clean"
+ }
+ ],
+ "clicktimeProtection": [
+ {
+ "entityId": "fac394e980fc25c29e08517568e86574",
+ "entityType": "office365_emails_email",
+ "payload": null,
+ "score": "0",
+ "securityResultEntityId": "fac394e980fc25c29e08517568e86574",
+ "securityResultEntityType": "clicktime_protection_scan",
+ "statusCode": "0",
+ "statusDescription": null,
+ "verdict": "no_links_replaced"
+ }
+ ],
+ "shadowIt": [
+ {
+ "entityId": "fac394e980fc25c29e08517568e86574",
+ "entityType": "office365_emails_email",
+ "payload": {
+ "from": "Automation@avtestqa.com",
+ "subject": "AUT-clicktime-qa-1-ignorelist_070823_03_21_20_739982",
+ "domain": ""
+ },
+ "score": "0",
+ "securityResultEntityId": "fac394e980fc25c29e08517568e86574",
+ "securityResultEntityType": "shadow_it_emails_scan",
+ "statusCode": "clean",
+ "statusDescription": "Clean",
+ "verdict": "clean"
+ }
+ ],
+ "av": null
+ },
+ "entityActions": [],
+ "entityAvailableActions": []
+ },
+ {
+ "entityInfo": {
+ "entityId": "e47f688c992f426d94fe45566f5383dc",
+ "customerId": "prod-3-con-lab44",
+ "customerOem": "Avanan",
+ "saas": "office365_emails",
+ "saasEntityType": "office365_emails_email",
+ "entityCreated": "2023-08-07T00:21:32.599909Z",
+ "entityUpdated": "2023-08-07T00:21:40.090650Z",
+ "entityActionState": "quarantined"
+ },
+ "entityPayload": {
+ "internetMessageId": "<00000000.00000000000000.00000000000000.00000000@mail.example.com>",
+ "subject": "AUT-clicktime-qa-1_070823_03_21_20_166278",
+ "received": "2023-08-07T00:21:21Z",
+ "size": null,
+ "emailLinks": [
+ "http://www.xvira-malwareavrad.com",
+ "https://google.com",
+ "https://stackoverflow.com"
+ ],
+ "attachmentCount": 0,
+ "attachments": [],
+ "mode": "inline",
+ "recipients": [
+ "user2@avananlab44.onmicrosoft.com"
+ ],
+ 
"fromEmail": "Automation@avtestqa.com",
+ "fromDomain": "avtestqa.com",
+ "fromUser": {},
+ "fromName": "",
+ "to": [
+ "user2@avananlab44.onmicrosoft.com"
+ ],
+ "toUser": [
+ {
+ "entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e",
+ "entity_type": "office365_emails_user",
+ "mail": null
+ }
+ ],
+ "cc": [],
+ "ccUser": [],
+ "bcc": [],
+ "bccUser": [],
+ "replyToEmail": "Automation@avtestqa.com",
+ "replyToNickname": "",
+ "isRead": null,
+ "isDeleted": true,
+ "isIncoming": true,
+ "isInternal": false,
+ "isOutgoing": false,
+ "isQuarantined": true,
+ "isQuarantineNotification": false,
+ "isRestored": false,
+ "isRestoreRequested": false,
+ "isRestoreDeclined": false,
+ "saasSpamVerdict": "-1",
+ "SpfResult": "pass",
+ "restoreRequestTime": null
+ },
+ "entitySecurityResult": {
+ "combinedVerdict": {
+ "ap": "spam",
+ "dlp": "clean",
+ "clicktimeProtection": "links_replaced",
+ "shadowIt": "clean",
+ "av": null
+ },
+ "ap": [
+ {
+ "entityId": "e47f688c992f426d94fe45566f5383dc",
+ "entityType": "office365_emails_email",
+ "payload": {
+ "reasons_by_category_list": [
+ "O365 clarifications",
+ "Email Headers",
+ "Sender Reputation",
+ "Links",
+ "Email Text"
+ ],
+ "reasons_by_category": {
+ "Links": [
+ {
+ "short_text": "Link to a low-traffic site",
+ "full_text": "The email contains link to low-traffic web-sites - often indicating low-trust domains"
+ },
+ {
+ "short_text": "Suspicious-looking link",
+ "full_text": "The email presents a link that can be misleading (link text vs. 
actual URL)"
+ }
+ ],
+ "O365 clarifications": [
+ {
+ "short_text": "Microsoft SCL value was -1",
+ "full_text": "Microsoft SCL value was -1"
+ }
+ ],
+ "Sender Reputation": [
+ {
+ "short_text": "Insignificant historical reputation with sender",
+ "full_text": "The sending email address hasn't established significant historical reputation with your domain"
+ },
+ {
+ "short_text": "Low-traffic 'From'-domain",
+ "full_text": "The sender's domain has very low traffic - often indicating low-trust domains"
+ }
+ ],
+ "Email Text": [
+ {
+ "short_text": "Suspicious-looking email text",
+ "full_text": "NLP analysis of the email text indicates a suspicious-looking email content"
+ }
+ ],
+ "Email Headers": [
+ {
+ "short_text": "Missing DMARC",
+ "full_text": "The email's header suggest that DMARC signature is missing/invalid"
+ }
+ ]
+ },
+ "reasons": []
+ },
+ "score": "275.646318",
+ "securityResultEntityId": "e47f688c992f426d94fe45566f5383dc",
+ "securityResultEntityType": "avanan_ap_scan",
+ "statusCode": "0",
+ "statusDescription": null,
+ "verdict": "spam"
+ }
+ ],
+ "dlp": [
+ {
+ "entityId": "e47f688c992f426d94fe45566f5383dc",
+ "entityType": "office365_emails_email",
+ "payload": {
+ "matches_dlp_rules": [],
+ "found_text": [],
+ "scan_details": [],
+ "hit_count": 0
+ },
+ "score": "0",
+ "securityResultEntityId": "e47f688c992f426d94fe45566f5383dc",
+ "securityResultEntityType": "avanan_dlp",
+ "statusCode": "0",
+ "statusDescription": "Clean",
+ "verdict": "clean"
+ }
+ ],
+ "clicktimeProtection": [
+ {
+ "entityId": "e47f688c992f426d94fe45566f5383dc",
+ "entityType": "office365_emails_email",
+ "payload": null,
+ "score": "0",
+ "securityResultEntityId": "e47f688c992f426d94fe45566f5383dc",
+ "securityResultEntityType": "clicktime_protection_scan",
+ "statusCode": "0",
+ "statusDescription": null,
+ "verdict": "links_replaced"
+ }
+ ],
+ "shadowIt": [
+ {
+ "entityId": "e47f688c992f426d94fe45566f5383dc",
+ "entityType": "office365_emails_email",
+ "payload": 
{
+ "from": "Automation@avtestqa.com",
+ "subject": "AUT-clicktime-qa-1_070823_03_21_20_166278",
+ "domain": ""
+ },
+ "score": "0",
+ "securityResultEntityId": "e47f688c992f426d94fe45566f5383dc",
+ "securityResultEntityType": "shadow_it_emails_scan",
+ "statusCode": "clean",
+ "statusDescription": "Clean",
+ "verdict": "clean"
+ }
+ ],
+ "av": null
+ },
+ "entityActions": [
+ {
+ "entityActionName": "quarantine",
+ "entityActionDate": "2023-08-07T00:21:38.966569Z",
+ "entityActionResponseCode": null,
+ "entityActionResponseText": null,
+ "entityActionState": "quarantined"
+ }
+ ],
+ "entityAvailableActions": []
+ },
+ {
+ "entityInfo": {
+ "entityId": "17b2af20d0e385c30900dfbe0ae999e6",
+ "customerId": "prod-3-con-lab44",
+ "customerOem": "Avanan",
+ "saas": "office365_emails",
+ "saasEntityType": "office365_emails_email",
+ "entityCreated": "2023-08-07T00:21:32.599043Z",
+ "entityUpdated": "2023-08-07T00:24:51.642998Z",
+ "entityActionState": "links_replaced"
+ },
+ "entityPayload": {
+ "internetMessageId": "<00000000.00000000000000.00000000000000.00000000@mail.example.com>",
+ "subject": "AUT-clicktime-qa-1-blacklist_070823_03_21_21_730212",
+ "received": "2023-08-07T00:21:23Z",
+ "size": null,
+ "emailLinks": [
+ "https://facebook.com"
+ ],
+ "attachmentCount": 0,
+ "attachments": [],
+ "mode": "inline",
+ "recipients": [
+ "user2@avananlab44.onmicrosoft.com"
+ ],
+ "fromEmail": "Automation@avtestqa.com",
+ "fromDomain": "avtestqa.com",
+ "fromUser": {},
+ "fromName": "",
+ "to": [
+ "user2@avananlab44.onmicrosoft.com"
+ ],
+ "toUser": [
+ {
+ "entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e",
+ "entity_type": "office365_emails_user",
+ "mail": null
+ }
+ ],
+ "cc": [],
+ "ccUser": [],
+ "bcc": [],
+ "bccUser": [],
+ "replyToEmail": "Automation@avtestqa.com",
+ "replyToNickname": "",
+ "isRead": null,
+ "isDeleted": false,
+ "isIncoming": true,
+ "isInternal": false,
+ "isOutgoing": false,
+ "isQuarantined": false,
+ "isQuarantineNotification": false,
+ 
"isRestored": false,
+ "isRestoreRequested": false,
+ "isRestoreDeclined": false,
+ "saasSpamVerdict": "-1",
+ "SpfResult": "pass",
+ "restoreRequestTime": null
+ },
+ "entitySecurityResult": {
+ "combinedVerdict": {
+ "ap": "clean",
+ "dlp": "clean",
+ "clicktimeProtection": "malicious_url",
+ "shadowIt": "clean",
+ "av": null
+ },
+ "ap": [
+ {
+ "entityId": "17b2af20d0e385c30900dfbe0ae999e6",
+ "entityType": "office365_emails_email",
+ "payload": {
+ "reasons_by_category_list": [
+ "Email Headers",
+ "Sender Reputation"
+ ],
+ "reasons_by_category": {
+ "Email Headers": [
+ {
+ "short_text": "Missing DMARC",
+ "full_text": "The email's header suggest that DMARC signature is missing/invalid"
+ }
+ ],
+ "Sender Reputation": [
+ {
+ "short_text": "Insignificant historical reputation with sender",
+ "full_text": "The sending email address hasn't established significant historical reputation with your domain"
+ },
+ {
+ "short_text": "Low-traffic 'From'-domain",
+ "full_text": "The sender's domain has very low traffic - often indicating low-trust domains"
+ }
+ ]
+ },
+ "reasons": [
+ "First Time Sender"
+ ]
+ },
+ "score": "52.964422",
+ "securityResultEntityId": "17b2af20d0e385c30900dfbe0ae999e6",
+ "securityResultEntityType": "avanan_ap_scan",
+ "statusCode": "0",
+ "statusDescription": null,
+ "verdict": "clean"
+ }
+ ],
+ "dlp": [
+ {
+ "entityId": "17b2af20d0e385c30900dfbe0ae999e6",
+ "entityType": "office365_emails_email",
+ "payload": {
+ "matches_dlp_rules": [],
+ "found_text": [],
+ "scan_details": [],
+ "hit_count": 0
+ },
+ "score": "0",
+ "securityResultEntityId": "17b2af20d0e385c30900dfbe0ae999e6",
+ "securityResultEntityType": "avanan_dlp",
+ "statusCode": "0",
+ "statusDescription": "Clean",
+ "verdict": "clean"
+ }
+ ],
+ "clicktimeProtection": [
+ {
+ "entityId": "17b2af20d0e385c30900dfbe0ae999e6",
+ "entityType": "office365_emails_email",
+ "payload": null,
+ "score": "0",
+ "securityResultEntityId": "17b2af20d0e385c30900dfbe0ae999e6",
+ 
"securityResultEntityType": "clicktime_protection_scan",
+ "statusCode": "0",
+ "statusDescription": null,
+ "verdict": "malicious_url"
+ }
+ ],
+ "shadowIt": [
+ {
+ "entityId": "17b2af20d0e385c30900dfbe0ae999e6",
+ "entityType": "office365_emails_email",
+ "payload": {
+ "subject": "AUT-clicktime-qa-1-blacklist_070823_03_21_21_730212",
+ "from": "Automation@avtestqa.com",
+ "domain": ""
+ },
+ "score": "0",
+ "securityResultEntityId": "17b2af20d0e385c30900dfbe0ae999e6",
+ "securityResultEntityType": "shadow_it_emails_scan",
+ "statusCode": "clean",
+ "statusDescription": "Clean",
+ "verdict": "clean"
+ }
+ ],
+ "av": null
+ },
+ "entityActions": [
+ {
+ "entityActionName": "body_change",
+ "entityActionDate": "2023-08-07T00:21:32.599043Z",
+ "entityActionResponseCode": null,
+ "entityActionResponseText": null,
+ "entityActionState": "body_changed"
+ },
+ {
+ "entityActionName": "links_replace",
+ "entityActionDate": "2023-08-07T00:21:32.599043Z",
+ "entityActionResponseCode": null,
+ "entityActionResponseText": null,
+ "entityActionState": "links_replaced"
+ }
+ ],
+ "entityAvailableActions": []
+ },
+ {
+ "entityInfo": {
+ "entityId": "a03e6cdd6fcd1fba7c5aa32a08429a3b",
+ "customerId": "prod-3-con-lab44",
+ "customerOem": "Avanan",
+ "saas": "office365_emails",
+ "saasEntityType": "office365_emails_email",
+ "entityCreated": "2023-08-07T00:24:46.475878Z",
+ "entityUpdated": "2023-08-07T00:24:52.099515Z",
+ "entityActionState": null
+ },
+ "entityPayload": {
+ "internetMessageId": "<00000000.00000000000000.00000000000000.00000000@mail.example.com>",
+ "subject": "AUT-clean-qa1-4-_070823_00_23_48_851272",
+ "received": "2023-08-07T00:23:50Z",
+ "size": null,
+ "emailLinks": [],
+ "attachmentCount": 0,
+ "attachments": [],
+ "mode": "monitor",
+ "recipients": [
+ "user3@avananlab44.onmicrosoft.com"
+ ],
+ "fromEmail": "Automation@avtestqa.com",
+ "fromDomain": "avtestqa.com",
+ "fromUser": {},
+ "fromName": "",
+ "to": [
+ "user3@avananlab44.onmicrosoft.com"
+ ],
+ 
"toUser": [
+ {
+ "entity_id": "1ec5d519-54a5-40fa-9651-19d7286710df",
+ "entity_type": "office365_emails_user",
+ "mail": null
+ }
+ ],
+ "cc": [],
+ "ccUser": [],
+ "bcc": [],
+ "bccUser": [],
+ "replyToEmail": "Automation@avtestqa.com",
+ "replyToNickname": "",
+ "isRead": null,
+ "isDeleted": false,
+ "isIncoming": true,
+ "isInternal": false,
+ "isOutgoing": false,
+ "isQuarantined": false,
+ "isQuarantineNotification": false,
+ "isRestored": false,
+ "isRestoreRequested": false,
+ "isRestoreDeclined": false,
+ "saasSpamVerdict": "-1",
+ "SpfResult": "pass",
+ "restoreRequestTime": null
+ },
+ "entitySecurityResult": {
+ "combinedVerdict": {
+ "ap": "clean",
+ "dlp": null,
+ "clicktimeProtection": null,
+ "shadowIt": "clean",
+ "av": null
+ },
+ "ap": [
+ {
+ "entityId": "a03e6cdd6fcd1fba7c5aa32a08429a3b",
+ "entityType": "office365_emails_email",
+ "payload": {
+ "reasons_by_category_list": [
+ "Email Headers",
+ "Sender Reputation"
+ ],
+ "reasons_by_category": {
+ "Email Headers": [
+ {
+ "short_text": "Missing DMARC",
+ "full_text": "The email's header suggest that DMARC signature is missing/invalid"
+ }
+ ],
+ "Sender Reputation": [
+ {
+ "short_text": "Insignificant historical reputation with sender",
+ "full_text": "The sending email address hasn't established significant historical reputation with your domain"
+ },
+ {
+ "short_text": "Low-traffic 'From'-domain",
+ "full_text": "The sender's domain has very low traffic - often indicating low-trust domains"
+ }
+ ]
+ },
+ "reasons": [
+ "First Time Sender"
+ ]
+ },
+ "score": "42.792424",
+ "securityResultEntityId": "a03e6cdd6fcd1fba7c5aa32a08429a3b",
+ "securityResultEntityType": "avanan_ap_scan",
+ "statusCode": "0",
+ "statusDescription": null,
+ "verdict": "clean"
+ }
+ ],
+ "dlp": null,
+ "clicktimeProtection": null,
+ "shadowIt": [
+ {
+ "entityId": "a03e6cdd6fcd1fba7c5aa32a08429a3b",
+ "entityType": "office365_emails_email",
+ "payload": {
+ "from": "Automation@avtestqa.com",
+ "subject": 
"AUT-clean-qa1-4-_070823_00_23_48_851272",
+ "domain": ""
+ },
+ "score": "0",
+ "securityResultEntityId": "a03e6cdd6fcd1fba7c5aa32a08429a3b",
+ "securityResultEntityType": "shadow_it_emails_scan",
+ "statusCode": "clean",
+ "statusDescription": "Clean",
+ "verdict": "clean"
+ }
+ ],
+ "av": null
+ },
+ "entityActions": [],
+ "entityAvailableActions": []
+ },
+ {
+ "entityInfo": {
+ "entityId": "13b7686006d8f9e071081d3a99704ea3",
+ "customerId": "prod-3-con-lab44",
+ "customerOem": "Avanan",
+ "saas": "office365_emails",
+ "saasEntityType": "office365_emails_email",
+ "entityCreated": "2023-08-07T00:25:24.400836Z",
+ "entityUpdated": "2023-08-07T00:25:37.392194Z",
+ "entityActionState": "quarantined"
+ },
+ "entityPayload": {
+ "internetMessageId": "<01000189cd6240e9-4cb1a317-60f2-4454-b17a-34a2be65a1e5-000000@email.amazonses.com>",
+ "subject": "aut_quar_prod3_17__070823_00_25_15_699019",
+ "received": "2023-08-07T00:25:16Z",
+ "size": null,
+ "emailLinks": [],
+ "attachmentCount": 1,
+ "attachments": [
+ {
+ "name": "avanan_malicious_49_070823_00_25_15_1691367915.pdf",
+ "mimetype": "application/pdf",
+ "size": 2071,
+ "MD5": "c99144ee5a87c6178774a7a96e93a582"
+ }
+ ],
+ "mode": "monitor",
+ "recipients": [
+ "user3@avananlab44.onmicrosoft.com"
+ ],
+ "fromEmail": "Automation@avtestqa.com",
+ "fromDomain": "avtestqa.com",
+ "fromUser": {},
+ "fromName": "",
+ "to": [
+ "user3@avananlab44.onmicrosoft.com"
+ ],
+ "toUser": [
+ {
+ "entity_id": "1ec5d519-54a5-40fa-9651-19d7286710df",
+ "entity_type": "office365_emails_user",
+ "mail": null
+ }
+ ],
+ "cc": [],
+ "ccUser": [],
+ "bcc": [],
+ "bccUser": [],
+ "replyToEmail": null,
+ "replyToNickname": null,
+ "isRead": null,
+ "isDeleted": true,
+ "isIncoming": true,
+ "isInternal": false,
+ "isOutgoing": false,
+ "isQuarantined": true,
+ "isQuarantineNotification": false,
+ "isRestored": false,
+ "isRestoreRequested": false,
+ "isRestoreDeclined": false,
+ "saasSpamVerdict": "-1",
+ "SpfResult": "pass",
+ 
"restoreRequestTime": null
+ },
+ "entitySecurityResult": {
+ "combinedVerdict": {
+ "ap": "clean",
+ "dlp": null,
+ "clicktimeProtection": null,
+ "shadowIt": "clean",
+ "av": "malicious"
+ },
+ "ap": [
+ {
+ "entityId": "13b7686006d8f9e071081d3a99704ea3",
+ "entityType": "office365_emails_email",
+ "payload": {
+ "reasons_by_category_list": [
+ "Email Headers",
+ "Domain Impersonation",
+ "Sender Reputation"
+ ],
+ "reasons_by_category": {
+ "Email Headers": [
+ {
+ "short_text": "Missing DMARC",
+ "full_text": "The email's header suggest that DMARC signature is missing/invalid"
+ }
+ ],
+ "Domain Impersonation": [
+ {
+ "short_text": "SPF check failed when checking sending IP: 10.10.10.10 for domain avtestqa.com",
+ "full_text": "The email 'from' address doesn't pass the SPF-check"
+ }
+ ],
+ "Sender Reputation": [
+ {
+ "short_text": "Insignificant historical reputation with sender",
+ "full_text": "The sending email address hasn't established significant historical reputation with your domain"
+ },
+ {
+ "short_text": "Low-traffic 'From'-domain",
+ "full_text": "The sender's domain has very low traffic - often indicating low-trust domains"
+ }
+ ]
+ },
+ "reasons": [
+ "First Time Sender"
+ ]
+ },
+ "score": "37.397321",
+ "securityResultEntityId": "13b7686006d8f9e071081d3a99704ea3",
+ "securityResultEntityType": "avanan_ap_scan",
+ "statusCode": "0",
+ "statusDescription": null,
+ "verdict": "clean"
+ }
+ ],
+ "dlp": null,
+ "clicktimeProtection": null,
+ "shadowIt": [
+ {
+ "entityId": "13b7686006d8f9e071081d3a99704ea3",
+ "entityType": "office365_emails_email",
+ "payload": {
+ "from": "Automation@avtestqa.com",
+ "subject": "aut_quar_prod3_17__070823_00_25_15_699019",
+ "domain": ""
+ },
+ "score": "0",
+ "securityResultEntityId": "13b7686006d8f9e071081d3a99704ea3",
+ "securityResultEntityType": "shadow_it_emails_scan",
+ "statusCode": "clean",
+ "statusDescription": "Clean",
+ "verdict": "clean"
+ }
+ ],
+ "av": [
+ {
+ "entityId": 
"cf8881c8136165595092c1f385048942573fca6c",
+ "entityType": "office365_emails_attachment",
+ "payload": {
+ "scan_details": [
+ "Dummy Core Detection"
+ ]
+ },
+ "score": "100",
+ "securityResultEntityId": "cf8881c8136165595092c1f385048942573fca6c",
+ "securityResultEntityType": "checkpoint2",
+ "statusCode": "0",
+ "statusDescription": "Dummy Core Detection",
+ "verdict": "malicious"
+ }
+ ]
+ },
+ "entityActions": [
+ {
+ "entityActionName": "quarantine",
+ "entityActionDate": "2023-08-07T00:25:33.294687Z",
+ "entityActionResponseCode": null,
+ "entityActionResponseText": null,
+ "entityActionState": "quarantined"
+ }
+ ],
+ "entityAvailableActions": []
+ },
+ {
+ "entityInfo": {
+ "entityId": "7235fa131fa6ee89215b3587c5264291",
+ "customerId": "prod-3-con-lab44",
+ "customerOem": "Avanan",
+ "saas": "office365_emails",
+ "saasEntityType": "office365_emails_email",
+ "entityCreated": "2023-08-07T00:25:26.842611Z",
+ "entityUpdated": "2023-08-07T00:25:40.460607Z",
+ "entityActionState": "body_changed"
+ },
+ "entityPayload": {
+ "internetMessageId": "<01000189cd624043-5c3e89fd-5d42-4f0e-8c39-dbb4c9479cd2-000000@email.amazonses.com>",
+ "subject": "Phishing Alert! 
[aut_phish_prod3_17__070823_00_25_15_531319]",
+ "received": "2023-08-07T00:25:17Z",
+ "size": null,
+ "emailLinks": [
+ "http://operatf.xyz/redirect53dfhbhfhfhb"
+ ],
+ "attachmentCount": 0,
+ "attachments": [],
+ "mode": "monitor",
+ "recipients": [
+ "user3@avananlab44.onmicrosoft.com"
+ ],
+ "fromEmail": "Automation@avtestqa.com",
+ "fromDomain": "avtestqa.com",
+ "fromUser": {},
+ "fromName": "",
+ "to": [
+ "user3@avananlab44.onmicrosoft.com"
+ ],
+ "toUser": [
+ {
+ "entity_id": "1ec5d519-54a5-40fa-9651-19d7286710df",
+ "entity_type": "office365_emails_user",
+ "mail": null
+ }
+ ],
+ "cc": [],
+ "ccUser": [],
+ "bcc": [],
+ "bccUser": [],
+ "replyToEmail": null,
+ "replyToNickname": null,
+ "isRead": null,
+ "isDeleted": false,
+ "isIncoming": true,
+ "isInternal": false,
+ "isOutgoing": false,
+ "isQuarantined": false,
+ "isQuarantineNotification": false,
+ "isRestored": false,
+ "isRestoreRequested": false,
+ "isRestoreDeclined": false,
+ "saasSpamVerdict": "-1",
+ "SpfResult": "pass",
+ "restoreRequestTime": null
+ },
+ "entitySecurityResult": {
+ "combinedVerdict": {
+ "ap": "phishing",
+ "dlp": null,
+ "clicktimeProtection": null,
+ "shadowIt": "clean",
+ "av": null
+ },
+ "ap": [
+ {
+ "entityId": "7235fa131fa6ee89215b3587c5264291",
+ "entityType": "office365_emails_email",
+ "payload": {
+ "reasons_by_category_list": [
+ "Email Headers",
+ "Domain Impersonation",
+ "Sender Reputation",
+ "Links"
+ ],
+ "reasons_by_category": {
+ "Links": [
+ {
+ "short_text": "Link to a low-traffic site",
+ "full_text": "The email contains link to low-traffic web-sites - often indicating low-trust domains"
+ }
+ ],
+ "Domain Impersonation": [
+ {
+ "short_text": "SPF check failed when checking sending IP: 10.10.10.10 for domain avtestqa.com",
+ "full_text": "The email 'from' address doesn't pass the SPF-check"
+ }
+ ],
+ "Sender Reputation": [
+ {
+ "short_text": "Insignificant historical reputation with sender",
+ "full_text": "The sending email address hasn't 
established significant historical reputation with your domain"
+ },
+ {
+ "short_text": "Low-traffic 'From'-domain",
+ "full_text": "The sender's domain has very low traffic - often indicating low-trust domains"
+ }
+ ],
+ "Email Headers": [
+ {
+ "short_text": "Missing DMARC",
+ "full_text": "The email's header suggest that DMARC signature is missing/invalid"
+ }
+ ]
+ },
+ "reasons": []
+ },
+ "score": "230.313577",
+ "securityResultEntityId": "7235fa131fa6ee89215b3587c5264291",
+ "securityResultEntityType": "avanan_ap_scan",
+ "statusCode": "0",
+ "statusDescription": null,
+ "verdict": "phishing"
+ }
+ ],
+ "dlp": null,
+ "clicktimeProtection": null,
+ "shadowIt": [
+ {
+ "entityId": "7235fa131fa6ee89215b3587c5264291",
+ "entityType": "office365_emails_email",
+ "payload": {
+ "from": "Automation@avtestqa.com",
+ "subject": "aut_phish_prod3_17__070823_00_25_15_531319",
+ "domain": ""
+ },
+ "score": "0",
+ "securityResultEntityId": "7235fa131fa6ee89215b3587c5264291",
+ "securityResultEntityType": "shadow_it_emails_scan",
+ "statusCode": "clean",
+ "statusDescription": "Clean",
+ "verdict": "clean"
+ }
+ ],
+ "av": null
+ },
+ "entityActions": [
+ {
+ "entityActionName": "subject_change",
+ "entityActionDate": "2023-08-07T00:25:26.842611Z",
+ "entityActionResponseCode": null,
+ "entityActionResponseText": null,
+ "entityActionState": "subject_changed"
+ },
+ {
+ "entityActionName": "body_change",
+ "entityActionDate": "2023-08-07T00:25:26.842611Z",
+ "entityActionResponseCode": null,
+ "entityActionResponseText": null,
+ "entityActionState": "body_changed"
+ }
+ ],
+ "entityAvailableActions": []
+ },
+ {
+ "entityInfo": {
+ "entityId": "766cde81cd1f9d33b7b95c0ab8181485",
+ "customerId": "prod-3-con-lab44",
+ "customerOem": "Avanan",
+ "saas": "office365_emails",
+ "saasEntityType": "office365_emails_email",
+ "entityCreated": "2023-08-07T00:25:27.389539Z",
+ "entityUpdated": "2023-08-07T00:25:36.809815Z",
+ "entityActionState": "links_replaced"
+ },
+ 
"entityPayload": { + "internetMessageId": "<01000189cd623f13-241388f7-4231-458c-834a-bcf0978891c4-000000@email.amazonses.com>-alert", + "subject": "Phishing Alert! [aut_phish_prod3_17__070823_00_25_15_236455]", + "received": "2023-08-07T00:25:16Z", + "size": null, + "emailLinks": [ + "http://operatf.xyz/redirect53dfhbhfhfhb" + ], + "attachmentCount": 0, + "attachments": [], + "mode": "inline", + "recipients": [ + "user2@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user2@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": null, + "replyToNickname": null, + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "phishing", + "dlp": "clean", + "clicktimeProtection": "links_replaced", + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "766cde81cd1f9d33b7b95c0ab8181485", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Domain Impersonation", + "Sender Reputation", + "Links" + ], + "reasons_by_category": { + "Links": [ + { + "short_text": "Link to a low-traffic site", + "full_text": "The email contains link to low-traffic web-sites - often indicating low-trust domains" + } + ], + "Domain Impersonation": [ + { + "short_text": "SPF check failed when checking sending IP: 10.10.10.10 for domain avtestqa.com", + "full_text": "The email 'from' address doesn't 
pass the SPF-check" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ], + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ] + }, + "reasons": [] + }, + "score": "234.309006", + "securityResultEntityId": "766cde81cd1f9d33b7b95c0ab8181485", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "phishing" + } + ], + "dlp": [ + { + "entityId": "766cde81cd1f9d33b7b95c0ab8181485", + "entityType": "office365_emails_email", + "payload": { + "matches_dlp_rules": [], + "found_text": [], + "scan_details": [], + "hit_count": 0 + }, + "score": "0", + "securityResultEntityId": "766cde81cd1f9d33b7b95c0ab8181485", + "securityResultEntityType": "avanan_dlp", + "statusCode": "0", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "clicktimeProtection": [ + { + "entityId": "766cde81cd1f9d33b7b95c0ab8181485", + "entityType": "office365_emails_email", + "payload": null, + "score": "0", + "securityResultEntityId": "766cde81cd1f9d33b7b95c0ab8181485", + "securityResultEntityType": "clicktime_protection_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "links_replaced" + } + ], + "shadowIt": [ + { + "entityId": "766cde81cd1f9d33b7b95c0ab8181485", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "aut_phish_prod3_17__070823_00_25_15_236455", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "766cde81cd1f9d33b7b95c0ab8181485", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + 
"statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [ + { + "entityActionName": "subject_change", + "entityActionDate": "2023-08-07T00:25:27.389539Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "subject_changed" + }, + { + "entityActionName": "body_change", + "entityActionDate": "2023-08-07T00:25:27.389539Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "body_changed" + }, + { + "entityActionName": "links_replace", + "entityActionDate": "2023-08-07T00:25:27.389539Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "links_replaced" + } + ], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "2d563f39c9f9f83da3fba11677497878", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T00:25:27.390819Z", + "entityUpdated": "2023-08-07T00:25:42.757858Z", + "entityActionState": null + }, + "entityPayload": { + "internetMessageId": "<01000189cd623f9e-a4670489-f19a-4115-84b0-c8e3a6d0e5da-000000@email.amazonses.com>", + "subject": "aut_clean_prod3_17__070823_00_25_15_363407", + "received": "2023-08-07T00:25:16Z", + "size": null, + "emailLinks": [], + "attachmentCount": 0, + "attachments": [], + "mode": "inline", + "recipients": [ + "user2@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user2@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": null, + "replyToNickname": null, + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": 
false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": "clean", + "clicktimeProtection": "no_links_replaced", + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "2d563f39c9f9f83da3fba11677497878", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Domain Impersonation", + "Sender Reputation" + ], + "reasons_by_category": { + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ], + "Domain Impersonation": [ + { + "short_text": "SPF check failed when checking sending IP: 10.10.10.10 for domain avtestqa.com", + "full_text": "The email 'from' address doesn't pass the SPF-check" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "125.763193", + "securityResultEntityId": "2d563f39c9f9f83da3fba11677497878", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "clean" + } + ], + "dlp": [ + { + "entityId": "2d563f39c9f9f83da3fba11677497878", + "entityType": "office365_emails_email", + "payload": { + "matches_dlp_rules": [], + "found_text": [], + "scan_details": [], + "hit_count": 0 + }, + "score": "0", + "securityResultEntityId": "2d563f39c9f9f83da3fba11677497878", + 
"securityResultEntityType": "avanan_dlp", + "statusCode": "0", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "clicktimeProtection": [ + { + "entityId": "2d563f39c9f9f83da3fba11677497878", + "entityType": "office365_emails_email", + "payload": null, + "score": "0", + "securityResultEntityId": "2d563f39c9f9f83da3fba11677497878", + "securityResultEntityType": "clicktime_protection_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "no_links_replaced" + } + ], + "shadowIt": [ + { + "entityId": "2d563f39c9f9f83da3fba11677497878", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "aut_clean_prod3_17__070823_00_25_15_363407", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "2d563f39c9f9f83da3fba11677497878", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "a8ccb2e818b2a25ebbf1ac196c5fe9d0", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T00:25:27.571626Z", + "entityUpdated": "2023-08-07T00:25:42.008390Z", + "entityActionState": "quarantined" + }, + "entityPayload": { + "internetMessageId": "<01000189cd623e6d-b1bf33a0-9888-4f1c-88db-ef5de5d6ceeb-000000@email.amazonses.com>", + "subject": "aut_quar_prod3_17__070823_00_25_15_054392", + "received": "2023-08-07T00:25:16Z", + "size": null, + "emailLinks": [], + "attachmentCount": 1, + "attachments": [ + { + "name": "avanan_malicious_18_070823_00_25_15_1691367915.pdf", + "mimetype": "application/pdf", + "size": 2068, + "MD5": "7f8b6a4f6f56a8faeb6b7a924dbf6811" + } + ], + "mode": "inline", + "recipients": [ + "user2@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + 
"fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user2@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": null, + "replyToNickname": null, + "isRead": null, + "isDeleted": true, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": true, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": "clean", + "clicktimeProtection": "no_links_replaced", + "shadowIt": "clean", + "av": "malicious" + }, + "ap": [ + { + "entityId": "a8ccb2e818b2a25ebbf1ac196c5fe9d0", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Domain Impersonation", + "Sender Reputation" + ], + "reasons_by_category": { + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ], + "Domain Impersonation": [ + { + "short_text": "SPF check failed when checking sending IP: 10.10.10.10 for domain avtestqa.com", + "full_text": "The email 'from' address doesn't pass the SPF-check" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "33.833035", + "securityResultEntityId": "a8ccb2e818b2a25ebbf1ac196c5fe9d0", 
+ "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "clean" + } + ], + "dlp": [ + { + "entityId": "a8ccb2e818b2a25ebbf1ac196c5fe9d0", + "entityType": "office365_emails_email", + "payload": { + "matches_dlp_rules": [], + "found_text": [], + "scan_details": [], + "hit_count": 0 + }, + "score": "0", + "securityResultEntityId": "a8ccb2e818b2a25ebbf1ac196c5fe9d0", + "securityResultEntityType": "avanan_dlp", + "statusCode": "0", + "statusDescription": "Clean", + "verdict": "clean" + }, + { + "entityId": "516e288cf9ebce6cfa7741710f7e56846b81d4b7", + "entityType": "office365_emails_attachment", + "payload": { + "matches_dlp_rules": [], + "found_text": [], + "scan_details": [], + "hit_count": 0 + }, + "score": "0", + "securityResultEntityId": "516e288cf9ebce6cfa7741710f7e56846b81d4b7", + "securityResultEntityType": "avanan_dlp", + "statusCode": "0", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "clicktimeProtection": [ + { + "entityId": "a8ccb2e818b2a25ebbf1ac196c5fe9d0", + "entityType": "office365_emails_email", + "payload": null, + "score": "0", + "securityResultEntityId": "a8ccb2e818b2a25ebbf1ac196c5fe9d0", + "securityResultEntityType": "clicktime_protection_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "no_links_replaced" + } + ], + "shadowIt": [ + { + "entityId": "a8ccb2e818b2a25ebbf1ac196c5fe9d0", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "aut_quar_prod3_17__070823_00_25_15_054392", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "a8ccb2e818b2a25ebbf1ac196c5fe9d0", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": [ + { + "entityId": "516e288cf9ebce6cfa7741710f7e56846b81d4b7", + "entityType": "office365_emails_attachment", + "payload": { + "scan_details": [ + "Dummy Core Detection" + ] + }, 
+ "score": "100", + "securityResultEntityId": "516e288cf9ebce6cfa7741710f7e56846b81d4b7", + "securityResultEntityType": "checkpoint2", + "statusCode": "0", + "statusDescription": "Dummy Core Detection", + "verdict": "malicious" + } + ] + }, + "entityActions": [ + { + "entityActionName": "quarantine", + "entityActionDate": "2023-08-07T00:25:41.274512Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "quarantined" + } + ], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "04361493c5a90b0445cbafbbca2618f9", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T00:29:18.493869Z", + "entityUpdated": "2023-08-07T00:34:16.449330Z", + "entityActionState": null + }, + "entityPayload": { + "internetMessageId": "<01000189cd65cf85-6a3cb067-7958-47c9-b2c2-d6b53bfad919-000000@email.amazonses.com>", + "subject": "aut_clean_prod3_17__070823_00_29_08_799594", + "received": "2023-08-07T00:29:09Z", + "size": null, + "emailLinks": [], + "attachmentCount": 0, + "attachments": [], + "mode": "inline", + "recipients": [ + "user4@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user4@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "37bf0b54-5136-49e7-82c8-58f85d42b333", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": null, + "replyToNickname": null, + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": true, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + 
"entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": null, + "clicktimeProtection": null, + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "04361493c5a90b0445cbafbbca2618f9", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Domain Impersonation", + "Sender Reputation" + ], + "reasons_by_category": { + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ], + "Domain Impersonation": [ + { + "short_text": "SPF check failed when checking sending IP: 10.10.10.10 for domain avtestqa.com", + "full_text": "The email 'from' address doesn't pass the SPF-check" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "108.677335", + "securityResultEntityId": "04361493c5a90b0445cbafbbca2618f9", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "clean" + } + ], + "dlp": null, + "clicktimeProtection": null, + "shadowIt": [ + { + "entityId": "04361493c5a90b0445cbafbbca2618f9", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "aut_clean_prod3_17__070823_00_29_08_799594", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "04361493c5a90b0445cbafbbca2618f9", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [], + "entityAvailableActions": [] + }, + { + 
"entityInfo": { + "entityId": "7f2aac8b146c749881c560745ffe5287", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T00:31:26.131555Z", + "entityUpdated": "2023-08-07T00:33:02.036563Z", + "entityActionState": "links_replaced" + }, + "entityPayload": { + "internetMessageId": "<00000000.00000000000000.00000000000000.00000000@mail.example.com>", + "subject": "AUT-clicktime-qa-1_070823_03_31_18_209515", + "received": "2023-08-07T00:31:19Z", + "size": null, + "emailLinks": [ + "http://www.xvira-malwareavrad.com", + "https://google.com", + "https://stackoverflow.com" + ], + "attachmentCount": 0, + "attachments": [], + "mode": "inline", + "recipients": [ + "user2@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user2@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": "Automation@avtestqa.com", + "replyToNickname": "", + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": "clean", + "clicktimeProtection": "malicious_url", + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "7f2aac8b146c749881c560745ffe5287", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Sender Reputation", + "Links", + "Email Text" + ], + 
"reasons_by_category": { + "Links": [ + { + "short_text": "Link to a low-traffic site", + "full_text": "The email contains link to low-traffic web-sites - often indicating low-trust domains" + }, + { + "short_text": "Suspicious-looking link", + "full_text": "The email presents a link that can be misleading (link text vs. actual URL)" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ], + "Email Text": [ + { + "short_text": "Suspicious-looking email text", + "full_text": "NLP analysis of the email text indicates a suspicious-looking email content" + } + ], + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "275.646318", + "securityResultEntityId": "7f2aac8b146c749881c560745ffe5287", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "clean" + } + ], + "dlp": [ + { + "entityId": "7f2aac8b146c749881c560745ffe5287", + "entityType": "office365_emails_email", + "payload": { + "matches_dlp_rules": [], + "found_text": [], + "scan_details": [], + "hit_count": 0 + }, + "score": "0", + "securityResultEntityId": "7f2aac8b146c749881c560745ffe5287", + "securityResultEntityType": "avanan_dlp", + "statusCode": "0", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "clicktimeProtection": [ + { + "entityId": "7f2aac8b146c749881c560745ffe5287", + "entityType": "office365_emails_email", + "payload": { + "malicious_url_clicks": [ + "http://www.xvira-malwareavrad.com" + ] + }, + "score": "0", + "securityResultEntityId": 
"7f2aac8b146c749881c560745ffe5287", + "securityResultEntityType": "clicktime_protection_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "malicious_url" + }, + { + "entityId": "7f2aac8b146c749881c560745ffe5287", + "entityType": "office365_emails_email", + "payload": { + "result": { + "entity_type": "office365_emails_email", + "guid": "a76f", + "ip_address": "10.10.10.10, 10.10.10.11", + "entity_id": "7f2aac8b146c749881c560745ffe5287", + "event": "block", + "brand": "avanan", + "request_id": "4eb54d3f146b403f", + "url": "http://www.xvira-malwareavrad.com/", + "user_agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/81.0.4044.92 Safari/537.36", + "customer": "prod-3-con-lab44", + "farm_id": "mt-prod-3", + "detection_info": null + }, + "link": "http://www.xvira-malwareavrad.com", + "client_ip_address": null, + "user_agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/81.0.4044.92 Safari/537.36", + "detection_info": "{}" + }, + "score": "0.0", + "securityResultEntityId": "574bba05708e4e0bbdb061d5ad4bb9f8", + "securityResultEntityType": "clicktime_protection_scan_clicks", + "statusCode": "0", + "statusDescription": null, + "verdict": "malicious_url" + }, + { + "entityId": "7f2aac8b146c749881c560745ffe5287", + "entityType": "office365_emails_email", + "payload": { + "result": { + "entity_type": "office365_emails_email", + "guid": "22f0", + "ip_address": "10.10.10.10, 10.10.10.11", + "entity_id": "7f2aac8b146c749881c560745ffe5287", + "event": "block", + "brand": "avanan", + "request_id": "d07a52c232c860ea", + "url": "http://www.xvira-malwareavrad.com/", + "user_agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/81.0.4044.92 Safari/537.36", + "customer": "prod-3-con-lab44", + "farm_id": "mt-prod-3", + "detection_info": null + }, + "link": "http://www.xvira-malwareavrad.com", + "client_ip_address": null, + "user_agent": 
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/81.0.4044.92 Safari/537.36", + "detection_info": "{}" + }, + "score": "0.0", + "securityResultEntityId": "293ec8f2761748f1b82742d35c383a01", + "securityResultEntityType": "clicktime_protection_scan_clicks", + "statusCode": "0", + "statusDescription": null, + "verdict": "malicious_url" + } + ], + "shadowIt": [ + { + "entityId": "7f2aac8b146c749881c560745ffe5287", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "AUT-clicktime-qa-1_070823_03_31_18_209515", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "7f2aac8b146c749881c560745ffe5287", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [ + { + "entityActionName": "body_change", + "entityActionDate": "2023-08-07T00:31:26.131555Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "body_changed" + }, + { + "entityActionName": "links_replace", + "entityActionDate": "2023-08-07T00:31:26.131555Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "links_replaced" + } + ], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "6e5882cd54a4b970e42889e3d1006300", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T00:31:26.438665Z", + "entityUpdated": "2023-08-07T00:35:42.143121Z", + "entityActionState": "links_replaced" + }, + "entityPayload": { + "internetMessageId": "<00000000.00000000000000.00000000000000.00000000@mail.example.com>", + "subject": "AUT-clicktime-qa-1-blacklist_070823_03_31_19_329573", + "received": "2023-08-07T00:31:20Z", + "size": null, + "emailLinks": [ + "https://facebook.com" + ], + 
"attachmentCount": 0, + "attachments": [], + "mode": "inline", + "recipients": [ + "user2@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user2@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": "Automation@avtestqa.com", + "replyToNickname": "", + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": "clean", + "clicktimeProtection": "malicious_url", + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "6e5882cd54a4b970e42889e3d1006300", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Sender Reputation" + ], + "reasons_by_category": { + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "52.964422", + "securityResultEntityId": "6e5882cd54a4b970e42889e3d1006300", + "securityResultEntityType": "avanan_ap_scan", + 
"statusCode": "0", + "statusDescription": null, + "verdict": "clean" + } + ], + "dlp": [ + { + "entityId": "6e5882cd54a4b970e42889e3d1006300", + "entityType": "office365_emails_email", + "payload": { + "matches_dlp_rules": [], + "found_text": [], + "scan_details": [], + "hit_count": 0 + }, + "score": "0", + "securityResultEntityId": "6e5882cd54a4b970e42889e3d1006300", + "securityResultEntityType": "avanan_dlp", + "statusCode": "0", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "clicktimeProtection": [ + { + "entityId": "6e5882cd54a4b970e42889e3d1006300", + "entityType": "office365_emails_email", + "payload": null, + "score": "0", + "securityResultEntityId": "6e5882cd54a4b970e42889e3d1006300", + "securityResultEntityType": "clicktime_protection_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "malicious_url" + } + ], + "shadowIt": [ + { + "entityId": "6e5882cd54a4b970e42889e3d1006300", + "entityType": "office365_emails_email", + "payload": { + "subject": "AUT-clicktime-qa-1-blacklist_070823_03_31_19_329573", + "from": "Automation@avtestqa.com", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "6e5882cd54a4b970e42889e3d1006300", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [ + { + "entityActionName": "body_change", + "entityActionDate": "2023-08-07T00:31:26.438665Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "body_changed" + }, + { + "entityActionName": "links_replace", + "entityActionDate": "2023-08-07T00:31:26.438665Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "links_replaced" + } + ], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "a5c8d4306614f9bea0fb3d01bb44d33d", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": 
"office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T00:31:26.768023Z", + "entityUpdated": "2023-08-07T00:31:56.890247Z", + "entityActionState": null + }, + "entityPayload": { + "internetMessageId": "<00000000.00000000000000.00000000000000.00000000@mail.example.com>", + "subject": "AUT-clicktime-qa-1-ignorelist_070823_03_31_18_641789", + "received": "2023-08-07T00:31:20Z", + "size": null, + "emailLinks": [ + "https://mail.google.com", + "https://www.youtube.com", + "https://yardiasp14.com" + ], + "attachmentCount": 0, + "attachments": [], + "mode": "inline", + "recipients": [ + "user2@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user2@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": "Automation@avtestqa.com", + "replyToNickname": "", + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": "clean", + "clicktimeProtection": "no_links_replaced", + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "a5c8d4306614f9bea0fb3d01bb44d33d", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Sender Reputation" + ], + "reasons_by_category": { + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ], + "Sender 
Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "68.697515", + "securityResultEntityId": "a5c8d4306614f9bea0fb3d01bb44d33d", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "clean" + } + ], + "dlp": [ + { + "entityId": "a5c8d4306614f9bea0fb3d01bb44d33d", + "entityType": "office365_emails_email", + "payload": { + "matches_dlp_rules": [], + "found_text": [], + "scan_details": [], + "hit_count": 0 + }, + "score": "0", + "securityResultEntityId": "a5c8d4306614f9bea0fb3d01bb44d33d", + "securityResultEntityType": "avanan_dlp", + "statusCode": "0", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "clicktimeProtection": [ + { + "entityId": "a5c8d4306614f9bea0fb3d01bb44d33d", + "entityType": "office365_emails_email", + "payload": null, + "score": "0", + "securityResultEntityId": "a5c8d4306614f9bea0fb3d01bb44d33d", + "securityResultEntityType": "clicktime_protection_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "no_links_replaced" + } + ], + "shadowIt": [ + { + "entityId": "a5c8d4306614f9bea0fb3d01bb44d33d", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "AUT-clicktime-qa-1-ignorelist_070823_03_31_18_641789", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "a5c8d4306614f9bea0fb3d01bb44d33d", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [], + "entityAvailableActions": [] + }, + { + "entityInfo": { + 
"entityId": "00de1eca4442681e175bc52e099dd451", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T00:31:27.024477Z", + "entityUpdated": "2023-08-07T00:31:58.905203Z", + "entityActionState": "links_replaced" + }, + "entityPayload": { + "internetMessageId": "<00000000.00000000000000.00000000000000.00000000@mail.example.com>", + "subject": "AUT-clicktime-qa-1-whitelist_070823_03_31_18_969962", + "received": "2023-08-07T00:31:20Z", + "size": null, + "emailLinks": [ + "http://www.xvirb-malwareavrad.com" + ], + "attachmentCount": 0, + "attachments": [], + "mode": "inline", + "recipients": [ + "user2@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user2@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": "Automation@avtestqa.com", + "replyToNickname": "", + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": "clean", + "clicktimeProtection": "links_replaced", + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "00de1eca4442681e175bc52e099dd451", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Sender Reputation", + "Links" + ], + "reasons_by_category": { + "Email Headers": [ + { + "short_text": "Missing DMARC", + 
"full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ], + "Links": [ + { + "short_text": "Link to a low-traffic site", + "full_text": "The email contains link to low-traffic web-sites - often indicating low-trust domains" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "148.308417", + "securityResultEntityId": "00de1eca4442681e175bc52e099dd451", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "clean" + } + ], + "dlp": [ + { + "entityId": "00de1eca4442681e175bc52e099dd451", + "entityType": "office365_emails_email", + "payload": { + "matches_dlp_rules": [], + "found_text": [], + "scan_details": [], + "hit_count": 0 + }, + "score": "0", + "securityResultEntityId": "00de1eca4442681e175bc52e099dd451", + "securityResultEntityType": "avanan_dlp", + "statusCode": "0", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "clicktimeProtection": [ + { + "entityId": "00de1eca4442681e175bc52e099dd451", + "entityType": "office365_emails_email", + "payload": null, + "score": "0", + "securityResultEntityId": "00de1eca4442681e175bc52e099dd451", + "securityResultEntityType": "clicktime_protection_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "links_replaced" + } + ], + "shadowIt": [ + { + "entityId": "00de1eca4442681e175bc52e099dd451", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "AUT-clicktime-qa-1-whitelist_070823_03_31_18_969962", + "domain": "" + }, + "score": "0", + "securityResultEntityId": 
"00de1eca4442681e175bc52e099dd451", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [ + { + "entityActionName": "body_change", + "entityActionDate": "2023-08-07T00:31:27.024477Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "body_changed" + }, + { + "entityActionName": "links_replace", + "entityActionDate": "2023-08-07T00:31:27.024477Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "links_replaced" + } + ], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "c2bddd74c8296899cebaa41f544b00fa", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T00:31:27.286650Z", + "entityUpdated": "2023-08-07T00:31:57.894455Z", + "entityActionState": "links_replaced" + }, + "entityPayload": { + "internetMessageId": "<00000000.00000000000000.00000000000000.00000000@mail.example.com>", + "subject": "AUT-clicktime-qa-1-special-urls_070823_03_31_19_662869", + "received": "2023-08-07T00:31:21Z", + "size": null, + "emailLinks": [ + "https://hengold.github.io/clicktime_url/?url=!*", + "https://hengold.github.io/clicktime_url/?url=!*'();:@&=+$,/?%#[]/", + "https://hengold.github.io/clicktime_url/?\u043f\u0440\u0430\u0432\u0438\u0442\u0435\u043b\u044c\u0441\u0442\u0432\u043e/", + "https://hengold.github.io/clicktime_url/?\u05d1\u05e2\u05d1\u05e8\u05d9\u05ea/", + "https://hengold.github.io/clicktime_url/?\u4e2d\u6587/" + ], + "attachmentCount": 0, + "attachments": [], + "mode": "inline", + "recipients": [ + "user2@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user2@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + 
"entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": "Automation@avtestqa.com", + "replyToNickname": "", + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": "clean", + "clicktimeProtection": "links_replaced", + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "c2bddd74c8296899cebaa41f544b00fa", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Sender Reputation", + "Links" + ], + "reasons_by_category": { + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ], + "Links": [ + { + "short_text": "Suspicious-looking link", + "full_text": "Some of the links in the email has suspicious format - often used by Phishing emails" + }, + { + "short_text": "Link to a low-traffic site", + "full_text": "The email contains link to low-traffic web-sites - often indicating low-trust domains" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "45.599355", + "securityResultEntityId": "c2bddd74c8296899cebaa41f544b00fa", + 
"securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "clean" + } + ], + "dlp": [ + { + "entityId": "c2bddd74c8296899cebaa41f544b00fa", + "entityType": "office365_emails_email", + "payload": { + "matches_dlp_rules": [], + "found_text": [], + "scan_details": [], + "hit_count": 0 + }, + "score": "0", + "securityResultEntityId": "c2bddd74c8296899cebaa41f544b00fa", + "securityResultEntityType": "avanan_dlp", + "statusCode": "0", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "clicktimeProtection": [ + { + "entityId": "c2bddd74c8296899cebaa41f544b00fa", + "entityType": "office365_emails_email", + "payload": null, + "score": "0", + "securityResultEntityId": "c2bddd74c8296899cebaa41f544b00fa", + "securityResultEntityType": "clicktime_protection_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "links_replaced" + } + ], + "shadowIt": [ + { + "entityId": "c2bddd74c8296899cebaa41f544b00fa", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "AUT-clicktime-qa-1-special-urls_070823_03_31_19_662869", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "c2bddd74c8296899cebaa41f544b00fa", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [ + { + "entityActionName": "body_change", + "entityActionDate": "2023-08-07T00:31:27.286650Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "body_changed" + }, + { + "entityActionName": "links_replace", + "entityActionDate": "2023-08-07T00:31:27.286650Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "links_replaced" + } + ], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "eb13f2e0e566edb8f59751eb41bc9337", + "customerId": 
"prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T00:36:14.740115Z", + "entityUpdated": "2023-08-07T00:36:27.923921Z", + "entityActionState": "quarantined" + }, + "entityPayload": { + "internetMessageId": "<01000189cd6c322b-b4fc7590-110c-41cb-9327-fbf0ffbb8a2c-000000@email.amazonses.com>", + "subject": "aut_quar_prod3_17__070823_00_36_07_281790", + "received": "2023-08-07T00:36:08Z", + "size": null, + "emailLinks": [], + "attachmentCount": 1, + "attachments": [ + { + "name": "avanan_malicious_55_070823_00_36_07_1691368567.pdf", + "mimetype": "application/pdf", + "size": 2067, + "MD5": "6f77dfce15b49b4de0068bd5950a6f4f" + } + ], + "mode": "inline", + "recipients": [ + "user2@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user2@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": null, + "replyToNickname": null, + "isRead": null, + "isDeleted": true, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": true, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": "clean", + "clicktimeProtection": "no_links_replaced", + "shadowIt": "clean", + "av": "malicious" + }, + "ap": [ + { + "entityId": "eb13f2e0e566edb8f59751eb41bc9337", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Domain Impersonation", + "Sender Reputation" + ], + "reasons_by_category": 
{ + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ], + "Domain Impersonation": [ + { + "short_text": "SPF check failed when checking sending IP: 10.10.10.10 for domain avtestqa.com", + "full_text": "The email 'from' address doesn't pass the SPF-check" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "38.152973", + "securityResultEntityId": "eb13f2e0e566edb8f59751eb41bc9337", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "clean" + } + ], + "dlp": [ + { + "entityId": "eb13f2e0e566edb8f59751eb41bc9337", + "entityType": "office365_emails_email", + "payload": { + "matches_dlp_rules": [], + "found_text": [], + "scan_details": [], + "hit_count": 0 + }, + "score": "0", + "securityResultEntityId": "eb13f2e0e566edb8f59751eb41bc9337", + "securityResultEntityType": "avanan_dlp", + "statusCode": "0", + "statusDescription": "Clean", + "verdict": "clean" + }, + { + "entityId": "b435d1581d3030f3979923f57d4fffc9c49c7089", + "entityType": "office365_emails_attachment", + "payload": { + "matches_dlp_rules": [], + "found_text": [], + "scan_details": [], + "hit_count": 0 + }, + "score": "0", + "securityResultEntityId": "b435d1581d3030f3979923f57d4fffc9c49c7089", + "securityResultEntityType": "avanan_dlp", + "statusCode": "0", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "clicktimeProtection": [ + { + "entityId": "eb13f2e0e566edb8f59751eb41bc9337", + "entityType": "office365_emails_email", + "payload": null, + "score": "0", + 
"securityResultEntityId": "eb13f2e0e566edb8f59751eb41bc9337", + "securityResultEntityType": "clicktime_protection_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "no_links_replaced" + } + ], + "shadowIt": [ + { + "entityId": "eb13f2e0e566edb8f59751eb41bc9337", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "aut_quar_prod3_17__070823_00_36_07_281790", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "eb13f2e0e566edb8f59751eb41bc9337", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": [ + { + "entityId": "b435d1581d3030f3979923f57d4fffc9c49c7089", + "entityType": "office365_emails_attachment", + "payload": { + "scan_details": [ + "Dummy Core Detection" + ] + }, + "score": "100", + "securityResultEntityId": "b435d1581d3030f3979923f57d4fffc9c49c7089", + "securityResultEntityType": "checkpoint2", + "statusCode": "0", + "statusDescription": "Dummy Core Detection", + "verdict": "malicious" + } + ] + }, + "entityActions": [ + { + "entityActionName": "quarantine", + "entityActionDate": "2023-08-07T00:36:24.072880Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "quarantined" + } + ], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "2be800dd1703fd4ac512350652891119", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T00:36:14.965820Z", + "entityUpdated": "2023-08-07T00:36:21.640350Z", + "entityActionState": null + }, + "entityPayload": { + "internetMessageId": "<01000189cd6c3391-019bb1ef-e9d8-44d6-b60f-5e924d5abc23-000000@email.amazonses.com>", + "subject": "aut_clean_prod3_17__070823_00_36_07_650110", + "received": "2023-08-07T00:36:08Z", + "size": null, + "emailLinks": [], + 
"attachmentCount": 0, + "attachments": [], + "mode": "inline", + "recipients": [ + "user2@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user2@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": null, + "replyToNickname": null, + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": "clean", + "clicktimeProtection": "no_links_replaced", + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "2be800dd1703fd4ac512350652891119", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Domain Impersonation", + "Sender Reputation" + ], + "reasons_by_category": { + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ], + "Domain Impersonation": [ + { + "short_text": "SPF check failed when checking sending IP: 10.10.10.10 for domain avtestqa.com", + "full_text": "The email 'from' address doesn't pass the SPF-check" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating 
low-trust domains" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "125.763193", + "securityResultEntityId": "2be800dd1703fd4ac512350652891119", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "clean" + } + ], + "dlp": [ + { + "entityId": "2be800dd1703fd4ac512350652891119", + "entityType": "office365_emails_email", + "payload": { + "matches_dlp_rules": [], + "found_text": [], + "scan_details": [], + "hit_count": 0 + }, + "score": "0", + "securityResultEntityId": "2be800dd1703fd4ac512350652891119", + "securityResultEntityType": "avanan_dlp", + "statusCode": "0", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "clicktimeProtection": [ + { + "entityId": "2be800dd1703fd4ac512350652891119", + "entityType": "office365_emails_email", + "payload": null, + "score": "0", + "securityResultEntityId": "2be800dd1703fd4ac512350652891119", + "securityResultEntityType": "clicktime_protection_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "no_links_replaced" + } + ], + "shadowIt": [ + { + "entityId": "2be800dd1703fd4ac512350652891119", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "aut_clean_prod3_17__070823_00_36_07_650110", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "2be800dd1703fd4ac512350652891119", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "2c895639803507df2a32afc092166a84", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T00:36:15.162479Z", + "entityUpdated": "2023-08-07T00:36:24.038472Z", + "entityActionState": "links_replaced" + }, + 
"entityPayload": { + "internetMessageId": "<01000189cd6c32c0-3f71d004-0cd0-4937-be22-06042ba6ff71-000000@email.amazonses.com>-alert", + "subject": "Phishing Alert! [aut_phish_prod3_17__070823_00_36_07_439014]", + "received": "2023-08-07T00:36:08Z", + "size": null, + "emailLinks": [ + "http://operatf.xyz/redirect53dfhbhfhfhb" + ], + "attachmentCount": 0, + "attachments": [], + "mode": "inline", + "recipients": [ + "user2@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user2@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": null, + "replyToNickname": null, + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "phishing", + "dlp": "clean", + "clicktimeProtection": "links_replaced", + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "2c895639803507df2a32afc092166a84", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Domain Impersonation", + "Sender Reputation", + "Links" + ], + "reasons_by_category": { + "Links": [ + { + "short_text": "Link to a low-traffic site", + "full_text": "The email contains link to low-traffic web-sites - often indicating low-trust domains" + } + ], + "Domain Impersonation": [ + { + "short_text": "SPF check failed when checking sending IP: 10.10.10.10 for domain avtestqa.com", + "full_text": "The email 'from' address doesn't 
pass the SPF-check" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ], + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ] + }, + "reasons": [] + }, + "score": "210.879967", + "securityResultEntityId": "2c895639803507df2a32afc092166a84", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "phishing" + } + ], + "dlp": [ + { + "entityId": "2c895639803507df2a32afc092166a84", + "entityType": "office365_emails_email", + "payload": { + "matches_dlp_rules": [], + "found_text": [], + "scan_details": [], + "hit_count": 0 + }, + "score": "0", + "securityResultEntityId": "2c895639803507df2a32afc092166a84", + "securityResultEntityType": "avanan_dlp", + "statusCode": "0", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "clicktimeProtection": [ + { + "entityId": "2c895639803507df2a32afc092166a84", + "entityType": "office365_emails_email", + "payload": null, + "score": "0", + "securityResultEntityId": "2c895639803507df2a32afc092166a84", + "securityResultEntityType": "clicktime_protection_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "links_replaced" + } + ], + "shadowIt": [ + { + "entityId": "2c895639803507df2a32afc092166a84", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "aut_phish_prod3_17__070823_00_36_07_439014", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "2c895639803507df2a32afc092166a84", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + 
"statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [ + { + "entityActionName": "subject_change", + "entityActionDate": "2023-08-07T00:36:15.162479Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "subject_changed" + }, + { + "entityActionName": "body_change", + "entityActionDate": "2023-08-07T00:36:15.162479Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "body_changed" + }, + { + "entityActionName": "links_replace", + "entityActionDate": "2023-08-07T00:36:15.162479Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "links_replaced" + } + ], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "a92c5cf71cfb128d6cb1bc7f8203a710", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T00:36:15.185435Z", + "entityUpdated": "2023-08-07T00:36:22.192022Z", + "entityActionState": "quarantined" + }, + "entityPayload": { + "internetMessageId": "<01000189cd6c35d9-6247d610-8e33-4daa-9646-bb2917d4ea83-000000@email.amazonses.com>", + "subject": "aut_quar_prod3_17__070823_00_36_07_968164", + "received": "2023-08-07T00:36:09Z", + "size": null, + "emailLinks": [], + "attachmentCount": 1, + "attachments": [ + { + "name": "avanan_malicious_23_070823_00_36_08_1691368568.pdf", + "mimetype": "application/pdf", + "size": 2068, + "MD5": "09be6f7a8375d04964aaaa9c500cb519" + } + ], + "mode": "monitor", + "recipients": [ + "user3@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user3@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "1ec5d519-54a5-40fa-9651-19d7286710df", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], 
+ "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": null, + "replyToNickname": null, + "isRead": null, + "isDeleted": true, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": true, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": null, + "clicktimeProtection": null, + "shadowIt": "clean", + "av": "malicious" + }, + "ap": [ + { + "entityId": "a92c5cf71cfb128d6cb1bc7f8203a710", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Domain Impersonation", + "Sender Reputation" + ], + "reasons_by_category": { + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ], + "Domain Impersonation": [ + { + "short_text": "SPF check failed when checking sending IP: 10.10.10.10 for domain avtestqa.com", + "full_text": "The email 'from' address doesn't pass the SPF-check" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "37.394969", + "securityResultEntityId": "a92c5cf71cfb128d6cb1bc7f8203a710", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "clean" + } + ], + "dlp": null, + "clicktimeProtection": null, + "shadowIt": [ + { + "entityId": "a92c5cf71cfb128d6cb1bc7f8203a710", + "entityType": "office365_emails_email", + 
"payload": { + "from": "Automation@avtestqa.com", + "subject": "aut_quar_prod3_17__070823_00_36_07_968164", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "a92c5cf71cfb128d6cb1bc7f8203a710", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": [ + { + "entityId": "5cae1a11f1787a1624e518ae4bc198170aee6543", + "entityType": "office365_emails_attachment", + "payload": { + "scan_details": [ + "Dummy Core Detection" + ] + }, + "score": "100", + "securityResultEntityId": "5cae1a11f1787a1624e518ae4bc198170aee6543", + "securityResultEntityType": "checkpoint2", + "statusCode": "0", + "statusDescription": "Dummy Core Detection", + "verdict": "malicious" + } + ] + }, + "entityActions": [ + { + "entityActionName": "quarantine", + "entityActionDate": "2023-08-07T00:36:21.957155Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "quarantined" + } + ], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "5244bc1edcda7b4eb1394cfd5caae536", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T00:36:17.554898Z", + "entityUpdated": "2023-08-07T00:36:29.019312Z", + "entityActionState": "body_changed" + }, + "entityPayload": { + "internetMessageId": "<01000189cd6c3435-85994fcf-f157-45dd-b04c-0f54e6b251b9-000000@email.amazonses.com>", + "subject": "Phishing Alert! 
[aut_phish_prod3_17__070823_00_36_07_808755]", + "received": "2023-08-07T00:36:09Z", + "size": null, + "emailLinks": [ + "http://operatf.xyz/redirect53dfhbhfhfhb" + ], + "attachmentCount": 0, + "attachments": [], + "mode": "monitor", + "recipients": [ + "user3@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user3@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "1ec5d519-54a5-40fa-9651-19d7286710df", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": null, + "replyToNickname": null, + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "phishing", + "dlp": null, + "clicktimeProtection": null, + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "5244bc1edcda7b4eb1394cfd5caae536", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Domain Impersonation", + "Sender Reputation", + "Links" + ], + "reasons_by_category": { + "Links": [ + { + "short_text": "Link to a low-traffic site", + "full_text": "The email contains link to low-traffic web-sites - often indicating low-trust domains" + } + ], + "Domain Impersonation": [ + { + "short_text": "SPF check failed when checking sending IP: 10.10.10.10 for domain avtestqa.com", + "full_text": "The email 'from' address doesn't pass the SPF-check" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't 
established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ], + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ] + }, + "reasons": [] + }, + "score": "230.313577", + "securityResultEntityId": "5244bc1edcda7b4eb1394cfd5caae536", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "phishing" + } + ], + "dlp": null, + "clicktimeProtection": null, + "shadowIt": [ + { + "entityId": "5244bc1edcda7b4eb1394cfd5caae536", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "aut_phish_prod3_17__070823_00_36_07_808755", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "5244bc1edcda7b4eb1394cfd5caae536", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [ + { + "entityActionName": "subject_change", + "entityActionDate": "2023-08-07T00:36:17.554898Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "subject_changed" + }, + { + "entityActionName": "body_change", + "entityActionDate": "2023-08-07T00:36:17.554898Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "body_changed" + } + ], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "387791d2a40b948abee1cdd0f19ab478", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T00:38:40.203026Z", + "entityUpdated": "2023-08-07T00:43:36.226074Z", + "entityActionState": null + }, + "entityPayload": { + 
"internetMessageId": "<01000189cd6e578c-879f8da0-ae88-49d2-9b5e-684911078aed-000000@email.amazonses.com>", + "subject": "aut_clean_prod3_17__070823_00_38_27_657038", + "received": "2023-08-07T00:38:29Z", + "size": null, + "emailLinks": [], + "attachmentCount": 0, + "attachments": [], + "mode": "inline", + "recipients": [ + "user4@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user4@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "37bf0b54-5136-49e7-82c8-58f85d42b333", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": null, + "replyToNickname": null, + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": true, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": null, + "clicktimeProtection": null, + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "387791d2a40b948abee1cdd0f19ab478", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Domain Impersonation", + "Sender Reputation" + ], + "reasons_by_category": { + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ], + "Domain Impersonation": [ + { + "short_text": "SPF check failed when checking sending IP: 10.10.10.10 for domain avtestqa.com", + "full_text": "The email 'from' address doesn't pass the SPF-check" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The 
sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "108.677335", + "securityResultEntityId": "387791d2a40b948abee1cdd0f19ab478", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "clean" + } + ], + "dlp": null, + "clicktimeProtection": null, + "shadowIt": [ + { + "entityId": "387791d2a40b948abee1cdd0f19ab478", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "aut_clean_prod3_17__070823_00_38_27_657038", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "387791d2a40b948abee1cdd0f19ab478", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "f0fda7b572e69176188bf0332fc59188", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T00:41:04.618352Z", + "entityUpdated": "2023-08-07T00:41:10.282286Z", + "entityActionState": null + }, + "entityPayload": { + "internetMessageId": "<00000000.00000000000000.00000000000000.00000000@mail.example.com>", + "subject": "AUT-clean-qa1-4-_070823_00_40_49_014194", + "received": "2023-08-07T00:40:50Z", + "size": null, + "emailLinks": [], + "attachmentCount": 0, + "attachments": [], + "mode": "monitor", + "recipients": [ + "user3@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user3@avananlab44.onmicrosoft.com" + ], + "toUser": [ + 
{ + "entity_id": "1ec5d519-54a5-40fa-9651-19d7286710df", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": "Automation@avtestqa.com", + "replyToNickname": "", + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": null, + "clicktimeProtection": null, + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "f0fda7b572e69176188bf0332fc59188", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Sender Reputation" + ], + "reasons_by_category": { + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "42.792424", + "securityResultEntityId": "f0fda7b572e69176188bf0332fc59188", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "clean" + } + ], + "dlp": null, + "clicktimeProtection": null, + "shadowIt": [ + { + "entityId": "f0fda7b572e69176188bf0332fc59188", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": 
"AUT-clean-qa1-4-_070823_00_40_49_014194", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "f0fda7b572e69176188bf0332fc59188", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "3f7e45cd636b4fc78b347f681f0b18f3", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T00:41:24.013944Z", + "entityUpdated": "2023-08-07T00:41:30.743911Z", + "entityActionState": "quarantined" + }, + "entityPayload": { + "internetMessageId": "<00000000.00000000000000.00000000000000.00000000@mail.example.com>", + "subject": "AUT-clicktime-qa-1_070823_03_41_18_715975", + "received": "2023-08-07T00:41:19Z", + "size": null, + "emailLinks": [ + "http://www.xvira-malwareavrad.com", + "https://google.com", + "https://stackoverflow.com" + ], + "attachmentCount": 0, + "attachments": [], + "mode": "inline", + "recipients": [ + "user2@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user2@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": "Automation@avtestqa.com", + "replyToNickname": "", + "isRead": null, + "isDeleted": true, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": true, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": 
{ + "ap": "spam", + "dlp": "clean", + "clicktimeProtection": "links_replaced", + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "3f7e45cd636b4fc78b347f681f0b18f3", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Sender Reputation", + "Links", + "Email Text" + ], + "reasons_by_category": { + "Links": [ + { + "short_text": "Link to a low-traffic site", + "full_text": "The email contains link to low-traffic web-sites - often indicating low-trust domains" + }, + { + "short_text": "Suspicious-looking link", + "full_text": "The email presents a link that can be misleading (link text vs. actual URL)" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ], + "Email Text": [ + { + "short_text": "Suspicious-looking email text", + "full_text": "NLP analysis of the email text indicates a suspicious-looking email content" + } + ], + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ] + }, + "reasons": [] + }, + "score": "275.646318", + "securityResultEntityId": "3f7e45cd636b4fc78b347f681f0b18f3", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "spam" + } + ], + "dlp": [ + { + "entityId": "3f7e45cd636b4fc78b347f681f0b18f3", + "entityType": "office365_emails_email", + "payload": { + "matches_dlp_rules": [], + "found_text": [], + "scan_details": [], + "hit_count": 0 + }, + "score": "0", + "securityResultEntityId": "3f7e45cd636b4fc78b347f681f0b18f3", + "securityResultEntityType": "avanan_dlp", + "statusCode": "0", + 
"statusDescription": "Clean", + "verdict": "clean" + } + ], + "clicktimeProtection": [ + { + "entityId": "3f7e45cd636b4fc78b347f681f0b18f3", + "entityType": "office365_emails_email", + "payload": null, + "score": "0", + "securityResultEntityId": "3f7e45cd636b4fc78b347f681f0b18f3", + "securityResultEntityType": "clicktime_protection_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "links_replaced" + } + ], + "shadowIt": [ + { + "entityId": "3f7e45cd636b4fc78b347f681f0b18f3", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "AUT-clicktime-qa-1_070823_03_41_18_715975", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "3f7e45cd636b4fc78b347f681f0b18f3", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [ + { + "entityActionName": "quarantine", + "entityActionDate": "2023-08-07T00:41:29.033072Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "quarantined" + } + ], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "0568b67f6f3e6f3ad946ffdb63375b5a", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T00:41:24.487466Z", + "entityUpdated": "2023-08-07T00:41:38.238913Z", + "entityActionState": null + }, + "entityPayload": { + "internetMessageId": "<00000000.00000000000000.00000000000000.00000000@mail.example.com>", + "subject": "AUT-clicktime-qa-1-ignorelist_070823_03_41_19_103913", + "received": "2023-08-07T00:41:20Z", + "size": null, + "emailLinks": [ + "https://mail.google.com", + "https://www.youtube.com", + "https://yardiasp14.com" + ], + "attachmentCount": 0, + "attachments": [], + "mode": "inline", + "recipients": [ + "user2@avananlab44.onmicrosoft.com" + ], + 
"fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user2@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": "Automation@avtestqa.com", + "replyToNickname": "", + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": "clean", + "clicktimeProtection": "no_links_replaced", + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "0568b67f6f3e6f3ad946ffdb63375b5a", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Sender Reputation" + ], + "reasons_by_category": { + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "68.697515", + "securityResultEntityId": "0568b67f6f3e6f3ad946ffdb63375b5a", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "clean" + } + ], + "dlp": [ + { + "entityId": 
"0568b67f6f3e6f3ad946ffdb63375b5a", + "entityType": "office365_emails_email", + "payload": { + "matches_dlp_rules": [], + "found_text": [], + "scan_details": [], + "hit_count": 0 + }, + "score": "0", + "securityResultEntityId": "0568b67f6f3e6f3ad946ffdb63375b5a", + "securityResultEntityType": "avanan_dlp", + "statusCode": "0", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "clicktimeProtection": [ + { + "entityId": "0568b67f6f3e6f3ad946ffdb63375b5a", + "entityType": "office365_emails_email", + "payload": null, + "score": "0", + "securityResultEntityId": "0568b67f6f3e6f3ad946ffdb63375b5a", + "securityResultEntityType": "clicktime_protection_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "no_links_replaced" + } + ], + "shadowIt": [ + { + "entityId": "0568b67f6f3e6f3ad946ffdb63375b5a", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "AUT-clicktime-qa-1-ignorelist_070823_03_41_19_103913", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "0568b67f6f3e6f3ad946ffdb63375b5a", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "b7dfff40a7838d204f1c21e85711cedd", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T00:41:24.520346Z", + "entityUpdated": "2023-08-07T00:44:52.588539Z", + "entityActionState": "links_replaced" + }, + "entityPayload": { + "internetMessageId": "<00000000.00000000000000.00000000000000.00000000@mail.example.com>", + "subject": "AUT-clicktime-qa-1-blacklist_070823_03_41_19_868416", + "received": "2023-08-07T00:41:20Z", + "size": null, + "emailLinks": [ + "https://facebook.com" + ], + "attachmentCount": 0, + "attachments": 
[], + "mode": "inline", + "recipients": [ + "user2@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user2@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": "Automation@avtestqa.com", + "replyToNickname": "", + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": "clean", + "clicktimeProtection": "malicious_url", + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "b7dfff40a7838d204f1c21e85711cedd", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Sender Reputation" + ], + "reasons_by_category": { + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "52.964422", + "securityResultEntityId": "b7dfff40a7838d204f1c21e85711cedd", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": 
null, + "verdict": "clean" + } + ], + "dlp": [ + { + "entityId": "b7dfff40a7838d204f1c21e85711cedd", + "entityType": "office365_emails_email", + "payload": { + "matches_dlp_rules": [], + "found_text": [], + "scan_details": [], + "hit_count": 0 + }, + "score": "0", + "securityResultEntityId": "b7dfff40a7838d204f1c21e85711cedd", + "securityResultEntityType": "avanan_dlp", + "statusCode": "0", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "clicktimeProtection": [ + { + "entityId": "b7dfff40a7838d204f1c21e85711cedd", + "entityType": "office365_emails_email", + "payload": null, + "score": "0", + "securityResultEntityId": "b7dfff40a7838d204f1c21e85711cedd", + "securityResultEntityType": "clicktime_protection_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "malicious_url" + } + ], + "shadowIt": [ + { + "entityId": "b7dfff40a7838d204f1c21e85711cedd", + "entityType": "office365_emails_email", + "payload": { + "subject": "AUT-clicktime-qa-1-blacklist_070823_03_41_19_868416", + "from": "Automation@avtestqa.com", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "b7dfff40a7838d204f1c21e85711cedd", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [ + { + "entityActionName": "body_change", + "entityActionDate": "2023-08-07T00:41:24.520346Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "body_changed" + }, + { + "entityActionName": "links_replace", + "entityActionDate": "2023-08-07T00:41:24.520346Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "links_replaced" + } + ], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "c2815b63c3caadbf0c89ef67e86b6f4a", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": 
"office365_emails_email", + "entityCreated": "2023-08-07T00:41:25.650768Z", + "entityUpdated": "2023-08-07T00:41:36.347426Z", + "entityActionState": "links_replaced" + }, + "entityPayload": { + "internetMessageId": "<00000000.00000000000000.00000000000000.00000000@mail.example.com>", + "subject": "AUT-clicktime-qa-1-whitelist_070823_03_41_19_509772", + "received": "2023-08-07T00:41:20Z", + "size": null, + "emailLinks": [ + "http://www.xvirb-malwareavrad.com" + ], + "attachmentCount": 0, + "attachments": [], + "mode": "inline", + "recipients": [ + "user2@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user2@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": "Automation@avtestqa.com", + "replyToNickname": "", + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": "clean", + "clicktimeProtection": "links_replaced", + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "c2815b63c3caadbf0c89ef67e86b6f4a", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Sender Reputation", + "Links" + ], + "reasons_by_category": { + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ], + "Links": [ + { + "short_text": "Link to a low-traffic site", + "full_text": 
"The email contains link to low-traffic web-sites - often indicating low-trust domains" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "148.308417", + "securityResultEntityId": "c2815b63c3caadbf0c89ef67e86b6f4a", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "clean" + } + ], + "dlp": [ + { + "entityId": "c2815b63c3caadbf0c89ef67e86b6f4a", + "entityType": "office365_emails_email", + "payload": { + "matches_dlp_rules": [], + "found_text": [], + "scan_details": [], + "hit_count": 0 + }, + "score": "0", + "securityResultEntityId": "c2815b63c3caadbf0c89ef67e86b6f4a", + "securityResultEntityType": "avanan_dlp", + "statusCode": "0", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "clicktimeProtection": [ + { + "entityId": "c2815b63c3caadbf0c89ef67e86b6f4a", + "entityType": "office365_emails_email", + "payload": null, + "score": "0", + "securityResultEntityId": "c2815b63c3caadbf0c89ef67e86b6f4a", + "securityResultEntityType": "clicktime_protection_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "links_replaced" + } + ], + "shadowIt": [ + { + "entityId": "c2815b63c3caadbf0c89ef67e86b6f4a", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "AUT-clicktime-qa-1-whitelist_070823_03_41_19_509772", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "c2815b63c3caadbf0c89ef67e86b6f4a", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + 
"av": null + }, + "entityActions": [ + { + "entityActionName": "body_change", + "entityActionDate": "2023-08-07T00:41:25.650768Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "body_changed" + }, + { + "entityActionName": "links_replace", + "entityActionDate": "2023-08-07T00:41:25.650768Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "links_replaced" + } + ], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "6454cedfa600c62c8831f8d434ebe473", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T00:41:27.916864Z", + "entityUpdated": "2023-08-07T00:41:42.471251Z", + "entityActionState": "links_replaced" + }, + "entityPayload": { + "internetMessageId": "<00000000.00000000000000.00000000000000.00000000@mail.example.com>", + "subject": "AUT-clicktime-qa-1-special-urls_070823_03_41_20_217946", + "received": "2023-08-07T00:41:22Z", + "size": null, + "emailLinks": [ + "https://hengold.github.io/clicktime_url/?url=!*", + "https://hengold.github.io/clicktime_url/?url=!*'();:@&=+$,/?%#[]/", + "https://hengold.github.io/clicktime_url/?\u043f\u0440\u0430\u0432\u0438\u0442\u0435\u043b\u044c\u0441\u0442\u0432\u043e/", + "https://hengold.github.io/clicktime_url/?\u05d1\u05e2\u05d1\u05e8\u05d9\u05ea/", + "https://hengold.github.io/clicktime_url/?\u4e2d\u6587/" + ], + "attachmentCount": 0, + "attachments": [], + "mode": "inline", + "recipients": [ + "user2@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user2@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + 
"replyToEmail": "Automation@avtestqa.com", + "replyToNickname": "", + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": "clean", + "clicktimeProtection": "links_replaced", + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "6454cedfa600c62c8831f8d434ebe473", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Sender Reputation", + "Links" + ], + "reasons_by_category": { + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ], + "Links": [ + { + "short_text": "Suspicious-looking link", + "full_text": "Some of the links in the email has suspicious format - often used by Phishing emails" + }, + { + "short_text": "Link to a low-traffic site", + "full_text": "The email contains link to low-traffic web-sites - often indicating low-trust domains" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "45.599355", + "securityResultEntityId": "6454cedfa600c62c8831f8d434ebe473", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "clean" + } + ], + "dlp": [ + { + "entityId": "6454cedfa600c62c8831f8d434ebe473", + 
"entityType": "office365_emails_email", + "payload": { + "matches_dlp_rules": [], + "found_text": [], + "scan_details": [], + "hit_count": 0 + }, + "score": "0", + "securityResultEntityId": "6454cedfa600c62c8831f8d434ebe473", + "securityResultEntityType": "avanan_dlp", + "statusCode": "0", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "clicktimeProtection": [ + { + "entityId": "6454cedfa600c62c8831f8d434ebe473", + "entityType": "office365_emails_email", + "payload": null, + "score": "0", + "securityResultEntityId": "6454cedfa600c62c8831f8d434ebe473", + "securityResultEntityType": "clicktime_protection_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "links_replaced" + } + ], + "shadowIt": [ + { + "entityId": "6454cedfa600c62c8831f8d434ebe473", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "AUT-clicktime-qa-1-special-urls_070823_03_41_20_217946", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "6454cedfa600c62c8831f8d434ebe473", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [ + { + "entityActionName": "body_change", + "entityActionDate": "2023-08-07T00:41:27.916864Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "body_changed" + }, + { + "entityActionName": "links_replace", + "entityActionDate": "2023-08-07T00:41:27.916864Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "links_replaced" + } + ], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "06d41d4c112802af7dfd250d05dbd103", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T00:44:53.987615Z", + "entityUpdated": 
"2023-08-07T00:44:57.791695Z", + "entityActionState": null + }, + "entityPayload": { + "internetMessageId": "<00000000.00000000000000.00000000000000.00000000@mail.example.com>", + "subject": "AUT-clean-qa1-4-_070823_00_44_44_526852", + "received": "2023-08-07T00:44:45Z", + "size": null, + "emailLinks": [], + "attachmentCount": 0, + "attachments": [], + "mode": "monitor", + "recipients": [ + "user3@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user3@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "1ec5d519-54a5-40fa-9651-19d7286710df", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": "Automation@avtestqa.com", + "replyToNickname": "", + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": null, + "clicktimeProtection": null, + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "06d41d4c112802af7dfd250d05dbd103", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Sender Reputation" + ], + "reasons_by_category": { + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", 
+ "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "42.792424", + "securityResultEntityId": "06d41d4c112802af7dfd250d05dbd103", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "clean" + } + ], + "dlp": null, + "clicktimeProtection": null, + "shadowIt": [ + { + "entityId": "06d41d4c112802af7dfd250d05dbd103", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "AUT-clean-qa1-4-_070823_00_44_44_526852", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "06d41d4c112802af7dfd250d05dbd103", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "06c484917b9ae7737ef6c145de89dbda", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T00:44:57.313659Z", + "entityUpdated": "2023-08-07T00:45:05.318853Z", + "entityActionState": "quarantined" + }, + "entityPayload": { + "internetMessageId": "<01000189cd74260c-f2f896a5-9b2a-42b6-9aba-111eb6e4f3f3-000000@email.amazonses.com>", + "subject": "aut_quar_prod3_17__070823_00_44_48_474253", + "received": "2023-08-07T00:44:50Z", + "size": null, + "emailLinks": [], + "attachmentCount": 1, + "attachments": [ + { + "name": "avanan_malicious_53_070823_00_44_48_1691369088.pdf", + "mimetype": "application/pdf", + "size": 2066, + "MD5": "57a1ace5e373537ef2d0c5b6f5b536c3" + } + ], + "mode": "monitor", + "recipients": [ + "user3@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + 
"user3@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "1ec5d519-54a5-40fa-9651-19d7286710df", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": null, + "replyToNickname": null, + "isRead": null, + "isDeleted": true, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": true, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": null, + "clicktimeProtection": null, + "shadowIt": "clean", + "av": "malicious" + }, + "ap": [ + { + "entityId": "06c484917b9ae7737ef6c145de89dbda", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Domain Impersonation", + "Sender Reputation" + ], + "reasons_by_category": { + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ], + "Domain Impersonation": [ + { + "short_text": "SPF check failed when checking sending IP: 10.10.10.10 for domain avtestqa.com", + "full_text": "The email 'from' address doesn't pass the SPF-check" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "37.394969", + "securityResultEntityId": "06c484917b9ae7737ef6c145de89dbda", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": 
null, + "verdict": "clean" + } + ], + "dlp": null, + "clicktimeProtection": null, + "shadowIt": [ + { + "entityId": "06c484917b9ae7737ef6c145de89dbda", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "aut_quar_prod3_17__070823_00_44_48_474253", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "06c484917b9ae7737ef6c145de89dbda", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": [ + { + "entityId": "fdf469fe67e26c66d49551da4588c8f358fb8f30", + "entityType": "office365_emails_attachment", + "payload": { + "scan_details": [ + "Dummy Core Detection" + ] + }, + "score": "100", + "securityResultEntityId": "fdf469fe67e26c66d49551da4588c8f358fb8f30", + "securityResultEntityType": "checkpoint2", + "statusCode": "0", + "statusDescription": "Dummy Core Detection", + "verdict": "malicious" + } + ] + }, + "entityActions": [ + { + "entityActionName": "quarantine", + "entityActionDate": "2023-08-07T00:45:05.064158Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "quarantined" + } + ], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "cb7714713336eac22c45052af41635f4", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T00:44:59.424099Z", + "entityUpdated": "2023-08-07T00:45:13.768062Z", + "entityActionState": null + }, + "entityPayload": { + "internetMessageId": "<01000189cd7424a8-c1683679-e937-4cf4-9002-62cc1c7bef48-000000@email.amazonses.com>", + "subject": "aut_clean_prod3_17__070823_00_44_48_125774", + "received": "2023-08-07T00:44:49Z", + "size": null, + "emailLinks": [], + "attachmentCount": 0, + "attachments": [], + "mode": "inline", + "recipients": [ + "user2@avananlab44.onmicrosoft.com" + ], + "fromEmail": 
"Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user2@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": null, + "replyToNickname": null, + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": "clean", + "clicktimeProtection": "no_links_replaced", + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "cb7714713336eac22c45052af41635f4", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Domain Impersonation", + "Sender Reputation" + ], + "reasons_by_category": { + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ], + "Domain Impersonation": [ + { + "short_text": "SPF check failed when checking sending IP: 10.10.10.10 for domain avtestqa.com", + "full_text": "The email 'from' address doesn't pass the SPF-check" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "125.763193", + "securityResultEntityId": 
"cb7714713336eac22c45052af41635f4", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "clean" + } + ], + "dlp": [ + { + "entityId": "cb7714713336eac22c45052af41635f4", + "entityType": "office365_emails_email", + "payload": { + "matches_dlp_rules": [], + "found_text": [], + "scan_details": [], + "hit_count": 0 + }, + "score": "0", + "securityResultEntityId": "cb7714713336eac22c45052af41635f4", + "securityResultEntityType": "avanan_dlp", + "statusCode": "0", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "clicktimeProtection": [ + { + "entityId": "cb7714713336eac22c45052af41635f4", + "entityType": "office365_emails_email", + "payload": null, + "score": "0", + "securityResultEntityId": "cb7714713336eac22c45052af41635f4", + "securityResultEntityType": "clicktime_protection_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "no_links_replaced" + } + ], + "shadowIt": [ + { + "entityId": "cb7714713336eac22c45052af41635f4", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "aut_clean_prod3_17__070823_00_44_48_125774", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "cb7714713336eac22c45052af41635f4", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "3fcb8ec01d38974550554f99b8838efc", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T00:44:59.546368Z", + "entityUpdated": "2023-08-07T00:45:14.538074Z", + "entityActionState": "quarantined" + }, + "entityPayload": { + "internetMessageId": "<01000189cd742347-2d92ce4c-5529-46bc-a11b-ad9e85a0c390-000000@email.amazonses.com>", + "subject": 
"aut_quar_prod3_17__070823_00_44_47_764454", + "received": "2023-08-07T00:44:49Z", + "size": null, + "emailLinks": [], + "attachmentCount": 1, + "attachments": [ + { + "name": "avanan_malicious_57_070823_00_44_47_1691369087.pdf", + "mimetype": "application/pdf", + "size": 2069, + "MD5": "0b0cad0167740b88ab914e0e50905b71" + } + ], + "mode": "inline", + "recipients": [ + "user2@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user2@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": null, + "replyToNickname": null, + "isRead": null, + "isDeleted": true, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": true, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": "clean", + "clicktimeProtection": "no_links_replaced", + "shadowIt": "clean", + "av": "malicious" + }, + "ap": [ + { + "entityId": "3fcb8ec01d38974550554f99b8838efc", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Domain Impersonation", + "Sender Reputation" + ], + "reasons_by_category": { + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ], + "Domain Impersonation": [ + { + "short_text": "SPF check failed when checking sending IP: 10.10.10.10 for domain avtestqa.com", + "full_text": "The email 'from' address doesn't pass the SPF-check" + } + ], + "Sender Reputation": [ + { + "short_text": 
"Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "33.833035", + "securityResultEntityId": "3fcb8ec01d38974550554f99b8838efc", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "clean" + } + ], + "dlp": [ + { + "entityId": "3fcb8ec01d38974550554f99b8838efc", + "entityType": "office365_emails_email", + "payload": { + "matches_dlp_rules": [], + "found_text": [], + "scan_details": [], + "hit_count": 0 + }, + "score": "0", + "securityResultEntityId": "3fcb8ec01d38974550554f99b8838efc", + "securityResultEntityType": "avanan_dlp", + "statusCode": "0", + "statusDescription": "Clean", + "verdict": "clean" + }, + { + "entityId": "23d153ad643cfe3ec30748849367f3d3a8186513", + "entityType": "office365_emails_attachment", + "payload": { + "matches_dlp_rules": [], + "found_text": [], + "scan_details": [], + "hit_count": 0 + }, + "score": "0", + "securityResultEntityId": "23d153ad643cfe3ec30748849367f3d3a8186513", + "securityResultEntityType": "avanan_dlp", + "statusCode": "0", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "clicktimeProtection": [ + { + "entityId": "3fcb8ec01d38974550554f99b8838efc", + "entityType": "office365_emails_email", + "payload": null, + "score": "0", + "securityResultEntityId": "3fcb8ec01d38974550554f99b8838efc", + "securityResultEntityType": "clicktime_protection_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "no_links_replaced" + } + ], + "shadowIt": [ + { + "entityId": "3fcb8ec01d38974550554f99b8838efc", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": 
"aut_quar_prod3_17__070823_00_44_47_764454", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "3fcb8ec01d38974550554f99b8838efc", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": [ + { + "entityId": "23d153ad643cfe3ec30748849367f3d3a8186513", + "entityType": "office365_emails_attachment", + "payload": { + "scan_details": [ + "Dummy Core Detection" + ] + }, + "score": "100", + "securityResultEntityId": "23d153ad643cfe3ec30748849367f3d3a8186513", + "securityResultEntityType": "checkpoint2", + "statusCode": "0", + "statusDescription": "Dummy Core Detection", + "verdict": "malicious" + } + ] + }, + "entityActions": [ + { + "entityActionName": "quarantine", + "entityActionDate": "2023-08-07T00:45:12.685968Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "quarantined" + } + ], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "d7a2bb4ec0ede75e1e4f369c74d96fe1", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T00:44:59.800856Z", + "entityUpdated": "2023-08-07T00:45:14.478277Z", + "entityActionState": "links_replaced" + }, + "entityPayload": { + "internetMessageId": "<01000189cd742405-d34efd8e-259a-4920-b75c-053bcfbee5bc-000000@email.amazonses.com>-alert", + "subject": "Phishing Alert! 
[aut_phish_prod3_17__070823_00_44_47_955222]", + "received": "2023-08-07T00:44:49Z", + "size": null, + "emailLinks": [ + "http://operatf.xyz/redirect53dfhbhfhfhb" + ], + "attachmentCount": 0, + "attachments": [], + "mode": "inline", + "recipients": [ + "user2@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user2@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": null, + "replyToNickname": null, + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "phishing", + "dlp": "clean", + "clicktimeProtection": "links_replaced", + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "d7a2bb4ec0ede75e1e4f369c74d96fe1", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Domain Impersonation", + "Sender Reputation", + "Links" + ], + "reasons_by_category": { + "Links": [ + { + "short_text": "Link to a low-traffic site", + "full_text": "The email contains link to low-traffic web-sites - often indicating low-trust domains" + } + ], + "Domain Impersonation": [ + { + "short_text": "SPF check failed when checking sending IP: 10.10.10.10 for domain avtestqa.com", + "full_text": "The email 'from' address doesn't pass the SPF-check" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email 
address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ], + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ] + }, + "reasons": [] + }, + "score": "234.309006", + "securityResultEntityId": "d7a2bb4ec0ede75e1e4f369c74d96fe1", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "phishing" + } + ], + "dlp": [ + { + "entityId": "d7a2bb4ec0ede75e1e4f369c74d96fe1", + "entityType": "office365_emails_email", + "payload": { + "matches_dlp_rules": [], + "found_text": [], + "scan_details": [], + "hit_count": 0 + }, + "score": "0", + "securityResultEntityId": "d7a2bb4ec0ede75e1e4f369c74d96fe1", + "securityResultEntityType": "avanan_dlp", + "statusCode": "0", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "clicktimeProtection": [ + { + "entityId": "d7a2bb4ec0ede75e1e4f369c74d96fe1", + "entityType": "office365_emails_email", + "payload": null, + "score": "0", + "securityResultEntityId": "d7a2bb4ec0ede75e1e4f369c74d96fe1", + "securityResultEntityType": "clicktime_protection_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "links_replaced" + } + ], + "shadowIt": [ + { + "entityId": "d7a2bb4ec0ede75e1e4f369c74d96fe1", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "aut_phish_prod3_17__070823_00_44_47_955222", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "d7a2bb4ec0ede75e1e4f369c74d96fe1", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [ + { + "entityActionName": "subject_change", + "entityActionDate": 
"2023-08-07T00:44:59.800856Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "subject_changed" + }, + { + "entityActionName": "body_change", + "entityActionDate": "2023-08-07T00:44:59.800856Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "body_changed" + }, + { + "entityActionName": "links_replace", + "entityActionDate": "2023-08-07T00:44:59.800856Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "links_replaced" + } + ], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "c81c680d7a9bca2374d5b8fd8c3286e1", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T00:45:06.510217Z", + "entityUpdated": "2023-08-07T00:45:14.359683Z", + "entityActionState": "body_changed" + }, + "entityPayload": { + "internetMessageId": "<01000189cd742556-bbb6894d-0c22-431a-bf16-a31100df6ff9-000000@email.amazonses.com>", + "subject": "Phishing Alert! 
[aut_phish_prod3_17__070823_00_44_48_301117]", + "received": "2023-08-07T00:44:52Z", + "size": null, + "emailLinks": [ + "http://operatf.xyz/redirect53dfhbhfhfhb" + ], + "attachmentCount": 0, + "attachments": [], + "mode": "monitor", + "recipients": [ + "user3@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user3@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "1ec5d519-54a5-40fa-9651-19d7286710df", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": null, + "replyToNickname": null, + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "phishing", + "dlp": null, + "clicktimeProtection": null, + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "c81c680d7a9bca2374d5b8fd8c3286e1", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Domain Impersonation", + "Sender Reputation", + "Links" + ], + "reasons_by_category": { + "Links": [ + { + "short_text": "Link to a low-traffic site", + "full_text": "The email contains link to low-traffic web-sites - often indicating low-trust domains" + } + ], + "Domain Impersonation": [ + { + "short_text": "SPF check failed when checking sending IP: 10.10.10.10 for domain avtestqa.com", + "full_text": "The email 'from' address doesn't pass the SPF-check" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't 
established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ], + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ] + }, + "reasons": [] + }, + "score": "230.313577", + "securityResultEntityId": "c81c680d7a9bca2374d5b8fd8c3286e1", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "phishing" + } + ], + "dlp": null, + "clicktimeProtection": null, + "shadowIt": [ + { + "entityId": "c81c680d7a9bca2374d5b8fd8c3286e1", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "aut_phish_prod3_17__070823_00_44_48_301117", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "c81c680d7a9bca2374d5b8fd8c3286e1", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [ + { + "entityActionName": "subject_change", + "entityActionDate": "2023-08-07T00:45:06.510217Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "subject_changed" + }, + { + "entityActionName": "body_change", + "entityActionDate": "2023-08-07T00:45:06.510217Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "body_changed" + } + ], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "1caad6b8d760c5677a63fb2563bf9bd1", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T00:48:37.699839Z", + "entityUpdated": "2023-08-07T00:53:26.460785Z", + "entityActionState": null + }, + "entityPayload": { + 
"internetMessageId": "<01000189cd77828a-94889b82-9d23-4b78-94c7-deee90f04644-000000@email.amazonses.com>", + "subject": "aut_clean_prod3_17__070823_00_48_28_346652", + "received": "2023-08-07T00:48:30Z", + "size": null, + "emailLinks": [], + "attachmentCount": 0, + "attachments": [], + "mode": "inline", + "recipients": [ + "user4@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user4@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "37bf0b54-5136-49e7-82c8-58f85d42b333", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": null, + "replyToNickname": null, + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": true, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": null, + "clicktimeProtection": null, + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "1caad6b8d760c5677a63fb2563bf9bd1", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Domain Impersonation", + "Sender Reputation" + ], + "reasons_by_category": { + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ], + "Domain Impersonation": [ + { + "short_text": "SPF check failed when checking sending IP: 10.10.10.10 for domain avtestqa.com", + "full_text": "The email 'from' address doesn't pass the SPF-check" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The 
sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "108.677335", + "securityResultEntityId": "1caad6b8d760c5677a63fb2563bf9bd1", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "clean" + } + ], + "dlp": null, + "clicktimeProtection": null, + "shadowIt": [ + { + "entityId": "1caad6b8d760c5677a63fb2563bf9bd1", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "aut_clean_prod3_17__070823_00_48_28_346652", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "1caad6b8d760c5677a63fb2563bf9bd1", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "db3b2d4f21e8f73364da558407db769b", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T00:50:12.687054Z", + "entityUpdated": "2023-08-07T00:50:17.232705Z", + "entityActionState": null + }, + "entityPayload": { + "internetMessageId": "0.14662166908162633Automation@avtestqa.com", + "subject": "aut_clean_prod3_17__070823_00_40_53_318272", + "received": "2023-08-05T16:35:06.828791Z", + "size": null, + "emailLinks": [], + "attachmentCount": 0, + "attachments": [], + "mode": "monitor", + "recipients": [ + "user2@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user2@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + 
"entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": null, + "replyToNickname": null, + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": null, + "SpfResult": null, + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": null, + "clicktimeProtection": null, + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "db3b2d4f21e8f73364da558407db769b", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Sender Reputation" + ], + "reasons_by_category": { + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "59.53873", + "securityResultEntityId": "db3b2d4f21e8f73364da558407db769b", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "clean" + } + ], + "dlp": null, + "clicktimeProtection": null, + "shadowIt": [ + { + "entityId": "db3b2d4f21e8f73364da558407db769b", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "aut_clean_prod3_17__070823_00_40_53_318272", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "db3b2d4f21e8f73364da558407db769b", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": 
"clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "33dcb85fd41503c33070552de4dc69dc", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T00:51:31.962844Z", + "entityUpdated": "2023-08-07T00:51:39.231516Z", + "entityActionState": null + }, + "entityPayload": { + "internetMessageId": "<00000000.00000000000000.00000000000000.00000000@mail.example.com>", + "subject": "AUT-clicktime-qa-1-ignorelist_070823_03_51_20_909818", + "received": "2023-08-07T00:51:21Z", + "size": null, + "emailLinks": [ + "https://mail.google.com", + "https://www.youtube.com", + "https://yardiasp14.com" + ], + "attachmentCount": 0, + "attachments": [], + "mode": "inline", + "recipients": [ + "user2@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user2@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": "Automation@avtestqa.com", + "replyToNickname": "", + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": "clean", + "clicktimeProtection": "no_links_replaced", + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "33dcb85fd41503c33070552de4dc69dc", + "entityType": 
"office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Sender Reputation" + ], + "reasons_by_category": { + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "68.697515", + "securityResultEntityId": "33dcb85fd41503c33070552de4dc69dc", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "clean" + } + ], + "dlp": [ + { + "entityId": "33dcb85fd41503c33070552de4dc69dc", + "entityType": "office365_emails_email", + "payload": { + "matches_dlp_rules": [], + "found_text": [], + "scan_details": [], + "hit_count": 0 + }, + "score": "0", + "securityResultEntityId": "33dcb85fd41503c33070552de4dc69dc", + "securityResultEntityType": "avanan_dlp", + "statusCode": "0", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "clicktimeProtection": [ + { + "entityId": "33dcb85fd41503c33070552de4dc69dc", + "entityType": "office365_emails_email", + "payload": null, + "score": "0", + "securityResultEntityId": "33dcb85fd41503c33070552de4dc69dc", + "securityResultEntityType": "clicktime_protection_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "no_links_replaced" + } + ], + "shadowIt": [ + { + "entityId": "33dcb85fd41503c33070552de4dc69dc", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "AUT-clicktime-qa-1-ignorelist_070823_03_51_20_909818", + "domain": "" + }, + "score": "0", + 
"securityResultEntityId": "33dcb85fd41503c33070552de4dc69dc", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "0e0b0ed8fb1e848838d3003be88eb56f", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T00:51:31.988926Z", + "entityUpdated": "2023-08-07T00:52:43.051969Z", + "entityActionState": "links_replaced" + }, + "entityPayload": { + "internetMessageId": "<00000000.00000000000000.00000000000000.00000000@mail.example.com>", + "subject": "AUT-clicktime-qa-1_070823_03_51_20_487453", + "received": "2023-08-07T00:51:21Z", + "size": null, + "emailLinks": [ + "http://www.xvira-malwareavrad.com", + "https://google.com", + "https://stackoverflow.com" + ], + "attachmentCount": 0, + "attachments": [], + "mode": "inline", + "recipients": [ + "user2@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user2@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": "Automation@avtestqa.com", + "replyToNickname": "", + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": "clean", + "clicktimeProtection": 
"malicious_url", + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "0e0b0ed8fb1e848838d3003be88eb56f", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Sender Reputation", + "Links", + "Email Text" + ], + "reasons_by_category": { + "Links": [ + { + "short_text": "Link to a low-traffic site", + "full_text": "The email contains link to low-traffic web-sites - often indicating low-trust domains" + }, + { + "short_text": "Suspicious-looking link", + "full_text": "The email presents a link that can be misleading (link text vs. actual URL)" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ], + "Email Text": [ + { + "short_text": "Suspicious-looking email text", + "full_text": "NLP analysis of the email text indicates a suspicious-looking email content" + } + ], + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "275.646318", + "securityResultEntityId": "0e0b0ed8fb1e848838d3003be88eb56f", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "clean" + } + ], + "dlp": [ + { + "entityId": "0e0b0ed8fb1e848838d3003be88eb56f", + "entityType": "office365_emails_email", + "payload": { + "matches_dlp_rules": [], + "found_text": [], + "scan_details": [], + "hit_count": 0 + }, + "score": "0", + "securityResultEntityId": "0e0b0ed8fb1e848838d3003be88eb56f", + "securityResultEntityType": "avanan_dlp", + "statusCode": "0", + "statusDescription": "Clean", + "verdict": "clean" 
+ } + ], + "clicktimeProtection": [ + { + "entityId": "0e0b0ed8fb1e848838d3003be88eb56f", + "entityType": "office365_emails_email", + "payload": { + "malicious_url_clicks": [ + "http://www.xvira-malwareavrad.com" + ] + }, + "score": "0", + "securityResultEntityId": "0e0b0ed8fb1e848838d3003be88eb56f", + "securityResultEntityType": "clicktime_protection_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "malicious_url" + }, + { + "entityId": "0e0b0ed8fb1e848838d3003be88eb56f", + "entityType": "office365_emails_email", + "payload": { + "result": { + "entity_type": "office365_emails_email", + "guid": "433a", + "ip_address": "10.10.10.10, 10.10.10.11", + "entity_id": "0e0b0ed8fb1e848838d3003be88eb56f", + "event": "block", + "brand": "avanan", + "request_id": "7bdcb2417638fb53", + "url": "http://www.xvira-malwareavrad.com/", + "user_agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/81.0.4044.92 Safari/537.36", + "customer": "prod-3-con-lab44", + "farm_id": "mt-prod-3", + "detection_info": null + }, + "link": "http://www.xvira-malwareavrad.com", + "client_ip_address": null, + "user_agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/81.0.4044.92 Safari/537.36", + "detection_info": "{}" + }, + "score": "0.0", + "securityResultEntityId": "bb79754b964b44eea859cf51455750b7", + "securityResultEntityType": "clicktime_protection_scan_clicks", + "statusCode": "0", + "statusDescription": null, + "verdict": "malicious_url" + }, + { + "entityId": "0e0b0ed8fb1e848838d3003be88eb56f", + "entityType": "office365_emails_email", + "payload": { + "result": { + "entity_type": "office365_emails_email", + "guid": "528e", + "ip_address": "10.10.10.10, 10.10.10.11", + "entity_id": "0e0b0ed8fb1e848838d3003be88eb56f", + "event": "block", + "brand": "avanan", + "request_id": "b77060e5e6ab2043", + "url": "http://www.xvira-malwareavrad.com/", + "user_agent": "Mozilla/5.0 (X11; Linux x86_64) 
AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/81.0.4044.92 Safari/537.36", + "customer": "prod-3-con-lab44", + "farm_id": "mt-prod-3", + "detection_info": null + }, + "link": "http://www.xvira-malwareavrad.com", + "client_ip_address": null, + "user_agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/81.0.4044.92 Safari/537.36", + "detection_info": "{}" + }, + "score": "0.0", + "securityResultEntityId": "4fb0c7573fc943ea9d0baf414a627486", + "securityResultEntityType": "clicktime_protection_scan_clicks", + "statusCode": "0", + "statusDescription": null, + "verdict": "malicious_url" + } + ], + "shadowIt": [ + { + "entityId": "0e0b0ed8fb1e848838d3003be88eb56f", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "AUT-clicktime-qa-1_070823_03_51_20_487453", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "0e0b0ed8fb1e848838d3003be88eb56f", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [ + { + "entityActionName": "body_change", + "entityActionDate": "2023-08-07T00:51:31.988926Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "body_changed" + }, + { + "entityActionName": "links_replace", + "entityActionDate": "2023-08-07T00:51:31.988926Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "links_replaced" + } + ], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "c3d66a7f324acfd2474a439c9c6c8ee1", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T00:51:32.009466Z", + "entityUpdated": "2023-08-07T00:51:47.893499Z", + "entityActionState": "links_replaced" + }, + "entityPayload": { + 
"internetMessageId": "<00000000.00000000000000.00000000000000.00000000@mail.example.com>", + "subject": "AUT-clicktime-qa-1-whitelist_070823_03_51_21_233726", + "received": "2023-08-07T00:51:24Z", + "size": null, + "emailLinks": [ + "http://www.xvirb-malwareavrad.com" + ], + "attachmentCount": 0, + "attachments": [], + "mode": "inline", + "recipients": [ + "user2@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user2@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": "Automation@avtestqa.com", + "replyToNickname": "", + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": "clean", + "clicktimeProtection": "links_replaced", + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "c3d66a7f324acfd2474a439c9c6c8ee1", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Sender Reputation", + "Links" + ], + "reasons_by_category": { + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ], + "Links": [ + { + "short_text": "Link to a low-traffic site", + "full_text": "The email contains link to low-traffic web-sites - often indicating low-trust domains" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + 
"full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "148.308417", + "securityResultEntityId": "c3d66a7f324acfd2474a439c9c6c8ee1", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "clean" + } + ], + "dlp": [ + { + "entityId": "c3d66a7f324acfd2474a439c9c6c8ee1", + "entityType": "office365_emails_email", + "payload": { + "matches_dlp_rules": [], + "found_text": [], + "scan_details": [], + "hit_count": 0 + }, + "score": "0", + "securityResultEntityId": "c3d66a7f324acfd2474a439c9c6c8ee1", + "securityResultEntityType": "avanan_dlp", + "statusCode": "0", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "clicktimeProtection": [ + { + "entityId": "c3d66a7f324acfd2474a439c9c6c8ee1", + "entityType": "office365_emails_email", + "payload": null, + "score": "0", + "securityResultEntityId": "c3d66a7f324acfd2474a439c9c6c8ee1", + "securityResultEntityType": "clicktime_protection_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "links_replaced" + } + ], + "shadowIt": [ + { + "entityId": "c3d66a7f324acfd2474a439c9c6c8ee1", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "AUT-clicktime-qa-1-whitelist_070823_03_51_21_233726", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "c3d66a7f324acfd2474a439c9c6c8ee1", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [ + { + "entityActionName": "body_change", + "entityActionDate": "2023-08-07T00:51:32.009466Z", + "entityActionResponseCode": null, + "entityActionResponseText": 
null, + "entityActionState": "body_changed" + }, + { + "entityActionName": "links_replace", + "entityActionDate": "2023-08-07T00:51:32.009466Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "links_replaced" + } + ], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "097dc1e5a899373d35e2d9231296bcc2", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T00:51:32.269766Z", + "entityUpdated": "2023-08-07T00:51:39.227774Z", + "entityActionState": "links_replaced" + }, + "entityPayload": { + "internetMessageId": "<00000000.00000000000000.00000000000000.00000000@mail.example.com>", + "subject": "AUT-clicktime-qa-1-special-urls_070823_03_51_21_987971", + "received": "2023-08-07T00:51:23Z", + "size": null, + "emailLinks": [ + "https://hengold.github.io/clicktime_url/?url=!*", + "https://hengold.github.io/clicktime_url/?url=!*'();:@&=+$,/?%#[]/", + "https://hengold.github.io/clicktime_url/?\u043f\u0440\u0430\u0432\u0438\u0442\u0435\u043b\u044c\u0441\u0442\u0432\u043e/", + "https://hengold.github.io/clicktime_url/?\u05d1\u05e2\u05d1\u05e8\u05d9\u05ea/", + "https://hengold.github.io/clicktime_url/?\u4e2d\u6587/" + ], + "attachmentCount": 0, + "attachments": [], + "mode": "inline", + "recipients": [ + "user2@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user2@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": "Automation@avtestqa.com", + "replyToNickname": "", + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": 
false, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": "clean", + "clicktimeProtection": "links_replaced", + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "097dc1e5a899373d35e2d9231296bcc2", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Sender Reputation", + "Links" + ], + "reasons_by_category": { + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ], + "Links": [ + { + "short_text": "Suspicious-looking link", + "full_text": "Some of the links in the email has suspicious format - often used by Phishing emails" + }, + { + "short_text": "Link to a low-traffic site", + "full_text": "The email contains link to low-traffic web-sites - often indicating low-trust domains" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "45.599355", + "securityResultEntityId": "097dc1e5a899373d35e2d9231296bcc2", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "clean" + } + ], + "dlp": [ + { + "entityId": "097dc1e5a899373d35e2d9231296bcc2", + "entityType": "office365_emails_email", + "payload": { + "matches_dlp_rules": [], + "found_text": [], + "scan_details": [], + "hit_count": 0 + }, + "score": "0", + "securityResultEntityId": 
"097dc1e5a899373d35e2d9231296bcc2", + "securityResultEntityType": "avanan_dlp", + "statusCode": "0", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "clicktimeProtection": [ + { + "entityId": "097dc1e5a899373d35e2d9231296bcc2", + "entityType": "office365_emails_email", + "payload": null, + "score": "0", + "securityResultEntityId": "097dc1e5a899373d35e2d9231296bcc2", + "securityResultEntityType": "clicktime_protection_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "links_replaced" + } + ], + "shadowIt": [ + { + "entityId": "097dc1e5a899373d35e2d9231296bcc2", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "AUT-clicktime-qa-1-special-urls_070823_03_51_21_987971", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "097dc1e5a899373d35e2d9231296bcc2", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [ + { + "entityActionName": "body_change", + "entityActionDate": "2023-08-07T00:51:32.269766Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "body_changed" + }, + { + "entityActionName": "links_replace", + "entityActionDate": "2023-08-07T00:51:32.269766Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "links_replaced" + } + ], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "218422382b1a09f96871a85d7b159a57", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T00:51:32.474494Z", + "entityUpdated": "2023-08-07T00:55:33.553249Z", + "entityActionState": "links_replaced" + }, + "entityPayload": { + "internetMessageId": "<00000000.00000000000000.00000000000000.00000000@mail.example.com>", + "subject": 
"AUT-clicktime-qa-1-blacklist_070823_03_51_21_565745", + "received": "2023-08-07T00:51:23Z", + "size": null, + "emailLinks": [ + "https://facebook.com" + ], + "attachmentCount": 0, + "attachments": [], + "mode": "inline", + "recipients": [ + "user2@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user2@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": "Automation@avtestqa.com", + "replyToNickname": "", + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": "clean", + "clicktimeProtection": "malicious_url", + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "218422382b1a09f96871a85d7b159a57", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Sender Reputation" + ], + "reasons_by_category": { + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ] + }, + "reasons": [ + "First Time 
Sender" + ] + }, + "score": "52.964422", + "securityResultEntityId": "218422382b1a09f96871a85d7b159a57", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "clean" + } + ], + "dlp": [ + { + "entityId": "218422382b1a09f96871a85d7b159a57", + "entityType": "office365_emails_email", + "payload": { + "matches_dlp_rules": [], + "found_text": [], + "scan_details": [], + "hit_count": 0 + }, + "score": "0", + "securityResultEntityId": "218422382b1a09f96871a85d7b159a57", + "securityResultEntityType": "avanan_dlp", + "statusCode": "0", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "clicktimeProtection": [ + { + "entityId": "218422382b1a09f96871a85d7b159a57", + "entityType": "office365_emails_email", + "payload": null, + "score": "0", + "securityResultEntityId": "218422382b1a09f96871a85d7b159a57", + "securityResultEntityType": "clicktime_protection_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "malicious_url" + } + ], + "shadowIt": [ + { + "entityId": "218422382b1a09f96871a85d7b159a57", + "entityType": "office365_emails_email", + "payload": { + "subject": "AUT-clicktime-qa-1-blacklist_070823_03_51_21_565745", + "from": "Automation@avtestqa.com", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "218422382b1a09f96871a85d7b159a57", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [ + { + "entityActionName": "body_change", + "entityActionDate": "2023-08-07T00:51:32.474494Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "body_changed" + }, + { + "entityActionName": "links_replace", + "entityActionDate": "2023-08-07T00:51:32.474494Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "links_replaced" + } + ], + "entityAvailableActions": [] + }, + 
{ + "entityInfo": { + "entityId": "0c7e634c8be8243bb529bbecfb2db455", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T00:52:20.064866Z", + "entityUpdated": "2023-08-07T00:52:24.265441Z", + "entityActionState": null + }, + "entityPayload": { + "internetMessageId": "<00000000.00000000000000.00000000000000.00000000@mail.example.com>", + "subject": "AUT-clean-qa1-4-_070823_00_51_15_113583", + "received": "2023-08-07T00:51:16Z", + "size": null, + "emailLinks": [], + "attachmentCount": 0, + "attachments": [], + "mode": "monitor", + "recipients": [ + "user3@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user3@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "1ec5d519-54a5-40fa-9651-19d7286710df", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": "Automation@avtestqa.com", + "replyToNickname": "", + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": null, + "clicktimeProtection": null, + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "0c7e634c8be8243bb529bbecfb2db455", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Sender Reputation" + ], + "reasons_by_category": { + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is 
missing/invalid" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "42.792424", + "securityResultEntityId": "0c7e634c8be8243bb529bbecfb2db455", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "clean" + } + ], + "dlp": null, + "clicktimeProtection": null, + "shadowIt": [ + { + "entityId": "0c7e634c8be8243bb529bbecfb2db455", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "AUT-clean-qa1-4-_070823_00_51_15_113583", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "0c7e634c8be8243bb529bbecfb2db455", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "068418362c897bf22a2a21ec5cdf9aef", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T00:54:29.334880Z", + "entityUpdated": "2023-08-07T00:54:43.218079Z", + "entityActionState": null + }, + "entityPayload": { + "internetMessageId": "<01000189cd7cdcaa-79608eea-18c5-42e9-ae04-479d682e297b-000000@email.amazonses.com>", + "subject": "aut_clean_prod3_17__070823_00_54_19_500895", + "received": "2023-08-07T00:54:20Z", + "size": null, + "emailLinks": [], + "attachmentCount": 0, + "attachments": [], + "mode": "inline", + "recipients": [ + "user2@avananlab44.onmicrosoft.com" + ], + "fromEmail": 
"Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user2@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": null, + "replyToNickname": null, + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": "clean", + "clicktimeProtection": "no_links_replaced", + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "068418362c897bf22a2a21ec5cdf9aef", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Domain Impersonation", + "Sender Reputation" + ], + "reasons_by_category": { + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ], + "Domain Impersonation": [ + { + "short_text": "SPF check failed when checking sending IP: 10.10.10.10 for domain avtestqa.com", + "full_text": "The email 'from' address doesn't pass the SPF-check" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "125.763193", + "securityResultEntityId": 
"068418362c897bf22a2a21ec5cdf9aef", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "clean" + } + ], + "dlp": [ + { + "entityId": "068418362c897bf22a2a21ec5cdf9aef", + "entityType": "office365_emails_email", + "payload": { + "matches_dlp_rules": [], + "found_text": [], + "scan_details": [], + "hit_count": 0 + }, + "score": "0", + "securityResultEntityId": "068418362c897bf22a2a21ec5cdf9aef", + "securityResultEntityType": "avanan_dlp", + "statusCode": "0", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "clicktimeProtection": [ + { + "entityId": "068418362c897bf22a2a21ec5cdf9aef", + "entityType": "office365_emails_email", + "payload": null, + "score": "0", + "securityResultEntityId": "068418362c897bf22a2a21ec5cdf9aef", + "securityResultEntityType": "clicktime_protection_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "no_links_replaced" + } + ], + "shadowIt": [ + { + "entityId": "068418362c897bf22a2a21ec5cdf9aef", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "aut_clean_prod3_17__070823_00_54_19_500895", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "068418362c897bf22a2a21ec5cdf9aef", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "3afce0e438f6ea96076ebe8ae3fe3124", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T00:54:29.640129Z", + "entityUpdated": "2023-08-07T00:54:48.047862Z", + "entityActionState": "quarantined" + }, + "entityPayload": { + "internetMessageId": "<01000189cd7cdb3b-b2c4aba0-2abb-4fe3-bb5b-a452f9e75a9f-000000@email.amazonses.com>", + "subject": 
"aut_quar_prod3_17__070823_00_54_19_146130", + "received": "2023-08-07T00:54:21Z", + "size": null, + "emailLinks": [], + "attachmentCount": 1, + "attachments": [ + { + "name": "avanan_malicious_25_070823_00_54_19_1691369659.pdf", + "mimetype": "application/pdf", + "size": 2072, + "MD5": "598e9716152a194a367f4935055be067" + } + ], + "mode": "inline", + "recipients": [ + "user2@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user2@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": null, + "replyToNickname": null, + "isRead": null, + "isDeleted": true, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": true, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": "clean", + "clicktimeProtection": "no_links_replaced", + "shadowIt": "clean", + "av": "malicious" + }, + "ap": [ + { + "entityId": "3afce0e438f6ea96076ebe8ae3fe3124", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Domain Impersonation", + "Sender Reputation" + ], + "reasons_by_category": { + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ], + "Domain Impersonation": [ + { + "short_text": "SPF check failed when checking sending IP: 10.10.10.10 for domain avtestqa.com", + "full_text": "The email 'from' address doesn't pass the SPF-check" + } + ], + "Sender Reputation": [ + { + "short_text": 
"Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "38.152973", + "securityResultEntityId": "3afce0e438f6ea96076ebe8ae3fe3124", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "clean" + } + ], + "dlp": [ + { + "entityId": "9e64ff90ff47a3e2b168a0d1625bcad050444c1d", + "entityType": "office365_emails_attachment", + "payload": { + "matches_dlp_rules": [], + "found_text": [], + "scan_details": [], + "hit_count": 0 + }, + "score": "0", + "securityResultEntityId": "9e64ff90ff47a3e2b168a0d1625bcad050444c1d", + "securityResultEntityType": "avanan_dlp", + "statusCode": "0", + "statusDescription": "Clean", + "verdict": "clean" + }, + { + "entityId": "3afce0e438f6ea96076ebe8ae3fe3124", + "entityType": "office365_emails_email", + "payload": { + "matches_dlp_rules": [], + "found_text": [], + "scan_details": [], + "hit_count": 0 + }, + "score": "0", + "securityResultEntityId": "3afce0e438f6ea96076ebe8ae3fe3124", + "securityResultEntityType": "avanan_dlp", + "statusCode": "0", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "clicktimeProtection": [ + { + "entityId": "3afce0e438f6ea96076ebe8ae3fe3124", + "entityType": "office365_emails_email", + "payload": null, + "score": "0", + "securityResultEntityId": "3afce0e438f6ea96076ebe8ae3fe3124", + "securityResultEntityType": "clicktime_protection_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "no_links_replaced" + } + ], + "shadowIt": [ + { + "entityId": "3afce0e438f6ea96076ebe8ae3fe3124", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": 
"aut_quar_prod3_17__070823_00_54_19_146130", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "3afce0e438f6ea96076ebe8ae3fe3124", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": [ + { + "entityId": "9e64ff90ff47a3e2b168a0d1625bcad050444c1d", + "entityType": "office365_emails_attachment", + "payload": { + "scan_details": [ + "Dummy Core Detection" + ] + }, + "score": "100", + "securityResultEntityId": "9e64ff90ff47a3e2b168a0d1625bcad050444c1d", + "securityResultEntityType": "checkpoint2", + "statusCode": "0", + "statusDescription": "Dummy Core Detection", + "verdict": "malicious" + } + ] + }, + "entityActions": [ + { + "entityActionName": "quarantine", + "entityActionDate": "2023-08-07T00:54:42.293457Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "quarantined" + } + ], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "6ac87cdcd82a6fab8c7b09a3570764e0", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T00:54:29.824380Z", + "entityUpdated": "2023-08-07T00:54:43.199954Z", + "entityActionState": "links_replaced" + }, + "entityPayload": { + "internetMessageId": "<01000189cd7cdbe8-e82d2d81-ce6d-4e68-bb14-09bbaccea2d3-000000@email.amazonses.com>-alert", + "subject": "Phishing Alert! 
[aut_phish_prod3_17__070823_00_54_19_320200]", + "received": "2023-08-07T00:54:21Z", + "size": null, + "emailLinks": [ + "http://operatf.xyz/redirect53dfhbhfhfhb" + ], + "attachmentCount": 0, + "attachments": [], + "mode": "inline", + "recipients": [ + "user2@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user2@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": null, + "replyToNickname": null, + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "phishing", + "dlp": "clean", + "clicktimeProtection": "links_replaced", + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "6ac87cdcd82a6fab8c7b09a3570764e0", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Domain Impersonation", + "Sender Reputation", + "Links" + ], + "reasons_by_category": { + "Links": [ + { + "short_text": "Link to a low-traffic site", + "full_text": "The email contains link to low-traffic web-sites - often indicating low-trust domains" + } + ], + "Domain Impersonation": [ + { + "short_text": "SPF check failed when checking sending IP: 10.10.10.10 for domain avtestqa.com", + "full_text": "The email 'from' address doesn't pass the SPF-check" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email 
address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ], + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ] + }, + "reasons": [] + }, + "score": "234.309006", + "securityResultEntityId": "6ac87cdcd82a6fab8c7b09a3570764e0", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "phishing" + } + ], + "dlp": [ + { + "entityId": "6ac87cdcd82a6fab8c7b09a3570764e0", + "entityType": "office365_emails_email", + "payload": { + "matches_dlp_rules": [], + "found_text": [], + "scan_details": [], + "hit_count": 0 + }, + "score": "0", + "securityResultEntityId": "6ac87cdcd82a6fab8c7b09a3570764e0", + "securityResultEntityType": "avanan_dlp", + "statusCode": "0", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "clicktimeProtection": [ + { + "entityId": "6ac87cdcd82a6fab8c7b09a3570764e0", + "entityType": "office365_emails_email", + "payload": null, + "score": "0", + "securityResultEntityId": "6ac87cdcd82a6fab8c7b09a3570764e0", + "securityResultEntityType": "clicktime_protection_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "links_replaced" + } + ], + "shadowIt": [ + { + "entityId": "6ac87cdcd82a6fab8c7b09a3570764e0", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "aut_phish_prod3_17__070823_00_54_19_320200", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "6ac87cdcd82a6fab8c7b09a3570764e0", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [ + { + "entityActionName": "subject_change", + "entityActionDate": 
"2023-08-07T00:54:29.824380Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "subject_changed" + }, + { + "entityActionName": "body_change", + "entityActionDate": "2023-08-07T00:54:29.824380Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "body_changed" + }, + { + "entityActionName": "links_replace", + "entityActionDate": "2023-08-07T00:54:29.824380Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "links_replaced" + } + ], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "1883a190b821f30ea867bffe34d60ddd", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T00:54:30.841426Z", + "entityUpdated": "2023-08-07T00:54:43.798884Z", + "entityActionState": "quarantined" + }, + "entityPayload": { + "internetMessageId": "<01000189cd7cde04-0f8bbac4-2054-4472-bc57-2953217fc549-000000@email.amazonses.com>", + "subject": "aut_quar_prod3_17__070823_00_54_19_855951", + "received": "2023-08-07T00:54:21Z", + "size": null, + "emailLinks": [], + "attachmentCount": 1, + "attachments": [ + { + "name": "avanan_malicious_40_070823_00_54_19_1691369659.pdf", + "mimetype": "application/pdf", + "size": 2067, + "MD5": "3ddc54374219cf8406aa94028f463fca" + } + ], + "mode": "monitor", + "recipients": [ + "user3@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user3@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "1ec5d519-54a5-40fa-9651-19d7286710df", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": null, + "replyToNickname": null, + "isRead": null, + "isDeleted": true, + "isIncoming": true, + 
"isInternal": false, + "isOutgoing": false, + "isQuarantined": true, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": null, + "clicktimeProtection": null, + "shadowIt": "clean", + "av": "malicious" + }, + "ap": [ + { + "entityId": "1883a190b821f30ea867bffe34d60ddd", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Domain Impersonation", + "Sender Reputation" + ], + "reasons_by_category": { + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ], + "Domain Impersonation": [ + { + "short_text": "SPF check failed when checking sending IP: 10.10.10.10 for domain avtestqa.com", + "full_text": "The email 'from' address doesn't pass the SPF-check" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "37.397321", + "securityResultEntityId": "1883a190b821f30ea867bffe34d60ddd", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "clean" + } + ], + "dlp": null, + "clicktimeProtection": null, + "shadowIt": [ + { + "entityId": "1883a190b821f30ea867bffe34d60ddd", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "aut_quar_prod3_17__070823_00_54_19_855951", + "domain": "" + }, + "score": "0", + 
"securityResultEntityId": "1883a190b821f30ea867bffe34d60ddd", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": [ + { + "entityId": "f43ba83e7356aa36f4eb59047145d19b0a5097fb", + "entityType": "office365_emails_attachment", + "payload": { + "scan_details": [ + "Dummy Core Detection" + ] + }, + "score": "100", + "securityResultEntityId": "f43ba83e7356aa36f4eb59047145d19b0a5097fb", + "securityResultEntityType": "checkpoint2", + "statusCode": "0", + "statusDescription": "Dummy Core Detection", + "verdict": "malicious" + } + ] + }, + "entityActions": [ + { + "entityActionName": "quarantine", + "entityActionDate": "2023-08-07T00:54:37.811132Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "quarantined" + } + ], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "7591a93e7f7e480af4353e0290f38ae6", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T00:55:15.350150Z", + "entityUpdated": "2023-08-07T00:55:24.493433Z", + "entityActionState": "body_changed" + }, + "entityPayload": { + "internetMessageId": "<01000189cd7cdd35-537343b9-7622-4c97-8243-a2faed339fd6-000000@email.amazonses.com>", + "subject": "Phishing Alert! 
[aut_phish_prod3_17__070823_00_54_19_660403]", + "received": "2023-08-07T00:54:21Z", + "size": null, + "emailLinks": [ + "http://operatf.xyz/redirect53dfhbhfhfhb" + ], + "attachmentCount": 0, + "attachments": [], + "mode": "monitor", + "recipients": [ + "user3@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user3@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "1ec5d519-54a5-40fa-9651-19d7286710df", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": null, + "replyToNickname": null, + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "phishing", + "dlp": null, + "clicktimeProtection": null, + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "7591a93e7f7e480af4353e0290f38ae6", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Domain Impersonation", + "Sender Reputation", + "Links" + ], + "reasons_by_category": { + "Links": [ + { + "short_text": "Link to a low-traffic site", + "full_text": "The email contains link to low-traffic web-sites - often indicating low-trust domains" + } + ], + "Domain Impersonation": [ + { + "short_text": "SPF check failed when checking sending IP: 10.10.10.10 for domain avtestqa.com", + "full_text": "The email 'from' address doesn't pass the SPF-check" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't 
established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ], + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ] + }, + "reasons": [] + }, + "score": "207.210314", + "securityResultEntityId": "7591a93e7f7e480af4353e0290f38ae6", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "phishing" + } + ], + "dlp": null, + "clicktimeProtection": null, + "shadowIt": [ + { + "entityId": "7591a93e7f7e480af4353e0290f38ae6", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "aut_phish_prod3_17__070823_00_54_19_660403", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "7591a93e7f7e480af4353e0290f38ae6", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [ + { + "entityActionName": "subject_change", + "entityActionDate": "2023-08-07T00:55:15.350150Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "subject_changed" + }, + { + "entityActionName": "body_change", + "entityActionDate": "2023-08-07T00:55:15.350150Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "body_changed" + } + ], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "cb08860eb761386df1874bc6a658f80a", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T00:58:36.673369Z", + "entityUpdated": "2023-08-07T01:03:35.914763Z", + "entityActionState": null + }, + "entityPayload": { + 
"internetMessageId": "<01000189cd80a83c-d4a2ff7a-d639-4f57-ac55-33896fb5efd4-000000@email.amazonses.com>", + "subject": "aut_clean_prod3_17__070823_00_58_28_191873", + "received": "2023-08-07T00:58:29Z", + "size": null, + "emailLinks": [], + "attachmentCount": 0, + "attachments": [], + "mode": "inline", + "recipients": [ + "user4@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user4@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "37bf0b54-5136-49e7-82c8-58f85d42b333", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": null, + "replyToNickname": null, + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": true, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": null, + "clicktimeProtection": null, + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "cb08860eb761386df1874bc6a658f80a", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Domain Impersonation", + "Sender Reputation" + ], + "reasons_by_category": { + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ], + "Domain Impersonation": [ + { + "short_text": "SPF check failed when checking sending IP: 10.10.10.10 for domain avtestqa.com", + "full_text": "The email 'from' address doesn't pass the SPF-check" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The 
sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "108.677335", + "securityResultEntityId": "cb08860eb761386df1874bc6a658f80a", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "clean" + } + ], + "dlp": null, + "clicktimeProtection": null, + "shadowIt": [ + { + "entityId": "cb08860eb761386df1874bc6a658f80a", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "aut_clean_prod3_17__070823_00_58_28_191873", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "cb08860eb761386df1874bc6a658f80a", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "11ccb8f77d8324207ef36ab3d8575732", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T01:01:11.742127Z", + "entityUpdated": "2023-08-07T01:01:22.255795Z", + "entityActionState": null + }, + "entityPayload": { + "internetMessageId": "<00000000.00000000000000.00000000000000.00000000@mail.example.com>", + "subject": "AUT-clean-qa1-4-_070823_01_01_04_511406", + "received": "2023-08-07T01:01:05Z", + "size": null, + "emailLinks": [], + "attachmentCount": 0, + "attachments": [], + "mode": "monitor", + "recipients": [ + "user3@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user3@avananlab44.onmicrosoft.com" + ], + "toUser": [ + 
{ + "entity_id": "1ec5d519-54a5-40fa-9651-19d7286710df", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": "Automation@avtestqa.com", + "replyToNickname": "", + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": null, + "clicktimeProtection": null, + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "11ccb8f77d8324207ef36ab3d8575732", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Sender Reputation" + ], + "reasons_by_category": { + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "42.792424", + "securityResultEntityId": "11ccb8f77d8324207ef36ab3d8575732", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "clean" + } + ], + "dlp": null, + "clicktimeProtection": null, + "shadowIt": [ + { + "entityId": "11ccb8f77d8324207ef36ab3d8575732", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": 
"AUT-clean-qa1-4-_070823_01_01_04_511406", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "11ccb8f77d8324207ef36ab3d8575732", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "087400ea554227eb0adae2be07469526", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T01:01:24.246920Z", + "entityUpdated": "2023-08-07T01:02:44.671831Z", + "entityActionState": "links_replaced" + }, + "entityPayload": { + "internetMessageId": "<00000000.00000000000000.00000000000000.00000000@mail.example.com>", + "subject": "AUT-clicktime-qa-1_070823_04_01_18_397334", + "received": "2023-08-07T01:01:19Z", + "size": null, + "emailLinks": [ + "http://www.xvira-malwareavrad.com", + "https://google.com", + "https://stackoverflow.com" + ], + "attachmentCount": 0, + "attachments": [], + "mode": "inline", + "recipients": [ + "user2@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user2@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": "Automation@avtestqa.com", + "replyToNickname": "", + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + 
"combinedVerdict": { + "ap": "clean", + "dlp": "clean", + "clicktimeProtection": "malicious_url", + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "087400ea554227eb0adae2be07469526", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Sender Reputation", + "Links", + "Email Text" + ], + "reasons_by_category": { + "Links": [ + { + "short_text": "Link to a low-traffic site", + "full_text": "The email contains link to low-traffic web-sites - often indicating low-trust domains" + }, + { + "short_text": "Suspicious-looking link", + "full_text": "The email presents a link that can be misleading (link text vs. actual URL)" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ], + "Email Text": [ + { + "short_text": "Suspicious-looking email text", + "full_text": "NLP analysis of the email text indicates a suspicious-looking email content" + } + ], + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "275.646318", + "securityResultEntityId": "087400ea554227eb0adae2be07469526", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "clean" + } + ], + "dlp": [ + { + "entityId": "087400ea554227eb0adae2be07469526", + "entityType": "office365_emails_email", + "payload": { + "matches_dlp_rules": [], + "found_text": [], + "scan_details": [], + "hit_count": 0 + }, + "score": "0", + "securityResultEntityId": "087400ea554227eb0adae2be07469526", + "securityResultEntityType": 
"avanan_dlp", + "statusCode": "0", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "clicktimeProtection": [ + { + "entityId": "087400ea554227eb0adae2be07469526", + "entityType": "office365_emails_email", + "payload": { + "malicious_url_clicks": [ + "http://www.xvira-malwareavrad.com" + ] + }, + "score": "0", + "securityResultEntityId": "087400ea554227eb0adae2be07469526", + "securityResultEntityType": "clicktime_protection_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "malicious_url" + }, + { + "entityId": "087400ea554227eb0adae2be07469526", + "entityType": "office365_emails_email", + "payload": { + "result": { + "entity_type": "office365_emails_email", + "guid": "9480", + "ip_address": "10.10.10.10, 10.10.10.11", + "entity_id": "087400ea554227eb0adae2be07469526", + "event": "block", + "brand": "avanan", + "request_id": "7b13c7823fd738c4", + "url": "http://www.xvira-malwareavrad.com/", + "user_agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/81.0.4044.92 Safari/537.36", + "customer": "prod-3-con-lab44", + "farm_id": "mt-prod-3", + "detection_info": null + }, + "link": "http://www.xvira-malwareavrad.com", + "client_ip_address": null, + "user_agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/81.0.4044.92 Safari/537.36", + "detection_info": "{}" + }, + "score": "0.0", + "securityResultEntityId": "f7f0fba3af324bddaee1e8fdb1db7b92", + "securityResultEntityType": "clicktime_protection_scan_clicks", + "statusCode": "0", + "statusDescription": null, + "verdict": "malicious_url" + }, + { + "entityId": "087400ea554227eb0adae2be07469526", + "entityType": "office365_emails_email", + "payload": { + "result": { + "entity_type": "office365_emails_email", + "guid": "c477", + "ip_address": "10.10.10.10, 10.10.10.11", + "entity_id": "087400ea554227eb0adae2be07469526", + "event": "block", + "brand": "avanan", + "request_id": "45e07307bfd3f552", + "url": 
"http://www.xvira-malwareavrad.com/", + "user_agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/81.0.4044.92 Safari/537.36", + "customer": "prod-3-con-lab44", + "farm_id": "mt-prod-3", + "detection_info": null + }, + "link": "http://www.xvira-malwareavrad.com", + "client_ip_address": null, + "user_agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/81.0.4044.92 Safari/537.36", + "detection_info": "{}" + }, + "score": "0.0", + "securityResultEntityId": "ae46baba09cb49a0867f62d9f8671bf1", + "securityResultEntityType": "clicktime_protection_scan_clicks", + "statusCode": "0", + "statusDescription": null, + "verdict": "malicious_url" + } + ], + "shadowIt": [ + { + "entityId": "087400ea554227eb0adae2be07469526", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "AUT-clicktime-qa-1_070823_04_01_18_397334", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "087400ea554227eb0adae2be07469526", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [ + { + "entityActionName": "body_change", + "entityActionDate": "2023-08-07T01:01:24.246920Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "body_changed" + }, + { + "entityActionName": "links_replace", + "entityActionDate": "2023-08-07T01:01:24.246920Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "links_replaced" + } + ], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "128abc0143af989ab3cadd43708cd89e", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T01:01:25.287665Z", + "entityUpdated": 
"2023-08-07T01:01:41.820281Z", + "entityActionState": null + }, + "entityPayload": { + "internetMessageId": "<00000000.00000000000000.00000000000000.00000000@mail.example.com>", + "subject": "AUT-clicktime-qa-1-ignorelist_070823_04_01_18_818776", + "received": "2023-08-07T01:01:19Z", + "size": null, + "emailLinks": [ + "https://mail.google.com", + "https://www.youtube.com", + "https://yardiasp14.com" + ], + "attachmentCount": 0, + "attachments": [], + "mode": "inline", + "recipients": [ + "user2@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user2@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": "Automation@avtestqa.com", + "replyToNickname": "", + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": "clean", + "clicktimeProtection": "no_links_replaced", + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "128abc0143af989ab3cadd43708cd89e", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Sender Reputation" + ], + "reasons_by_category": { + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't 
established significant historical reputation with your domain"
+ },
+ {
+ "short_text": "Low-traffic 'From'-domain",
+ "full_text": "The sender's domain has very low traffic - often indicating low-trust domains"
+ }
+ ]
+ },
+ "reasons": [
+ "First Time Sender"
+ ]
+ },
+ "score": "68.697515",
+ "securityResultEntityId": "128abc0143af989ab3cadd43708cd89e",
+ "securityResultEntityType": "avanan_ap_scan",
+ "statusCode": "0",
+ "statusDescription": null,
+ "verdict": "clean"
+ }
+ ],
+ "dlp": [
+ {
+ "entityId": "128abc0143af989ab3cadd43708cd89e",
+ "entityType": "office365_emails_email",
+ "payload": {
+ "matches_dlp_rules": [],
+ "found_text": [],
+ "scan_details": [],
+ "hit_count": 0
+ },
+ "score": "0",
+ "securityResultEntityId": "128abc0143af989ab3cadd43708cd89e",
+ "securityResultEntityType": "avanan_dlp",
+ "statusCode": "0",
+ "statusDescription": "Clean",
+ "verdict": "clean"
+ }
+ ],
+ "clicktimeProtection": [
+ {
+ "entityId": "128abc0143af989ab3cadd43708cd89e",
+ "entityType": "office365_emails_email",
+ "payload": null,
+ "score": "0",
+ "securityResultEntityId": "128abc0143af989ab3cadd43708cd89e",
+ "securityResultEntityType": "clicktime_protection_scan",
+ "statusCode": "0",
+ "statusDescription": null,
+ "verdict": "no_links_replaced"
+ }
+ ],
+ "shadowIt": [
+ {
+ "entityId": "128abc0143af989ab3cadd43708cd89e",
+ "entityType": "office365_emails_email",
+ "payload": {
+ "from": "Automation@avtestqa.com",
+ "subject": "AUT-clicktime-qa-1-ignorelist_070823_04_01_18_818776",
+ "domain": ""
+ },
+ "score": "0",
+ "securityResultEntityId": "128abc0143af989ab3cadd43708cd89e",
+ "securityResultEntityType": "shadow_it_emails_scan",
+ "statusCode": "clean",
+ "statusDescription": "Clean",
+ "verdict": "clean"
+ }
+ ],
+ "av": null
+ },
+ "entityActions": [],
+ "entityAvailableActions": []
+ },
+ {
+ "entityInfo": {
+ "entityId": "f429a07ec0f09b85d5ca2272ab3958dd",
+ "customerId": "prod-3-con-lab44",
+ "customerOem": "Avanan",
+ "saas": "office365_emails",
+ "saasEntityType": "office365_emails_email",
+ "entityCreated": "2023-08-07T01:01:26.746646Z",
+ "entityUpdated": "2023-08-07T01:01:38.823390Z",
+ "entityActionState": "links_replaced"
+ },
+ "entityPayload": {
+ "internetMessageId": "<00000000.00000000000000.00000000000000.00000000@mail.example.com>",
+ "subject": "AUT-clicktime-qa-1-whitelist_070823_04_01_19_174675",
+ "received": "2023-08-07T01:01:20Z",
+ "size": null,
+ "emailLinks": [
+ "http://www.xvirb-malwareavrad.com"
+ ],
+ "attachmentCount": 0,
+ "attachments": [],
+ "mode": "inline",
+ "recipients": [
+ "user2@avananlab44.onmicrosoft.com"
+ ],
+ "fromEmail": "Automation@avtestqa.com",
+ "fromDomain": "avtestqa.com",
+ "fromUser": {},
+ "fromName": "",
+ "to": [
+ "user2@avananlab44.onmicrosoft.com"
+ ],
+ "toUser": [
+ {
+ "entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e",
+ "entity_type": "office365_emails_user",
+ "mail": null
+ }
+ ],
+ "cc": [],
+ "ccUser": [],
+ "bcc": [],
+ "bccUser": [],
+ "replyToEmail": "Automation@avtestqa.com",
+ "replyToNickname": "",
+ "isRead": null,
+ "isDeleted": false,
+ "isIncoming": true,
+ "isInternal": false,
+ "isOutgoing": false,
+ "isQuarantined": false,
+ "isQuarantineNotification": false,
+ "isRestored": false,
+ "isRestoreRequested": false,
+ "isRestoreDeclined": false,
+ "saasSpamVerdict": "-1",
+ "SpfResult": "pass",
+ "restoreRequestTime": null
+ },
+ "entitySecurityResult": {
+ "combinedVerdict": {
+ "ap": "clean",
+ "dlp": "clean",
+ "clicktimeProtection": "links_replaced",
+ "shadowIt": "clean",
+ "av": null
+ },
+ "ap": [
+ {
+ "entityId": "f429a07ec0f09b85d5ca2272ab3958dd",
+ "entityType": "office365_emails_email",
+ "payload": {
+ "reasons_by_category_list": [
+ "Email Headers",
+ "Sender Reputation",
+ "Links"
+ ],
+ "reasons_by_category": {
+ "Email Headers": [
+ {
+ "short_text": "Missing DMARC",
+ "full_text": "The email's header suggest that DMARC signature is missing/invalid"
+ }
+ ],
+ "Links": [
+ {
+ "short_text": "Link to a low-traffic site",
+ "full_text": "The email contains link to low-traffic web-sites - often indicating low-trust domains"
+ }
+ ],
+ "Sender Reputation": [
+ {
+ "short_text": "Insignificant historical reputation with sender",
+ "full_text": "The sending email address hasn't established significant historical reputation with your domain"
+ },
+ {
+ "short_text": "Low-traffic 'From'-domain",
+ "full_text": "The sender's domain has very low traffic - often indicating low-trust domains"
+ }
+ ]
+ },
+ "reasons": [
+ "First Time Sender"
+ ]
+ },
+ "score": "148.308417",
+ "securityResultEntityId": "f429a07ec0f09b85d5ca2272ab3958dd",
+ "securityResultEntityType": "avanan_ap_scan",
+ "statusCode": "0",
+ "statusDescription": null,
+ "verdict": "clean"
+ }
+ ],
+ "dlp": [
+ {
+ "entityId": "f429a07ec0f09b85d5ca2272ab3958dd",
+ "entityType": "office365_emails_email",
+ "payload": {
+ "matches_dlp_rules": [],
+ "found_text": [],
+ "scan_details": [],
+ "hit_count": 0
+ },
+ "score": "0",
+ "securityResultEntityId": "f429a07ec0f09b85d5ca2272ab3958dd",
+ "securityResultEntityType": "avanan_dlp",
+ "statusCode": "0",
+ "statusDescription": "Clean",
+ "verdict": "clean"
+ }
+ ],
+ "clicktimeProtection": [
+ {
+ "entityId": "f429a07ec0f09b85d5ca2272ab3958dd",
+ "entityType": "office365_emails_email",
+ "payload": null,
+ "score": "0",
+ "securityResultEntityId": "f429a07ec0f09b85d5ca2272ab3958dd",
+ "securityResultEntityType": "clicktime_protection_scan",
+ "statusCode": "0",
+ "statusDescription": null,
+ "verdict": "links_replaced"
+ }
+ ],
+ "shadowIt": [
+ {
+ "entityId": "f429a07ec0f09b85d5ca2272ab3958dd",
+ "entityType": "office365_emails_email",
+ "payload": {
+ "from": "Automation@avtestqa.com",
+ "subject": "AUT-clicktime-qa-1-whitelist_070823_04_01_19_174675",
+ "domain": ""
+ },
+ "score": "0",
+ "securityResultEntityId": "f429a07ec0f09b85d5ca2272ab3958dd",
+ "securityResultEntityType": "shadow_it_emails_scan",
+ "statusCode": "clean",
+ "statusDescription": "Clean",
+ "verdict": "clean"
+ }
+ ],
+ "av": null
+ },
+ "entityActions": [
+ {
+ "entityActionName": "body_change",
+ "entityActionDate": "2023-08-07T01:01:26.746646Z",
+ "entityActionResponseCode": null,
+ "entityActionResponseText": null,
+ "entityActionState": "body_changed"
+ },
+ {
+ "entityActionName": "links_replace",
+ "entityActionDate": "2023-08-07T01:01:26.746646Z",
+ "entityActionResponseCode": null,
+ "entityActionResponseText": null,
+ "entityActionState": "links_replaced"
+ }
+ ],
+ "entityAvailableActions": []
+ },
+ {
+ "entityInfo": {
+ "entityId": "bef4d11a149787aa89b9e648c8dacb26",
+ "customerId": "prod-3-con-lab44",
+ "customerOem": "Avanan",
+ "saas": "office365_emails",
+ "saasEntityType": "office365_emails_email",
+ "entityCreated": "2023-08-07T01:01:27.613323Z",
+ "entityUpdated": "2023-08-07T01:01:41.806748Z",
+ "entityActionState": "links_replaced"
+ },
+ "entityPayload": {
+ "internetMessageId": "<00000000.00000000000000.00000000000000.00000000@mail.example.com>",
+ "subject": "AUT-clicktime-qa-1-special-urls_070823_04_01_19_845846",
+ "received": "2023-08-07T01:01:21Z",
+ "size": null,
+ "emailLinks": [
+ "https://hengold.github.io/clicktime_url/?url=!*",
+ "https://hengold.github.io/clicktime_url/?url=!*'();:@&=+$,/?%#[]/",
+ "https://hengold.github.io/clicktime_url/?\u043f\u0440\u0430\u0432\u0438\u0442\u0435\u043b\u044c\u0441\u0442\u0432\u043e/",
+ "https://hengold.github.io/clicktime_url/?\u05d1\u05e2\u05d1\u05e8\u05d9\u05ea/",
+ "https://hengold.github.io/clicktime_url/?\u4e2d\u6587/"
+ ],
+ "attachmentCount": 0,
+ "attachments": [],
+ "mode": "inline",
+ "recipients": [
+ "user2@avananlab44.onmicrosoft.com"
+ ],
+ "fromEmail": "Automation@avtestqa.com",
+ "fromDomain": "avtestqa.com",
+ "fromUser": {},
+ "fromName": "",
+ "to": [
+ "user2@avananlab44.onmicrosoft.com"
+ ],
+ "toUser": [
+ {
+ "entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e",
+ "entity_type": "office365_emails_user",
+ "mail": null
+ }
+ ],
+ "cc": [],
+ "ccUser": [],
+ "bcc": [],
+ "bccUser": [],
+ "replyToEmail": "Automation@avtestqa.com",
+ "replyToNickname": "",
+ "isRead": null,
+ "isDeleted": false,
+ "isIncoming": true,
+ "isInternal": false,
+ "isOutgoing": false,
+ "isQuarantined": false,
+ "isQuarantineNotification": false,
+ "isRestored": false,
+ "isRestoreRequested": false,
+ "isRestoreDeclined": false,
+ "saasSpamVerdict": "-1",
+ "SpfResult": "pass",
+ "restoreRequestTime": null
+ },
+ "entitySecurityResult": {
+ "combinedVerdict": {
+ "ap": "clean",
+ "dlp": "clean",
+ "clicktimeProtection": "links_replaced",
+ "shadowIt": "clean",
+ "av": null
+ },
+ "ap": [
+ {
+ "entityId": "bef4d11a149787aa89b9e648c8dacb26",
+ "entityType": "office365_emails_email",
+ "payload": {
+ "reasons_by_category_list": [
+ "Email Headers",
+ "Sender Reputation",
+ "Links"
+ ],
+ "reasons_by_category": {
+ "Email Headers": [
+ {
+ "short_text": "Missing DMARC",
+ "full_text": "The email's header suggest that DMARC signature is missing/invalid"
+ }
+ ],
+ "Links": [
+ {
+ "short_text": "Suspicious-looking link",
+ "full_text": "Some of the links in the email has suspicious format - often used by Phishing emails"
+ },
+ {
+ "short_text": "Link to a low-traffic site",
+ "full_text": "The email contains link to low-traffic web-sites - often indicating low-trust domains"
+ }
+ ],
+ "Sender Reputation": [
+ {
+ "short_text": "Insignificant historical reputation with sender",
+ "full_text": "The sending email address hasn't established significant historical reputation with your domain"
+ },
+ {
+ "short_text": "Low-traffic 'From'-domain",
+ "full_text": "The sender's domain has very low traffic - often indicating low-trust domains"
+ }
+ ]
+ },
+ "reasons": [
+ "First Time Sender"
+ ]
+ },
+ "score": "45.599355",
+ "securityResultEntityId": "bef4d11a149787aa89b9e648c8dacb26",
+ "securityResultEntityType": "avanan_ap_scan",
+ "statusCode": "0",
+ "statusDescription": null,
+ "verdict": "clean"
+ }
+ ],
+ "dlp": [
+ {
+ "entityId": "bef4d11a149787aa89b9e648c8dacb26",
+ "entityType": "office365_emails_email",
+ "payload": {
+ "matches_dlp_rules": [],
+ "found_text": [],
+ "scan_details": [],
+ "hit_count": 0
+ },
+ "score": "0",
+ "securityResultEntityId": "bef4d11a149787aa89b9e648c8dacb26",
+ "securityResultEntityType": "avanan_dlp",
+ "statusCode": "0",
+ "statusDescription": "Clean",
+ "verdict": "clean"
+ }
+ ],
+ "clicktimeProtection": [
+ {
+ "entityId": "bef4d11a149787aa89b9e648c8dacb26",
+ "entityType": "office365_emails_email",
+ "payload": null,
+ "score": "0",
+ "securityResultEntityId": "bef4d11a149787aa89b9e648c8dacb26",
+ "securityResultEntityType": "clicktime_protection_scan",
+ "statusCode": "0",
+ "statusDescription": null,
+ "verdict": "links_replaced"
+ }
+ ],
+ "shadowIt": [
+ {
+ "entityId": "bef4d11a149787aa89b9e648c8dacb26",
+ "entityType": "office365_emails_email",
+ "payload": {
+ "from": "Automation@avtestqa.com",
+ "subject": "AUT-clicktime-qa-1-special-urls_070823_04_01_19_845846",
+ "domain": ""
+ },
+ "score": "0",
+ "securityResultEntityId": "bef4d11a149787aa89b9e648c8dacb26",
+ "securityResultEntityType": "shadow_it_emails_scan",
+ "statusCode": "clean",
+ "statusDescription": "Clean",
+ "verdict": "clean"
+ }
+ ],
+ "av": null
+ },
+ "entityActions": [
+ {
+ "entityActionName": "body_change",
+ "entityActionDate": "2023-08-07T01:01:27.613323Z",
+ "entityActionResponseCode": null,
+ "entityActionResponseText": null,
+ "entityActionState": "body_changed"
+ },
+ {
+ "entityActionName": "links_replace",
+ "entityActionDate": "2023-08-07T01:01:27.613323Z",
+ "entityActionResponseCode": null,
+ "entityActionResponseText": null,
+ "entityActionState": "links_replaced"
+ }
+ ],
+ "entityAvailableActions": []
+ },
+ {
+ "entityInfo": {
+ "entityId": "813f8857dc2b8edd5d6eae35e4c8a5c9",
+ "customerId": "prod-3-con-lab44",
+ "customerOem": "Avanan",
+ "saas": "office365_emails",
+ "saasEntityType": "office365_emails_email",
+ "entityCreated": "2023-08-07T01:01:27.656534Z",
+ "entityUpdated": "2023-08-07T01:05:35.321752Z",
+ "entityActionState": "links_replaced"
+ },
+ "entityPayload": {
+ "internetMessageId": "<00000000.00000000000000.00000000000000.00000000@mail.example.com>",
+ "subject": "AUT-clicktime-qa-1-blacklist_070823_04_01_19_505540",
+ "received": "2023-08-07T01:01:20Z",
+ "size": null,
+ "emailLinks": [
+ "https://facebook.com"
+ ],
+ "attachmentCount": 0,
+ "attachments": [],
+ "mode": "inline",
+ "recipients": [
+ "user2@avananlab44.onmicrosoft.com"
+ ],
+ "fromEmail": "Automation@avtestqa.com",
+ "fromDomain": "avtestqa.com",
+ "fromUser": {},
+ "fromName": "",
+ "to": [
+ "user2@avananlab44.onmicrosoft.com"
+ ],
+ "toUser": [
+ {
+ "entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e",
+ "entity_type": "office365_emails_user",
+ "mail": null
+ }
+ ],
+ "cc": [],
+ "ccUser": [],
+ "bcc": [],
+ "bccUser": [],
+ "replyToEmail": "Automation@avtestqa.com",
+ "replyToNickname": "",
+ "isRead": null,
+ "isDeleted": false,
+ "isIncoming": true,
+ "isInternal": false,
+ "isOutgoing": false,
+ "isQuarantined": false,
+ "isQuarantineNotification": false,
+ "isRestored": false,
+ "isRestoreRequested": false,
+ "isRestoreDeclined": false,
+ "saasSpamVerdict": "-1",
+ "SpfResult": "pass",
+ "restoreRequestTime": null
+ },
+ "entitySecurityResult": {
+ "combinedVerdict": {
+ "ap": "clean",
+ "dlp": "clean",
+ "clicktimeProtection": "malicious_url",
+ "shadowIt": "clean",
+ "av": null
+ },
+ "ap": [
+ {
+ "entityId": "813f8857dc2b8edd5d6eae35e4c8a5c9",
+ "entityType": "office365_emails_email",
+ "payload": {
+ "reasons_by_category_list": [
+ "Email Headers",
+ "Sender Reputation"
+ ],
+ "reasons_by_category": {
+ "Email Headers": [
+ {
+ "short_text": "Missing DMARC",
+ "full_text": "The email's header suggest that DMARC signature is missing/invalid"
+ }
+ ],
+ "Sender Reputation": [
+ {
+ "short_text": "Insignificant historical reputation with sender",
+ "full_text": "The sending email address hasn't established significant historical reputation with your domain"
+ },
+ {
+ "short_text": "Low-traffic 'From'-domain",
+ "full_text": "The sender's domain has very low traffic - often indicating low-trust domains"
+ }
+ ]
+ },
+ "reasons": [
+ "First Time Sender"
+ ]
+ },
+ "score": "52.964422",
+ "securityResultEntityId": "813f8857dc2b8edd5d6eae35e4c8a5c9",
+ "securityResultEntityType": "avanan_ap_scan",
+ "statusCode": "0",
+ "statusDescription": null,
+ "verdict": "clean"
+ }
+ ],
+ "dlp": [
+ {
+ "entityId": "813f8857dc2b8edd5d6eae35e4c8a5c9",
+ "entityType": "office365_emails_email",
+ "payload": {
+ "matches_dlp_rules": [],
+ "found_text": [],
+ "scan_details": [],
+ "hit_count": 0
+ },
+ "score": "0",
+ "securityResultEntityId": "813f8857dc2b8edd5d6eae35e4c8a5c9",
+ "securityResultEntityType": "avanan_dlp",
+ "statusCode": "0",
+ "statusDescription": "Clean",
+ "verdict": "clean"
+ }
+ ],
+ "clicktimeProtection": [
+ {
+ "entityId": "813f8857dc2b8edd5d6eae35e4c8a5c9",
+ "entityType": "office365_emails_email",
+ "payload": null,
+ "score": "0",
+ "securityResultEntityId": "813f8857dc2b8edd5d6eae35e4c8a5c9",
+ "securityResultEntityType": "clicktime_protection_scan",
+ "statusCode": "0",
+ "statusDescription": null,
+ "verdict": "malicious_url"
+ }
+ ],
+ "shadowIt": [
+ {
+ "entityId": "813f8857dc2b8edd5d6eae35e4c8a5c9",
+ "entityType": "office365_emails_email",
+ "payload": {
+ "subject": "AUT-clicktime-qa-1-blacklist_070823_04_01_19_505540",
+ "from": "Automation@avtestqa.com",
+ "domain": ""
+ },
+ "score": "0",
+ "securityResultEntityId": "813f8857dc2b8edd5d6eae35e4c8a5c9",
+ "securityResultEntityType": "shadow_it_emails_scan",
+ "statusCode": "clean",
+ "statusDescription": "Clean",
+ "verdict": "clean"
+ }
+ ],
+ "av": null
+ },
+ "entityActions": [
+ {
+ "entityActionName": "body_change",
+ "entityActionDate": "2023-08-07T01:01:27.656534Z",
+ "entityActionResponseCode": null,
+ "entityActionResponseText": null,
+ "entityActionState": "body_changed"
+ },
+ {
+ "entityActionName": "links_replace",
+ "entityActionDate": "2023-08-07T01:01:27.656534Z",
+ "entityActionResponseCode": null,
+ "entityActionResponseText": null,
+ "entityActionState": "links_replaced"
+ }
+ ],
+ "entityAvailableActions": []
+ },
+ {
+ "entityInfo": {
+ "entityId": "2ce0186f007a8bef228c02ab54e292c1",
+ "customerId": "prod-3-con-lab44",
+ "customerOem": "Avanan",
+ "saas": "office365_emails",
+ "saasEntityType": "office365_emails_email",
+ "entityCreated": "2023-08-07T01:04:54.388941Z",
+ "entityUpdated": "2023-08-07T01:05:00.694193Z",
+ "entityActionState": "links_replaced"
+ },
+ "entityPayload": {
+ "internetMessageId": "<01000189cd8667f2-92d1fe86-9587-436e-b849-78190f64989d-000000@email.amazonses.com>-alert",
+ "subject": "Phishing Alert! [aut_phish_prod3_17__070823_01_04_44_980095]",
+ "received": "2023-08-07T01:04:45Z",
+ "size": null,
+ "emailLinks": [
+ "http://operatf.xyz/redirect53dfhbhfhfhb"
+ ],
+ "attachmentCount": 0,
+ "attachments": [],
+ "mode": "inline",
+ "recipients": [
+ "user2@avananlab44.onmicrosoft.com"
+ ],
+ "fromEmail": "Automation@avtestqa.com",
+ "fromDomain": "avtestqa.com",
+ "fromUser": {},
+ "fromName": "",
+ "to": [
+ "user2@avananlab44.onmicrosoft.com"
+ ],
+ "toUser": [
+ {
+ "entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e",
+ "entity_type": "office365_emails_user",
+ "mail": null
+ }
+ ],
+ "cc": [],
+ "ccUser": [],
+ "bcc": [],
+ "bccUser": [],
+ "replyToEmail": null,
+ "replyToNickname": null,
+ "isRead": null,
+ "isDeleted": false,
+ "isIncoming": true,
+ "isInternal": false,
+ "isOutgoing": false,
+ "isQuarantined": false,
+ "isQuarantineNotification": false,
+ "isRestored": false,
+ "isRestoreRequested": false,
+ "isRestoreDeclined": false,
+ "saasSpamVerdict": "-1",
+ "SpfResult": "pass",
+ "restoreRequestTime": null
+ },
+ "entitySecurityResult": {
+ "combinedVerdict": {
+ "ap": "phishing",
+ "dlp": "clean",
+ "clicktimeProtection": "links_replaced",
+ "shadowIt": "clean",
+ "av": null
+ },
+ "ap": [
+ {
+ "entityId": "2ce0186f007a8bef228c02ab54e292c1",
+ "entityType": "office365_emails_email",
+ "payload": {
+ "reasons_by_category_list": [
+ "Email Headers",
+ "Domain Impersonation",
+ "Sender Reputation",
+ "Links"
+ ],
+ "reasons_by_category": {
+ "Links": [
+ {
+ "short_text": "Link to a low-traffic site",
+ "full_text": "The email contains link to low-traffic web-sites - often indicating low-trust domains"
+ }
+ ],
+ "Domain Impersonation": [
+ {
+ "short_text": "SPF check failed when checking sending IP: 10.10.10.10 for domain avtestqa.com",
+ "full_text": "The email 'from' address doesn't pass the SPF-check"
+ }
+ ],
+ "Sender Reputation": [
+ {
+ "short_text": "Insignificant historical reputation with sender",
+ "full_text": "The sending email address hasn't established significant historical reputation with your domain"
+ },
+ {
+ "short_text": "Low-traffic 'From'-domain",
+ "full_text": "The sender's domain has very low traffic - often indicating low-trust domains"
+ }
+ ],
+ "Email Headers": [
+ {
+ "short_text": "Missing DMARC",
+ "full_text": "The email's header suggest that DMARC signature is missing/invalid"
+ }
+ ]
+ },
+ "reasons": []
+ },
+ "score": "234.309006",
+ "securityResultEntityId": "2ce0186f007a8bef228c02ab54e292c1",
+ "securityResultEntityType": "avanan_ap_scan",
+ "statusCode": "0",
+ "statusDescription": null,
+ "verdict": "phishing"
+ }
+ ],
+ "dlp": [
+ {
+ "entityId": "2ce0186f007a8bef228c02ab54e292c1",
+ "entityType": "office365_emails_email",
+ "payload": {
+ "matches_dlp_rules": [],
+ "found_text": [],
+ "scan_details": [],
+ "hit_count": 0
+ },
+ "score": "0",
+ "securityResultEntityId": "2ce0186f007a8bef228c02ab54e292c1",
+ "securityResultEntityType": "avanan_dlp",
+ "statusCode": "0",
+ "statusDescription": "Clean",
+ "verdict": "clean"
+ }
+ ],
+ "clicktimeProtection": [
+ {
+ "entityId": "2ce0186f007a8bef228c02ab54e292c1",
+ "entityType": "office365_emails_email",
+ "payload": null,
+ "score": "0",
+ "securityResultEntityId": "2ce0186f007a8bef228c02ab54e292c1",
+ "securityResultEntityType": "clicktime_protection_scan",
+ "statusCode": "0",
+ "statusDescription": null,
+ "verdict": "links_replaced"
+ }
+ ],
+ "shadowIt": [
+ {
+ "entityId": "2ce0186f007a8bef228c02ab54e292c1",
+ "entityType": "office365_emails_email",
+ "payload": {
+ "from": "Automation@avtestqa.com",
+ "subject": "aut_phish_prod3_17__070823_01_04_44_980095",
+ "domain": ""
+ },
+ "score": "0",
+ "securityResultEntityId": "2ce0186f007a8bef228c02ab54e292c1",
+ "securityResultEntityType": "shadow_it_emails_scan",
+ "statusCode": "clean",
+ "statusDescription": "Clean",
+ "verdict": "clean"
+ }
+ ],
+ "av": null
+ },
+ "entityActions": [
+ {
+ "entityActionName": "subject_change",
+ "entityActionDate": "2023-08-07T01:04:54.388941Z",
+ "entityActionResponseCode": null,
+ "entityActionResponseText": null,
+ "entityActionState": "subject_changed"
+ },
+ {
+ "entityActionName": "body_change",
+ "entityActionDate": "2023-08-07T01:04:54.388941Z",
+ "entityActionResponseCode": null,
+ "entityActionResponseText": null,
+ "entityActionState": "body_changed"
+ },
+ {
+ "entityActionName": "links_replace",
+ "entityActionDate": "2023-08-07T01:04:54.388941Z",
+ "entityActionResponseCode": null,
+ "entityActionResponseText": null,
+ "entityActionState": "links_replaced"
+ }
+ ],
+ "entityAvailableActions": []
+ },
+ {
+ "entityInfo": {
+ "entityId": "adb34788c6b2173b21650bd63bcf75a8",
+ "customerId": "prod-3-con-lab44",
+ "customerOem": "Avanan",
+ "saas": "office365_emails",
+ "saasEntityType": "office365_emails_email",
+ "entityCreated": "2023-08-07T01:04:55.020706Z",
+ "entityUpdated": "2023-08-07T01:05:03.057577Z",
+ "entityActionState": null
+ },
+ "entityPayload": {
+ "internetMessageId": "<01000189cd8668b1-f5817e0a-2422-46f2-9a6a-e1f366c0fafb-000000@email.amazonses.com>",
+ "subject": "aut_clean_prod3_17__070823_01_04_45_188850",
+ "received": "2023-08-07T01:04:46Z",
+ "size": null,
+ "emailLinks": [],
+ "attachmentCount": 0,
+ "attachments": [],
+ "mode": "inline",
+ "recipients": [
+ "user2@avananlab44.onmicrosoft.com"
+ ],
+ "fromEmail": "Automation@avtestqa.com",
+ "fromDomain": "avtestqa.com",
+ "fromUser": {},
+ "fromName": "",
+ "to": [
+ "user2@avananlab44.onmicrosoft.com"
+ ],
+ "toUser": [
+ {
+ "entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e",
+ "entity_type": "office365_emails_user",
+ "mail": null
+ }
+ ],
+ "cc": [],
+ "ccUser": [],
+ "bcc": [],
+ "bccUser": [],
+ "replyToEmail": null,
+ "replyToNickname": null,
+ "isRead": null,
+ "isDeleted": false,
+ "isIncoming": true,
+ "isInternal": false,
+ "isOutgoing": false,
+ "isQuarantined": false,
+ "isQuarantineNotification": false,
+ "isRestored": false,
+ "isRestoreRequested": false,
+ "isRestoreDeclined": false,
+ "saasSpamVerdict": "-1",
+ "SpfResult": "pass",
+ "restoreRequestTime": null
+ },
+ "entitySecurityResult": {
+ "combinedVerdict": {
+ "ap": "clean",
+ "dlp": "clean",
+ "clicktimeProtection": "no_links_replaced",
+ "shadowIt": "clean",
+ "av": null
+ },
+ "ap": [
+ {
+ "entityId": "adb34788c6b2173b21650bd63bcf75a8",
+ "entityType": "office365_emails_email",
+ "payload": {
+ "reasons_by_category_list": [
+ "Email Headers",
+ "Domain Impersonation",
+ "Sender Reputation"
+ ],
+ "reasons_by_category": {
+ "Email Headers": [
+ {
+ "short_text": "Missing DMARC",
+ "full_text": "The email's header suggest that DMARC signature is missing/invalid"
+ }
+ ],
+ "Domain Impersonation": [
+ {
+ "short_text": "SPF check failed when checking sending IP: 10.10.10.10 for domain avtestqa.com",
+ "full_text": "The email 'from' address doesn't pass the SPF-check"
+ }
+ ],
+ "Sender Reputation": [
+ {
+ "short_text": "Insignificant historical reputation with sender",
+ "full_text": "The sending email address hasn't established significant historical reputation with your domain"
+ },
+ {
+ "short_text": "Low-traffic 'From'-domain",
+ "full_text": "The sender's domain has very low traffic - often indicating low-trust domains"
+ }
+ ]
+ },
+ "reasons": [
+ "First Time Sender"
+ ]
+ },
+ "score": "125.763193",
+ "securityResultEntityId": "adb34788c6b2173b21650bd63bcf75a8",
+ "securityResultEntityType": "avanan_ap_scan",
+ "statusCode": "0",
+ "statusDescription": null,
+ "verdict": "clean"
+ }
+ ],
+ "dlp": [
+ {
+ "entityId": "adb34788c6b2173b21650bd63bcf75a8",
+ "entityType": "office365_emails_email",
+ "payload": {
+ "matches_dlp_rules": [],
+ "found_text": [],
+ "scan_details": [],
+ "hit_count": 0
+ },
+ "score": "0",
+ "securityResultEntityId": "adb34788c6b2173b21650bd63bcf75a8",
+ "securityResultEntityType": "avanan_dlp",
+ "statusCode": "0",
+ "statusDescription": "Clean",
+ "verdict": "clean"
+ }
+ ],
+ "clicktimeProtection": [
+ {
+ "entityId": "adb34788c6b2173b21650bd63bcf75a8",
+ "entityType": "office365_emails_email",
+ "payload": null,
+ "score": "0",
+ "securityResultEntityId": "adb34788c6b2173b21650bd63bcf75a8",
+ "securityResultEntityType": "clicktime_protection_scan",
+ "statusCode": "0",
+ "statusDescription": null,
+ "verdict": "no_links_replaced"
+ }
+ ],
+ "shadowIt": [
+ {
+ "entityId": "adb34788c6b2173b21650bd63bcf75a8",
+ "entityType": "office365_emails_email",
+ "payload": {
+ "from": "Automation@avtestqa.com",
+ "subject": "aut_clean_prod3_17__070823_01_04_45_188850",
+ "domain": ""
+ },
+ "score": "0",
+ "securityResultEntityId": "adb34788c6b2173b21650bd63bcf75a8",
+ "securityResultEntityType": "shadow_it_emails_scan",
+ "statusCode": "clean",
+ "statusDescription": "Clean",
+ "verdict": "clean"
+ }
+ ],
+ "av": null
+ },
+ "entityActions": [],
+ "entityAvailableActions": []
+ },
+ {
+ "entityInfo": {
+ "entityId": "0386fd95a190b68d4092886b0a5f9067",
+ "customerId": "prod-3-con-lab44",
+ "customerOem": "Avanan",
+ "saas": "office365_emails",
+ "saasEntityType": "office365_emails_email",
+ "entityCreated": "2023-08-07T01:04:55.201147Z",
+ "entityUpdated": "2023-08-07T01:05:13.171380Z",
+ "entityActionState": "quarantined"
+ },
+ "entityPayload": {
+ "internetMessageId": "<01000189cd866710-4276d808-f1e0-4c77-a383-3adb901faadf-000000@email.amazonses.com>",
+ "subject": "aut_quar_prod3_17__070823_01_04_44_734694",
+ "received": "2023-08-07T01:04:46Z",
+ "size": null,
+ "emailLinks": [],
+ "attachmentCount": 1,
+ "attachments": [
+ {
+ "name": "avanan_malicious_21_070823_01_04_44_1691370284.pdf",
+ "mimetype": "application/pdf",
+ "size": 2073,
+ "MD5": "8a1ddab9304a47998cf441cd883194ad"
+ }
+ ],
+ "mode": "inline",
+ "recipients": [
+ "user2@avananlab44.onmicrosoft.com"
+ ],
+ "fromEmail": "Automation@avtestqa.com",
+ "fromDomain": "avtestqa.com",
+ "fromUser": {},
+ "fromName": "",
+ "to": [
+ "user2@avananlab44.onmicrosoft.com"
+ ],
+ "toUser": [
+ {
+ "entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e",
+ "entity_type": "office365_emails_user",
+ "mail": null
+ }
+ ],
+ "cc": [],
+ "ccUser": [],
+ "bcc": [],
+ "bccUser": [],
+ "replyToEmail": null,
+ "replyToNickname": null,
+ "isRead": null,
+ "isDeleted": true,
+ "isIncoming": true,
+ "isInternal": false,
+ "isOutgoing": false,
+ "isQuarantined": true,
+ "isQuarantineNotification": false,
+ "isRestored": false,
+ "isRestoreRequested": false,
+ "isRestoreDeclined": false,
+ "saasSpamVerdict": "-1",
+ "SpfResult": "pass",
+ "restoreRequestTime": null
+ },
+ "entitySecurityResult": {
+ "combinedVerdict": {
+ "ap": "clean",
+ "dlp": "clean",
+ "clicktimeProtection": "no_links_replaced",
+ "shadowIt": "clean",
+ "av": "malicious"
+ },
+ "ap": [
+ {
+ "entityId": "0386fd95a190b68d4092886b0a5f9067",
+ "entityType": "office365_emails_email",
+ "payload": {
+ "reasons_by_category_list": [
+ "Email Headers",
+ "Domain Impersonation",
+ "Sender Reputation"
+ ],
+ "reasons_by_category": {
+ "Email Headers": [
+ {
+ "short_text": "Missing DMARC",
+ "full_text": "The email's header suggest that DMARC signature is missing/invalid"
+ }
+ ],
+ "Domain Impersonation": [
+ {
+ "short_text": "SPF check failed when checking sending IP: 10.10.10.10 for domain avtestqa.com",
+ "full_text": "The email 'from' address doesn't pass the SPF-check"
+ }
+ ],
+ "Sender Reputation": [
+ {
+ "short_text": "Insignificant historical reputation with sender",
+ "full_text": "The sending email address hasn't established significant historical reputation with your domain"
+ },
+ {
+ "short_text": "Low-traffic 'From'-domain",
+ "full_text": "The sender's domain has very low traffic - often indicating low-trust domains"
+ }
+ ]
+ },
+ "reasons": [
+ "First Time Sender"
+ ]
+ },
+ "score": "39.256369",
+ "securityResultEntityId": "0386fd95a190b68d4092886b0a5f9067",
+ "securityResultEntityType": "avanan_ap_scan",
+ "statusCode": "0",
+ "statusDescription": null,
+ "verdict": "clean"
+ }
+ ],
+ "dlp": [
+ {
+ "entityId": "0386fd95a190b68d4092886b0a5f9067",
+ "entityType": "office365_emails_email",
+ "payload": {
+ "matches_dlp_rules": [],
+ "found_text": [],
+ "scan_details": [],
+ "hit_count": 0
+ },
+ "score": "0",
+ "securityResultEntityId": "0386fd95a190b68d4092886b0a5f9067",
+ "securityResultEntityType": "avanan_dlp",
+ "statusCode": "0",
+ "statusDescription": "Clean",
+ "verdict": "clean"
+ },
+ {
+ "entityId": "14ffb0b6ae7557aa9ae9d1b6824fe6ebe4ff63a9",
+ "entityType": "office365_emails_attachment",
+ "payload": {
+ "matches_dlp_rules": [],
+ "found_text": [],
+ "scan_details": [],
+ "hit_count": 0
+ },
+ "score": "0",
+ "securityResultEntityId": "14ffb0b6ae7557aa9ae9d1b6824fe6ebe4ff63a9",
+ "securityResultEntityType": "avanan_dlp",
+ "statusCode": "0",
+ "statusDescription": "Clean",
+ "verdict": "clean"
+ }
+ ],
+ "clicktimeProtection": [
+ {
+ "entityId": "0386fd95a190b68d4092886b0a5f9067",
+ "entityType": "office365_emails_email",
+ "payload": null,
+ "score": "0",
+ "securityResultEntityId": "0386fd95a190b68d4092886b0a5f9067",
+ "securityResultEntityType": "clicktime_protection_scan",
+ "statusCode": "0",
+ "statusDescription": null,
+ "verdict": "no_links_replaced"
+ }
+ ],
+ "shadowIt": [
+ {
+ "entityId": "0386fd95a190b68d4092886b0a5f9067",
+ "entityType": "office365_emails_email",
+ "payload": {
+ "from": "Automation@avtestqa.com",
+ "subject": "aut_quar_prod3_17__070823_01_04_44_734694",
+ "domain": ""
+ },
+ "score": "0",
+ "securityResultEntityId": "0386fd95a190b68d4092886b0a5f9067",
+ "securityResultEntityType": "shadow_it_emails_scan",
+ "statusCode": "clean",
+ "statusDescription": "Clean",
+ "verdict": "clean"
+ }
+ ],
+ "av": [
+ {
+ "entityId": "14ffb0b6ae7557aa9ae9d1b6824fe6ebe4ff63a9",
+ "entityType": "office365_emails_attachment",
+ "payload": {
+ "scan_details": [
+ "Dummy Core Detection"
+ ]
+ },
+ "score": "100",
+ "securityResultEntityId": "14ffb0b6ae7557aa9ae9d1b6824fe6ebe4ff63a9",
+ "securityResultEntityType": "checkpoint2",
+ "statusCode": "0",
+ "statusDescription": "Dummy Core Detection",
+ "verdict": "malicious"
+ }
+ ]
+ },
+ "entityActions": [
+ {
+ "entityActionName": "quarantine",
+ "entityActionDate": "2023-08-07T01:05:09.382124Z",
+ "entityActionResponseCode": null,
+ "entityActionResponseText": null,
+ "entityActionState": "quarantined"
+ }
+ ],
+ "entityAvailableActions": []
+ },
+ {
+ "entityInfo": {
+ "entityId": "ccbe60faf67e92360f44c3499ca3e07c",
+ "customerId": "prod-3-con-lab44",
+ "customerOem": "Avanan",
+ "saas": "office365_emails",
+ "saasEntityType": "office365_emails_email",
+ "entityCreated": "2023-08-07T01:04:56.515885Z",
+ "entityUpdated": "2023-08-07T01:05:09.451338Z",
+ "entityActionState": "body_changed"
+ },
+ "entityPayload": {
+ "internetMessageId": "<01000189cd86696e-0db2a1ca-4bd7-45ea-84a6-d377727cf16e-000000@email.amazonses.com>",
+ "subject": "Phishing Alert! [aut_phish_prod3_17__070823_01_04_45_385921]",
+ "received": "2023-08-07T01:04:46Z",
+ "size": null,
+ "emailLinks": [
+ "http://operatf.xyz/redirect53dfhbhfhfhb"
+ ],
+ "attachmentCount": 0,
+ "attachments": [],
+ "mode": "monitor",
+ "recipients": [
+ "user3@avananlab44.onmicrosoft.com"
+ ],
+ "fromEmail": "Automation@avtestqa.com",
+ "fromDomain": "avtestqa.com",
+ "fromUser": {},
+ "fromName": "",
+ "to": [
+ "user3@avananlab44.onmicrosoft.com"
+ ],
+ "toUser": [
+ {
+ "entity_id": "1ec5d519-54a5-40fa-9651-19d7286710df",
+ "entity_type": "office365_emails_user",
+ "mail": null
+ }
+ ],
+ "cc": [],
+ "ccUser": [],
+ "bcc": [],
+ "bccUser": [],
+ "replyToEmail": null,
+ "replyToNickname": null,
+ "isRead": null,
+ "isDeleted": false,
+ "isIncoming": true,
+ "isInternal": false,
+ "isOutgoing": false,
+ "isQuarantined": false,
+ "isQuarantineNotification": false,
+ "isRestored": false,
+ "isRestoreRequested": false,
+ "isRestoreDeclined": false,
+ "saasSpamVerdict": "-1",
+ "SpfResult": "pass",
+ "restoreRequestTime": null
+ },
+ "entitySecurityResult": {
+ "combinedVerdict": {
+ "ap": "phishing",
+ "dlp": null,
+ "clicktimeProtection": null,
+ "shadowIt": "clean",
+ "av": null
+ },
+ "ap": [
+ {
+ "entityId": "ccbe60faf67e92360f44c3499ca3e07c",
+ "entityType": "office365_emails_email",
+ "payload": {
+ "reasons_by_category_list": [
+ "Email Headers",
+ "Domain Impersonation",
+ "Sender Reputation",
+ "Links"
+ ],
+ "reasons_by_category": {
+ "Links": [
+ {
+ "short_text": "Link to a low-traffic site",
+ "full_text": "The email contains link to low-traffic web-sites - often indicating low-trust domains"
+ }
+ ],
+ "Domain Impersonation": [
+ {
+ "short_text": "SPF check failed when checking sending IP: 10.10.10.10 for domain avtestqa.com",
+ "full_text": "The email 'from' address doesn't pass the SPF-check"
+ }
+ ],
+ "Sender Reputation": [
+ {
+ "short_text": "Insignificant historical reputation with sender",
+ "full_text": "The sending email address hasn't established significant historical reputation with your domain"
+ },
+ {
+ "short_text": "Low-traffic 'From'-domain",
+ "full_text": "The sender's domain has very low traffic - often indicating low-trust domains"
+ }
+ ],
+ "Email Headers": [
+ {
+ "short_text": "Missing DMARC",
+ "full_text": "The email's header suggest that DMARC signature is missing/invalid"
+ }
+ ]
+ },
+ "reasons": []
+ },
+ "score": "207.210314",
+ "securityResultEntityId": "ccbe60faf67e92360f44c3499ca3e07c",
+ "securityResultEntityType": "avanan_ap_scan",
+ "statusCode": "0",
+ "statusDescription": null,
+ "verdict": "phishing"
+ }
+ ],
+ "dlp": null,
+ "clicktimeProtection": null,
+ "shadowIt": [
+ {
+ "entityId": "ccbe60faf67e92360f44c3499ca3e07c",
+ "entityType": "office365_emails_email",
+ "payload": {
+ "from": "Automation@avtestqa.com",
+ "subject": "aut_phish_prod3_17__070823_01_04_45_385921",
+ "domain": ""
+ },
+ "score": "0",
+ "securityResultEntityId": "ccbe60faf67e92360f44c3499ca3e07c",
+ "securityResultEntityType": "shadow_it_emails_scan",
+ "statusCode": "clean",
+ "statusDescription": "Clean",
+ "verdict": "clean"
+ }
+ ],
+ "av": null
+ },
+ "entityActions": [
+ {
+ "entityActionName": "subject_change",
+ "entityActionDate": "2023-08-07T01:04:56.515885Z",
+ "entityActionResponseCode": null,
+ "entityActionResponseText": null,
+ "entityActionState": "subject_changed"
+ },
+ {
+ "entityActionName": "body_change",
+ "entityActionDate": "2023-08-07T01:04:56.515885Z",
+ "entityActionResponseCode": null,
+ "entityActionResponseText": null,
+ "entityActionState": "body_changed"
+ }
+ ],
+ "entityAvailableActions": []
+ },
+ {
+ "entityInfo": {
+ "entityId": "9a9e1ba6c1444933f526209834a8405b",
+ "customerId": "prod-3-con-lab44",
+ "customerOem": "Avanan",
+ "saas": "office365_emails",
+ "saasEntityType": "office365_emails_email",
+ "entityCreated": "2023-08-07T01:04:56.520204Z",
+ "entityUpdated": "2023-08-07T01:05:05.980938Z",
+ "entityActionState": "quarantined"
+ },
+ "entityPayload": {
+ "internetMessageId": "<01000189cd866a54-5427d66d-4bc6-473e-bc8e-66e3ca107d18-000000@email.amazonses.com>",
+ "subject": "aut_quar_prod3_17__070823_01_04_45_506213",
+ "received": "2023-08-07T01:04:46Z",
+ "size": null,
+ "emailLinks": [],
+ "attachmentCount": 1,
+ "attachments": [
+ {
+ "name": "avanan_malicious_50_070823_01_04_45_1691370285.pdf",
+ "mimetype": "application/pdf",
+ "size": 2076,
+ "MD5": "f3506ac6586cd9f97b23707ea1bbcdc3"
+ }
+ ],
+ "mode": "monitor",
+ "recipients": [
+ "user3@avananlab44.onmicrosoft.com"
+ ],
+ "fromEmail": "Automation@avtestqa.com",
+ "fromDomain": "avtestqa.com",
+ "fromUser": {},
+ "fromName": "",
+ "to": [
+ "user3@avananlab44.onmicrosoft.com"
+ ],
+ "toUser": [
+ {
+ "entity_id": "1ec5d519-54a5-40fa-9651-19d7286710df",
+ "entity_type": "office365_emails_user",
+ "mail": null
+ }
+ ],
+ "cc": [],
+ "ccUser": [],
+ "bcc": [],
+ "bccUser": [],
+ "replyToEmail": null,
+ "replyToNickname": null,
+ "isRead": null,
+ "isDeleted": true,
+ "isIncoming": true,
+ "isInternal": false,
+ "isOutgoing": false,
+ "isQuarantined": true,
+ "isQuarantineNotification": false,
+ "isRestored": false,
+ "isRestoreRequested": false,
+ "isRestoreDeclined": false,
+ "saasSpamVerdict": "-1",
+ "SpfResult": "pass",
+ "restoreRequestTime": null
+ },
+ "entitySecurityResult": {
+ "combinedVerdict": {
+ "ap": "clean",
+ "dlp": null,
+ "clicktimeProtection": null,
+ "shadowIt": "clean",
+ "av": "malicious"
+ },
+ "ap": [
+ {
+ "entityId": "9a9e1ba6c1444933f526209834a8405b",
+ "entityType": "office365_emails_email",
+ "payload": {
+ "reasons_by_category_list": [
+ "Email Headers",
+ "Domain Impersonation",
+ "Sender Reputation"
+ ],
+ "reasons_by_category": {
+ "Email Headers": [
+ {
+ "short_text": "Missing DMARC",
+ "full_text": "The email's header suggest that DMARC signature is missing/invalid"
+ }
+ ],
+ "Domain Impersonation": [
+ {
+ "short_text": "SPF check failed when checking sending IP: 10.10.10.10 for domain avtestqa.com",
+
"full_text": "The email 'from' address doesn't pass the SPF-check" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "34.122053", + "securityResultEntityId": "9a9e1ba6c1444933f526209834a8405b", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "clean" + } + ], + "dlp": null, + "clicktimeProtection": null, + "shadowIt": [ + { + "entityId": "9a9e1ba6c1444933f526209834a8405b", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "aut_quar_prod3_17__070823_01_04_45_506213", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "9a9e1ba6c1444933f526209834a8405b", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": [ + { + "entityId": "db7640f87e8fcc166ee737bc769b103260e8c7a5", + "entityType": "office365_emails_attachment", + "payload": { + "scan_details": [ + "Dummy Core Detection" + ] + }, + "score": "100", + "securityResultEntityId": "db7640f87e8fcc166ee737bc769b103260e8c7a5", + "securityResultEntityType": "checkpoint2", + "statusCode": "0", + "statusDescription": "Dummy Core Detection", + "verdict": "malicious" + } + ] + }, + "entityActions": [ + { + "entityActionName": "quarantine", + "entityActionDate": "2023-08-07T01:05:05.765986Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "quarantined" + } + ], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "ebb837acc2552bf71e2efe90a2544a49", + 
"customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T01:08:30.025500Z", + "entityUpdated": "2023-08-07T01:13:32.538105Z", + "entityActionState": null + }, + "entityPayload": { + "internetMessageId": "<01000189cd89c0b0-9ac33532-b80a-4b8e-b392-3baf2b9b6213-000000@email.amazonses.com>", + "subject": "aut_clean_prod3_17__070823_01_08_24_320854", + "received": "2023-08-07T01:08:25Z", + "size": null, + "emailLinks": [], + "attachmentCount": 0, + "attachments": [], + "mode": "inline", + "recipients": [ + "user4@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user4@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "37bf0b54-5136-49e7-82c8-58f85d42b333", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": null, + "replyToNickname": null, + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": true, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": null, + "clicktimeProtection": null, + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "ebb837acc2552bf71e2efe90a2544a49", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Domain Impersonation", + "Sender Reputation" + ], + "reasons_by_category": { + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ], + "Domain Impersonation": [ + { + 
"short_text": "SPF check failed when checking sending IP: 10.10.10.10 for domain avtestqa.com", + "full_text": "The email 'from' address doesn't pass the SPF-check" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "108.677335", + "securityResultEntityId": "ebb837acc2552bf71e2efe90a2544a49", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "clean" + } + ], + "dlp": null, + "clicktimeProtection": null, + "shadowIt": [ + { + "entityId": "ebb837acc2552bf71e2efe90a2544a49", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "aut_clean_prod3_17__070823_01_08_24_320854", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "ebb837acc2552bf71e2efe90a2544a49", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "a18ca9708c1fc1da749c5a23c08fb0bc", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T01:11:22.664337Z", + "entityUpdated": "2023-08-07T01:11:29.658947Z", + "entityActionState": "links_replaced" + }, + "entityPayload": { + "internetMessageId": "<00000000.00000000000000.00000000000000.00000000@mail.example.com>", + "subject": "AUT-clicktime-qa-1-whitelist_070823_04_11_18_450645", + "received": "2023-08-07T01:11:19Z", + "size": null, + 
"emailLinks": [ + "http://www.xvirb-malwareavrad.com" + ], + "attachmentCount": 0, + "attachments": [], + "mode": "inline", + "recipients": [ + "user2@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user2@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": "Automation@avtestqa.com", + "replyToNickname": "", + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": "clean", + "clicktimeProtection": "links_replaced", + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "a18ca9708c1fc1da749c5a23c08fb0bc", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Sender Reputation", + "Links" + ], + "reasons_by_category": { + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ], + "Links": [ + { + "short_text": "Link to a low-traffic site", + "full_text": "The email contains link to low-traffic web-sites - often indicating low-trust domains" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low 
traffic - often indicating low-trust domains" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "148.308417", + "securityResultEntityId": "a18ca9708c1fc1da749c5a23c08fb0bc", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "clean" + } + ], + "dlp": [ + { + "entityId": "a18ca9708c1fc1da749c5a23c08fb0bc", + "entityType": "office365_emails_email", + "payload": { + "matches_dlp_rules": [], + "found_text": [], + "scan_details": [], + "hit_count": 0 + }, + "score": "0", + "securityResultEntityId": "a18ca9708c1fc1da749c5a23c08fb0bc", + "securityResultEntityType": "avanan_dlp", + "statusCode": "0", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "clicktimeProtection": [ + { + "entityId": "a18ca9708c1fc1da749c5a23c08fb0bc", + "entityType": "office365_emails_email", + "payload": null, + "score": "0", + "securityResultEntityId": "a18ca9708c1fc1da749c5a23c08fb0bc", + "securityResultEntityType": "clicktime_protection_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "links_replaced" + } + ], + "shadowIt": [ + { + "entityId": "a18ca9708c1fc1da749c5a23c08fb0bc", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "AUT-clicktime-qa-1-whitelist_070823_04_11_18_450645", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "a18ca9708c1fc1da749c5a23c08fb0bc", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [ + { + "entityActionName": "body_change", + "entityActionDate": "2023-08-07T01:11:22.664337Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "body_changed" + }, + { + "entityActionName": "links_replace", + "entityActionDate": "2023-08-07T01:11:22.664337Z", + "entityActionResponseCode": null, + "entityActionResponseText": 
null, + "entityActionState": "links_replaced" + } + ], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "62b922c1027893bb2b65e005e87c3095", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T01:11:22.985852Z", + "entityUpdated": "2023-08-07T01:14:55.878047Z", + "entityActionState": "links_replaced" + }, + "entityPayload": { + "internetMessageId": "<00000000.00000000000000.00000000000000.00000000@mail.example.com>", + "subject": "AUT-clicktime-qa-1-blacklist_070823_04_11_18_860261", + "received": "2023-08-07T01:11:19Z", + "size": null, + "emailLinks": [ + "https://facebook.com" + ], + "attachmentCount": 0, + "attachments": [], + "mode": "inline", + "recipients": [ + "user2@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user2@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": "Automation@avtestqa.com", + "replyToNickname": "", + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": "clean", + "clicktimeProtection": "malicious_url", + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "62b922c1027893bb2b65e005e87c3095", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Sender Reputation" + ], + 
"reasons_by_category": { + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "52.964422", + "securityResultEntityId": "62b922c1027893bb2b65e005e87c3095", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "clean" + } + ], + "dlp": [ + { + "entityId": "62b922c1027893bb2b65e005e87c3095", + "entityType": "office365_emails_email", + "payload": { + "matches_dlp_rules": [], + "found_text": [], + "scan_details": [], + "hit_count": 0 + }, + "score": "0", + "securityResultEntityId": "62b922c1027893bb2b65e005e87c3095", + "securityResultEntityType": "avanan_dlp", + "statusCode": "0", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "clicktimeProtection": [ + { + "entityId": "62b922c1027893bb2b65e005e87c3095", + "entityType": "office365_emails_email", + "payload": null, + "score": "0", + "securityResultEntityId": "62b922c1027893bb2b65e005e87c3095", + "securityResultEntityType": "clicktime_protection_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "malicious_url" + } + ], + "shadowIt": [ + { + "entityId": "62b922c1027893bb2b65e005e87c3095", + "entityType": "office365_emails_email", + "payload": { + "subject": "AUT-clicktime-qa-1-blacklist_070823_04_11_18_860261", + "from": "Automation@avtestqa.com", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "62b922c1027893bb2b65e005e87c3095", + "securityResultEntityType": "shadow_it_emails_scan", + 
"statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [ + { + "entityActionName": "body_change", + "entityActionDate": "2023-08-07T01:11:22.985852Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "body_changed" + }, + { + "entityActionName": "links_replace", + "entityActionDate": "2023-08-07T01:11:22.985852Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "links_replaced" + } + ], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "63beff0cc4104b4009f20c3f597ed8b5", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T01:11:23.060534Z", + "entityUpdated": "2023-08-07T01:11:30.856636Z", + "entityActionState": "quarantined" + }, + "entityPayload": { + "internetMessageId": "<00000000.00000000000000.00000000000000.00000000@mail.example.com>", + "subject": "AUT-clicktime-qa-1_070823_04_11_17_763736", + "received": "2023-08-07T01:11:18Z", + "size": null, + "emailLinks": [ + "http://www.xvira-malwareavrad.com", + "https://google.com", + "https://stackoverflow.com" + ], + "attachmentCount": 0, + "attachments": [], + "mode": "inline", + "recipients": [ + "user2@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user2@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": "Automation@avtestqa.com", + "replyToNickname": "", + "isRead": null, + "isDeleted": true, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": true, + "isQuarantineNotification": 
false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "spam", + "dlp": "clean", + "clicktimeProtection": "links_replaced", + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "63beff0cc4104b4009f20c3f597ed8b5", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "O365 clarifications", + "Email Headers", + "Sender Reputation", + "Links", + "Email Text" + ], + "reasons_by_category": { + "Links": [ + { + "short_text": "Link to a low-traffic site", + "full_text": "The email contains link to low-traffic web-sites - often indicating low-trust domains" + }, + { + "short_text": "Suspicious-looking link", + "full_text": "The email presents a link that can be misleading (link text vs. actual URL)" + } + ], + "O365 clarifications": [ + { + "short_text": "Microsoft SCL value was -1", + "full_text": "Microsoft SCL value was -1" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ], + "Email Text": [ + { + "short_text": "Suspicious-looking email text", + "full_text": "NLP analysis of the email text indicates a suspicious-looking email content" + } + ], + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ] + }, + "reasons": [] + }, + "score": "275.646318", + "securityResultEntityId": "63beff0cc4104b4009f20c3f597ed8b5", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "spam" + } 
+ ], + "dlp": [ + { + "entityId": "63beff0cc4104b4009f20c3f597ed8b5", + "entityType": "office365_emails_email", + "payload": { + "matches_dlp_rules": [], + "found_text": [], + "scan_details": [], + "hit_count": 0 + }, + "score": "0", + "securityResultEntityId": "63beff0cc4104b4009f20c3f597ed8b5", + "securityResultEntityType": "avanan_dlp", + "statusCode": "0", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "clicktimeProtection": [ + { + "entityId": "63beff0cc4104b4009f20c3f597ed8b5", + "entityType": "office365_emails_email", + "payload": null, + "score": "0", + "securityResultEntityId": "63beff0cc4104b4009f20c3f597ed8b5", + "securityResultEntityType": "clicktime_protection_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "links_replaced" + } + ], + "shadowIt": [ + { + "entityId": "63beff0cc4104b4009f20c3f597ed8b5", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "AUT-clicktime-qa-1_070823_04_11_17_763736", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "63beff0cc4104b4009f20c3f597ed8b5", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [ + { + "entityActionName": "quarantine", + "entityActionDate": "2023-08-07T01:11:30.019896Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "quarantined" + } + ], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "c5938cac8f1e7dbafaafbe880c462128", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T01:11:23.285730Z", + "entityUpdated": "2023-08-07T01:11:30.676056Z", + "entityActionState": "links_replaced" + }, + "entityPayload": { + "internetMessageId": 
"<00000000.00000000000000.00000000000000.00000000@mail.example.com>", + "subject": "AUT-clicktime-qa-1-special-urls_070823_04_11_19_284114", + "received": "2023-08-07T01:11:20Z", + "size": null, + "emailLinks": [ + "https://hengold.github.io/clicktime_url/?url=!*", + "https://hengold.github.io/clicktime_url/?url=!*'();:@&=+$,/?%#[]/", + "https://hengold.github.io/clicktime_url/?\u043f\u0440\u0430\u0432\u0438\u0442\u0435\u043b\u044c\u0441\u0442\u0432\u043e/", + "https://hengold.github.io/clicktime_url/?\u05d1\u05e2\u05d1\u05e8\u05d9\u05ea/", + "https://hengold.github.io/clicktime_url/?\u4e2d\u6587/" + ], + "attachmentCount": 0, + "attachments": [], + "mode": "inline", + "recipients": [ + "user2@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user2@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": "Automation@avtestqa.com", + "replyToNickname": "", + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": "clean", + "clicktimeProtection": "links_replaced", + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "c5938cac8f1e7dbafaafbe880c462128", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Sender Reputation", + "Links" + ], + "reasons_by_category": { + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's 
header suggest that DMARC signature is missing/invalid" + } + ], + "Links": [ + { + "short_text": "Suspicious-looking link", + "full_text": "Some of the links in the email has suspicious format - often used by Phishing emails" + }, + { + "short_text": "Link to a low-traffic site", + "full_text": "The email contains link to low-traffic web-sites - often indicating low-trust domains" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "45.599355", + "securityResultEntityId": "c5938cac8f1e7dbafaafbe880c462128", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "clean" + } + ], + "dlp": [ + { + "entityId": "c5938cac8f1e7dbafaafbe880c462128", + "entityType": "office365_emails_email", + "payload": { + "matches_dlp_rules": [], + "found_text": [], + "scan_details": [], + "hit_count": 0 + }, + "score": "0", + "securityResultEntityId": "c5938cac8f1e7dbafaafbe880c462128", + "securityResultEntityType": "avanan_dlp", + "statusCode": "0", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "clicktimeProtection": [ + { + "entityId": "c5938cac8f1e7dbafaafbe880c462128", + "entityType": "office365_emails_email", + "payload": null, + "score": "0", + "securityResultEntityId": "c5938cac8f1e7dbafaafbe880c462128", + "securityResultEntityType": "clicktime_protection_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "links_replaced" + } + ], + "shadowIt": [ + { + "entityId": "c5938cac8f1e7dbafaafbe880c462128", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": 
"AUT-clicktime-qa-1-special-urls_070823_04_11_19_284114", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "c5938cac8f1e7dbafaafbe880c462128", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [ + { + "entityActionName": "body_change", + "entityActionDate": "2023-08-07T01:11:23.285730Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "body_changed" + }, + { + "entityActionName": "links_replace", + "entityActionDate": "2023-08-07T01:11:23.285730Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "links_replaced" + } + ], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "3dea53e0acbbe5fbd1c46102fa30f2f4", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T01:11:26.192797Z", + "entityUpdated": "2023-08-07T01:11:39.423173Z", + "entityActionState": null + }, + "entityPayload": { + "internetMessageId": "<00000000.00000000000000.00000000000000.00000000@mail.example.com>", + "subject": "AUT-clicktime-qa-1-ignorelist_070823_04_11_18_114733", + "received": "2023-08-07T01:11:18Z", + "size": null, + "emailLinks": [ + "https://mail.google.com", + "https://www.youtube.com", + "https://yardiasp14.com" + ], + "attachmentCount": 0, + "attachments": [], + "mode": "inline", + "recipients": [ + "user2@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user2@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": 
"Automation@avtestqa.com", + "replyToNickname": "", + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": "clean", + "clicktimeProtection": "no_links_replaced", + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "3dea53e0acbbe5fbd1c46102fa30f2f4", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Sender Reputation" + ], + "reasons_by_category": { + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "68.697515", + "securityResultEntityId": "3dea53e0acbbe5fbd1c46102fa30f2f4", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "clean" + } + ], + "dlp": [ + { + "entityId": "3dea53e0acbbe5fbd1c46102fa30f2f4", + "entityType": "office365_emails_email", + "payload": { + "matches_dlp_rules": [], + "found_text": [], + "scan_details": [], + "hit_count": 0 + }, + "score": "0", + "securityResultEntityId": "3dea53e0acbbe5fbd1c46102fa30f2f4", + "securityResultEntityType": "avanan_dlp", + "statusCode": "0", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + 
"clicktimeProtection": [ + { + "entityId": "3dea53e0acbbe5fbd1c46102fa30f2f4", + "entityType": "office365_emails_email", + "payload": null, + "score": "0", + "securityResultEntityId": "3dea53e0acbbe5fbd1c46102fa30f2f4", + "securityResultEntityType": "clicktime_protection_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "no_links_replaced" + } + ], + "shadowIt": [ + { + "entityId": "3dea53e0acbbe5fbd1c46102fa30f2f4", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "AUT-clicktime-qa-1-ignorelist_070823_04_11_18_114733", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "3dea53e0acbbe5fbd1c46102fa30f2f4", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "292a704793170989d9eddf3c06106a55", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T01:14:26.523104Z", + "entityUpdated": "2023-08-07T01:14:41.409973Z", + "entityActionState": "links_replaced" + }, + "entityPayload": { + "internetMessageId": "<01000189cd8f2732-bedd5da4-9950-4b5c-bc4f-d200c25a5a27-000000@email.amazonses.com>-alert", + "subject": "Phishing Alert! 
[aut_phish_prod3_17__070823_01_14_18_245274]", + "received": "2023-08-07T01:14:20Z", + "size": null, + "emailLinks": [ + "http://operatf.xyz/redirect53dfhbhfhfhb" + ], + "attachmentCount": 0, + "attachments": [], + "mode": "inline", + "recipients": [ + "user2@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user2@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": null, + "replyToNickname": null, + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "phishing", + "dlp": "clean", + "clicktimeProtection": "links_replaced", + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "292a704793170989d9eddf3c06106a55", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Domain Impersonation", + "Sender Reputation", + "Links" + ], + "reasons_by_category": { + "Links": [ + { + "short_text": "Link to a low-traffic site", + "full_text": "The email contains link to low-traffic web-sites - often indicating low-trust domains" + } + ], + "Domain Impersonation": [ + { + "short_text": "SPF check failed when checking sending IP: 10.10.10.10 for domain avtestqa.com", + "full_text": "The email 'from' address doesn't pass the SPF-check" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email 
address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ], + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ] + }, + "reasons": [] + }, + "score": "234.309006", + "securityResultEntityId": "292a704793170989d9eddf3c06106a55", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "phishing" + } + ], + "dlp": [ + { + "entityId": "292a704793170989d9eddf3c06106a55", + "entityType": "office365_emails_email", + "payload": { + "matches_dlp_rules": [], + "found_text": [], + "scan_details": [], + "hit_count": 0 + }, + "score": "0", + "securityResultEntityId": "292a704793170989d9eddf3c06106a55", + "securityResultEntityType": "avanan_dlp", + "statusCode": "0", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "clicktimeProtection": [ + { + "entityId": "292a704793170989d9eddf3c06106a55", + "entityType": "office365_emails_email", + "payload": null, + "score": "0", + "securityResultEntityId": "292a704793170989d9eddf3c06106a55", + "securityResultEntityType": "clicktime_protection_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "links_replaced" + } + ], + "shadowIt": [ + { + "entityId": "292a704793170989d9eddf3c06106a55", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "aut_phish_prod3_17__070823_01_14_18_245274", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "292a704793170989d9eddf3c06106a55", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [ + { + "entityActionName": "subject_change", + "entityActionDate": 
"2023-08-07T01:14:26.523104Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "subject_changed" + }, + { + "entityActionName": "body_change", + "entityActionDate": "2023-08-07T01:14:26.523104Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "body_changed" + }, + { + "entityActionName": "links_replace", + "entityActionDate": "2023-08-07T01:14:26.523104Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "links_replaced" + } + ], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "9b2313721d0cc4101c3c0e3746b4d78c", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T01:14:26.725693Z", + "entityUpdated": "2023-08-07T01:14:38.582875Z", + "entityActionState": null + }, + "entityPayload": { + "internetMessageId": "<01000189cd8f27c5-b0fa1044-1b18-464f-869b-ec00f3f65baa-000000@email.amazonses.com>", + "subject": "aut_clean_prod3_17__070823_01_14_18_393995", + "received": "2023-08-07T01:14:19Z", + "size": null, + "emailLinks": [], + "attachmentCount": 0, + "attachments": [], + "mode": "inline", + "recipients": [ + "user2@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user2@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": null, + "replyToNickname": null, + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + 
"isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": "clean", + "clicktimeProtection": "no_links_replaced", + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "9b2313721d0cc4101c3c0e3746b4d78c", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Domain Impersonation", + "Sender Reputation" + ], + "reasons_by_category": { + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ], + "Domain Impersonation": [ + { + "short_text": "SPF check failed when checking sending IP: 10.10.10.10 for domain avtestqa.com", + "full_text": "The email 'from' address doesn't pass the SPF-check" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "112.199243", + "securityResultEntityId": "9b2313721d0cc4101c3c0e3746b4d78c", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "clean" + } + ], + "dlp": [ + { + "entityId": "9b2313721d0cc4101c3c0e3746b4d78c", + "entityType": "office365_emails_email", + "payload": { + "matches_dlp_rules": [], + "found_text": [], + "scan_details": [], + "hit_count": 0 + }, + "score": "0", + "securityResultEntityId": "9b2313721d0cc4101c3c0e3746b4d78c", + "securityResultEntityType": "avanan_dlp", + "statusCode": "0", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "clicktimeProtection": [ + { + "entityId": 
"9b2313721d0cc4101c3c0e3746b4d78c", + "entityType": "office365_emails_email", + "payload": null, + "score": "0", + "securityResultEntityId": "9b2313721d0cc4101c3c0e3746b4d78c", + "securityResultEntityType": "clicktime_protection_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "no_links_replaced" + } + ], + "shadowIt": [ + { + "entityId": "9b2313721d0cc4101c3c0e3746b4d78c", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "aut_clean_prod3_17__070823_01_14_18_393995", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "9b2313721d0cc4101c3c0e3746b4d78c", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "e23f5137a03bc0c9f3d934d6ab65af37", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T01:14:27.139177Z", + "entityUpdated": "2023-08-07T01:14:39.789466Z", + "entityActionState": "quarantined" + }, + "entityPayload": { + "internetMessageId": "<01000189cd8f268e-83e08a30-5caf-4fb3-9825-97fbde4bd126-000000@email.amazonses.com>", + "subject": "aut_quar_prod3_17__070823_01_14_18_072262", + "received": "2023-08-07T01:14:19Z", + "size": null, + "emailLinks": [], + "attachmentCount": 1, + "attachments": [ + { + "name": "avanan_malicious_23_070823_01_14_18_1691370858.pdf", + "mimetype": "application/pdf", + "size": 2064, + "MD5": "66a4d7541cbde9f76e3edfdd35c88ee2" + } + ], + "mode": "inline", + "recipients": [ + "user2@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user2@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": 
"04df0456-6328-4cfe-a285-e41e3d035e9e", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": null, + "replyToNickname": null, + "isRead": null, + "isDeleted": true, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": true, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": "clean", + "clicktimeProtection": "no_links_replaced", + "shadowIt": "clean", + "av": "malicious" + }, + "ap": [ + { + "entityId": "e23f5137a03bc0c9f3d934d6ab65af37", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Domain Impersonation", + "Sender Reputation" + ], + "reasons_by_category": { + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ], + "Domain Impersonation": [ + { + "short_text": "SPF check failed when checking sending IP: 10.10.10.10 for domain avtestqa.com", + "full_text": "The email 'from' address doesn't pass the SPF-check" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "38.152973", + "securityResultEntityId": "e23f5137a03bc0c9f3d934d6ab65af37", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "clean" + } + ], + "dlp": [ + { + 
"entityId": "e23f5137a03bc0c9f3d934d6ab65af37", + "entityType": "office365_emails_email", + "payload": { + "matches_dlp_rules": [], + "found_text": [], + "scan_details": [], + "hit_count": 0 + }, + "score": "0", + "securityResultEntityId": "e23f5137a03bc0c9f3d934d6ab65af37", + "securityResultEntityType": "avanan_dlp", + "statusCode": "0", + "statusDescription": "Clean", + "verdict": "clean" + }, + { + "entityId": "dd9ede8b2b3b84ff06935d0d27f307f376f22c3f", + "entityType": "office365_emails_attachment", + "payload": { + "matches_dlp_rules": [], + "found_text": [], + "scan_details": [], + "hit_count": 0 + }, + "score": "0", + "securityResultEntityId": "dd9ede8b2b3b84ff06935d0d27f307f376f22c3f", + "securityResultEntityType": "avanan_dlp", + "statusCode": "0", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "clicktimeProtection": [ + { + "entityId": "e23f5137a03bc0c9f3d934d6ab65af37", + "entityType": "office365_emails_email", + "payload": null, + "score": "0", + "securityResultEntityId": "e23f5137a03bc0c9f3d934d6ab65af37", + "securityResultEntityType": "clicktime_protection_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "no_links_replaced" + } + ], + "shadowIt": [ + { + "entityId": "e23f5137a03bc0c9f3d934d6ab65af37", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "aut_quar_prod3_17__070823_01_14_18_072262", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "e23f5137a03bc0c9f3d934d6ab65af37", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": [ + { + "entityId": "dd9ede8b2b3b84ff06935d0d27f307f376f22c3f", + "entityType": "office365_emails_attachment", + "payload": { + "scan_details": [ + "Dummy Core Detection" + ] + }, + "score": "100", + "securityResultEntityId": "dd9ede8b2b3b84ff06935d0d27f307f376f22c3f", + "securityResultEntityType": "checkpoint2", + 
"statusCode": "0", + "statusDescription": "Dummy Core Detection", + "verdict": "malicious" + } + ] + }, + "entityActions": [ + { + "entityActionName": "quarantine", + "entityActionDate": "2023-08-07T01:14:38.000385Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "quarantined" + } + ], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "1cfd1fadcf25fdf2a59192d54b465683", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T01:14:29.537222Z", + "entityUpdated": "2023-08-07T01:14:39.726531Z", + "entityActionState": "body_changed" + }, + "entityPayload": { + "internetMessageId": "<01000189cd8f285b-f596252e-dae6-4d37-a48b-3b7f3962dd48-000000@email.amazonses.com>", + "subject": "Phishing Alert! [aut_phish_prod3_17__070823_01_14_18_542558]", + "received": "2023-08-07T01:14:19Z", + "size": null, + "emailLinks": [ + "http://operatf.xyz/redirect53dfhbhfhfhb" + ], + "attachmentCount": 0, + "attachments": [], + "mode": "monitor", + "recipients": [ + "user3@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user3@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "1ec5d519-54a5-40fa-9651-19d7286710df", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": null, + "replyToNickname": null, + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": 
"phishing", + "dlp": null, + "clicktimeProtection": null, + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "1cfd1fadcf25fdf2a59192d54b465683", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Domain Impersonation", + "Sender Reputation", + "Links" + ], + "reasons_by_category": { + "Links": [ + { + "short_text": "Link to a low-traffic site", + "full_text": "The email contains link to low-traffic web-sites - often indicating low-trust domains" + } + ], + "Domain Impersonation": [ + { + "short_text": "SPF check failed when checking sending IP: 10.10.10.10 for domain avtestqa.com", + "full_text": "The email 'from' address doesn't pass the SPF-check" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ], + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ] + }, + "reasons": [] + }, + "score": "230.313577", + "securityResultEntityId": "1cfd1fadcf25fdf2a59192d54b465683", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "phishing" + } + ], + "dlp": null, + "clicktimeProtection": null, + "shadowIt": [ + { + "entityId": "1cfd1fadcf25fdf2a59192d54b465683", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "aut_phish_prod3_17__070823_01_14_18_542558", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "1cfd1fadcf25fdf2a59192d54b465683", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + 
"verdict": "clean" + } + ], + "av": null + }, + "entityActions": [ + { + "entityActionName": "subject_change", + "entityActionDate": "2023-08-07T01:14:29.537222Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "subject_changed" + }, + { + "entityActionName": "body_change", + "entityActionDate": "2023-08-07T01:14:29.537222Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "body_changed" + } + ], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "27ad96048d30d3964a0a031a42b3ed3f", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T01:14:31.049314Z", + "entityUpdated": "2023-08-07T01:14:38.413831Z", + "entityActionState": "quarantined" + }, + "entityPayload": { + "internetMessageId": "<01000189cd8f28df-9fbc757f-d4c9-4c7d-bd23-da235cddcf4f-000000@email.amazonses.com>", + "subject": "aut_quar_prod3_17__070823_01_14_18_669295", + "received": "2023-08-07T01:14:19Z", + "size": null, + "emailLinks": [], + "attachmentCount": 1, + "attachments": [ + { + "name": "avanan_malicious_49_070823_01_14_18_1691370858.pdf", + "mimetype": "application/pdf", + "size": 2065, + "MD5": "99fb19b41c9c7cfea1eda8596ba29c22" + } + ], + "mode": "monitor", + "recipients": [ + "user3@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user3@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "1ec5d519-54a5-40fa-9651-19d7286710df", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": null, + "replyToNickname": null, + "isRead": null, + "isDeleted": true, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": true, + 
"isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": null, + "clicktimeProtection": null, + "shadowIt": "clean", + "av": "malicious" + }, + "ap": [ + { + "entityId": "27ad96048d30d3964a0a031a42b3ed3f", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Domain Impersonation", + "Sender Reputation" + ], + "reasons_by_category": { + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ], + "Domain Impersonation": [ + { + "short_text": "SPF check failed when checking sending IP: 10.10.10.10 for domain avtestqa.com", + "full_text": "The email 'from' address doesn't pass the SPF-check" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "37.394969", + "securityResultEntityId": "27ad96048d30d3964a0a031a42b3ed3f", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "clean" + } + ], + "dlp": null, + "clicktimeProtection": null, + "shadowIt": [ + { + "entityId": "27ad96048d30d3964a0a031a42b3ed3f", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "aut_quar_prod3_17__070823_01_14_18_669295", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "27ad96048d30d3964a0a031a42b3ed3f", + 
"securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": [ + { + "entityId": "eab9214c29c587d370ce71a1e888b954821ae161", + "entityType": "office365_emails_attachment", + "payload": { + "scan_details": [ + "Dummy Core Detection" + ] + }, + "score": "100", + "securityResultEntityId": "eab9214c29c587d370ce71a1e888b954821ae161", + "securityResultEntityType": "checkpoint2", + "statusCode": "0", + "statusDescription": "Dummy Core Detection", + "verdict": "malicious" + } + ] + }, + "entityActions": [ + { + "entityActionName": "quarantine", + "entityActionDate": "2023-08-07T01:14:38.167717Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "quarantined" + } + ], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "4d2a66b2c4cf412d28d476c25f20e7ab", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T01:15:03.933095Z", + "entityUpdated": "2023-08-07T01:15:08.933362Z", + "entityActionState": null + }, + "entityPayload": { + "internetMessageId": "<00000000.00000000000000.00000000000000.00000000@mail.example.com>", + "subject": "AUT-clean-qa1-4-_070823_01_14_55_462368", + "received": "2023-08-07T01:14:56Z", + "size": null, + "emailLinks": [], + "attachmentCount": 0, + "attachments": [], + "mode": "monitor", + "recipients": [ + "user3@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user3@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "1ec5d519-54a5-40fa-9651-19d7286710df", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": "Automation@avtestqa.com", + "replyToNickname": "", + "isRead": null, 
+ "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": null, + "clicktimeProtection": null, + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "4d2a66b2c4cf412d28d476c25f20e7ab", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Sender Reputation" + ], + "reasons_by_category": { + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "42.792424", + "securityResultEntityId": "4d2a66b2c4cf412d28d476c25f20e7ab", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "clean" + } + ], + "dlp": null, + "clicktimeProtection": null, + "shadowIt": [ + { + "entityId": "4d2a66b2c4cf412d28d476c25f20e7ab", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "AUT-clean-qa1-4-_070823_01_14_55_462368", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "4d2a66b2c4cf412d28d476c25f20e7ab", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + 
"av": null + }, + "entityActions": [], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "a7b57135b3d89dba6755b0234ad40a13", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T01:18:40.645095Z", + "entityUpdated": "2023-08-07T01:23:41.527697Z", + "entityActionState": null + }, + "entityPayload": { + "internetMessageId": "<01000189cd92f9f4-5213674b-0b60-4cbc-9df2-fb401285d5ec-000000@email.amazonses.com>", + "subject": "aut_clean_prod3_17__070823_01_18_28_801633", + "received": "2023-08-07T01:18:30Z", + "size": null, + "emailLinks": [], + "attachmentCount": 0, + "attachments": [], + "mode": "inline", + "recipients": [ + "user4@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user4@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "37bf0b54-5136-49e7-82c8-58f85d42b333", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": null, + "replyToNickname": null, + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": true, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": null, + "clicktimeProtection": null, + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "a7b57135b3d89dba6755b0234ad40a13", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Domain Impersonation", + "Sender Reputation" + ], + "reasons_by_category": { + "Email Headers": [ + { + 
"short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ], + "Domain Impersonation": [ + { + "short_text": "SPF check failed when checking sending IP: 10.10.10.10 for domain avtestqa.com", + "full_text": "The email 'from' address doesn't pass the SPF-check" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "108.677335", + "securityResultEntityId": "a7b57135b3d89dba6755b0234ad40a13", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "clean" + } + ], + "dlp": null, + "clicktimeProtection": null, + "shadowIt": [ + { + "entityId": "a7b57135b3d89dba6755b0234ad40a13", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "aut_clean_prod3_17__070823_01_18_28_801633", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "a7b57135b3d89dba6755b0234ad40a13", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "83061da7291971bc23d3911341a70da7", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T01:19:41.328852Z", + "entityUpdated": "2023-08-07T01:19:45.529883Z", + "entityActionState": null + }, + "entityPayload": { + "internetMessageId": "0.6796415769381349Automation@avtestqa.com", + "subject": 
"aut_clean_prod3_17__070823_01_10_29_199799", + "received": "2023-08-05T17:14:47.564045Z", + "size": null, + "emailLinks": [], + "attachmentCount": 0, + "attachments": [], + "mode": "monitor", + "recipients": [ + "user2@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user2@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": null, + "replyToNickname": null, + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": null, + "SpfResult": null, + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": null, + "clicktimeProtection": null, + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "83061da7291971bc23d3911341a70da7", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Sender Reputation" + ], + "reasons_by_category": { + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "59.53873", + "securityResultEntityId": "83061da7291971bc23d3911341a70da7", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "clean" + } + ], + 
"dlp": null, + "clicktimeProtection": null, + "shadowIt": [ + { + "entityId": "83061da7291971bc23d3911341a70da7", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "aut_clean_prod3_17__070823_01_10_29_199799", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "83061da7291971bc23d3911341a70da7", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "956c09c2f46bbbb06df0a7521e9e924a", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T01:21:22.980805Z", + "entityUpdated": "2023-08-07T01:21:33.622809Z", + "entityActionState": "links_replaced" + }, + "entityPayload": { + "internetMessageId": "<00000000.00000000000000.00000000000000.00000000@mail.example.com>", + "subject": "AUT-clicktime-qa-1-whitelist_070823_04_21_17_055759", + "received": "2023-08-07T01:21:18Z", + "size": null, + "emailLinks": [ + "http://www.xvirb-malwareavrad.com" + ], + "attachmentCount": 0, + "attachments": [], + "mode": "inline", + "recipients": [ + "user2@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user2@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": "Automation@avtestqa.com", + "replyToNickname": "", + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": false, + 
"isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": "clean", + "clicktimeProtection": "links_replaced", + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "956c09c2f46bbbb06df0a7521e9e924a", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Sender Reputation", + "Links" + ], + "reasons_by_category": { + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ], + "Links": [ + { + "short_text": "Link to a low-traffic site", + "full_text": "The email contains link to low-traffic web-sites - often indicating low-trust domains" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "148.308417", + "securityResultEntityId": "956c09c2f46bbbb06df0a7521e9e924a", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "clean" + } + ], + "dlp": [ + { + "entityId": "956c09c2f46bbbb06df0a7521e9e924a", + "entityType": "office365_emails_email", + "payload": { + "matches_dlp_rules": [], + "found_text": [], + "scan_details": [], + "hit_count": 0 + }, + "score": "0", + "securityResultEntityId": "956c09c2f46bbbb06df0a7521e9e924a", + "securityResultEntityType": "avanan_dlp", + "statusCode": "0", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "clicktimeProtection": [ + { + "entityId": 
"956c09c2f46bbbb06df0a7521e9e924a", + "entityType": "office365_emails_email", + "payload": null, + "score": "0", + "securityResultEntityId": "956c09c2f46bbbb06df0a7521e9e924a", + "securityResultEntityType": "clicktime_protection_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "links_replaced" + } + ], + "shadowIt": [ + { + "entityId": "956c09c2f46bbbb06df0a7521e9e924a", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "AUT-clicktime-qa-1-whitelist_070823_04_21_17_055759", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "956c09c2f46bbbb06df0a7521e9e924a", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [ + { + "entityActionName": "body_change", + "entityActionDate": "2023-08-07T01:21:22.980805Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "body_changed" + }, + { + "entityActionName": "links_replace", + "entityActionDate": "2023-08-07T01:21:22.980805Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "links_replaced" + } + ], + "entityAvailableActions": [] + }, + { + "entityInfo": { + "entityId": "4329568f02e82eafdf288e652fe3fb4a", + "customerId": "prod-3-con-lab44", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-08-07T01:21:23.191075Z", + "entityUpdated": "2023-08-07T01:24:46.410148Z", + "entityActionState": "links_replaced" + }, + "entityPayload": { + "internetMessageId": "<00000000.00000000000000.00000000000000.00000000@mail.example.com>", + "subject": "AUT-clicktime-qa-1-blacklist_070823_04_21_17_393872", + "received": "2023-08-07T01:21:18Z", + "size": null, + "emailLinks": [ + "https://facebook.com" + ], + "attachmentCount": 0, + "attachments": [], + "mode": 
"inline", + "recipients": [ + "user2@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user2@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "04df0456-6328-4cfe-a285-e41e3d035e9e", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": "Automation@avtestqa.com", + "replyToNickname": "", + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": "clean", + "clicktimeProtection": "malicious_url", + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "4329568f02e82eafdf288e652fe3fb4a", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category_list": [ + "Email Headers", + "Sender Reputation" + ], + "reasons_by_category": { + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "52.964422", + "securityResultEntityId": "4329568f02e82eafdf288e652fe3fb4a", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + 
"verdict": "clean" + } + ], + "dlp": [ + { + "entityId": "4329568f02e82eafdf288e652fe3fb4a", + "entityType": "office365_emails_email", + "payload": { + "matches_dlp_rules": [], + "found_text": [], + "scan_details": [], + "hit_count": 0 + }, + "score": "0", + "securityResultEntityId": "4329568f02e82eafdf288e652fe3fb4a", + "securityResultEntityType": "avanan_dlp", + "statusCode": "0", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "clicktimeProtection": [ + { + "entityId": "4329568f02e82eafdf288e652fe3fb4a", + "entityType": "office365_emails_email", + "payload": null, + "score": "0", + "securityResultEntityId": "4329568f02e82eafdf288e652fe3fb4a", + "securityResultEntityType": "clicktime_protection_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "malicious_url" + } + ], + "shadowIt": [ + { + "entityId": "4329568f02e82eafdf288e652fe3fb4a", + "entityType": "office365_emails_email", + "payload": { + "subject": "AUT-clicktime-qa-1-blacklist_070823_04_21_17_393872", + "from": "Automation@avtestqa.com", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "4329568f02e82eafdf288e652fe3fb4a", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [ + { + "entityActionName": "body_change", + "entityActionDate": "2023-08-07T01:21:23.191075Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "body_changed" + }, + { + "entityActionName": "links_replace", + "entityActionDate": "2023-08-07T01:21:23.191075Z", + "entityActionResponseCode": null, + "entityActionResponseText": null, + "entityActionState": "links_replaced" + } + ], + "entityAvailableActions": [] + } + ] +} \ No newline at end of file 
diff --git a/Packs/CheckPointHEC/Integrations/CheckPointHEC/test_data/checkpointhec-send_action.json b/Packs/CheckPointHEC/Integrations/CheckPointHEC/test_data/checkpointhec-send_action.json
new file mode 100644
index 000000000000..cc82c73d381e
--- /dev/null
+++ b/Packs/CheckPointHEC/Integrations/CheckPointHEC/test_data/checkpointhec-send_action.json
@@ -0,0 +1,16 @@
+{
+ "responseEnvelope": {
+ "requestId": "e5d1ca37-f789-4115-933c-fce0708cd446",
+ "responseCode": 200,
+ "responseText": "",
+ "additionalText": "",
+ "recordsNumber": 1,
+ "scrollId": ""
+ },
+ "responseData": [
+ {
+ "entityId": "00000000000000000000000000000002",
+ "taskId": "1691525788820900"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Packs/CheckPointHEC/Integrations/CheckPointHEC/test_data/checkpointhec-test_api.json b/Packs/CheckPointHEC/Integrations/CheckPointHEC/test_data/checkpointhec-test_api.json
new file mode 100644
index 000000000000..0287aedde69e
--- /dev/null
+++ b/Packs/CheckPointHEC/Integrations/CheckPointHEC/test_data/checkpointhec-test_api.json
@@ -0,0 +1,3 @@
+{
+ "ok": true
+}
diff --git a/Packs/CheckPointHEC/Layouts/layoutscontainer-CheckPointHEC_Security_Event_Layout.json b/Packs/CheckPointHEC/Layouts/layoutscontainer-CheckPointHEC_Security_Event_Layout.json
index 7281c3815903..514597fd4bf0
--- a/Packs/CheckPointHEC/Layouts/layoutscontainer-CheckPointHEC_Security_Event_Layout.json
+++ b/Packs/CheckPointHEC/Layouts/layoutscontainer-CheckPointHEC_Security_Event_Layout.json
@@ -1,413 +1,817 @@ { - "description": "CheckPointHEC Incidents Layout", - "detailsV2": { - "tabs": [ - { - "id": "summary", - "name": "Legacy Summary", - "type": "summary" - }, - { - "hidden": false, - "id": "u9xzifnfzu", - "name": "Check Point Info", - "sections": [ - { - "displayType": "CARD", - "h": 2, - "hideName": false, - "i": "u9xzifnfzu-caseinfoid-8da75b40-1f89-11ee-a584-e72e916fb060", - "items": [ - { - "endCol": 2, - "fieldId": "checkpointheccustomer", - "height": 53, - "id": "a4340fc0-1f89-11ee-a584-e72e916fb060", - "index": 0, - "sectionItemType": "field", - "startCol": 0 - }, - { - "endCol": 2, - "fieldId": "checkpointhecsaas", - "height": 53, - "id": "aaa2ca40-1f89-11ee-a584-e72e916fb060", - "index": 1, - "sectionItemType": "field", - "startCol": 0 - }, - { - "dropEffect": "move", - "endCol": 2, - "fieldId": "state", - "height": 53, - "id": "b0885790-1f89-11ee-a584-e72e916fb060", - "index": 2, - "listId": "u9xzifnfzu-caseinfoid-8da75b40-1f89-11ee-a584-e72e916fb060", - "sectionItemType": "field", - "startCol": 0 - }, - { - "dropEffect": "move", - "endCol": 4, - "fieldId": "checkpointhectype", - "height": 53, - "id": "a89b1360-1f89-11ee-a584-e72e916fb060", - "index": 0, - "listId": "u9xzifnfzu-caseinfoid-8da75b40-1f89-11ee-a584-e72e916fb060", - "sectionItemType": "field", - "startCol": 2 - }, - { - "endCol": 4, - "fieldId": "checkpointhecentity", - "height": 53, - "id": "7405be00-202b-11ee-b262-3763e4f7e303", - "index": 1, - "sectionItemType": "field", - "startCol": 2 - } - ], - "maxW": 3, - "minH": 1, - "moved": false, - "name": "Security Event Info", - "static": false, - "w": 2, - "x": 0, - "y": 0 - } - ], - "type": "custom" - }, - { - "id": "caseinfoid", - "name": "Incident Info", - "sections": [ - { - "displayType": "ROW", - "h": 2, - "i": "caseinfoid-fce71720-98b0-11e9-97d7-ed26ef9e46c8", - "isVisible": true, - "items": [ - { - "endCol": 2, - "fieldId": "type", - "height": 22, - "id": "incident-type-field", - "index": 0, - "sectionItemType": 
"field", - "startCol": 0 - }, - { - "endCol": 2, - "fieldId": "severity", - "height": 22, - "id": "incident-severity-field", - "index": 1, - "sectionItemType": "field", - "startCol": 0 - }, - { - "endCol": 2, - "fieldId": "owner", - "height": 22, - "id": "incident-owner-field", - "index": 2, - "sectionItemType": "field", - "startCol": 0 - }, - { - "endCol": 2, - "fieldId": "sourcebrand", - "height": 22, - "id": "incident-sourceBrand-field", - "index": 4, - "sectionItemType": "field", - "startCol": 0 - }, - { - "endCol": 2, - "fieldId": "sourceinstance", - "height": 22, - "id": "incident-sourceInstance-field", - "index": 5, - "sectionItemType": "field", - "startCol": 0 - }, - { - "endCol": 2, - "fieldId": "playbookid", - "height": 22, - "id": "incident-playbookId-field", - "index": 6, - "sectionItemType": "field", - "startCol": 0 - } - ], - "maxW": 3, - "moved": false, - "name": "Case Details", - "static": false, - "w": 1, - "x": 0, - "y": 0 - }, - { - "h": 2, - "i": "caseinfoid-61263cc0-98b1-11e9-97d7-ed26ef9e46c8", - "maxW": 3, - "moved": false, - "name": "Notes", - "static": false, - "type": "notes", - "w": 1, - "x": 2, - "y": 0 - }, - { - "displayType": "ROW", - "h": 2, - "i": "caseinfoid-6aabad20-98b1-11e9-97d7-ed26ef9e46c8", - "maxW": 3, - "moved": false, - "name": "Work Plan", - "static": false, - "type": "workplan", - "w": 1, - "x": 1, - "y": 0 - }, - { - "displayType": "ROW", - "h": 2, - "i": "caseinfoid-770ec200-98b1-11e9-97d7-ed26ef9e46c8", - "isVisible": true, - "maxW": 3, - "moved": false, - "name": "Linked Incidents", - "static": false, - "type": "linkedIncidents", - "w": 1, - "x": 1, - "y": 6 - }, - { - "displayType": "ROW", - "h": 2, - "i": "caseinfoid-842632c0-98b1-11e9-97d7-ed26ef9e46c8", - "maxW": 3, - "moved": false, - "name": "Child Incidents", - "static": false, - "type": "childInv", - "w": 1, - "x": 2, - "y": 4 - }, - { - "displayType": "ROW", - "h": 2, - "i": "caseinfoid-4a31afa0-98ba-11e9-a519-93a53c759fe0", - "maxW": 3, - "moved": false, - 
"name": "Evidence", - "static": false, - "type": "evidence", - "w": 1, - "x": 2, - "y": 2 - }, - { - "displayType": "ROW", - "h": 2, - "hideName": false, - "i": "caseinfoid-7717e580-9bed-11e9-9a3f-8b4b2158e260", - "maxW": 3, - "moved": false, - "name": "Team Members", - "static": false, - "type": "team", - "w": 1, - "x": 2, - "y": 6 - }, - { - "displayType": "ROW", - "h": 2, - "i": "caseinfoid-7ce69dd0-a07f-11e9-936c-5395a1acf11e", - "maxW": 3, - "moved": false, - "name": "Indicators", - "query": "", - "queryType": "input", - "static": false, - "type": "indicators", - "w": 2, - "x": 0, - "y": 4 - }, - { - "displayType": "CARD", - "h": 2, - "i": "caseinfoid-ac32f620-a0b0-11e9-b27f-13ae1773d289", - "items": [ - { - "endCol": 1, - "fieldId": "occurred", - "height": 22, - "id": "incident-occurred-field", - "index": 0, - "sectionItemType": "field", - "startCol": 0 - }, - { - "endCol": 1, - "fieldId": "dbotmodified", - "height": 22, - "id": "incident-modified-field", - "index": 1, - "sectionItemType": "field", - "startCol": 0 - }, - { - "endCol": 2, - "fieldId": "dbotduedate", - "height": 22, - "id": "incident-dueDate-field", - "index": 2, - "sectionItemType": "field", - "startCol": 0 - }, - { - "endCol": 2, - "fieldId": "dbotcreated", - "height": 22, - "id": "incident-created-field", - "index": 0, - "sectionItemType": "field", - "startCol": 1 - }, - { - "endCol": 2, - "fieldId": "dbotclosed", - "height": 22, - "id": "incident-closed-field", - "index": 1, - "sectionItemType": "field", - "startCol": 1 - } - ], - "maxW": 3, - "moved": false, - "name": "Timeline Information", - "static": false, - "w": 1, - "x": 1, - "y": 2 - }, - { - "displayType": "ROW", - "h": 2, - "i": "caseinfoid-88e6bf70-a0b1-11e9-b27f-13ae1773d289", - "isVisible": true, - "items": [ - { - "endCol": 2, - "fieldId": "dbotclosed", - "height": 22, - "id": "incident-dbotClosed-field", - "index": 0, - "sectionItemType": "field", - "startCol": 0 - }, - { - "endCol": 2, - "fieldId": "closereason", - "height": 
22, - "id": "incident-closeReason-field", - "index": 1, - "sectionItemType": "field", - "startCol": 0 - }, - { - "endCol": 2, - "fieldId": "closenotes", - "height": 22, - "id": "incident-closeNotes-field", - "index": 2, - "sectionItemType": "field", - "startCol": 0 - } - ], - "maxW": 3, - "moved": false, - "name": "Closing Information", - "static": false, - "w": 1, - "x": 0, - "y": 6 - }, - { - "displayType": "CARD", - "h": 2, - "i": "caseinfoid-e54b1770-a0b1-11e9-b27f-13ae1773d289", - "isVisible": true, - "items": [ - { - "endCol": 2, - "fieldId": "details", - "height": 22, - "id": "incident-details-field", - "index": 0, - "sectionItemType": "field", - "startCol": 0 - } - ], - "maxW": 3, - "moved": false, - "name": "Investigation Data", - "static": false, - "w": 1, - "x": 0, - "y": 2 - } - ], - "type": "custom" - }, - { - "id": "warRoom", - "name": "War Room", - "type": "warRoom" - }, - { - "id": "workPlan", - "name": "Work Plan", - "type": "workPlan" - }, - { - "id": "evidenceBoard", - "name": "Evidence Board", - "type": "evidenceBoard" - }, - { - "id": "relatedIncidents", - "name": "Related Incidents", - "type": "relatedIncidents" - }, - { - "id": "canvas", - "name": "Canvas", - "type": "canvas" - } - ] - }, - "group": "incident", - "id": "CheckPointHEC Security Event Layout", + "description": "Check Point HEC Incidents Layout", + "detailsV2": { + "tabs": [ + { + "id": "summary", + "name": "Legacy Summary", + "type": "summary" + }, + { + "hidden": false, + "id": "zsgh4yoppk", + "name": "Check Point HEC Info", + "sections": [ + { + "displayType": "CARD", + "h": 3, + "hideName": false, + "i": "zsgh4yoppk-caseinfoid-e3d26b30-30a1-11ee-a2f1-bb0fdfd31f7a", + "items": [ + { + "dropEffect": "move", + "endCol": 2, + "fieldId": "checkpointhecfarm", + "height": 53, + "id": "bc5fbb10-362e-11ee-b944-c7997e9b1fa5", + "index": 0, + "listId": "zsgh4yoppk-caseinfoid-e3d26b30-30a1-11ee-a2f1-bb0fdfd31f7a", + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + 
"fieldId": "checkpointheccustomer", + "height": 53, + "id": "e7844fa0-30a1-11ee-a2f1-bb0fdfd31f7a", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "dropEffect": "move", + "endCol": 2, + "fieldId": "checkpointhecsaas", + "height": 53, + "id": "ec22de00-30a1-11ee-a2f1-bb0fdfd31f7a", + "index": 2, + "listId": "zsgh4yoppk-caseinfoid-e3d26b30-30a1-11ee-a2f1-bb0fdfd31f7a", + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "checkpointhectype", + "height": 53, + "id": "f6421d60-30a1-11ee-a2f1-bb0fdfd31f7a", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "state", + "height": 53, + "id": "ce02f060-357c-11ee-b33b-21e4a1f3ca81", + "index": 4, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Security Event Info", + "static": false, + "w": 2, + "x": 0, + "y": 0 + }, + { + "h": 3, + "i": "zsgh4yoppk-28abc140-3302-11ee-ae75-252a1de5d493", + "items": [], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Email Info", + "query": "ShowCPEmailInfo", + "queryType": "script", + "static": false, + "type": "dynamic", + "w": 3, + "x": 0, + "y": 3 + }, + { + "displayType": "CARD", + "h": 3, + "hideItemTitleOnlyOne": false, + "hideName": false, + "i": "zsgh4yoppk-722daf70-3570-11ee-b33b-21e4a1f3ca81", + "items": [ + { + "args": { + "action": { + "simple": "quarantine" + }, + "customer": { + "complex": { + "accessor": "checkpointheccustomer", + "filters": [], + "root": "incident", + "transformers": [] + } + }, + "entity": { + "complex": { + "accessor": "checkpointhecentity", + "filters": [], + "root": "incident", + "transformers": [] + } + }, + "farm": { + "complex": { + "accessor": "checkpointhecfarm", + "filters": [], + "root": "incident", + "transformers": [] + } + } + }, + "buttonClass": "warning", + "dropEffect": "move", + "endCol": 2, + "fieldId": "", + "filters": [ + [ + { + "ignoreCase": false, + "left": { + 
"isContext": true, + "value": { + "simple": "state" + } + }, + "operator": "isEqualString", + "right": { + "isContext": false, + "value": { + "simple": "new" + } + }, + "type": "shortText" + } + ], + [ + { + "ignoreCase": false, + "left": { + "isContext": true, + "value": { + "simple": "checkpointhectask" + } + }, + "operator": "isEmpty", + "right": null, + "type": "shortText" + } + ] + ], + "height": 53, + "id": "c7f88c20-323e-11ee-a6a3-6fc59c892e47", + "index": 0, + "listId": "zsgh4yoppk-caseinfoid-cd39e4f0-30a3-11ee-a2f1-bb0fdfd31f7a", + "name": "Quarantine Email", + "scriptId": "SendCPAction", + "sectionItemType": "button", + "startCol": 0 + }, + { + "args": { + "action": { + "simple": "restore" + }, + "customer": { + "complex": { + "accessor": "checkpointheccustomer", + "filters": [], + "root": "incident", + "transformers": [] + } + }, + "entity": { + "complex": { + "accessor": "checkpointhecentity", + "filters": [], + "root": "incident", + "transformers": [] + } + }, + "farm": { + "complex": { + "accessor": "checkpointhecfarm", + "filters": [], + "root": "incident", + "transformers": [] + } + } + }, + "buttonClass": "success", + "dropEffect": "move", + "endCol": 2, + "fieldId": "", + "filters": [ + [ + { + "ignoreCase": false, + "left": { + "isContext": true, + "value": { + "simple": "state" + } + }, + "operator": "isEqualString", + "right": { + "isContext": false, + "value": { + "simple": "remediated" + } + }, + "type": "shortText" + } + ], + [ + { + "ignoreCase": false, + "left": { + "isContext": true, + "value": { + "simple": "checkpointhectask" + } + }, + "operator": "isEmpty", + "right": null, + "type": "shortText" + } + ] + ], + "height": 53, + "id": "680e2530-323f-11ee-a6a3-6fc59c892e47", + "index": 1, + "listId": "zsgh4yoppk-722daf70-3570-11ee-b33b-21e4a1f3ca81", + "name": "Release from Quarantine", + "scriptId": "SendCPAction", + "sectionItemType": "button", + "startCol": 0 + }, + { + "args": { + "customer": { + "complex": { + "accessor": 
"checkpointheccustomer", + "filters": [], + "root": "incident", + "transformers": [] + } + }, + "farm": { + "complex": { + "accessor": "checkpointhecfarm", + "filters": [], + "root": "incident", + "transformers": [] + } + }, + "task": { + "complex": { + "accessor": "checkpointhectask", + "filters": [], + "root": "incident", + "transformers": [] + } + } + }, + "buttonClass": "primary", + "endCol": 2, + "fieldId": "", + "filters": [ + [ + { + "ignoreCase": false, + "left": { + "isContext": true, + "value": { + "simple": "checkpointhectask" + } + }, + "operator": "isNotEmpty", + "right": null, + "type": "shortText" + } + ] + ], + "height": 53, + "id": "abaa10c0-3635-11ee-b944-c7997e9b1fa5", + "index": 2, + "name": "Get Action Result", + "scriptId": "CheckPointHEC|||checkpointhec-get-action-result", + "sectionItemType": "button", + "startCol": 0 + }, + { + "args": {}, + "endCol": 2, + "fieldId": "", + "filters": [ + [ + { + "ignoreCase": false, + "left": { + "isContext": true, + "value": { + "simple": "checkpointhectype" + } + }, + "operator": "isEqualString", + "right": { + "isContext": false, + "value": { + "simple": "alert" + } + }, + "type": "shortText" + } + ], + [ + { + "ignoreCase": false, + "left": { + "isContext": true, + "value": { + "simple": "checkpointheccampaigntask" + } + }, + "operator": "isEmpty", + "right": null, + "type": "shortText" + } + ] + ], + "height": 53, + "id": "c412e950-3245-11ee-a6a3-6fc59c892e47", + "index": 3, + "name": "Run Phishing Campaign", + "scriptId": "RunCPPhishingCampaign", + "sectionItemType": "button", + "startCol": 0 + }, + { + "args": { + "customer": { + "complex": { + "accessor": "checkpointheccustomer", + "filters": [], + "root": "incident", + "transformers": [] + } + }, + "farm": { + "complex": { + "accessor": "checkpointhecfarm", + "filters": [], + "root": "incident", + "transformers": [] + } + }, + "task": { + "complex": { + "accessor": "checkpointheccampaigntask", + "filters": [], + "root": "incident", + 
"transformers": [] + } + } + }, + "buttonClass": "primary", + "endCol": 2, + "fieldId": "", + "filters": [ + [ + { + "ignoreCase": false, + "left": { + "isContext": true, + "value": { + "simple": "checkpointheccampaigntask" + } + }, + "operator": "isNotEmpty", + "right": null, + "type": "shortText" + } + ] + ], + "height": 53, + "id": "d46a3d40-4806-11ee-8b3e-2fd74623537f", + "index": 4, + "name": "Get Campaign Result", + "scriptId": "CheckPointHEC|||checkpointhec-get-action-result", + "sectionItemType": "button", + "startCol": 0 + }, + { + "args": { + "entity": { + "complex": { + "accessor": "checkpointhecentity", + "filters": [], + "root": "incident", + "transformers": [] + } + } + }, + "buttonClass": "error", + "endCol": 2, + "fieldId": "", + "filters": [ + [ + { + "ignoreCase": false, + "left": { + "isContext": true, + "value": { + "simple": "checkpointhectype" + } + }, + "operator": "isNotEqualString", + "right": { + "isContext": false, + "value": { + "simple": "alert" + } + }, + "type": "shortText" + } + ] + ], + "height": 53, + "id": "4754b380-3452-11ee-972b-17833fbd34fb", + "index": 5, + "name": "Send Warning", + "scriptId": "CheckPointHEC|||checkpointhec-send-notification", + "sectionItemType": "button", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Email Actions", + "static": false, + "w": 1, + "wrapLabels": false, + "x": 2, + "y": 0 + }, + { + "h": 3, + "i": "zsgh4yoppk-8e43d870-3579-11ee-b33b-21e4a1f3ca81", + "items": [], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Scan Info", + "query": "ShowCPScanInfo", + "queryType": "script", + "static": false, + "type": "dynamic", + "w": 3, + "x": 0, + "y": 6 + } + ], + "type": "custom" + }, + { + "id": "caseinfoid", + "name": "Incident Info", + "sections": [ + { + "displayType": "ROW", + "h": 2, + "i": "zsgh4yoppk-caseinfoid-fce71720-98b0-11e9-97d7-ed26ef9e46c8", + "isVisible": true, + "items": [ + { + "endCol": 2, + "fieldId": "type", + "height": 22, + "id": 
"incident-type-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "severity", + "height": 22, + "id": "incident-severity-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "owner", + "height": 22, + "id": "incident-owner-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "sourcebrand", + "height": 22, + "id": "incident-sourceBrand-field", + "index": 4, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "sourceinstance", + "height": 22, + "id": "incident-sourceInstance-field", + "index": 5, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "playbookid", + "height": 22, + "id": "incident-playbookId-field", + "index": 6, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "moved": false, + "name": "Case Details", + "static": false, + "w": 1, + "x": 0, + "y": 0 + }, + { + "h": 2, + "i": "zsgh4yoppk-caseinfoid-61263cc0-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, + "moved": false, + "name": "Notes", + "static": false, + "type": "notes", + "w": 1, + "x": 2, + "y": 0 + }, + { + "displayType": "ROW", + "h": 2, + "i": "zsgh4yoppk-caseinfoid-6aabad20-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, + "moved": false, + "name": "Work Plan", + "static": false, + "type": "workplan", + "w": 1, + "x": 1, + "y": 0 + }, + { + "displayType": "ROW", + "h": 2, + "i": "zsgh4yoppk-caseinfoid-770ec200-98b1-11e9-97d7-ed26ef9e46c8", + "isVisible": true, + "maxW": 3, + "moved": false, + "name": "Linked Incidents", + "static": false, + "type": "linkedIncidents", + "w": 1, + "x": 1, + "y": 6 + }, + { + "displayType": "ROW", + "h": 2, + "i": "zsgh4yoppk-caseinfoid-842632c0-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, + "moved": false, + "name": "Child Incidents", + "static": false, + "type": "childInv", + "w": 1, + "x": 2, + "y": 4 + }, + { + "displayType": "ROW", 
+ "h": 2, + "i": "zsgh4yoppk-caseinfoid-4a31afa0-98ba-11e9-a519-93a53c759fe0", + "maxW": 3, + "moved": false, + "name": "Evidence", + "static": false, + "type": "evidence", + "w": 1, + "x": 2, + "y": 2 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "zsgh4yoppk-caseinfoid-7717e580-9bed-11e9-9a3f-8b4b2158e260", + "maxW": 3, + "moved": false, + "name": "Team Members", + "static": false, + "type": "team", + "w": 1, + "x": 2, + "y": 6 + }, + { + "displayType": "ROW", + "h": 2, + "i": "zsgh4yoppk-caseinfoid-7ce69dd0-a07f-11e9-936c-5395a1acf11e", + "maxW": 3, + "moved": false, + "name": "Indicators", + "query": "", + "queryType": "input", + "static": false, + "type": "indicators", + "w": 2, + "x": 0, + "y": 4 + }, + { + "displayType": "CARD", + "h": 2, + "i": "zsgh4yoppk-caseinfoid-ac32f620-a0b0-11e9-b27f-13ae1773d289", + "items": [ + { + "endCol": 1, + "fieldId": "occurred", + "height": 22, + "id": "incident-occurred-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 1, + "fieldId": "dbotmodified", + "height": 22, + "id": "incident-modified-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "dbotduedate", + "height": 22, + "id": "incident-dueDate-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "dbotcreated", + "height": 22, + "id": "incident-created-field", + "index": 0, + "sectionItemType": "field", + "startCol": 1 + }, + { + "endCol": 2, + "fieldId": "dbotclosed", + "height": 22, + "id": "incident-closed-field", + "index": 1, + "sectionItemType": "field", + "startCol": 1 + } + ], + "maxW": 3, + "moved": false, + "name": "Timeline Information", + "static": false, + "w": 1, + "x": 0, + "y": 2 + }, + { + "displayType": "ROW", + "h": 2, + "i": "zsgh4yoppk-caseinfoid-88e6bf70-a0b1-11e9-b27f-13ae1773d289", + "isVisible": true, + "items": [ + { + "endCol": 2, + "fieldId": "dbotclosed", + "height": 22, + 
"id": "incident-dbotClosed-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "closereason", + "height": 22, + "id": "incident-closeReason-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "closenotes", + "height": 22, + "id": "incident-closeNotes-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "moved": false, + "name": "Closing Information", + "static": false, + "w": 1, + "x": 0, + "y": 6 + }, + { + "displayType": "CARD", + "h": 2, + "i": "zsgh4yoppk-caseinfoid-e54b1770-a0b1-11e9-b27f-13ae1773d289", + "isVisible": true, + "items": [ + { + "endCol": 2, + "fieldId": "details", + "height": 22, + "id": "incident-details-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "moved": false, + "name": "Investigation Data", + "static": false, + "w": 1, + "x": 1, + "y": 2 + } + ], + "type": "custom" + }, + { + "id": "warRoom", + "name": "War Room", + "type": "warRoom" + }, + { + "id": "workPlan", + "name": "Work Plan", + "type": "workPlan" + }, + { + "id": "evidenceBoard", + "name": "Evidence Board", + "type": "evidenceBoard" + }, + { + "id": "relatedIncidents", + "name": "Related Incidents", + "type": "relatedIncidents" + }, + { + "id": "canvas", + "name": "Canvas", + "type": "canvas" + } + ] + }, + "group": "incident", + "id": "CP HEC Security Event Layout", "marketplaces": [ "xsoar" ], - "name": "CheckPointHEC Security Event Layout", + "name": "CP HEC Security Event Layout", "system": false, "version": -1, "fromVersion": "6.9.0" diff --git a/Packs/CheckPointHEC/ReleaseNotes/1_0_3.md b/Packs/CheckPointHEC/ReleaseNotes/1_0_3.md new file mode 100644 index 000000000000..b284c8764023 --- /dev/null +++ b/Packs/CheckPointHEC/ReleaseNotes/1_0_3.md 
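Review bot: The "Run Phishing Campaign" button is defined with `"args": {}` while the RunCPPhishingCampaign script it calls declares `date_range`, `by_sender` and `by_subject` as required arguments, so the layout relies entirely on the platform prompting the analyst for them at click time (I believe XSOAR does this for missing required args, but it is worth confirming). Since the script quarantines every email the search returns, the layout would be a reasonable place to pin a bounded default such as `"date_range": { "simple": "1 day" }` so the unbounded form is not the path of least resistance. The "Quarantine Email" button also carries a `listId` of `zsgh4yoppk-caseinfoid-cd39e4f0-30a3-11ee-a2f1-bb0fdfd31f7a`, which matches no section `i` in the file; it looks like an editor leftover and could be removed for consistency with the sibling buttons.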
@@ -0,0 +1,67 @@
+
+#### Scripts
+
+##### New: RunCPPhishingCampaign
+
+- New: Search other emails by sender and/or subject and quarantine
+
+##### New: SendCPAction
+
+- New: Send quarantine or restore action and update action task id
+
+##### New: ShowCPEmailInfo
+
+- New: Get email info from Check Point Smart API
+
+##### New: ShowCPScanInfo
+
+- New: Get scan info from Check Point Smart API
+
+
+#### Incident Types
+
+- **CheckPointHEC Security Event**
+
+
+#### Integrations
+
+##### Check Point Harmony Email and Collaboration (HEC)
+
+- Updated the Docker image to: *demisto/python3:3.10.13.72123*.
+- New command to get email info
+- New command to get email scan info
+- New command to search emails by sender and/or subject
+- New command to quarantine/restore emails
+- New command to get the result of the quarantine/restore actions
+- New command to send email notification with the information about if end user was exposed to email
+
+
+#### Incident Fields
+
+- New: **CP HEC Campaign Task**
+
+- **CP HEC Customer**
+
+- New: **CP HEC Email Sender**
+
+- New: **CP HEC Email Subject**
+
+- **CP HEC Entity**
+
+- New: **CP HEC Farm**
+
+- **CP HEC Saas**
+
+- New: **CP HEC Task**
+
+- **CP HEC Type**
+
+
+#### Layouts
+
+##### CP HEC Security Event Layout
+
+- New section with actions for emails
+- New section with email info in table format
+- New section with scan info in JSON format
+
diff --git a/Packs/CheckPointHEC/Scripts/RunCPPhishingCampaign/README.md b/Packs/CheckPointHEC/Scripts/RunCPPhishingCampaign/README.md
new file mode 100644
index 000000000000..072cbb90b0c0
--- /dev/null
+++ b/Packs/CheckPointHEC/Scripts/RunCPPhishingCampaign/README.md
@@ -0,0 +1,25 @@
+Search other emails by sender and/or subject and quarantine
+
+## Script Data
+
+---
+
+| **Name** | **Description** |
+| --- | --- |
+| Script Type | python3 |
+| Cortex XSOAR Version | 6.9.0 |
+
+## Inputs
+
+---
+
+| **Argument Name** | **Description** |
+| --- | --- |
+| date_range | Range to cover from the past |
+| by_sender | Get emails from the same sender |
+| by_subject | Get emails with the same subject |
+
+## Outputs
+
+---
+There are no outputs for this script.
diff --git a/Packs/CheckPointHEC/Scripts/RunCPPhishingCampaign/RunCPPhishingCampaign.py b/Packs/CheckPointHEC/Scripts/RunCPPhishingCampaign/RunCPPhishingCampaign.py
new file mode 100644
index 000000000000..ce7b022cb2ce
--- /dev/null
+++ b/Packs/CheckPointHEC/Scripts/RunCPPhishingCampaign/RunCPPhishingCampaign.py
@@ -0,0 +1,63 @@
+from CommonServerPython import *
+
+
+def search_and_quarantine(farm: str, customer: str, date_range: str, sender: str, subject: str):
+ result = demisto.executeCommand(
+ "checkpointhec-search-emails",
+ {
+ 'date_range': date_range,
+ 'sender': sender,
+ 'subject': subject
+ }
+ )
+ if ids := result[0].get('Contents', {}).get('ids'):
+ result = demisto.executeCommand(
+ "checkpointhec-send-action",
+ {
+ 'farm': farm,
+ 'customer': customer,
+ 'entity': ids,
+ 'action': 'quarantine'
+ }
+ )
+ task = result[0]['Contents']['task']
+ demisto.executeCommand(
+ "setIncident",
+ {
+ 'customFields': json.dumps({
+ 'checkpointheccampaigntask': task
+ })
+ }
+ )
+ return result
+
+
+def main(): # pragma: no cover
+ try:
+ args = demisto.args()
+ date_range = args.get('date_range')
+ by_sender = args.get('by_sender') == 'true'
+ by_subject = args.get('by_subject') == 'true'
+
+ if not by_sender and not by_subject:
+ raise Exception('Need to select at least one option to search for')
+
+ custom_fields = demisto.incident()['CustomFields']
+ sender = subject = ''
+ if by_sender:
+ sender = custom_fields.get('checkpointhecemailsender')
+ if by_subject:
+ subject = custom_fields.get('checkpointhecemailsubject')
+
+ farm = custom_fields.get('checkpointhecfarm')
+ customer = custom_fields.get('checkpointheccustomer')
+ return_results(
+ search_and_quarantine(farm, customer, date_range, sender, subject)
+ )
+ except Exception as ex:
+ demisto.error(traceback.format_exc())
+ return_error(f'Failed to execute BaseScript. Error: {str(ex)}')
+
+
+if __name__ in ('__main__', '__builtin__', 'builtins'): # pragma: no cover
+ main()
diff --git a/Packs/CheckPointHEC/Scripts/RunCPPhishingCampaign/RunCPPhishingCampaign.yml b/Packs/CheckPointHEC/Scripts/RunCPPhishingCampaign/RunCPPhishingCampaign.yml
new file mode 100644
index 000000000000..31b2466cd677
--- /dev/null
+++ b/Packs/CheckPointHEC/Scripts/RunCPPhishingCampaign/RunCPPhishingCampaign.yml
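Review bot: `search_and_quarantine` quarantines whatever `checkpointhec-search-emails` returns without checking that it actually had a search criterion: `main` validates only the `by_sender`/`by_subject` flags, so an incident whose `checkpointhecemailsender` or `checkpointhecemailsubject` field is unset passes `None` or `''` through, and if the integration treats an empty value as "no filter" every email in `date_range` would be quarantined. The command results are also consumed without an error check — a failed command comes back as an error entry whose `Contents` is a string, so `.get('Contents', {}).get('ids')` raises `AttributeError` and `result[0]['Contents']['task']` would index into the message; `isError` and `get_error` from CommonServerPython cover both calls. The `return_error` text in `main` still says `BaseScript` from the template and should name this script: `return_error(f'Failed to execute RunCPPhishingCampaign. Error: {str(ex)}')`. The rewritten lines are below; the three unchanged command dictionaries are elided.
```python
def search_and_quarantine(farm: str, customer: str, date_range: str, sender: str, subject: str):
    # Refuse an unbounded search: with neither criterion the quarantine would cover every email in date_range.
    if not sender and not subject:
        raise ValueError('Need a sender or a subject to search for')
    # … unchanged: checkpointhec-search-emails call into result …
    if isError(result[0]):
        raise DemistoException(get_error(result))
    if ids := result[0].get('Contents', {}).get('ids'):
        # … unchanged: checkpointhec-send-action call into result …
        if isError(result[0]):
            raise DemistoException(get_error(result))
        task = result[0]['Contents']['task']
        # … unchanged: setIncident call …
    return result
```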
@@ -0,0 +1,36 @@
+commonfields:
+ id: RunCPPhishingCampaign
+ version: -1
+name: RunCPPhishingCampaign
+script: ""
+type: python
+tags: []
+comment: Search other emails by sender and/or subject and quarantine
+enabled: true
+args:
+- name: date_range
+ required: true
+ type: String
+ description: Range to cover from the past
+- name: by_sender
+ required: true
+ auto: PREDEFINED
+ predefined:
+ - "false"
+ - "true"
+ description: Get emails from the same sender
+- name: by_subject
+ required: true
+ auto: PREDEFINED
+ predefined:
+ - "false"
+ - "true"
+ description: Get emails with the same subject
+scripttarget: 0
+subtype: python3
+runonce: false
+dockerimage: demisto/python3:3.10.13.72123
+runas: DBotWeakRole
+fromversion: 6.9.0
+tests:
+- No tests (auto formatted)
diff --git a/Packs/CheckPointHEC/Scripts/RunCPPhishingCampaign/RunCPPhishingCampaign_test.py b/Packs/CheckPointHEC/Scripts/RunCPPhishingCampaign/RunCPPhishingCampaign_test.py
new file mode 100644
index 000000000000..b1912440a73a
--- /dev/null
+++ b/Packs/CheckPointHEC/Scripts/RunCPPhishingCampaign/RunCPPhishingCampaign_test.py
@@ -0,0 +1,37 @@
+import demistomock as demisto
+from RunCPPhishingCampaign import search_and_quarantine
+
+FARM = 'mt-rnd-ng-6'
+CUSTOMER = 'avananlab'
+
+
+def test_search_and_quarantine_with_results(mocker):
+ def execute_command(name, args):
+ if name == 'checkpointhec-search-emails':
+ return [{'Contents': {'ids': ['1', '2']}}]
+
+ if name == 'checkpointhec-send-action':
+ return [{'Contents': {'task': 1}}]
+
+ if name == 'setIncident':
+ return [{'Contents': None}]
+
+ raise ValueError(f'Error: Unknown command or command/argument pair: {name} {args!r}')
+
+ mocker.patch.object(demisto, 'executeCommand', side_effect=execute_command)
+
+ result = search_and_quarantine(FARM, CUSTOMER, '1 day', 'a@b.test', '')
+ assert result == [{'Contents': {'task': 1}}]
+
+
+def test_search_and_quarantine_with_no_results(mocker):
+ def execute_command(name, args):
+ if name == 'checkpointhec-search-emails':
+ return [{'Contents': {'ids': []}}]
+
+ raise ValueError(f'Error: Unknown command or command/argument pair: {name} {args!r}')
+
+ mocker.patch.object(demisto, 'executeCommand', side_effect=execute_command)
+
+ result = search_and_quarantine(FARM, CUSTOMER, '1 day', 'a@b.test', '')
+ assert result == [{'Contents': {'ids': []}}]
diff --git a/Packs/CheckPointHEC/Scripts/SendCPAction/README.md b/Packs/CheckPointHEC/Scripts/SendCPAction/README.md
new file mode 100644
index 000000000000..0dc3ce6b65ef
--- /dev/null
+++ b/Packs/CheckPointHEC/Scripts/SendCPAction/README.md
@@ -0,0 +1,33 @@
+Send quarantine or restore action and update action task id
+
+## Script Data
+
+---
+
+| **Name** | **Description** |
+| --- | --- |
+| Script Type | python3 |
+| Cortex XSOAR Version | 6.9.0 |
+
+## Dependencies
+
+---
+This script uses the following commands and scripts.
+
+* checkpointhec-send-action
+
+## Inputs
+
+---
+
+| **Argument Name** | **Description** |
+| --- | --- |
+| farm | Customer farm |
+| customer | Customer portal name |
+| entity | Email entity id |
+| action | Action name |
+
+## Outputs
+
+---
+There are no outputs for this script.
diff --git a/Packs/CheckPointHEC/Scripts/SendCPAction/SendCPAction.py b/Packs/CheckPointHEC/Scripts/SendCPAction/SendCPAction.py
new file mode 100644
index 000000000000..f39b89e6cd5f
--- /dev/null
+++ b/Packs/CheckPointHEC/Scripts/SendCPAction/SendCPAction.py
@@ -0,0 +1,39 @@
+from CommonServerPython import *
+
+
+def send_action_and_update_incident(farm: str, customer: str, entity: str, action: str):
+ result = demisto.executeCommand(
+ "checkpointhec-send-action",
+ {
+ 'farm': farm,
+ 'customer': customer,
+ 'entity': entity,
+ 'action': action,
+ }
+ )
+ demisto.executeCommand(
+ "setIncident",
+ {
+ 'customFields': json.dumps({
+ 'checkpointhectask': result[0]['Contents']['task']
+ })
+ }
+ )
+ return result
+
+
+def main(): # pragma: no cover
+ try:
+ args = demisto.args()
+ farm = args.get('farm')
+ customer = args.get('customer')
+ entity = args.get('entity')
+ action = args.get('action')
+ return_results(send_action_and_update_incident(farm, customer, entity, action))
+ except Exception as ex:
+ demisto.error(traceback.format_exc())
+ return_error(f'Failed to execute BaseScript. Error: {str(ex)}')
+
+
+if __name__ in ('__main__', '__builtin__', 'builtins'): # pragma: no cover
+ main()
diff --git a/Packs/CheckPointHEC/Scripts/SendCPAction/SendCPAction.yml b/Packs/CheckPointHEC/Scripts/SendCPAction/SendCPAction.yml
new file mode 100644
index 000000000000..c9efb6af5c69
--- /dev/null
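Review bot: In send_action_and_update_incident, `result[0]['Contents']['task']` is read straight from the `checkpointhec-send-action` result with no error check, so when the command returns an error entry (whose `Contents` is the error text) the failure surfaces as a TypeError about string indices instead of the API's message, and `setIncident` is skipped with no task recorded. Add `if is_error(result): return_error(get_error(result))` between the two executeCommand calls. main also forwards `action` unvalidated; the `predefined` list in SendCPAction.yml constrains the UI picker but, as far as I can tell, not a caller invoking the script from a playbook task or the CLI, so a guard such as `if action not in ('quarantine', 'restore'): raise ValueError(f'Unsupported action: {action}')` keeps this wrapper from forwarding arbitrary action names to the tenant. A short docstring naming the side effect, e.g. `"""Send `action` for `entity` and store the returned task id in checkpointhectask."""`, would also help the next reader.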
+++ b/Packs/CheckPointHEC/Scripts/SendCPAction/SendCPAction.yml
@@ -0,0 +1,40 @@
+commonfields:
+ id: SendCPAction
+ version: -1
+name: SendCPAction
+script: ""
+type: python
+tags: []
+comment: Send quarantine or restore action and update action task id
+enabled: true
+args:
+- name: farm
+ required: true
+ type: String
+ description: Customer farm
+- name: customer
+ required: true
+ type: String
+ description: Customer portal name
+- name: entity
+ required: true
+ type: String
+ description: Email entity id
+- name: action
+ required: true
+ auto: PREDEFINED
+ predefined:
+ - quarantine
+ - restore
+ description: Action name
+scripttarget: 0
+subtype: python3
+dependson:
+ must:
+ - CheckPointHEC|||checkpointhec-send-action
+runonce: false
+dockerimage: demisto/python3:3.10.13.72123
+runas: DBotWeakRole
+fromversion: 6.9.0
+tests:
+- No tests (auto formatted)
diff --git a/Packs/CheckPointHEC/Scripts/SendCPAction/SendCPAction_test.py b/Packs/CheckPointHEC/Scripts/SendCPAction/SendCPAction_test.py
new file mode 100644
index 000000000000..9cf299915112
--- /dev/null
+++ b/Packs/CheckPointHEC/Scripts/SendCPAction/SendCPAction_test.py
@@ -0,0 +1,21 @@
+import demistomock as demisto
+from SendCPAction import send_action_and_update_incident
+
+FARM = 'mt-rnd-ng-6'
+CUSTOMER = 'avananlab'
+
+
+def test_send_action_and_update_incident(mocker):
+ def execute_command(name, args):
+ if name == 'checkpointhec-send-action':
+ return [{'Contents': {'task': 1}}]
+
+ if name == 'setIncident':
+ return None
+
+ raise ValueError(f'Error: Unknown command or command/argument pair: {name} {args!r}')
+
+ mocker.patch.object(demisto, 'executeCommand', side_effect=execute_command)
+
+ result = send_action_and_update_incident(FARM, CUSTOMER, '0000', 'quarantine')
+ assert result == [{'Contents': {'task': 1}}]
diff --git a/Packs/CheckPointHEC/Scripts/ShowCPEmailInfo/README.md b/Packs/CheckPointHEC/Scripts/ShowCPEmailInfo/README.md
new file mode 100644
index 000000000000..23243dae5e35
--- /dev/null
+++ b/Packs/CheckPointHEC/Scripts/ShowCPEmailInfo/README.md
@@ -0,0 +1,27 @@
+Get email info from Check Point Smart API
+
+## Script Data
+
+---
+
+| **Name** | **Description** |
+| --- | --- |
+| Script Type | python3 |
+| Cortex XSOAR Version | 6.9.0 |
+
+## Dependencies
+
+---
+This script uses the following commands and scripts.
+
+* checkpointhec-get-email-info
+
+## Inputs
+
+---
+There are no inputs for this script.
+
+## Outputs
+
+---
+There are no outputs for this script.
diff --git a/Packs/CheckPointHEC/Scripts/ShowCPEmailInfo/ShowCPEmailInfo.py b/Packs/CheckPointHEC/Scripts/ShowCPEmailInfo/ShowCPEmailInfo.py
new file mode 100644
index 000000000000..10fb7801da06
--- /dev/null
+++ b/Packs/CheckPointHEC/Scripts/ShowCPEmailInfo/ShowCPEmailInfo.py
@@ -0,0 +1,47 @@
+from CommonServerPython import *
+
+
+def get_email_info(entity: str):
+ result = demisto.executeCommand(
+ "checkpointhec-get-email-info",
+ {'entity': entity}
+ )
+ email_info = result[0]['Contents']
+ demisto.executeCommand(
+ "setIncident",
+ {
+ 'customFields': json.dumps({
+ 'checkpointhecemailsender': email_info['fromEmail'],
+ 'checkpointhecemailsubject': email_info['subject']
+ })
+ }
+ )
+ return result
+
+
+def dict_to_md(info: dict) -> str:
+ lines = ['|field|value|', '|-|-|']
+ for key, value in info.items():
+ if value:
+ _value = ', '.join(value) if isinstance(value, list) else value
+ lines.append(f'|{key}|{_value}|')
+ return '\n'.join(lines)
+
+
+def main(): # pragma: no cover
+ try:
+ custom_fields = demisto.incident()['CustomFields']
+ result = get_email_info(custom_fields['checkpointhecentity'])
+ email_info = result[0]['Contents']
+ return_results({
+ 'ContentsFormat': EntryFormat.MARKDOWN,
+ 'Type': EntryType.NOTE,
+ 'Contents': dict_to_md(email_info),
+ })
+ except Exception as ex:
+ demisto.error(traceback.format_exc())
+ return_error(f'Failed to execute BaseScript. Error: {str(ex)}')
+
+
+if __name__ in ('__main__', '__builtin__', 'builtins'): # pragma: no cover
+ main()
diff --git a/Packs/CheckPointHEC/Scripts/ShowCPEmailInfo/ShowCPEmailInfo.yml b/Packs/CheckPointHEC/Scripts/ShowCPEmailInfo/ShowCPEmailInfo.yml
new file mode 100644
index 000000000000..483c61e50f8c
--- /dev/null
+++ b/Packs/CheckPointHEC/Scripts/ShowCPEmailInfo/ShowCPEmailInfo.yml
@@ -0,0 +1,20 @@
+commonfields:
+ id: ShowCPEmailInfo
+ version: -1
+name: ShowCPEmailInfo
+script: '-'
+type: python
+tags: []
+comment: Get email info from Check Point Smart API
+enabled: true
+scripttarget: 0
+subtype: python3
+dependson:
+ must:
+ - CheckPointHEC|||checkpointhec-get-email-info
+runonce: false
+dockerimage: demisto/python3:3.10.13.72123
+runas: DBotWeakRole
+fromversion: 6.9.0
+tests:
+- No tests (auto formatted)
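Review bot: dict_to_md writes `fromEmail`, `subject`, the recipient lists and every other payload value into a markdown table verbatim via `f'|{key}|{_value}|'`; these values come from the suspicious email itself, so a subject containing `|`, a line break or markdown markup breaks the row or renders as markup inside the war-room note. Escape each cell before appending, e.g. `_value = stringEscapeMD(str(_value), escape_multiline=True)` (CommonServerPython helper), or build the note with `tableToMarkdown`, which does the escaping for you. `', '.join(value)` also assumes every list element is a string, so a non-string element would raise a TypeError. In get_email_info, `result[0]['Contents']` is indexed for `fromEmail` and `subject` without an `is_error(result)` check first, so an error entry from `checkpointhec-get-email-info` (whose `Contents` is a string) is reported as a TypeError rather than the API's message; `if is_error(result): return_error(get_error(result))` right after the executeCommand call fixes that.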
diff --git a/Packs/CheckPointHEC/Scripts/ShowCPEmailInfo/ShowCPEmailInfo_test.py b/Packs/CheckPointHEC/Scripts/ShowCPEmailInfo/ShowCPEmailInfo_test.py
new file mode 100644
index 000000000000..7e4bedf5e118
--- /dev/null
+++ b/Packs/CheckPointHEC/Scripts/ShowCPEmailInfo/ShowCPEmailInfo_test.py
@@ -0,0 +1,52 @@
+import json
+
+import demistomock as demisto
+from ShowCPEmailInfo import get_email_info, dict_to_md
+
+
+def util_load_json(path):
+ with open(path, encoding='utf-8') as f:
+ return json.loads(f.read())
+
+
+def test_get_email_info(mocker):
+ mock_response = util_load_json('./test_data/checkpointhec-get_email_info.json')
+
+ def execute_command(name, args):
+ if name == 'checkpointhec-get-email-info':
+ return [{'Contents': mock_response['responseData'][0]['entityPayload']}]
+
+ if name == 'setIncident':
+ return None
+
+ raise ValueError(f'Error: Unknown command or command/argument pair: {name} {args!r}')
+
+ mocked_ec = mocker.patch.object(demisto, 'executeCommand', side_effect=execute_command)
+
+ result = get_email_info('0000')
+ email_info = result[0]['Contents']
+ custom_fields = json.dumps({
+ 'checkpointhecemailsender': email_info['fromEmail'],
+ 'checkpointhecemailsubject': email_info['subject']
+ })
+ assert result == [{'Contents': mock_response['responseData'][0]['entityPayload']}]
+ assert mocked_ec.call_args_list[1][0][0] == 'setIncident'
+ assert mocked_ec.call_args_list[1][0][1] == {'customFields': custom_fields}
+
+
+def test_dict_to_md():
+ mock_response = util_load_json('./test_data/checkpointhec-get_email_info.json')
+ md = dict_to_md(mock_response['responseData'][0]['entityPayload'])
+ lines = [
+ '|field|value|',
+ '|-|-|',
+ '|fromEmail|example@checkpoint.com|',
+ '|to|unicode@avanandevus1.onmicrosoft.com, user1@avanandevus1.onmicrosoft.com|',
+ '|recipients|user1@avanandevus1.onmicrosoft.com, unicode@avanandevus1.onmicrosoft.com|',
+ '|subject|Fw: dnp-split-quarantine-2|',
+ '|received|2022-08-15T21:24:15|',
+ '|isIncoming|True|',
+ '|internetMessageId|<00000000.00000000000000.00000000000000.00000000@mail.example.com>|',
+ '|isUserExposed|True|'
+ ]
+ assert md == '\n'.join(lines)
diff --git a/Packs/CheckPointHEC/Scripts/ShowCPEmailInfo/test_data/checkpointhec-get_email_info.json b/Packs/CheckPointHEC/Scripts/ShowCPEmailInfo/test_data/checkpointhec-get_email_info.json
new file mode 100644
index 000000000000..0fd2f4aaf7c4
--- /dev/null
+++ b/Packs/CheckPointHEC/Scripts/ShowCPEmailInfo/test_data/checkpointhec-get_email_info.json
@@ -0,0 +1,113 @@ +{ + "responseEnvelope": { + "requestId": "b58b1e41-1018-4062-9d1c-bcaeccbfcb93", + "responseCode": 200, + "responseText": "", + "additionalText": "", + "recordsNumber": 1, + "scrollId": "" + }, + "responseData": [ + { + "entityInfo": { + "entityId": "637d86da7bcf42375cb8431d266e3dc3", + "customerId": "fdolab", + "customerOem": "Avanan", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2022-08-15T21:24:27.745655Z", + "entityUpdated": "2022-08-15T21:24:36.979329", + "entityActionState": null + }, + "entityPayload": { + "fromEmail": "example@checkpoint.com", + "to": [ + "unicode@avanandevus1.onmicrosoft.com", + "user1@avanandevus1.onmicrosoft.com" + ], + "replyToEmail": null, + "replyToNickname": null, + "recipients": [ + "user1@avanandevus1.onmicrosoft.com", + "unicode@avanandevus1.onmicrosoft.com" + ], + "subject": "Fw: dnp-split-quarantine-2", + "cc": [], + "bcc": [], + "isRead": null, + "received": "2022-08-15T21:24:15", + "isDeleted": false, + "isIncoming": true, + "isOutgoing": false, + "internetMessageId": "<00000000.00000000000000.00000000000000.00000000@mail.example.com>", + "isUserExposed": true + }, + "entitySecurityResult": { + "combinedVerdict": { + "ap": "phishing", + "dlp": null, + "clicktimeProtection": null, + "shadowIt": "clean", + "av": null + }, + "ap": [ + { + "entityId": "637d86da7bcf42375cb8431d266e3dc3", + "entityType": "office365_emails_email", + "payload": { + "reasons": [], + "reasons_by_category": { + "Links": [ + { + "short_text": "Link to a low-traffic site", + "full_text": "The email contains link to low-traffic web-sites - often indicating low-trust domains" + } + ], + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established 
significant historical reputation with your domain" + } + ] + } + }, + "score": "225.994363", + "securityResultEntityId": "637d86da7bcf42375cb8431d266e3dc3", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "phishing" + } + ], + "dlp": null, + "clicktimeProtection": null, + "shadowIt": [ + { + "entityId": "637d86da7bcf42375cb8431d266e3dc3", + "entityType": "office365_emails_email", + "payload": { + "domain": "", + "subject": "Fw: dnp-split-quarantine-2", + "from": "example@checkpoint.com" + }, + "score": "0", + "securityResultEntityId": "637d86da7bcf42375cb8431d266e3dc3", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": null + }, + "entityActions": [], + "entityAvailableActions": [] + } + ] +} \ No newline at end of file diff --git a/Packs/CheckPointHEC/Scripts/ShowCPScanInfo/README.md b/Packs/CheckPointHEC/Scripts/ShowCPScanInfo/README.md new file mode 100644 index 000000000000..124f846193e9 --- /dev/null +++ b/Packs/CheckPointHEC/Scripts/ShowCPScanInfo/README.md @@ -0,0 +1,27 @@ +Get scan info from Check Point Smart API + +## Script Data + +--- + +| **Name** | **Description** | +| --- | --- | +| Script Type | python3 | +| Cortex XSOAR Version | 6.9.0 | + +## Dependencies + +--- +This script uses the following commands and scripts. + +* checkpointhec-get-scan-info + +## Inputs + +--- +There are no inputs for this script. + +## Outputs + +--- +There are no outputs for this script. diff --git a/Packs/CheckPointHEC/Scripts/ShowCPScanInfo/ShowCPScanInfo.py b/Packs/CheckPointHEC/Scripts/ShowCPScanInfo/ShowCPScanInfo.py new file mode 100644 index 000000000000..f14098884f31 --- /dev/null +++ b/Packs/CheckPointHEC/Scripts/ShowCPScanInfo/ShowCPScanInfo.py 
@@ -0,0 +1,30 @@
+from CommonServerPython import *
+
+
+def get_scan_info(entity: str):
+ return demisto.executeCommand(
+ "checkpointhec-get-scan-info",
+ {'entity': entity}
+ )
+
+
+def main(): # pragma: no cover
+ try:
+ custom_fields = demisto.incident()['CustomFields']
+ result = get_scan_info(custom_fields['checkpointhecentity'])
+ scan_info = result[0]['Contents']
+ for k, v in scan_info.items():
+ scan_info[k] = json.loads(v)
+
+ return_results({
+ 'ContentsFormat': EntryFormat.JSON,
+ 'Type': EntryType.NOTE,
+ 'Contents': json.dumps(scan_info)
+ })
+ except Exception as ex:
+ demisto.error(traceback.format_exc())
+ return_error(f'Failed to execute BaseScript. Error: {str(ex)}')
+
+
+if __name__ in ('__main__', '__builtin__', 'builtins'): # pragma: no cover
+ main()
diff --git a/Packs/CheckPointHEC/Scripts/ShowCPScanInfo/ShowCPScanInfo.yml b/Packs/CheckPointHEC/Scripts/ShowCPScanInfo/ShowCPScanInfo.yml
new file mode 100644
index 000000000000..cf4123f57b28
--- /dev/null
+++ b/Packs/CheckPointHEC/Scripts/ShowCPScanInfo/ShowCPScanInfo.yml
@@ -0,0 +1,20 @@
+commonfields:
+ id: ShowCPScanInfo
+ version: -1
+name: ShowCPScanInfo
+script: '-'
+type: python
+tags: []
+comment: Get scan info from Check Point Smart API
+enabled: true
+scripttarget: 0
+subtype: python3
+dependson:
+ must:
+ - CheckPointHEC|||checkpointhec-get-scan-info
+runonce: false
+dockerimage: demisto/python3:3.10.13.72123
+runas: DBotWeakRole
+fromversion: 6.9.0
+tests:
+- No tests (auto formatted)
diff --git a/Packs/CheckPointHEC/Scripts/ShowCPScanInfo/ShowCPScanInfo_test.py b/Packs/CheckPointHEC/Scripts/ShowCPScanInfo/ShowCPScanInfo_test.py
new file mode 100644
index 000000000000..5454c0af8b1f
--- /dev/null
+++ b/Packs/CheckPointHEC/Scripts/ShowCPScanInfo/ShowCPScanInfo_test.py
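Review bot: main decodes every value of `Contents` with `scan_info[k] = json.loads(v)`, which only works if the integration returns each scan section as a JSON-encoded string; the test added alongside mocks `Contents` as `{'av': [...]}` with a real list, which `json.loads` rejects with a TypeError, so either the fixture or the decode loop does not match the command's actual output, and because main is `# pragma: no cover` the test cannot tell which. Decode defensively, `scan_info[k] = json.loads(v) if isinstance(v, str) else v`, and add `if is_error(result): return_error(get_error(result))` before calling `.items()`, since an error entry's `Contents` is a string and `.items()` would raise AttributeError with a misleading message. A one-line comment on the loop stating the expected shape would also help, e.g. `# each scan section is expected as a JSON string — TODO confirm against checkpointhec-get-scan-info output`.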
@@ -0,0 +1,24 @@
+import json
+
+import demistomock as demisto
+from ShowCPScanInfo import get_scan_info
+
+
+def util_load_json(path):
+ with open(path, encoding='utf-8') as f:
+ return json.loads(f.read())
+
+
+def test_get_scan_info(mocker):
+ mock_response = util_load_json('./test_data/checkpointhec-get_entity.json')
+
+ def execute_command(name, args):
+ if name == 'checkpointhec-get-scan-info':
+ return [{'Contents': {'av': mock_response['responseData'][0]['entitySecurityResult']['av']}}]
+
+ raise ValueError(f'Error: Unknown command or command/argument pair: {name} {args!r}')
+
+ mocker.patch.object(demisto, 'executeCommand', side_effect=execute_command)
+
+ result = get_scan_info('0000')
+ assert result == [{'Contents': {'av': mock_response['responseData'][0]['entitySecurityResult']['av']}}]
diff --git a/Packs/CheckPointHEC/Scripts/ShowCPScanInfo/test_data/checkpointhec-get_entity.json b/Packs/CheckPointHEC/Scripts/ShowCPScanInfo/test_data/checkpointhec-get_entity.json
new file mode 100644
index 000000000000..3b5759ff08bf
--- /dev/null
+++ b/Packs/CheckPointHEC/Scripts/ShowCPScanInfo/test_data/checkpointhec-get_entity.json
@@ -0,0 +1,185 @@ +{ + "responseEnvelope": { + "requestId": "8854aa3a-ef63-49d5-ba63-ec8b667b1a75", + "responseCode": 200, + "responseText": "", + "additionalText": "", + "recordsNumber": 1, + "scrollId": "" + }, + "responseData": [ + { + "entityInfo": { + "entityId": "0ab5b49860cdaa57506769821ddea425", + "customerId": "prod-3-con-lab44", + "saas": "office365_emails", + "saasEntityType": "office365_emails_email", + "entityCreated": "2023-06-30T15:15:06.759583Z", + "entityUpdated": "2023-06-30T15:15:14.074234", + "entityActionState": null + }, + "entityPayload": { + "internetMessageId": "<010001890cdf0d62-8195ad70-a237-4fbc-bbbf-4aaed7a55aa8-000000@email.amazonses.com>", + "subject": "aut_quar_prod3_17__300623_15_14_51_445699", + "received": "2023-06-30T15:14:53Z", + "size": null, + "emailLinks": [], + "attachmentCount": 2, + "attachments": [ + { + "name": "avanan_malicious_33_300623_15_14_51_1688138091.pdf", + "mimetype": "application/pdf", + "size": 2071, + "MD5": "d5e719c11cb2a209c306b06ffff4cd39" + }, + { + "name": "avanan_malicious_1.pdf", + "mimetype": "application/pdf", + "size": 3028, + "MD5": "4b41a3475132bd861b30a878e30aa56a" + } + ], + "mode": "monitor", + "recipients": [ + "user3@avananlab44.onmicrosoft.com" + ], + "fromEmail": "Automation@avtestqa.com", + "fromDomain": "avtestqa.com", + "fromUser": {}, + "fromName": "", + "to": [ + "user3@avananlab44.onmicrosoft.com" + ], + "toUser": [ + { + "entity_id": "1ec5d519-54a5-40fa-9651-19d7286710df", + "entity_type": "office365_emails_user", + "mail": null + } + ], + "cc": [], + "ccUser": [], + "bcc": [], + "bccUser": [], + "replyToEmail": null, + "replyToNickname": null, + "isRead": null, + "isDeleted": false, + "isIncoming": true, + "isInternal": false, + "isOutgoing": false, + "isQuarantined": false, + "isQuarantineNotification": false, + "isRestored": false, + "isRestoreRequested": false, + "isRestoreDeclined": false, + "saasSpamVerdict": "-1", + "SpfResult": "pass", + "restoreRequestTime": null + }, + 
"entitySecurityResult": { + "combinedVerdict": { + "ap": "clean", + "dlp": null, + "clicktimeProtection": null, + "shadowIt": "clean", + "av": "malicious" + }, + "ap": [ + { + "entityId": "0ab5b49860cdaa57506769821ddea425", + "entityType": "office365_emails_email", + "payload": { + "reasons_by_category": { + "Email Headers": [ + { + "short_text": "Missing DMARC", + "full_text": "The email's header suggest that DMARC signature is missing/invalid" + } + ], + "Domain Impersonation": [ + { + "short_text": "SPF check failed when checking sending IP: 10.10.10.10 for domain avtestqa.com", + "full_text": "The email 'from' address doesn't pass the SPF-check" + } + ], + "Sender Reputation": [ + { + "short_text": "Insignificant historical reputation with sender", + "full_text": "The sending email address hasn't established significant historical reputation with your domain" + }, + { + "short_text": "Low-traffic 'From'-domain", + "full_text": "The sender's domain has very low traffic - often indicating low-trust domains" + } + ] + }, + "reasons": [ + "First Time Sender" + ] + }, + "score": "22.119542", + "securityResultEntityId": "0ab5b49860cdaa57506769821ddea425", + "securityResultEntityType": "avanan_ap_scan", + "statusCode": "0", + "statusDescription": null, + "verdict": "clean" + } + ], + "dlp": null, + "clicktimeProtection": null, + "shadowIt": [ + { + "entityId": "0ab5b49860cdaa57506769821ddea425", + "entityType": "office365_emails_email", + "payload": { + "from": "Automation@avtestqa.com", + "subject": "aut_quar_prod3_17__300623_15_14_51_445699", + "domain": "" + }, + "score": "0", + "securityResultEntityId": "0ab5b49860cdaa57506769821ddea425", + "securityResultEntityType": "shadow_it_emails_scan", + "statusCode": "clean", + "statusDescription": "Clean", + "verdict": "clean" + } + ], + "av": [ + { + "entityId": "abc11b586de3efca8e5bf22fe5193edd2b729ba8", + "entityType": "office365_emails_attachment", + "payload": { + "scan_details": [ + "Dummy Core Detection" + ] + }, + 
"score": "100", + "securityResultEntityId": "abc11b586de3efca8e5bf22fe5193edd2b729ba8", + "securityResultEntityType": "checkpoint2", + "statusCode": "0", + "statusDescription": "Dummy Core Detection", + "verdict": "malicious" + }, + { + "entityId": "3aad8378b7edd5a69f6f063280037c2f7379faa8", + "entityType": "office365_emails_attachment", + "payload": { + "scan_details": [ + "Dummy Core Detection" + ] + }, + "score": "100", + "securityResultEntityId": "3aad8378b7edd5a69f6f063280037c2f7379faa8", + "securityResultEntityType": "checkpoint2", + "statusCode": "0", + "statusDescription": "Dummy Core Detection", + "verdict": "malicious" + } + ] + }, + "entityActions": [], + "entityAvailableActions": [] + } + ] +} diff --git a/Packs/CheckPointHEC/pack_metadata.json b/Packs/CheckPointHEC/pack_metadata.json index c08122b10ff0..e11f4182ba9a 100644 --- a/Packs/CheckPointHEC/pack_metadata.json +++ b/Packs/CheckPointHEC/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Check Point Harmony Email and Collaboration (HEC)", "description": "The Best Way to Protect Enterprise Email & Collaboration from phishing, malware, account takeover, data loss, etc.", "support": "partner", - "currentVersion": "1.0.2", + "currentVersion": "1.0.3", "author": "Check Point Harmony Email & Collaboration (HEC)", "url": "https://supportcenter.checkpoint.com/", "email": "EmailSecurity_Support@checkpoint.com",