diff --git a/proofpoint_tap/README.md b/proofpoint_tap/README.md
index 8ba1e3b53493f..efc0898cabb33 100644
--- a/proofpoint_tap/README.md
+++ b/proofpoint_tap/README.md
@@ -1,39 +1,54 @@ -# Agent Check: Proofpoint TAP - ## Overview -This check monitors [Proofpoint TAP][1]. +[Proofpoint TAP (Targeted Attack Protection)][1] is a cybersecurity solution designed to detect, mitigate, and block advanced threats that target people through email. It uses a next-generation email security platform to provide visibility into all email communications. -## Setup +This integration ingests the following logs: -### Installation +- **Click Events**: These logs provide information about user interactions with links in emails, including whether clicks were permitted or blocked, along with associated threat identification. +- **Message Events**: These logs provide information about email messages analyzed by Proofpoint TAP, including detection outcomes, delivery status (such as delivered or blocked), and threat identification. -The Proofpoint TAP check is included in the [Datadog Agent][2] package. -No additional installation is needed on your server. +This integration gathers and forwards above mentioned events to Datadog for seamless analysis. Datadog uses its built-in log pipelines to parse and enrich these logs, facilitating easy search and detailed insights. With preconfigured dashboards, the integration offers clear visibility into activities within the Proofpoint TAP platform. Additionally, it includes ready-to-use Cloud SIEM detection rules for enhanced monitoring and security. + +## Setup -### Configuration +### Generate Service Credentials in Proofpoint TAP -!!! Add list of steps to set up this integration !!! +1. Login to the **Proofpoint TAP** dashboard. +2. Navigate to **Settings > Connected Applications**. +3. Click **Create New Credential**. +4. Name the **new credential set** and click **Generate**. +5. Copy the **Service Principal** and **Secret**. -### Validation +### Connect your Proofpoint TAP Account to Datadog -!!! Add steps to validate integration is functioning as expected !!! +1. Add your Service Principal and Secret. 
+ | Parameters | Description | + | ---------------------------- | ------------------------------------------------------------------------------------------- | + | Service Principal | The Service Principal of your Proofpoint TAP account. | + | Secret | The Secret of your Proofpoint TAP account. | + | Get Click Blocked Events | Control the collection of Click Blocked Events from Proofpoint TAP. Enabled by default. | + | Get Click Permitted Events | Control the collection of Click Permitted Events from Proofpoint TAP. Enabled by default. | + | Get Message Blocked Events | Control the collection of Message Blocked Events from Proofpoint TAP. Enabled by default. | + | Get Message Delivered Events | Control the collection of Message Delivered Events from Proofpoint TAP. Enabled by default. | +2. Click the Save button to save your settings. ## Data Collected +### Logs + +The Proofpoint TAP integration collects and forwards click and message events to Datadog. + ### Metrics -Proofpoint TAP does not include any metrics. +The Proofpoint TAP integration does not include any metrics. ### Events -Proofpoint TAP does not include any events. - -## Troubleshooting +The Proofpoint TAP integration does not include any events. -Need help? Contact [Datadog support][3]. +## Support -[1]: **LINK_TO_INTEGRATION_SITE** -[2]: https://app.datadoghq.com/account/settings/agent/latest -[3]: https://docs.datadoghq.com/help/ +For any further assistance, contact [Datadog support][2]. +[1]: https://www.proofpoint.com/uk/products/advanced-threat-protection/targeted-attack-protection +[2]: https://docs.datadoghq.com/help/ diff --git a/proofpoint_tap/assets/dashboards/proofpoint_tap_clicks_insights.json b/proofpoint_tap/assets/dashboards/proofpoint_tap_clicks_insights.json new file mode 100644 index 0000000000000..edfc90dfa6632 --- /dev/null +++ b/proofpoint_tap/assets/dashboards/proofpoint_tap_clicks_insights.json 
@@ -0,0 +1,1258 @@ +{ + "title": "Proofpoint TAP - Clicks Insights", + "description": "This dashboard provides insights into clicks on malicious URLs, whether they were permitted or blocked.", + "widgets": [ + { + "id": 6795959842001555, + "definition": { + "type": "image", + "url": "https://www.proofpoint.com/sites/default/files/styles/image_auto_200/public/pr/Proofpoint-logo-reg-K.png.webp", + "url_dark_theme": "https://www.proofpoint.com/sites/default/files/styles/image_auto_200/public/pr/Proofpoint-logo-reg-Reversed.png.webp", + "sizing": "contain", + "margin": "md", + "has_background": true, + "has_border": true, + "vertical_align": "center", + "horizontal_align": "center" + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 3 + } + }, + { + "id": 4742521996525905, + "definition": { + "type": "note", + "content": "This dashboard provides insights into clicks on malicious URLs, whether they were permitted or blocked.\n\nFor more information, see the [Proofpoint TAP Documentation](https://docs.datadoghq.com/integrations/proofpoint_tap/).\n\n**Tips**:\n - Use the timeframe selector in the upper-right corner of the dashboard to change the default timeframe.\n - Clone this dashboard to rearrange, modify, and add widgets and visualizations.\n\n", + "background_color": "blue", + "font_size": "14", + "text_align": "left", + "vertical_align": "center", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 6, + "y": 0, + "width": 6, + "height": 3 + } + }, + { + "id": 5154112403406628, + "definition": { + "title": "Total Clicks Permitted", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:proofpoint-tap service:click-permitted $sender_ip $user_email $threat_classification $threat_status $sender_domain $sender $user_ip" + }, + 
"indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_yellow" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "bars", + "yaxis": {} + } + }, + "layout": { + "x": 0, + "y": 3, + "width": 4, + "height": 2 + } + }, + { + "id": 6293676326544140, + "definition": { + "title": "Click Events Over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Total Clicks", + "style": { + "palette": "dd20", + "palette_index": 16 + }, + "formula": "query1" + }, + { + "alias": "Clicks Permitted", + "style": { + "palette": "dd20", + "palette_index": 2 + }, + "formula": "query2" + }, + { + "alias": "Clicks Blocked", + "style": { + "palette": "warm", + "palette_index": 7 + }, + "formula": "query3" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:proofpoint-tap service:(click-permitted OR click-blocked) $sender_ip $user_email $threat_classification $threat_status $sender_domain $sender $user_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + }, + { + "name": "query2", + "data_source": "logs", + "search": { + "query": "source:proofpoint-tap service:click-permitted $sender_ip $user_email $threat_classification $threat_status $sender_domain $sender $user_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + }, + { + "name": "query3", + "data_source": "logs", + "search": { + "query": "source:proofpoint-tap service:click-blocked $sender_ip $user_email 
$threat_classification $threat_status $sender_domain $sender $user_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 4, + "y": 3, + "width": 8, + "height": 4 + } + }, + { + "id": 8294642609820197, + "definition": { + "title": "Total Clicks Blocked", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:proofpoint-tap service:click-blocked $sender_ip $user_email $threat_classification $threat_status $sender_domain $sender $user_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_red" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "bars", + "yaxis": {} + } + }, + "layout": { + "x": 0, + "y": 5, + "width": 4, + "height": 2 + } + }, + { + "id": 3846441123230075, + "definition": { + "title": "Users with Most Clicks", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:proofpoint-tap service:(click-permitted OR click-blocked) $sender_ip $user_email $threat_classification $threat_status $sender_domain $sender $user_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.email", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + 
"compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_green" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 7, + "width": 6, + "height": 4 + } + }, + { + "id": 8535435520108761, + "definition": { + "title": "Top IPs Involved in Click Activity", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:proofpoint-tap service:(click-permitted OR click-blocked) $sender_ip $user_email $threat_classification $threat_status $sender_domain $sender $user_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.client.ip", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_green" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 7, + "width": 6, + "height": 4 + } + }, + { + "id": 1687099974370030, + "definition": { + "title": "Top Malicious Email Sender Domains", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + 
"search": { + "query": "source:proofpoint-tap service:(click-permitted OR click-blocked) $sender_domain $sender $sender_ip $user_email $threat_classification $threat_status $user_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@senderDomain", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "white_on_red" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 11, + "width": 6, + "height": 4 + } + }, + { + "id": 7035998399330608, + "definition": { + "title": "Top Malicious URL Email Senders", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:proofpoint-tap service:(click-permitted OR click-blocked) $sender_ip $user_email $threat_classification $threat_status $sender_domain $sender $user_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@sender", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "white_on_red" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": 
"stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 11, + "width": 6, + "height": 4 + } + }, + { + "id": 4622697226468595, + "definition": { + "title": "Permitted Click Users Locations", + "title_size": "16", + "title_align": "left", + "type": "geomap", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:proofpoint-tap service:click-permitted $sender_ip $user_email $threat_classification $threat_status $sender_domain $sender $user_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.client.geoip.country.iso_code", + "limit": 250, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 250, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "palette": "hostmap_blues", + "palette_flip": false + }, + "view": { + "focus": "WORLD" + } + }, + "layout": { + "x": 0, + "y": 15, + "width": 6, + "height": 6 + } + }, + { + "id": 2263790559508381, + "definition": { + "title": "Blocked Click Users Locations", + "title_size": "16", + "title_align": "left", + "type": "geomap", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:proofpoint-tap service:click-blocked $sender_ip $user_email $threat_classification $threat_status $sender_domain $sender $user_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@network.client.geoip.country.iso_code", + "limit": 250, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + 
"formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 250, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "palette": "YlOrRd", + "palette_flip": false + }, + "view": { + "focus": "WORLD" + } + }, + "layout": { + "x": 6, + "y": 15, + "width": 6, + "height": 6 + } + }, + { + "id": 6810785589309843, + "definition": { + "title": "Top Malicious URLs", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:proofpoint-tap service:(click-permitted OR click-blocked) $sender_ip $user_email $threat_classification $threat_status $sender_domain $sender $user_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@url", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "white_on_yellow" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 21, + "width": 4, + "height": 4 + } + }, + { + "id": 8766422158223043, + "definition": { + "title": "Active Threats Over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Active Threat", + "style": { + "palette": "warm", + "palette_index": 7 + }, + "formula": "query1" + } + ], + "queries": [ + { + "name": 
"query1", + "data_source": "logs", + "search": { + "query": "source:proofpoint-tap service:(click-permitted OR click-blocked) @threatStatus:active $sender_ip $user_email $threat_classification $threat_status $sender_domain $sender $user_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 4, + "y": 21, + "width": 8, + "height": 4 + } + }, + { + "id": 2421412324118721, + "definition": { + "title": "Threats Classification", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:proofpoint-tap service:(click-permitted OR click-blocked) $sender_ip $user_email $threat_classification $threat_status $sender_domain $sender $user_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@classification", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "hide_total": false, + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 25, + "width": 6, + "height": 4 + } + }, + { + "id": 819124373457463, + "definition": { + "title": "Threats Status Distribution", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:proofpoint-tap 
service:(click-permitted OR click-blocked) $sender_ip $user_email $threat_classification $threat_status $sender_domain $sender $user_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@threatStatus", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "hide_total": false, + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 25, + "width": 6, + "height": 4 + } + }, + { + "id": 584973508757490, + "definition": { + "title": "Most Targeted Recipients Threat Details", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:proofpoint-tap service:(click-permitted OR click-blocked) $sender_ip $user_email $threat_classification $threat_status $sender_domain $sender $user_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@usr.email", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@classification", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@threatStatus", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "text_formats": [ + [ + { + "match": { + "type": "is_not", + 
"value": "*" + }, + "palette": "black_on_light_green" + } + ], + [ + { + "match": { + "type": "is_not", + "value": "*" + }, + "palette": "black_on_light_yellow" + } + ], + [ + { + "match": { + "type": "is_not", + "value": "*" + }, + "palette": "black_on_light_red" + } + ] + ], + "sort": { + "count": 1000, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "cell_display_mode": "number", + "alias": "Count", + "formula": "query1", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "red_on_white" + } + ] + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 0, + "y": 29, + "width": 6, + "height": 4 + } + }, + { + "id": 20537025487565, + "definition": { + "title": "Threat Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:proofpoint-tap service:(click-permitted OR click-blocked) $sender_ip $user_email $threat_classification $threat_status $sender_domain $sender $user_ip", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "threatStatus", + "width": "auto" + }, + { + "field": "classification", + "width": "auto" + }, + { + "field": "http.url", + "width": "auto" + }, + { + "field": "threatTime", + "width": "auto" + }, + { + "field": "campaignId", + "width": "auto" + }, + { + "field": "threatID", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 6, + "y": 29, + "width": 6, + "height": 4 + } + }, + { + "id": 1434416129281903, + "definition": { + "title": "Click Events List", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:proofpoint-tap service:(click-permitted OR click-blocked) $sender_ip $user_email 
$threat_classification $threat_status $sender_domain $sender $user_ip", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "service", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 33, + "width": 12, + "height": 4 + } + } + ], + "template_variables": [ + { + "name": "user_email", + "prefix": "@usr.email", + "available_values": [], + "default": "*" + }, + { + "name": "user_ip", + "prefix": "@network.client.ip", + "available_values": [], + "default": "*" + }, + { + "name": "sender", + "prefix": "@sender", + "available_values": [], + "default": "*" + }, + { + "name": "sender_ip", + "prefix": "@senderIP", + "available_values": [], + "default": "*" + }, + { + "name": "sender_domain", + "prefix": "@senderDomain", + "available_values": [], + "default": "*" + }, + { + "name": "threat_classification", + "prefix": "@classification", + "available_values": [], + "default": "*" + }, + { + "name": "threat_status", + "prefix": "@threatStatus", + "available_values": [], + "default": "*" + } + ], + "layout_type": "ordered", + "notify_list": [], + "reflow_type": "fixed" +} \ No newline at end of file diff --git a/proofpoint_tap/assets/dashboards/proofpoint_tap_messages_insights.json b/proofpoint_tap/assets/dashboards/proofpoint_tap_messages_insights.json new file mode 100644 index 0000000000000..5c117d3feb201 --- /dev/null +++ b/proofpoint_tap/assets/dashboards/proofpoint_tap_messages_insights.json 
@@ -0,0 +1,2261 @@ +{ + "title": "Proofpoint TAP - Messages Insights", + "description": "This dashboard provides insights into email threats by showing messages that were either blocked or delivered.", + "widgets": [ + { + "id": 6795959842001555, + "definition": { + "type": "image", + "url": "https://www.proofpoint.com/sites/default/files/styles/image_auto_200/public/pr/Proofpoint-logo-reg-K.png.webp", + "url_dark_theme": "https://www.proofpoint.com/sites/default/files/styles/image_auto_200/public/pr/Proofpoint-logo-reg-Reversed.png.webp", + "sizing": "contain", + "margin": "md", + "has_background": true, + "has_border": true, + "vertical_align": "center", + "horizontal_align": "center" + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 3 + } + }, + { + "id": 4742521996525905, + "definition": { + "type": "note", + "content": "This dashboard provides insights into email threats by showing messages that were either blocked or delivered.\n\nFor more information, see the [Proofpoint TAP Documentation](https://docs.datadoghq.com/integrations/proofpoint_tap/).\n\n**Tips**:\n - Use the timeframe selector in the upper-right corner of the dashboard to change the default timeframe.\n - Clone this dashboard to rearrange, modify, and add widgets and visualizations.\n\n", + "background_color": "blue", + "font_size": "14", + "text_align": "left", + "vertical_align": "center", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 6, + "y": 0, + "width": 6, + "height": 3 + } + }, + { + "id": 6749014560391686, + "definition": { + "title": "Overview", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 8423296124214426, + "definition": { + "title": "Total Messages Delivered", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": 
"query1", + "data_source": "logs", + "search": { + "query": "source:proofpoint-tap service:message-delivered $sender_email $sender_ip $recipient_email" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#e3f6f8" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 2 + } + }, + { + "id": 8294642609820197, + "definition": { + "title": "Total Messages Blocked", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:proofpoint-tap service:message-blocked $sender_email $sender_ip $recipient_email" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_red" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "bars", + "yaxis": {} + } + }, + "layout": { + "x": 6, + "y": 0, + "width": 6, + "height": 2 + } + }, + { + "id": 6293676326544140, + "definition": { + "title": "Messages Over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Total Messages", + "style": { + "palette": "green", + "palette_index": 7 + }, + "formula": "query1" + }, + { + "alias": "Messages Delivered", + "style": { + 
"palette": "dd20", + "palette_index": 0 + }, + "formula": "query2" + }, + { + "alias": "Messages Blocked", + "style": { + "palette": "warm", + "palette_index": 7 + }, + "formula": "query3" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:proofpoint-tap service:(message-delivered OR message-blocked) $sender_email $sender_ip $recipient_email" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + }, + { + "name": "query2", + "data_source": "logs", + "search": { + "query": "source:proofpoint-tap service:(message-delivered) $sender_email $sender_ip $recipient_email" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + }, + { + "name": "query3", + "data_source": "logs", + "search": { + "query": "source:proofpoint-tap service:(message-blocked) $sender_email $sender_ip $recipient_email" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 0, + "y": 2, + "width": 12, + "height": 4 + } + }, + { + "id": 6300556448575909, + "definition": { + "title": "Rewritten URL Messages", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:proofpoint-tap service:(message-delivered OR message-blocked) @completelyRewritten:true $sender_email $sender_ip $recipient_email" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": 
"black_on_light_green" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 6, + "width": 6, + "height": 2 + } + }, + { + "id": 7658800087547393, + "definition": { + "title": "Non-Rewritten URL Messages", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:proofpoint-tap service:(message-delivered OR message-blocked) @completelyRewritten:false $sender_email $sender_ip $recipient_email" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_yellow" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 6, + "y": 6, + "width": 6, + "height": 2 + } + }, + { + "id": 2442297210669657, + "definition": { + "title": "Top Senders", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:proofpoint-tap service:(message-delivered OR message-blocked) $sender_email $sender_ip $recipient_email" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@fromAddress", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 
0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 8, + "width": 4, + "height": 4 + } + }, + { + "id": 8700843734754617, + "definition": { + "title": "Top Sender IPs", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:proofpoint-tap service:(message-delivered OR message-blocked) $sender_email $sender_ip $recipient_email" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@senderIP", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 4, + "y": 8, + "width": 4, + "height": 4 + } + }, + { + "id": 5393275914500460, + "definition": { + "title": "Top Messages Policy Routes", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:proofpoint-tap service:(message-delivered OR message-blocked) $sender_email $sender_ip $recipient_email" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@policyRoutes", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": 
"black_on_light_green" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 8, + "y": 8, + "width": 4, + "height": 4 + } + }, + { + "id": 3919465972739452, + "definition": { + "title": "Sender Domain and Recipient Details", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:proofpoint-tap service:(message-delivered OR message-blocked) $sender_email $sender_ip $recipient_email" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@senderDomain", + "limit": 25, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@fromAddress", + "limit": 15, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + }, + { + "facet": "@recipient", + "limit": 15, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 5625, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "yellow_on_white" + } + ], + "cell_display_mode": "number", + "alias": "Count", + "formula": "query1" + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 0, + "y": 12, + "width": 12, + "height": 4 + } + }, + { + "id": 5807104704455522, + "definition": { + "title": "Senders Location for Delivered Messages", + "title_size": "16", + "title_align": "left", + 
"type": "geomap", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:proofpoint-tap service:message-delivered $sender_email $sender_ip $recipient_email" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@geoSenderIP.country.iso_code", + "limit": 250, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 250, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "palette": "hostmap_blues", + "palette_flip": false + }, + "view": { + "focus": "WORLD" + } + }, + "layout": { + "x": 0, + "y": 16, + "width": 6, + "height": 6 + } + }, + { + "id": 315139647063156, + "definition": { + "title": "Senders Location for Blocked Messages", + "title_size": "16", + "title_align": "left", + "type": "geomap", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:proofpoint-tap service:message-blocked $sender_email $sender_ip $recipient_email" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@geoSenderIP.country.iso_code", + "limit": 250, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 250, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "palette": "YlOrRd", + "palette_flip": false + }, + "view": { + "focus": "WORLD" + } + }, + "layout": { + "x": 6, + "y": 16, + "width": 6, + "height": 6 + } + }, + { + "id": 20537025487565, + 
"definition": { + "title": "Message Events List", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:proofpoint-tap service:(message-delivered OR message-blocked) $sender_email $sender_ip $recipient_email", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "service", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 22, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 3, + "width": 12, + "height": 1 + } + }, + { + "id": 6083089200926169, + "definition": { + "title": "Attachments", + "background_color": "blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 4565615746425002, + "definition": { + "title": "Top Message Delivered Files", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:proofpoint-tap service:message-delivered $sender_email $sender_ip $recipient_email" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@messageParts.filename", + "limit": 50, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_green" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 50, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + 
"legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 0, + "width": 4, + "height": 4 + } + }, + { + "id": 8782757466481323, + "definition": { + "title": "Top Message Blocked Files", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:proofpoint-tap service:message-blocked $sender_email $sender_ip $recipient_email" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@messageParts.filename", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "white_on_red" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 4, + "y": 0, + "width": 4, + "height": 4 + } + }, + { + "id": 4581759719873739, + "definition": { + "title": "Malicious Attachment Hashes", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:proofpoint-tap service:message-blocked $sender_email $sender_ip $recipient_email" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@messageParts.md5", + "limit": 50, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": 
"white_on_red" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 50, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 8, + "y": 0, + "width": 4, + "height": 4 + } + }, + { + "id": 1771207532944284, + "definition": { + "title": "Blocked Messages by Quarantine Rule", + "title_size": "16", + "title_align": "left", + "type": "query_table", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:proofpoint-tap service:message-blocked $sender_email $sender_ip $recipient_email" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@quarantineRule", + "limit": 15, + "sort": { + "aggregation": "cardinality", + "order": "desc", + "metric": "@GUID" + }, + "should_exclude_missing": true + }, + { + "facet": "@quarantineFolder", + "limit": 15, + "sort": { + "aggregation": "cardinality", + "order": "desc", + "metric": "@GUID" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "cardinality", + "metric": "@GUID" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "sort": { + "count": 225, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + }, + "formulas": [ + { + "cell_display_mode": "number", + "alias": "Count", + "formula": "query1", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "red_on_white" + } + ] + } + ] + } + ], + "has_search_bar": "auto" + }, + "layout": { + "x": 0, + "y": 4, + "width": 5, + "height": 4 + } + }, + { + "id": 6159827982022944, + "definition": { + "title": "Attachment Status Distribution", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:proofpoint-tap service:(message-delivered OR 
message-blocked) $sender_email $sender_ip $recipient_email" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@messageParts.sandboxStatus", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "hide_total": true, + "legend": { + "type": "table" + } + }, + "layout": { + "x": 5, + "y": 4, + "width": 7, + "height": 4 + } + }, + { + "id": 6627305333660364, + "definition": { + "title": "Attachment Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:proofpoint-tap service:(message-delivered OR message-blocked) $sender_email $sender_ip $recipient_email", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "service", + "width": "auto" + }, + { + "field": "@messageParts", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 8, + "width": 12, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 4, + "width": 12, + "height": 1 + } + }, + { + "id": 3359610820383194, + "definition": { + "title": "Threats", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 2449999826649366, + "definition": { + "title": "Total Active Threats", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { 
+ "name": "query1", + "data_source": "logs", + "search": { + "query": "source:proofpoint-tap service:(message-delivered OR message-blocked) @threatsInfoMap.threatStatus:active $sender_email $sender_ip $recipient_email" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_red" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": { + "include_zero": true + }, + "type": "area" + } + }, + "layout": { + "x": 0, + "y": 0, + "width": 4, + "height": 2 + } + }, + { + "id": 6075580919010232, + "definition": { + "title": "Total False Positive Threats", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:proofpoint-tap service:(message-delivered OR message-blocked) @threatsInfoMap.threatStatus:falsepositive $sender_email $sender_ip $recipient_email" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_yellow" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "area" + } + }, + "layout": { + "x": 4, + "y": 0, + "width": 4, + "height": 2 + } + }, + { + "id": 8157692748746635, + "definition": { + "title": "Total Cleared Threats", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:proofpoint-tap service:(message-delivered OR message-blocked) 
@threatsInfoMap.threatStatus:cleared $sender_email $sender_ip $recipient_email" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#e5f6ff" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "area" + } + }, + "layout": { + "x": 8, + "y": 0, + "width": 4, + "height": 2 + } + }, + { + "id": 7048565529254061, + "definition": { + "title": "Message Threats Classification", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:proofpoint-tap service:(message-delivered OR message-blocked) $sender_email $sender_ip $recipient_email" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@threatsInfoMap.classification", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "hide_total": true, + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 2, + "width": 6, + "height": 4 + } + }, + { + "id": 3144476318546724, + "definition": { + "title": "Threats Type Distribution", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:proofpoint-tap service:(message-delivered OR message-blocked) $sender_email $sender_ip $recipient_email" + }, + 
"indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@threatsInfoMap.threatType", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 500, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "hide_total": true, + "legend": { + "type": "table" + } + }, + "layout": { + "x": 6, + "y": 2, + "width": 6, + "height": 4 + } + }, + { + "id": 8191469682636800, + "definition": { + "title": "Average Malware Score", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:proofpoint-tap service:(message-delivered OR message-blocked) $sender_email $sender_ip $recipient_email" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "avg", + "metric": "@malwareScore" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_red" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 6, + "width": 3, + "height": 3 + } + }, + { + "id": 8242142813578734, + "definition": { + "title": "Average Malware Score Over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Malware Score", + "style": { + "palette": "warm", + "palette_index": 7 + }, + "formula": "query1" + } + ], + 
"queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:proofpoint-tap service:(message-delivered OR message-blocked) $sender_email $sender_ip $recipient_email" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "avg", + "metric": "@malwareScore" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 6, + "width": 9, + "height": 3 + } + }, + { + "id": 6712444281541686, + "definition": { + "title": "Average Phish Score", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:proofpoint-tap service:(message-delivered OR message-blocked) $sender_email $sender_ip $recipient_email" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "avg", + "metric": "@phishScore" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_red" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 9, + "width": 3, + "height": 3 + } + }, + { + "id": 432473605231971, + "definition": { + "title": "Average Phish Score Over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Phish Score", + "style": { + "palette": "warm", + "palette_index": 7 + }, + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": 
"source:proofpoint-tap service:(message-delivered OR message-blocked) $sender_email $sender_ip $recipient_email" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "avg", + "metric": "@phishScore" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 9, + "width": 9, + "height": 3 + } + }, + { + "id": 4868518237862486, + "definition": { + "title": "Average Spam Score", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:proofpoint-tap service:(message-delivered OR message-blocked) $sender_email $sender_ip $recipient_email" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "avg", + "metric": "@spamScore" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_yellow" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 12, + "width": 3, + "height": 3 + } + }, + { + "id": 7044789098138421, + "definition": { + "title": "Average Spam Score Over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Spam Score", + "style": { + "palette": "classic", + "palette_index": 4 + }, + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:proofpoint-tap service:(message-delivered OR message-blocked) $sender_email $sender_ip 
$recipient_email" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "avg", + "metric": "@spamScore" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 12, + "width": 9, + "height": 3 + } + }, + { + "id": 8308823898614911, + "definition": { + "title": "Average Impostor Score", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:proofpoint-tap service:(message-delivered OR message-blocked) $sender_email $sender_ip $recipient_email" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "avg", + "metric": "@impostorScore" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_yellow" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 0, + "y": 15, + "width": 3, + "height": 3 + } + }, + { + "id": 6454064473654363, + "definition": { + "title": "Average Impostor Scores Over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Impostor Score", + "style": { + "palette": "classic", + "palette_index": 4 + }, + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:proofpoint-tap service:(message-delivered OR message-blocked) $sender_email $sender_ip $recipient_email" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { 
+ "aggregation": "avg", + "metric": "@impostorScore" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 15, + "width": 9, + "height": 3 + } + }, + { + "id": 3738731250435971, + "definition": { + "title": "Top Threats", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:proofpoint-tap service:(message-delivered OR message-blocked) $sender_email $sender_ip $recipient_email" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@threatsInfoMap.threat", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "white_on_red" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 18, + "width": 4, + "height": 4 + } + }, + { + "id": 3173472795795513, + "definition": { + "title": "Threat Details", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:proofpoint-tap service:(message-delivered OR message-blocked) $sender_email $sender_ip $recipient_email", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + 
"field": "service", + "width": "auto" + }, + { + "field": "@threatsInfoMap", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 4, + "y": 18, + "width": 8, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 5, + "width": 12, + "height": 1 + } + } + ], + "template_variables": [ + { + "name": "sender_ip", + "prefix": "@senderIP", + "available_values": [], + "default": "*" + }, + { + "name": "sender_email", + "prefix": "@fromAddress", + "available_values": [], + "default": "*" + }, + { + "name": "recipient_email", + "prefix": "@recipient", + "available_values": [], + "default": "*" + } + ], + "layout_type": "ordered", + "notify_list": [], + "reflow_type": "fixed" +} \ No newline at end of file diff --git a/proofpoint_tap/assets/dashboards/proofpoint_tap_overview.json b/proofpoint_tap/assets/dashboards/proofpoint_tap_overview.json new file mode 100644 index 0000000000000..4be072019aa47 --- /dev/null +++ b/proofpoint_tap/assets/dashboards/proofpoint_tap_overview.json 
@@ -0,0 +1,1290 @@ +{ + "title": "Proofpoint TAP - Overview", + "description": "This dashboard provides a comprehensive summary of proofpoint TAP events.", + "widgets": [ + { + "id": 6795959842001555, + "definition": { + "type": "image", + "url": "https://www.proofpoint.com/sites/default/files/styles/image_auto_200/public/pr/Proofpoint-logo-reg-K.png.webp", + "url_dark_theme": "https://www.proofpoint.com/sites/default/files/styles/image_auto_200/public/pr/Proofpoint-logo-reg-Reversed.png.webp", + "sizing": "contain", + "margin": "md", + "has_background": true, + "has_border": true, + "vertical_align": "center", + "horizontal_align": "center" + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 3 + } + }, + { + "id": 4742521996525905, + "definition": { + "type": "note", + "content": "**[Proofpoint TAP](https://www.proofpoint.com/uk/products/advanced-threat-protection/targeted-attack-protection)** is a cybersecurity solution designed to detect, mitigate, and block advanced threats that target people through email. 
It uses a next-generation email security platform to provide visibility into all email communications.\n\nThis dashboard provides a comprehensive summary of proofpoint TAP events.\n\nFor more information, see the [Proofpoint TAP Documentation](https://docs.datadoghq.com/integrations/proofpoint_tap/).\n\n**Tips**:\n - Use the timeframe selector in the upper-right corner of the dashboard to change the default timeframe.\n - Clone this dashboard to rearrange, modify, and add widgets and visualizations.\n\n", + "background_color": "blue", + "font_size": "14", + "text_align": "left", + "vertical_align": "center", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 6, + "y": 0, + "width": 6, + "height": 3 + } + }, + { + "id": 2726996452729540, + "definition": { + "title": "Overview", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 2322940718384910, + "definition": { + "title": "Total Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:proofpoint-tap $sender $sender_domain $sender_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_green" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 4 + } + }, + { + "id": 1391069816416785, + "definition": { + "title": "Events Over Time", + "title_size": "16", + "title_align": "left", + "show_legend": false, + "legend_layout": "horizontal", + "legend_columns": [ + 
"avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Events", + "style": { + "palette": "green", + "palette_index": 7 + }, + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:proofpoint-tap $sender $sender_domain $sender_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 0, + "width": 9, + "height": 4 + } + }, + { + "id": 5204055022860869, + "definition": { + "title": "Event Distribution", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:proofpoint-tap $sender $sender_domain $sender_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "service", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "table" + } + }, + "layout": { + "x": 0, + "y": 4, + "width": 12, + "height": 4 + } + }, + { + "id": 5154112403406628, + "definition": { + "title": "Total Messages Delivered", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:proofpoint-tap service:message-delivered 
$sender $sender_domain $sender_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "custom_bg", + "custom_bg_color": "#e3f6f8" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 8, + "width": 3, + "height": 2 + } + }, + { + "id": 6293676326544140, + "definition": { + "title": "Messages Over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Messages Delivered", + "style": { + "palette": "dd20", + "palette_index": 14 + }, + "formula": "query1" + }, + { + "alias": "Messages Blocked", + "style": { + "palette": "warm", + "palette_index": 7 + }, + "formula": "query2" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:proofpoint-tap service:message-delivered $sender $sender_domain $sender_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + }, + { + "name": "query2", + "data_source": "logs", + "search": { + "query": "source:proofpoint-tap service:message-blocked $sender $sender_domain $sender_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 8, + "width": 9, + "height": 4 + } + }, + { + "id": 8294642609820197, + "definition": { + "title": "Total 
Messages Blocked", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:proofpoint-tap service:message-blocked $sender $sender_domain $sender_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_red" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "yaxis": {}, + "type": "bars" + } + }, + "layout": { + "x": 0, + "y": 10, + "width": 3, + "height": 2 + } + }, + { + "id": 2531314265737150, + "definition": { + "title": "Total Clicks Permitted", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:proofpoint-tap service:click-permitted $sender $sender_domain $sender_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_yellow" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "bars", + "yaxis": {} + } + }, + "layout": { + "x": 0, + "y": 12, + "width": 3, + "height": 2 + } + }, + { + "id": 6573198605661391, + "definition": { + "title": "Clicks Over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Clicks Permitted", + "style": { 
+ "palette": "dd20", + "palette_index": 2 + }, + "formula": "query1" + }, + { + "alias": "Clicks Blocked", + "style": { + "palette": "warm", + "palette_index": 7 + }, + "formula": "query2" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:proofpoint-tap service:click-permitted $sender $sender_domain $sender_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + }, + { + "name": "query2", + "data_source": "logs", + "search": { + "query": "source:proofpoint-tap service:click-blocked $sender $sender_domain $sender_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 3, + "y": 12, + "width": 9, + "height": 4 + } + }, + { + "id": 7028124086423754, + "definition": { + "title": "Total Clicks Blocked", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "response_format": "scalar", + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:proofpoint-tap service:click-blocked $sender $sender_domain $sender_ip" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_red" + } + ], + "formulas": [ + { + "formula": "query1" + } + ] + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "bars", + "yaxis": {} + } + }, + "layout": { + "x": 0, + "y": 14, + "width": 3, + "height": 2 + } + }, + { + "id": 8369390369911854, + "definition": { + "title": "Top Sender Domains", + "title_size": "16", + "title_align": 
"left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:proofpoint-tap $sender $sender_domain $sender_ip" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@senderDomain", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": ">", + "value": 0, + "palette": "black_on_light_green" + } + ], + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 16, + "width": 4, + "height": 4 + } + }, + { + "id": 2380349282316457, + "definition": { + "title": "Events List", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:proofpoint-tap $sender $sender_domain $sender_ip", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "service", + "width": "auto" + }, + { + "field": "content", + "width": "auto" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 4, + "y": 16, + "width": 8, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 3, + "width": 12, + "height": 1 + } + }, + { + "id": 2957397572922750, + "definition": { + "title": "Datadog Cloud SIEM", + "title_align": "center", + "background_color": "blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 5934800322801051, + "definition": { + "type": "note", + 
"content": "\nDatadog Cloud SIEM analyzes and correlates **Proofpoint TAP** Events to detect threats to your environment in real time. If you don't see signals please make sure you've enabled [Datadog Cloud SIEM](/security). ", + "background_color": "vivid_blue", + "font_size": "14", + "text_align": "center", + "vertical_align": "center", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 0, + "y": 0, + "width": 12, + "height": 1 + } + }, + { + "id": 6171348664692474, + "definition": { + "title": "CRITICALs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#bc303c", + "palette": "custom_bg", + "value": 0 + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:proofpoint-tap status:critical" + } + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "custom_links": [], + "precision": 2 + }, + "layout": { + "x": 0, + "y": 1, + "width": 2, + "height": 2 + } + }, + { + "id": 2665282002933438, + "definition": { + "title": "HIGHs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#d33043", + "palette": "custom_bg", + "value": 0 + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:proofpoint-tap status:high" + } + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "custom_links": [], + "precision": 2 + }, + "layout": { 
+ "x": 2, + "y": 1, + "width": 2, + "height": 2 + } + }, + { + "id": 1735683081022581, + "definition": { + "title": "Critical Security Signals", + "type": "toplist", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#bc303c", + "palette": "custom_bg", + "value": 0 + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:proofpoint-tap status:critical" + } + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "custom_links": [], + "style": {} + }, + "layout": { + "x": 4, + "y": 1, + "width": 8, + "height": 4 + } + }, + { + "id": 3954861766671256, + "definition": { + "title": "MEDIUMs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#e5a21c", + "palette": "custom_bg", + "value": 0 + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:proofpoint-tap status:medium" + } + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "custom_links": [], + "precision": 2 + }, + "layout": { + "x": 0, + "y": 3, + "width": 2, + "height": 2 + } + }, + { + "id": 8889477143805712, + "definition": { + "title": "LOWs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + 
"custom_bg_color": "#ffb52b", + "palette": "custom_bg", + "value": 0 + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:proofpoint-tap status:low" + } + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "custom_links": [], + "precision": 2 + }, + "layout": { + "x": 2, + "y": 3, + "width": 2, + "height": 1 + } + }, + { + "id": 3751797707009087, + "definition": { + "title": "INFOs", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#84c1e0", + "palette": "custom_bg", + "value": 0 + } + ], + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "search": { + "query": "source:proofpoint-tap status:info" + } + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "custom_links": [], + "precision": 2 + }, + "layout": { + "x": 2, + "y": 4, + "width": 2, + "height": 1 + } + }, + { + "id": 3594277674829459, + "definition": { + "title": "High Security Signals", + "type": "toplist", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#d33043", + "palette": "custom_bg", + "value": 0 + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:proofpoint-tap status:high" + } + } + ], + "response_format": "scalar", + "formulas": [ + { + 
"formula": "default_zero(query1)" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "custom_links": [], + "style": {} + }, + "layout": { + "x": 0, + "y": 5, + "width": 6, + "height": 4 + } + }, + { + "id": 2922079253083058, + "definition": { + "title": "Medium Security Signals", + "type": "toplist", + "requests": [ + { + "conditional_formats": [ + { + "comparator": ">", + "custom_bg_color": "#e5a21c", + "palette": "custom_bg", + "value": 0 + } + ], + "queries": [ + { + "data_source": "security_signals", + "name": "query1", + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [ + { + "facet": "@workflow.rule.name", + "limit": 10, + "sort": { + "order": "desc", + "aggregation": "count" + } + } + ], + "search": { + "query": "source:proofpoint-tap status:medium" + } + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "default_zero(query1)" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "custom_links": [], + "style": {} + }, + "layout": { + "x": 6, + "y": 5, + "width": 6, + "height": 4 + } + } + ] + }, + "layout": { + "x": 0, + "y": 4, + "width": 12, + "height": 10, + "is_column_break": true + } + } + ], + "template_variables": [ + { + "name": "sender", + "prefix": "@sender", + "available_values": [], + "default": "*" + }, + { + "name": "sender_ip", + "prefix": "@senderIP", + "available_values": [], + "default": "*" + }, + { + "name": "sender_domain", + "prefix": "@senderDomain", + "available_values": [], + "default": "*" + } + ], + "layout_type": "ordered", + "notify_list": [], + "reflow_type": "fixed" +} \ No newline at end of file diff --git a/proofpoint_tap/assets/logs/proofpoint-tap.yaml b/proofpoint_tap/assets/logs/proofpoint-tap.yaml new file mode 100644 index 0000000000000..31e6210458f0d --- /dev/null 
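Review bot: The "Top Sender Domains" toplist groups by `@senderDomain`, and the template variables use the `@sender`, `@senderIP` and `@senderDomain` prefixes, but the `facets:` list in `proofpoint_tap/assets/logs/proofpoint-tap.yaml` added by this same commit declares none of those attributes (only the `http.*`, `network.client.*` and `usr.email` paths). If grouping and template-variable value suggestions depend on declared facets, as they appear to, these three attributes should be added to that list or the widgets pointed at a declared facet. Separately, the brand name is lowercased in both the dashboard description and the note widget: `"description": "This dashboard provides a comprehensive summary of Proofpoint TAP events."`, with the matching sentence in the note's `content`. The "Events Over Time" timeseries is also the only one with `"show_legend": false`; its sibling timeseries widgets set it to true.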
+++ b/proofpoint_tap/assets/logs/proofpoint-tap.yaml 
@@ -0,0 +1,217 @@ +id: proofpoint-tap +metric_id: proofpoint-tap +backend_only: false +facets: + - groups: + - Web Access + name: URL Path + path: http.url + source: log + - groups: + - Web Access + name: User-Agent + path: http.useragent + source: log + - groups: + - Web Access + name: Browser + path: http.useragent_details.browser.family + source: log + - groups: + - Web Access + name: Device + path: http.useragent_details.device.family + source: log + - groups: + - Web Access + name: OS + path: http.useragent_details.os.family + source: log + - groups: + - Geoip + name: City Name + path: network.client.geoip.city.name + source: log + - groups: + - Geoip + name: Continent Code + path: network.client.geoip.continent.code + source: log + - groups: + - Geoip + name: Continent Name + path: network.client.geoip.continent.name + source: log + - groups: + - Geoip + name: Country ISO Code + path: network.client.geoip.country.iso_code + source: log + - groups: + - Geoip + name: Country Name + path: network.client.geoip.country.name + source: log + - groups: + - Geoip + name: Subdivision ISO Code + path: network.client.geoip.subdivision.iso_code + source: log + - groups: + - Geoip + name: Subdivision Name + path: network.client.geoip.subdivision.name + source: log + - groups: + - Web Access + name: Client IP + path: network.client.ip + source: log + - groups: + - User + name: User Email + path: usr.email + source: log +pipeline: + type: pipeline + name: Proofpoint TAP + enabled: true + filter: + query: source:proofpoint-tap + processors: + - type: date-remapper + name: Define `eventTime` as the official date of the log + enabled: true + sources: + - eventTime + - type: pipeline + name: Processing click events + enabled: true + filter: + query: service:(click-permitted OR click-blocked) + processors: + - type: attribute-remapper + name: Map `clickIP` to `network.client.ip` + enabled: true + sources: + - clickIP + sourceType: attribute + target: network.client.ip + 
targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `recipient` to `usr.email` + enabled: true + sources: + - recipient + sourceType: attribute + target: usr.email + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `threatURL` to `http.url` + enabled: true + sources: + - threatURL + sourceType: attribute + target: http.url + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: attribute-remapper + name: Map `userAgent` to `http.useragent` + enabled: true + sources: + - userAgent + sourceType: attribute + target: http.useragent + targetType: attribute + preserveSource: false + overrideOnConflict: false + - type: category-processor + name: Category processor for `status` + enabled: true + categories: + - filter: + query: "@classification:(malware OR phish) @threatStatus:active" + name: critical + - filter: + query: "@classification:spam @threatStatus:active" + name: warning + - filter: + query: -(@classification:(malware OR phish) @threatStatus:active) OR + -(@classification:spam @threatStatus:active) + name: info + target: status + - type: geo-ip-parser + name: Extracting geolocation information from `network.client.ip` + enabled: true + sources: + - network.client.ip + target: network.client.geoip + ip_processing_behavior: do-nothing + - type: user-agent-parser + name: Extract details from `http.useragent` + enabled: true + sources: + - http.useragent + target: http.useragent_details + encoded: false + combineVersionDetails: false + - type: pipeline + name: Processing message events + enabled: true + filter: + query: service:(message-delivered OR message-blocked) + processors: + - type: string-builder-processor + name: "%{threatsInfoMap.threatUrl} - in attribute threatUrl" + enabled: true + template: "%{threatsInfoMap.threatUrl}" + target: threatUrl + replaceMissing: true + - type: grok-parser + name: 
Extract `http.url` from threatUrl + enabled: true + source: threatUrl + samples: + - http://rohan.org/willis,http://rohan.org/willis + grok: + supportRules: "" + matchRules: rule %{data:http.url:array(",")} + - type: category-processor + name: Category Processor for `status` + enabled: true + categories: + - filter: + query: "@threatsInfoMap.threatStatus:active" + name: warning + - filter: + query: -@threatsInfoMap.threatStatus:active + name: info + target: status + - type: status-remapper + name: Define `status` as the official status of the log + enabled: true + sources: + - status + - type: grok-parser + name: Extract `senderDomain` from `sender` + enabled: true + source: sender + samples: + - ranjith.vellaisamy@pacificprime.au + - r@njith.vellaisamy@pacificprime.ai + - 123test123hash@pacificprime + grok: + supportRules: "" + matchRules: extract_sender_domian %{regex(".*(?=@)"):}@%{data:senderDomain} + - type: geo-ip-parser + name: Extracting geolocation information from `senderIP` + enabled: true + sources: + - senderIP + target: geoSenderIP + ip_processing_behavior: do-nothing diff --git a/proofpoint_tap/assets/logs/proofpoint-tap_tests.yaml b/proofpoint_tap/assets/logs/proofpoint-tap_tests.yaml new file mode 100644 index 0000000000000..d3edde81d790e --- /dev/null +++ b/proofpoint_tap/assets/logs/proofpoint-tap_tests.yaml 
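Review bot: The `samples` for the `Extract senderDomain from sender` grok parser look like a real person's name and a real company domain (`ranjith.vellaisamy@pacificprime.au` and variants); committed pipeline fixtures should use reserved example domains, e.g. `- user.name@example.com`, `- u@ser.name@example.org`, `- 123test123hash@example` (constructed values that keep the same three edge cases: plain address, extra `@`, TLD-less domain). The match rule name also carries a typo: `matchRules: extract_sender_domain %{regex(".*(?=@)"):}@%{data:senderDomain}`. In the click-events category processor the third category's filter `-(A) OR -(B)` is true for every log the first two did not match, since a log cannot be both malware/phish and spam, so a plain catch-all filter would state the intent more directly. The indentation of the trailing `status-remapper`, `senderDomain` grok and `senderIP` geo-ip processors is not recoverable from this view; the test fixture in this commit expects `senderDomain` and `geoSenderIP` on a `click-blocked` log, which suggests they sit at the top-level pipeline rather than inside the message-events sub-pipeline, so the nesting is worth confirming.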
@@ -0,0 +1,704 @@ +id: "proofpoint-tap" +tests: + - + sample: |- + { + "threatID" : "61f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50", + "clickIP" : "10.0.0.0", + "campaignId" : "46e01b8a-c899-404d-bcd9-189bb393d1a7", + "threatTime" : "2016-06-24T19:17:46.000Z", + "GUID" : "b27dbea0-87d5-463b-b93c-4e8b708289ce", + "messageID" : "8c6cfedd-3050-4d65-8c09-c5f65c38da81", + "clickTime" : "2016-06-24T19:17:44.000Z", + "userAgent" : "Mozilla/5.0(WindowsNT6.1;WOW64;rv:27.0)Gecko/20100101Firefox/27.0", + "classification" : "malware", + "url" : "http://badguy.zz/", + "sender" : "9facbf452def2d7efc5b5c48cdb837fa@badguy.zz", + "eventTime" : "2025-06-24T19:17:46.000Z", + "recipient" : "bruce.wayne@pharmtech.zz", + "id" : "8c8b4895-a277-449f-r797-547e3c89b25a", + "threatURL" : "https://threatinsight.proofpoint.com/#/73aa0499-dfc8-75eb-1de8-a471b24a2e75/threat/u/61f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50", + "senderIP" : "192.0.2.255", + "threatStatus" : "active" + } + service: "click-blocked" + result: + custom: + GUID: "b27dbea0-87d5-463b-b93c-4e8b708289ce" + campaignId: "46e01b8a-c899-404d-bcd9-189bb393d1a7" + classification: "malware" + clickTime: "2016-06-24T19:17:44.000Z" + eventTime: "2025-06-24T19:17:46.000Z" + geoSenderIP: {} + http: + url: "https://threatinsight.proofpoint.com/#/73aa0499-dfc8-75eb-1de8-a471b24a2e75/threat/u/61f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50" + useragent: "Mozilla/5.0(WindowsNT6.1;WOW64;rv:27.0)Gecko/20100101Firefox/27.0" + useragent_details: + browser: + family: "Firefox" + major: "27" + minor: "0" + device: + category: "Desktop" + family: "Other" + os: + family: "Windows" + major: "NT" + id: "8c8b4895-a277-449f-r797-547e3c89b25a" + messageID: "8c6cfedd-3050-4d65-8c09-c5f65c38da81" + network: + client: + geoip: {} + ip: "10.0.0.0" + sender: "9facbf452def2d7efc5b5c48cdb837fa@badguy.zz" + senderDomain: "badguy.zz" + senderIP: "192.0.2.255" + status: "critical" + threatID: 
"61f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50" + threatStatus: "active" + threatTime: "2016-06-24T19:17:46.000Z" + url: "http://badguy.zz/" + usr: + email: "bruce.wayne@pharmtech.zz" + message: |- + { + "threatID" : "61f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50", + "clickIP" : "10.0.0.0", + "campaignId" : "46e01b8a-c899-404d-bcd9-189bb393d1a7", + "threatTime" : "2016-06-24T19:17:46.000Z", + "GUID" : "b27dbea0-87d5-463b-b93c-4e8b708289ce", + "messageID" : "8c6cfedd-3050-4d65-8c09-c5f65c38da81", + "clickTime" : "2016-06-24T19:17:44.000Z", + "userAgent" : "Mozilla/5.0(WindowsNT6.1;WOW64;rv:27.0)Gecko/20100101Firefox/27.0", + "classification" : "malware", + "url" : "http://badguy.zz/", + "sender" : "9facbf452def2d7efc5b5c48cdb837fa@badguy.zz", + "eventTime" : "2025-06-24T19:17:46.000Z", + "recipient" : "bruce.wayne@pharmtech.zz", + "id" : "8c8b4895-a277-449f-r797-547e3c89b25a", + "threatURL" : "https://threatinsight.proofpoint.com/#/73aa0499-dfc8-75eb-1de8-a471b24a2e75/threat/u/61f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50", + "senderIP" : "192.0.2.255", + "threatStatus" : "active" + } + service: "click-blocked" + status: "critical" + tags: + - "source:LOGS_SOURCE" + timestamp: 1750792666000 + - + sample: |- + { + "threatID" : "61f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50", + "clickIP" : "10.0.0.0", + "campaignId" : "46e01b8a-c899-404d-bcd9-189bb393d1a7", + "threatTime" : "2016-06-24T19:17:46.000Z", + "GUID" : "b27dbea0-87d5-463b-b93c-4e8b708289ce", + "messageID" : "8c6cfedd-3050-4d65-8c09-c5f65c38da81", + "clickTime" : "2016-06-24T19:17:44.000Z", + "userAgent" : "Mozilla/5.0(WindowsNT6.1;WOW64;rv:27.0)Gecko/20100101Firefox/27.0", + "classification" : "spam", + "url" : "http://badguy.zz/", + "sender" : "9facbf452def2d7efc5b5c48cdb837fa@badguy.zz", + "eventTime" : "2025-06-24T19:17:46.000Z", + "recipient" : "bruce.wayne@pharmtech.zz", + "id" : "8c8b4895-a277-449f-r797-547e3c89b25a", + 
"threatURL" : "https://threatinsight.proofpoint.com/#/73aa0499-dfc8-75eb-1de8-a471b24a2e75/threat/u/61f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50", + "senderIP" : "192.0.2.255", + "threatStatus" : "active" + } + service: "click-blocked" + result: + custom: + GUID: "b27dbea0-87d5-463b-b93c-4e8b708289ce" + campaignId: "46e01b8a-c899-404d-bcd9-189bb393d1a7" + classification: "spam" + clickTime: "2016-06-24T19:17:44.000Z" + eventTime: "2025-06-24T19:17:46.000Z" + geoSenderIP: {} + http: + url: "https://threatinsight.proofpoint.com/#/73aa0499-dfc8-75eb-1de8-a471b24a2e75/threat/u/61f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50" + useragent: "Mozilla/5.0(WindowsNT6.1;WOW64;rv:27.0)Gecko/20100101Firefox/27.0" + useragent_details: + browser: + family: "Firefox" + major: "27" + minor: "0" + device: + category: "Desktop" + family: "Other" + os: + family: "Windows" + major: "NT" + id: "8c8b4895-a277-449f-r797-547e3c89b25a" + messageID: "8c6cfedd-3050-4d65-8c09-c5f65c38da81" + network: + client: + geoip: {} + ip: "10.0.0.0" + sender: "9facbf452def2d7efc5b5c48cdb837fa@badguy.zz" + senderDomain: "badguy.zz" + senderIP: "192.0.2.255" + status: "warning" + threatID: "61f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50" + threatStatus: "active" + threatTime: "2016-06-24T19:17:46.000Z" + url: "http://badguy.zz/" + usr: + email: "bruce.wayne@pharmtech.zz" + message: |- + { + "threatID" : "61f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50", + "clickIP" : "10.0.0.0", + "campaignId" : "46e01b8a-c899-404d-bcd9-189bb393d1a7", + "threatTime" : "2016-06-24T19:17:46.000Z", + "GUID" : "b27dbea0-87d5-463b-b93c-4e8b708289ce", + "messageID" : "8c6cfedd-3050-4d65-8c09-c5f65c38da81", + "clickTime" : "2016-06-24T19:17:44.000Z", + "userAgent" : "Mozilla/5.0(WindowsNT6.1;WOW64;rv:27.0)Gecko/20100101Firefox/27.0", + "classification" : "spam", + "url" : "http://badguy.zz/", + "sender" : "9facbf452def2d7efc5b5c48cdb837fa@badguy.zz", + 
"eventTime" : "2025-06-24T19:17:46.000Z", + "recipient" : "bruce.wayne@pharmtech.zz", + "id" : "8c8b4895-a277-449f-r797-547e3c89b25a", + "threatURL" : "https://threatinsight.proofpoint.com/#/73aa0499-dfc8-75eb-1de8-a471b24a2e75/threat/u/61f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50", + "senderIP" : "192.0.2.255", + "threatStatus" : "active" + } + service: "click-blocked" + status: "warn" + tags: + - "source:LOGS_SOURCE" + timestamp: 1750792666000 + - + sample: |- + { + "threatID" : "61f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50", + "clickIP" : "10.0.0.0", + "campaignId" : "46e01b8a-c899-404d-bcd9-189bb393d1a7", + "threatTime" : "2016-06-24T19:17:46.000Z", + "GUID" : "b27dbea0-87d5-463b-b93c-4e8b708289ce", + "messageID" : "8c6cfedd-3050-4d65-8c09-c5f65c38da81", + "clickTime" : "2016-06-24T19:17:44.000Z", + "userAgent" : "Mozilla/5.0(WindowsNT6.1;WOW64;rv:27.0)Gecko/20100101Firefox/27.0", + "classification" : "spam", + "url" : "http://badguy.zz/", + "sender" : "9facbf452def2d7efc5b5c48cdb837fa@badguy.zz", + "eventTime" : "2025-06-24T19:17:46.000Z", + "recipient" : "bruce.wayne@pharmtech.zz", + "id" : "8c8b4895-a277-449f-r797-547e3c89b25a", + "threatURL" : "https://threatinsight.proofpoint.com/#/73aa0499-dfc8-75eb-1de8-a471b24a2e75/threat/u/61f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50", + "senderIP" : "192.0.2.255", + "threatStatus" : "falsepositive" + } + service: "click-permitted" + result: + custom: + GUID: "b27dbea0-87d5-463b-b93c-4e8b708289ce" + campaignId: "46e01b8a-c899-404d-bcd9-189bb393d1a7" + classification: "spam" + clickTime: "2016-06-24T19:17:44.000Z" + eventTime: "2025-06-24T19:17:46.000Z" + geoSenderIP: {} + http: + url: "https://threatinsight.proofpoint.com/#/73aa0499-dfc8-75eb-1de8-a471b24a2e75/threat/u/61f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50" + useragent: "Mozilla/5.0(WindowsNT6.1;WOW64;rv:27.0)Gecko/20100101Firefox/27.0" + useragent_details: + browser: + family: 
"Firefox" + major: "27" + minor: "0" + device: + category: "Desktop" + family: "Other" + os: + family: "Windows" + major: "NT" + id: "8c8b4895-a277-449f-r797-547e3c89b25a" + messageID: "8c6cfedd-3050-4d65-8c09-c5f65c38da81" + network: + client: + geoip: {} + ip: "10.0.0.0" + sender: "9facbf452def2d7efc5b5c48cdb837fa@badguy.zz" + senderDomain: "badguy.zz" + senderIP: "192.0.2.255" + status: "info" + threatID: "61f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50" + threatStatus: "falsepositive" + threatTime: "2016-06-24T19:17:46.000Z" + url: "http://badguy.zz/" + usr: + email: "bruce.wayne@pharmtech.zz" + message: |- + { + "threatID" : "61f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50", + "clickIP" : "10.0.0.0", + "campaignId" : "46e01b8a-c899-404d-bcd9-189bb393d1a7", + "threatTime" : "2016-06-24T19:17:46.000Z", + "GUID" : "b27dbea0-87d5-463b-b93c-4e8b708289ce", + "messageID" : "8c6cfedd-3050-4d65-8c09-c5f65c38da81", + "clickTime" : "2016-06-24T19:17:44.000Z", + "userAgent" : "Mozilla/5.0(WindowsNT6.1;WOW64;rv:27.0)Gecko/20100101Firefox/27.0", + "classification" : "spam", + "url" : "http://badguy.zz/", + "sender" : "9facbf452def2d7efc5b5c48cdb837fa@badguy.zz", + "eventTime" : "2025-06-24T19:17:46.000Z", + "recipient" : "bruce.wayne@pharmtech.zz", + "id" : "8c8b4895-a277-449f-r797-547e3c89b25a", + "threatURL" : "https://threatinsight.proofpoint.com/#/73aa0499-dfc8-75eb-1de8-a471b24a2e75/threat/u/61f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50", + "senderIP" : "192.0.2.255", + "threatStatus" : "falsepositive" + } + service: "click-permitted" + status: "info" + tags: + - "source:LOGS_SOURCE" + timestamp: 1750792666000 + - + sample: |- + { + "messageTime" : "2016-06-24T21:18:38.000Z", + "impostorScore" : 0, + "phishScore" : 46, + "quarantineRule" : "module.sandbox.threat", + "subject" : "Please find a totally safe invoice attached.", + "ccAddresses" : [ "bruce.wayne@university-of-education.zz" ], + "messageID" : 
"20160624211145.62086.mail@evil.zz", + "policyRoutes" : [ "default_inbound", "executives" ], + "clusterId" : "pharmtech_hosted", + "completelyRewritten" : "true", + "headerFrom" : "\"A. Badguy\" ", + "threatsInfoMap" : [ { + "threatId" : "2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca", + "actors" : [ { + "name" : "dash_actor_05cbc5", + "id" : "000090ac-71c4-4060-9154-c590664b6739", + "type" : "ACTOR" + } ], + "threatType" : "attachment", + "campaignId" : "46e01b8a-c899-404d-bcd9-189bb393d1a7", + "threatTime" : "2016-06-24T21:18:38.000Z", + "threat" : "2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca", + "classification" : "malware", + "threatUrl" : "https://threatinsight.proofpoint.com/#/73aa0499-dfc8-75eb-1de8-a471b24a2e75/threat/u/2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca", + "threatStatus" : "active" + }, { + "threatID" : "d57d32f7ad46db1c233eb586da7fa39bafba67ec0f8d1a4eae03b3df65e2c60e", + "actors" : [ { + "name" : "dash_actor_05cbc5", + "id" : "000090ac-71c4-4060-9154-c590664b6739", + "type" : "ACTOR" + } ], + "detectionType" : "NONE", + "threatType" : "url", + "threatTime" : "2024-11-20T12:01:07.000Z", + "threat" : "http://rohan.org/willis", + "classification" : "malware", + "threatUrl" : "https://tap-dashboard-staging.lab.ppops.net/73aa0499-dfc8-75eb-1de8-a471b24a2e75/threat/email/d57d32f7ad46db1c233eb586da7fa39bafba67ec0f8d1a4eae03b3df65e2c60e", + "threatStatus" : "active" + } ], + "eventTime" : "2025-06-24T19:17:46.000Z", + "fromAddress" : "badguy@evil.zz", + "id" : "8c8b4895-a277-449f-r797-547e3c89b25a", + "messageParts" : [ { + "disposition" : "inline", + "filename" : "text.txt", + "sha256" : "85738f8f9a7f1b04b5329c590ebcb9e425925c6d0984089c43a022de4f19c281", + "oContentType" : "text/plain", + "contentType" : "text/plain", + "sandboxStatus" : "unsupported", + "md5" : "008c5926ca861023c1d2a36653fd88e2" + }, { + "disposition" : "attached", + "filename" : "Invoice for Pharmtech.pdf", + "sha256" : 
"2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca", + "oContentType" : "application/pdf", + "contentType" : "application/pdf", + "sandboxStatus" : "threat", + "md5" : "5873c7d37608e0d49bcaa6f32b6c731f" + } ], + "GUID" : "c26dbea0-80d5-463b-b93c-4e8b708219ce", + "headerCC" : "\"Bruce Wayne\" ", + "QID" : "r2FNwRHF004109", + "headerTo" : "\"Clark Kent\" ; \"Diana Prince\" ", + "quarantineFolder" : "Attachment Defense", + "modulesRun" : [ "pdr", "sandbox", "spam", "urldefense" ], + "malwareScore" : 100, + "sender" : "e99d7ed5580193f36a51f597bc2c0210@evil.zz", + "spamScore" : 4, + "recipient" : [ "clark.kent@pharmtech.zz", "diana.prince@pharmtech.zz" ], + "senderIP" : "10.0.0.0" + } + service: "message-blocked" + result: + custom: + GUID: "c26dbea0-80d5-463b-b93c-4e8b708219ce" + QID: "r2FNwRHF004109" + ccAddresses: + - "bruce.wayne@university-of-education.zz" + clusterId: "pharmtech_hosted" + completelyRewritten: "true" + eventTime: "2025-06-24T19:17:46.000Z" + fromAddress: "badguy@evil.zz" + geoSenderIP: {} + headerCC: "\"Bruce Wayne\" " + headerFrom: "\"A. 
Badguy\" " + headerTo: "\"Clark Kent\" ; \"Diana Prince\" " + http: + url: + - "https://threatinsight.proofpoint.com/#/73aa0499-dfc8-75eb-1de8-a471b24a2e75/threat/u/2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca" + - "https://tap-dashboard-staging.lab.ppops.net/73aa0499-dfc8-75eb-1de8-a471b24a2e75/threat/email/d57d32f7ad46" + id: "8c8b4895-a277-449f-r797-547e3c89b25a" + impostorScore: 0 + malwareScore: 100 + messageID: "20160624211145.62086.mail@evil.zz" + messageParts: + - + disposition: "inline" + filename: "text.txt" + sha256: "85738f8f9a7f1b04b5329c590ebcb9e425925c6d0984089c43a022de4f19c281" + oContentType: "text/plain" + contentType: "text/plain" + sandboxStatus: "unsupported" + md5: "008c5926ca861023c1d2a36653fd88e2" + - + disposition: "attached" + filename: "Invoice for Pharmtech.pdf" + sha256: "2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca" + oContentType: "application/pdf" + contentType: "application/pdf" + sandboxStatus: "threat" + md5: "5873c7d37608e0d49bcaa6f32b6c731f" + messageTime: "2016-06-24T21:18:38.000Z" + modulesRun: + - "pdr" + - "sandbox" + - "spam" + - "urldefense" + phishScore: 46 + policyRoutes: + - "default_inbound" + - "executives" + quarantineFolder: "Attachment Defense" + quarantineRule: "module.sandbox.threat" + recipient: + - "clark.kent@pharmtech.zz" + - "diana.prince@pharmtech.zz" + sender: "e99d7ed5580193f36a51f597bc2c0210@evil.zz" + senderDomain: "evil.zz" + senderIP: "10.0.0.0" + spamScore: 4 + status: "warning" + subject: "Please find a totally safe invoice attached." 
+ threatUrl: "https://threatinsight.proofpoint.com/#/73aa0499-dfc8-75eb-1de8-a471b24a2e75/threat/u/2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca,https://tap-dashboard-staging.lab.ppops.net/73aa0499-dfc8-75eb-1de8-a471b24a2e75/threat/email/d57d32f7ad46" + threatsInfoMap: + - + threatId: "2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca" + actors: + - + name: "dash_actor_05cbc5" + id: "000090ac-71c4-4060-9154-c590664b6739" + type: "ACTOR" + threatType: "attachment" + campaignId: "46e01b8a-c899-404d-bcd9-189bb393d1a7" + threatTime: "2016-06-24T21:18:38.000Z" + threat: "2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca" + classification: "malware" + threatUrl: "https://threatinsight.proofpoint.com/#/73aa0499-dfc8-75eb-1de8-a471b24a2e75/threat/u/2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca" + threatStatus: "active" + - + threatID: "d57d32f7ad46db1c233eb586da7fa39bafba67ec0f8d1a4eae03b3df65e2c60e" + actors: + - + name: "dash_actor_05cbc5" + id: "000090ac-71c4-4060-9154-c590664b6739" + type: "ACTOR" + detectionType: "NONE" + threatType: "url" + threatTime: "2024-11-20T12:01:07.000Z" + threat: "http://rohan.org/willis" + classification: "malware" + threatUrl: "https://tap-dashboard-staging.lab.ppops.net/73aa0499-dfc8-75eb-1de8-a471b24a2e75/threat/email/d57d32f7ad46db1c233eb586da7fa39bafba67ec0f8d1a4eae03b3df65e2c60e" + threatStatus: "active" + message: |- + { + "messageTime" : "2016-06-24T21:18:38.000Z", + "impostorScore" : 0, + "phishScore" : 46, + "quarantineRule" : "module.sandbox.threat", + "subject" : "Please find a totally safe invoice attached.", + "ccAddresses" : [ "bruce.wayne@university-of-education.zz" ], + "messageID" : "20160624211145.62086.mail@evil.zz", + "policyRoutes" : [ "default_inbound", "executives" ], + "clusterId" : "pharmtech_hosted", + "completelyRewritten" : "true", + "headerFrom" : "\"A. 
Badguy\" ", + "threatsInfoMap" : [ { + "threatId" : "2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca", + "actors" : [ { + "name" : "dash_actor_05cbc5", + "id" : "000090ac-71c4-4060-9154-c590664b6739", + "type" : "ACTOR" + } ], + "threatType" : "attachment", + "campaignId" : "46e01b8a-c899-404d-bcd9-189bb393d1a7", + "threatTime" : "2016-06-24T21:18:38.000Z", + "threat" : "2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca", + "classification" : "malware", + "threatUrl" : "https://threatinsight.proofpoint.com/#/73aa0499-dfc8-75eb-1de8-a471b24a2e75/threat/u/2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca", + "threatStatus" : "active" + }, { + "threatID" : "d57d32f7ad46db1c233eb586da7fa39bafba67ec0f8d1a4eae03b3df65e2c60e", + "actors" : [ { + "name" : "dash_actor_05cbc5", + "id" : "000090ac-71c4-4060-9154-c590664b6739", + "type" : "ACTOR" + } ], + "detectionType" : "NONE", + "threatType" : "url", + "threatTime" : "2024-11-20T12:01:07.000Z", + "threat" : "http://rohan.org/willis", + "classification" : "malware", + "threatUrl" : "https://tap-dashboard-staging.lab.ppops.net/73aa0499-dfc8-75eb-1de8-a471b24a2e75/threat/email/d57d32f7ad46db1c233eb586da7fa39bafba67ec0f8d1a4eae03b3df65e2c60e", + "threatStatus" : "active" + } ], + "eventTime" : "2025-06-24T19:17:46.000Z", + "fromAddress" : "badguy@evil.zz", + "id" : "8c8b4895-a277-449f-r797-547e3c89b25a", + "messageParts" : [ { + "disposition" : "inline", + "filename" : "text.txt", + "sha256" : "85738f8f9a7f1b04b5329c590ebcb9e425925c6d0984089c43a022de4f19c281", + "oContentType" : "text/plain", + "contentType" : "text/plain", + "sandboxStatus" : "unsupported", + "md5" : "008c5926ca861023c1d2a36653fd88e2" + }, { + "disposition" : "attached", + "filename" : "Invoice for Pharmtech.pdf", + "sha256" : "2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca", + "oContentType" : "application/pdf", + "contentType" : "application/pdf", + "sandboxStatus" : "threat", + "md5" : 
"5873c7d37608e0d49bcaa6f32b6c731f" + } ], + "GUID" : "c26dbea0-80d5-463b-b93c-4e8b708219ce", + "headerCC" : "\"Bruce Wayne\" ", + "QID" : "r2FNwRHF004109", + "headerTo" : "\"Clark Kent\" ; \"Diana Prince\" ", + "quarantineFolder" : "Attachment Defense", + "modulesRun" : [ "pdr", "sandbox", "spam", "urldefense" ], + "malwareScore" : 100, + "sender" : "e99d7ed5580193f36a51f597bc2c0210@evil.zz", + "spamScore" : 4, + "recipient" : [ "clark.kent@pharmtech.zz", "diana.prince@pharmtech.zz" ], + "senderIP" : "10.0.0.0" + } + service: "message-blocked" + status: "warn" + tags: + - "source:LOGS_SOURCE" + timestamp: 1750792666000 + - + sample: |- + { + "messageTime" : "2016-06-24T21:18:38.000Z", + "impostorScore" : 0, + "phishScore" : 46, + "quarantineRule" : "module.sandbox.threat", + "subject" : "Please find a totally safe invoice attached.", + "ccAddresses" : [ "bruce.wayne@university-of-education.zz" ], + "messageID" : "20160624211145.62086.mail@evil.zz", + "policyRoutes" : [ "default_inbound", "executives" ], + "clusterId" : "pharmtech_hosted", + "completelyRewritten" : "true", + "headerFrom" : "\"A. 
Badguy\" ", + "threatsInfoMap" : [ { + "threatId" : "2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca", + "actors" : [ { + "name" : "dash_actor_05cbc5", + "id" : "000090ac-71c4-4060-9154-c590664b6739", + "type" : "ACTOR" + } ], + "threatType" : "attachment", + "campaignId" : "46e01b8a-c899-404d-bcd9-189bb393d1a7", + "threatTime" : "2016-06-24T21:18:38.000Z", + "threat" : "2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca", + "classification" : "malware", + "threatUrl" : "https://threatinsight.proofpoint.com/#/73aa0499-dfc8-75eb-1de8-a471b24a2e75/threat/u/2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca", + "threatStatus" : "falsepositive" + } ], + "eventTime" : "2025-06-24T19:17:46.000Z", + "fromAddress" : "badguy@evil.zz", + "id" : "8c8b4895-a277-449f-r797-547e3c89b25a", + "messageParts" : [ { + "disposition" : "inline", + "filename" : "text.txt", + "sha256" : "85738f8f9a7f1b04b5329c590ebcb9e425925c6d0984089c43a022de4f19c281", + "oContentType" : "text/plain", + "contentType" : "text/plain", + "sandboxStatus" : "unsupported", + "md5" : "008c5926ca861023c1d2a36653fd88e2" + }, { + "disposition" : "attached", + "filename" : "Invoice for Pharmtech.pdf", + "sha256" : "2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca", + "oContentType" : "application/pdf", + "contentType" : "application/pdf", + "sandboxStatus" : "threat", + "md5" : "5873c7d37608e0d49bcaa6f32b6c731f" + } ], + "GUID" : "c26dbea0-80d5-463b-b93c-4e8b708219ce", + "headerCC" : "\"Bruce Wayne\" ", + "QID" : "r2FNwRHF004109", + "headerTo" : "\"Clark Kent\" ; \"Diana Prince\" ", + "quarantineFolder" : "Attachment Defense", + "modulesRun" : [ "pdr", "sandbox", "spam", "urldefense" ], + "malwareScore" : 100, + "sender" : "e99d7ed5580193f36a51f597bc2c0210@evil.zz", + "spamScore" : 4, + "recipient" : [ "clark.kent@pharmtech.zz", "diana.prince@pharmtech.zz" ], + "senderIP" : "10.0.0.0" + } + service: "message-delivered" + result: + custom: + GUID: 
"c26dbea0-80d5-463b-b93c-4e8b708219ce" + QID: "r2FNwRHF004109" + ccAddresses: + - "bruce.wayne@university-of-education.zz" + clusterId: "pharmtech_hosted" + completelyRewritten: "true" + eventTime: "2025-06-24T19:17:46.000Z" + fromAddress: "badguy@evil.zz" + geoSenderIP: {} + headerCC: "\"Bruce Wayne\" " + headerFrom: "\"A. Badguy\" " + headerTo: "\"Clark Kent\" ; \"Diana Prince\" " + http: + url: + - "https://threatinsight.proofpoint.com/#/73aa0499-dfc8-75eb-1de8-a471b24a2e75/threat/u/2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca" + id: "8c8b4895-a277-449f-r797-547e3c89b25a" + impostorScore: 0 + malwareScore: 100 + messageID: "20160624211145.62086.mail@evil.zz" + messageParts: + - + disposition: "inline" + filename: "text.txt" + sha256: "85738f8f9a7f1b04b5329c590ebcb9e425925c6d0984089c43a022de4f19c281" + oContentType: "text/plain" + contentType: "text/plain" + sandboxStatus: "unsupported" + md5: "008c5926ca861023c1d2a36653fd88e2" + - + disposition: "attached" + filename: "Invoice for Pharmtech.pdf" + sha256: "2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca" + oContentType: "application/pdf" + contentType: "application/pdf" + sandboxStatus: "threat" + md5: "5873c7d37608e0d49bcaa6f32b6c731f" + messageTime: "2016-06-24T21:18:38.000Z" + modulesRun: + - "pdr" + - "sandbox" + - "spam" + - "urldefense" + phishScore: 46 + policyRoutes: + - "default_inbound" + - "executives" + quarantineFolder: "Attachment Defense" + quarantineRule: "module.sandbox.threat" + recipient: + - "clark.kent@pharmtech.zz" + - "diana.prince@pharmtech.zz" + sender: "e99d7ed5580193f36a51f597bc2c0210@evil.zz" + senderDomain: "evil.zz" + senderIP: "10.0.0.0" + spamScore: 4 + status: "info" + subject: "Please find a totally safe invoice attached." 
+ threatUrl: "https://threatinsight.proofpoint.com/#/73aa0499-dfc8-75eb-1de8-a471b24a2e75/threat/u/2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca" + threatsInfoMap: + - + threatId: "2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca" + actors: + - + name: "dash_actor_05cbc5" + id: "000090ac-71c4-4060-9154-c590664b6739" + type: "ACTOR" + threatType: "attachment" + campaignId: "46e01b8a-c899-404d-bcd9-189bb393d1a7" + threatTime: "2016-06-24T21:18:38.000Z" + threat: "2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca" + classification: "malware" + threatUrl: "https://threatinsight.proofpoint.com/#/73aa0499-dfc8-75eb-1de8-a471b24a2e75/threat/u/2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca" + threatStatus: "falsepositive" + message: |- + { + "messageTime" : "2016-06-24T21:18:38.000Z", + "impostorScore" : 0, + "phishScore" : 46, + "quarantineRule" : "module.sandbox.threat", + "subject" : "Please find a totally safe invoice attached.", + "ccAddresses" : [ "bruce.wayne@university-of-education.zz" ], + "messageID" : "20160624211145.62086.mail@evil.zz", + "policyRoutes" : [ "default_inbound", "executives" ], + "clusterId" : "pharmtech_hosted", + "completelyRewritten" : "true", + "headerFrom" : "\"A. 
Badguy\" ", + "threatsInfoMap" : [ { + "threatId" : "2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca", + "actors" : [ { + "name" : "dash_actor_05cbc5", + "id" : "000090ac-71c4-4060-9154-c590664b6739", + "type" : "ACTOR" + } ], + "threatType" : "attachment", + "campaignId" : "46e01b8a-c899-404d-bcd9-189bb393d1a7", + "threatTime" : "2016-06-24T21:18:38.000Z", + "threat" : "2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca", + "classification" : "malware", + "threatUrl" : "https://threatinsight.proofpoint.com/#/73aa0499-dfc8-75eb-1de8-a471b24a2e75/threat/u/2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca", + "threatStatus" : "falsepositive" + } ], + "eventTime" : "2025-06-24T19:17:46.000Z", + "fromAddress" : "badguy@evil.zz", + "id" : "8c8b4895-a277-449f-r797-547e3c89b25a", + "messageParts" : [ { + "disposition" : "inline", + "filename" : "text.txt", + "sha256" : "85738f8f9a7f1b04b5329c590ebcb9e425925c6d0984089c43a022de4f19c281", + "oContentType" : "text/plain", + "contentType" : "text/plain", + "sandboxStatus" : "unsupported", + "md5" : "008c5926ca861023c1d2a36653fd88e2" + }, { + "disposition" : "attached", + "filename" : "Invoice for Pharmtech.pdf", + "sha256" : "2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca", + "oContentType" : "application/pdf", + "contentType" : "application/pdf", + "sandboxStatus" : "threat", + "md5" : "5873c7d37608e0d49bcaa6f32b6c731f" + } ], + "GUID" : "c26dbea0-80d5-463b-b93c-4e8b708219ce", + "headerCC" : "\"Bruce Wayne\" ", + "QID" : "r2FNwRHF004109", + "headerTo" : "\"Clark Kent\" ; \"Diana Prince\" ", + "quarantineFolder" : "Attachment Defense", + "modulesRun" : [ "pdr", "sandbox", "spam", "urldefense" ], + "malwareScore" : 100, + "sender" : "e99d7ed5580193f36a51f597bc2c0210@evil.zz", + "spamScore" : 4, + "recipient" : [ "clark.kent@pharmtech.zz", "diana.prince@pharmtech.zz" ], + "senderIP" : "10.0.0.0" + } + service: "message-delivered" + status: "info" + tags: + - 
"source:LOGS_SOURCE"
+ timestamp: 1750792666000
diff --git a/proofpoint_tap/assets/proofpoint_tap.svg b/proofpoint_tap/assets/proofpoint_tap.svg
new file mode 100644
index 0000000000000..7b60565b38079
--- /dev/null
+++ b/proofpoint_tap/assets/proofpoint_tap.svg
@@ -0,0 +1,16 @@ + + +
diff --git a/proofpoint_tap/images/proofpoint_tap_clicks_insights.png b/proofpoint_tap/images/proofpoint_tap_clicks_insights.png
new file mode 100644
index 0000000000000..ad3cb2364b13e
Binary files /dev/null and b/proofpoint_tap/images/proofpoint_tap_clicks_insights.png differ
diff --git a/proofpoint_tap/images/proofpoint_tap_messages_insights.png b/proofpoint_tap/images/proofpoint_tap_messages_insights.png
new file mode 100644
index 0000000000000..f6566e76d1093
Binary files /dev/null and b/proofpoint_tap/images/proofpoint_tap_messages_insights.png differ
diff --git a/proofpoint_tap/images/proofpoint_tap_overview.png b/proofpoint_tap/images/proofpoint_tap_overview.png
new file mode 100644
index 0000000000000..c08c85b0027c6
Binary files /dev/null and b/proofpoint_tap/images/proofpoint_tap_overview.png differ
diff --git a/proofpoint_tap/manifest.json b/proofpoint_tap/manifest.json
index d8806c2f85c20..0e72866d4e59f 100644
--- a/proofpoint_tap/manifest.json
+++ b/proofpoint_tap/manifest.json
@@ -10,7 +10,23 @@
 "changelog": "CHANGELOG.md",
 "description": "Gain insights into Proofpoint TAP events",
 "title": "Proofpoint TAP",
- "media": [],
+ "media": [
+ {
+ "caption": "Proofpoint TAP Overview",
+ "image_url": "images/proofpoint_tap_overview.png",
+ "media_type": "image"
+ },
+ {
+ "caption": "Proofpoint TAP Clicks Insights",
+ "image_url": "images/proofpoint_tap_clicks_insights.png",
+ "media_type": "image"
+ },
+ {
+ "caption": "Proofpoint TAP Messages Insights",
+ "image_url": "images/proofpoint_tap_messages_insights.png",
+ "media_type": "image"
+ }
+ ],
 "classifier_tags": [
 "Category::Log Collection",
 "Category::Security",
@@ -26,6 +42,14 @@
 "events": {
 "creates_events": false
 }
+ },
+ "dashboards": {
+ "Proofpoint TAP - Overview": "assets/dashboards/proofpoint_tap_overview.json",
+ "Proofpoint TAP - Clicks Insights": "assets/dashboards/proofpoint_tap_clicks_insights.json",
+ "Proofpoint TAP - Messages Insights": "assets/dashboards/proofpoint_tap_messages_insights.json"
+ },
+ "logs": {
+ "source": "proofpoint-tap"
 }
 },
 "author": {
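Review bot: In the first `message-blocked` case the expected `threatUrl` and the second element of `http.url` end at `.../threat/email/d57d32f7ad46`, while the input `threatsInfoMap[1].threatUrl` carries the full 64-hex id — the expected joined string is exactly 256 characters, which suggests the string-builder output is capped and the fixture is pinning silent truncation of every threat URL after the first. A dashboard or detection rule that matches on `http.url` would therefore see a wrong URL whenever a message has more than one threat; the cause is the string-builder-plus-grok flattening in the pipeline file's previous hunk (which starts outside this chunk), and the fixture should at least say so, e.g. `# NOTE: threatUrl/http.url are truncated here because the string-builder output is length-capped; see the "%{threatsInfoMap.threatUrl} - in attribute threatUrl" processor`. The same sample also spells the key `threatId` in the first `threatsInfoMap` element and `threatID` in the second, and the expected `custom` block preserves both, so a facet or rule keyed on one spelling is never exercised — if the upstream schema uses a single spelling, the sample should use it consistently, otherwise the pipeline needs a remapper that folds both into one attribute.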