- Bump Version for SOC Opt Uni

Packs/SocFrameworkProofPointTap/CorrelationRules/SOC Proofpoint TAP - Threat Detected.yml

@@ -10,42 +10,42 @@ alert_fields:
 
   # ── File indicators ────────────────────────────────────────────────────────
   action_file_sha256: proofpointsha256          # attachment SHA256 (WildFire grouping)
-  action_file_md5:    proofpointmd5             # attachment MD5
-  action_file_name:   proofpointfilename        # attachment filename
+  action_file_md5: proofpointmd5                # attachment MD5
+  action_file_name: proofpointfilename          # attachment filename
 
   # ── Network indicators ─────────────────────────────────────────────────────
-  action_remote_ip:  senderIP                  # sender IP (grouping + analytics)
-  dns_query_name:    dns_name                  # threat domain (DNS grouping)
-  fw_url_domain:     domain                    # URL domain
+  action_remote_ip: senderIP                   # sender IP (grouping + analytics)
+  dns_query_name: dns_name                     # threat domain (DNS grouping)
+  fw_url_domain: domain                        # URL domain
 
   # ── Email-specific fields ──────────────────────────────────────────────────
-  emailmessageid:           messageID
-  emailsenderip:            senderIP
-  emailsource:              sender
-  fw_email_recipient:       recipient
-  fw_email_sender:          sender
-  fw_email_subject:         subject
+  emailmessageid: messageID
+  emailsenderip: senderIP
+  emailsource: sender
+  fw_email_recipient: recipient
+  fw_email_sender: sender
+  fw_email_subject: subject
 
   # ── Proofpoint TAP extended fields ────────────────────────────────────────
-  proofpointtapcampaignid:    campaignId
+  proofpointtapcampaignid: campaignId
   proofpointtapclassification: classification_all
-  proofpointtapclickip:       clickIP
-  proofpointtapclicktime:     clickTime
-  proofpointtapguid:          GUID
-  proofpointtapheadersfrom:   headerFrom
+  proofpointtapclickip: clickIP
+  proofpointtapclicktime: clickTime
+  proofpointtapguid: GUID
+  proofpointtapheadersfrom: headerFrom
   proofpointtapheadersreplyto: headerReplyTo
-  proofpointtapid:            id
+  proofpointtapid: id
   proofpointtapimposterscore: impostorScore
-  proofpointtapmalwarescore:  malwareScore
-  proofpointtapmessageid:     messageID
-  proofpointtapmessageparts:  messageParts
-  proofpointtapmessagesize:   messageSize
+  proofpointtapmalwarescore: malwareScore
+  proofpointtapmessageid: messageID
+  proofpointtapmessageparts: messageParts
+  proofpointtapmessagesize: messageSize
   proofpointtapphishingscore: phishScore
   proofpointtapreplytoaddress: replyToAddress
-  proofpointtapsenderip:      senderIP
-  proofpointtapsmtpsender:    sender
-  proofpointtapspamscore:     spamScore
-  proofpointtapsubject:       subject
+  proofpointtapsenderip: senderIP
+  proofpointtapsmtpsender: sender
+  proofpointtapspamscore: spamScore
+  proofpointtapsubject: subject
   proofpointtapsuspiciousurl: threat_urls
   proofpointtapthreatid: threat_ids
   proofpointtapthreatinfomap: threatsInfoMap_str
@@ -54,12 +54,10 @@ alert_fields:
   proofpointtapthreaturl: threat_urls
   proofpointtaptype: type
 alert_name: $alert_name
-alert_type: null
-crontab: null
+alert_type:
+crontab:
 dataset: alerts
-description: Unified Proofpoint TAP alert rule covering messages delivered and clicks
-  permitted. Fires on active or malicious threat status only. Suppression is per GUID
-  to preserve full blast-radius visibility for lateral risk detection.
+description: Unified Proofpoint TAP alert rule covering messages delivered and clicks permitted. Fires on active or malicious threat status only. Suppression is per GUID to preserve full blast-radius visibility for lateral risk detection.
 drilldown_query_timeframe: ALERT
 execution_mode: REAL_TIME
 global_rule_id: SOC Proofpoint TAP - Threat Detected
@@ -69,19 +67,19 @@ lookup_mapping: []
 mapping_strategy: CUSTOM
 mitre_defs:
   TA0001 - Initial Access:
-    - T1566 - Phishing
+  - T1566 - Phishing
   TA0009 - Collection:
-    - T1114 - Email Collection
+  - T1114 - Email Collection
 name: SOC Proofpoint TAP - Threat Detected
 rule_id: 0
-search_window: null
+search_window:
 severity: User Defined
-simple_schedule: null
+simple_schedule:
 suppression_duration: 24 hours
 suppression_enabled: true
 suppression_fields:
-  - GUID
-timezone: null
+- GUID
+timezone:
 user_defined_category: alert_category
 user_defined_severity: alert_severity
 xql_query: |

Packs/SocFrameworkProofPointTap/pack_metadata.json

@@ -1,25 +1,25 @@
 {
-  "name": "SOC Proofpoint TAP Integration Enhancement for Cortex XSIAM",
-  "id": "soc-proofpoint-tap",
-  "description": "This content adds the proper content to make the soc-phishing-investigation-response work with proofpoint.",
-  "support": "community",
-  "currentVersion": "1.1.2",
-  "author": "Palo Alto Networks",
-  "url": "https://github.com/Palo-Cortex/soc-optimization-unified",
-  "email": "",
-  "categories": [
-    "Forensics & Malware Analysis"
-  ],
-  "tags": [
-    "SOC",
-    "SOC_Framework",
-    "Utility",
-    "Palo Alto Networks Products",
-    "Phishing"
-  ],
-  "useCases": [],
-  "keywords": [],
-  "marketplaces": [
-    "marketplacev2"
-  ]
+    "name": "SOC Proofpoint TAP Integration Enhancement for Cortex XSIAM",
+    "id": "soc-proofpoint-tap",
+    "description": "This content adds the proper content to make the soc-phishing-investigation-response work with proofpoint.",
+    "support": "community",
+    "currentVersion": "1.1.2",
+    "author": "Palo Alto Networks",
+    "url": "https://github.com/Palo-Cortex/soc-optimization-unified",
+    "email": "",
+    "categories": [
+        "Forensics & Malware Analysis"
+    ],
+    "tags": [
+        "SOC",
+        "SOC_Framework",
+        "Utility",
+        "Palo Alto Networks Products",
+        "Phishing"
+    ],
+    "useCases": [],
+    "keywords": [],
+    "marketplaces": [
+        "marketplacev2"
+    ]
 }

Packs/soc-framework-nist-ir/1_0_0.md

@@ -0,0 +1,44 @@
+---
+
+## SOC Framework NIST IR – Release Notes
+
+### Version 1.1.0
+
+#### Overview
+
+This release delivers targeted bug fixes to the **SOC Endpoint Analysis** playbook stack. Fixes address runtime failures caused by array-typed context values being passed to condition operators that require scalar strings, and a product category routing miss in the Endpoint Analysis and Analysis Evaluation playbooks.
+
+---
+
+### Bug Fixes
+
+#### SOC Endpoint Compromise Evaluation — Array type mismatches (Critical)
+
+Three runtime failures were resolved in `SOC_Endpoint_Compromise_Evaluation_V3`:
+
+**SHA256 input — array instead of scalar**
+
+`SOCFramework.Artifacts.File` stores file hashes as a list. The `SHA256` playbook input sourced this field directly, passing an array to condition tasks that use `isEqualString`, `in`, and `notIn` operators. These operators call `InterfaceToString` internally and cannot handle `[]interface{}` values, causing a hard task error.
+
+Fix: Changed the `SHA256` input from a `simple` accessor to a `complex` block with a `join(',')` transformer. This collapses the array to a comma-separated scalar string before the value is passed into any condition evaluation.
+
+**verdict input — wrong source field**
+
+The `verdict` input was sourced from `${SOCFramework.Artifacts.Verdict}`, which is an array set during enrichment. The correct source is `${Analysis.Endpoint.verdict}`, which is a scalar written by `SOC_Endpoint_Verdict_Resolution_V3` after all TI sources and WildFire detonation are aggregated. Using the raw artifacts field bypassed the verdict resolution logic and produced the same `InterfaceToString` failure on the `isEqualString` operator in the "No Evidence?" condition (task 80).
+
+Fix: Changed the `verdict` input value to `${Analysis.Endpoint.verdict}`.
+
+**Task 80 "No Evidence?" — `in`/`notIn` on two arrays**
+
+The "No Evidence?" condition compared `inputs.SHA256` (now a joined scalar) against `inputs.xdm_sourceprocess_executable_sha256` and `inputs.initiator_sha256` using `notIn` and `isEqualString`. When the right-hand side is also an array, `in`/`notIn` fails with the same type error.
+
+Fix: Changed the affected operators in task 80 to `containsGeneral`, which handles both scalar and array right-hand values correctly.
+
+---
+
+### Notes
+
+- All three fixes are isolated to `SOC_Endpoint_Compromise_Evaluation_V3` inputs and task 80 conditions. No other playbooks, outputs, contracts, or context keys were changed.
+- The `SOCFramework.Artifacts.File` array-as-input pattern may affect other playbooks that source from `SOCFramework.Artifacts.*` and evaluate the value in string conditions. Audit recommended before 1.2.0.
+
+---