diff --git a/Packs/SocFrameworkProofPointTap/CorrelationRules/SOC Proofpoint TAP - Threat Detected.yml b/Packs/SocFrameworkProofPointTap/CorrelationRules/SOC Proofpoint TAP - Threat Detected.yml
index 5006ce6e..b049bdf1 100644
--- a/Packs/SocFrameworkProofPointTap/CorrelationRules/SOC Proofpoint TAP - Threat Detected.yml
+++ b/Packs/SocFrameworkProofPointTap/CorrelationRules/SOC Proofpoint TAP - Threat Detected.yml
@@ -10,42 +10,42 @@ alert_fields:
 # ── File indicators ────────────────────────────────────────────────────────
 action_file_sha256: proofpointsha256 # attachment SHA256 (WildFire grouping)
- action_file_md5: proofpointmd5 # attachment MD5
- action_file_name: proofpointfilename # attachment filename
+ action_file_md5: proofpointmd5 # attachment MD5
+ action_file_name: proofpointfilename # attachment filename
 # ── Network indicators ─────────────────────────────────────────────────────
- action_remote_ip: senderIP # sender IP (grouping + analytics)
- dns_query_name: dns_name # threat domain (DNS grouping)
- fw_url_domain: domain # URL domain
+ action_remote_ip: senderIP # sender IP (grouping + analytics)
+ dns_query_name: dns_name # threat domain (DNS grouping)
+ fw_url_domain: domain # URL domain
 # ── Email-specific fields ──────────────────────────────────────────────────
- emailmessageid: messageID
- emailsenderip: senderIP
- emailsource: sender
- fw_email_recipient: recipient
- fw_email_sender: sender
- fw_email_subject: subject
+ emailmessageid: messageID
+ emailsenderip: senderIP
+ emailsource: sender
+ fw_email_recipient: recipient
+ fw_email_sender: sender
+ fw_email_subject: subject
 # ── Proofpoint TAP extended fields ────────────────────────────────────────
- proofpointtapcampaignid: campaignId
+ proofpointtapcampaignid: campaignId
 proofpointtapclassification: classification_all
- proofpointtapclickip: clickIP
- proofpointtapclicktime: clickTime
- proofpointtapguid: GUID
- proofpointtapheadersfrom: headerFrom
+ proofpointtapclickip: clickIP
+ proofpointtapclicktime: clickTime
+ proofpointtapguid: GUID
+ proofpointtapheadersfrom: headerFrom
 proofpointtapheadersreplyto: headerReplyTo
- proofpointtapid: id
+ proofpointtapid: id
 proofpointtapimposterscore: impostorScore
- proofpointtapmalwarescore: malwareScore
- proofpointtapmessageid: messageID
- proofpointtapmessageparts: messageParts
- proofpointtapmessagesize: messageSize
+ proofpointtapmalwarescore: malwareScore
+ proofpointtapmessageid: messageID
+ proofpointtapmessageparts: messageParts
+ proofpointtapmessagesize: messageSize
 proofpointtapphishingscore: phishScore
 proofpointtapreplytoaddress: replyToAddress
- proofpointtapsenderip: senderIP
- proofpointtapsmtpsender: sender
- proofpointtapspamscore: spamScore
- proofpointtapsubject: subject
+ proofpointtapsenderip: senderIP
+ proofpointtapsmtpsender: sender
+ proofpointtapspamscore: spamScore
+ proofpointtapsubject: subject
 proofpointtapsuspiciousurl: threat_urls
 proofpointtapthreatid: threat_ids
 proofpointtapthreatinfomap: threatsInfoMap_str
@@ -54,12 +54,10 @@ alert_fields:
 proofpointtapthreaturl: threat_urls
 proofpointtaptype: type
 alert_name: $alert_name
-alert_type: null
-crontab: null
+alert_type:
+crontab:
 dataset: alerts
-description: Unified Proofpoint TAP alert rule covering messages delivered and clicks
- permitted. Fires on active or malicious threat status only. Suppression is per GUID
- to preserve full blast-radius visibility for lateral risk detection.
+description: Unified Proofpoint TAP alert rule covering messages delivered and clicks permitted. Fires on active or malicious threat status only. Suppression is per GUID to preserve full blast-radius visibility for lateral risk detection.
 drilldown_query_timeframe: ALERT
 execution_mode: REAL_TIME
 global_rule_id: SOC Proofpoint TAP - Threat Detected
@@ -69,19 +67,19 @@ lookup_mapping: []
 mapping_strategy: CUSTOM
 mitre_defs:
 TA0001 - Initial Access:
- - T1566 - Phishing
+ - T1566 - Phishing
 TA0009 - Collection:
- - T1114 - Email Collection
+ - T1114 - Email Collection
 name: SOC Proofpoint TAP - Threat Detected
 rule_id: 0
-search_window: null
+search_window:
 severity: User Defined
-simple_schedule: null
+simple_schedule:
 suppression_duration: 24 hours
 suppression_enabled: true
 suppression_fields:
- - GUID
+- GUID
-timezone: null
+timezone:
 user_defined_category: alert_category
 user_defined_severity: alert_severity
 xql_query: |
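Review bot: The new lines `+search_window:`, `+simple_schedule:` and `+timezone:` (and `+alert_type:` / `+crontab:` in the preceding hunk) replace an explicit `null` with a bare empty value; both load as null in a standard YAML parser, but the bare form is ambiguous to a reader (empty string, unset, or null?) and is exactly what yamllint's `empty-values` rule flags, so the explicit `search_window: null` form was the better one to keep, unless the XSIAM content loader treats empty and null differently, which is not visible here. The same hunk also switches `suppression_fields` to the flush sequence form `- GUID` while the `mitre_defs` lists right above it keep the indented form `  - T1566 - Phishing`; one sequence-indentation style should be used for the whole file. The `xql_query: |` block scalar that closes the hunk continues outside it, so the detection logic itself and how it uses the GUID suppression key were not reviewed.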
diff --git a/Packs/SocFrameworkProofPointTap/pack_metadata.json b/Packs/SocFrameworkProofPointTap/pack_metadata.json
index 66ceec9e..ad32d715 100644
--- a/Packs/SocFrameworkProofPointTap/pack_metadata.json
+++ b/Packs/SocFrameworkProofPointTap/pack_metadata.json
@@ -1,25 +1,25 @@
 {
- "name": "SOC Proofpoint TAP Integration Enhancement for Cortex XSIAM",
- "id": "soc-proofpoint-tap",
- "description": "This content adds the proper content to make the soc-phishing-investigation-response work with proofpoint.",
- "support": "community",
- "currentVersion": "1.1.2",
- "author": "Palo Alto Networks",
- "url": "https://github.com/Palo-Cortex/soc-optimization-unified",
- "email": "",
- "categories": [
- "Forensics & Malware Analysis"
- ],
- "tags": [
- "SOC",
- "SOC_Framework",
- "Utility",
- "Palo Alto Networks Products",
- "Phishing"
- ],
- "useCases": [],
- "keywords": [],
- "marketplaces": [
- "marketplacev2"
- ]
+ "name": "SOC Proofpoint TAP Integration Enhancement for Cortex XSIAM",
+ "id": "soc-proofpoint-tap",
+ "description": "This content adds the proper content to make the soc-phishing-investigation-response work with proofpoint.",
+ "support": "community",
+ "currentVersion": "1.1.2",
+ "author": "Palo Alto Networks",
+ "url": "https://github.com/Palo-Cortex/soc-optimization-unified",
+ "email": "",
+ "categories": [
+ "Forensics & Malware Analysis"
+ ],
+ "tags": [
+ "SOC",
+ "SOC_Framework",
+ "Utility",
+ "Palo Alto Networks Products",
+ "Phishing"
+ ],
+ "useCases": [],
+ "keywords": [],
+ "marketplaces": [
+ "marketplacev2"
+ ]
 }
diff --git a/Packs/soc-framework-nist-ir/Playbooks/SOC_Email_Exposure_Evaluation_V3.yml b/Packs/soc-framework-nist-ir/Playbooks/SOC_Email_Exposure_Evaluation_V3.yml
index 00db334f..71bb2126 100644
--- a/Packs/soc-framework-nist-ir/Playbooks/SOC_Email_Exposure_Evaluation_V3.yml
+++ b/Packs/soc-framework-nist-ir/Playbooks/SOC_Email_Exposure_Evaluation_V3.yml
@@ -1,934 +1,548 @@ adopted: true -id: SOC Email Exposure Evaluation_V3 -name: SOC Email Exposure Evaluation_V3 +id: SOC Email Exposure Evaluation V3 +name: SOC Email Exposure Evaluation V3 version: -1 -fromversion: 6.10.0 -description: "NIST IR 800-61 — Detection & Analysis — Email Exposure Evaluation\n\nAnswers: how far did this threat get, how\ - \ many users were affected, and does this involve a high-value target?\n\nValue Driver: VD1 (Reduce Risk) — blast radius\ - \ determines MTTC urgency.\nValue Driver: VD3 (Efficiency) — automated scope assessment replaces manual log review.\n\n\ - Execution:\n 1. XQL query — proofpoint_tap_v2_generic_alert_raw — 7-day window, filter by ThreatURL or ThreatID\n 2. Fan-out\ - \ extract: ClickCount, DeliveredCount, MessageID, MailboxCount\n 3. Classification — issue.proofpointtapclassification\n\ - \ 4. ExposureLevel — clicked / delivered / blocked\n 5. RecipientScope — single / multi / tenant_wide (MapRangeValues\ - \ on MailboxCount)\n 6. High Value User check — against SOCFramework VIP Users list\n\nContext keys produced (consumed\ - \ by Containment and SOC Analysis Evaluation_V3):\n SOCFramework.Email.TAP.ClickCount\n SOCFramework.Email.TAP.DeliveredCount\n\ - \ SOCFramework.Email.TAP.MailboxCount\n SOCFramework.Email.TAP.Classification\n SOCFramework.Artifacts.Email.MessageID\n\ - \ SOCFramework.Email.HighValueUserInvolved\n Analysis.Email.ExposureLevel\n Analysis.Email.RecipientScope" +fromversion: 5.0.0 +description: Evaluates Proofpoint TAP email exposure via Universal Command. Determines click/delivered/blocked exposure level, recipient scope, and high-value user involvement. No XQL dependency. 
tags: -- SOC -- SOC_Framework_Unified -- Detection & Analysis -- NIST 800-61 -- Email -starttaskid: '0' + - Email + - SOCFramework + - Analysis +starttaskid: "0" + +inputs: [] + +outputs: [] + tasks: - '0': - id: '0' - taskid: 5bf92436-0255-43c5-95b0-56d02b381267 + "0": + id: "0" + taskid: "0" type: start task: - id: 40710707-3cf8-4174-b83f-76ab8a5a811e - version: -1 - name: '' + id: "0" + name: "" iscommand: false - brand: '' - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false + brand: "" nexttasks: '#none#': - - '1' + - "1" separatecontext: false - continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 50\n }\n}" - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - '1': - id: '1' - taskid: 700564aa-e23f-401f-a873-2ec3f9274ac1 + continueonerrortype: "" + + "1": + id: "1" + taskid: "1" type: title task: - id: 240769a1-033d-42f9-af38-ece10abafd10 - version: -1 + id: "1" name: Query Delivery & Click Events type: title iscommand: false - brand: '' - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false + brand: "" nexttasks: '#none#': - - '2' + - "2" separatecontext: false - continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 195\n }\n}" - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - '2': - id: '2' - taskid: b84acd4e-bc4b-48d9-82a8-881c7065411f - type: regular - task: - id: b84acd4e-bc4b-48d9-82a8-881c7065411f - version: -1 - name: XQL — Proofpoint TAP Delivery & Click Events - description: 'Query proofpoint_tap_v2_generic_alert_raw for all click and delivery events matching this alert''s ThreatURL - or ThreatID within a 7-day window. - - Returns: type (messages delivered / clicks permitted), threatID, recipient. 
+ "2": + id: "2" + taskid: "2" + type: condition + task: + id: "2" + name: Is Click Event? + description: Checks alert.type directly to determine whether the triggering event is a click or delivery event. No XQL required. If click, seeds click_count=1 before API call so count is never zero even if API interval misses this event. + type: condition + iscommand: false + brand: "" + conditions: + - label: "YES" + condition: + - - operator: isEqualString + left: + value: + simple: ${alert.type} + iscontext: true + right: + value: + simple: clicks permitted + ignorecase: true + nexttasks: + "YES": + - "3" + '#default#': + - "4" + separatecontext: false - Results fan-out to parallel set tasks for ClickCount, DeliveredCount, MessageID, and MailboxCount.' - script: '|||xdr-xql-generic-query' - type: regular - iscommand: true - brand: '' - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false + "3": + id: "3" + taskid: "3" + type: regular + task: + id: "3" + name: Seed Click Count - Alert Is Click Event + description: Sets click_count=1 as a floor. Subsequent Set Click Count task uses SetAndHandleEmpty which will only overwrite if the API returns a non-empty result. If API interval misses this event, the seed of 1 is preserved. 
+ script: SetAndHandleEmpty + iscommand: false + brand: "" + scriptarguments: + key: + simple: Email.Exposure.click_count + value: + simple: "1" + append: + simple: "false" nexttasks: '#none#': - - '20' - scriptarguments: - query: - simple: 'dataset = proofpoint_tap_v2_generic_alert_raw - - | filter type = "messages delivered" or type = "clicks permitted" - - | alter threatURL = threatsInfoMap -> [0].threatUrl - - | fields threatURL, type, messageID, threatID, recipient + - "4" + separatecontext: false - | filter threatURL = "${issue.proofpointtapthreaturl}" or threatID = "${issue.proofpointtapthreatid}"' - query_name: - simple: SOC Email Exposure Query - time_frame: - simple: 7 days + "4": + id: "4" + taskid: "4" + type: regular + task: + id: "4" + name: Get Email Events via Universal Command + description: Calls soc-get-email-events via SOCCommandWrapper. Runs proofpoint-get-messages-delivered and proofpoint-get-clicks-permitted against the threat URL. shadow_mode=false so enrichment is never suppressed. + script: SOCCommandWrapper + iscommand: false + brand: "" + scriptarguments: + action: + simple: soc-get-email-events + list_name: + simple: SOCFrameworkActions_V3 + nexttasks: + '#none#': + - "5" separatecontext: false - continueonerror: true - continueonerrortype: errorPath - view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 365\n }\n}" - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - '3': - id: '3' - taskid: 4fa53006-42a2-4fb8-b622-f0633cbff648 + continueonerrortype: "" + + "5": + id: "5" + taskid: "5" type: regular task: - id: 4ad692bb-5bb1-4611-8308-51678de7212e - version: -1 - name: Set Click Count - description: Count of click events from XQL results. Drives ExposureLevel and response_recommended routing in Verdict - Resolution. 
- scriptName: SetAndHandleEmpty - type: regular + id: "5" + name: Get Email Forensics via Universal Command + description: Calls soc-get-email-forensics via SOCCommandWrapper. Runs proofpoint-get-forensics with threatId and campaignId. shadow_mode=false so enrichment is never suppressed. + script: SOCCommandWrapper iscommand: false - brand: '' - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false + brand: "" + scriptarguments: + action: + simple: soc-get-email-forensics + list_name: + simple: SOCFrameworkActions_V3 nexttasks: '#none#': - - '7' + - "6" + separatecontext: false + continueonerrortype: "" + + "6": + id: "6" + taskid: "6" + type: regular + task: + id: "6" + name: Set Click Count + description: Count entries in UC.Email.Events.clicks_permitted array. SetAndHandleEmpty only overwrites if non-empty, preserving the seeded value of 1 if the API returned no results. + script: SetAndHandleEmpty + iscommand: false + brand: "" scriptarguments: - append: - simple: 'false' key: - simple: SOCFramework.Email.TAP.ClickCount + simple: Email.Exposure.click_count value: complex: - root: PaloAltoNetworksXQL.GenericQuery.results - filters: - - - operator: isEqualString - left: - value: - simple: PaloAltoNetworksXQL.GenericQuery.results.type - iscontext: true - right: - value: - simple: clicks permitted - ignorecase: true + root: UC.Email.Events.clicks_permitted transformers: - - operator: count + - operator: count + append: + simple: "false" + nexttasks: + '#none#': + - "7" separatecontext: false - continueonerror: true - continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 50,\n \"y\": 580\n }\n}" - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - '4': - id: '4' - taskid: 4c1250b8-0d96-44ff-9b77-1c67d610e4cc + + "7": + id: "7" + taskid: "7" type: regular task: - id: 61f238d3-8a0b-4a17-a817-10bc276838fd - version: -1 + id: "7" name: 
Set Delivered Count - description: Count of delivered message events from XQL results. Drives ExposureLevel routing. - scriptName: SetAndHandleEmpty - type: regular + description: Count entries in UC.Email.Events.messages_delivered array. + script: SetAndHandleEmpty iscommand: false - brand: '' - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false - nexttasks: - '#none#': - - '7' + brand: "" scriptarguments: - append: - simple: 'false' key: - simple: SOCFramework.Email.TAP.DeliveredCount + simple: Email.Exposure.delivered_count value: complex: - root: PaloAltoNetworksXQL.GenericQuery.results - filters: - - - operator: isEqualString - left: - value: - simple: PaloAltoNetworksXQL.GenericQuery.results.type - iscontext: true - right: - value: - simple: messages delivered - ignorecase: true + root: UC.Email.Events.messages_delivered transformers: - - operator: count + - operator: count + append: + simple: "false" + nexttasks: + '#none#': + - "8" separatecontext: false - continueonerror: true - continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 310,\n \"y\": 580\n }\n}" - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - '5': - id: '5' - taskid: 488c025a-c55c-46f3-be74-89f39b392e45 + + "8": + id: "8" + taskid: "8" type: regular task: - id: e8b9c76b-27d5-46c6-9197-371fe750a7fd - version: -1 - name: Set Message ID - description: Message ID extracted from XQL results. Required by soc-retract-email and soc-quarantine-email UCs in Containment. - scriptName: SetAndHandleEmpty - type: regular + id: "8" + name: Set Mailbox Count + description: Derives total mailbox count from delivered messages array length. 
+ script: SetAndHandleEmpty iscommand: false - brand: '' - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false - nexttasks: - '#none#': - - '7' + brand: "" scriptarguments: - append: - simple: 'false' key: - simple: SOCFramework.Artifacts.Email.MessageID + simple: Email.Exposure.mailbox_count value: complex: - root: PaloAltoNetworksXQL.GenericQuery.results - accessor: messageID + root: UC.Email.Events.messages_delivered transformers: - - operator: uniq + - operator: count + append: + simple: "false" + nexttasks: + '#none#': + - "9" separatecontext: false - continueonerror: true - continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 690,\n \"y\": 580\n }\n}" - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - '6': - id: '6' - taskid: 2b3591ef-bb39-4747-b2c7-ae9411c32c62 + + "9": + id: "9" + taskid: "9" type: regular task: - id: e1d36c08-9dc1-4554-9faa-2956612a6993 - version: -1 - name: Set Mailbox Count - description: Unique recipient count from XQL results. Drives RecipientScope mapping (single / multi / tenant_wide). - scriptName: SetAndHandleEmpty - type: regular + id: "9" + name: Set Message ID + description: Store the Proofpoint GUID for downstream correlation. 
+ script: SetAndHandleEmpty iscommand: false - brand: '' - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false - nexttasks: - '#none#': - - '7' + brand: "" scriptarguments: - append: - simple: 'false' key: - simple: SOCFramework.Email.TAP.MailboxCount + simple: Email.Exposure.message_id value: complex: - root: PaloAltoNetworksXQL.GenericQuery.results - accessor: recipient - transformers: - - operator: uniq - - operator: count + root: UC.Email.Events + accessor: message_id + append: + simple: "false" + nexttasks: + '#none#': + - "10" separatecontext: false - continueonerror: true - continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 950,\n \"y\": 580\n }\n}" - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - '7': - id: '7' - taskid: 224d809f-f140-41dd-88ff-d66a5c246920 + + "10": + id: "10" + taskid: "10" type: title task: - id: 4cb9d726-a964-42d4-8dbd-2500fa71caab - version: -1 + id: "10" name: Set Classification type: title iscommand: false - brand: '' - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false + brand: "" nexttasks: '#none#': - - '8' + - "11" separatecontext: false - continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 770\n }\n}" - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - '8': - id: '8' - taskid: dbbbd3a9-dd70-49ba-baf3-017995bbbaad + + "11": + id: "11" + taskid: "11" type: regular task: - id: 30d6b99e-724e-4d97-a9c3-36e468265e1e - version: -1 + id: "11" name: Set Email Classification - description: 'Proofpoint TAP classification (phish / malware / spam / impostor). Source: issue.proofpointtapclassification. - Consumed by Verdict Resolution to set Analysis.Email.category.' 
- scriptName: SetAndHandleEmpty - type: regular + description: Pulls classification label directly from the alert field (phish/malware/spam). No secondary lookup needed. + script: SetAndHandleEmpty iscommand: false - brand: '' - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false - nexttasks: - '#none#': - - '9' + brand: "" scriptarguments: - append: - simple: 'false' key: - simple: SOCFramework.Email.TAP.Classification + simple: Email.Classification value: complex: - root: issue - accessor: proofpointtapclassification - transformers: - - operator: FirstArrayElement - - operator: toLowerCase + root: alert + accessor: classification + append: + simple: "false" + nexttasks: + '#none#': + - "12" separatecontext: false - continueonerror: true - continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 940\n }\n}" - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - '9': - id: '9' - taskid: 5925558c-1291-4c48-aec7-6ef4be405279 + + "12": + id: "12" + taskid: "12" type: title task: - id: 545df3aa-5b35-4177-8d90-d0e47d544dca - version: -1 + id: "12" name: Determine Exposure Level type: title iscommand: false - brand: '' - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false + brand: "" nexttasks: '#none#': - - '10' + - "13" separatecontext: false - continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 1120\n }\n}" - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - '10': - id: '10' - taskid: 4731b7ca-680f-4005-a8f2-d13426d3dcaf + + "13": + id: "13" + taskid: "13" type: condition task: - id: c0374e1b-9dfc-495c-8a71-9bce9193d3e0 - version: -1 + id: "13" name: Exposure Level? + description: CLICKED takes priority over DELIVERED. Default with no clicks or deliveries is blocked. 
type: condition - description: 'clicked: URL was clicked by recipient. - - delivered: message landed in inbox, no click recorded. - - default: message was blocked before delivery (at SEG).' iscommand: false - brand: '' - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false + brand: "" + conditions: + - label: CLICKED + condition: + - - operator: isNotEmpty + left: + value: + simple: ${Email.Exposure.click_count} + iscontext: true + - operator: greaterThan + left: + value: + simple: ${Email.Exposure.click_count} + iscontext: true + right: + value: + simple: "0" + - label: DELIVERED + condition: + - - operator: isNotEmpty + left: + value: + simple: ${Email.Exposure.delivered_count} + iscontext: true + - operator: greaterThan + left: + value: + simple: ${Email.Exposure.delivered_count} + iscontext: true + right: + value: + simple: "0" nexttasks: + CLICKED: + - "14" + DELIVERED: + - "15" '#default#': - - '13' - clicked: - - '11' - delivered: - - '12' - conditions: - - label: clicked - condition: - - - operator: greaterThan - left: - value: - simple: SOCFramework.Email.TAP.ClickCount - iscontext: true - right: - value: - simple: '0' - - label: delivered - condition: - - - operator: greaterThan - left: - value: - simple: SOCFramework.Email.TAP.DeliveredCount - iscontext: true - right: - value: - simple: '0' - - operator: isEqualNumber - left: - value: - simple: SOCFramework.Email.TAP.ClickCount - iscontext: true - right: - value: - simple: '0' + - "16" separatecontext: false - continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 1290\n }\n}" - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - '11': - id: '11' - taskid: 00e40da2-cf5a-4867-824b-37f94a49f770 + + "14": + id: "14" + taskid: "14" type: regular task: - id: 0af85e14-f402-409d-88e0-4a3ff9d6d71c - version: -1 - name: Set Exposure Level — clicked - description: URL 
was clicked. Highest risk — soc-get-email-events confirmed click events. - scriptName: SetAndHandleEmpty - type: regular + id: "14" + name: Set Exposure Level - clicked + script: SetAndHandleEmpty iscommand: false - brand: '' - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false - nexttasks: - '#none#': - - '14' + brand: "" scriptarguments: - append: - simple: 'false' key: - simple: Analysis.Email.ExposureLevel + simple: Email.Exposure.level value: simple: clicked + append: + simple: "false" + nexttasks: + '#none#': + - "17" separatecontext: false - continueonerror: true - continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 200,\n \"y\": 1480\n }\n}" - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - '12': - id: '12' - taskid: 4e085ee0-86cf-4822-8337-c151b3461344 + + "15": + id: "15" + taskid: "15" type: regular task: - id: ffd553e2-f08e-4835-add9-06d17b674aa5 - version: -1 - name: Set Exposure Level — delivered - description: Message delivered to inbox, no click recorded. Retraction recommended before user interaction. 
- scriptName: SetAndHandleEmpty - type: regular + id: "15" + name: Set Exposure Level - delivered + script: SetAndHandleEmpty iscommand: false - brand: '' - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false - nexttasks: - '#none#': - - '14' + brand: "" scriptarguments: - append: - simple: 'false' key: - simple: Analysis.Email.ExposureLevel + simple: Email.Exposure.level value: - simple: delivered_no_click + simple: delivered + append: + simple: "false" + nexttasks: + '#none#': + - "17" separatecontext: false - continueonerror: true - continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 1480\n }\n}" - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - '13': - id: '13' - taskid: 3e3a8328-1e1c-4ef0-b292-b591affa676b + + "16": + id: "16" + taskid: "16" type: regular task: - id: d80f1cc2-a7a4-43b6-b749-9fe22352e0de - version: -1 - name: Set Exposure Level — blocked - description: Message blocked at SEG — no delivery, no click. Quarantine action applicable. 
- scriptName: SetAndHandleEmpty - type: regular + id: "16" + name: Set Exposure Level - blocked + script: SetAndHandleEmpty iscommand: false - brand: '' - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false - nexttasks: - '#none#': - - '14' + brand: "" scriptarguments: - append: - simple: 'false' key: - simple: Analysis.Email.ExposureLevel + simple: Email.Exposure.level value: simple: blocked + append: + simple: "false" + nexttasks: + '#none#': + - "17" separatecontext: false - continueonerror: true - continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 800,\n \"y\": 1480\n }\n}" - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - '14': - id: '14' - taskid: fde23b6a-3b3e-4c7d-ac6b-512c9ad86389 + + "17": + id: "17" + taskid: "17" type: title task: - id: d578db25-edc5-4c05-a400-e5412b0e9c38 - version: -1 + id: "17" name: Determine Recipient Scope type: title iscommand: false - brand: '' - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false + brand: "" nexttasks: '#none#': - - '15' + - "18" separatecontext: false - continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 1665\n }\n}" - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - '15': - id: '15' - taskid: 329128ef-ac93-4d0c-a948-6923394be707 + + "18": + id: "18" + taskid: "18" type: regular task: - id: 054938d0-099a-4b77-a358-862af39287ba - version: -1 + id: "18" name: Set Recipient Scope - description: 'Maps MailboxCount to scope tier. - - single (0-1): isolated targeting. - - multi (2-10): targeted campaign. - - tenant_wide (11+): broad delivery — escalate consideration.' - scriptName: SetAndHandleEmpty - type: regular + description: Classifies blast radius as targeted (1-5 mailboxes) or broad (more than 5). 
Feeds Analysis verdict severity and blast radius fields. + script: SetAndHandleEmpty iscommand: false - brand: '' - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false - nexttasks: - '#none#': - - '16' + brand: "" scriptarguments: - append: - simple: 'false' key: - simple: Analysis.Email.RecipientScope + simple: Email.Exposure.recipient_scope value: complex: - root: SOCFramework.Email.TAP.MailboxCount + root: Email.Exposure.mailbox_count transformers: - - operator: MapRangeValues - args: - map_from: - value: - simple: 0-1,2-10,10-999999999 - map_to: - value: - simple: single_user,multi_user,tenant_wide - sep: {} + - operator: if-then-else + args: + condition: + value: + simple: lte,5 + thenValue: + value: + simple: targeted + elseValue: + value: + simple: broad + append: + simple: "false" + nexttasks: + '#none#': + - "19" separatecontext: false - continueonerror: true - continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 1835\n }\n}" - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - '16': - id: '16' - taskid: 535e021b-778d-461a-84c5-c4287d73ca11 + + "19": + id: "19" + taskid: "19" type: title task: - id: d5e33e10-5dab-4ba9-b93e-a4245c4c8b23 - version: -1 + id: "19" name: High Value User Check type: title iscommand: false - brand: '' - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false + brand: "" nexttasks: '#none#': - - '17' + - "20" separatecontext: false - continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 2015\n }\n}" - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - '17': - id: '17' - taskid: 439b817a-0c96-48ce-880e-56e1f9bd157c + + "20": + id: "20" + taskid: "20" type: condition task: - id: 5ffe2f36-6be5-47c8-bc90-dcbc44034327 - version: -1 + id: "20" 
name: Is Recipient a High Value User? + description: Checks whether the alert username appears in the SOCFWHighValueUsers list. If matched, sets Email.Exposure.high_value_user=true to escalate priority in the parent Analysis playbook. type: condition - description: 'Checks recipient against the SOCFramework VIP Users list. - - Customer-managed list — PS populates with VIP/exec mailboxes during onboarding. - - Positive match sets HighValueUserInvolved=True, which routes Verdict Resolution to escalate_IR recommendation.' iscommand: false - brand: '' - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false + brand: "" + conditions: + - label: "YES" + condition: + - - operator: inList + left: + value: + simple: ${alert.username} + iscontext: true + right: + value: + simple: ${lists.SOCFWHighValueUsers} + iscontext: true nexttasks: + "YES": + - "21" '#default#': - - '19' - 'yes': - - '18' - conditions: - - label: 'yes' - condition: - - - operator: inList - left: - value: - simple: SOCFramework.Artifacts.Email.To - iscontext: true - right: - value: - simple: lists.SOCFramework VIP Users - iscontext: true + - "22" separatecontext: false - continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 2185\n }\n}" - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - '18': - id: '18' - taskid: ccd9f6c9-d66d-4b32-824b-d078c4b3045e + + "21": + id: "21" + taskid: "21" type: regular task: - id: 642b8f45-61d0-4822-a4a8-40d04a80bf35 - version: -1 + id: "21" name: Set High Value User Involved - description: Recipient is in the VIP list. Consumed by Verdict Resolution to route response_recommended to escalate_IR. 
- scriptName: SetAndHandleEmpty - type: regular + script: SetAndHandleEmpty iscommand: false - brand: '' - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false - nexttasks: - '#none#': - - '19' + brand: "" scriptarguments: - append: - simple: 'false' key: - simple: SOCFramework.Email.HighValueUserInvolved + simple: Email.Exposure.high_value_user value: - simple: 'True' + simple: "true" + append: + simple: "false" + nexttasks: + '#none#': + - "22" separatecontext: false - continueonerror: true - continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 200,\n \"y\": 2375\n }\n}" - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - '19': - id: '19' - taskid: d9a5bf6d-0e7b-478e-a461-b7e420e8ac98 + + "22": + id: "22" + taskid: "22" type: title task: - id: 122596ca-7335-406f-b8d5-d275a6f712ac - version: -1 + id: "22" name: Done type: title iscommand: false - brand: '' - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false - nexttasks: {} - separatecontext: false - continueonerrortype: '' - view: "{\n \"position\": {\n \"x\": 500,\n \"y\": 2560\n }\n}" - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - '20': - id: '20' - taskid: cc11dd22-ee33-ff44-1122-334455667788 - type: condition - task: - id: cc11dd22-ee33-ff44-1122-334455667788 - version: -1 - name: Is Click Event? - description: If the alert is already a "clicks permitted" event, seed ClickCount = 1 as a floor before the XQL count - runs. Prevents null/zero from blocking the search_and_purge recommendation when the user already clicked. 
- type: condition - iscommand: false - brand: '' - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false - nexttasks: - '#default#': - - '3' - 'yes': - - '21' - conditions: - - label: 'yes' - condition: - - - operator: containsGeneral - left: - value: - simple: alert.proofpointtaptype - iscontext: true - right: - value: - simple: click - ignorecase: true - separatecontext: false - continueonerrortype: '' - view: '{"position": {"x": 480, "y": 560}}' - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false - '21': - id: '21' - taskid: dd22ee33-ff44-5566-2233-445566778899 - type: regular - task: - id: dd22ee33-ff44-5566-2233-445566778899 - version: -1 - name: Seed Click Count — Alert Is Click Event - description: Set ClickCount floor = 1. XQL count may subsequently add to this. - scriptName: SetAndHandleEmpty - type: regular - iscommand: false - brand: '' - playbooktaskmissingcomponent: null - istaskmissingcomponenterrordismissed: false - nexttasks: - '#none#': - - '3' - scriptarguments: - key: - simple: SOCFramework.Email.TAP.ClickCount - value: - simple: '1' - append: - simple: 'false' - force: - simple: 'true' + brand: "" separatecontext: false - continueonerrortype: '' - view: '{"position": {"x": 760, "y": 730}}' - note: false - timertriggers: [] - ignoreworker: false - skipunavailable: false - quietmode: 0 - isoversize: false - isautoswitchedtoquietmode: false -inputs: -- key: ThreatURL - value: - simple: ${SOCFramework.Artifacts.Email.ThreatURL} - required: false - description: 'Proofpoint threat URL — primary XQL filter. Source: SOCFramework.Artifacts.Email.ThreatURL (set by Foundation - Normalize Artifacts).' - playbookInputQuery: null -- key: ThreatID - value: - simple: ${SOCFramework.Email.TAP.ThreatID} - required: false - description: 'Proofpoint threat ID — secondary XQL filter. 
Source: SOCFramework.Email.TAP.ThreatID (set by Forensics Evaluation).'
- playbookInputQuery: null
-inputSections:
-- inputs:
- - ThreatURL
- - ThreatID
- name: XQL Query Filters
- description: At least one must be non-empty for the query to return results. ThreatURL is always available from Foundation;
- ThreatID available after Forensics Eval runs.
-outputs:
-- contextPath: SOCFramework.Email.TAP.ClickCount
- description: Number of URL click events in the 7-day window
- type: number
-- contextPath: SOCFramework.Email.TAP.DeliveredCount
- description: Number of message delivery events in the 7-day window
- type: number
-- contextPath: SOCFramework.Email.TAP.MailboxCount
- description: Count of unique recipient mailboxes
- type: number
-- contextPath: SOCFramework.Email.TAP.Classification
- description: 'Proofpoint threat classification: phish / malware / spam / impostor'
- type: string
-- contextPath: SOCFramework.Artifacts.Email.MessageID
- description: Email message ID — required by soc-retract-email and soc-quarantine-email
- type: string
-- contextPath: SOCFramework.Email.HighValueUserInvolved
- description: True if recipient is in SOCFramework VIP Users list
- type: boolean
-- contextPath: Analysis.Email.ExposureLevel
- description: clicked / delivered / blocked
- type: string
-- contextPath: Analysis.Email.RecipientScope
- description: single_user / multi_user / tenant_wide
- type: string
-outputSections:
-- outputs:
- - SOCFramework.Email.TAP.ClickCount
- - SOCFramework.Email.TAP.DeliveredCount
- - SOCFramework.Email.TAP.MailboxCount
- - SOCFramework.Email.TAP.Classification
- - SOCFramework.Artifacts.Email.MessageID
- - SOCFramework.Email.HighValueUserInvolved
- name: TAP Event Data
- description: Raw counts and metadata from XQL query — consumed by Verdict Resolution and Containment
-- outputs:
- - Analysis.Email.ExposureLevel
- - Analysis.Email.RecipientScope
- name: Exposure Contract
- description: Passed to SOC Analysis Evaluation_V3 and Containment
phase
-view: "{\n \"linkLabelsPosition\": {},\n \"paper\": {\n \"dimensions\": {\n \"height\": 2610,\n \"width\":\
- \ 1200,\n \"x\": 50,\n \"y\": 50\n }\n }\n}"
-contentitemexportablefields:
- contentitemfields:
- definitionid: ''
- fromServerVersion: 6.10.0
- isoverridable: false
- itemVersion: 3.0.0
- packID: soc-framework-nist-ir
- packName: SOC Framework NIST IR
- prevname: ''
- supportedModules: []
- toServerVersion: ''
-dirtyInputs: false
diff --git a/Packs/soc-optimization-unified/Lists/SOCFrameworkActions_V3/SOCFrameworkActions_V3_data.json b/Packs/soc-optimization-unified/Lists/SOCFrameworkActions_V3/SOCFrameworkActions_V3_data.json
index 3777173a..d13004e1 100644
--- a/Packs/soc-optimization-unified/Lists/SOCFrameworkActions_V3/SOCFrameworkActions_V3_data.json
+++ b/Packs/soc-optimization-unified/Lists/SOCFrameworkActions_V3/SOCFrameworkActions_V3_data.json
@@ -1,4 +1,6 @@
{
+ "id": "SOCFrameworkActions_V3",
+ "name": "SOCFrameworkActions_V3",
"soc-isolate-endpoint": {
"responses": {
"Cortex Core - IR": {
@@ -148,8 +150,6 @@
},
"shadow_mode": true
},
- "id": "SOCFrameworkActions_V3",
- "name": "SOCFrameworkActions_V3",
"soc-enrich-user": {
"responses": {
"Active Directory Query v2": {
@@ -374,10 +374,9 @@
"url": "SOCFramework.Artifacts.Email.ThreatURL"
},
"output_map": {
- "UC.Email.Events.click_count": "PaloAltoNetworksXQL.GenericQuery.results[type=clicks permitted].count",
- "UC.Email.Events.delivered_count": "PaloAltoNetworksXQL.GenericQuery.results[type=messages delivered].count",
- "UC.Email.Events.message_id": "PaloAltoNetworksXQL.GenericQuery.results.messageID",
- "UC.Email.Events.mailbox_count": "PaloAltoNetworksXQL.GenericQuery.results.recipient.uniq.count"
+ "UC.Email.Events.messages_delivered": "Proofpoint.MessagesDelivered",
+ "UC.Email.Events.delivered_count": "Proofpoint.MessagesDelivered.messagesDelivered",
+ "UC.Email.Events.message_id": "Proofpoint.MessagesDelivered.GUID"
}
},
"Proofpoint TAP v2 (clicks)": {
@@ -388,10 +387,9 @@
"url": "SOCFramework.Artifacts.Email.ThreatURL"
},
"output_map": {
- "UC.Email.Events.click_count": "PaloAltoNetworksXQL.GenericQuery.results[type=clicks permitted].count",
- "UC.Email.Events.delivered_count": "PaloAltoNetworksXQL.GenericQuery.results[type=messages delivered].count",
- "UC.Email.Events.message_id": "PaloAltoNetworksXQL.GenericQuery.results.messageID",
- "UC.Email.Events.mailbox_count": "PaloAltoNetworksXQL.GenericQuery.results.recipient.uniq.count"
+ "UC.Email.Events.clicks_permitted": "Proofpoint.ClicksPermitted",
+ "UC.Email.Events.click_count": "Proofpoint.ClicksPermitted.clicksPermitted",
+ "UC.Email.Events.message_id": "Proofpoint.ClicksPermitted.GUID"
}
}
},
@@ -488,7 +486,7 @@
"command": "mimecast-create-blocked-sender-policy",
"inline_args": {
"sender": "SOCFramework.Artifacts.Email.From",
- "description": "Blocked by SOC Framework \u2014 threat sender"
+ "description": "Blocked by SOC Framework — threat sender"
},
"output_map": {
"UC.Email.BlockSender.status": "Mimecast.BlockedSender.status",
diff --git a/pack_catalog.json b/pack_catalog.json
index bb801708..f53bcabc 100644
--- a/pack_catalog.json
+++ b/pack_catalog.json
@@ -3,6 +3,7 @@
{
"id": "SocFrameworkCrowdstrikeFalcon",
"display_name": "SOC CrowdStrike Falcon Integration Enhancement for Cortex XSIAM",
+ "category": "End Point",
"version": "1.0.44",
"path": "Packs/SocFrameworkCrowdstrikeFalcon",
"visible": true,
@@ -11,6 +12,7 @@
{
"id": "SocFrameworkMicrosoftDefender",
"display_name": "SOC Microsoft Defender Integration Enhancement for Cortex XSIAM",
+ "category": "End Point",
"version": "1.0.28",
"path": "Packs/SocFrameworkMicrosoftDefender",
"visible": true,
@@ -19,6 +21,7 @@
{
"id": "SocFrameworkOptimization",
"display_name": "SOC Framework (DEPRECATED)",
+ "category": "Use Case",
"version": "2.1.48",
"path": "Packs/SocFrameworkOptimization",
"visible": false,
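Review bot: `UC.Email.Events.mailbox_count` is removed from this output_map and from the clicks map in the next hunk (`@@ -388,10 +387,9 @@`) with no replacement, while the playbook hunk earlier in this diff now derives recipient scope from `Email.Exposure.mailbox_count` with an `lte,5` threshold, so after this change nothing visible in the diff produces a mailbox count for that comparison. `UC.Email.Events.message_id` also switches from the XQL `messageID` to `Proofpoint.MessagesDelivered.GUID` (and `Proofpoint.ClicksPermitted.GUID` in the clicks map); the removed playbook outputs describe the message ID as what soc-retract-email and soc-quarantine-email require, and TAP's GUID is a different identifier from the message's Message-ID header, so the retract and quarantine actions should be checked against which identifier they actually accept. `delivered_count` now points at `Proofpoint.MessagesDelivered.messagesDelivered`, which reads as a count but is not a per-event field name I can trace here — verify it against the integration's context outputs, or map `delivered_count` to a length of `Proofpoint.MessagesDelivered` instead.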
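Review bot: The new `category` key is free text, and across the catalog hunks it takes four spellings (`End Point`, `Use Case`, `Utility`, `Email Security`) that look like an enum without being declared as one; the two common-playbooks packs get different values (`Utility` at `@@ -43` and `Use Case` at `@@ -51`) and the pack whose display name is "SOC Framework (DEPRECATED)" is categorised as `Use Case`. If anything filters or groups on this key, a one-line comment or README entry listing the allowed values (and whether `End Point` is intended over `Endpoint`) would keep future entries consistent.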
@@ -27,6 +30,7 @@
{
"id": "SocFrameworkProofPointTap",
"display_name": "SOC Proofpoint TAP Integration Enhancement for Cortex XSIAM",
+ "category": "Email Security",
"version": "1.1.2",
"path": "Packs/SocFrameworkProofPointTap",
"visible": true,
@@ -35,6 +39,7 @@
{
"id": "SocFrameworkTrendMicroVisionOne",
"display_name": "SOC Trend Micro Enhancement for Cortex XSIAM",
+ "category": "End Point",
"version": "1.0.29",
"path": "Packs/SocFrameworkTrendMicroVisionOne",
"visible": true,
@@ -43,6 +48,7 @@
{
"id": "soc-common-playbooks",
"display_name": "SOC Common Playbooks",
+ "category": "Utility",
"version": "2.7.52",
"path": "Packs/soc-common-playbooks",
"visible": false,
@@ -51,6 +57,7 @@
{
"id": "soc-common-playbooks-unified",
"display_name": "SOC Common Playbooks Unified",
+ "category": "Use Case",
"version": "2.7.54",
"path": "Packs/soc-common-playbooks-unified",
"visible": false,
@@ -59,6 +66,7 @@
{
"id": "soc-framework-manager",
"display_name": "SOC Framework Package Manager",
+ "category": "Utility",
"version": "1.0.13",
"path": "Packs/soc-framework-manager",
"visible": false,
@@ -67,7 +75,8 @@
{
"id": "soc-framework-nist-ir",
"display_name": "SOC Framework NIST IR (800-61)",
- "version": "1.0.7",
+ "category": "Utility",
+ "version": "1.1.0",
"path": "Packs/soc-framework-nist-ir",
"visible": false,
"xsoar_config": "https://raw.githubusercontent.com/Palo-Cortex/secops-framework/refs/heads/main/Packs/soc-framework-nist-ir/xsoar_config.json"
@@ -75,6 +84,7 @@
{
"id": "soc-microsoft-graph-security",
"display_name": "SOC Microsoft Graph Security Content Pack Enhancement for Cortex XSIAM",
+ "category": "End Point",
"version": "1.0.11",
"path": "Packs/soc-microsoft-graph-security",
"visible": false,
@@ -83,7 +93,8 @@
{
"id": "soc-optimization-unified",
"display_name": "SOC Framework Unified",
- "version": "3.3.17",
+ "category": "Use Case",
+ "version": "3.4.0",
"path": "Packs/soc-optimization-unified",
"visible": true,
"xsoar_config": "https://raw.githubusercontent.com/Palo-Cortex/secops-framework/refs/heads/main/Packs/soc-optimization-unified/xsoar_config.json"