- Email Security Workflows Email Exposure Eval

Packs/SocFrameworkProofPointTap/CorrelationRules/SOC Proofpoint TAP - Threat Detected.yml

@@ -10,42 +10,42 @@ alert_fields:
 
   # ── File indicators ────────────────────────────────────────────────────────
   action_file_sha256: proofpointsha256          # attachment SHA256 (WildFire grouping)
-  action_file_md5:    proofpointmd5             # attachment MD5
-  action_file_name:   proofpointfilename        # attachment filename
+  action_file_md5: proofpointmd5                # attachment MD5
+  action_file_name: proofpointfilename          # attachment filename
 
   # ── Network indicators ─────────────────────────────────────────────────────
-  action_remote_ip:  senderIP                  # sender IP (grouping + analytics)
-  dns_query_name:    dns_name                  # threat domain (DNS grouping)
-  fw_url_domain:     domain                    # URL domain
+  action_remote_ip: senderIP                   # sender IP (grouping + analytics)
+  dns_query_name: dns_name                     # threat domain (DNS grouping)
+  fw_url_domain: domain                        # URL domain
 
   # ── Email-specific fields ──────────────────────────────────────────────────
-  emailmessageid:           messageID
-  emailsenderip:            senderIP
-  emailsource:              sender
-  fw_email_recipient:       recipient
-  fw_email_sender:          sender
-  fw_email_subject:         subject
+  emailmessageid: messageID
+  emailsenderip: senderIP
+  emailsource: sender
+  fw_email_recipient: recipient
+  fw_email_sender: sender
+  fw_email_subject: subject
 
   # ── Proofpoint TAP extended fields ────────────────────────────────────────
-  proofpointtapcampaignid:    campaignId
+  proofpointtapcampaignid: campaignId
   proofpointtapclassification: classification_all
-  proofpointtapclickip:       clickIP
-  proofpointtapclicktime:     clickTime
-  proofpointtapguid:          GUID
-  proofpointtapheadersfrom:   headerFrom
+  proofpointtapclickip: clickIP
+  proofpointtapclicktime: clickTime
+  proofpointtapguid: GUID
+  proofpointtapheadersfrom: headerFrom
   proofpointtapheadersreplyto: headerReplyTo
-  proofpointtapid:            id
+  proofpointtapid: id
   proofpointtapimposterscore: impostorScore
-  proofpointtapmalwarescore:  malwareScore
-  proofpointtapmessageid:     messageID
-  proofpointtapmessageparts:  messageParts
-  proofpointtapmessagesize:   messageSize
+  proofpointtapmalwarescore: malwareScore
+  proofpointtapmessageid: messageID
+  proofpointtapmessageparts: messageParts
+  proofpointtapmessagesize: messageSize
   proofpointtapphishingscore: phishScore
   proofpointtapreplytoaddress: replyToAddress
-  proofpointtapsenderip:      senderIP
-  proofpointtapsmtpsender:    sender
-  proofpointtapspamscore:     spamScore
-  proofpointtapsubject:       subject
+  proofpointtapsenderip: senderIP
+  proofpointtapsmtpsender: sender
+  proofpointtapspamscore: spamScore
+  proofpointtapsubject: subject
   proofpointtapsuspiciousurl: threat_urls
   proofpointtapthreatid: threat_ids
   proofpointtapthreatinfomap: threatsInfoMap_str
@@ -54,12 +54,10 @@ alert_fields:
   proofpointtapthreaturl: threat_urls
   proofpointtaptype: type
 alert_name: $alert_name
-alert_type: null
-crontab: null
+alert_type:
+crontab:
 dataset: alerts
-description: Unified Proofpoint TAP alert rule covering messages delivered and clicks
-  permitted. Fires on active or malicious threat status only. Suppression is per GUID
-  to preserve full blast-radius visibility for lateral risk detection.
+description: Unified Proofpoint TAP alert rule covering messages delivered and clicks permitted. Fires on active or malicious threat status only. Suppression is per GUID to preserve full blast-radius visibility for lateral risk detection.
 drilldown_query_timeframe: ALERT
 execution_mode: REAL_TIME
 global_rule_id: SOC Proofpoint TAP - Threat Detected
@@ -69,19 +67,19 @@ lookup_mapping: []
 mapping_strategy: CUSTOM
 mitre_defs:
   TA0001 - Initial Access:
-    - T1566 - Phishing
+  - T1566 - Phishing
   TA0009 - Collection:
-    - T1114 - Email Collection
+  - T1114 - Email Collection
 name: SOC Proofpoint TAP - Threat Detected
 rule_id: 0
-search_window: null
+search_window:
 severity: User Defined
-simple_schedule: null
+simple_schedule:
 suppression_duration: 24 hours
 suppression_enabled: true
 suppression_fields:
-  - GUID
-timezone: null
+- GUID
+timezone:
 user_defined_category: alert_category
 user_defined_severity: alert_severity
 xql_query: |

Packs/SocFrameworkProofPointTap/pack_metadata.json

@@ -1,25 +1,25 @@
 {
-  "name": "SOC Proofpoint TAP Integration Enhancement for Cortex XSIAM",
-  "id": "soc-proofpoint-tap",
-  "description": "This content adds the proper content to make the soc-phishing-investigation-response work with proofpoint.",
-  "support": "community",
-  "currentVersion": "1.1.2",
-  "author": "Palo Alto Networks",
-  "url": "https://github.com/Palo-Cortex/soc-optimization-unified",
-  "email": "",
-  "categories": [
-    "Forensics & Malware Analysis"
-  ],
-  "tags": [
-    "SOC",
-    "SOC_Framework",
-    "Utility",
-    "Palo Alto Networks Products",
-    "Phishing"
-  ],
-  "useCases": [],
-  "keywords": [],
-  "marketplaces": [
-    "marketplacev2"
-  ]
+    "name": "SOC Proofpoint TAP Integration Enhancement for Cortex XSIAM",
+    "id": "soc-proofpoint-tap",
+    "description": "This content adds the proper content to make the soc-phishing-investigation-response work with proofpoint.",
+    "support": "community",
+    "currentVersion": "1.1.2",
+    "author": "Palo Alto Networks",
+    "url": "https://github.com/Palo-Cortex/soc-optimization-unified",
+    "email": "",
+    "categories": [
+        "Forensics & Malware Analysis"
+    ],
+    "tags": [
+        "SOC",
+        "SOC_Framework",
+        "Utility",
+        "Palo Alto Networks Products",
+        "Phishing"
+    ],
+    "useCases": [],
+    "keywords": [],
+    "marketplaces": [
+        "marketplacev2"
+    ]
 }