Proofpoint Email Security Modeling Rule

Modeling Rule

Proofpoint Email Security

Details

IDproofpoint_email_security_ModelingRule
From Version8.3.0
Tagsproofpoint

Rules (XIF)

[MODEL: dataset = proofpoint_email_security_raw]
// Modeling rule for Proofpoint email security "Message" events
filter event_type = "message"
// Parsing fiedls
| alter
        header_from = arrayindex(msg -> normalizedHeader.from[], 0),
        cc = split(rtrim(ltrim(replex(replex(arrayindex(msg -> normalizedHeader.cc[], 0), ",\s*?\\t", ","), ",\s+", ","), "\""), "\""), ","),
        to = split(rtrim(ltrim(replex(replex(arrayindex(msg -> normalizedHeader.to[], 0), ",\s*?\\t", ","), ",\s+", ","), "\""), "\""), ","),
        returnPath = split(rtrim(ltrim(replex(replex(arrayindex(json_extract_array(msg, "$.normalizedHeader.return-path"), 0), ",\s*?\\t", ","), ",\s+", ","), "\""), "\""), ","),
        msgParts_array = msgParts -> [],
        actions = `filter` -> actions[],
        source_ip = connection -> ip
| alter
        header_from = if(header_from contains "<", arrayindex(regextract(header_from, "<([^>]+)>"), 0), trim(header_from, "\"")),
        cc = arrayfilter(arraymap(cc, if("@element" contains "<", arrayindex(regextract("@element", "<([^>]+)>"),0), "@element")), "@element" contains "@"),
        to = arrayfilter(arraymap(to, if("@element" contains "<", arrayindex(regextract("@element", "<([^>]+)>"),0), "@element")), "@element" contains "@")
// Modeling fields
| alter
        xdm.event.type = event_type,
        xdm.event.id = guid,
        xdm.network.session_id = connection -> sid,
        xdm.source.location.country = if(connection -> country !~= "[a-zA-Z]+", null, connection -> country),
        xdm.source.ipv4 = if(source_ip ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", source_ip, null),
        xdm.source.ipv6 = if(source_ip ~= "[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}", source_ip, null),
        xdm.source.host.hostname = connection -> host,
        xdm.network.application_protocol = connection -> protocol,
        xdm.network.tls.cipher = connection -> tls.inbound.cipher,
        xdm.network.tls.protocol_version = connection -> tls.inbound.version,
        xdm.email.recipients = to,
        xdm.email.sender = if(header_from != null and header_from != "", header_from, envelope -> from),
        xdm.email.cc = cc,
        xdm.email.message_id = rtrim(ltrim(arrayindex(json_extract_array(msg, "$.normalizedHeader.message-id"), 0), "\""), "\""),
        xdm.email.subject = rtrim(ltrim(arrayindex(msg -> normalizedHeader.subject[], 0), "\""), "\""),
        xdm.email.return_path = arraystring(returnPath, ", "),
        xdm.email.attachment.extension = arraystring(arrayfilter(arraymap(msgParts_array, "@element" -> detectedExt), "@element" != "" and "@element" != null), ", "),
        xdm.email.mime = arraystring(arrayfilter(arraymap(msgParts_array, "@element" -> detectedMime), "@element" != "" and "@element" != null), ", "),
        xdm.email.attachment.filename = arraystring(arrayfilter(arraymap(msgParts_array, "@element" -> detectedName), "@element" != "" and "@element" != null), ", "),
        xdm.email.attachment.md5 = arraystring(arrayfilter(arraymap(msgParts_array, "@element" -> md5), "@element" != "" and "@element" != null), ", "),
        xdm.email.attachment.sha256 = arraystring(arrayfilter(arraymap(msgParts_array, "@element" -> sha256), "@element" != "" and "@element" != null), ", "),
        xdm.observer.action = arraystring(arraymap(actions, if("@element" -> isFinal = "true", "@element" -> action, null)), ", "),
        xdm.alert.original_threat_name = arraystring(`filter` -> modules.av.virusNames[], ", ");

// Modeling rule for Proofpoint email security "Mail" events
filter event_type = "maillog"
| alter
        xdm.event.type = event_type,
        xdm.event.description = data,
        xdm.event.id = id,
        xdm.source.agent.identifier = pps -> agent,
        xdm.email.sender = sm -> from,
        xdm.source.process.name = sm -> daemon,
        xdm.email.message_id = rtrim(ltrim(sm -> msgid, "<"), ">"),
        xdm.network.application_protocol = sm -> proto,
        xdm.observer.action = rtrim(arrayindex(regextract(sm -> stat, "(^[^:\(]+)"), 0), "\s"),
        xdm.email.recipients = arraymap(arraymap(arraymap(arraymap(sm -> to[], ltrim("@element", "\"")), rtrim("@element", "\"")), ltrim("@element", "<")), rtrim("@element", ">")),
        xdm.network.tls.cipher = if(lowercase(tls -> cipher) = "none", null, tls -> cipher),
        xdm.source.sent_bytes = to_integer(sm -> sizeBytes),
        xdm.network.tls.protocol_version = if(lowercase(tls -> version) = "none", null, tls -> version);

// Modeling rule for Proofpoint email security "Audit" events
filter event_type = "audit"
| alter source_ip = audit -> user.ipAddress, target_ip = metadata -> origin.data.agent
| alter 
        xdm.target.resource.type = audit -> resourceType,
        xdm.source.user.identifier = audit -> user.id,
        xdm.source.user.username = audit -> user.email,
        xdm.source.ipv4 = if(source_ip ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", source_ip, null),
        xdm.source.ipv6 = if(source_ip ~= "[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}", source_ip, null),
        xdm.target.ipv4 = if(target_ip ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", target_ip, null),
        xdm.target.ipv6 = if(target_ip ~= "[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}", target_ip, null),
        xdm.event.operation_sub_type = audit -> action,
        xdm.alert.severity = audit -> level,
        xdm.alert.subcategory = parsed_fields -> eventSubCategory,
        xdm.observer.unique_identifier = metadata -> customerId,
        xdm.event.type = event_type,
        xdm.event.id = guid,
        xdm.event.description = to_string(parsed_fields),
        xdm.alert.description = parsed_fields -> eventDetails,
        xdm.observer.type = metadata -> origin.type,
        xdm.observer.content_version = metadata -> origin.schemaVersion,
        xdm.observer.version = metadata -> origin.data.version,
        xdm.observer.name = metadata -> origin.data.cid;

Schema

proofpoint_email_security_raw

Field Type Array?
audit string
connection string
data string
envelope string
event_type string
filter string
guid string
id string
metadata string
msg string
msgParts string
parsed_fields string
pps string
sm string
tls string
Raw JSON
{
  "proofpoint_email_security_raw": {
      "guid": {
          "type": "string",
          "is_array": false
      },
      "msg": {
          "type": "string",
          "is_array": false
      },
      "msgParts": {
          "type": "string",
          "is_array": false
      },
      "filter": {
          "type": "string",
          "is_array": false
      },
      "connection": {
          "type": "string",
          "is_array": false
      },
      "data": {
          "type": "string",
          "is_array": false
      },
      "id": {
          "type": "string",
          "is_array": false
      },
      "pps": {
          "type": "string",
          "is_array": false
      },
      "sm": {
          "type": "string",
          "is_array": false
      },
      "tls": {
          "type": "string",
          "is_array": false
      },
      "event_type": {
          "type": "string",
          "is_array": false
      },
      "audit": {
          "type": "string",
          "is_array": false
      },
      "metadata": {
        "type": "string",
        "is_array": false
    },
    "parsed_fields": {
        "type": "string",
        "is_array": false
    },
      "envelope": {
          "type": "string",
          "is_array": false
      }
  }
}