Proofpoint Threat Response Modeling Rule

Modeling Rule

Proofpoint Threat Response

Details

IDproofpoint_threat_response_ModelingRule
From Version6.10.0
Tagsproofpoint

Rules (XIF)

[MODEL: dataset = proofpoint_threat_response_raw]
// Parsing fields
alter
        emails = arrayindex(json_extract_array(event, "$.emails"), 0),
        attacker_ip_1 = json_extract_scalar(hosts, "$.attacker.0"),
        attacker_ip_2 = json_extract_scalar(hosts, "$.attacker.1"),
        attacker_ip_3 = json_extract_scalar(hosts, "$.attacker.2"),
        incident_field_values = incident_field_values -> [],
        temp_url = arraymap(hosts -> url[],replex("@element", "\\"", "")),
        temp_url2 = arraymap(arrayindex(event -> emails[], 0) -> urls[], replex("@element", "\\"", "")),
        temp_original_threat_name = event -> threatname
| alter
        src_ipv4 = arraycreate(attacker_ip_1, attacker_ip_2, attacker_ip_3),
        url = arraystring(temp_url , ", "),
        url2 = arraystring(temp_url2 , ", ")
// Mapping fields
| alter
        xdm.event.id = to_string(id),
        xdm.network.http.url = coalesce(url2,url),
        xdm.alert.original_threat_name = temp_original_threat_name,
        xdm.alert.category = json_extract_scalar(event, "$.category"),
        xdm.alert.severity = json_extract_scalar(event, "$.severity"),
        xdm.email.sender = json_extract_scalar(emails, "$.sender.email"),
        xdm.email.message_id = json_extract_scalar(emails, "$.messageId"),
        xdm.email.subject = json_extract_scalar(emails, "$.subject"),
        xdm.email.recipients = arraycreate(coalesce(json_extract_scalar(emails, "$.recipient.email"), "")),
        xdm.alert.name = json_extract_scalar(arrayindex(incident_field_values, 1), "$.value"),
        xdm.alert.description = json_extract_scalar(event, "$.description"),
        xdm.email.attachment.path = json_extract_scalar(event, "$.fileName"),
        xdm.alert.original_alert_id = to_string(json_extract_scalar(event, "$.id")),
        xdm.source.ipv4 =
            to_string(
                if(arrayindex(src_ipv4, 0) ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", arrayindex(src_ipv4, 0),
                    if(arrayindex(src_ipv4, 1) ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", arrayindex(src_ipv4, 1),
                        if(arrayindex(src_ipv4, 2) ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", arrayindex(src_ipv4, 2), null
                        )
                    )
                )
            );

Schema

proofpoint_threat_response_raw

Field Type Array?
event string
hosts string
id int
incident_field_values string
updated_at datetime
Raw JSON
{
    "proofpoint_threat_response_raw": {
        "id": {
            "type": "int",
            "is_array": false
        },
        "event": {
            "type": "string",
            "is_array": false
        },
        "hosts": {
            "type": "string",
            "is_array": false
        },
        "incident_field_values": {
            "type": "string",
            "is_array": false
        },
        "updated_at": {
            "type": "datetime",
            "is_array": false
        }
    }
}