diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 04913c79d93..5e326abe11b 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -116,6 +116,7 @@
 /packages/problemchild @elastic/ml-ui
 /packages/prometheus @elastic/obs-cloudnative-monitoring
 /packages/proofpoint @elastic/security-external-integrations
+/packages/proofpoint_tap @elastic/security-external-integrations
 /packages/pulse_connect_secure @elastic/security-external-integrations
 /packages/qnap_nas @elastic/security-external-integrations
 /packages/rabbitmq @elastic/integrations
diff --git a/packages/proofpoint_tap/_dev/build/build.yml b/packages/proofpoint_tap/_dev/build/build.yml
new file mode 100644
index 00000000000..d61527283ec
--- /dev/null
+++ b/packages/proofpoint_tap/_dev/build/build.yml
@@ -0,0 +1,3 @@
+dependencies:
+ ecs:
+ reference: git@8.2
diff --git a/packages/proofpoint_tap/_dev/build/docs/README.md b/packages/proofpoint_tap/_dev/build/docs/README.md
new file mode 100644
index 00000000000..064f3badafd
--- /dev/null
+++ b/packages/proofpoint_tap/_dev/build/docs/README.md
@@ -0,0 +1,52 @@
+# Proofpoint TAP
+
+The Proofpoint TAP integration collects and parses data from the Proofpoint TAP REST APIs.
+
+## Compatibility
+
+This module has been tested against `SIEM API v2`.
+
+## Configurations
+
+The service principal and secret are used to authenticate to the SIEM API. To generate TAP Service Credentials please follow the following steps.
+1. Log in to the [_TAP dashboard_](https://threatinsight.proofpoint.com).
+2. Navigate to **Settings > Connected Applications**.
+3. Click **Create New Credential**.
+4. Name the new credential set and click **Generate**.
+5. Copy the **Service Principal** and **Secret** and save them for later use.
+For the more information on generating TAP credentials please follow the steps mentioned in the link [_Generate TAP Service Credentials_](https://ptr-docs.proofpoint.com/ptr-guides/integrations-files/ptr-tap/#generate-tap-service-credentials).
+
+
+## Logs
+
+### Clicks Blocked
+
+This is the `clicks_blocked` dataset.
+
+{{event "clicks_blocked"}}
+
+{{fields "clicks_blocked"}}
+
+### Clicks Permitted
+
+This is the `clicks_permitted` dataset.
+
+{{event "clicks_permitted"}}
+
+{{fields "clicks_permitted"}}
+
+### Message Blocked
+
+This is the `message_blocked` dataset.
+
+{{event "message_blocked"}}
+
+{{fields "message_blocked"}}
+
+### Message Delivered
+
+This is the `message_delivered` dataset.
+
+{{event "message_delivered"}}
+
+{{fields "message_delivered"}}
diff --git a/packages/proofpoint_tap/_dev/deploy/docker/docker-compose.yml b/packages/proofpoint_tap/_dev/deploy/docker/docker-compose.yml
new file mode 100644
index 00000000000..a9aaa00209d
--- /dev/null
+++ b/packages/proofpoint_tap/_dev/deploy/docker/docker-compose.yml
@@ -0,0 +1,15 @@
+version: '2.3'
+services:
+ proofpoint_tap:
+ image: docker.elastic.co/observability/stream:v0.7.0
+ hostname: proofpoint_tap
+ ports:
+ - 8080
+ volumes:
+ - ./files:/files:ro
+ environment:
+ PORT: "8080"
+ command:
+ - http-server
+ - --addr=:8080
+ - --config=/files/config.yml
diff --git a/packages/proofpoint_tap/_dev/deploy/docker/files/config.yml b/packages/proofpoint_tap/_dev/deploy/docker/files/config.yml
new file mode 100644
index 00000000000..88aa0034c08
--- /dev/null
+++ b/packages/proofpoint_tap/_dev/deploy/docker/files/config.yml
@@ -0,0 +1,25 @@ +rules: + - path: /v2/siem/messages/blocked + methods: ["GET"] + responses: + - status_code: 200 + body: | + {"queryEndTime":"2022-03-30T13:00:00Z","messagesBlocked":[{"GUID":"x11xxxx1-12f9-111x-x12x-1x1x123456xx","QID":"x2XXxXXX111111","ccAddresses":["abc@example.com"],"clusterId":"pharmtech_hosted","completelyRewritten":"true","fromAddress":"abc@example.com","headerCC":"\"Example Abc\" ","headerFrom":"\"A. Bc\" ","headerReplyTo":null,"headerTo":"\"Aa Bb\" ; \"Hey Hello\" ","impostorScore":0,"malwareScore":100,"messageID":"12345678912345.12345.mail@example.com","messageParts":[{"contentType":"text/plain","disposition":"inline","filename":"text.txt","md5":"b10a8db164e0754105b7a99be72e3fe5","oContentType":"text/plain","sandboxStatus":"unsupported","sha256":"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e"},{"contentType":"application/pdf","disposition":"attached","filename":"text.pdf","md5":"b10a8db164e0754105b7a99be72e3fe5","oContentType":"application/pdf","sandboxStatus":"threat","sha256":"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e"}],"messageTime":"2021-11-25T09:10:00.050Z","modulesRun":["pdr","sandbox","spam","urldefense"],"phishScore":46,"policyRoutes":["default_inbound","executives"],"quarantineFolder":"Attachment Defense","quarantineRule":"module.sandbox.threat","recipient":["example.abc@example.com","hey.hello@example.com"],"replyToAddress":null,"sender":"x99x7x5580193x6x51x597xx2x0210@example.com","senderIP":"175.16.199.1","spamScore":4,"subject":"Please find a totally safe invoice 
attached.","threatsInfoMap":[{"campaignId":"46x01x8x-x899-404x-xxx9-111xx393d1x7","classification":"MALWARE","threat":"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e","threatId":"2xxx740f143fc1aa4c1cd0146d334x5593b1428x6x062b2c406e5efe8xxx95xx","threatStatus":"active","threatTime":"2021-11-25T09:10:00.050Z","threatType":"ATTACHMENT","threatUrl":"https://www.example.com/?name=john"},{"campaignId":"46x01x8x-x899-404x-xxx9-111xx393d1x7","classification":"MALWARE","threat":"example.com","threatId":"3xx97xx852c66a7xx761450xxxxxx9f4ffab74715b591294f78b5e37a76481xx","threatTime":"2021-07-20T05:00:00.050Z","threatType":"URL","threatUrl":"https://www.example.com/?name=john"}],"toAddresses":["example.abc@example.com","hey.hello@example.com"],"xmailer":"Spambot v2.5"}]} + - path: /v2/siem/messages/delivered + methods: ["GET"] + responses: + - status_code: 200 + body: | + {"queryEndTime":"2022-03-29T20:00:00Z","messagesDelivered":[{"spamScore":0,"phishScore":0,"threatsInfoMap":[{"threatID":"b7exxxxxxxx0d10xxxxxxe2xxxxxxxxxxxx81cxxxxxx034ac9cxxxxxxxxxxxxb","threatStatus":"active","classification":"spam","threatUrl":"https://threatinsight.proofpoint.com/aaabcdef-1234-b1abcdefghe/threat/email/b7exxxxxxxx0d10xxxxxxe2xxxxxxxxxxxx81cxxxxxx034ac9cxxxxxxxxxxxxb","threatTime":"2021-11-25T13:02:58.640Z","threat":"http://zbcd123456x0.example.com","campaignID":null,"threatType":"url"},{"threatID":"aaabcdefg123456f009971a9c193abcdefg123456bf5abcdefg1234566","threatStatus":"active","classification":"phish","threatUrl":"https://threatinsight.proofpoint.com/aaabcdef-1234-b1abcdefghe/threat/email/b7exxxxxxxx0d10xxxxxxe2xxxxxxxxxxxx81cxxxxxx034ac9cxxxxxxxxxxxxb","threatTime":"2021-07-19T10:28:15.100Z","threat":"http://zbcd123456x0.example.com","campaignID":null,"threatType":"url"}],"messageTime":"2022-01-01T00:00:00.000Z","impostorScore":0,"malwareScore":0,"cluster":"pharmtech_hosted","subject":null,"quarantineFolder":null,"quarantineRule":null,"policyRoutes":null,"modulesRun":
null,"messageSize":0,"headerFrom":null,"headerReplyTo":null,"fromAddress":null,"ccAddresses":null,"replyToAddress":null,"toAddresses":null,"xmailer":null,"messageParts":null,"completelyRewritten":true,"id":"2hsvbU-i8abc123-12345-xxxxx12","QID":null,"GUID":"NxxxsxvxbxUxixcx2xxxxx5x6xWxBxOxxxxxjxx","sender":"","recipient":["fxxxxhxsxxvxbcx2xx5xxx6x3xx26@example.com"],"senderIP":"89.160.20.112","messageID":""}]} + - path: /v2/siem/clicks/permitted + methods: ["GET"] + responses: + - status_code: 200 + body: | + {"queryEndTime":"2022-03-30T13:00:00Z","clicksPermitted":[{"url":"https://example.com/collab/?id=x4x3x6xsx1xxxx8xEdxexnxxxaxX","classification":"phish","clickTime":"2022-03-21T20:39:37.000Z","threatTime":"2022-03-30T10:05:57.000Z","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36 Edg/99.0.1150.46","campaignId":"46x01x8x-x899-404x-xxx9-111xx393d1x7","id":"de7eef56-1234-1234-1234-5xxfx7xxxdxxxx","clickIP":"89.160.20.112","sender":"abc123@example.com","recipient":"abc@example.com","senderIP":"81.2.69.143","GUID":"cTxxxxxxzx7xxxxxxxxxx8x4xwxx","threatID":"92c17aaxxxxxxxxxx07xx7xxxx9xexcx3x3xxxxxx8xx3xxxx","threatURL":"https://threatinsight.proofpoint.com/a2abc123-1234-1234-1234-babcded1234/threat/email/92c17aaxxxxxxxxxx07xx7xxxx9xexcx3x3xxxxxx8xx3xxxx","threatStatus":"active","messageID":"12345678912345.12345.mail@example.com"}]} + - path: /v2/siem/clicks/blocked + methods: ["GET"] + responses: + - status_code: 200 + body: | + {"queryEndTime":"2022-03-30T13:00:00Z","clicksBlocked":[{"url":"https://www.example.com/abcdabcd123?query=0","classification":"malware","clickTime":"2022-03-30T10:11:12.000Z","threatTime":"2022-03-21T14:40:31.000Z","userAgent":"Mozilla/5.0 (iPhone; CPU iPhone OS 14_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) GSA/199.0.427504638 Mobile/15E148 
Safari/604.1","campaignId":"46x01x8x-x899-404x-xxx9-111xx393d1x7","id":"a5c9f8bb-1234-1234-1234-dx9xxx2xx9xxx","clickIP":"89.160.20.112","sender":"abc123@example.com","recipient":"9c52aa64228824247c48df69b066e5a7@example.com","senderIP":"81.2.69.143","GUID":"ZcxxxxVxyxFxyxLxxxDxVxx4xxxxx","threatID":"502b7xxxx0x5x1x3xb6xcxexbxxxxxxxcxxexc6xbxxxxxxdx7fxcx6x9xxxx9xdxxxxxxxx5f","threatURL":"https://threatinsight.proofpoint.com/a2abc123-1234-1234-1234-babcded1234/threat/email/502xxxxxxxxxcebxxxxxxxxxxa04277xxxxx5dxc6xxxxxxxxx5f","threatStatus":"active","messageID":"12345678912345.12345.mail@example.com"}]} diff --git a/packages/proofpoint_tap/changelog.yml b/packages/proofpoint_tap/changelog.yml new file mode 100644 index 00000000000..fb37f7f3f1b --- /dev/null +++ b/packages/proofpoint_tap/changelog.yml @@ -0,0 +1,6 @@ +# newer versions go on top +- version: 0.1.0 + changes: + - description: Initial draft of the package. + type: enhancement + link: https://github.com/elastic/integrations/pull/3201 diff --git a/packages/proofpoint_tap/data_stream/clicks_blocked/_dev/test/pipeline/test-clicks-blocked.log b/packages/proofpoint_tap/data_stream/clicks_blocked/_dev/test/pipeline/test-clicks-blocked.log new file mode 100644 index 00000000000..7a63004ccfb --- /dev/null +++ b/packages/proofpoint_tap/data_stream/clicks_blocked/_dev/test/pipeline/test-clicks-blocked.log 
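Review bot: The four mock rules in config.yml match on `path` and `methods` only, so the system test stays green even if the httpjson stream stops sending the Basic credentials or the `format=json` parameter; the `/v2/siem/messages/blocked` rule (and its three siblings) should constrain the request as well. If this stream version supports them, stream's http-server rules take `request_headers` and `query_params`, so something like `request_headers: {Authorization: ["Basic eHh4eDp4eHh4"]}` (base64 of the `xxxx:xxxx` principal/secret from test-default-config.yml, computed here) and `query_params: {format: ["json"]}` would pin what the agent actually sends. The time-dependent `interval` parameter cannot be matched literally, but a trailing catch-all rule that answers 401 would turn a dropped auth header into a visible failure instead of a silent pass.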
@@ -0,0 +1,5 @@ +{"url":"https://www.example.com/?name=john","classification":"phish","clickTime":"2022-03-21T07:52:11.000Z","threatTime":"2022-03-18T14:54:20.000Z","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 Edg/99.0.1150.39","campaignId":"46x01x8x-x899-404x-xxx9-111xx393d1x7","id":"8760d0fc-1234-1234-1234-2exxfxxxxx1xd","clickIP":"89.160.20.112","sender":"abc123@example.com","recipient":"123abc@example.com","senderIP":"81.2.69.143","GUID":"x11xxxx1-12f9-111x-x12x-1x1x123456xx","threatID":"3xx97xx852c66a7xx761450xxxxxx9f4ffaxxxxxxxxxxxxxxx7a76481xx","threatURL":"https://www.example.com/?name=john","threatStatus":"active","messageID":"12345678912345.12345.mail@example.com"} +{"url":"http://www.example.com/public/download-shares/wwwxxxyyyzzz12345","classification":"phish","clickTime":"2022-03-30T07:22:52.000Z","threatTime":"2022-03-07T01:21:41.000Z","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.60 Safari/537.36","campaignId":"46x01x8x-x899-404x-xxx9-111xx393d1x7","id":"b80af74a-1234-1234-1234-43xdxxbxxxxx6","clickIP":"89.160.20.112","sender":"abc123@example.com","recipient":"bd5da771530b11830e6dfd25838b0240@example.com","senderIP":"81.2.69.143","GUID":"bXkXXUrXAXVXWXGXxXrXAXXX-XXXH","threatID":"fdxxxxxxxxxxxcc34aff1aefxbx3xx7xb7xfxcxx1xxxxxxxx98780b5xxxexbx5xc32c","threatURL":"https://threatinsight.proofpoint.com/a2abc123-1234-1234-1234-babcded1234/threat/email/fdxxxxxxxxa080xxxxxxxxc6bcxxxxxxxxxxxx5aefb37xxxxb5ebxx1234","threatStatus":"active","messageID":"12345678912345.12345.mail@example.com"} +{"url":"https://www.example.com/url?q=httpabc12345","classification":"spam","clickTime":"2022-03-30T07:10:19.000Z","threatTime":"2022-03-29T09:27:21.000Z","userAgent":"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 
Safari/537.36","campaignId":"46x01x8x-x899-404x-xxx9-111xx393d1x7","id":"85219a90-1234-1234-1234-axx5xx4xxxfxxxx","clickIP":"89.160.20.112","sender":"abc123@example.com","recipient":"b81458bb9f757994e79a9287b8447622@example.com","senderIP":"81.2.69.143","GUID":"JXXXXaXehXHXzX-XxXhXyXXXXX7","threatID":"eaxxxxxxxxxxxx6376xxxxxxxxxxx1cba65xxx9x7xxxxxxxxxxfbbxx4x0","threatURL":"https://threatinsight.proofpoint.com/a2abc123-1234-1234-1234-babcded1234/threat/email/eaxxxxxa6597fd3xxxxxxxxx92e4xxxxxxxxxx27c98052fxxxxxxxxxx1234","threatStatus":"active","messageID":"12345678912345.12345.mail@example.com"} +{"url":"https://www.example.org/abcdabcd123?query=0","classification":"malware","clickTime":"2022-03-30T10:11:12.000Z","threatTime":"2022-03-21T14:40:31.000Z","userAgent":"Mozilla/5.0 (iPhone; CPU iPhone OS 14_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) GSA/199.0.427504638 Mobile/15E148 Safari/604.1","campaignId":"46x01x8x-x899-404x-xxx9-111xx393d1x7","id":"a5c9f8bb-1234-1234-1234-dxx9xcxxxx8xxxc","clickIP":"89.160.20.112","sender":"abc123@example.com","recipient":"9c52aa64228824247c48df69b066e5a7@example.com","senderIP":"81.2.69.143","GUID":"XXcXXxXDXVXXXXXXXXXXXX4XXXXX","threatID":"502bxxxxxxxxxxx70513b6cxxxxxxxxxxxxebc7fc699xxxxxxxxxxxxxxxxd5f","threatURL":"https://threatinsight.proofpoint.com/a2abc123-1234-1234-1234-babcded1234/threat/email/502xxxxxxxxxcebxxxxxxxxxxa04277xxxxx5dxc6xxxxxxxxx5f","threatStatus":"active","messageID":"12345678912345.12345.mail@example.com"} +{"url":"https://www.example.org","classification":"spam","clickTime":"2022-03-30T10:01:01.000Z","threatTime":"2022-03-14T05:59:12.000Z","userAgent":"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.82 
Safari/537.36","campaignId":"46x01x8x-x899-404x-xxx9-111xx393d1x7","id":"d35cc5fc-1234-1234-1234-2xxx0xaxbxcxx","clickIP":"89.160.20.112","sender":"abc123@example.com","recipient":"xyz@example.com","senderIP":"81.2.69.143","GUID":"uHXXXJXTXlXDXmXgXTX3XOXLNXVXNX3XXXHX","threatID":"47580xdx0x2x5x2xfx8x3x3x7x7xxxxcx6x7x4x4x1xexcx5cx9x3xfxfxxx1","threatURL":"https://threatinsight.proofpoint.com/a2abc123-1234-1234-1234-babcded1234/threat/email/4xxxxd02xxxxxxxxxxxxcacf9da3xxxxxxxxxxx9a947xxxxxxxxxx1","threatStatus":"active","messageID":"12345678912345.12345.mail@example.com"} diff --git a/packages/proofpoint_tap/data_stream/clicks_blocked/_dev/test/pipeline/test-clicks-blocked.log-expected.json b/packages/proofpoint_tap/data_stream/clicks_blocked/_dev/test/pipeline/test-clicks-blocked.log-expected.json new file mode 100644 index 00000000000..acfb0bb8710 --- /dev/null +++ b/packages/proofpoint_tap/data_stream/clicks_blocked/_dev/test/pipeline/test-clicks-blocked.log-expected.json 
@@ -0,0 +1,461 @@ +{ + "expected": [ + { + "@timestamp": "2022-03-21T07:52:11.000Z", + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.112" + }, + "ecs": { + "version": "8.2.0" + }, + "email": { + "from": { + "address": "abc123@example.com" + }, + "message_id": "12345678912345.12345.mail@example.com", + "to": { + "address": "123abc@example.com" + } + }, + "event": { + "category": [ + "email" + ], + "id": "8760d0fc-1234-1234-1234-2exxfxxxxx1xd", + "kind": "event", + "original": "{\"url\":\"https://www.example.com/?name=john\",\"classification\":\"phish\",\"clickTime\":\"2022-03-21T07:52:11.000Z\",\"threatTime\":\"2022-03-18T14:54:20.000Z\",\"userAgent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 Edg/99.0.1150.39\",\"campaignId\":\"46x01x8x-x899-404x-xxx9-111xx393d1x7\",\"id\":\"8760d0fc-1234-1234-1234-2exxfxxxxx1xd\",\"clickIP\":\"89.160.20.112\",\"sender\":\"abc123@example.com\",\"recipient\":\"123abc@example.com\",\"senderIP\":\"81.2.69.143\",\"GUID\":\"x11xxxx1-12f9-111x-x12x-1x1x123456xx\",\"threatID\":\"3xx97xx852c66a7xx761450xxxxxx9f4ffaxxxxxxxxxxxxxxx7a76481xx\",\"threatURL\":\"https://www.example.com/?name=john\",\"threatStatus\":\"active\",\"messageID\":\"12345678912345.12345.mail@example.com\"}", + "type": [ + "denied" + ] + }, + "proofpoint_tap": { + "clicks_blocked": { + "campaign_id": "46x01x8x-x899-404x-xxx9-111xx393d1x7", + "classification": "phish", + "threat": { + "id": "3xx97xx852c66a7xx761450xxxxxx9f4ffaxxxxxxxxxxxxxxx7a76481xx", + "status": "active", + "time": "2022-03-18T14:54:20.000Z", + "url": "https://www.example.com/?name=john" + } + }, + "guid": 
"x11xxxx1-12f9-111x-x12x-1x1x123456xx" + }, + "related": { + "ip": [ + "81.2.69.143", + "89.160.20.112" + ] + }, + "source": { + "ip": "81.2.69.143" + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "www.example.com", + "full": "https://www.example.com/?name=john", + "path": "/", + "query": "name=john", + "scheme": "https" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Edge", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 Edg/99.0.1150.39", + "os": { + "full": "Windows 10", + "name": "Windows", + "version": "10" + }, + "version": "99.0.1150.39" + } + }, + { + "@timestamp": "2022-03-30T07:22:52.000Z", + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.112" + }, + "ecs": { + "version": "8.2.0" + }, + "email": { + "from": { + "address": "abc123@example.com" + }, + "message_id": "12345678912345.12345.mail@example.com", + "to": { + "address": "bd5da771530b11830e6dfd25838b0240@example.com" + } + }, + "event": { + "category": [ + "email" + ], + "id": "b80af74a-1234-1234-1234-43xdxxbxxxxx6", + "kind": "event", + "original": "{\"url\":\"http://www.example.com/public/download-shares/wwwxxxyyyzzz12345\",\"classification\":\"phish\",\"clickTime\":\"2022-03-30T07:22:52.000Z\",\"threatTime\":\"2022-03-07T01:21:41.000Z\",\"userAgent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.60 
Safari/537.36\",\"campaignId\":\"46x01x8x-x899-404x-xxx9-111xx393d1x7\",\"id\":\"b80af74a-1234-1234-1234-43xdxxbxxxxx6\",\"clickIP\":\"89.160.20.112\",\"sender\":\"abc123@example.com\",\"recipient\":\"bd5da771530b11830e6dfd25838b0240@example.com\",\"senderIP\":\"81.2.69.143\",\"GUID\":\"bXkXXUrXAXVXWXGXxXrXAXXX-XXXH\",\"threatID\":\"fdxxxxxxxxxxxcc34aff1aefxbx3xx7xb7xfxcxx1xxxxxxxx98780b5xxxexbx5xc32c\",\"threatURL\":\"https://threatinsight.proofpoint.com/a2abc123-1234-1234-1234-babcded1234/threat/email/fdxxxxxxxxa080xxxxxxxxc6bcxxxxxxxxxxxx5aefb37xxxxb5ebxx1234\",\"threatStatus\":\"active\",\"messageID\":\"12345678912345.12345.mail@example.com\"}", + "type": [ + "denied" + ] + }, + "proofpoint_tap": { + "clicks_blocked": { + "campaign_id": "46x01x8x-x899-404x-xxx9-111xx393d1x7", + "classification": "phish", + "threat": { + "id": "fdxxxxxxxxxxxcc34aff1aefxbx3xx7xb7xfxcxx1xxxxxxxx98780b5xxxexbx5xc32c", + "status": "active", + "time": "2022-03-07T01:21:41.000Z", + "url": "https://threatinsight.proofpoint.com/a2abc123-1234-1234-1234-babcded1234/threat/email/fdxxxxxxxxa080xxxxxxxxc6bcxxxxxxxxxxxx5aefb37xxxxb5ebxx1234" + } + }, + "guid": "bXkXXUrXAXVXWXGXxXrXAXXX-XXXH" + }, + "related": { + "ip": [ + "81.2.69.143", + "89.160.20.112" + ] + }, + "source": { + "ip": "81.2.69.143" + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "www.example.com", + "full": "http://www.example.com/public/download-shares/wwwxxxyyyzzz12345", + "path": "/public/download-shares/wwwxxxyyyzzz12345", + "scheme": "http" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Chrome", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.60 Safari/537.36", + "os": { + "full": "Windows 10", + "name": "Windows", + "version": "10" + }, + "version": "100.0.4896.60" + } + }, + { + "@timestamp": "2022-03-30T07:10:19.000Z", + "destination": { + "as": { + "number": 29518, + "organization": { + "name": 
"Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.112" + }, + "ecs": { + "version": "8.2.0" + }, + "email": { + "from": { + "address": "abc123@example.com" + }, + "message_id": "12345678912345.12345.mail@example.com", + "to": { + "address": "b81458bb9f757994e79a9287b8447622@example.com" + } + }, + "event": { + "category": [ + "email" + ], + "id": "85219a90-1234-1234-1234-axx5xx4xxxfxxxx", + "kind": "event", + "original": "{\"url\":\"https://www.example.com/url?q=httpabc12345\",\"classification\":\"spam\",\"clickTime\":\"2022-03-30T07:10:19.000Z\",\"threatTime\":\"2022-03-29T09:27:21.000Z\",\"userAgent\":\"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36\",\"campaignId\":\"46x01x8x-x899-404x-xxx9-111xx393d1x7\",\"id\":\"85219a90-1234-1234-1234-axx5xx4xxxfxxxx\",\"clickIP\":\"89.160.20.112\",\"sender\":\"abc123@example.com\",\"recipient\":\"b81458bb9f757994e79a9287b8447622@example.com\",\"senderIP\":\"81.2.69.143\",\"GUID\":\"JXXXXaXehXHXzX-XxXhXyXXXXX7\",\"threatID\":\"eaxxxxxxxxxxxx6376xxxxxxxxxxx1cba65xxx9x7xxxxxxxxxxfbbxx4x0\",\"threatURL\":\"https://threatinsight.proofpoint.com/a2abc123-1234-1234-1234-babcded1234/threat/email/eaxxxxxa6597fd3xxxxxxxxx92e4xxxxxxxxxx27c98052fxxxxxxxxxx1234\",\"threatStatus\":\"active\",\"messageID\":\"12345678912345.12345.mail@example.com\"}", + "type": [ + "denied" + ] + }, + "proofpoint_tap": { + "clicks_blocked": { + "campaign_id": "46x01x8x-x899-404x-xxx9-111xx393d1x7", + "classification": "spam", + "threat": { + "id": "eaxxxxxxxxxxxx6376xxxxxxxxxxx1cba65xxx9x7xxxxxxxxxxfbbxx4x0", + "status": "active", + "time": "2022-03-29T09:27:21.000Z", + "url": 
"https://threatinsight.proofpoint.com/a2abc123-1234-1234-1234-babcded1234/threat/email/eaxxxxxa6597fd3xxxxxxxxx92e4xxxxxxxxxx27c98052fxxxxxxxxxx1234" + } + }, + "guid": "JXXXXaXehXHXzX-XxXhXyXXXXX7" + }, + "related": { + "ip": [ + "81.2.69.143", + "89.160.20.112" + ] + }, + "source": { + "ip": "81.2.69.143" + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "www.example.com", + "full": "https://www.example.com/url?q=httpabc12345", + "path": "/url", + "query": "q=httpabc12345", + "scheme": "https" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Chrome", + "original": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36", + "os": { + "full": "Windows 7", + "name": "Windows", + "version": "7" + }, + "version": "72.0.3626.109" + } + }, + { + "@timestamp": "2022-03-30T10:11:12.000Z", + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.112" + }, + "ecs": { + "version": "8.2.0" + }, + "email": { + "from": { + "address": "abc123@example.com" + }, + "message_id": "12345678912345.12345.mail@example.com", + "to": { + "address": "9c52aa64228824247c48df69b066e5a7@example.com" + } + }, + "event": { + "category": [ + "email" + ], + "id": "a5c9f8bb-1234-1234-1234-dxx9xcxxxx8xxxc", + "kind": "event", + "original": "{\"url\":\"https://www.example.org/abcdabcd123?query=0\",\"classification\":\"malware\",\"clickTime\":\"2022-03-30T10:11:12.000Z\",\"threatTime\":\"2022-03-21T14:40:31.000Z\",\"userAgent\":\"Mozilla/5.0 (iPhone; CPU iPhone OS 14_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) GSA/199.0.427504638 Mobile/15E148 
Safari/604.1\",\"campaignId\":\"46x01x8x-x899-404x-xxx9-111xx393d1x7\",\"id\":\"a5c9f8bb-1234-1234-1234-dxx9xcxxxx8xxxc\",\"clickIP\":\"89.160.20.112\",\"sender\":\"abc123@example.com\",\"recipient\":\"9c52aa64228824247c48df69b066e5a7@example.com\",\"senderIP\":\"81.2.69.143\",\"GUID\":\"XXcXXxXDXVXXXXXXXXXXXX4XXXXX\",\"threatID\":\"502bxxxxxxxxxxx70513b6cxxxxxxxxxxxxebc7fc699xxxxxxxxxxxxxxxxd5f\",\"threatURL\":\"https://threatinsight.proofpoint.com/a2abc123-1234-1234-1234-babcded1234/threat/email/502xxxxxxxxxcebxxxxxxxxxxa04277xxxxx5dxc6xxxxxxxxx5f\",\"threatStatus\":\"active\",\"messageID\":\"12345678912345.12345.mail@example.com\"}", + "type": [ + "denied" + ] + }, + "proofpoint_tap": { + "clicks_blocked": { + "campaign_id": "46x01x8x-x899-404x-xxx9-111xx393d1x7", + "classification": "malware", + "threat": { + "id": "502bxxxxxxxxxxx70513b6cxxxxxxxxxxxxebc7fc699xxxxxxxxxxxxxxxxd5f", + "status": "active", + "time": "2022-03-21T14:40:31.000Z", + "url": "https://threatinsight.proofpoint.com/a2abc123-1234-1234-1234-babcded1234/threat/email/502xxxxxxxxxcebxxxxxxxxxxa04277xxxxx5dxc6xxxxxxxxx5f" + } + }, + "guid": "XXcXXxXDXVXXXXXXXXXXXX4XXXXX" + }, + "related": { + "ip": [ + "81.2.69.143", + "89.160.20.112" + ] + }, + "source": { + "ip": "81.2.69.143" + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "www.example.org", + "full": "https://www.example.org/abcdabcd123?query=0", + "path": "/abcdabcd123", + "query": "query=0", + "scheme": "https" + }, + "user_agent": { + "device": { + "name": "iPhone" + }, + "name": "Google", + "original": "Mozilla/5.0 (iPhone; CPU iPhone OS 14_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) GSA/199.0.427504638 Mobile/15E148 Safari/604.1", + "os": { + "full": "iOS 14.6", + "name": "iOS", + "version": "14.6" + }, + "version": "199.0.427504638" + } + }, + { + "@timestamp": "2022-03-30T10:01:01.000Z", + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": 
{ + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.112" + }, + "ecs": { + "version": "8.2.0" + }, + "email": { + "from": { + "address": "abc123@example.com" + }, + "message_id": "12345678912345.12345.mail@example.com", + "to": { + "address": "xyz@example.com" + } + }, + "event": { + "category": [ + "email" + ], + "id": "d35cc5fc-1234-1234-1234-2xxx0xaxbxcxx", + "kind": "event", + "original": "{\"url\":\"https://www.example.org\",\"classification\":\"spam\",\"clickTime\":\"2022-03-30T10:01:01.000Z\",\"threatTime\":\"2022-03-14T05:59:12.000Z\",\"userAgent\":\"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.82 Safari/537.36\",\"campaignId\":\"46x01x8x-x899-404x-xxx9-111xx393d1x7\",\"id\":\"d35cc5fc-1234-1234-1234-2xxx0xaxbxcxx\",\"clickIP\":\"89.160.20.112\",\"sender\":\"abc123@example.com\",\"recipient\":\"xyz@example.com\",\"senderIP\":\"81.2.69.143\",\"GUID\":\"uHXXXJXTXlXDXmXgXTX3XOXLNXVXNX3XXXHX\",\"threatID\":\"47580xdx0x2x5x2xfx8x3x3x7x7xxxxcx6x7x4x4x1xexcx5cx9x3xfxfxxx1\",\"threatURL\":\"https://threatinsight.proofpoint.com/a2abc123-1234-1234-1234-babcded1234/threat/email/4xxxxd02xxxxxxxxxxxxcacf9da3xxxxxxxxxxx9a947xxxxxxxxxx1\",\"threatStatus\":\"active\",\"messageID\":\"12345678912345.12345.mail@example.com\"}", + "type": [ + "denied" + ] + }, + "proofpoint_tap": { + "clicks_blocked": { + "campaign_id": "46x01x8x-x899-404x-xxx9-111xx393d1x7", + "classification": "spam", + "threat": { + "id": "47580xdx0x2x5x2xfx8x3x3x7x7xxxxcx6x7x4x4x1xexcx5cx9x3xfxfxxx1", + "status": "active", + "time": "2022-03-14T05:59:12.000Z", + "url": "https://threatinsight.proofpoint.com/a2abc123-1234-1234-1234-babcded1234/threat/email/4xxxxd02xxxxxxxxxxxxcacf9da3xxxxxxxxxxx9a947xxxxxxxxxx1" + } + }, + "guid": 
"uHXXXJXTXlXDXmXgXTX3XOXLNXVXNX3XXXHX" + }, + "related": { + "ip": [ + "81.2.69.143", + "89.160.20.112" + ] + }, + "source": { + "ip": "81.2.69.143" + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "www.example.org", + "full": "https://www.example.org", + "scheme": "https" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Chrome", + "original": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.82 Safari/537.36", + "os": { + "full": "Windows 10", + "name": "Windows", + "version": "10" + }, + "version": "99.0.4844.82" + } + } + ] +} \ No newline at end of file diff --git a/packages/proofpoint_tap/data_stream/clicks_blocked/_dev/test/pipeline/test-common-config.yml b/packages/proofpoint_tap/data_stream/clicks_blocked/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 00000000000..4da22641654 --- /dev/null +++ b/packages/proofpoint_tap/data_stream/clicks_blocked/_dev/test/pipeline/test-common-config.yml @@ -0,0 +1,3 @@ +fields: + tags: + - preserve_original_event diff --git a/packages/proofpoint_tap/data_stream/clicks_blocked/_dev/test/system/test-default-config.yml b/packages/proofpoint_tap/data_stream/clicks_blocked/_dev/test/system/test-default-config.yml new file mode 100644 index 00000000000..ec9377ca329 --- /dev/null +++ b/packages/proofpoint_tap/data_stream/clicks_blocked/_dev/test/system/test-default-config.yml @@ -0,0 +1,9 @@ +input: httpjson +service: proofpoint_tap +vars: + url: http://{{Hostname}}:{{Port}} + principal: xxxx + secret: xxxx +data_stream: + vars: + preserve_original_event: true diff --git a/packages/proofpoint_tap/data_stream/clicks_blocked/agent/stream/httpjson.yml.hbs b/packages/proofpoint_tap/data_stream/clicks_blocked/agent/stream/httpjson.yml.hbs new file mode 100644 index 00000000000..c6e6cfa7ec9 --- /dev/null +++ b/packages/proofpoint_tap/data_stream/clicks_blocked/agent/stream/httpjson.yml.hbs 
@@ -0,0 +1,44 @@
+config_version: 2
+interval: {{interval}}
+{{#if proxy_url }}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+request.method: GET
+request.url: {{url}}/v2/siem/clicks/blocked
+auth.basic.user: {{principal}}
+auth.basic.password: {{secret}}
+request.transforms:
+ - set:
+ target: url.params.format
+ value: json
+ - set:
+ target: url.params.interval
+ value: '[[if (le (formatDate ((parseDate .cursor.last_received_time "RFC3339").Add (parseDuration "1h"))) (formatDate (now)))]][[formatDate (parseDate .cursor.last_received_time "RFC3339")]]/[[formatDate ((parseDate .cursor.last_received_time "RFC3339").Add (parseDuration "1h"))]][[else]][[formatDate (parseDate .cursor.last_received_time "RFC3339")]]/[[formatDate now]][[end]]'
+ default: '[[formatDate (now (parseDuration "-{{initial_interval}}"))]]/[[formatDate ((now (parseDuration "-{{initial_interval}}")).Add (parseDuration "1h"))]]'
+response.pagination:
+ - set:
+ target: url.params.interval
+ value: '[[if (le (formatDate ((parseDate .last_response.body.queryEndTime "RFC3339").Add (parseDuration "1h"))) (formatDate (now)))]][[formatDate (parseDate .last_response.body.queryEndTime "RFC3339")]]/[[formatDate ((parseDate .last_response.body.queryEndTime "RFC3339").Add (parseDuration "1h"))]][[else]][[.last_response.terminate_pagination]][[end]]'
+ fail_on_template_error: true
+cursor:
+ last_received_time:
+ value: '[[.last_response.body.queryEndTime]]'
+response.split:
+ target: body.clicksBlocked
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
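Review bot: `auth.basic.user: {{principal}}` and `auth.basic.password: {{secret}}` (and likewise `request.url: {{url}}/v2/siem/clicks/blocked` and `request.proxy_url: {{proxy_url}}`) are interpolated into plain, unquoted YAML scalars, so a credential or URL containing ` #`, `: `, a leading `*`, `&`, `[` or `{`, or a line break is parsed as something other than the intended string once Handlebars has rendered the file, and the input may fail to load or authenticate with nothing pointing at the cause. The rendered text is only parsed as YAML after templating, so these values need quoting or escaping at render time, e.g. `auth.basic.password: "{{secret}}"`, with any embedded double quotes or backslashes escaped by the template rather than left to the user. `{{#if proxy_url }}` also carries a stray space before `}}` that the neighbouring `{{#if ssl}}` does not.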
diff --git a/packages/proofpoint_tap/data_stream/clicks_blocked/elasticsearch/ingest_pipeline/default.yml b/packages/proofpoint_tap/data_stream/clicks_blocked/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..4647d994c37
--- /dev/null
+++ b/packages/proofpoint_tap/data_stream/clicks_blocked/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,168 @@
+---
+description: Pipeline for parsing Proofpoint TAP blocked clicks logs.
+processors:
+ - set:
+ field: ecs.version
+ value: '8.2.0'
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ - json:
+ field: event.original
+ target_field: json
+ ignore_failure: true
+ - fingerprint:
+ fields:
+ - json.GUID
+ - json.clickTime
+ - json.threatTime
+ target_field: _id
+ ignore_missing: true
+ - append:
+ field: event.category
+ value: email
+ ignore_failure: true
+ - append:
+ field: event.type
+ value: denied
+ ignore_failure: true
+ - set:
+ field: event.kind
+ value: event
+ - rename:
+ field: json.sender
+ target_field: email.from.address
+ ignore_missing: true
+ - rename:
+ field: json.messageID
+ target_field: email.message_id
+ ignore_missing: true
+ - rename:
+ field: json.recipient
+ target_field: email.to.address
+ ignore_missing: true
+ - date:
+ field: json.clickTime
+ target_field: '@timestamp'
+ ignore_failure: true
+ formats:
+ - ISO8601
+ - rename:
+ field: json.id
+ target_field: event.id
+ ignore_missing: true
+ - append:
+ field: related.ip
+ value: '{{{json.senderIP}}}'
+ if: ctx.json?.senderIP != null && ctx.json?.senderIP != ''
+ allow_duplicates: false
+ ignore_failure: true
+ - append:
+ field: related.ip
+ value: '{{{json.clickIP}}}'
+ if: ctx.json?.clickIP != null && ctx.json?.clickIP != ''
+ allow_duplicates: false
+ ignore_failure: true
+ - convert:
+ field: json.clickIP
+ target_field: destination.ip
+ type: ip
+ ignore_failure: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+ - convert:
+ field: json.senderIP
+ target_field: source.ip
+ type: ip
+ ignore_failure: true
+ - date:
+ field: json.threatTime
+ target_field: proofpoint_tap.clicks_blocked.threat.time
+ ignore_failure: true
+ formats:
+ - ISO8601
+ - uri_parts:
+ field: json.url
+ keep_original: false
+ ignore_failure: true
+ - urldecode:
+ field: json.url
+ target_field: url.full
+ ignore_missing: true
+ - user_agent:
+ field: json.userAgent
+ target_field: user_agent
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.campaignId
+ target_field: proofpoint_tap.clicks_blocked.campaign_id
+ ignore_missing: true
+ - rename:
+ field: json.classification
+ target_field: proofpoint_tap.clicks_blocked.classification
+ ignore_missing: true
+ - rename:
+ field: json.GUID
+ target_field: proofpoint_tap.guid
+ ignore_missing: true
+ - rename:
+ field: json.threatID
+ target_field: proofpoint_tap.clicks_blocked.threat.id
+ ignore_missing: true
+ - rename:
+ field: json.threatStatus
+ target_field: proofpoint_tap.clicks_blocked.threat.status
+ ignore_missing: true
+ - rename:
+ field: json.threatURL
+ target_field: proofpoint_tap.clicks_blocked.threat.url
+ ignore_missing: true
+ - remove:
+ field: event.original
+ if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))
+ ignore_failure: true
+ ignore_missing: true
+ - remove:
+ field: json
+ ignore_missing: true
+ - script:
+ description: Drops null/empty values recursively.
+ lang: painless
+ source: |
+ boolean dropEmptyFields(Object object) {
+ if (object == null || object == "") {
+ return true;
+ } else if (object instanceof Map) {
+ ((Map) object).values().removeIf(value -> dropEmptyFields(value));
+ return (((Map) object).size() == 0);
+ } else if (object instanceof List) {
+ ((List) object).removeIf(value -> dropEmptyFields(value));
+ return (((List) object).length == 0);
+ }
+ return false;
+ }
+ dropEmptyFields(ctx);
+on_failure:
+- set:
+ field: error.message
+ value: '{{{ _ingest.on_failure_message }}}'
diff --git a/packages/proofpoint_tap/data_stream/clicks_blocked/fields/agent.yml b/packages/proofpoint_tap/data_stream/clicks_blocked/fields/agent.yml
new file mode 100644
index 00000000000..73e076a93b1
--- /dev/null
+++ b/packages/proofpoint_tap/data_stream/clicks_blocked/fields/agent.yml
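Review bot: The `json` processor that parses `event.original` runs with `ignore_failure: true`, so a line that is not valid JSON produces a document with no `json.*` fields, an `@timestamp` left at whatever the agent supplied (the following `date` processor is also `ignore_failure: true`) and no `error.message`, because the `on_failure` handler is never reached — it is indexed as an apparently normal but empty click event. Dropping `ignore_failure` from the `json` processor would route such lines to the existing handler, and the handler could additionally set `event.kind: pipeline_error` beside `error.message` so these documents can be found, e.g. `- set: {field: event.kind, value: pipeline_error}`. Separately, `json.classification` is renamed as-is while the fixtures in this commit carry both `malware` and `MALWARE`, so a `lowercase` processor on `proofpoint_tap.clicks_blocked.classification` would keep aggregations on that field from splitting by case. The `fingerprint` that derives `_id` from `json.GUID`, `json.clickTime` and `json.threatTime` also deserves a one-line comment stating that it is the deduplication key for overlapping fetch windows, since nothing else in the pipeline explains the choice of fields.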
@@ -0,0 +1,186 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container ID. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host IP addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset 
diff --git a/packages/proofpoint_tap/data_stream/clicks_blocked/fields/base-fields.yml b/packages/proofpoint_tap/data_stream/clicks_blocked/fields/base-fields.yml
new file mode 100644
index 00000000000..cdbe703dbe7
--- /dev/null
+++ b/packages/proofpoint_tap/data_stream/clicks_blocked/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module.
+ value: proofpoint_tap
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset.
+ value: proofpoint_tap.clicks_blocked
diff --git a/packages/proofpoint_tap/data_stream/clicks_blocked/fields/ecs.yml b/packages/proofpoint_tap/data_stream/clicks_blocked/fields/ecs.yml
new file mode 100644
index 00000000000..dc9359fa343
--- /dev/null
+++ b/packages/proofpoint_tap/data_stream/clicks_blocked/fields/ecs.yml
@@ -0,0 +1,82 @@
+- external: ecs
+ name: destination.as.number
+- external: ecs
+ name: destination.as.organization.name
+- external: ecs
+ name: destination.geo.city_name
+- external: ecs
+ name: destination.geo.continent_name
+- external: ecs
+ name: destination.geo.country_iso_code
+- external: ecs
+ name: destination.geo.country_name
+- external: ecs
+ name: destination.geo.location
+- external: ecs
+ name: destination.geo.region_iso_code
+- external: ecs
+ name: destination.geo.region_name
+- external: ecs
+ name: destination.ip
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: email.from.address
+- external: ecs
+ name: email.message_id
+- external: ecs
+ name: email.to.address
+- external: ecs
+ name: event.category
+- external: ecs
+ name: event.created
+- external: ecs
+ name: event.id
+- external: ecs
+ name: event.kind
+- external: ecs
+ name: event.original
+- external: ecs
+ name: event.type
+- external: ecs
+ name: related.ip
+- external: ecs
+ name: source.ip
+- external: ecs
+ name: tags
+- external: ecs
+ name: url.domain
+- external: ecs
+ name: url.extension
+- external: ecs
+ name: url.fragment
+- external: ecs
+ name: url.full
+- external: ecs
+ name: url.original
+- external: ecs
+ name: url.password
+- external: ecs
+ name: url.path
+- external: ecs
+ name: url.port
+- external: ecs
+ name: url.query
+- external: ecs
+ name: url.scheme
+- external: ecs
+ name: url.username
+- external: ecs
+ name: user_agent.device.name
+- external: ecs
+ name: user_agent.name
+- external: ecs
+ name: user_agent.original
+- external: ecs
+ name: user_agent.os.full
+- external: ecs
+ name: user_agent.os.name
+- external: ecs
+ name: user_agent.os.version
+- external: ecs
+ name: user_agent.version
diff --git a/packages/proofpoint_tap/data_stream/clicks_blocked/fields/fields.yml b/packages/proofpoint_tap/data_stream/clicks_blocked/fields/fields.yml
new file mode 100644
index 00000000000..7e52d6873de
--- /dev/null
+++ b/packages/proofpoint_tap/data_stream/clicks_blocked/fields/fields.yml
@@ -0,0 +1,33 @@
+- name: proofpoint_tap
+ type: group
+ fields:
+ - name: clicks_blocked
+ type: group
+ fields:
+ - name: campaign_id
+ type: keyword
+ description: An identifier for the campaign of which the threat is a member, if available at the time of the query. Threats can be linked to campaigns even after these events are retrieved.
+ - name: classification
+ type: keyword
+ description: The threat category of the malicious URL.
+ - name: sender_ip
+ type: ip
+ description: The IP address of the sender.
+ - name: threat
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ description: The unique identifier associated with this threat. It can be used to query the forensics and campaign endpoints.
+ - name: status
+ type: keyword
+ description: The current state of the threat.
+ - name: time
+ type: date
+ description: Proofpoint identified the URL as a threat at this time.
+ - name: url
+ type: keyword
+ description: A link to the entry on the TAP Dashboard for the particular threat.
+ - name: guid
+ type: keyword
+ description: The ID of the message within PPS. It can be used to identify the message in PPS and is guaranteed to be unique.
diff --git a/packages/proofpoint_tap/data_stream/clicks_blocked/manifest.yml b/packages/proofpoint_tap/data_stream/clicks_blocked/manifest.yml
new file mode 100644
index 00000000000..3a343b9f5e7
--- /dev/null
+++ b/packages/proofpoint_tap/data_stream/clicks_blocked/manifest.yml
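Review bot: `sender_ip` is declared under `proofpoint_tap.clicks_blocked` with `type: ip`, but the data stream's pipeline in this commit converts `json.senderIP` into `source.ip` and never writes `proofpoint_tap.clicks_blocked.sender_ip`, so this is a dead mapping that only surfaces in generated docs and field lists; either drop the entry or have the pipeline populate it. `guid` is the one field placed directly under `proofpoint_tap` rather than inside `clicks_blocked`, which the pipeline's `target_field: proofpoint_tap.guid` confirms is intended; a short addition to its description saying the field sits at package level on purpose would stop a later maintainer "fixing" it, e.g. `description: The ID of the message within PPS. Kept at the package level rather than under clicks_blocked. ...`.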
@@ -0,0 +1,50 @@
+title: Clicks Blocked
+type: logs
+streams:
+ - input: httpjson
+ template_path: httpjson.yml.hbs
+ title: Proofpoint_TAP Clicks Blocked logs
+ description: Collect Proofpoint TAP Clicks Blocked logs via API.
+ vars:
+ - name: interval
+ type: text
+ title: Interval
+ description: Interval to fetch data from Proofpoint TAP API (The interval should be at least 1m).
+ multi: false
+ required: true
+ show_user: true
+ default: 1h
+ - name: initial_interval
+ type: text
+ title: Initial Interval
+ description: How far back to pull the tap data from the Proofpoint TAP API (The initial interval should be a maximum of 7 days).
+ default: 24h
+ multi: false
+ required: true
+ show_user: true
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - proofpoint_tap-clicks_blocked
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
diff --git a/packages/proofpoint_tap/data_stream/clicks_blocked/sample_event.json b/packages/proofpoint_tap/data_stream/clicks_blocked/sample_event.json
new file mode 100644
index 00000000000..881c2f01a86
--- /dev/null
+++ b/packages/proofpoint_tap/data_stream/clicks_blocked/sample_event.json
@@ -0,0 +1,119 @@ +{ + "@timestamp": "2022-03-30T10:11:12.000Z", + "agent": { + "ephemeral_id": "cd4a05a0-d8d5-4b88-b709-b525da6dd43e", + "hostname": "docker-fleet-agent", + "id": "3dc09e3a-0004-444b-a301-8c632b17172b", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "data_stream": { + "dataset": "proofpoint_tap.clicks_blocked", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.112" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "3dc09e3a-0004-444b-a301-8c632b17172b", + "snapshot": false, + "version": "7.17.0" + }, + "email": { + "from": { + "address": "abc123@example.com" + }, + "message_id": "12345678912345.12345.mail@example.com", + "to": { + "address": "9c52aa64228824247c48df69b066e5a7@example.com" + } + }, + "event": { + "agent_id_status": "verified", + "category": [ + "email" + ], + "created": "2022-05-09T09:38:11.168Z", + "dataset": "proofpoint_tap.clicks_blocked", + "id": "a5c9f8bb-1234-1234-1234-dx9xxx2xx9xxx", + "ingested": "2022-05-09T09:38:14Z", + "kind": "event", + "original": 
"{\"GUID\":\"ZcxxxxVxyxFxyxLxxxDxVxx4xxxxx\",\"campaignId\":\"46x01x8x-x899-404x-xxx9-111xx393d1x7\",\"classification\":\"malware\",\"clickIP\":\"89.160.20.112\",\"clickTime\":\"2022-03-30T10:11:12.000Z\",\"id\":\"a5c9f8bb-1234-1234-1234-dx9xxx2xx9xxx\",\"messageID\":\"12345678912345.12345.mail@example.com\",\"recipient\":\"9c52aa64228824247c48df69b066e5a7@example.com\",\"sender\":\"abc123@example.com\",\"senderIP\":\"81.2.69.143\",\"threatID\":\"502b7xxxx0x5x1x3xb6xcxexbxxxxxxxcxxexc6xbxxxxxxdx7fxcx6x9xxxx9xdxxxxxxxx5f\",\"threatStatus\":\"active\",\"threatTime\":\"2022-03-21T14:40:31.000Z\",\"threatURL\":\"https://threatinsight.proofpoint.com/a2abc123-1234-1234-1234-babcded1234/threat/email/502xxxxxxxxxcebxxxxxxxxxxa04277xxxxx5dxc6xxxxxxxxx5f\",\"url\":\"https://www.example.com/abcdabcd123?query=0\",\"userAgent\":\"Mozilla/5.0 (iPhone; CPU iPhone OS 14_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) GSA/199.0.427504638 Mobile/15E148 Safari/604.1\"}", + "type": [ + "denied" + ] + }, + "input": { + "type": "httpjson" + }, + "proofpoint_tap": { + "clicks_blocked": { + "campaign_id": "46x01x8x-x899-404x-xxx9-111xx393d1x7", + "classification": "malware", + "threat": { + "id": "502b7xxxx0x5x1x3xb6xcxexbxxxxxxxcxxexc6xbxxxxxxdx7fxcx6x9xxxx9xdxxxxxxxx5f", + "status": "active", + "time": "2022-03-21T14:40:31.000Z", + "url": "https://threatinsight.proofpoint.com/a2abc123-1234-1234-1234-babcded1234/threat/email/502xxxxxxxxxcebxxxxxxxxxxa04277xxxxx5dxc6xxxxxxxxx5f" + } + }, + "guid": "ZcxxxxVxyxFxyxLxxxDxVxx4xxxxx" + }, + "related": { + "ip": [ + "81.2.69.143", + "89.160.20.112" + ] + }, + "source": { + "ip": "81.2.69.143" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "proofpoint_tap-clicks_blocked" + ], + "url": { + "domain": "www.example.com", + "full": "https://www.example.com/abcdabcd123?query=0", + "path": "/abcdabcd123", + "query": "query=0", + "scheme": "https" + }, + "user_agent": { + "device": { + "name": "iPhone" + }, + "name": "Google", 
+ "original": "Mozilla/5.0 (iPhone; CPU iPhone OS 14_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) GSA/199.0.427504638 Mobile/15E148 Safari/604.1", + "os": { + "full": "iOS 14.6", + "name": "iOS", + "version": "14.6" + }, + "version": "199.0.427504638" + } +} \ No newline at end of file diff --git a/packages/proofpoint_tap/data_stream/clicks_permitted/_dev/test/pipeline/test-clicks-permitted.log b/packages/proofpoint_tap/data_stream/clicks_permitted/_dev/test/pipeline/test-clicks-permitted.log new file mode 100644 index 00000000000..c74362e0cb1 --- /dev/null +++ b/packages/proofpoint_tap/data_stream/clicks_permitted/_dev/test/pipeline/test-clicks-permitted.log 
@@ -0,0 +1,4 @@ +{"campaignId":"46x01x8x-x899-404x-xxx9-111xx393d1x7","classification":"MALWARE","clickIP":"89.160.20.112","clickTime":"2016-06-24T19:17:44.000Z","GUID":"x11xxxx1-12f9-111x-x12x-1x1x123XXX6xx","id":"a2abc123-1234-1234-1234-babcded1234","messageID":"12345678912345.12345.mail@example.com","recipient":"example.abc@example.com","sender":"abc@example.com","senderIP":"81.2.69.143","threatID":"61f7622xx1x6x7x1x4xxxxxxxxxxx4xdbaxxxxxxxxxxx5xex3xbxxxxxdxfx5xxxxx0","threatTime":"2016-06-24T19:17:46.000Z","threatURL":"https://threatinsight.proofpoint.com/#/a2abc123-1234-1234-1234-babcded1234/threat/u/6xxx1xxxfx7x62x2x1x6x7x1x4x4xdxxxbxa5xex5x0xxxxx","threatStatus":"active","url":"http://example.com/","userAgent":"Mozilla/5.0(WindowsNT6.1;WOW64;rv:27.0)Gecko/20100101Firefox/27.0"} +{"url":"https://example.com/collab/?id=x4x3x6xsx1xxxx8xEdxexnxxxaxX","classification":"phish","clickTime":"2022-03-21T20:39:37.000Z","threatTime":"2022-03-30T10:05:57.000Z","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36 Edg/99.0.1150.46","campaignId":"46x01x8x-x899-404x-xxx9-111xx393d1x7","id":"de7eef56-1234-1234-1234-54xxxxx123","clickIP":"89.160.20.112","sender":"abc123@example.com","recipient":"abc@example.com","senderIP":"81.2.69.143","GUID":"cXXTXpX7jXXXXHXxXBXXkXXXwXXX","threatID":"92c17aaxxxxxxxxxx07xx7xxxx9xexcx3x3xxxxxx8xx3xxxx","threatURL":"https://threatinsight.proofpoint.com/a2abc123-1234-1234-1234-babcded1234/threat/email/92c17aaxxxxxxxxxx07xx7xxxx9xexcx3x3xxxxxx8xx3xxxx","threatStatus":"active","messageID":"12345678912345.12345.mail@example.com"} +{"url":"http://example.com/ixxxx464xxx6x6xxd_cXxxxT_kxxTuQx_xIhxlx2qxxnxvxPxn","classification":"spam","clickTime":"2022-03-30T10:51:53.000Z","threatTime":"2022-02-26T00:36:25.000Z","userAgent":"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 
Safari/537.36","campaignId":"46x01x8x-x899-404x-xxx9-111xx393d1x7","id":"90dd54bc-1234-1234-1234-cxxxxxxxxx4","clickIP":"89.160.20.112","sender":"abc123@example.com","recipient":"exxxxxxx8x2xxxx2x6x6xxxxx6xxxx5@example.com","senderIP":"81.2.69.143","GUID":"QUWXXxXXJHlYXRXXXXVXUXXk","threatID":"xxxxxxbx1cxcxx0xcx5xxxxdx5xex8xbx7xxxeexxxxxxxx9","threatURL":"https://threatinsight.proofpoint.com/a2abc123-1234-1234-1234-babcded1234/threat/email/xxxxxxbx1cxcxx0xcx5xxxxdx5xex8xbx7xxxeexxxxxxxx9","threatStatus":"cleared","messageID":"12345678912345.12345.mail@example.com"} +{"url":"https://xyz123456789.support.com#xyz@example.com","classification":"phish","clickTime":"2022-03-30T00:56:14.000Z","threatTime":"2022-03-30T00:53:43.000Z","userAgent":"Mozilla/5.0 (Linux; Android 12; SM-N976U) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.88 Mobile Safari/537.36","campaignId":"46x01x8x-x899-404x-xxx9-111xx393d1x7","id":"4b4ae949-1234-1234-1234-6axxxxx9xxxxx3","clickIP":"89.160.20.112","sender":"abc123@example.com","recipient":"f3xxxx0x2xcx3xaxbxcx2xaxxxcxxxx2@example.com","senderIP":"81.2.69.143","GUID":"VXXhXiXyXBXlXdXXfXXXXXWXLXXX","threatID":"xxxdxxdx6x7x6xxxxx5xxx837ex4x4xcx8xcxxxexxx2xxxxxx5","threatURL":"https://threatinsight.proofpoint.com/a2abc123-1234-1234-1234-babcded1234/threat/email/xxxdxxdx6x7x6xxxxx5xxx837ex4x4xcx8xcxxxexxx2xxxxxx5","threatStatus":"active","messageID":"12345678912345.12345.mail@example.com"} diff --git a/packages/proofpoint_tap/data_stream/clicks_permitted/_dev/test/pipeline/test-clicks-permitted.log-expected.json b/packages/proofpoint_tap/data_stream/clicks_permitted/_dev/test/pipeline/test-clicks-permitted.log-expected.json new file mode 100644 index 00000000000..0c481913836 --- /dev/null +++ b/packages/proofpoint_tap/data_stream/clicks_permitted/_dev/test/pipeline/test-clicks-permitted.log-expected.json 
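Review bot: The first fixture line's `userAgent` has had every space stripped (`Mozilla/5.0(WindowsNT6.1;WOW64;rv:27.0)Gecko/20100101Firefox/27.0`), and the expected output added in this commit consequently pins user-agent parser artifacts — `"full": "Windows $1"`, `"version": "$1"` and a browser version of `"27.0."` — as correct results. That looks like collateral from anonymising the sample rather than a deliberate malformed-UA case; restoring the spaces, or replacing the line with a well-formed agent string, would make the expected file assert real parsing. If a malformed string is wanted as a regression case, its expected values should be reviewed by hand rather than snapshotted. The same line also carries `"classification":"MALWARE"` while every other fixture uses lower-case values, which is only worth keeping if the pipeline is meant to normalise case.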
@@ -0,0 +1,369 @@ +{ + "expected": [ + { + "@timestamp": "2016-06-24T19:17:44.000Z", + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.112" + }, + "ecs": { + "version": "8.2.0" + }, + "email": { + "from": { + "address": "abc@example.com" + }, + "message_id": "12345678912345.12345.mail@example.com", + "to": { + "address": "example.abc@example.com" + } + }, + "event": { + "category": [ + "email" + ], + "id": "a2abc123-1234-1234-1234-babcded1234", + "kind": "event", + "original": "{\"campaignId\":\"46x01x8x-x899-404x-xxx9-111xx393d1x7\",\"classification\":\"MALWARE\",\"clickIP\":\"89.160.20.112\",\"clickTime\":\"2016-06-24T19:17:44.000Z\",\"GUID\":\"x11xxxx1-12f9-111x-x12x-1x1x123XXX6xx\",\"id\":\"a2abc123-1234-1234-1234-babcded1234\",\"messageID\":\"12345678912345.12345.mail@example.com\",\"recipient\":\"example.abc@example.com\",\"sender\":\"abc@example.com\",\"senderIP\":\"81.2.69.143\",\"threatID\":\"61f7622xx1x6x7x1x4xxxxxxxxxxx4xdbaxxxxxxxxxxx5xex3xbxxxxxdxfx5xxxxx0\",\"threatTime\":\"2016-06-24T19:17:46.000Z\",\"threatURL\":\"https://threatinsight.proofpoint.com/#/a2abc123-1234-1234-1234-babcded1234/threat/u/6xxx1xxxfx7x62x2x1x6x7x1x4x4xdxxxbxa5xex5x0xxxxx\",\"threatStatus\":\"active\",\"url\":\"http://example.com/\",\"userAgent\":\"Mozilla/5.0(WindowsNT6.1;WOW64;rv:27.0)Gecko/20100101Firefox/27.0\"}", + "type": [ + "allowed" + ] + }, + "proofpoint_tap": { + "clicks_permitted": { + "campaign_id": "46x01x8x-x899-404x-xxx9-111xx393d1x7", + "classification": "MALWARE", + "threat": { + "id": "61f7622xx1x6x7x1x4xxxxxxxxxxx4xdbaxxxxxxxxxxx5xex3xbxxxxxdxfx5xxxxx0", + "status": "active", + "time": "2016-06-24T19:17:46.000Z", + "url": 
"https://threatinsight.proofpoint.com/#/a2abc123-1234-1234-1234-babcded1234/threat/u/6xxx1xxxfx7x62x2x1x6x7x1x4x4xdxxxbxa5xex5x0xxxxx" + } + }, + "guid": "x11xxxx1-12f9-111x-x12x-1x1x123XXX6xx" + }, + "related": { + "ip": [ + "81.2.69.143", + "89.160.20.112" + ] + }, + "source": { + "ip": "81.2.69.143" + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "example.com", + "full": "http://example.com/", + "path": "/", + "scheme": "http" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Firefox", + "original": "Mozilla/5.0(WindowsNT6.1;WOW64;rv:27.0)Gecko/20100101Firefox/27.0", + "os": { + "full": "Windows $1", + "name": "Windows", + "version": "$1" + }, + "version": "27.0." + } + }, + { + "@timestamp": "2022-03-21T20:39:37.000Z", + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.112" + }, + "ecs": { + "version": "8.2.0" + }, + "email": { + "from": { + "address": "abc123@example.com" + }, + "message_id": "12345678912345.12345.mail@example.com", + "to": { + "address": "abc@example.com" + } + }, + "event": { + "category": [ + "email" + ], + "id": "de7eef56-1234-1234-1234-54xxxxx123", + "kind": "event", + "original": "{\"url\":\"https://example.com/collab/?id=x4x3x6xsx1xxxx8xEdxexnxxxaxX\",\"classification\":\"phish\",\"clickTime\":\"2022-03-21T20:39:37.000Z\",\"threatTime\":\"2022-03-30T10:05:57.000Z\",\"userAgent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36 
Edg/99.0.1150.46\",\"campaignId\":\"46x01x8x-x899-404x-xxx9-111xx393d1x7\",\"id\":\"de7eef56-1234-1234-1234-54xxxxx123\",\"clickIP\":\"89.160.20.112\",\"sender\":\"abc123@example.com\",\"recipient\":\"abc@example.com\",\"senderIP\":\"81.2.69.143\",\"GUID\":\"cXXTXpX7jXXXXHXxXBXXkXXXwXXX\",\"threatID\":\"92c17aaxxxxxxxxxx07xx7xxxx9xexcx3x3xxxxxx8xx3xxxx\",\"threatURL\":\"https://threatinsight.proofpoint.com/a2abc123-1234-1234-1234-babcded1234/threat/email/92c17aaxxxxxxxxxx07xx7xxxx9xexcx3x3xxxxxx8xx3xxxx\",\"threatStatus\":\"active\",\"messageID\":\"12345678912345.12345.mail@example.com\"}", + "type": [ + "allowed" + ] + }, + "proofpoint_tap": { + "clicks_permitted": { + "campaign_id": "46x01x8x-x899-404x-xxx9-111xx393d1x7", + "classification": "phish", + "threat": { + "id": "92c17aaxxxxxxxxxx07xx7xxxx9xexcx3x3xxxxxx8xx3xxxx", + "status": "active", + "time": "2022-03-30T10:05:57.000Z", + "url": "https://threatinsight.proofpoint.com/a2abc123-1234-1234-1234-babcded1234/threat/email/92c17aaxxxxxxxxxx07xx7xxxx9xexcx3x3xxxxxx8xx3xxxx" + } + }, + "guid": "cXXTXpX7jXXXXHXxXBXXkXXXwXXX" + }, + "related": { + "ip": [ + "81.2.69.143", + "89.160.20.112" + ] + }, + "source": { + "ip": "81.2.69.143" + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "example.com", + "full": "https://example.com/collab/?id=x4x3x6xsx1xxxx8xEdxexnxxxaxX", + "path": "/collab/", + "query": "id=x4x3x6xsx1xxxx8xEdxexnxxxaxX", + "scheme": "https" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Edge", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36 Edg/99.0.1150.46", + "os": { + "full": "Windows 10", + "name": "Windows", + "version": "10" + }, + "version": "99.0.1150.46" + } + }, + { + "@timestamp": "2022-03-30T10:51:53.000Z", + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + 
"continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.112" + }, + "ecs": { + "version": "8.2.0" + }, + "email": { + "from": { + "address": "abc123@example.com" + }, + "message_id": "12345678912345.12345.mail@example.com", + "to": { + "address": "exxxxxxx8x2xxxx2x6x6xxxxx6xxxx5@example.com" + } + }, + "event": { + "category": [ + "email" + ], + "id": "90dd54bc-1234-1234-1234-cxxxxxxxxx4", + "kind": "event", + "original": "{\"url\":\"http://example.com/ixxxx464xxx6x6xxd_cXxxxT_kxxTuQx_xIhxlx2qxxnxvxPxn\",\"classification\":\"spam\",\"clickTime\":\"2022-03-30T10:51:53.000Z\",\"threatTime\":\"2022-02-26T00:36:25.000Z\",\"userAgent\":\"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36\",\"campaignId\":\"46x01x8x-x899-404x-xxx9-111xx393d1x7\",\"id\":\"90dd54bc-1234-1234-1234-cxxxxxxxxx4\",\"clickIP\":\"89.160.20.112\",\"sender\":\"abc123@example.com\",\"recipient\":\"exxxxxxx8x2xxxx2x6x6xxxxx6xxxx5@example.com\",\"senderIP\":\"81.2.69.143\",\"GUID\":\"QUWXXxXXJHlYXRXXXXVXUXXk\",\"threatID\":\"xxxxxxbx1cxcxx0xcx5xxxxdx5xex8xbx7xxxeexxxxxxxx9\",\"threatURL\":\"https://threatinsight.proofpoint.com/a2abc123-1234-1234-1234-babcded1234/threat/email/xxxxxxbx1cxcxx0xcx5xxxxdx5xex8xbx7xxxeexxxxxxxx9\",\"threatStatus\":\"cleared\",\"messageID\":\"12345678912345.12345.mail@example.com\"}", + "type": [ + "allowed" + ] + }, + "proofpoint_tap": { + "clicks_permitted": { + "campaign_id": "46x01x8x-x899-404x-xxx9-111xx393d1x7", + "classification": "spam", + "threat": { + "id": "xxxxxxbx1cxcxx0xcx5xxxxdx5xex8xbx7xxxeexxxxxxxx9", + "status": "cleared", + "time": "2022-02-26T00:36:25.000Z", + "url": "https://threatinsight.proofpoint.com/a2abc123-1234-1234-1234-babcded1234/threat/email/xxxxxxbx1cxcxx0xcx5xxxxdx5xex8xbx7xxxeexxxxxxxx9" + } + }, + 
"guid": "QUWXXxXXJHlYXRXXXXVXUXXk" + }, + "related": { + "ip": [ + "81.2.69.143", + "89.160.20.112" + ] + }, + "source": { + "ip": "81.2.69.143" + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "example.com", + "full": "http://example.com/ixxxx464xxx6x6xxd_cXxxxT_kxxTuQx_xIhxlx2qxxnxvxPxn", + "path": "/ixxxx464xxx6x6xxd_cXxxxT_kxxTuQx_xIhxlx2qxxnxvxPxn", + "scheme": "http" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Chrome", + "original": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36", + "os": { + "full": "Windows 7", + "name": "Windows", + "version": "7" + }, + "version": "72.0.3626.109" + } + }, + { + "@timestamp": "2022-03-30T00:56:14.000Z", + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.112" + }, + "ecs": { + "version": "8.2.0" + }, + "email": { + "from": { + "address": "abc123@example.com" + }, + "message_id": "12345678912345.12345.mail@example.com", + "to": { + "address": "f3xxxx0x2xcx3xaxbxcx2xaxxxcxxxx2@example.com" + } + }, + "event": { + "category": [ + "email" + ], + "id": "4b4ae949-1234-1234-1234-6axxxxx9xxxxx3", + "kind": "event", + "original": "{\"url\":\"https://xyz123456789.support.com#xyz@example.com\",\"classification\":\"phish\",\"clickTime\":\"2022-03-30T00:56:14.000Z\",\"threatTime\":\"2022-03-30T00:53:43.000Z\",\"userAgent\":\"Mozilla/5.0 (Linux; Android 12; SM-N976U) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.88 Mobile 
Safari/537.36\",\"campaignId\":\"46x01x8x-x899-404x-xxx9-111xx393d1x7\",\"id\":\"4b4ae949-1234-1234-1234-6axxxxx9xxxxx3\",\"clickIP\":\"89.160.20.112\",\"sender\":\"abc123@example.com\",\"recipient\":\"f3xxxx0x2xcx3xaxbxcx2xaxxxcxxxx2@example.com\",\"senderIP\":\"81.2.69.143\",\"GUID\":\"VXXhXiXyXBXlXdXXfXXXXXWXLXXX\",\"threatID\":\"xxxdxxdx6x7x6xxxxx5xxx837ex4x4xcx8xcxxxexxx2xxxxxx5\",\"threatURL\":\"https://threatinsight.proofpoint.com/a2abc123-1234-1234-1234-babcded1234/threat/email/xxxdxxdx6x7x6xxxxx5xxx837ex4x4xcx8xcxxxexxx2xxxxxx5\",\"threatStatus\":\"active\",\"messageID\":\"12345678912345.12345.mail@example.com\"}", + "type": [ + "allowed" + ] + }, + "proofpoint_tap": { + "clicks_permitted": { + "campaign_id": "46x01x8x-x899-404x-xxx9-111xx393d1x7", + "classification": "phish", + "threat": { + "id": "xxxdxxdx6x7x6xxxxx5xxx837ex4x4xcx8xcxxxexxx2xxxxxx5", + "status": "active", + "time": "2022-03-30T00:53:43.000Z", + "url": "https://threatinsight.proofpoint.com/a2abc123-1234-1234-1234-babcded1234/threat/email/xxxdxxdx6x7x6xxxxx5xxx837ex4x4xcx8xcxxxexxx2xxxxxx5" + } + }, + "guid": "VXXhXiXyXBXlXdXXfXXXXXWXLXXX" + }, + "related": { + "ip": [ + "81.2.69.143", + "89.160.20.112" + ] + }, + "source": { + "ip": "81.2.69.143" + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "xyz123456789.support.com", + "fragment": "xyz@example.com", + "full": "https://xyz123456789.support.com#xyz@example.com", + "scheme": "https" + }, + "user_agent": { + "device": { + "name": "Samsung SM-N976U" + }, + "name": "Chrome Mobile", + "original": "Mozilla/5.0 (Linux; Android 12; SM-N976U) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.88 Mobile Safari/537.36", + "os": { + "full": "Android 12", + "name": "Android", + "version": "12" + }, + "version": "99.0.4844.88" + } + } + ] +} \ No newline at end of file 
diff --git a/packages/proofpoint_tap/data_stream/clicks_permitted/_dev/test/pipeline/test-common-config.yml b/packages/proofpoint_tap/data_stream/clicks_permitted/_dev/test/pipeline/test-common-config.yml
new file mode 100644
index 00000000000..4da22641654
--- /dev/null
+++ b/packages/proofpoint_tap/data_stream/clicks_permitted/_dev/test/pipeline/test-common-config.yml
@@ -0,0 +1,3 @@
+fields:
+ tags:
+ - preserve_original_event
diff --git a/packages/proofpoint_tap/data_stream/clicks_permitted/_dev/test/system/test-default-config.yml b/packages/proofpoint_tap/data_stream/clicks_permitted/_dev/test/system/test-default-config.yml
new file mode 100644
index 00000000000..ec9377ca329
--- /dev/null
+++ b/packages/proofpoint_tap/data_stream/clicks_permitted/_dev/test/system/test-default-config.yml
@@ -0,0 +1,9 @@
+input: httpjson
+service: proofpoint_tap
+vars:
+ url: http://{{Hostname}}:{{Port}}
+ principal: xxxx
+ secret: xxxx
+data_stream:
+ vars:
+ preserve_original_event: true
diff --git a/packages/proofpoint_tap/data_stream/clicks_permitted/agent/stream/httpjson.yml.hbs b/packages/proofpoint_tap/data_stream/clicks_permitted/agent/stream/httpjson.yml.hbs
new file mode 100644
index 00000000000..c846a15843d
--- /dev/null
+++ b/packages/proofpoint_tap/data_stream/clicks_permitted/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,44 @@
+config_version: 2
+interval: {{interval}}
+{{#if proxy_url }}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+request.method: GET
+request.url: {{url}}/v2/siem/clicks/permitted
+auth.basic.user: {{principal}}
+auth.basic.password: {{secret}}
+request.transforms:
+ - set:
+ target: url.params.format
+ value: json
+ - set:
+ target: url.params.interval
+ value: '[[if (le (formatDate ((parseDate .cursor.last_received_time "RFC3339").Add (parseDuration "1h"))) (formatDate (now)))]][[formatDate (parseDate .cursor.last_received_time "RFC3339")]]/[[formatDate ((parseDate .cursor.last_received_time "RFC3339").Add (parseDuration "1h"))]][[else]][[formatDate (parseDate .cursor.last_received_time "RFC3339")]]/[[formatDate now]][[end]]'
+ default: '[[formatDate (now (parseDuration "-{{initial_interval}}"))]]/[[formatDate ((now (parseDuration "-{{initial_interval}}")).Add (parseDuration "1h"))]]'
+response.pagination:
+ - set:
+ target: url.params.interval
+ value: '[[if (le (formatDate ((parseDate .last_response.body.queryEndTime "RFC3339").Add (parseDuration "1h"))) (formatDate (now)))]][[formatDate (parseDate .last_response.body.queryEndTime "RFC3339")]]/[[formatDate ((parseDate .last_response.body.queryEndTime "RFC3339").Add (parseDuration "1h"))]][[else]][[.last_response.terminate_pagination]][[end]]'
+ fail_on_template_error: true
+cursor:
+ last_received_time:
+ value: '[[.last_response.body.queryEndTime]]'
+response.split:
+ target: body.clicksPermitted
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
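Review bot: `auth.basic.user: {{principal}}` and `auth.basic.password: {{secret}}` (and likewise `request.url: {{url}}` and `request.proxy_url: {{proxy_url}}`) are rendered as plain YAML scalars, so a credential or URL that starts with a YAML indicator or contains ` #` or `: ` is mis-parsed, or silently truncated at the comment marker, before any request is made. Quoting the expansions, `auth.basic.user: "{{principal}}"` and `auth.basic.password: "{{secret}}"`, closes that gap for everything except values containing `"` or `\`, which the template renderer would still need to escape — worth confirming how the agent's renderer treats those before relying on it. Minor: `{{#if proxy_url }}` carries a stray space before `}}`, unlike the other helpers in this file.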
diff --git a/packages/proofpoint_tap/data_stream/clicks_permitted/elasticsearch/ingest_pipeline/default.yml b/packages/proofpoint_tap/data_stream/clicks_permitted/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..378558c4f95
--- /dev/null
+++ b/packages/proofpoint_tap/data_stream/clicks_permitted/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,168 @@ +--- +description: Pipeline for parsing Proofpoint TAP permitted clicks logs. +processors: + - set: + field: ecs.version + value: '8.2.0' + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: json + ignore_failure: true + - fingerprint: + fields: + - json.GUID + - json.clickTime + - json.threatTime + target_field: _id + ignore_missing: true + - append: + field: event.category + value: email + ignore_failure: true + - append: + field: event.type + value: allowed + ignore_failure: true + - set: + field: event.kind + value: event + - rename: + field: json.sender + target_field: email.from.address + ignore_missing: true + - rename: + field: json.messageID + target_field: email.message_id + ignore_missing: true + - rename: + field: json.recipient + target_field: email.to.address + ignore_missing: true + - date: + field: json.clickTime + target_field: '@timestamp' + ignore_failure: true + formats: + - ISO8601 + - rename: + field: json.id + target_field: event.id + ignore_missing: true + - append: + field: related.ip + value: '{{{json.senderIP}}}' + if: ctx.json?.senderIP != null && ctx.json?.senderIP != '' + allow_duplicates: false + ignore_failure: true + - append: + field: related.ip + value: '{{{json.clickIP}}}' + if: ctx.json?.clickIP != null && ctx.json?.clickIP != '' + allow_duplicates: false + ignore_failure: true + - convert: + field: json.clickIP + target_field: destination.ip + type: ip + ignore_failure: true + - geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + 
ignore_missing: true + - convert: + field: json.senderIP + target_field: source.ip + type: ip + ignore_failure: true + - date: + field: json.threatTime + target_field: proofpoint_tap.clicks_permitted.threat.time + ignore_failure: true + formats: + - ISO8601 + - uri_parts: + field: json.url + keep_original: false + ignore_failure: true + - urldecode: + field: json.url + target_field: url.full + ignore_missing: true + - user_agent: + field: json.userAgent + target_field: user_agent + ignore_missing: true + ignore_failure: true + - rename: + field: json.campaignId + target_field: proofpoint_tap.clicks_permitted.campaign_id + ignore_missing: true + - rename: + field: json.classification + target_field: proofpoint_tap.clicks_permitted.classification + ignore_missing: true + - rename: + field: json.GUID + target_field: proofpoint_tap.guid + ignore_missing: true + - rename: + field: json.threatID + target_field: proofpoint_tap.clicks_permitted.threat.id + ignore_missing: true + - rename: + field: json.threatStatus + target_field: proofpoint_tap.clicks_permitted.threat.status + ignore_missing: true + - rename: + field: json.threatURL + target_field: proofpoint_tap.clicks_permitted.threat.url + ignore_missing: true + - remove: + field: event.original + if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) + ignore_failure: true + ignore_missing: true + - remove: + field: json + ignore_missing: true + - script: + description: Drops null/empty values recursively. 
+ lang: painless + source: | + boolean dropEmptyFields(Object object) { + if (object == null || object == "") { + return true; + } else if (object instanceof Map) { + ((Map) object).values().removeIf(value -> dropEmptyFields(value)); + return (((Map) object).size() == 0); + } else if (object instanceof List) { + ((List) object).removeIf(value -> dropEmptyFields(value)); + return (((List) object).length == 0); + } + return false; + } + dropEmptyFields(ctx); +on_failure: +- set: + field: error.message + value: '{{{ _ingest.on_failure_message }}}' diff --git a/packages/proofpoint_tap/data_stream/clicks_permitted/fields/agent.yml b/packages/proofpoint_tap/data_stream/clicks_permitted/fields/agent.yml new file mode 100644 index 00000000000..73e076a93b1 --- /dev/null +++ b/packages/proofpoint_tap/data_stream/clicks_permitted/fields/agent.yml 
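Review bot: The two `append` processors for `related.ip` copy `json.senderIP` and `json.clickIP` verbatim before the later `convert ... type: ip` steps (which run with `ignore_failure: true`) have validated them, so a value that is not a parseable address is dropped from `source.ip`/`destination.ip` but still lands in `related.ip`, an ECS `ip` field; the document is then rejected at index time, which the pipeline's `on_failure` handler cannot catch. Move both appends after the corresponding `convert` and read the converted field instead, e.g. `value: '{{{source.ip}}}'` with `if: ctx.source?.ip != null`, and the same with `destination.ip` for the click address. Separately, the pipeline test expectation in test-clicks-permitted.log-expected.json pins `"full": "Windows $1"` and `"version": "$1"` under `user_agent.os` for the first event, which looks like an unsubstituted capture group from the `user_agent` processor being fed a UA string with its spaces removed; a realistic user agent in that fixture would avoid locking the artifact into the expected output.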
@@ -0,0 +1,186 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container ID. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host IP addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset 
diff --git a/packages/proofpoint_tap/data_stream/clicks_permitted/fields/base-fields.yml b/packages/proofpoint_tap/data_stream/clicks_permitted/fields/base-fields.yml
new file mode 100644
index 00000000000..a4e73507292
--- /dev/null
+++ b/packages/proofpoint_tap/data_stream/clicks_permitted/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module.
+ value: proofpoint_tap
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset.
+ value: proofpoint_tap.clicks_permitted
diff --git a/packages/proofpoint_tap/data_stream/clicks_permitted/fields/ecs.yml b/packages/proofpoint_tap/data_stream/clicks_permitted/fields/ecs.yml
new file mode 100644
index 00000000000..dc9359fa343
--- /dev/null
+++ b/packages/proofpoint_tap/data_stream/clicks_permitted/fields/ecs.yml
@@ -0,0 +1,82 @@
+- external: ecs
+ name: destination.as.number
+- external: ecs
+ name: destination.as.organization.name
+- external: ecs
+ name: destination.geo.city_name
+- external: ecs
+ name: destination.geo.continent_name
+- external: ecs
+ name: destination.geo.country_iso_code
+- external: ecs
+ name: destination.geo.country_name
+- external: ecs
+ name: destination.geo.location
+- external: ecs
+ name: destination.geo.region_iso_code
+- external: ecs
+ name: destination.geo.region_name
+- external: ecs
+ name: destination.ip
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: email.from.address
+- external: ecs
+ name: email.message_id
+- external: ecs
+ name: email.to.address
+- external: ecs
+ name: event.category
+- external: ecs
+ name: event.created
+- external: ecs
+ name: event.id
+- external: ecs
+ name: event.kind
+- external: ecs
+ name: event.original
+- external: ecs
+ name: event.type
+- external: ecs
+ name: related.ip
+- external: ecs
+ name: source.ip
+- external: ecs
+ name: tags
+- external: ecs
+ name: url.domain
+- external: ecs
+ name: url.extension
+- external: ecs
+ name: url.fragment
+- external: ecs
+ name: url.full
+- external: ecs
+ name: url.original
+- external: ecs
+ name: url.password
+- external: ecs
+ name: url.path
+- external: ecs
+ name: url.port
+- external: ecs
+ name: url.query
+- external: ecs
+ name: url.scheme
+- external: ecs
+ name: url.username
+- external: ecs
+ name: user_agent.device.name
+- external: ecs
+ name: user_agent.name
+- external: ecs
+ name: user_agent.original
+- external: ecs
+ name: user_agent.os.full
+- external: ecs
+ name: user_agent.os.name
+- external: ecs
+ name: user_agent.os.version
+- external: ecs
+ name: user_agent.version
diff --git a/packages/proofpoint_tap/data_stream/clicks_permitted/fields/fields.yml b/packages/proofpoint_tap/data_stream/clicks_permitted/fields/fields.yml
new file mode 100644
index 00000000000..87b27059dbf
--- /dev/null
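Review bot: `url.original` is declared here but nothing in the pipeline populates it: `uri_parts` in default.yml runs with `keep_original: false` and the decoded URL goes to `url.full`, so the declaration only adds a dead field to the index template. The same applies to `proofpoint_tap.clicks_permitted.sender_ip` in fields.yml, which the pipeline never writes (`json.senderIP` is converted into `source.ip` and appended to `related.ip`). Either drop both declarations or have the pipeline write them; for `url.original`, `keep_original: true` on the `uri_parts` processor is the smaller change.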
+++ b/packages/proofpoint_tap/data_stream/clicks_permitted/fields/fields.yml
@@ -0,0 +1,33 @@
+- name: proofpoint_tap
+ type: group
+ fields:
+ - name: clicks_permitted
+ type: group
+ fields:
+ - name: campaign_id
+ type: keyword
+ description: An identifier for the campaign of which the threat is a member, if available at the time of the query. Threats can be linked to campaigns even after these events are retrieved.
+ - name: classification
+ type: keyword
+ description: The threat category of the malicious URL.
+ - name: sender_ip
+ type: ip
+ description: The IP address of the sender.
+ - name: threat
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ description: The unique identifier associated with this threat. It can be used to query the forensics and campaign endpoints.
+ - name: status
+ type: keyword
+ description: The current state of the threat.
+ - name: time
+ type: date
+ description: Proofpoint identified the URL as a threat at this time.
+ - name: url
+ type: keyword
+ description: A link to the entry on the TAP Dashboard for the particular threat.
+ - name: guid
+ type: keyword
+ description: The ID of the message within PPS. It can be used to identify the message in PPS and is guaranteed to be unique.
diff --git a/packages/proofpoint_tap/data_stream/clicks_permitted/manifest.yml b/packages/proofpoint_tap/data_stream/clicks_permitted/manifest.yml
new file mode 100644
index 00000000000..1327aecdc56
--- /dev/null
+++ b/packages/proofpoint_tap/data_stream/clicks_permitted/manifest.yml
@@ -0,0 +1,50 @@
+title: Clicks Permitted
+type: logs
+streams:
+ - input: httpjson
+ template_path: httpjson.yml.hbs
+ title: Proofpoint_TAP Clicks Permitted logs
+ description: Collect Proofpoint TAP Clicks Permitted logs via API.
+ vars:
+ - name: interval
+ type: text
+ title: Interval
+ description: Interval to fetch data from Proofpoint TAP API (The interval should be at least 1m).
+ multi: false
+ required: true
+ show_user: true
+ default: 1h
+ - name: initial_interval
+ type: text
+ title: Initial Interval
+ description: How far back to pull the tap data from the Proofpoint TAP API (The initial interval should be a maximum of 7 days).
+ default: 24h
+ multi: false
+ required: true
+ show_user: true
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - proofpoint_tap-clicks_permitted
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
diff --git a/packages/proofpoint_tap/data_stream/clicks_permitted/sample_event.json b/packages/proofpoint_tap/data_stream/clicks_permitted/sample_event.json
new file mode 100644
index 00000000000..16e7c809f8f
--- /dev/null
+++ b/packages/proofpoint_tap/data_stream/clicks_permitted/sample_event.json
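Review bot: The `initial_interval` description says the value should be at most 7 days, but the stream template at httpjson.yml.hbs feeds it into `parseDuration`, which follows Go duration syntax (`h`, `m`, `s` — no `d` unit), so a user who types `7d` gets a template error rather than a capped look-back; state the accepted form, e.g. `description: How far back to pull TAP data from the Proofpoint TAP API (Go duration such as 24h; maximum 168h, i.e. 7 days).` The same description-only guidance applies to `interval` ("should be at least 1m"), which nothing in the manifest or template validates, so a note that lower values are accepted but not supported would help. Style: `title: Proofpoint_TAP Clicks Permitted logs` reads as an identifier; `Proofpoint TAP Clicks Permitted logs` matches the `description` line directly below it.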
@@ -0,0 +1,119 @@
+{
+    "@timestamp": "2022-03-21T20:39:37.000Z",
+    "agent": {
+        "ephemeral_id": "85f7f8f1-c9f4-4d3f-bd2f-c6f4e6c31526",
+        "hostname": "docker-fleet-agent",
+        "id": "3dc09e3a-0004-444b-a301-8c632b17172b",
+        "name": "docker-fleet-agent",
+        "type": "filebeat",
+        "version": "7.17.0"
+    },
+    "data_stream": {
+        "dataset": "proofpoint_tap.clicks_permitted",
+        "namespace": "ep",
+        "type": "logs"
+    },
+    "destination": {
+        "as": {
+            "number": 29518,
+            "organization": {
+                "name": "Bredband2 AB"
+            }
+        },
+        "geo": {
+            "city_name": "Linköping",
+            "continent_name": "Europe",
+            "country_iso_code": "SE",
+            "country_name": "Sweden",
+            "location": {
+                "lat": 58.4167,
+                "lon": 15.6167
+            },
+            "region_iso_code": "SE-E",
+            "region_name": "Östergötland County"
+        },
+        "ip": "89.160.20.112"
+    },
+    "ecs": {
+        "version": "8.2.0"
+    },
+    "elastic_agent": {
+        "id": "3dc09e3a-0004-444b-a301-8c632b17172b",
+        "snapshot": false,
+        "version": "7.17.0"
+    },
+    "email": {
+        "from": {
+            "address": "abc123@example.com"
+        },
+        "message_id": "12345678912345.12345.mail@example.com",
+        "to": {
+            "address": "abc@example.com"
+        }
+    },
+    "event": {
+        "agent_id_status": "verified",
+        "category": [
+            "email"
+        ],
+        "created": "2022-05-09T09:39:34.061Z",
+        "dataset": "proofpoint_tap.clicks_permitted",
+        "id": "de7eef56-1234-1234-1234-5xxfx7xxxdxxxx",
+        "ingested": "2022-05-09T09:39:37Z",
+        "kind": "event",
+        "original": "{\"GUID\":\"cTxxxxxxzx7xxxxxxxxxx8x4xwxx\",\"campaignId\":\"46x01x8x-x899-404x-xxx9-111xx393d1x7\",\"classification\":\"phish\",\"clickIP\":\"89.160.20.112\",\"clickTime\":\"2022-03-21T20:39:37.000Z\",\"id\":\"de7eef56-1234-1234-1234-5xxfx7xxxdxxxx\",\"messageID\":\"12345678912345.12345.mail@example.com\",\"recipient\":\"abc@example.com\",\"sender\":\"abc123@example.com\",\"senderIP\":\"81.2.69.143\",\"threatID\":\"92c17aaxxxxxxxxxx07xx7xxxx9xexcx3x3xxxxxx8xx3xxxx\",\"threatStatus\":\"active\",\"threatTime\":\"2022-03-30T10:05:57.000Z\",\"threatURL\":\"https://threatinsight.proofpoint.com/a2abc123-1234-1234-1234-babcded1234/threat/email/92c17aaxxxxxxxxxx07xx7xxxx9xexcx3x3xxxxxx8xx3xxxx\",\"url\":\"https://example.com/collab/?id=x4x3x6xsx1xxxx8xEdxexnxxxaxX\",\"userAgent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36 Edg/99.0.1150.46\"}",
+        "type": [
+            "allowed"
+        ]
+    },
+    "input": {
+        "type": "httpjson"
+    },
+    "proofpoint_tap": {
+        "clicks_permitted": {
+            "campaign_id": "46x01x8x-x899-404x-xxx9-111xx393d1x7",
+            "classification": "phish",
+            "threat": {
+                "id": "92c17aaxxxxxxxxxx07xx7xxxx9xexcx3x3xxxxxx8xx3xxxx",
+                "status": "active",
+                "time": "2022-03-30T10:05:57.000Z",
+                "url": "https://threatinsight.proofpoint.com/a2abc123-1234-1234-1234-babcded1234/threat/email/92c17aaxxxxxxxxxx07xx7xxxx9xexcx3x3xxxxxx8xx3xxxx"
+            }
+        },
+        "guid": "cTxxxxxxzx7xxxxxxxxxx8x4xwxx"
+    },
+    "related": {
+        "ip": [
+            "81.2.69.143",
+            "89.160.20.112"
+        ]
+    },
+    "source": {
+        "ip": "81.2.69.143"
+    },
+    "tags": [
+        "preserve_original_event",
+        "forwarded",
+        "proofpoint_tap-clicks_permitted"
+    ],
+    "url": {
+        "domain": "example.com",
+        "full": "https://example.com/collab/?id=x4x3x6xsx1xxxx8xEdxexnxxxaxX",
+        "path": "/collab/",
+        "query": "id=x4x3x6xsx1xxxx8xEdxexnxxxaxX",
+        "scheme": "https"
+    },
+    "user_agent": {
+        "device": {
+            "name": "Other"
+        },
+        "name": "Edge",
+        "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36 Edg/99.0.1150.46",
+        "os": {
+            "full": "Windows 10",
+            "name": "Windows",
+            "version": "10"
+        },
+        "version": "99.0.1150.46"
+    }
+}
\ No newline at end of file
diff --git a/packages/proofpoint_tap/data_stream/message_blocked/_dev/test/pipeline/test-common-config.yml b/packages/proofpoint_tap/data_stream/message_blocked/_dev/test/pipeline/test-common-config.yml
new file mode 100644
index 00000000000..4da22641654
--- /dev/null
+++ b/packages/proofpoint_tap/data_stream/message_blocked/_dev/test/pipeline/test-common-config.yml
@@ -0,0 +1,3 @@
+fields:
+  tags:
+    - preserve_original_event
diff --git a/packages/proofpoint_tap/data_stream/message_blocked/_dev/test/pipeline/test-message-blocked.log b/packages/proofpoint_tap/data_stream/message_blocked/_dev/test/pipeline/test-message-blocked.log
new file mode 100644
index 00000000000..e161a1005a8
--- /dev/null
+++ b/packages/proofpoint_tap/data_stream/message_blocked/_dev/test/pipeline/test-message-blocked.log
@@ -0,0 +1,6 @@
+{"spamScore":0,"phishScore":0,"threatsInfoMap":[{"threatID":"dhgonvjabcdefghijkabcdefghijkabcdefghijkabcdefghijkhlonvjdsabcdefgh","threatStatus":"active","classification":"malware","threatUrl":"https://threatinsight.proofpoint.com/adhgon-vjdsd-efghjikhlon-abcdefghij/threat/email/792e8d28448xxxxxxxxxxxxxxxxx8448c792xxxxx1af132onvjdsvsbnvjd","threatTime":"2022-01-01T02:03:40.050Z","threat":"example.com/xyz/","campaignID":null,"threatType":"url"}],"messageTime":"2022-01-01T00:45:55.050Z","impostorScore":0.0,"malwareScore":100,"cluster":"pharmtech_hosted","subject":"Re: Delayed Mail (still being retried)","quarantineFolder":null,"quarantineRule":null,"policyRoutes":["default_inbound"],"modulesRun":["av","zerohour","dkimv","spf","spam","dmarc","pdr"],"messageSize":3102,"headerFrom":"","headerReplyTo":null,"fromAddress":["info@example.com"],"ccAddresses":[],"replyToAddress":[],"toAddresses":["mailer-daemon@example.com"],"xmailer":"Microsoft Outlook 16.0","messageParts":[{"disposition":"inline","sha256":"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e","md5":"b10a8db164e0754105b7a99be72e3fe5","filename":"text.html","sandboxStatus":null,"oContentType":"text/html","contentType":"text/html"}],"completelyRewritten":false,"id":"401ccabc-1234-123-1234-babc74fce1a4","QID":"3XXXXgaXXX-1","GUID":"qxxlnx-xxxxxNxXGxQxWxPxxxxx0","sender":"info@example.com","recipient":["mailer-daemon@example.com"],"senderIP":"1.128.3.4","messageID":"<3f208x0sga-1@m0116781.example.com>"}
+{"spamScore":0,"phishScore":0,"threatsInfoMap":[{"threatID":"8defghjikhlonvjdsvsbdhgonvjdsdefghjikhlonvjdsvsbnvjdsvsbvjdsvsb8","threatStatus":"active","classification":"malware","threatUrl":"https://threatinsight.proofpoint.com/adhgo-nvjdsdef-ghjikhlonv-abcdefghij/threat/email/848c79xxxxxxxxxxxxxxxxbdadkh79xxxxxxxxxxxxxx1aa6a88fdbdadkh217b1af8","threatTime":"2022-01-01T10:10:02.020Z","threat":"example.com/xyz/","campaignID":null,"threatType":"url"}],"messageTime":"2022-01-01T01:25:59.059Z","impostorScore":0.0,"malwareScore":100,"cluster":"pharmtech_hosted","subject":"Re: Undelivered Mail Returned to Sender","quarantineFolder":null,"quarantineRule":null,"policyRoutes":["default_inbound"],"modulesRun":["av","zerohour","spf","spam","dmarc","pdr"],"messageSize":2278,"headerFrom":"","headerReplyTo":null,"fromAddress":["contact@example.com"],"ccAddresses":[],"replyToAddress":[],"toAddresses":["mailer-daemon@example.com"],"xmailer":"Microsoft Outlook 16.0","messageParts":[{"disposition":"inline","sha256":"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e","md5":"b10a8db164e0754105b7a99be72e3fe5","filename":"text.html","sandboxStatus":null,"oContentType":"text/html","contentType":"text/html"}],"completelyRewritten":false,"id":"443bacb2-1234-1234-1234-8abcaaa28260","QID":"3XXfXX2X1XXX","GUID":"LQxxx9xNxcxxx_xjxexLrxxnxQx9xdxx3xx","sender":"contact@example.com","recipient":["mailer-daemon@example.com"],"senderIP":"1.128.3.4","messageID":"<20220329151120.AAAB383797@example.com>"} 
+{"spamScore":0,"phishScore":0,"threatsInfoMap":[{"threatID":"6abcdefghijkabcdefghijkabcdefghijk7503ddcabcdefghijkabcdefghijk","threatStatus":"active","classification":"malware","threatUrl":"https://threatinsight.proofpoint.com/adhg-onvjdsdefgh-jikhlonvjdsv-abcdefghij/threat/email/6d748c7921afxxxxxxxxxxxxxxxxxhc7921af13xxxxxxxxxxxxxxxxxxxxxd267a","threatTime":"2022-01-01T11:06:50.580Z","threat":"example.com/xyz/","campaignID":null,"threatType":"url"}],"messageTime":"2022-01-01T04:51:56.269Z","impostorScore":0.0,"malwareScore":100,"cluster":"pharmtech_hosted","subject":"Re: Undelivered Mail Returned to Sender [BACKSCATTER DETECTED]","quarantineFolder":null,"quarantineRule":null,"policyRoutes":["default_inbound"],"modulesRun":["av","zerohour","dkimv","spf","spam","dmarc","pdr"],"messageSize":2755,"headerFrom":"","headerReplyTo":null,"fromAddress":["noreply@example.com"],"ccAddresses":[],"replyToAddress":[],"toAddresses":["mailer-daemon@example.com"],"xmailer":"Microsoft Outlook 16.0","messageParts":[{"disposition":"inline","sha256":"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e","md5":"b10a8db164e0754105b7a99be72e3fe5","filename":"text.html","sandboxStatus":null,"oContentType":"text/html","contentType":"text/html"}],"completelyRewritten":false,"id":"0c8eabc5-1234-1234-1234-cabcb7b41c86","QID":"XXsXXX-XXX1XX","GUID":"6xxxx6xmxxxfxcxTxAxExxDxxxxx2","sender":"noreply@example.com","recipient":["mailer-daemon@example.com"],"senderIP":"175.16.199.1","messageID":"<3f21wvrsws-1@example.com>"} 
+{"spamScore":100,"phishScore":100,"threatsInfoMap":[{"threatID":"cfdhgondhgonvjdsdefghjikhlonvjdsvsbnvjd56546ghjikhlonvjdsvsbnvjd","threatStatus":"active","classification":"phish","threatUrl":"https://threatinsight.proofpoint.com/adhgon-vjdsdef-ghjikhlonv-abcdefghij/threat/email/7921af132d1aa6a88fdbdadkhlonvj1a8xxxxxxxxxxxxxxxxxxxxxdkhlonvj1","threatTime":"2022-01-01T05:02:48.832Z","threat":"https://example.com/","campaignID":null,"threatType":"url"},{"threatID":"124563bcdefghijkabcdefghi201256abcdefghijk201256aswe20abc","threatStatus":"active","classification":"phish","threatUrl":"https://threatinsight.proofpoint.com/abcdefgh-1234-1234-1234-1234-abcdefgh/threat/email/85738a8x9x7x1x04x5329xaadc9x425925abdf84089wcwe3x022xx4x19x123","threatTime":"2022-01-01T00:00:00.000Z","threat":"example.com","campaignID":null,"threatType":"url"}],"messageTime":"2022-01-01T00:25:20.010Z","impostorScore":0.0,"malwareScore":0,"cluster":"pharmtech_hosted","subject":"Statement From (Trinity Groundwater)","quarantineFolder":null,"quarantineRule":null,"policyRoutes":["default_inbound","allow_relay"],"modulesRun":["av","zerohour","dkimv","spf","spam","dmarc"],"messageSize":111091,"headerFrom":"Laura Schumacher 
","headerReplyTo":null,"fromAddress":["abc@example.com"],"ccAddresses":[],"replyToAddress":[],"toAddresses":["mail@example.com","abc@example.com"],"xmailer":null,"messageParts":[{"disposition":"inline","sha256":"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e","md5":"b10a8db164e0754105b7a99be72e3fe5","filename":"text.html","sandboxStatus":null,"oContentType":"text/html","contentType":"text/html"},{"disposition":"inline","sha256":"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e","md5":"b10a8db164e0754105b7a99be72e3fe5","filename":"text.txt","sandboxStatus":null,"oContentType":"text/plain","contentType":"text/plain"},{"disposition":"inline","sha256":"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e","md5":"b10a8db164e0754105b7a99be72e3fe5","filename":"text.txt","sandboxStatus":null,"oContentType":"text/plain","contentType":"text/plain"},{"disposition":"inline","sha256":"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e","md5":"b10a8db164e0754105b7a99be72e3fe5","filename":"text.html","sandboxStatus":null,"oContentType":"text/html","contentType":"text/html"},{"disposition":"attached","sha256":"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e","md5":"b10a8db164e0754105b7a99be72e3fe5","filename":"image001.png","sandboxStatus":null,"oContentType":"image/png","contentType":"image/png"}],"completelyRewritten":false,"id":"8f12300-f387-1234-xxxx-a4abcd12347","QID":"0XX0XXXXaX3XXX-X1","GUID":"_pxxxxOxQxxXxx4wxjxtx2xxxTxxxYxxx","sender":"abc@example.com","recipient":["mailer-daemon@example.com"],"senderIP":"175.16.199.1","messageID":"<77F0EA74-7D6F-453A-AB7F-31B192481AE8@example.com>"} 
+{"spamScore":100,"phishScore":100,"threatsInfoMap":[{"threatID":"9dhgabcdefghijkhgonvjdsdefghjikhlonvjdsvsbnvjdvjdsdefghjikhlonv","threatStatus":"active","classification":"phish","threatUrl":"https://threatinsight.proofpoint.com/adhgon-vjdsdefghj-ikhlonvj-abcdefghij/threat/email/97921af132d1aa6a88fdbdadkhlonvjbc9fxxxxxxxxxxxxxxxxxxxxxbdadkhlonvjd","threatTime":"2022-01-01T03:02:25.092Z","threat":"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e","campaignID":null,"threatType":"url"}],"messageTime":"2022-01-01T00:00:00.000Z","impostorScore":0.0,"malwareScore":0,"cluster":"pharmtech_hosted","subject":"(1) VOICE MAIL MESSSAGE","quarantineFolder":null,"quarantineRule":null,"policyRoutes":["default_inbound"],"modulesRun":["av","zerohour","dkimv","spf","spam","dmarc","pdr"],"messageSize":5776,"headerFrom":"VOICE MAIL","headerReplyTo":null,"fromAddress":["man.web@example.com"],"ccAddresses":[],"replyToAddress":[],"toAddresses":["mailer-daemon@example.com"],"xmailer":null,"messageParts":[{"disposition":"inline","sha256":"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e","md5":"b10a8db164e0754105b7a99be72e3fe5","filename":"text.html","sandboxStatus":null,"oContentType":"text/html","contentType":"text/html"}],"completelyRewritten":false,"id":"ee212323-1234-1234-1234-0f0abcd123456","QID":"3XXXf1XaXX-X1XX","GUID":"gxxxxxgxx3xcx-MxZxixxoxxxxxAxxx2","sender":"man.web@example.com","recipient":["mailer-daemon@example.com"],"senderIP":"175.16.199.1","messageID":"<20220327194933.12463F24B8AC1B73@example.com>"} 
+{"spamScore":100,"phishScore":100,"threatsInfoMap":[{"threatID":"abcdefghijkabcdefghijkabcdefghijkefghjikhlonvjdsvsbnvjd","threatStatus":"active","classification":"phish","threatUrl":"https://threatinsight.proofpoint.com/adhgonvj-dsdefgh-jikhlon-abcdefghij/threat/email/7921af132xxxxxxxxxxxxxxxxxxviuerhvuie35abcdefghabcdefghijk","threatTime":"2022-01-01T00:00:00.000Z","threat":"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e","campaignID":null,"threatType":"url"}],"messageTime":"2022-01-01T05:00:02.010Z","impostorScore":0.0,"malwareScore":0,"cluster":"pharmtech_hosted","subject":"(1) VOICE MAIL MESSSAGE","quarantineFolder":null,"quarantineRule":null,"policyRoutes":["default_inbound"],"modulesRun":["av","zerohour","dkimv","spf","spam","dmarc","pdr"],"messageSize":5776,"headerFrom":"VOICE MAIL","headerReplyTo":null,"fromAddress":["man.web@example.com"],"ccAddresses":[],"replyToAddress":[],"toAddresses":["mailer-daemon@example.com"],"xmailer":null,"messageParts":[{"disposition":"inline","sha256":"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e","md5":"b10a8db164e0754105b7a99be72e3fe5","filename":"text.html","sandboxStatus":null,"oContentType":"text/html","contentType":"text/html"}],"completelyRewritten":false,"id":"ee212323-1234-1234-1234-0f0abcd123456","QID":"3XXfXabXcXXXX1","GUID":"gxxxxgx3xcx-xMx7xPxxZxxxxoxAx2xxxxx","sender":"man.web@example.com","recipient":["mailer-daemon@example.com"],"senderIP":"","messageID":"<20220327194933.12463F24B8AC1B73@example.com>"}
diff --git a/packages/proofpoint_tap/data_stream/message_blocked/_dev/test/pipeline/test-message-blocked.log-expected.json b/packages/proofpoint_tap/data_stream/message_blocked/_dev/test/pipeline/test-message-blocked.log-expected.json
new file mode 100644
index 00000000000..a6586c5ea99
--- /dev/null
+++ b/packages/proofpoint_tap/data_stream/message_blocked/_dev/test/pipeline/test-message-blocked.log-expected.json
@@ -0,0 +1,802 @@ +{ + "expected": [ + { + "ecs": { + "version": "8.2.0" + }, + "email": { + "attachments": [ + { + "file": { + "hash": { + "md5": "b10a8db164e0754105b7a99be72e3fe5", + "sha256": "a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e" + }, + "mime_type": "text/html", + "name": "text.html" + } + } + ], + "delivery_timestamp": "2022-01-01T00:45:55.050Z", + "from": { + "address": [ + "info@example.com" + ] + }, + "message_id": "3f208x0sga-1@m0116781.example.com", + "sender": { + "address": "info@example.com" + }, + "subject": "Re: Delayed Mail (still being retried)", + "to": { + "address": [ + "mailer-daemon@example.com" + ] + }, + "x_mailer": "Microsoft Outlook 16.0" + }, + "event": { + "category": [ + "email" + ], + "id": "401ccabc-1234-123-1234-babc74fce1a4", + "kind": "event", + "original": "{\"spamScore\":0,\"phishScore\":0,\"threatsInfoMap\":[{\"threatID\":\"dhgonvjabcdefghijkabcdefghijkabcdefghijkabcdefghijkhlonvjdsabcdefgh\",\"threatStatus\":\"active\",\"classification\":\"malware\",\"threatUrl\":\"https://threatinsight.proofpoint.com/adhgon-vjdsd-efghjikhlon-abcdefghij/threat/email/792e8d28448xxxxxxxxxxxxxxxxx8448c792xxxxx1af132onvjdsvsbnvjd\",\"threatTime\":\"2022-01-01T02:03:40.050Z\",\"threat\":\"example.com/xyz/\",\"campaignID\":null,\"threatType\":\"url\"}],\"messageTime\":\"2022-01-01T00:45:55.050Z\",\"impostorScore\":0.0,\"malwareScore\":100,\"cluster\":\"pharmtech_hosted\",\"subject\":\"Re: Delayed Mail (still being retried)\",\"quarantineFolder\":null,\"quarantineRule\":null,\"policyRoutes\":[\"default_inbound\"],\"modulesRun\":[\"av\",\"zerohour\",\"dkimv\",\"spf\",\"spam\",\"dmarc\",\"pdr\"],\"messageSize\":3102,\"headerFrom\":\"\u003cinfo@example.com\u003e\",\"headerReplyTo\":null,\"fromAddress\":[\"info@example.com\"],\"ccAddresses\":[],\"replyToAddress\":[],\"toAddresses\":[\"mailer-daemon@example.com\"],\"xmailer\":\"Microsoft Outlook 
16.0\",\"messageParts\":[{\"disposition\":\"inline\",\"sha256\":\"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e\",\"md5\":\"b10a8db164e0754105b7a99be72e3fe5\",\"filename\":\"text.html\",\"sandboxStatus\":null,\"oContentType\":\"text/html\",\"contentType\":\"text/html\"}],\"completelyRewritten\":false,\"id\":\"401ccabc-1234-123-1234-babc74fce1a4\",\"QID\":\"3XXXXgaXXX-1\",\"GUID\":\"qxxlnx-xxxxxNxXGxQxWxPxxxxx0\",\"sender\":\"info@example.com\",\"recipient\":[\"mailer-daemon@example.com\"],\"senderIP\":\"1.128.3.4\",\"messageID\":\"\u003c3f208x0sga-1@m0116781.example.com\u003e\"}", + "type": [ + "denied" + ] + }, + "proofpoint_tap": { + "guid": "qxxlnx-xxxxxNxXGxQxWxPxxxxx0", + "message_blocked": { + "cluster": "pharmtech_hosted", + "completely_rewritten": "false", + "header": { + "from": "info@example.com" + }, + "impostor_score": 0.0, + "malware_score": 100, + "message_parts": [ + { + "disposition": "inline", + "o_content_type": "text/html" + } + ], + "message_size": 3102, + "modules_run": [ + "av", + "zerohour", + "dkimv", + "spf", + "spam", + "dmarc", + "pdr" + ], + "phish_score": 0, + "policy_routes": [ + "default_inbound" + ], + "qid": "3XXXXgaXXX-1", + "recipient": [ + "mailer-daemon@example.com" + ], + "spam_score": 0, + "threat_info_map": [ + { + "classification": "malware", + "threat": { + "artifact": "example.com/xyz/", + "id": "dhgonvjabcdefghijkabcdefghijkabcdefghijkabcdefghijkhlonvjdsabcdefgh", + "status": "active", + "time": "2022-01-01T02:03:40.050Z", + "type": "url", + "url": "https://threatinsight.proofpoint.com/adhgon-vjdsd-efghjikhlon-abcdefghij/threat/email/792e8d28448xxxxxxxxxxxxxxxxx8448c792xxxxx1af132onvjdsvsbnvjd" + } + } + ], + "to_addresses": [ + "mailer-daemon@example.com" + ] + } + }, + "related": { + "hash": [ + "b10a8db164e0754105b7a99be72e3fe5", + "a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e" + ], + "ip": [ + "1.128.3.4" + ] + }, + "source": { + "as": { + "number": 1221, + "organization": { + 
"name": "Telstra Pty Ltd" + } + }, + "ip": "1.128.3.4" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "8.2.0" + }, + "email": { + "attachments": [ + { + "file": { + "hash": { + "md5": "b10a8db164e0754105b7a99be72e3fe5", + "sha256": "a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e" + }, + "mime_type": "text/html", + "name": "text.html" + } + } + ], + "delivery_timestamp": "2022-01-01T01:25:59.059Z", + "from": { + "address": [ + "contact@example.com" + ] + }, + "message_id": "20220329151120.AAAB383797@example.com", + "sender": { + "address": "contact@example.com" + }, + "subject": "Re: Undelivered Mail Returned to Sender", + "to": { + "address": [ + "mailer-daemon@example.com" + ] + }, + "x_mailer": "Microsoft Outlook 16.0" + }, + "event": { + "category": [ + "email" + ], + "id": "443bacb2-1234-1234-1234-8abcaaa28260", + "kind": "event", + "original": "{\"spamScore\":0,\"phishScore\":0,\"threatsInfoMap\":[{\"threatID\":\"8defghjikhlonvjdsvsbdhgonvjdsdefghjikhlonvjdsvsbnvjdsvsbvjdsvsb8\",\"threatStatus\":\"active\",\"classification\":\"malware\",\"threatUrl\":\"https://threatinsight.proofpoint.com/adhgo-nvjdsdef-ghjikhlonv-abcdefghij/threat/email/848c79xxxxxxxxxxxxxxxxbdadkh79xxxxxxxxxxxxxx1aa6a88fdbdadkh217b1af8\",\"threatTime\":\"2022-01-01T10:10:02.020Z\",\"threat\":\"example.com/xyz/\",\"campaignID\":null,\"threatType\":\"url\"}],\"messageTime\":\"2022-01-01T01:25:59.059Z\",\"impostorScore\":0.0,\"malwareScore\":100,\"cluster\":\"pharmtech_hosted\",\"subject\":\"Re: Undelivered Mail Returned to Sender\",\"quarantineFolder\":null,\"quarantineRule\":null,\"policyRoutes\":[\"default_inbound\"],\"modulesRun\":[\"av\",\"zerohour\",\"spf\",\"spam\",\"dmarc\",\"pdr\"],\"messageSize\":2278,\"headerFrom\":\"\u003ccontact@example.com\u003e\",\"headerReplyTo\":null,\"fromAddress\":[\"contact@example.com\"],\"ccAddresses\":[],\"replyToAddress\":[],\"toAddresses\":[\"mailer-daemon@example.com\"],\"xmailer\":\"Microsoft 
Outlook 16.0\",\"messageParts\":[{\"disposition\":\"inline\",\"sha256\":\"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e\",\"md5\":\"b10a8db164e0754105b7a99be72e3fe5\",\"filename\":\"text.html\",\"sandboxStatus\":null,\"oContentType\":\"text/html\",\"contentType\":\"text/html\"}],\"completelyRewritten\":false,\"id\":\"443bacb2-1234-1234-1234-8abcaaa28260\",\"QID\":\"3XXfXX2X1XXX\",\"GUID\":\"LQxxx9xNxcxxx_xjxexLrxxnxQx9xdxx3xx\",\"sender\":\"contact@example.com\",\"recipient\":[\"mailer-daemon@example.com\"],\"senderIP\":\"1.128.3.4\",\"messageID\":\"\u003c20220329151120.AAAB383797@example.com\u003e\"}", + "type": [ + "denied" + ] + }, + "proofpoint_tap": { + "guid": "LQxxx9xNxcxxx_xjxexLrxxnxQx9xdxx3xx", + "message_blocked": { + "cluster": "pharmtech_hosted", + "completely_rewritten": "false", + "header": { + "from": "contact@example.com" + }, + "impostor_score": 0.0, + "malware_score": 100, + "message_parts": [ + { + "disposition": "inline", + "o_content_type": "text/html" + } + ], + "message_size": 2278, + "modules_run": [ + "av", + "zerohour", + "spf", + "spam", + "dmarc", + "pdr" + ], + "phish_score": 0, + "policy_routes": [ + "default_inbound" + ], + "qid": "3XXfXX2X1XXX", + "recipient": [ + "mailer-daemon@example.com" + ], + "spam_score": 0, + "threat_info_map": [ + { + "classification": "malware", + "threat": { + "artifact": "example.com/xyz/", + "id": "8defghjikhlonvjdsvsbdhgonvjdsdefghjikhlonvjdsvsbnvjdsvsbvjdsvsb8", + "status": "active", + "time": "2022-01-01T10:10:02.020Z", + "type": "url", + "url": "https://threatinsight.proofpoint.com/adhgo-nvjdsdef-ghjikhlonv-abcdefghij/threat/email/848c79xxxxxxxxxxxxxxxxbdadkh79xxxxxxxxxxxxxx1aa6a88fdbdadkh217b1af8" + } + } + ], + "to_addresses": [ + "mailer-daemon@example.com" + ] + } + }, + "related": { + "hash": [ + "b10a8db164e0754105b7a99be72e3fe5", + "a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e" + ], + "ip": [ + "1.128.3.4" + ] + }, + "source": { + "as": { + "number": 
1221, + "organization": { + "name": "Telstra Pty Ltd" + } + }, + "ip": "1.128.3.4" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "8.2.0" + }, + "email": { + "attachments": [ + { + "file": { + "hash": { + "md5": "b10a8db164e0754105b7a99be72e3fe5", + "sha256": "a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e" + }, + "mime_type": "text/html", + "name": "text.html" + } + } + ], + "delivery_timestamp": "2022-01-01T04:51:56.269Z", + "from": { + "address": [ + "noreply@example.com" + ] + }, + "message_id": "3f21wvrsws-1@example.com", + "sender": { + "address": "noreply@example.com" + }, + "subject": "Re: Undelivered Mail Returned to Sender [BACKSCATTER DETECTED]", + "to": { + "address": [ + "mailer-daemon@example.com" + ] + }, + "x_mailer": "Microsoft Outlook 16.0" + }, + "event": { + "category": [ + "email" + ], + "id": "0c8eabc5-1234-1234-1234-cabcb7b41c86", + "kind": "event", + "original": "{\"spamScore\":0,\"phishScore\":0,\"threatsInfoMap\":[{\"threatID\":\"6abcdefghijkabcdefghijkabcdefghijk7503ddcabcdefghijkabcdefghijk\",\"threatStatus\":\"active\",\"classification\":\"malware\",\"threatUrl\":\"https://threatinsight.proofpoint.com/adhg-onvjdsdefgh-jikhlonvjdsv-abcdefghij/threat/email/6d748c7921afxxxxxxxxxxxxxxxxxhc7921af13xxxxxxxxxxxxxxxxxxxxxd267a\",\"threatTime\":\"2022-01-01T11:06:50.580Z\",\"threat\":\"example.com/xyz/\",\"campaignID\":null,\"threatType\":\"url\"}],\"messageTime\":\"2022-01-01T04:51:56.269Z\",\"impostorScore\":0.0,\"malwareScore\":100,\"cluster\":\"pharmtech_hosted\",\"subject\":\"Re: Undelivered Mail Returned to Sender [BACKSCATTER 
DETECTED]\",\"quarantineFolder\":null,\"quarantineRule\":null,\"policyRoutes\":[\"default_inbound\"],\"modulesRun\":[\"av\",\"zerohour\",\"dkimv\",\"spf\",\"spam\",\"dmarc\",\"pdr\"],\"messageSize\":2755,\"headerFrom\":\"\u003cnoreply@example.com\u003e\",\"headerReplyTo\":null,\"fromAddress\":[\"noreply@example.com\"],\"ccAddresses\":[],\"replyToAddress\":[],\"toAddresses\":[\"mailer-daemon@example.com\"],\"xmailer\":\"Microsoft Outlook 16.0\",\"messageParts\":[{\"disposition\":\"inline\",\"sha256\":\"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e\",\"md5\":\"b10a8db164e0754105b7a99be72e3fe5\",\"filename\":\"text.html\",\"sandboxStatus\":null,\"oContentType\":\"text/html\",\"contentType\":\"text/html\"}],\"completelyRewritten\":false,\"id\":\"0c8eabc5-1234-1234-1234-cabcb7b41c86\",\"QID\":\"XXsXXX-XXX1XX\",\"GUID\":\"6xxxx6xmxxxfxcxTxAxExxDxxxxx2\",\"sender\":\"noreply@example.com\",\"recipient\":[\"mailer-daemon@example.com\"],\"senderIP\":\"175.16.199.1\",\"messageID\":\"\u003c3f21wvrsws-1@example.com\u003e\"}", + "type": [ + "denied" + ] + }, + "proofpoint_tap": { + "guid": "6xxxx6xmxxxfxcxTxAxExxDxxxxx2", + "message_blocked": { + "cluster": "pharmtech_hosted", + "completely_rewritten": "false", + "header": { + "from": "noreply@example.com" + }, + "impostor_score": 0.0, + "malware_score": 100, + "message_parts": [ + { + "disposition": "inline", + "o_content_type": "text/html" + } + ], + "message_size": 2755, + "modules_run": [ + "av", + "zerohour", + "dkimv", + "spf", + "spam", + "dmarc", + "pdr" + ], + "phish_score": 0, + "policy_routes": [ + "default_inbound" + ], + "qid": "XXsXXX-XXX1XX", + "recipient": [ + "mailer-daemon@example.com" + ], + "spam_score": 0, + "threat_info_map": [ + { + "classification": "malware", + "threat": { + "artifact": "example.com/xyz/", + "id": "6abcdefghijkabcdefghijkabcdefghijk7503ddcabcdefghijkabcdefghijk", + "status": "active", + "time": "2022-01-01T11:06:50.580Z", + "type": "url", + "url": 
"https://threatinsight.proofpoint.com/adhg-onvjdsdefgh-jikhlonvjdsv-abcdefghij/threat/email/6d748c7921afxxxxxxxxxxxxxxxxxhc7921af13xxxxxxxxxxxxxxxxxxxxxd267a" + } + } + ], + "to_addresses": [ + "mailer-daemon@example.com" + ] + } + }, + "related": { + "hash": [ + "b10a8db164e0754105b7a99be72e3fe5", + "a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e" + ], + "ip": [ + "175.16.199.1" + ] + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "8.2.0" + }, + "email": { + "attachments": [ + { + "file": { + "hash": { + "md5": "b10a8db164e0754105b7a99be72e3fe5", + "sha256": "a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e" + }, + "mime_type": "text/html", + "name": "text.html" + } + }, + { + "file": { + "hash": { + "md5": "b10a8db164e0754105b7a99be72e3fe5", + "sha256": "a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e" + }, + "mime_type": "text/plain", + "name": "text.txt" + } + }, + { + "file": { + "hash": { + "md5": "b10a8db164e0754105b7a99be72e3fe5", + "sha256": "a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e" + }, + "mime_type": "text/plain", + "name": "text.txt" + } + }, + { + "file": { + "hash": { + "md5": "b10a8db164e0754105b7a99be72e3fe5", + "sha256": "a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e" + }, + "mime_type": "text/html", + "name": "text.html" + } + }, + { + "file": { + "hash": { + "md5": "b10a8db164e0754105b7a99be72e3fe5", + "sha256": "a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e" + }, + "mime_type": "image/png", + "name": "image001.png" + } + } + ], + "delivery_timestamp": "2022-01-01T00:25:20.010Z", + "from": { + "address": [ + 
"abc@example.com" + ] + }, + "message_id": "77F0EA74-7D6F-453A-AB7F-31B192481AE8@example.com", + "sender": { + "address": "abc@example.com" + }, + "subject": "Statement From (Trinity Groundwater)", + "to": { + "address": [ + "mail@example.com", + "abc@example.com", + "mailer-daemon@example.com" + ] + } + }, + "event": { + "category": [ + "email" + ], + "id": "8f12300-f387-1234-xxxx-a4abcd12347", + "kind": "event", + "original": "{\"spamScore\":100,\"phishScore\":100,\"threatsInfoMap\":[{\"threatID\":\"cfdhgondhgonvjdsdefghjikhlonvjdsvsbnvjd56546ghjikhlonvjdsvsbnvjd\",\"threatStatus\":\"active\",\"classification\":\"phish\",\"threatUrl\":\"https://threatinsight.proofpoint.com/adhgon-vjdsdef-ghjikhlonv-abcdefghij/threat/email/7921af132d1aa6a88fdbdadkhlonvj1a8xxxxxxxxxxxxxxxxxxxxxdkhlonvj1\",\"threatTime\":\"2022-01-01T05:02:48.832Z\",\"threat\":\"https://example.com/\",\"campaignID\":null,\"threatType\":\"url\"},{\"threatID\":\"124563bcdefghijkabcdefghi201256abcdefghijk201256aswe20abc\",\"threatStatus\":\"active\",\"classification\":\"phish\",\"threatUrl\":\"https://threatinsight.proofpoint.com/abcdefgh-1234-1234-1234-1234-abcdefgh/threat/email/85738a8x9x7x1x04x5329xaadc9x425925abdf84089wcwe3x022xx4x19x123\",\"threatTime\":\"2022-01-01T00:00:00.000Z\",\"threat\":\"example.com\",\"campaignID\":null,\"threatType\":\"url\"}],\"messageTime\":\"2022-01-01T00:25:20.010Z\",\"impostorScore\":0.0,\"malwareScore\":0,\"cluster\":\"pharmtech_hosted\",\"subject\":\"Statement From (Trinity Groundwater)\",\"quarantineFolder\":null,\"quarantineRule\":null,\"policyRoutes\":[\"default_inbound\",\"allow_relay\"],\"modulesRun\":[\"av\",\"zerohour\",\"dkimv\",\"spf\",\"spam\",\"dmarc\"],\"messageSize\":111091,\"headerFrom\":\"Laura Schumacher 
\u003cabc@example.com\u003e\",\"headerReplyTo\":null,\"fromAddress\":[\"abc@example.com\"],\"ccAddresses\":[],\"replyToAddress\":[],\"toAddresses\":[\"mail@example.com\",\"abc@example.com\"],\"xmailer\":null,\"messageParts\":[{\"disposition\":\"inline\",\"sha256\":\"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e\",\"md5\":\"b10a8db164e0754105b7a99be72e3fe5\",\"filename\":\"text.html\",\"sandboxStatus\":null,\"oContentType\":\"text/html\",\"contentType\":\"text/html\"},{\"disposition\":\"inline\",\"sha256\":\"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e\",\"md5\":\"b10a8db164e0754105b7a99be72e3fe5\",\"filename\":\"text.txt\",\"sandboxStatus\":null,\"oContentType\":\"text/plain\",\"contentType\":\"text/plain\"},{\"disposition\":\"inline\",\"sha256\":\"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e\",\"md5\":\"b10a8db164e0754105b7a99be72e3fe5\",\"filename\":\"text.txt\",\"sandboxStatus\":null,\"oContentType\":\"text/plain\",\"contentType\":\"text/plain\"},{\"disposition\":\"inline\",\"sha256\":\"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e\",\"md5\":\"b10a8db164e0754105b7a99be72e3fe5\",\"filename\":\"text.html\",\"sandboxStatus\":null,\"oContentType\":\"text/html\",\"contentType\":\"text/html\"},{\"disposition\":\"attached\",\"sha256\":\"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e\",\"md5\":\"b10a8db164e0754105b7a99be72e3fe5\",\"filename\":\"image001.png\",\"sandboxStatus\":null,\"oContentType\":\"image/png\",\"contentType\":\"image/png\"}],\"completelyRewritten\":false,\"id\":\"8f12300-f387-1234-xxxx-a4abcd12347\",\"QID\":\"0XX0XXXXaX3XXX-X1\",\"GUID\":\"_pxxxxOxQxxXxx4wxjxtx2xxxTxxxYxxx\",\"sender\":\"abc@example.com\",\"recipient\":[\"mailer-daemon@example.com\"],\"senderIP\":\"175.16.199.1\",\"messageID\":\"\u003c77F0EA74-7D6F-453A-AB7F-31B192481AE8@example.com\u003e\"}", + "type": [ + "denied" + ] + }, + "proofpoint_tap": { + "guid": 
"_pxxxxOxQxxXxx4wxjxtx2xxxTxxxYxxx", + "message_blocked": { + "cluster": "pharmtech_hosted", + "completely_rewritten": "false", + "header": { + "from": "Laura Schumacher abc@example.com" + }, + "impostor_score": 0.0, + "malware_score": 0, + "message_parts": [ + { + "disposition": "inline", + "o_content_type": "text/html" + }, + { + "disposition": "inline", + "o_content_type": "text/plain" + }, + { + "disposition": "inline", + "o_content_type": "text/plain" + }, + { + "disposition": "inline", + "o_content_type": "text/html" + }, + { + "disposition": "attached", + "o_content_type": "image/png" + } + ], + "message_size": 111091, + "modules_run": [ + "av", + "zerohour", + "dkimv", + "spf", + "spam", + "dmarc" + ], + "phish_score": 100, + "policy_routes": [ + "default_inbound", + "allow_relay" + ], + "qid": "0XX0XXXXaX3XXX-X1", + "recipient": [ + "mailer-daemon@example.com" + ], + "spam_score": 100, + "threat_info_map": [ + { + "classification": "phish", + "threat": { + "artifact": "https://example.com/", + "id": "cfdhgondhgonvjdsdefghjikhlonvjdsvsbnvjd56546ghjikhlonvjdsvsbnvjd", + "status": "active", + "time": "2022-01-01T05:02:48.832Z", + "type": "url", + "url": "https://threatinsight.proofpoint.com/adhgon-vjdsdef-ghjikhlonv-abcdefghij/threat/email/7921af132d1aa6a88fdbdadkhlonvj1a8xxxxxxxxxxxxxxxxxxxxxdkhlonvj1" + } + }, + { + "classification": "phish", + "threat": { + "artifact": "example.com", + "id": "124563bcdefghijkabcdefghi201256abcdefghijk201256aswe20abc", + "status": "active", + "time": "2022-01-01T00:00:00.000Z", + "type": "url", + "url": "https://threatinsight.proofpoint.com/abcdefgh-1234-1234-1234-1234-abcdefgh/threat/email/85738a8x9x7x1x04x5329xaadc9x425925abdf84089wcwe3x022xx4x19x123" + } + } + ], + "to_addresses": [ + "mail@example.com", + "abc@example.com" + ] + } + }, + "related": { + "hash": [ + "b10a8db164e0754105b7a99be72e3fe5", + "a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e" + ], + "ip": [ + "175.16.199.1" + ] + }, + "source": 
{ + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "8.2.0" + }, + "email": { + "attachments": [ + { + "file": { + "hash": { + "md5": "b10a8db164e0754105b7a99be72e3fe5", + "sha256": "a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e" + }, + "mime_type": "text/html", + "name": "text.html" + } + } + ], + "delivery_timestamp": "2022-01-01T00:00:00.000Z", + "from": { + "address": [ + "man.web@example.com" + ] + }, + "message_id": "20220327194933.12463F24B8AC1B73@example.com", + "sender": { + "address": "man.web@example.com" + }, + "subject": "(1) VOICE MAIL MESSSAGE", + "to": { + "address": [ + "mailer-daemon@example.com" + ] + } + }, + "event": { + "category": [ + "email" + ], + "id": "ee212323-1234-1234-1234-0f0abcd123456", + "kind": "event", + "original": "{\"spamScore\":100,\"phishScore\":100,\"threatsInfoMap\":[{\"threatID\":\"9dhgabcdefghijkhgonvjdsdefghjikhlonvjdsvsbnvjdvjdsdefghjikhlonv\",\"threatStatus\":\"active\",\"classification\":\"phish\",\"threatUrl\":\"https://threatinsight.proofpoint.com/adhgon-vjdsdefghj-ikhlonvj-abcdefghij/threat/email/97921af132d1aa6a88fdbdadkhlonvjbc9fxxxxxxxxxxxxxxxxxxxxxbdadkhlonvjd\",\"threatTime\":\"2022-01-01T03:02:25.092Z\",\"threat\":\"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e\",\"campaignID\":null,\"threatType\":\"url\"}],\"messageTime\":\"2022-01-01T00:00:00.000Z\",\"impostorScore\":0.0,\"malwareScore\":0,\"cluster\":\"pharmtech_hosted\",\"subject\":\"(1) VOICE MAIL MESSSAGE\",\"quarantineFolder\":null,\"quarantineRule\":null,\"policyRoutes\":[\"default_inbound\"],\"modulesRun\":[\"av\",\"zerohour\",\"dkimv\",\"spf\",\"spam\",\"dmarc\",\"pdr\"],\"messageSize\":5776,\"headerFrom\":\"VOICE 
MAIL\u003cman.web@example.com\u003e\",\"headerReplyTo\":null,\"fromAddress\":[\"man.web@example.com\"],\"ccAddresses\":[],\"replyToAddress\":[],\"toAddresses\":[\"mailer-daemon@example.com\"],\"xmailer\":null,\"messageParts\":[{\"disposition\":\"inline\",\"sha256\":\"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e\",\"md5\":\"b10a8db164e0754105b7a99be72e3fe5\",\"filename\":\"text.html\",\"sandboxStatus\":null,\"oContentType\":\"text/html\",\"contentType\":\"text/html\"}],\"completelyRewritten\":false,\"id\":\"ee212323-1234-1234-1234-0f0abcd123456\",\"QID\":\"3XXXf1XaXX-X1XX\",\"GUID\":\"gxxxxxgxx3xcx-MxZxixxoxxxxxAxxx2\",\"sender\":\"man.web@example.com\",\"recipient\":[\"mailer-daemon@example.com\"],\"senderIP\":\"175.16.199.1\",\"messageID\":\"\u003c20220327194933.12463F24B8AC1B73@example.com\u003e\"}", + "type": [ + "denied" + ] + }, + "proofpoint_tap": { + "guid": "gxxxxxgxx3xcx-MxZxixxoxxxxxAxxx2", + "message_blocked": { + "cluster": "pharmtech_hosted", + "completely_rewritten": "false", + "header": { + "from": "VOICE MAILman.web@example.com" + }, + "impostor_score": 0.0, + "malware_score": 0, + "message_parts": [ + { + "disposition": "inline", + "o_content_type": "text/html" + } + ], + "message_size": 5776, + "modules_run": [ + "av", + "zerohour", + "dkimv", + "spf", + "spam", + "dmarc", + "pdr" + ], + "phish_score": 100, + "policy_routes": [ + "default_inbound" + ], + "qid": "3XXXf1XaXX-X1XX", + "recipient": [ + "mailer-daemon@example.com" + ], + "spam_score": 100, + "threat_info_map": [ + { + "classification": "phish", + "threat": { + "artifact": "a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e", + "id": "9dhgabcdefghijkhgonvjdsdefghjikhlonvjdsvsbnvjdvjdsdefghjikhlonv", + "status": "active", + "time": "2022-01-01T03:02:25.092Z", + "type": "url", + "url": "https://threatinsight.proofpoint.com/adhgon-vjdsdefghj-ikhlonvj-abcdefghij/threat/email/97921af132d1aa6a88fdbdadkhlonvjbc9fxxxxxxxxxxxxxxxxxxxxxbdadkhlonvjd" + } + } + ], 
+ "to_addresses": [ + "mailer-daemon@example.com" + ] + } + }, + "related": { + "hash": [ + "b10a8db164e0754105b7a99be72e3fe5", + "a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e" + ], + "ip": [ + "175.16.199.1" + ] + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "8.2.0" + }, + "email": { + "attachments": [ + { + "file": { + "hash": { + "md5": "b10a8db164e0754105b7a99be72e3fe5", + "sha256": "a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e" + }, + "mime_type": "text/html", + "name": "text.html" + } + } + ], + "delivery_timestamp": "2022-01-01T05:00:02.010Z", + "from": { + "address": [ + "man.web@example.com" + ] + }, + "message_id": "20220327194933.12463F24B8AC1B73@example.com", + "sender": { + "address": "man.web@example.com" + }, + "subject": "(1) VOICE MAIL MESSSAGE", + "to": { + "address": [ + "mailer-daemon@example.com" + ] + } + }, + "event": { + "category": [ + "email" + ], + "id": "ee212323-1234-1234-1234-0f0abcd123456", + "kind": "event", + "original": "{\"spamScore\":100,\"phishScore\":100,\"threatsInfoMap\":[{\"threatID\":\"abcdefghijkabcdefghijkabcdefghijkefghjikhlonvjdsvsbnvjd\",\"threatStatus\":\"active\",\"classification\":\"phish\",\"threatUrl\":\"https://threatinsight.proofpoint.com/adhgonvj-dsdefgh-jikhlon-abcdefghij/threat/email/7921af132xxxxxxxxxxxxxxxxxxviuerhvuie35abcdefghabcdefghijk\",\"threatTime\":\"2022-01-01T00:00:00.000Z\",\"threat\":\"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e\",\"campaignID\":null,\"threatType\":\"url\"}],\"messageTime\":\"2022-01-01T05:00:02.010Z\",\"impostorScore\":0.0,\"malwareScore\":0,\"cluster\":\"pharmtech_hosted\",\"subject\":\"(1) VOICE MAIL 
MESSSAGE\",\"quarantineFolder\":null,\"quarantineRule\":null,\"policyRoutes\":[\"default_inbound\"],\"modulesRun\":[\"av\",\"zerohour\",\"dkimv\",\"spf\",\"spam\",\"dmarc\",\"pdr\"],\"messageSize\":5776,\"headerFrom\":\"VOICE MAIL\u003cman.web@example.com\u003e\",\"headerReplyTo\":null,\"fromAddress\":[\"man.web@example.com\"],\"ccAddresses\":[],\"replyToAddress\":[],\"toAddresses\":[\"mailer-daemon@example.com\"],\"xmailer\":null,\"messageParts\":[{\"disposition\":\"inline\",\"sha256\":\"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e\",\"md5\":\"b10a8db164e0754105b7a99be72e3fe5\",\"filename\":\"text.html\",\"sandboxStatus\":null,\"oContentType\":\"text/html\",\"contentType\":\"text/html\"}],\"completelyRewritten\":false,\"id\":\"ee212323-1234-1234-1234-0f0abcd123456\",\"QID\":\"3XXfXabXcXXXX1\",\"GUID\":\"gxxxxgx3xcx-xMx7xPxxZxxxxoxAx2xxxxx\",\"sender\":\"man.web@example.com\",\"recipient\":[\"mailer-daemon@example.com\"],\"senderIP\":\"\",\"messageID\":\"\u003c20220327194933.12463F24B8AC1B73@example.com\u003e\"}", + "type": [ + "denied" + ] + }, + "proofpoint_tap": { + "guid": "gxxxxgx3xcx-xMx7xPxxZxxxxoxAx2xxxxx", + "message_blocked": { + "cluster": "pharmtech_hosted", + "completely_rewritten": "false", + "header": { + "from": "VOICE MAILman.web@example.com" + }, + "impostor_score": 0.0, + "malware_score": 0, + "message_parts": [ + { + "disposition": "inline", + "o_content_type": "text/html" + } + ], + "message_size": 5776, + "modules_run": [ + "av", + "zerohour", + "dkimv", + "spf", + "spam", + "dmarc", + "pdr" + ], + "phish_score": 100, + "policy_routes": [ + "default_inbound" + ], + "qid": "3XXfXabXcXXXX1", + "recipient": [ + "mailer-daemon@example.com" + ], + "spam_score": 100, + "threat_info_map": [ + { + "classification": "phish", + "threat": { + "artifact": "a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e", + "id": "abcdefghijkabcdefghijkabcdefghijkefghjikhlonvjdsvsbnvjd", + "status": "active", + "time": 
"2022-01-01T00:00:00.000Z", + "type": "url", + "url": "https://threatinsight.proofpoint.com/adhgonvj-dsdefgh-jikhlon-abcdefghij/threat/email/7921af132xxxxxxxxxxxxxxxxxxviuerhvuie35abcdefghabcdefghijk" + } + } + ], + "to_addresses": [ + "mailer-daemon@example.com" + ] + } + }, + "related": { + "hash": [ + "b10a8db164e0754105b7a99be72e3fe5", + "a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e" + ] + }, + "tags": [ + "preserve_original_event" + ] + } + ] +} \ No newline at end of file diff --git a/packages/proofpoint_tap/data_stream/message_blocked/_dev/test/system/test-default-config.yml b/packages/proofpoint_tap/data_stream/message_blocked/_dev/test/system/test-default-config.yml new file mode 100644 index 00000000000..ec9377ca329 --- /dev/null +++ b/packages/proofpoint_tap/data_stream/message_blocked/_dev/test/system/test-default-config.yml @@ -0,0 +1,9 @@ +input: httpjson +service: proofpoint_tap +vars: + url: http://{{Hostname}}:{{Port}} + principal: xxxx + secret: xxxx +data_stream: + vars: + preserve_original_event: true diff --git a/packages/proofpoint_tap/data_stream/message_blocked/agent/stream/httpjson.yml.hbs b/packages/proofpoint_tap/data_stream/message_blocked/agent/stream/httpjson.yml.hbs new file mode 100644 index 00000000000..2c5d71539ce --- /dev/null +++ b/packages/proofpoint_tap/data_stream/message_blocked/agent/stream/httpjson.yml.hbs 
@@ -0,0 +1,44 @@
+config_version: 2
+interval: {{interval}}
+{{#if proxy_url }}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+request.method: GET
+request.url: {{url}}/v2/siem/messages/blocked
+auth.basic.user: {{principal}}
+auth.basic.password: {{secret}}
+request.transforms:
+ - set:
+ target: url.params.format
+ value: json
+ - set:
+ target: url.params.interval
+ value: '[[if (le (formatDate ((parseDate .cursor.last_received_time "RFC3339").Add (parseDuration "1h"))) (formatDate (now)))]][[formatDate (parseDate .cursor.last_received_time "RFC3339")]]/[[formatDate ((parseDate .cursor.last_received_time "RFC3339").Add (parseDuration "1h"))]][[else]][[formatDate (parseDate .cursor.last_received_time "RFC3339")]]/[[formatDate now]][[end]]'
+ default: '[[formatDate (now (parseDuration "-{{initial_interval}}"))]]/[[formatDate ((now (parseDuration "-{{initial_interval}}")).Add (parseDuration "1h"))]]'
+response.pagination:
+ - set:
+ target: url.params.interval
+ value: '[[if (le (formatDate ((parseDate .last_response.body.queryEndTime "RFC3339").Add (parseDuration "1h"))) (formatDate (now)))]][[formatDate (parseDate .last_response.body.queryEndTime "RFC3339")]]/[[formatDate ((parseDate .last_response.body.queryEndTime "RFC3339").Add (parseDuration "1h"))]][[else]][[.last_response.terminate_pagination]][[end]]'
+ fail_on_template_error: true
+cursor:
+ last_received_time:
+ value: '[[.last_response.body.queryEndTime]]'
+response.split:
+ target: body.messagesBlocked
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
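Review bot: `auth.basic.user: {{principal}}` and `auth.basic.password: {{secret}}` are rendered as unquoted plain scalars, so a credential that contains ` #` or `: `, or starts with `*`, `&`, `[` or `{`, is truncated or rejected when the rendered YAML is parsed, and an all-digit secret is retyped as a number; `request.url: {{url}}/v2/siem/messages/blocked` has the same exposure. Quoting the templated values, `auth.basic.user: "{{principal}}"` and `auth.basic.password: "{{secret}}"`, keeps them strings; a quote character inside the secret would still need escaping, so whether this template dialect escapes it should be confirmed against a rendered config. The two long `[[if ...]]` expressions under `request.transforms` and `response.pagination` would also benefit from a one-line comment stating why each request window is capped at one hour, since nothing in the file records that intent.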
diff --git a/packages/proofpoint_tap/data_stream/message_blocked/elasticsearch/ingest_pipeline/default.yml b/packages/proofpoint_tap/data_stream/message_blocked/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..73da7207a7f --- /dev/null +++ b/packages/proofpoint_tap/data_stream/message_blocked/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,443 @@ +--- +description: Pipeline for parsing Proofpoint TAP blocked message logs. +processors: + - set: + field: ecs.version + value: '8.2.0' + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: json + ignore_failure: true + - fingerprint: + fields: + - json.GUID + - json.messageTime + target_field: _id + ignore_missing: true + - append: + field: event.category + value: email + ignore_failure: true + - append: + field: event.type + value: denied + ignore_failure: true + - set: + field: event.kind + value: event + - convert: + field: json.senderIP + target_field: source.ip + type: ip + ignore_failure: true + - append: + field: related.ip + value: '{{{source.ip}}}' + if: ctx.source?.ip != null && ctx.source?.ip != '' + allow_duplicates: false + ignore_failure: true + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + if: ctx.source?.ip != null && ctx.source?.ip != '' + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + if: ctx.source?.ip != null && ctx.source?.ip != '' + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - foreach: + field: json.messageParts + processor: + append: + field: related.hash + value: '{{{_ingest._value.md5}}}' + allow_duplicates: false + ignore_failure: true + ignore_failure: true + if: ctx.json?.messageParts != null && ctx.json?.messageParts instanceof List + - foreach: + field: json.messageParts + processor: + append: + field: related.hash + value: '{{{_ingest._value.sha256}}}' + allow_duplicates: false + ignore_failure: true + ignore_failure: true + if: ctx.json?.messageParts != null && ctx.json?.messageParts instanceof List + - rename: + field: 
json.ccAddresses + target_field: email.cc.address + ignore_missing: true + - date: + field: json.messageTime + target_field: email.delivery_timestamp + formats: + - ISO8601 + ignore_failure: true + - rename: + field: json.fromAddress + target_field: email.from.address + ignore_missing: true + - rename: + field: json.messageID + target_field: email.message_id + ignore_missing: true + - gsub: + field: email.message_id + pattern: '<|>' + replacement: '' + ignore_missing: true + - rename: + field: json.replyToAddress + target_field: email.reply_to.address + ignore_missing: true + - rename: + field: json.sender + target_field: email.sender.address + ignore_missing: true + - rename: + field: json.subject + target_field: email.subject + ignore_missing: true + - set: + field: email.to.address + copy_from: json.toAddresses + ignore_failure: true + - foreach: + field: json.recipient + processor: + append: + field: email.to.address + value: '{{{_ingest._value}}}' + allow_duplicates: false + ignore_failure: true + ignore_failure: true + if: ctx.json?.recipient != null && ctx.json?.recipient instanceof List + - rename: + field: json.xmailer + target_field: email.x_mailer + ignore_missing: true + - rename: + field: json.id + target_field: event.id + ignore_missing: true + - set: + field: email.attachments + copy_from: json.messageParts + ignore_failure: true + - foreach: + field: email.attachments + processor: + remove: + field: + - _ingest._value.disposition + - _ingest._value.oContentType + - _ingest._value.sandboxStatus + ignore_missing: true + ignore_failure: true + if: ctx.email?.attachments != null && ctx.email?.attachments instanceof List + - foreach: + field: email.attachments + processor: + rename: + field: _ingest._value.contentType + target_field: _ingest._value.file.mime_type + ignore_missing: true + ignore_failure: true + if: ctx.email?.attachments != null && ctx.email?.attachments instanceof List + - foreach: + field: email.attachments + processor: + rename: + 
field: _ingest._value.md5 + target_field: _ingest._value.file.hash.md5 + ignore_missing: true + ignore_failure: true + if: ctx.email?.attachments != null && ctx.email?.attachments instanceof List + - foreach: + field: email.attachments + processor: + rename: + field: _ingest._value.sha256 + target_field: _ingest._value.file.hash.sha256 + ignore_missing: true + ignore_failure: true + if: ctx.email?.attachments != null && ctx.email?.attachments instanceof List + - foreach: + field: email.attachments + processor: + rename: + field: _ingest._value.filename + target_field: _ingest._value.file.name + ignore_missing: true + ignore_failure: true + if: ctx.email?.attachments != null && ctx.email?.attachments instanceof List + - script: + description: Adding hash in related.hash from artifact field. + lang: painless + ignore_failure: true + source: | + if (ctx.json?.threatsInfoMap instanceof List) { + for (artifact in ctx.json?.threatsInfoMap) { + def flag = true; + def str = artifact.threat.toLowerCase(); + if (str?.length() == 64) { + for (int i = 0; i < str.length(); i++) { + def ch = str.charAt(i); + if ((ch < (char)'0' || ch > (char)'9') && (ch < (char)'a' || ch > (char)'f')) { + flag = false; + break; + } + } + if (flag && !ctx["related"]["hash"].contains(str)) { + ctx["related"]["hash"].add(str); + } + } + } + } + - rename: + field: json.toAddresses + target_field: proofpoint_tap.message_blocked.to_addresses + ignore_missing: true + - rename: + field: json.recipient + target_field: proofpoint_tap.message_blocked.recipient + ignore_missing: true + - rename: + field: json.cluster + target_field: proofpoint_tap.message_blocked.cluster + ignore_missing: true + - convert: + field: json.completelyRewritten + target_field: proofpoint_tap.message_blocked.completely_rewritten + type: string + ignore_failure: true + - rename: + field: json.GUID + target_field: proofpoint_tap.guid + ignore_missing: true + - rename: + field: json.headerCC + target_field: 
proofpoint_tap.message_blocked.header.cc + ignore_missing: true + - rename: + field: json.headerFrom + target_field: proofpoint_tap.message_blocked.header.from + ignore_missing: true + - gsub: + field: proofpoint_tap.message_blocked.header.from + pattern: '<|>' + replacement: '' + ignore_missing: true + - rename: + field: json.headerReplyTo + target_field: proofpoint_tap.message_blocked.header.replyto + ignore_missing: true + - rename: + field: json.headerTo + target_field: proofpoint_tap.message_blocked.header.to + ignore_missing: true + - convert: + field: json.impostorScore + target_field: proofpoint_tap.message_blocked.impostor_score + type: double + ignore_failure: true + - convert: + field: json.malwareScore + target_field: proofpoint_tap.message_blocked.malware_score + type: long + ignore_failure: true + - rename: + field: json.messageParts + target_field: proofpoint_tap.message_blocked.message_parts + ignore_missing: true + - foreach: + field: proofpoint_tap.message_blocked.message_parts + processor: + remove: + field: + - _ingest._value.contentType + - _ingest._value.filename + - _ingest._value.md5 + - _ingest._value.sha256 + ignore_missing: true + ignore_failure: true + if: ctx.proofpoint_tap?.message_blocked?.message_parts != null && ctx.proofpoint_tap?.message_blocked?.message_parts instanceof List + - foreach: + field: proofpoint_tap.message_blocked.message_parts + processor: + rename: + field: _ingest._value.oContentType + target_field: _ingest._value.o_content_type + ignore_missing: true + ignore_failure: true + if: ctx.proofpoint_tap?.message_blocked?.message_parts != null && ctx.proofpoint_tap?.message_blocked?.message_parts instanceof List + - foreach: + field: proofpoint_tap.message_blocked.message_parts + processor: + rename: + field: _ingest._value.sandboxStatus + target_field: _ingest._value.sandbox_status + ignore_missing: true + ignore_failure: true + if: ctx.proofpoint_tap?.message_blocked?.message_parts != null && 
ctx.proofpoint_tap?.message_blocked?.message_parts instanceof List + - convert: + field: json.messageSize + target_field: proofpoint_tap.message_blocked.message_size + type: long + ignore_failure: true + - rename: + field: json.modulesRun + target_field: proofpoint_tap.message_blocked.modules_run + ignore_missing: true + - convert: + field: json.phishScore + target_field: proofpoint_tap.message_blocked.phish_score + type: long + ignore_failure: true + - rename: + field: json.policyRoutes + target_field: proofpoint_tap.message_blocked.policy_routes + ignore_missing: true + - rename: + field: json.QID + target_field: proofpoint_tap.message_blocked.qid + ignore_missing: true + - rename: + field: json.quarantineFolder + target_field: proofpoint_tap.message_blocked.quarantine.folder + ignore_missing: true + - rename: + field: json.quarantineRule + target_field: proofpoint_tap.message_blocked.quarantine.rule + ignore_missing: true + - convert: + field: json.spamScore + target_field: proofpoint_tap.message_blocked.spam_score + type: long + ignore_failure: true + - rename: + field: json.threatsInfoMap + target_field: proofpoint_tap.message_blocked.threat_info_map + ignore_missing: true + - foreach: + field: proofpoint_tap.message_blocked.threat_info_map + processor: + rename: + field: _ingest._value.campaignId + target_field: _ingest._value.campaign_id + ignore_missing: true + ignore_failure: true + if: ctx.proofpoint_tap?.message_blocked?.threat_info_map != null && ctx.proofpoint_tap?.message_blocked?.threat_info_map instanceof List + - foreach: + field: proofpoint_tap.message_blocked.threat_info_map + processor: + rename: + field: _ingest._value.threat + target_field: _ingest._value.threat.artifact + ignore_missing: true + ignore_failure: true + if: ctx.proofpoint_tap?.message_blocked?.threat_info_map != null && ctx.proofpoint_tap?.message_blocked?.threat_info_map instanceof List + - foreach: + field: proofpoint_tap.message_blocked.threat_info_map + processor: + rename: 
+ field: _ingest._value.threatID + target_field: _ingest._value.threat.id + ignore_missing: true + ignore_failure: true + if: ctx.proofpoint_tap?.message_blocked?.threat_info_map != null && ctx.proofpoint_tap?.message_blocked?.threat_info_map instanceof List + - foreach: + field: proofpoint_tap.message_blocked.threat_info_map + processor: + rename: + field: _ingest._value.threatStatus + target_field: _ingest._value.threat.status + ignore_missing: true + ignore_failure: true + if: ctx.proofpoint_tap?.message_blocked?.threat_info_map != null && ctx.proofpoint_tap?.message_blocked?.threat_info_map instanceof List + - foreach: + field: proofpoint_tap.message_blocked.threat_info_map + processor: + date: + field: _ingest._value.threatTime + target_field: _ingest._value.threat.time + ignore_failure: true + formats: + - ISO8601 + ignore_failure: true + if: ctx.proofpoint_tap?.message_blocked?.threat_info_map != null && ctx.proofpoint_tap?.message_blocked?.threat_info_map instanceof List + - foreach: + field: proofpoint_tap.message_blocked.threat_info_map + processor: + remove: + field: _ingest._value.threatTime + ignore_missing: true + ignore_failure: true + if: ctx.proofpoint_tap?.message_blocked?.threat_info_map != null && ctx.proofpoint_tap?.message_blocked?.threat_info_map instanceof List + - foreach: + field: proofpoint_tap.message_blocked.threat_info_map + processor: + rename: + field: _ingest._value.threatType + target_field: _ingest._value.threat.type + ignore_missing: true + ignore_failure: true + if: ctx.proofpoint_tap?.message_blocked?.threat_info_map != null && ctx.proofpoint_tap?.message_blocked?.threat_info_map instanceof List + - foreach: + field: proofpoint_tap.message_blocked.threat_info_map + processor: + rename: + field: _ingest._value.threatUrl + target_field: _ingest._value.threat.url + ignore_missing: true + ignore_failure: true + if: ctx.proofpoint_tap?.message_blocked?.threat_info_map != null && ctx.proofpoint_tap?.message_blocked?.threat_info_map 
instanceof List + - remove: + field: event.original + if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) + ignore_failure: true + ignore_missing: true + - remove: + field: + - json + ignore_missing: true + - script: + description: Drops null/empty values recursively. + lang: painless + source: | + boolean dropEmptyFields(Object object) { + if (object == null || object == "") { + return true; + } else if (object instanceof Map) { + ((Map) object).values().removeIf(value -> dropEmptyFields(value)); + return (((Map) object).size() == 0); + } else if (object instanceof List) { + ((List) object).removeIf(value -> dropEmptyFields(value)); + return (((List) object).length == 0); + } + return false; + } + dropEmptyFields(ctx); +on_failure: + - set: + field: error.message + value: '{{{_ingest.on_failure_message}}}' diff --git a/packages/proofpoint_tap/data_stream/message_blocked/fields/agent.yml b/packages/proofpoint_tap/data_stream/message_blocked/fields/agent.yml new file mode 100644 index 00000000000..73e076a93b1 --- /dev/null +++ b/packages/proofpoint_tap/data_stream/message_blocked/fields/agent.yml 
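Review bot: The `foreach` rename that reads `_ingest._value.campaignId` never matches the source documents, whose key is `campaignID` (see `\"campaignID\":null` in the expected events earlier in this diff); ingest field names are case-sensitive, so `threat_info_map[].campaign_id` is never produced and a populated campaign ID stays under its original key. Change that processor to `field: _ingest._value.campaignID`, and run the same case check over the other renames in the hunk. The artifact-hash script is also fragile: `artifact.threat.toLowerCase()` throws on a null `threat`, and `ctx["related"]["hash"].contains(str)` throws when no message part carried an md5/sha256 so `related.hash` was never created; with `ignore_failure: true` on the script, either case silently drops every extracted hash from the event rather than one entry. The rewrite below validates the value before lowercasing it and creates `related.hash` on demand.

```yaml
# … unchanged: processors before the artifact-hash script …
  - script:
      description: Add 64-char hex artifacts from threatsInfoMap to related.hash.
      lang: painless
      ignore_failure: true
      source: |
        if (ctx.json?.threatsInfoMap instanceof List) {
          for (artifact in ctx.json.threatsInfoMap) {
            def str = artifact?.threat;
            if (!(str instanceof String) || str.length() != 64) {
              continue;
            }
            str = str.toLowerCase();
            boolean isHex = true;
            for (int i = 0; i < str.length(); i++) {
              def ch = str.charAt(i);
              if ((ch < (char)'0' || ch > (char)'9') && (ch < (char)'a' || ch > (char)'f')) {
                isHex = false;
                break;
              }
            }
            if (!isHex) {
              continue;
            }
            if (ctx.related == null) {
              ctx.related = new HashMap();
            }
            if (ctx.related.hash == null) {
              ctx.related.hash = new ArrayList();
            }
            if (!ctx.related.hash.contains(str)) {
              ctx.related.hash.add(str);
            }
          }
        }
# … unchanged: remaining rename/convert processors and on_failure …
```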
@@ -0,0 +1,186 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container ID. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host IP addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset 
diff --git a/packages/proofpoint_tap/data_stream/message_blocked/fields/base-fields.yml b/packages/proofpoint_tap/data_stream/message_blocked/fields/base-fields.yml
new file mode 100644
index 00000000000..989ed7305df
--- /dev/null
+++ b/packages/proofpoint_tap/data_stream/message_blocked/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module.
+ value: proofpoint_tap
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset.
+ value: proofpoint_tap.message_blocked
diff --git a/packages/proofpoint_tap/data_stream/message_blocked/fields/ecs.yml b/packages/proofpoint_tap/data_stream/message_blocked/fields/ecs.yml
new file mode 100644
index 00000000000..8643573d876
--- /dev/null
+++ b/packages/proofpoint_tap/data_stream/message_blocked/fields/ecs.yml
@@ -0,0 +1,68 @@
+- external: ecs
+  name: ecs.version
+- external: ecs
+  name: email.attachments
+- external: ecs
+  name: email.attachments.file.hash.md5
+- external: ecs
+  name: email.attachments.file.hash.sha256
+- external: ecs
+  name: email.attachments.file.name
+- external: ecs
+  name: email.cc.address
+- external: ecs
+  name: email.content_type
+- external: ecs
+  name: email.delivery_timestamp
+- external: ecs
+  name: email.from.address
+- external: ecs
+  name: email.message_id
+- external: ecs
+  name: email.reply_to.address
+- external: ecs
+  name: email.sender.address
+- external: ecs
+  name: email.subject
+- external: ecs
+  name: email.to.address
+- external: ecs
+  name: email.x_mailer
+- external: ecs
+  name: event.category
+- external: ecs
+  name: event.created
+- external: ecs
+  name: event.id
+- external: ecs
+  name: event.kind
+- external: ecs
+  name: event.original
+- external: ecs
+  name: event.type
+- external: ecs
+  name: related.hash
+- external: ecs
+  name: related.ip
+- external: ecs
+  name: source.as.number
+- external: ecs
+  name: source.as.organization.name
+- external: ecs
+  name: source.geo.city_name
+- external: ecs
+  name: source.geo.continent_name
+- external: ecs
+  name: source.geo.country_iso_code
+- external: ecs
+  name: source.geo.country_name
+- external: ecs
+  name: source.geo.location
+- external: ecs
+  name: source.geo.region_iso_code
+- external: ecs
+  name: source.geo.region_name
+- external: ecs
+  name: source.ip
+- external: ecs
+  name: tags
diff --git a/packages/proofpoint_tap/data_stream/message_blocked/fields/fields.yml b/packages/proofpoint_tap/data_stream/message_blocked/fields/fields.yml
new file mode 100644
index 00000000000..7067b9eb505
--- /dev/null
+++ b/packages/proofpoint_tap/data_stream/message_blocked/fields/fields.yml
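Review bot: `email.attachments.file.mime_type` is missing from this list even though sample_event.json for the same data stream emits it (`"mime_type": "text/plain"` under `email.attachments[].file`, beside the `hash.md5`, `hash.sha256` and `name` subfields that are declared here). Unless the external `email.attachments` entry alone is enough for elastic-package's field validation to accept the subfield, add `- external: ecs` / `  name: email.attachments.file.mime_type`. Declaring it also keeps the MIME type on an explicit keyword mapping rather than whatever dynamic mapping assigns, which matters for detections that filter on attachment content types.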
@@ -0,0 +1,110 @@
+- name: proofpoint_tap
+  type: group
+  fields:
+    - name: guid
+      type: keyword
+      description: The ID of the message within PPS. It can be used to identify the message in PPS and is guaranteed to be unique.
+    - name: message_blocked
+      type: group
+      fields:
+        - name: cluster
+          type: keyword
+          description: The name of the PPS cluster which processed the message.
+        - name: completely_rewritten
+          type: keyword
+          description: The rewrite status of the message. If value is 'true', all instances of URL threats within the message were successfully rewritten. If the value is 'false', at least one instance of the a threat URL was not rewritten. If the value is 'na', the message did not contain any URL-based threats.
+        - name: header
+          type: group
+          fields:
+            - name: cc
+              type: keyword
+            - name: from
+              type: keyword
+              description: 'The full content of the 
From: header, including any friendly name.'
+            - name: replyto
+              type: keyword
+              description: 'If present, the full content of the Reply-To: header, including any friendly names.'
+            - name: to
+              type: keyword
+        - name: impostor_score
+          type: double
+          description: The impostor score of the message. Higher scores indicate higher certainty.
+        - name: malware_score
+          type: long
+          description: The malware score of the message. Higher scores indicate higher certainty.
+        - name: message_parts
+          type: group
+          fields:
+            - name: disposition
+              type: keyword
+              description: If the value is "inline," the messagePart is a message body. If the value is "attached," the messagePart is an attachment.
+            - name: o_content_type
+              type: keyword
+              description: The declared Content-Type of the messagePart.
+            - name: sandbox_status
+              type: keyword
+              description: The verdict returned by the sandbox during the scanning process. If the value is "unsupported", the messagePart is not supported by Attachment Defense and was not scanned. If the value is "clean", the sandbox returned a clean verdict. If the value is "threat", the sandbox returned a malicious verdict. If the value is "prefilter", the messagePart contained no active content, and was therefore not sent to the sandboxing service. If the value is "uploaded," the message was uploaded by PPS to the sandboxing service, but did not yet have a verdict at the time the message was processed. If the value is "inprogress," the attachment had been uploaded and was awaiting scanning at the time the message was processed. If the verdict is "uploaddisabled," the attachment was eligible for scanning, but was not uploaded because of PPS policy.
+        - name: message_size
+          type: long
+          description: The size in bytes of the message, including headers and attachments.
+        - name: modules_run
+          type: keyword
+          description: The list of PPS modules which processed the message.
+        - name: phish_score
+          type: long
+          description: The phish score of the message. 
Higher scores indicate higher certainty.
+        - name: policy_routes
+          type: keyword
+          description: The policy routes that the message matched during processing by PPS.
+        - name: qid
+          type: keyword
+          description: The queue ID of the message within PPS. It can be used to identify the message in PPS and is not unique.
+        - name: quarantine
+          type: group
+          fields:
+            - name: folder
+              type: keyword
+              description: The name of the folder which contains the quarantined message. This appears only for messagesBlocked.
+            - name: rule
+              type: keyword
+              description: The name of the rule which quarantined the message. This appears only for messagesBlocked events.
+        - name: recipient
+          type: keyword
+          description: An array containing the email addresses of the SMTP (envelope) recipients.
+        - name: spam_score
+          type: long
+          description: The spam score of the message. Higher scores indicate higher certainty.
+        - name: threat_info_map
+          type: group
+          description: An array of structures which contain details about detected threats within the message. There may be more than one threat per message.
+          fields:
+            - name: campaign_id
+              type: keyword
+              description: An identifier for the campaign of which the threat is a member, if available at the time of the query. Threats can be linked to campaigns even after these events are retrieved.
+            - name: classification
+              type: keyword
+              description: The category of threat found in the message.
+            - name: threat
+              type: group
+              fields:
+                - name: artifact
+                  type: keyword
+                  description: The artifact which was condemned by Proofpoint. The malicious URL, hash of the attachment threat, or email address of the impostor sender.
+                - name: id
+                  type: keyword
+                  description: The unique identifier associated with this threat. It can be used to query the forensics and campaign endpoints.
+                - name: status
+                  type: keyword
+                  description: The current state of the threat.
+                - name: time
+                  type: date
+                  description: Proofpoint assigned the threatStatus at this time. 
+                - name: type
+                  type: keyword
+                  description: Whether the threat was an attachment, URL, or message type.
+                - name: url
+                  type: keyword
+                  description: A link to the entry about the threat on the TAP Dashboard.
+        - name: to_addresses
+          type: keyword
+          description: 'A list of email addresses contained within the To: header, excluding friendly names.'
diff --git a/packages/proofpoint_tap/data_stream/message_blocked/manifest.yml b/packages/proofpoint_tap/data_stream/message_blocked/manifest.yml
new file mode 100644
index 00000000000..99403109dc2
--- /dev/null
+++ b/packages/proofpoint_tap/data_stream/message_blocked/manifest.yml
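Review bot: `threat_info_map.threat.id` is declared here, but sample_event.json for this data stream shows the identifier landing in `threat_info_map[].threatId` (camelCase, beside the `threat` object that holds `artifact`, `status`, `time`, `type` and `url`), so either the pipeline's rename target or this declaration is wrong and the threat ID is currently an undeclared, dynamically mapped field. Either fix the pipeline to emit `proofpoint_tap.message_blocked.threat_info_map.threat.id`, or declare `threat_id` at the `threat_info_map` level to match what is produced. The description says this ID is the key for the forensics and campaign endpoints, so an analyst pivoting from an alert needs it on a stable, declared field. Separately, `threat_info_map` is described as an array of structures but mapped as `type: group`, so with two or more threats per message (as in the sample) `campaign_id`, `classification` and `threat.artifact` are flattened into parallel arrays and cannot be correlated per threat; if per-threat correlation matters for detection content, consider `type: nested` for it or document the limitation in its description.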
@@ -0,0 +1,50 @@
+title: Message Blocked
+type: logs
+streams:
+  - input: httpjson
+    template_path: httpjson.yml.hbs
+    title: Proofpoint_TAP Message Blocked logs
+    description: Collect Proofpoint TAP Message Blocked logs via API.
+    vars:
+      - name: interval
+        type: text
+        title: Interval
+        description: Interval to fetch data from Proofpoint TAP API (The interval should be at least 1m).
+        multi: false
+        required: true
+        show_user: true
+        default: 1h
+      - name: initial_interval
+        type: text
+        title: Initial Interval
+        description: How far back to pull the tap data from the Proofpoint TAP API (The initial interval should be a maximum of 7 days).
+        default: 24h
+        multi: false
+        required: true
+        show_user: true
+      - name: tags
+        type: text
+        title: Tags
+        multi: true
+        required: true
+        show_user: false
+        default:
+          - forwarded
+          - proofpoint_tap-message_blocked
+      - name: preserve_original_event
+        required: true
+        show_user: true
+        title: Preserve original event
+        description: Preserves a raw copy of the original event, added to the field `event.original`.
+        type: bool
+        multi: false
+        default: false
+      - name: processors
+        type: yaml
+        title: Processors
+        multi: false
+        required: false
+        show_user: false
+        description: >
+          Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
diff --git a/packages/proofpoint_tap/data_stream/message_blocked/sample_event.json b/packages/proofpoint_tap/data_stream/message_blocked/sample_event.json
new file mode 100644
index 00000000000..377c23317dd
--- /dev/null
+++ b/packages/proofpoint_tap/data_stream/message_blocked/sample_event.json
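Review bot: The `interval` and `initial_interval` vars are plain `text` and the only limits on them ("at least 1m", "a maximum of 7 days") are sentences in their descriptions; nothing here rejects a value like `30s` or `30d`, so an out-of-range setting is only caught, if at all, by the httpjson template, which is outside this hunk. Give operators the expected format in the description, e.g. `description: Interval to fetch data from the Proofpoint TAP API, as a duration such as 1h (minimum 1m).` and `description: How far back to pull data from the Proofpoint TAP API on first run, as a duration such as 24h (maximum 168h, i.e. 7 days).` The service principal and secret described in the README are not among this stream's vars, so they are presumably declared at the package level; confirm they are declared with `type: password` there so the secret is masked in the policy editor.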
@@ -0,0 +1,190 @@
+{
+  "@timestamp": "2022-05-09T09:41:02.164Z",
+  "agent": {
+    "ephemeral_id": "dfa889d8-af83-426a-b8dc-483740f73385",
+    "hostname": "docker-fleet-agent",
+    "id": "3dc09e3a-0004-444b-a301-8c632b17172b",
+    "name": "docker-fleet-agent",
+    "type": "filebeat",
+    "version": "7.17.0"
+  },
+  "data_stream": {
+    "dataset": "proofpoint_tap.message_blocked",
+    "namespace": "ep",
+    "type": "logs"
+  },
+  "ecs": {
+    "version": "8.2.0"
+  },
+  "elastic_agent": {
+    "id": "3dc09e3a-0004-444b-a301-8c632b17172b",
+    "snapshot": false,
+    "version": "7.17.0"
+  },
+  "email": {
+    "attachments": [
+      {
+        "file": {
+          "hash": {
+            "md5": "b10a8db164e0754105b7a99be72e3fe5",
+            "sha256": "a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e"
+          },
+          "mime_type": "text/plain",
+          "name": "text.txt"
+        }
+      },
+      {
+        "file": {
+          "hash": {
+            "md5": "b10a8db164e0754105b7a99be72e3fe5",
+            "sha256": "a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e"
+          },
+          "mime_type": "application/pdf",
+          "name": "text.pdf"
+        }
+      }
+    ],
+    "cc": {
+      "address": [
+        "abc@example.com"
+      ]
+    },
+    "delivery_timestamp": "2021-11-25T09:10:00.050Z",
+    "from": {
+      "address": "abc@example.com"
+    },
+    "message_id": "12345678912345.12345.mail@example.com",
+    "sender": {
+      "address": "x99x7x5580193x6x51x597xx2x0210@example.com"
+    },
+    "subject": "Please find a totally safe invoice attached.",
+    "to": {
+      "address": [
+        "example.abc@example.com",
+        "hey.hello@example.com"
+      ]
+    },
+    "x_mailer": "Spambot v2.5"
+  },
+  "event": {
+    "agent_id_status": "verified",
+    "category": [
+      "email"
+    ],
+    "created": "2022-05-09T09:41:02.164Z",
+    "dataset": "proofpoint_tap.message_blocked",
+    "ingested": "2022-05-09T09:41:05Z",
+    "kind": "event",
+    "original": "{\"GUID\":\"x11xxxx1-12f9-111x-x12x-1x1x123456xx\",\"QID\":\"x2XXxXXX111111\",\"ccAddresses\":[\"abc@example.com\"],\"clusterId\":\"pharmtech_hosted\",\"completelyRewritten\":\"true\",\"fromAddress\":\"abc@example.com\",\"headerCC\":\"\\\"Example 
Abc\\\" \\u003cabc@example.com\\u003e\",\"headerFrom\":\"\\\"A. Bc\\\" \\u003cabc@example.com\\u003e\",\"headerReplyTo\":null,\"headerTo\":\"\\\"Aa Bb\\\" \\u003caa.bb@example.com\\u003e; \\\"Hey Hello\\\" \\u003chey.hello@example.com\\u003e\",\"impostorScore\":0,\"malwareScore\":100,\"messageID\":\"12345678912345.12345.mail@example.com\",\"messageParts\":[{\"contentType\":\"text/plain\",\"disposition\":\"inline\",\"filename\":\"text.txt\",\"md5\":\"b10a8db164e0754105b7a99be72e3fe5\",\"oContentType\":\"text/plain\",\"sandboxStatus\":\"unsupported\",\"sha256\":\"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e\"},{\"contentType\":\"application/pdf\",\"disposition\":\"attached\",\"filename\":\"text.pdf\",\"md5\":\"b10a8db164e0754105b7a99be72e3fe5\",\"oContentType\":\"application/pdf\",\"sandboxStatus\":\"threat\",\"sha256\":\"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e\"}],\"messageTime\":\"2021-11-25T09:10:00.050Z\",\"modulesRun\":[\"pdr\",\"sandbox\",\"spam\",\"urldefense\"],\"phishScore\":46,\"policyRoutes\":[\"default_inbound\",\"executives\"],\"quarantineFolder\":\"Attachment Defense\",\"quarantineRule\":\"module.sandbox.threat\",\"recipient\":[\"example.abc@example.com\",\"hey.hello@example.com\"],\"replyToAddress\":null,\"sender\":\"x99x7x5580193x6x51x597xx2x0210@example.com\",\"senderIP\":\"175.16.199.1\",\"spamScore\":4,\"subject\":\"Please find a totally safe invoice 
attached.\",\"threatsInfoMap\":[{\"campaignId\":\"46x01x8x-x899-404x-xxx9-111xx393d1x7\",\"classification\":\"MALWARE\",\"threat\":\"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e\",\"threatId\":\"2xxx740f143fc1aa4c1cd0146d334x5593b1428x6x062b2c406e5efe8xxx95xx\",\"threatStatus\":\"active\",\"threatTime\":\"2021-11-25T09:10:00.050Z\",\"threatType\":\"ATTACHMENT\",\"threatUrl\":\"https://www.example.com/?name=john\"},{\"campaignId\":\"46x01x8x-x899-404x-xxx9-111xx393d1x7\",\"classification\":\"MALWARE\",\"threat\":\"example.com\",\"threatId\":\"3xx97xx852c66a7xx761450xxxxxx9f4ffab74715b591294f78b5e37a76481xx\",\"threatTime\":\"2021-07-20T05:00:00.050Z\",\"threatType\":\"URL\",\"threatUrl\":\"https://www.example.com/?name=john\"}],\"toAddresses\":[\"example.abc@example.com\",\"hey.hello@example.com\"],\"xmailer\":\"Spambot v2.5\"}", + "type": [ + "denied" + ] + }, + "input": { + "type": "httpjson" + }, + "proofpoint_tap": { + "guid": "x11xxxx1-12f9-111x-x12x-1x1x123456xx", + "message_blocked": { + "completely_rewritten": "true", + "header": { + "cc": "\"Example Abc\" \u003cabc@example.com\u003e", + "from": "\"A. 
Bc\" abc@example.com", + "to": "\"Aa Bb\" \u003caa.bb@example.com\u003e; \"Hey Hello\" \u003chey.hello@example.com\u003e" + }, + "impostor_score": 0, + "malware_score": 100, + "message_parts": [ + { + "disposition": "inline", + "o_content_type": "text/plain", + "sandbox_status": "unsupported" + }, + { + "disposition": "attached", + "o_content_type": "application/pdf", + "sandbox_status": "threat" + } + ], + "modules_run": [ + "pdr", + "sandbox", + "spam", + "urldefense" + ], + "phish_score": 46, + "policy_routes": [ + "default_inbound", + "executives" + ], + "qid": "x2XXxXXX111111", + "quarantine": { + "folder": "Attachment Defense", + "rule": "module.sandbox.threat" + }, + "recipient": [ + "example.abc@example.com", + "hey.hello@example.com" + ], + "spam_score": 4, + "threat_info_map": [ + { + "campaign_id": "46x01x8x-x899-404x-xxx9-111xx393d1x7", + "classification": "MALWARE", + "threat": { + "artifact": "a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e", + "status": "active", + "time": "2021-11-25T09:10:00.050Z", + "type": "ATTACHMENT", + "url": "https://www.example.com/?name=john" + }, + "threatId": "2xxx740f143fc1aa4c1cd0146d334x5593b1428x6x062b2c406e5efe8xxx95xx" + }, + { + "campaign_id": "46x01x8x-x899-404x-xxx9-111xx393d1x7", + "classification": "MALWARE", + "threat": { + "artifact": "example.com", + "time": "2021-07-20T05:00:00.050Z", + "type": "URL", + "url": "https://www.example.com/?name=john" + }, + "threatId": "3xx97xx852c66a7xx761450xxxxxx9f4ffab74715b591294f78b5e37a76481xx" + } + ], + "to_addresses": [ + "example.abc@example.com", + "hey.hello@example.com" + ] + } + }, + "related": { + "hash": [ + "b10a8db164e0754105b7a99be72e3fe5", + "a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e" + ], + "ip": [ + "175.16.199.1" + ] + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + 
"region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "proofpoint_tap-message_blocked" + ] +} \ No newline at end of file diff --git a/packages/proofpoint_tap/data_stream/message_delivered/_dev/test/pipeline/test-common-config.yml b/packages/proofpoint_tap/data_stream/message_delivered/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 00000000000..4da22641654 --- /dev/null +++ b/packages/proofpoint_tap/data_stream/message_delivered/_dev/test/pipeline/test-common-config.yml @@ -0,0 +1,3 @@ +fields: + tags: + - preserve_original_event diff --git a/packages/proofpoint_tap/data_stream/message_delivered/_dev/test/pipeline/test-message-delivered.log b/packages/proofpoint_tap/data_stream/message_delivered/_dev/test/pipeline/test-message-delivered.log new file mode 100644 index 00000000000..e579c6b8ac9 --- /dev/null +++ b/packages/proofpoint_tap/data_stream/message_delivered/_dev/test/pipeline/test-message-delivered.log 
@@ -0,0 +1,8 @@ +{"spamScore":0,"phishScore":0,"threatsInfoMap":[{"threatID":"b7exxxxxxxx0d10xxxxxxe2xxxxxxxxxxxx81cxxxxxx034ac9cxxxxxxxxxxxxb","threatStatus":"active","classification":"spam","threatUrl":"https://threatinsight.proofpoint.com/aaabcdef-1234-b1abcdefghe/threat/email/b7exxxxxxxx0d10xxxxxxe2xxxxxxxxxxxx81cxxxxxx034ac9cxxxxxxxxxxxxb","threatTime":"2022-01-01T20:52:50.789Z","threat":"http://zbcd123456x0.example.com","campaignID":null,"threatType":"url"},{"threatID":"aaabcdefg123456f009971a9c193abcdefg123456bf5abcdefg1234566","threatStatus":"active","classification":"phish","threatUrl":"https://threatinsight.proofpoint.com/aaabcdef-1234-b1abcdefghe/threat/email/b7exxxxxxxx0d10xxxxxxe2xxxxxxxxxxxx81cxxxxxx034ac9cxxxxxxxxxxxxb","threatTime":"2022-03-29T18:48:33.000Z","threat":"http://zbcd123456x0.example.com","campaignID":null,"threatType":"url"}],"messageTime":"2022-01-05T10:05:56.020Z","impostorScore":0.0,"malwareScore":0,"cluster":"pharmtech_hosted","subject":null,"quarantineFolder":null,"quarantineRule":null,"policyRoutes":null,"modulesRun":null,"messageSize":0,"headerFrom":null,"headerReplyTo":null,"fromAddress":null,"ccAddresses":null,"replyToAddress":null,"toAddresses":null,"xmailer":null,"messageParts":null,"completelyRewritten":true,"id":"2hxxxU-xxxxx123-xxxxx-xxxxx1234","QID":null,"GUID":"Nhxxsxvxixcxx2x5xxxx6xWxBxOxxxxxxj","sender":"","recipient":["fhsvbUi8axxxxxxUi8abc256326@example.com"],"senderIP":"175.16.199.1","messageID":""} 
+{"spamScore":0,"phishScore":0,"threatsInfoMap":[{"threatID":"810xxxxxxxxxxxxxxxxxxeabd0677xxxxxx1cfad80xxxxxx2fb3exxxxxx08d3a","threatStatus":"active","classification":"phish","threatUrl":"https://threatinsight.proofpoint.com/aaaxyzdef-52561-b1abcdefghe/threat/email/810xxxxxxxxxxxxxxxxxxeabd0677xxxxxx1cfad80xxxxxx2fb3exxxxxx08d3a","threatTime":"2022-05-01T19:00:00.653Z","threat":"https://xyz-123.example.com/abcdefg123456","campaignID":null,"threatType":"url"}],"messageTime":"2022-01-01T00:00:00.000Z","impostorScore":0.0,"malwareScore":0,"cluster":"pharmtech_hosted","subject":null,"quarantineFolder":null,"quarantineRule":null,"policyRoutes":null,"modulesRun":null,"messageSize":0,"headerFrom":null,"headerReplyTo":null,"fromAddress":null,"ccAddresses":null,"replyToAddress":null,"toAddresses":null,"xmailer":null,"messageParts":null,"completelyRewritten":true,"id":"c1xxxxxc-9xxx123456-xxxxx-xxxxx1234","QID":null,"GUID":"XxxyxzxxzxXxoxxxxxvxxxxx","sender":"","recipient":["6hsvbUi8abc256ovbkhsvbUid1338a@example.com"],"senderIP":"1.128.3.4","messageID":""} 
+{"spamScore":0,"phishScore":0,"threatsInfoMap":[{"threatID":"c963xxxx4ad98xxxxxx928681f45cxxxxxxb3992bxxxxxxfd8272xxxxxc7fa84","threatStatus":"active","classification":"spam","threatUrl":"https://threatinsight.proofpoint.com/aaaxyzbf-56861-b1abcdefghe/threat/email/c963xxxx4ad98xxxxxx928681f45cxxxxxxb3992bxxxxxxfd8272xxxxxc7fa84","threatTime":"2022-11-25T13:05:05.592Z","threat":"example.com","campaignID":null,"threatType":"url"}],"messageTime":"2022-01-01T00:00:00.000Z","impostorScore":0.0,"malwareScore":0,"cluster":"pharmtech_hosted","subject":null,"quarantineFolder":null,"quarantineRule":null,"policyRoutes":null,"modulesRun":null,"messageSize":0,"headerFrom":null,"headerReplyTo":null,"fromAddress":null,"ccAddresses":null,"replyToAddress":null,"toAddresses":null,"xmailer":null,"messageParts":null,"completelyRewritten":true,"id":"c113c2cc-9cccxxxxx123-1234-123-xxxxx123","QID":null,"GUID":"svsxxbxkxhxxxxxxxxsvxbxxxxUixxxx","sender":"","recipient":["af6ccEXovbkhsvbUi8abc2562@example.com"],"senderIP":"175.16.199.1","messageID":""} 
+{"spamScore":0,"phishScore":0,"threatsInfoMap":[{"threatID":"af5xxxxxxbba4fd4xxxxxx3bce12cxxxxxxfdc1xxxxxxda2eba5af4xxxxxx314","threatStatus":"active","classification":"phish","threatUrl":"https://threatinsight.proofpoint.com/aaaxyzcvf-546661-b1abcdefghe/threat/email/af5xxxxxxbba4fd4xxxxxx3bce12cxxxxxxfdc1xxxxxxda2eba5af4xxxxxx314","threatTime":"2022-10-11T00:23:02.519Z","threat":"https://abc.example.com/my-site","campaignID":null,"threatType":"url"}],"messageTime":"2022-01-01T00:00:00.000Z","impostorScore":0.0,"malwareScore":0,"cluster":"pharmtech_hosted","subject":null,"quarantineFolder":null,"quarantineRule":null,"policyRoutes":null,"modulesRun":null,"messageSize":0,"headerFrom":null,"headerReplyTo":null,"fromAddress":null,"ccAddresses":null,"replyToAddress":null,"toAddresses":null,"xmailer":null,"messageParts":null,"completelyRewritten":true,"id":"cxxxcxxcc-xxxxx123-xxxxx-xxxxx1234","QID":null,"GUID":"13c2ccxxxxx12344842xxxx123","sender":"","recipient":["c6ccEvkicEXovhsvbUid2c8@example.com"],"senderIP":"175.16.199.1","messageID":""} +{"spamScore":0,"phishScore":0,"threatsInfoMap":[{"threatID":"xxxxxx425eaxxxxxxee41d9e81xxxxxxf24a96e48f6e6xxxxxxxxxxxx123456f","threatStatus":"active","classification":"phish","threatUrl":"https://threatinsight.proofpoint.com/3183a23b-d9c3-1234-1234-2babcd123478/threat/email/9fxxxxxxxxxee41d94deabcd1234e9ff24axxxxxxxxxxc5b843f","threatTime":"2022-04-01T18:44:01.050Z","threat":"https://example.com/view/xpxxxx6uxxxxx9y","campaignID":null,"threatType":"url"}],"messageTime":"2022-03-15T15:00:20.000Z","impostorScore":0,"malwareScore":0,"cluster":"example_hosted","subject":"Speakers Announced | Ecosystem Days Summit","quarantineFolder":null,"quarantineRule":null,"policyRoutes":["default_inbound"],"modulesRun":["av","zerohour","spf","dkimv","spam","pdr","urldefense"],"messageSize":68402,"headerFrom":"Trang, Alex & Transpose Platform Team ","headerReplyTo":"Trang, Alex & Transpose Platform Team 
","fromAddress":["client.services@example.com"],"ccAddresses":[],"replyToAddress":["client.services@example.com"],"toAddresses":["abc.xyz@example.com"],"xmailer":"Mailchimp Mailer - **CIxxxxxxxxx1234**","messageParts":[{"disposition":"inline","sha256":"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e","md5":"b10a8db164e0754105b7a99be72e3fe5","filename":"text.html","sandboxStatus":null,"oContentType":"text/html","contentType":"text/html"},{"disposition":"inline","sha256":"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e","md5":"b10a8db164e0754105b7a99be72e3fe5","filename":"text.txt","sandboxStatus":null,"oContentType":"text/plain","contentType":"text/plain"}],"completelyRewritten":true,"id":"5xxxxxx6x7-xxxxx123-xxxxx-xxxxx1234","QID":"2XX29XX029XXXX38XXX6","GUID":"RxkxxxxxlxzxkxnxxxxDxrxwxxxxx6","sender":"xyz-abc.us1_152023242.13741304-5fabcd4567@example.com","recipient":["abc.xyz@example.com"],"senderIP":"175.16.199.1","messageID":"<200c524xyz1234xyz12343.5fc4b29057.20210428135110.a1234993344.dxyz1234@example.com>"} +{"spamScore":0,"phishScore":0,"threatsInfoMap":[{"threatID":"6exxxxxxxxxxx123456xxxxxxxxxxx12345643cedfbbe1xxxxxxxxxxx123456b","threatStatus":"active","classification":"phish","threatUrl":"https://threatinsight.proofpoint.com/3183a23b-d9c3-1234-1234-2babcd123408/threat/email/6e2eefdxxxxxxxxxxxxxxxxb3f43ceaafxxxxxxxxxxe5c91axxxbb","threatTime":"2022-04-01T23:14:30.450Z","threat":"https://example.com/view/8yxxxxvjxxxx5","campaignID":null,"threatType":"url"}],"messageTime":"2021-09-28T16:28:59.490Z","impostorScore":0,"malwareScore":0,"cluster":"example_hosted","subject":"RSVP today to Join Transpose Platform’s Ecosystem Days 
Summit","quarantineFolder":null,"quarantineRule":null,"policyRoutes":["default_inbound"],"modulesRun":["av","zerohour","spf","dkimv","spam","pdr","urldefense"],"messageSize":2657297,"headerFrom":"abc.xyz@example.com","headerReplyTo":null,"fromAddress":["abc.xyz@example.com"],"ccAddresses":[],"replyToAddress":[],"toAddresses":["abc.xyz@example.com"],"xmailer":null,"messageParts":[{"disposition":"inline","sha256":"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e","md5":"b10a8db164e0754105b7a99be72e3fe5","filename":"text.txt","sandboxStatus":null,"oContentType":"text/plain","contentType":"text/plain"},{"disposition":"inline","sha256":"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e","md5":"b10a8db164e0754105b7a99be72e3fe5","filename":"text.html","sandboxStatus":null,"oContentType":"text/html","contentType":"text/html"},{"disposition":"attached","sha256":"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e","md5":"b10a8db164e0754105b7a99be72e3fe5","filename":"image.png","sandboxStatus":null,"oContentType":"image/png","contentType":"image/png"}],"completelyRewritten":true,"id":"fbxxxxxx1-xxxxx123-xxxxx-xxxxx1234","QID":"2XX2XXOXFXXGX8X9X","GUID":"pxxxxvxxxxPxTxxxixxxxFxxxUxx2xxxxx","sender":"abc.xyz@example.com","recipient":["abc.xyz@example.com"],"senderIP":"175.16.199.1","messageID":""} +{"spamScore":0,"phishScore":0,"threatsInfoMap":[{"threatID":"xxxxxxxxxxx12345678914xxxxxxxxxxx123456e9ff24a9xxxxxxxxxxx123456","threatStatus":"active","classification":"phish","threatUrl":"https://threatinsight.proofpoint.com/3183a23b-d9c3-1234-1234-2babcd123408/threat/email/9f2dbcaa9xxxxxxxxxxe810d280xxxxxxxxxxxe48f6e69xxxxxxf","threatTime":"2022-04-01T12:48:03.852Z","threat":"https://example.com/view/xp45xxxxxxir9y","campaignID":null,"threatType":"url"}],"messageTime":"2022-08-17T18:00:22.060Z","impostorScore":0,"malwareScore":0,"cluster":"example_hosted","subject":"Speakers Announced | Ecosystem Days 
Summit","quarantineFolder":null,"quarantineRule":null,"policyRoutes":["bypass_maxsize","default_inbound"],"modulesRun":["av","zerohour","spf","dkimv","spam","pdr","urldefense"],"messageSize":68353,"headerFrom":"Trang, Alex & Transpose Platform Team ","headerReplyTo":"Trang, Alex & Transpose Platform Team ","fromAddress":["client.services@example.com"],"ccAddresses":[],"replyToAddress":["client.services@example.com"],"toAddresses":["abc.xyz@example.com"],"xmailer":"Mailchimp Mailer - **CIDxxxxxxxxxx1234**","messageParts":[{"disposition":"inline","sha256":"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e","md5":"b10a8db164e0754105b7a99be72e3fe5","filename":"text.txt","sandboxStatus":null,"oContentType":"text/plain","contentType":"text/plain"},{"disposition":"inline","sha256":"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e","md5":"b10a8db164e0754105b7a99be72e3fe5","filename":"text.html","sandboxStatus":null,"oContentType":"text/html","contentType":"text/html"}],"completelyRewritten":true,"id":"fxxxdxxa-xxxxx123-xxxxx-xxxxx1234","QID":"X2XXX0XXX2XX4","GUID":"wxxAxxxx8x8x5xxxxxJxPxxax7xxxxx","sender":"xyz-abc.us1_152023242.12345678-6xxxx123456789@example.com","recipient":["abc.xyz@example.com"],"senderIP":"175.16.199.1","messageID":"<200cxyz1234xyz1234bcb96f3.6xyz12345.202204125625899.736a993333.x12345678e@example.com>"} +{"spamScore":0,"phishScore":0,"threatsInfoMap":[{"threatID":"xxxxxxxxxxx123456xxxxxxxxxx1234xxxxxxxxxxx123456bbe1xxxxxx123456","threatStatus":"active","classification":"phish","threatUrl":"https://threatinsight.proofpoint.com/3183a23b-d9c3-1234-1234-2babcd123408/threat/email/6e2eefd8cxxxxxxxxxeef270d0a1b3f43cexxxxxxxxx34abe5c91axxxcb","threatTime":"2022-04-01T20:56:13.000Z","threat":"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e","campaignID":null,"threatType":"url"}],"messageTime":"2022-03-24T13:24:57.000Z","impostorScore":0,"malwareScore":0,"cluster":"example_hosted","subject":"RSVP today to Join 
Transpose Platform’s Ecosystem Days Summit","quarantineFolder":null,"quarantineRule":null,"policyRoutes":["bypass_maxsize","default_inbound"],"modulesRun":["av","zerohour","spf","dkimv","spam","pdr","urldefense"],"messageSize":2642117,"headerFrom":"abc.xyz@example.com","headerReplyTo":null,"fromAddress":["abc.xyz@example.com"],"ccAddresses":[],"replyToAddress":[],"toAddresses":["abc.xyz@example.com"],"xmailer":null,"messageParts":[{"disposition":"inline","sha256":"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e","md5":"b10a8db164e0754105b7a99be72e3fe5","filename":"text.html","sandboxStatus":null,"oContentType":"text/html","contentType":"text/html"},{"disposition":"inline","sha256":"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e","md5":"b10a8db164e0754105b7a99be72e3fe5","filename":"text.txt","sandboxStatus":null,"oContentType":"text/plain","contentType":"text/plain"},{"disposition":"attached","sha256":"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e","md5":"b10a8db164e0754105b7a99be72e3fe5","filename":"image.png","sandboxStatus":null,"oContentType":"image/png","contentType":"image/png"}],"completelyRewritten":true,"id":"cxxxxbxxxb-xxxxx123-xxxxx-xxxxx1234","QID":"2XXX2X5XX5XX7","GUID":"gpxxx5xx2xHxxxJx7xxxxmx5xcxxxxxZ","sender":"abc.xyz@example.com","recipient":["abc.xyz@example.com"],"senderIP":"175.16.199.1","messageID":""} diff --git a/packages/proofpoint_tap/data_stream/message_delivered/_dev/test/pipeline/test-message-delivered.log-expected.json b/packages/proofpoint_tap/data_stream/message_delivered/_dev/test/pipeline/test-message-delivered.log-expected.json new file mode 100644 index 00000000000..15f13de4849 --- /dev/null +++ b/packages/proofpoint_tap/data_stream/message_delivered/_dev/test/pipeline/test-message-delivered.log-expected.json 
@@ -0,0 +1,913 @@ +{ + "expected": [ + { + "ecs": { + "version": "8.2.0" + }, + "email": { + "delivery_timestamp": "2022-01-05T10:05:56.020Z", + "to": { + "address": [ + "fhsvbUi8axxxxxxUi8abc256326@example.com" + ] + } + }, + "event": { + "category": [ + "email" + ], + "id": "2hxxxU-xxxxx123-xxxxx-xxxxx1234", + "kind": "event", + "original": "{\"spamScore\":0,\"phishScore\":0,\"threatsInfoMap\":[{\"threatID\":\"b7exxxxxxxx0d10xxxxxxe2xxxxxxxxxxxx81cxxxxxx034ac9cxxxxxxxxxxxxb\",\"threatStatus\":\"active\",\"classification\":\"spam\",\"threatUrl\":\"https://threatinsight.proofpoint.com/aaabcdef-1234-b1abcdefghe/threat/email/b7exxxxxxxx0d10xxxxxxe2xxxxxxxxxxxx81cxxxxxx034ac9cxxxxxxxxxxxxb\",\"threatTime\":\"2022-01-01T20:52:50.789Z\",\"threat\":\"http://zbcd123456x0.example.com\",\"campaignID\":null,\"threatType\":\"url\"},{\"threatID\":\"aaabcdefg123456f009971a9c193abcdefg123456bf5abcdefg1234566\",\"threatStatus\":\"active\",\"classification\":\"phish\",\"threatUrl\":\"https://threatinsight.proofpoint.com/aaabcdef-1234-b1abcdefghe/threat/email/b7exxxxxxxx0d10xxxxxxe2xxxxxxxxxxxx81cxxxxxx034ac9cxxxxxxxxxxxxb\",\"threatTime\":\"2022-03-29T18:48:33.000Z\",\"threat\":\"http://zbcd123456x0.example.com\",\"campaignID\":null,\"threatType\":\"url\"}],\"messageTime\":\"2022-01-05T10:05:56.020Z\",\"impostorScore\":0.0,\"malwareScore\":0,\"cluster\":\"pharmtech_hosted\",\"subject\":null,\"quarantineFolder\":null,\"quarantineRule\":null,\"policyRoutes\":null,\"modulesRun\":null,\"messageSize\":0,\"headerFrom\":null,\"headerReplyTo\":null,\"fromAddress\":null,\"ccAddresses\":null,\"replyToAddress\":null,\"toAddresses\":null,\"xmailer\":null,\"messageParts\":null,\"completelyRewritten\":true,\"id\":\"2hxxxU-xxxxx123-xxxxx-xxxxx1234\",\"QID\":null,\"GUID\":\"Nhxxsxvxixcxx2x5xxxx6xWxBxOxxxxxxj\",\"sender\":\"\",\"recipient\":[\"fhsvbUi8axxxxxxUi8abc256326@example.com\"],\"senderIP\":\"175.16.199.1\",\"messageID\":\"\"}", + "type": [ + "info" + ] + }, + "proofpoint_tap": { + "guid": 
"Nhxxsxvxixcxx2x5xxxx6xWxBxOxxxxxxj", + "message_delivered": { + "cluster": "pharmtech_hosted", + "completely_rewritten": "true", + "impostor_score": 0.0, + "malware_score": 0, + "message_size": 0, + "phish_score": 0, + "recipient": [ + "fhsvbUi8axxxxxxUi8abc256326@example.com" + ], + "spam_score": 0, + "threat_info_map": [ + { + "classification": "spam", + "threat": { + "artifact": "http://zbcd123456x0.example.com", + "id": "b7exxxxxxxx0d10xxxxxxe2xxxxxxxxxxxx81cxxxxxx034ac9cxxxxxxxxxxxxb", + "status": "active", + "time": "2022-01-01T20:52:50.789Z", + "type": "url", + "url": "https://threatinsight.proofpoint.com/aaabcdef-1234-b1abcdefghe/threat/email/b7exxxxxxxx0d10xxxxxxe2xxxxxxxxxxxx81cxxxxxx034ac9cxxxxxxxxxxxxb" + } + }, + { + "classification": "phish", + "threat": { + "artifact": "http://zbcd123456x0.example.com", + "id": "aaabcdefg123456f009971a9c193abcdefg123456bf5abcdefg1234566", + "status": "active", + "time": "2022-03-29T18:48:33.000Z", + "type": "url", + "url": "https://threatinsight.proofpoint.com/aaabcdef-1234-b1abcdefghe/threat/email/b7exxxxxxxx0d10xxxxxxe2xxxxxxxxxxxx81cxxxxxx034ac9cxxxxxxxxxxxxb" + } + } + ] + } + }, + "related": { + "ip": [ + "175.16.199.1" + ] + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "8.2.0" + }, + "email": { + "delivery_timestamp": "2022-01-01T00:00:00.000Z", + "to": { + "address": [ + "6hsvbUi8abc256ovbkhsvbUid1338a@example.com" + ] + } + }, + "event": { + "category": [ + "email" + ], + "id": "c1xxxxxc-9xxx123456-xxxxx-xxxxx1234", + "kind": "event", + "original": 
"{\"spamScore\":0,\"phishScore\":0,\"threatsInfoMap\":[{\"threatID\":\"810xxxxxxxxxxxxxxxxxxeabd0677xxxxxx1cfad80xxxxxx2fb3exxxxxx08d3a\",\"threatStatus\":\"active\",\"classification\":\"phish\",\"threatUrl\":\"https://threatinsight.proofpoint.com/aaaxyzdef-52561-b1abcdefghe/threat/email/810xxxxxxxxxxxxxxxxxxeabd0677xxxxxx1cfad80xxxxxx2fb3exxxxxx08d3a\",\"threatTime\":\"2022-05-01T19:00:00.653Z\",\"threat\":\"https://xyz-123.example.com/abcdefg123456\",\"campaignID\":null,\"threatType\":\"url\"}],\"messageTime\":\"2022-01-01T00:00:00.000Z\",\"impostorScore\":0.0,\"malwareScore\":0,\"cluster\":\"pharmtech_hosted\",\"subject\":null,\"quarantineFolder\":null,\"quarantineRule\":null,\"policyRoutes\":null,\"modulesRun\":null,\"messageSize\":0,\"headerFrom\":null,\"headerReplyTo\":null,\"fromAddress\":null,\"ccAddresses\":null,\"replyToAddress\":null,\"toAddresses\":null,\"xmailer\":null,\"messageParts\":null,\"completelyRewritten\":true,\"id\":\"c1xxxxxc-9xxx123456-xxxxx-xxxxx1234\",\"QID\":null,\"GUID\":\"XxxyxzxxzxXxoxxxxxvxxxxx\",\"sender\":\"\",\"recipient\":[\"6hsvbUi8abc256ovbkhsvbUid1338a@example.com\"],\"senderIP\":\"1.128.3.4\",\"messageID\":\"\"}", + "type": [ + "info" + ] + }, + "proofpoint_tap": { + "guid": "XxxyxzxxzxXxoxxxxxvxxxxx", + "message_delivered": { + "cluster": "pharmtech_hosted", + "completely_rewritten": "true", + "impostor_score": 0.0, + "malware_score": 0, + "message_size": 0, + "phish_score": 0, + "recipient": [ + "6hsvbUi8abc256ovbkhsvbUid1338a@example.com" + ], + "spam_score": 0, + "threat_info_map": [ + { + "classification": "phish", + "threat": { + "artifact": "https://xyz-123.example.com/abcdefg123456", + "id": "810xxxxxxxxxxxxxxxxxxeabd0677xxxxxx1cfad80xxxxxx2fb3exxxxxx08d3a", + "status": "active", + "time": "2022-05-01T19:00:00.653Z", + "type": "url", + "url": "https://threatinsight.proofpoint.com/aaaxyzdef-52561-b1abcdefghe/threat/email/810xxxxxxxxxxxxxxxxxxeabd0677xxxxxx1cfad80xxxxxx2fb3exxxxxx08d3a" + } + } + ] + } + }, + "related": 
{ + "ip": [ + "1.128.3.4" + ] + }, + "source": { + "as": { + "number": 1221, + "organization": { + "name": "Telstra Pty Ltd" + } + }, + "ip": "1.128.3.4" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "8.2.0" + }, + "email": { + "delivery_timestamp": "2022-01-01T00:00:00.000Z", + "to": { + "address": [ + "af6ccEXovbkhsvbUi8abc2562@example.com" + ] + } + }, + "event": { + "category": [ + "email" + ], + "id": "c113c2cc-9cccxxxxx123-1234-123-xxxxx123", + "kind": "event", + "original": "{\"spamScore\":0,\"phishScore\":0,\"threatsInfoMap\":[{\"threatID\":\"c963xxxx4ad98xxxxxx928681f45cxxxxxxb3992bxxxxxxfd8272xxxxxc7fa84\",\"threatStatus\":\"active\",\"classification\":\"spam\",\"threatUrl\":\"https://threatinsight.proofpoint.com/aaaxyzbf-56861-b1abcdefghe/threat/email/c963xxxx4ad98xxxxxx928681f45cxxxxxxb3992bxxxxxxfd8272xxxxxc7fa84\",\"threatTime\":\"2022-11-25T13:05:05.592Z\",\"threat\":\"example.com\",\"campaignID\":null,\"threatType\":\"url\"}],\"messageTime\":\"2022-01-01T00:00:00.000Z\",\"impostorScore\":0.0,\"malwareScore\":0,\"cluster\":\"pharmtech_hosted\",\"subject\":null,\"quarantineFolder\":null,\"quarantineRule\":null,\"policyRoutes\":null,\"modulesRun\":null,\"messageSize\":0,\"headerFrom\":null,\"headerReplyTo\":null,\"fromAddress\":null,\"ccAddresses\":null,\"replyToAddress\":null,\"toAddresses\":null,\"xmailer\":null,\"messageParts\":null,\"completelyRewritten\":true,\"id\":\"c113c2cc-9cccxxxxx123-1234-123-xxxxx123\",\"QID\":null,\"GUID\":\"svsxxbxkxhxxxxxxxxsvxbxxxxUixxxx\",\"sender\":\"\",\"recipient\":[\"af6ccEXovbkhsvbUi8abc2562@example.com\"],\"senderIP\":\"175.16.199.1\",\"messageID\":\"\"}", + "type": [ + "info" + ] + }, + "proofpoint_tap": { + "guid": "svsxxbxkxhxxxxxxxxsvxbxxxxUixxxx", + "message_delivered": { + "cluster": "pharmtech_hosted", + "completely_rewritten": "true", + "impostor_score": 0.0, + "malware_score": 0, + "message_size": 0, + "phish_score": 0, + "recipient": [ + 
"af6ccEXovbkhsvbUi8abc2562@example.com" + ], + "spam_score": 0, + "threat_info_map": [ + { + "classification": "spam", + "threat": { + "artifact": "example.com", + "id": "c963xxxx4ad98xxxxxx928681f45cxxxxxxb3992bxxxxxxfd8272xxxxxc7fa84", + "status": "active", + "time": "2022-11-25T13:05:05.592Z", + "type": "url", + "url": "https://threatinsight.proofpoint.com/aaaxyzbf-56861-b1abcdefghe/threat/email/c963xxxx4ad98xxxxxx928681f45cxxxxxxb3992bxxxxxxfd8272xxxxxc7fa84" + } + } + ] + } + }, + "related": { + "ip": [ + "175.16.199.1" + ] + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "8.2.0" + }, + "email": { + "delivery_timestamp": "2022-01-01T00:00:00.000Z", + "to": { + "address": [ + "c6ccEvkicEXovhsvbUid2c8@example.com" + ] + } + }, + "event": { + "category": [ + "email" + ], + "id": "cxxxcxxcc-xxxxx123-xxxxx-xxxxx1234", + "kind": "event", + "original": 
"{\"spamScore\":0,\"phishScore\":0,\"threatsInfoMap\":[{\"threatID\":\"af5xxxxxxbba4fd4xxxxxx3bce12cxxxxxxfdc1xxxxxxda2eba5af4xxxxxx314\",\"threatStatus\":\"active\",\"classification\":\"phish\",\"threatUrl\":\"https://threatinsight.proofpoint.com/aaaxyzcvf-546661-b1abcdefghe/threat/email/af5xxxxxxbba4fd4xxxxxx3bce12cxxxxxxfdc1xxxxxxda2eba5af4xxxxxx314\",\"threatTime\":\"2022-10-11T00:23:02.519Z\",\"threat\":\"https://abc.example.com/my-site\",\"campaignID\":null,\"threatType\":\"url\"}],\"messageTime\":\"2022-01-01T00:00:00.000Z\",\"impostorScore\":0.0,\"malwareScore\":0,\"cluster\":\"pharmtech_hosted\",\"subject\":null,\"quarantineFolder\":null,\"quarantineRule\":null,\"policyRoutes\":null,\"modulesRun\":null,\"messageSize\":0,\"headerFrom\":null,\"headerReplyTo\":null,\"fromAddress\":null,\"ccAddresses\":null,\"replyToAddress\":null,\"toAddresses\":null,\"xmailer\":null,\"messageParts\":null,\"completelyRewritten\":true,\"id\":\"cxxxcxxcc-xxxxx123-xxxxx-xxxxx1234\",\"QID\":null,\"GUID\":\"13c2ccxxxxx12344842xxxx123\",\"sender\":\"\",\"recipient\":[\"c6ccEvkicEXovhsvbUid2c8@example.com\"],\"senderIP\":\"175.16.199.1\",\"messageID\":\"\"}", + "type": [ + "info" + ] + }, + "proofpoint_tap": { + "guid": "13c2ccxxxxx12344842xxxx123", + "message_delivered": { + "cluster": "pharmtech_hosted", + "completely_rewritten": "true", + "impostor_score": 0.0, + "malware_score": 0, + "message_size": 0, + "phish_score": 0, + "recipient": [ + "c6ccEvkicEXovhsvbUid2c8@example.com" + ], + "spam_score": 0, + "threat_info_map": [ + { + "classification": "phish", + "threat": { + "artifact": "https://abc.example.com/my-site", + "id": "af5xxxxxxbba4fd4xxxxxx3bce12cxxxxxxfdc1xxxxxxda2eba5af4xxxxxx314", + "status": "active", + "time": "2022-10-11T00:23:02.519Z", + "type": "url", + "url": "https://threatinsight.proofpoint.com/aaaxyzcvf-546661-b1abcdefghe/threat/email/af5xxxxxxbba4fd4xxxxxx3bce12cxxxxxxfdc1xxxxxxda2eba5af4xxxxxx314" + } + } + ] + } + }, + "related": { + "ip": [ + 
"175.16.199.1" + ] + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "8.2.0" + }, + "email": { + "attachments": [ + { + "file": { + "hash": { + "md5": "b10a8db164e0754105b7a99be72e3fe5", + "sha256": "a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e" + }, + "mime_type": "text/html", + "name": "text.html" + } + }, + { + "file": { + "hash": { + "md5": "b10a8db164e0754105b7a99be72e3fe5", + "sha256": "a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e" + }, + "mime_type": "text/plain", + "name": "text.txt" + } + } + ], + "delivery_timestamp": "2022-03-15T15:00:20.000Z", + "from": { + "address": [ + "client.services@example.com" + ] + }, + "message_id": "200c524xyz1234xyz12343.5fc4b29057.20210428135110.a1234993344.dxyz1234@example.com", + "reply_to": { + "address": [ + "client.services@example.com" + ] + }, + "sender": { + "address": "xyz-abc.us1_152023242.13741304-5fabcd4567@example.com" + }, + "subject": "Speakers Announced | Ecosystem Days Summit", + "to": { + "address": [ + "abc.xyz@example.com" + ] + }, + "x_mailer": "Mailchimp Mailer - **CIxxxxxxxxx1234**" + }, + "event": { + "category": [ + "email" + ], + "id": "5xxxxxx6x7-xxxxx123-xxxxx-xxxxx1234", + "kind": "event", + "original": 
"{\"spamScore\":0,\"phishScore\":0,\"threatsInfoMap\":[{\"threatID\":\"xxxxxx425eaxxxxxxee41d9e81xxxxxxf24a96e48f6e6xxxxxxxxxxxx123456f\",\"threatStatus\":\"active\",\"classification\":\"phish\",\"threatUrl\":\"https://threatinsight.proofpoint.com/3183a23b-d9c3-1234-1234-2babcd123478/threat/email/9fxxxxxxxxxee41d94deabcd1234e9ff24axxxxxxxxxxc5b843f\",\"threatTime\":\"2022-04-01T18:44:01.050Z\",\"threat\":\"https://example.com/view/xpxxxx6uxxxxx9y\",\"campaignID\":null,\"threatType\":\"url\"}],\"messageTime\":\"2022-03-15T15:00:20.000Z\",\"impostorScore\":0,\"malwareScore\":0,\"cluster\":\"example_hosted\",\"subject\":\"Speakers Announced | Ecosystem Days Summit\",\"quarantineFolder\":null,\"quarantineRule\":null,\"policyRoutes\":[\"default_inbound\"],\"modulesRun\":[\"av\",\"zerohour\",\"spf\",\"dkimv\",\"spam\",\"pdr\",\"urldefense\"],\"messageSize\":68402,\"headerFrom\":\"Trang, Alex \u0026 Transpose Platform Team \u003cclient.services@example.com\u003e\",\"headerReplyTo\":\"Trang, Alex \u0026 Transpose Platform Team \u003cclient.services@example.com\u003e\",\"fromAddress\":[\"client.services@example.com\"],\"ccAddresses\":[],\"replyToAddress\":[\"client.services@example.com\"],\"toAddresses\":[\"abc.xyz@example.com\"],\"xmailer\":\"Mailchimp Mailer - 
**CIxxxxxxxxx1234**\",\"messageParts\":[{\"disposition\":\"inline\",\"sha256\":\"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e\",\"md5\":\"b10a8db164e0754105b7a99be72e3fe5\",\"filename\":\"text.html\",\"sandboxStatus\":null,\"oContentType\":\"text/html\",\"contentType\":\"text/html\"},{\"disposition\":\"inline\",\"sha256\":\"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e\",\"md5\":\"b10a8db164e0754105b7a99be72e3fe5\",\"filename\":\"text.txt\",\"sandboxStatus\":null,\"oContentType\":\"text/plain\",\"contentType\":\"text/plain\"}],\"completelyRewritten\":true,\"id\":\"5xxxxxx6x7-xxxxx123-xxxxx-xxxxx1234\",\"QID\":\"2XX29XX029XXXX38XXX6\",\"GUID\":\"RxkxxxxxlxzxkxnxxxxDxrxwxxxxx6\",\"sender\":\"xyz-abc.us1_152023242.13741304-5fabcd4567@example.com\",\"recipient\":[\"abc.xyz@example.com\"],\"senderIP\":\"175.16.199.1\",\"messageID\":\"\u003c200c524xyz1234xyz12343.5fc4b29057.20210428135110.a1234993344.dxyz1234@example.com\u003e\"}", + "type": [ + "info" + ] + }, + "proofpoint_tap": { + "guid": "RxkxxxxxlxzxkxnxxxxDxrxwxxxxx6", + "message_delivered": { + "cluster": "example_hosted", + "completely_rewritten": "true", + "header": { + "from": "Trang, Alex \u0026 Transpose Platform Team client.services@example.com", + "replyto": "Trang, Alex \u0026 Transpose Platform Team \u003cclient.services@example.com\u003e" + }, + "impostor_score": 0.0, + "malware_score": 0, + "message_parts": [ + { + "disposition": "inline", + "o_content_type": "text/html" + }, + { + "disposition": "inline", + "o_content_type": "text/plain" + } + ], + "message_size": 68402, + "modules_run": [ + "av", + "zerohour", + "spf", + "dkimv", + "spam", + "pdr", + "urldefense" + ], + "phish_score": 0, + "policy_routes": [ + "default_inbound" + ], + "qid": "2XX29XX029XXXX38XXX6", + "recipient": [ + "abc.xyz@example.com" + ], + "spam_score": 0, + "threat_info_map": [ + { + "classification": "phish", + "threat": { + "artifact": "https://example.com/view/xpxxxx6uxxxxx9y", + "id": 
"xxxxxx425eaxxxxxxee41d9e81xxxxxxf24a96e48f6e6xxxxxxxxxxxx123456f", + "status": "active", + "time": "2022-04-01T18:44:01.050Z", + "type": "url", + "url": "https://threatinsight.proofpoint.com/3183a23b-d9c3-1234-1234-2babcd123478/threat/email/9fxxxxxxxxxee41d94deabcd1234e9ff24axxxxxxxxxxc5b843f" + } + } + ], + "to_addresses": [ + "abc.xyz@example.com" + ] + } + }, + "related": { + "hash": [ + "b10a8db164e0754105b7a99be72e3fe5", + "a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e" + ], + "ip": [ + "175.16.199.1" + ] + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "8.2.0" + }, + "email": { + "attachments": [ + { + "file": { + "hash": { + "md5": "b10a8db164e0754105b7a99be72e3fe5", + "sha256": "a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e" + }, + "mime_type": "text/plain", + "name": "text.txt" + } + }, + { + "file": { + "hash": { + "md5": "b10a8db164e0754105b7a99be72e3fe5", + "sha256": "a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e" + }, + "mime_type": "text/html", + "name": "text.html" + } + }, + { + "file": { + "hash": { + "md5": "b10a8db164e0754105b7a99be72e3fe5", + "sha256": "a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e" + }, + "mime_type": "image/png", + "name": "image.png" + } + } + ], + "delivery_timestamp": "2021-09-28T16:28:59.490Z", + "from": { + "address": [ + "abc.xyz@example.com" + ] + }, + "message_id": "CAXYZXYZxyz123_83rxxxXxXxXXk-+_TT_XxXxXxxQ@example.com", + "sender": { + "address": "abc.xyz@example.com" + }, + "subject": "RSVP today to Join Transpose Platform’s Ecosystem Days Summit", + "to": { + "address": [ + "abc.xyz@example.com" + ] + } + }, + "event": { + 
"category": [ + "email" + ], + "id": "fbxxxxxx1-xxxxx123-xxxxx-xxxxx1234", + "kind": "event", + "original": "{\"spamScore\":0,\"phishScore\":0,\"threatsInfoMap\":[{\"threatID\":\"6exxxxxxxxxxx123456xxxxxxxxxxx12345643cedfbbe1xxxxxxxxxxx123456b\",\"threatStatus\":\"active\",\"classification\":\"phish\",\"threatUrl\":\"https://threatinsight.proofpoint.com/3183a23b-d9c3-1234-1234-2babcd123408/threat/email/6e2eefdxxxxxxxxxxxxxxxxb3f43ceaafxxxxxxxxxxe5c91axxxbb\",\"threatTime\":\"2022-04-01T23:14:30.450Z\",\"threat\":\"https://example.com/view/8yxxxxvjxxxx5\",\"campaignID\":null,\"threatType\":\"url\"}],\"messageTime\":\"2021-09-28T16:28:59.490Z\",\"impostorScore\":0,\"malwareScore\":0,\"cluster\":\"example_hosted\",\"subject\":\"RSVP today to Join Transpose Platform’s Ecosystem Days Summit\",\"quarantineFolder\":null,\"quarantineRule\":null,\"policyRoutes\":[\"default_inbound\"],\"modulesRun\":[\"av\",\"zerohour\",\"spf\",\"dkimv\",\"spam\",\"pdr\",\"urldefense\"],\"messageSize\":2657297,\"headerFrom\":\"abc.xyz@example.com\",\"headerReplyTo\":null,\"fromAddress\":[\"abc.xyz@example.com\"],\"ccAddresses\":[],\"replyToAddress\":[],\"toAddresses\":[\"abc.xyz@example.com\"],\"xmailer\":null,\"messageParts\":[{\"disposition\":\"inline\",\"sha256\":\"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e\",\"md5\":\"b10a8db164e0754105b7a99be72e3fe5\",\"filename\":\"text.txt\",\"sandboxStatus\":null,\"oContentType\":\"text/plain\",\"contentType\":\"text/plain\"},{\"disposition\":\"inline\",\"sha256\":\"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e\",\"md5\":\"b10a8db164e0754105b7a99be72e3fe5\",\"filename\":\"text.html\",\"sandboxStatus\":null,\"oContentType\":\"text/html\",\"contentType\":\"text/html\"},{\"disposition\":\"attached\",\"sha256\":\"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e\",\"md5\":\"b10a8db164e0754105b7a99be72e3fe5\",\"filename\":\"image.png\",\"sandboxStatus\":null,\"oContentType\":\"image/png\",\"contentTyp
e\":\"image/png\"}],\"completelyRewritten\":true,\"id\":\"fbxxxxxx1-xxxxx123-xxxxx-xxxxx1234\",\"QID\":\"2XX2XXOXFXXGX8X9X\",\"GUID\":\"pxxxxvxxxxPxTxxxixxxxFxxxUxx2xxxxx\",\"sender\":\"abc.xyz@example.com\",\"recipient\":[\"abc.xyz@example.com\"],\"senderIP\":\"175.16.199.1\",\"messageID\":\"\u003cCAXYZXYZxyz123_83rxxxXxXxXXk-+_TT_XxXxXxxQ@example.com\u003e\"}", + "type": [ + "info" + ] + }, + "proofpoint_tap": { + "guid": "pxxxxvxxxxPxTxxxixxxxFxxxUxx2xxxxx", + "message_delivered": { + "cluster": "example_hosted", + "completely_rewritten": "true", + "header": { + "from": "abc.xyz@example.com" + }, + "impostor_score": 0.0, + "malware_score": 0, + "message_parts": [ + { + "disposition": "inline", + "o_content_type": "text/plain" + }, + { + "disposition": "inline", + "o_content_type": "text/html" + }, + { + "disposition": "attached", + "o_content_type": "image/png" + } + ], + "message_size": 2657297, + "modules_run": [ + "av", + "zerohour", + "spf", + "dkimv", + "spam", + "pdr", + "urldefense" + ], + "phish_score": 0, + "policy_routes": [ + "default_inbound" + ], + "qid": "2XX2XXOXFXXGX8X9X", + "recipient": [ + "abc.xyz@example.com" + ], + "spam_score": 0, + "threat_info_map": [ + { + "classification": "phish", + "threat": { + "artifact": "https://example.com/view/8yxxxxvjxxxx5", + "id": "6exxxxxxxxxxx123456xxxxxxxxxxx12345643cedfbbe1xxxxxxxxxxx123456b", + "status": "active", + "time": "2022-04-01T23:14:30.450Z", + "type": "url", + "url": "https://threatinsight.proofpoint.com/3183a23b-d9c3-1234-1234-2babcd123408/threat/email/6e2eefdxxxxxxxxxxxxxxxxb3f43ceaafxxxxxxxxxxe5c91axxxbb" + } + } + ], + "to_addresses": [ + "abc.xyz@example.com" + ] + } + }, + "related": { + "hash": [ + "b10a8db164e0754105b7a99be72e3fe5", + "a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e" + ], + "ip": [ + "175.16.199.1" + ] + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + 
"location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "8.2.0" + }, + "email": { + "attachments": [ + { + "file": { + "hash": { + "md5": "b10a8db164e0754105b7a99be72e3fe5", + "sha256": "a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e" + }, + "mime_type": "text/plain", + "name": "text.txt" + } + }, + { + "file": { + "hash": { + "md5": "b10a8db164e0754105b7a99be72e3fe5", + "sha256": "a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e" + }, + "mime_type": "text/html", + "name": "text.html" + } + } + ], + "delivery_timestamp": "2022-08-17T18:00:22.060Z", + "from": { + "address": [ + "client.services@example.com" + ] + }, + "message_id": "200cxyz1234xyz1234bcb96f3.6xyz12345.202204125625899.736a993333.x12345678e@example.com", + "reply_to": { + "address": [ + "client.services@example.com" + ] + }, + "sender": { + "address": "xyz-abc.us1_152023242.12345678-6xxxx123456789@example.com" + }, + "subject": "Speakers Announced | Ecosystem Days Summit", + "to": { + "address": [ + "abc.xyz@example.com" + ] + }, + "x_mailer": "Mailchimp Mailer - **CIDxxxxxxxxxx1234**" + }, + "event": { + "category": [ + "email" + ], + "id": "fxxxdxxa-xxxxx123-xxxxx-xxxxx1234", + "kind": "event", + "original": 
"{\"spamScore\":0,\"phishScore\":0,\"threatsInfoMap\":[{\"threatID\":\"xxxxxxxxxxx12345678914xxxxxxxxxxx123456e9ff24a9xxxxxxxxxxx123456\",\"threatStatus\":\"active\",\"classification\":\"phish\",\"threatUrl\":\"https://threatinsight.proofpoint.com/3183a23b-d9c3-1234-1234-2babcd123408/threat/email/9f2dbcaa9xxxxxxxxxxe810d280xxxxxxxxxxxe48f6e69xxxxxxf\",\"threatTime\":\"2022-04-01T12:48:03.852Z\",\"threat\":\"https://example.com/view/xp45xxxxxxir9y\",\"campaignID\":null,\"threatType\":\"url\"}],\"messageTime\":\"2022-08-17T18:00:22.060Z\",\"impostorScore\":0,\"malwareScore\":0,\"cluster\":\"example_hosted\",\"subject\":\"Speakers Announced | Ecosystem Days Summit\",\"quarantineFolder\":null,\"quarantineRule\":null,\"policyRoutes\":[\"bypass_maxsize\",\"default_inbound\"],\"modulesRun\":[\"av\",\"zerohour\",\"spf\",\"dkimv\",\"spam\",\"pdr\",\"urldefense\"],\"messageSize\":68353,\"headerFrom\":\"Trang, Alex \u0026 Transpose Platform Team \u003cclient.services@example.com\u003e\",\"headerReplyTo\":\"Trang, Alex \u0026 Transpose Platform Team \u003cclient.services@example.com\u003e\",\"fromAddress\":[\"client.services@example.com\"],\"ccAddresses\":[],\"replyToAddress\":[\"client.services@example.com\"],\"toAddresses\":[\"abc.xyz@example.com\"],\"xmailer\":\"Mailchimp Mailer - 
**CIDxxxxxxxxxx1234**\",\"messageParts\":[{\"disposition\":\"inline\",\"sha256\":\"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e\",\"md5\":\"b10a8db164e0754105b7a99be72e3fe5\",\"filename\":\"text.txt\",\"sandboxStatus\":null,\"oContentType\":\"text/plain\",\"contentType\":\"text/plain\"},{\"disposition\":\"inline\",\"sha256\":\"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e\",\"md5\":\"b10a8db164e0754105b7a99be72e3fe5\",\"filename\":\"text.html\",\"sandboxStatus\":null,\"oContentType\":\"text/html\",\"contentType\":\"text/html\"}],\"completelyRewritten\":true,\"id\":\"fxxxdxxa-xxxxx123-xxxxx-xxxxx1234\",\"QID\":\"X2XXX0XXX2XX4\",\"GUID\":\"wxxAxxxx8x8x5xxxxxJxPxxax7xxxxx\",\"sender\":\"xyz-abc.us1_152023242.12345678-6xxxx123456789@example.com\",\"recipient\":[\"abc.xyz@example.com\"],\"senderIP\":\"175.16.199.1\",\"messageID\":\"\u003c200cxyz1234xyz1234bcb96f3.6xyz12345.202204125625899.736a993333.x12345678e@example.com\u003e\"}", + "type": [ + "info" + ] + }, + "proofpoint_tap": { + "guid": "wxxAxxxx8x8x5xxxxxJxPxxax7xxxxx", + "message_delivered": { + "cluster": "example_hosted", + "completely_rewritten": "true", + "header": { + "from": "Trang, Alex \u0026 Transpose Platform Team client.services@example.com", + "replyto": "Trang, Alex \u0026 Transpose Platform Team \u003cclient.services@example.com\u003e" + }, + "impostor_score": 0.0, + "malware_score": 0, + "message_parts": [ + { + "disposition": "inline", + "o_content_type": "text/plain" + }, + { + "disposition": "inline", + "o_content_type": "text/html" + } + ], + "message_size": 68353, + "modules_run": [ + "av", + "zerohour", + "spf", + "dkimv", + "spam", + "pdr", + "urldefense" + ], + "phish_score": 0, + "policy_routes": [ + "bypass_maxsize", + "default_inbound" + ], + "qid": "X2XXX0XXX2XX4", + "recipient": [ + "abc.xyz@example.com" + ], + "spam_score": 0, + "threat_info_map": [ + { + "classification": "phish", + "threat": { + "artifact": 
"https://example.com/view/xp45xxxxxxir9y", + "id": "xxxxxxxxxxx12345678914xxxxxxxxxxx123456e9ff24a9xxxxxxxxxxx123456", + "status": "active", + "time": "2022-04-01T12:48:03.852Z", + "type": "url", + "url": "https://threatinsight.proofpoint.com/3183a23b-d9c3-1234-1234-2babcd123408/threat/email/9f2dbcaa9xxxxxxxxxxe810d280xxxxxxxxxxxe48f6e69xxxxxxf" + } + } + ], + "to_addresses": [ + "abc.xyz@example.com" + ] + } + }, + "related": { + "hash": [ + "b10a8db164e0754105b7a99be72e3fe5", + "a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e" + ], + "ip": [ + "175.16.199.1" + ] + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "8.2.0" + }, + "email": { + "attachments": [ + { + "file": { + "hash": { + "md5": "b10a8db164e0754105b7a99be72e3fe5", + "sha256": "a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e" + }, + "mime_type": "text/html", + "name": "text.html" + } + }, + { + "file": { + "hash": { + "md5": "b10a8db164e0754105b7a99be72e3fe5", + "sha256": "a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e" + }, + "mime_type": "text/plain", + "name": "text.txt" + } + }, + { + "file": { + "hash": { + "md5": "b10a8db164e0754105b7a99be72e3fe5", + "sha256": "a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e" + }, + "mime_type": "image/png", + "name": "image.png" + } + } + ], + "delivery_timestamp": "2022-03-24T13:24:57.000Z", + "from": { + "address": [ + "abc.xyz@example.com" + ] + }, + "message_id": "ABC-Y_xyz1-83rxxxXxXxXXk-N9==P_XxXxXxxQ@example.com", + "sender": { + "address": "abc.xyz@example.com" + }, + "subject": "RSVP today to Join Transpose Platform’s Ecosystem Days Summit", + "to": { + "address": [ + 
"abc.xyz@example.com" + ] + } + }, + "event": { + "category": [ + "email" + ], + "id": "cxxxxbxxxb-xxxxx123-xxxxx-xxxxx1234", + "kind": "event", + "original": "{\"spamScore\":0,\"phishScore\":0,\"threatsInfoMap\":[{\"threatID\":\"xxxxxxxxxxx123456xxxxxxxxxx1234xxxxxxxxxxx123456bbe1xxxxxx123456\",\"threatStatus\":\"active\",\"classification\":\"phish\",\"threatUrl\":\"https://threatinsight.proofpoint.com/3183a23b-d9c3-1234-1234-2babcd123408/threat/email/6e2eefd8cxxxxxxxxxeef270d0a1b3f43cexxxxxxxxx34abe5c91axxxcb\",\"threatTime\":\"2022-04-01T20:56:13.000Z\",\"threat\":\"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e\",\"campaignID\":null,\"threatType\":\"url\"}],\"messageTime\":\"2022-03-24T13:24:57.000Z\",\"impostorScore\":0,\"malwareScore\":0,\"cluster\":\"example_hosted\",\"subject\":\"RSVP today to Join Transpose Platform’s Ecosystem Days Summit\",\"quarantineFolder\":null,\"quarantineRule\":null,\"policyRoutes\":[\"bypass_maxsize\",\"default_inbound\"],\"modulesRun\":[\"av\",\"zerohour\",\"spf\",\"dkimv\",\"spam\",\"pdr\",\"urldefense\"],\"messageSize\":2642117,\"headerFrom\":\"abc.xyz@example.com\",\"headerReplyTo\":null,\"fromAddress\":[\"abc.xyz@example.com\"],\"ccAddresses\":[],\"replyToAddress\":[],\"toAddresses\":[\"abc.xyz@example.com\"],\"xmailer\":null,\"messageParts\":[{\"disposition\":\"inline\",\"sha256\":\"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e\",\"md5\":\"b10a8db164e0754105b7a99be72e3fe5\",\"filename\":\"text.html\",\"sandboxStatus\":null,\"oContentType\":\"text/html\",\"contentType\":\"text/html\"},{\"disposition\":\"inline\",\"sha256\":\"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e\",\"md5\":\"b10a8db164e0754105b7a99be72e3fe5\",\"filename\":\"text.txt\",\"sandboxStatus\":null,\"oContentType\":\"text/plain\",\"contentType\":\"text/plain\"},{\"disposition\":\"attached\",\"sha256\":\"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e\",\"md5\":\"b10a8db164e0754105b7a99be72
e3fe5\",\"filename\":\"image.png\",\"sandboxStatus\":null,\"oContentType\":\"image/png\",\"contentType\":\"image/png\"}],\"completelyRewritten\":true,\"id\":\"cxxxxbxxxb-xxxxx123-xxxxx-xxxxx1234\",\"QID\":\"2XXX2X5XX5XX7\",\"GUID\":\"gpxxx5xx2xHxxxJx7xxxxmx5xcxxxxxZ\",\"sender\":\"abc.xyz@example.com\",\"recipient\":[\"abc.xyz@example.com\"],\"senderIP\":\"175.16.199.1\",\"messageID\":\"\u003cABC-Y_xyz1-83rxxxXxXxXXk-N9==P_XxXxXxxQ@example.com\u003e\"}", + "type": [ + "info" + ] + }, + "proofpoint_tap": { + "guid": "gpxxx5xx2xHxxxJx7xxxxmx5xcxxxxxZ", + "message_delivered": { + "cluster": "example_hosted", + "completely_rewritten": "true", + "header": { + "from": "abc.xyz@example.com" + }, + "impostor_score": 0.0, + "malware_score": 0, + "message_parts": [ + { + "disposition": "inline", + "o_content_type": "text/html" + }, + { + "disposition": "inline", + "o_content_type": "text/plain" + }, + { + "disposition": "attached", + "o_content_type": "image/png" + } + ], + "message_size": 2642117, + "modules_run": [ + "av", + "zerohour", + "spf", + "dkimv", + "spam", + "pdr", + "urldefense" + ], + "phish_score": 0, + "policy_routes": [ + "bypass_maxsize", + "default_inbound" + ], + "qid": "2XXX2X5XX5XX7", + "recipient": [ + "abc.xyz@example.com" + ], + "spam_score": 0, + "threat_info_map": [ + { + "classification": "phish", + "threat": { + "artifact": "a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e", + "id": "xxxxxxxxxxx123456xxxxxxxxxx1234xxxxxxxxxxx123456bbe1xxxxxx123456", + "status": "active", + "time": "2022-04-01T20:56:13.000Z", + "type": "url", + "url": "https://threatinsight.proofpoint.com/3183a23b-d9c3-1234-1234-2babcd123408/threat/email/6e2eefd8cxxxxxxxxxeef270d0a1b3f43cexxxxxxxxx34abe5c91axxxcb" + } + } + ], + "to_addresses": [ + "abc.xyz@example.com" + ] + } + }, + "related": { + "hash": [ + "b10a8db164e0754105b7a99be72e3fe5", + "a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e" + ], + "ip": [ + "175.16.199.1" + ] + }, + 
"source": {
+ "geo": {
+ "city_name": "Changchun",
+ "continent_name": "Asia",
+ "country_iso_code": "CN",
+ "country_name": "China",
+ "location": {
+ "lat": 43.88,
+ "lon": 125.3228
+ },
+ "region_iso_code": "CN-22",
+ "region_name": "Jilin Sheng"
+ },
+ "ip": "175.16.199.1"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/proofpoint_tap/data_stream/message_delivered/_dev/test/system/test-default-config.yml b/packages/proofpoint_tap/data_stream/message_delivered/_dev/test/system/test-default-config.yml
new file mode 100644
index 00000000000..ec9377ca329
--- /dev/null
+++ b/packages/proofpoint_tap/data_stream/message_delivered/_dev/test/system/test-default-config.yml
@@ -0,0 +1,9 @@
+input: httpjson
+service: proofpoint_tap
+vars:
+ url: http://{{Hostname}}:{{Port}}
+ principal: xxxx
+ secret: xxxx
+data_stream:
+ vars:
+ preserve_original_event: true
diff --git a/packages/proofpoint_tap/data_stream/message_delivered/agent/stream/httpjson.yml.hbs b/packages/proofpoint_tap/data_stream/message_delivered/agent/stream/httpjson.yml.hbs
new file mode 100644
index 00000000000..4222c42aa67
--- /dev/null
+++ b/packages/proofpoint_tap/data_stream/message_delivered/agent/stream/httpjson.yml.hbs
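Review bot: The expected output records `proofpoint_tap.message_delivered.completely_rewritten` as the string `"true"` although `event.original` on the same documents carries `completelyRewritten: true` as a JSON boolean, and in the last four documents `header.from` has its angle-bracketed address reduced to `Trang, Alex & Transpose Platform Team client.services@example.com` while `header.replyto` keeps `<client.services@example.com>` from the same source string. The pipeline that produces both (`elasticsearch/ingest_pipeline/default.yml`) is outside this chunk, so this is inferred: the first looks like a missing `convert` to `boolean` (or a deliberate keyword mapping that fields.yml should then document), and the second like a gsub or trim applied to `headerFrom` only. Either both header fields should be normalised identically or neither, since the mismatched shape makes them hard to query together. Worth confirming before this file is committed as the test oracle.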
@@ -0,0 +1,44 @@
+config_version: 2
+interval: {{interval}}
+{{#if proxy_url }}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+request.method: GET
+request.url: {{url}}/v2/siem/messages/delivered
+auth.basic.user: {{principal}}
+auth.basic.password: {{secret}}
+request.transforms:
+ - set:
+ target: url.params.format
+ value: json
+ - set:
+ target: url.params.interval
+ value: '[[if (le (formatDate ((parseDate .cursor.last_received_time "RFC3339").Add (parseDuration "1h"))) (formatDate (now)))]][[formatDate (parseDate .cursor.last_received_time "RFC3339")]]/[[formatDate ((parseDate .cursor.last_received_time "RFC3339").Add (parseDuration "1h"))]][[else]][[formatDate (parseDate .cursor.last_received_time "RFC3339")]]/[[formatDate now]][[end]]'
+ default: '[[formatDate (now (parseDuration "-{{initial_interval}}"))]]/[[formatDate ((now (parseDuration "-{{initial_interval}}")).Add (parseDuration "1h"))]]'
+response.pagination:
+ - set:
+ target: url.params.interval
+ value: '[[if (le (formatDate ((parseDate .last_response.body.queryEndTime "RFC3339").Add (parseDuration "1h"))) (formatDate (now)))]][[formatDate (parseDate .last_response.body.queryEndTime "RFC3339")]]/[[formatDate ((parseDate .last_response.body.queryEndTime "RFC3339").Add (parseDuration "1h"))]][[else]][[.last_response.terminate_pagination]][[end]]'
+ fail_on_template_error: true
+cursor:
+ last_received_time:
+ value: '[[.last_response.body.queryEndTime]]'
+response.split:
+ target: body.messagesDelivered
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
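Review bot: `auth.basic.user: {{principal}}` and `auth.basic.password: {{secret}}` splice the credentials into the stream config unquoted, so a secret containing ` #` or `: `, or one that starts with a YAML indicator such as `*`, `&`, `[` or `{`, is mis-parsed (or silently truncated at the comment marker) when the rendered YAML is loaded, and the user sees an authentication failure rather than a configuration error. Quote the templated values, `auth.basic.user: "{{principal}}"` and `auth.basic.password: "{{secret}}"`, and note in the variable description that a secret containing `"` or `\` then needs escaping; the same applies to `request.url: "{{url}}/v2/siem/messages/delivered"` and `request.proxy_url: "{{proxy_url}}"`. The `initial_interval` value is also interpolated into a Go-template `parseDuration` in the `request.transforms` block, which has no `fail_on_template_error`, so a non-duration value presumably produces an empty interval parameter at request time rather than a clear error — worth a `fail_on_template_error: true` there too, matching the pagination block.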
diff --git a/packages/proofpoint_tap/data_stream/message_delivered/elasticsearch/ingest_pipeline/default.yml b/packages/proofpoint_tap/data_stream/message_delivered/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..139b593dfc4
--- /dev/null
+++ b/packages/proofpoint_tap/data_stream/message_delivered/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,435 @@ +--- +description: Pipeline for parsing Proofpoint TAP delivered message logs. +processors: + - set: + field: ecs.version + value: '8.2.0' + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: json + ignore_failure: true + - fingerprint: + fields: + - json.GUID + - json.messageTime + target_field: _id + ignore_missing: true + - append: + field: event.category + value: email + ignore_failure: true + - append: + field: event.type + value: info + ignore_failure: true + - set: + field: event.kind + value: event + - convert: + field: json.senderIP + target_field: source.ip + type: ip + ignore_failure: true + - append: + field: related.ip + value: '{{{source.ip}}}' + if: ctx.source?.ip != null && ctx.source?.ip != '' + allow_duplicates: false + ignore_failure: true + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + if: ctx.source?.ip != null && ctx.source?.ip != '' + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + if: ctx.source?.ip != null && ctx.source?.ip != '' + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - foreach: + field: json.messageParts + processor: + append: + field: related.hash + value: '{{{_ingest._value.md5}}}' + allow_duplicates: false + ignore_failure: true + ignore_failure: true + if: ctx.json?.messageParts != null && ctx.json?.messageParts instanceof List + - foreach: + field: json.messageParts + processor: + append: + field: related.hash + value: '{{{_ingest._value.sha256}}}' + allow_duplicates: false + ignore_failure: true + ignore_failure: true + if: ctx.json?.messageParts != null && ctx.json?.messageParts instanceof List + - rename: + field: 
json.ccAddresses + target_field: email.cc.address + ignore_missing: true + - date: + field: json.messageTime + target_field: email.delivery_timestamp + ignore_failure: true + formats: + - ISO8601 + - rename: + field: json.fromAddress + target_field: email.from.address + ignore_missing: true + - rename: + field: json.messageID + target_field: email.message_id + ignore_missing: true + - gsub: + field: email.message_id + pattern: '<|>' + replacement: '' + ignore_missing: true + - rename: + field: json.replyToAddress + target_field: email.reply_to.address + ignore_missing: true + - rename: + field: json.sender + target_field: email.sender.address + ignore_missing: true + - rename: + field: json.subject + target_field: email.subject + ignore_missing: true + - set: + field: email.to.address + copy_from: json.toAddresses + ignore_failure: true + - foreach: + field: json.recipient + processor: + append: + field: email.to.address + value: '{{{_ingest._value}}}' + allow_duplicates: false + ignore_failure: true + ignore_failure: true + if: ctx.json?.recipient != null && ctx.json?.recipient instanceof List + - rename: + field: json.xmailer + target_field: email.x_mailer + ignore_missing: true + - rename: + field: json.id + target_field: event.id + ignore_missing: true + - set: + field: email.attachments + copy_from: json.messageParts + ignore_failure: true + - foreach: + field: email.attachments + processor: + remove: + field: + - _ingest._value.disposition + - _ingest._value.oContentType + - _ingest._value.sandboxStatus + ignore_missing: true + ignore_failure: true + if: ctx.email?.attachments != null && ctx.email?.attachments instanceof List + - foreach: + field: email.attachments + processor: + rename: + field: _ingest._value.contentType + target_field: _ingest._value.file.mime_type + ignore_missing: true + ignore_failure: true + if: ctx.email?.attachments != null && ctx.email?.attachments instanceof List + - foreach: + field: email.attachments + processor: + rename: + 
field: _ingest._value.md5 + target_field: _ingest._value.file.hash.md5 + ignore_missing: true + ignore_failure: true + if: ctx.email?.attachments != null && ctx.email?.attachments instanceof List + - foreach: + field: email.attachments + processor: + rename: + field: _ingest._value.sha256 + target_field: _ingest._value.file.hash.sha256 + ignore_missing: true + ignore_failure: true + if: ctx.email?.attachments != null && ctx.email?.attachments instanceof List + - foreach: + field: email.attachments + processor: + rename: + field: _ingest._value.filename + target_field: _ingest._value.file.name + ignore_missing: true + ignore_failure: true + if: ctx.email?.attachments != null && ctx.email?.attachments instanceof List + - script: + description: Adding hash in related.hash from artifact field. + lang: painless + ignore_failure: true + source: | + if (ctx.json?.threatsInfoMap instanceof List) { + for (artifact in ctx.json?.threatsInfoMap) { + def flag = true; + def str = artifact.threat.toLowerCase(); + if (str?.length() == 64) { + for (int i = 0; i < str.length(); i++) { + def ch = str.charAt(i); + if ((ch < (char)'0' || ch > (char)'9') && (ch < (char)'a' || ch > (char)'f')) { + flag = false; + break; + } + } + if (flag && !ctx["related"]["hash"].contains(str)) { + ctx["related"]["hash"].add(str); + } + } + } + } + - rename: + field: json.toAddresses + target_field: proofpoint_tap.message_delivered.to_addresses + ignore_missing: true + - rename: + field: json.recipient + target_field: proofpoint_tap.message_delivered.recipient + ignore_missing: true + - rename: + field: json.cluster + target_field: proofpoint_tap.message_delivered.cluster + ignore_missing: true + - convert: + field: json.completelyRewritten + target_field: proofpoint_tap.message_delivered.completely_rewritten + type: string + ignore_failure: true + - rename: + field: json.GUID + target_field: proofpoint_tap.guid + ignore_missing: true + - rename: + field: json.headerFrom + target_field: 
proofpoint_tap.message_delivered.header.from + ignore_missing: true + - gsub: + field: proofpoint_tap.message_delivered.header.from + pattern: '<|>' + replacement: '' + ignore_missing: true + - rename: + field: json.headerReplyTo + target_field: proofpoint_tap.message_delivered.header.replyto + ignore_missing: true + - convert: + field: json.impostorScore + target_field: proofpoint_tap.message_delivered.impostor_score + type: double + ignore_failure: true + - convert: + field: json.malwareScore + target_field: proofpoint_tap.message_delivered.malware_score + type: long + ignore_failure: true + - rename: + field: json.messageParts + target_field: proofpoint_tap.message_delivered.message_parts + ignore_missing: true + - foreach: + field: proofpoint_tap.message_delivered.message_parts + processor: + remove: + field: + - _ingest._value.contentType + - _ingest._value.filename + - _ingest._value.md5 + - _ingest._value.sha256 + ignore_missing: true + ignore_failure: true + if: ctx.proofpoint_tap?.message_delivered?.message_parts != null && ctx.proofpoint_tap?.message_delivered?.message_parts instanceof List + - foreach: + field: proofpoint_tap.message_delivered.message_parts + processor: + rename: + field: _ingest._value.oContentType + target_field: _ingest._value.o_content_type + ignore_missing: true + ignore_failure: true + if: ctx.proofpoint_tap?.message_delivered?.message_parts != null && ctx.proofpoint_tap?.message_delivered?.message_parts instanceof List + - foreach: + field: proofpoint_tap.message_delivered.message_parts + processor: + rename: + field: _ingest._value.sandboxStatus + target_field: _ingest._value.sandbox_status + ignore_missing: true + ignore_failure: true + if: ctx.proofpoint_tap?.message_delivered?.message_parts != null && ctx.proofpoint_tap?.message_delivered?.message_parts instanceof List + - convert: + field: json.messageSize + target_field: proofpoint_tap.message_delivered.message_size + type: long + ignore_failure: true + - rename: + field: 
json.modulesRun + target_field: proofpoint_tap.message_delivered.modules_run + ignore_missing: true + - convert: + field: json.phishScore + target_field: proofpoint_tap.message_delivered.phish_score + type: long + ignore_failure: true + - rename: + field: json.policyRoutes + target_field: proofpoint_tap.message_delivered.policy_routes + ignore_missing: true + - rename: + field: json.QID + target_field: proofpoint_tap.message_delivered.qid + ignore_missing: true + - rename: + field: json.quarantineFolder + target_field: proofpoint_tap.message_delivered.quarantine.folder + ignore_missing: true + - rename: + field: json.quarantineRule + target_field: proofpoint_tap.message_delivered.quarantine.rule + ignore_missing: true + - convert: + field: json.spamScore + target_field: proofpoint_tap.message_delivered.spam_score + type: long + ignore_failure: true + - rename: + field: json.threatsInfoMap + target_field: proofpoint_tap.message_delivered.threat_info_map + ignore_missing: true + - foreach: + field: proofpoint_tap.message_delivered.threat_info_map + processor: + rename: + field: _ingest._value.campaignId + target_field: _ingest._value.campaign_id + ignore_missing: true + ignore_failure: true + if: ctx.proofpoint_tap?.message_delivered?.threat_info_map != null && ctx.proofpoint_tap?.message_delivered?.threat_info_map instanceof List + - foreach: + field: proofpoint_tap.message_delivered.threat_info_map + processor: + rename: + field: _ingest._value.threat + target_field: _ingest._value.threat.artifact + ignore_missing: true + ignore_failure: true + if: ctx.proofpoint_tap?.message_delivered?.threat_info_map != null && ctx.proofpoint_tap?.message_delivered?.threat_info_map instanceof List + - foreach: + field: proofpoint_tap.message_delivered.threat_info_map + processor: + rename: + field: _ingest._value.threatID + target_field: _ingest._value.threat.id + ignore_missing: true + ignore_failure: true + if: ctx.proofpoint_tap?.message_delivered?.threat_info_map != null && 
ctx.proofpoint_tap?.message_delivered?.threat_info_map instanceof List + - foreach: + field: proofpoint_tap.message_delivered.threat_info_map + processor: + rename: + field: _ingest._value.threatStatus + target_field: _ingest._value.threat.status + ignore_missing: true + ignore_failure: true + if: ctx.proofpoint_tap?.message_delivered?.threat_info_map != null && ctx.proofpoint_tap?.message_delivered?.threat_info_map instanceof List + - foreach: + field: proofpoint_tap.message_delivered.threat_info_map + processor: + date: + field: _ingest._value.threatTime + target_field: _ingest._value.threat.time + ignore_failure: true + formats: + - ISO8601 + ignore_failure: true + if: ctx.proofpoint_tap?.message_delivered?.threat_info_map != null && ctx.proofpoint_tap?.message_delivered?.threat_info_map instanceof List + - foreach: + field: proofpoint_tap.message_delivered.threat_info_map + processor: + remove: + field: _ingest._value.threatTime + ignore_missing: true + ignore_failure: true + if: ctx.proofpoint_tap?.message_delivered?.threat_info_map != null && ctx.proofpoint_tap?.message_delivered?.threat_info_map instanceof List + - foreach: + field: proofpoint_tap.message_delivered.threat_info_map + processor: + rename: + field: _ingest._value.threatType + target_field: _ingest._value.threat.type + ignore_missing: true + ignore_failure: true + if: ctx.proofpoint_tap?.message_delivered?.threat_info_map != null && ctx.proofpoint_tap?.message_delivered?.threat_info_map instanceof List + - foreach: + field: proofpoint_tap.message_delivered.threat_info_map + processor: + rename: + field: _ingest._value.threatUrl + target_field: _ingest._value.threat.url + ignore_missing: true + ignore_failure: true + if: ctx.proofpoint_tap?.message_delivered?.threat_info_map != null && ctx.proofpoint_tap?.message_delivered?.threat_info_map instanceof List + - remove: + field: event.original + if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) + ignore_failure: true + 
ignore_missing: true + - remove: + field: + - json + ignore_missing: true + - script: + description: Drops null/empty values recursively. + lang: painless + source: | + boolean dropEmptyFields(Object object) { + if (object == null || object == "") { + return true; + } else if (object instanceof Map) { + ((Map) object).values().removeIf(value -> dropEmptyFields(value)); + return (((Map) object).size() == 0); + } else if (object instanceof List) { + ((List) object).removeIf(value -> dropEmptyFields(value)); + return (((List) object).length == 0); + } + return false; + } + dropEmptyFields(ctx); +on_failure: + - set: + field: error.message + value: '{{{_ingest.on_failure_message}}}' diff --git a/packages/proofpoint_tap/data_stream/message_delivered/fields/agent.yml b/packages/proofpoint_tap/data_stream/message_delivered/fields/agent.yml new file mode 100644 index 00000000000..73e076a93b1 --- /dev/null +++ b/packages/proofpoint_tap/data_stream/message_delivered/fields/agent.yml 
@@ -0,0 +1,186 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container ID. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host IP addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset 
diff --git a/packages/proofpoint_tap/data_stream/message_delivered/fields/base-fields.yml b/packages/proofpoint_tap/data_stream/message_delivered/fields/base-fields.yml
new file mode 100644
index 00000000000..cc51aafdf83
--- /dev/null
+++ b/packages/proofpoint_tap/data_stream/message_delivered/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module.
+ value: proofpoint_tap
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset.
+ value: proofpoint_tap.message_delivered
diff --git a/packages/proofpoint_tap/data_stream/message_delivered/fields/ecs.yml b/packages/proofpoint_tap/data_stream/message_delivered/fields/ecs.yml
new file mode 100644
index 00000000000..8643573d876
--- /dev/null
+++ b/packages/proofpoint_tap/data_stream/message_delivered/fields/ecs.yml
@@ -0,0 +1,68 @@
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: email.attachments
+- external: ecs
+ name: email.attachments.file.hash.md5
+- external: ecs
+ name: email.attachments.file.hash.sha256
+- external: ecs
+ name: email.attachments.file.name
+- external: ecs
+ name: email.cc.address
+- external: ecs
+ name: email.content_type
+- external: ecs
+ name: email.delivery_timestamp
+- external: ecs
+ name: email.from.address
+- external: ecs
+ name: email.message_id
+- external: ecs
+ name: email.reply_to.address
+- external: ecs
+ name: email.sender.address
+- external: ecs
+ name: email.subject
+- external: ecs
+ name: email.to.address
+- external: ecs
+ name: email.x_mailer
+- external: ecs
+ name: event.category
+- external: ecs
+ name: event.created
+- external: ecs
+ name: event.id
+- external: ecs
+ name: event.kind
+- external: ecs
+ name: event.original
+- external: ecs
+ name: event.type
+- external: ecs
+ name: related.hash
+- external: ecs
+ name: related.ip
+- external: ecs
+ name: source.as.number
+- external: ecs
+ name: source.as.organization.name
+- external: ecs
+ name: source.geo.city_name
+- external: ecs
+ name: source.geo.continent_name
+- external: ecs
+ name: source.geo.country_iso_code
+- external: ecs
+ name: source.geo.country_name
+- external: ecs
+ name: source.geo.location
+- external: ecs
+ name: source.geo.region_iso_code
+- external: ecs
+ name: source.geo.region_name
+- external: ecs
+ name: source.ip
+- external: ecs
+ name: tags
diff --git a/packages/proofpoint_tap/data_stream/message_delivered/fields/fields.yml b/packages/proofpoint_tap/data_stream/message_delivered/fields/fields.yml
new file mode 100644
index 00000000000..7b8ee5ae008
--- /dev/null
+++ b/packages/proofpoint_tap/data_stream/message_delivered/fields/fields.yml
@@ -0,0 +1,106 @@ +- name: proofpoint_tap + type: group + fields: + - name: guid + type: keyword + description: The ID of the message within PPS. It can be used to identify the message in PPS and is guaranteed to be unique. + - name: message_delivered + type: group + fields: + - name: cluster + type: keyword + description: The name of the PPS cluster which processed the message. + - name: completely_rewritten + type: keyword + description: The rewrite status of the message. If value is 'true', all instances of URL threats within the message were successfully rewritten. If the value is 'false', at least one instance of the a threat URL was not rewritten. If the value is 'na', the message did not contain any URL-based threats. + - name: header + type: group + fields: + - name: from + type: keyword + description: 'The full content of the 
From: header, including any friendly name.' + - name: replyto + type: keyword + description: 'If present, the full content of the Reply-To: header, including any friendly names.' + - name: impostor_score + type: double + description: The impostor score of the message. Higher scores indicate higher certainty. + - name: malware_score + type: long + description: The malware score of the message. Higher scores indicate higher certainty. + - name: message_parts + type: group + fields: + - name: disposition + type: keyword + description: If the value is "inline," the messagePart is a message body. If the value is "attached," the messagePart is an attachment. + - name: o_content_type + type: keyword + description: The declared Content-Type of the messagePart. + - name: sandbox_status + type: keyword + description: The verdict returned by the sandbox during the scanning process. If the value is "unsupported", the messagePart is not supported by Attachment Defense and was not scanned. If the value is "clean", the sandbox returned a clean verdict. If the value is "threat", the sandbox returned a malicious verdict. If the value is "prefilter", the messagePart contained no active content, and was therefore not sent to the sandboxing service. If the value is "uploaded," the message was uploaded by PPS to the sandboxing service, but did not yet have a verdict at the time the message was processed. If the value is "inprogress," the attachment had been uploaded and was awaiting scanning at the time the message was processed. If the verdict is "uploaddisabled," the attachment was eligible for scanning, but was not uploaded because of PPS policy. + - name: message_size + type: long + description: The size in bytes of the message, including headers and attachments. + - name: modules_run + type: keyword + description: The list of PPS modules which processed the message. + - name: phish_score + type: long + description: The phish score of the message. 
Higher scores indicate higher certainty. + - name: policy_routes + type: keyword + description: The policy routes that the message matched during processing by PPS. + - name: qid + type: keyword + description: The queue ID of the message within PPS. It can be used to identify the message in PPS and is not unique. + - name: quarantine + type: group + fields: + - name: folder + type: keyword + description: The name of the folder which contains the quarantined message. This appears only for messagesBlocked. + - name: rule + type: keyword + description: The name of the rule which quarantined the message. This appears only for messagesBlocked events. + - name: recipient + type: keyword + description: An array containing the email addresses of the SMTP (envelope) recipients. + - name: spam_score + type: long + description: The spam score of the message. Higher scores indicate higher certainty. + - name: threat_info_map + type: group + description: An array of structures which contain details about detected threats within the message. There may be more than one threat per message. + fields: + - name: campaign_id + type: keyword + description: An identifier for the campaign of which the threat is a member, if available at the time of the query. Threats can be linked to campaigns even after these events are retrieved. + - name: classification + type: keyword + description: The category of threat found in the message. + - name: threat + type: group + fields: + - name: artifact + type: keyword + description: The artifact which was condemned by Proofpoint. The malicious URL, hash of the attachment threat, or email address of the impostor sender. + - name: id + type: keyword + description: The unique identifier associated with this threat. It can be used to query the forensics and campaign endpoints. + - name: status + type: keyword + description: The current state of the threat. + - name: time + type: date + description: Proofpoint assigned the threatStatus at this time. 
+ - name: type + type: keyword + description: Whether the threat was an attachment, URL, or message type. + - name: url + type: keyword + description: A link to the entry about the threat on the TAP Dashboard. + - name: to_addresses + type: keyword + description: 'A list of email addresses contained within the To: header, excluding friendly names.' diff --git a/packages/proofpoint_tap/data_stream/message_delivered/manifest.yml b/packages/proofpoint_tap/data_stream/message_delivered/manifest.yml new file mode 100644 index 00000000000..e82e189b753 --- /dev/null +++ b/packages/proofpoint_tap/data_stream/message_delivered/manifest.yml 
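Review bot: The `quarantine.folder` and `quarantine.rule` descriptions in this `message_delivered` fields file say the value "appears only for messagesBlocked", which reads as copied from the blocked stream and contradicts the data stream it documents. Either reword them, e.g. `description: The name of the folder which contains the quarantined message, if the message was quarantined.` and `description: The name of the rule which quarantined the message, if any.`, or drop the two fields here if the delivered endpoint never returns them (the pipeline does rename `json.quarantineFolder`/`json.quarantineRule`, so keeping the fields with corrected wording seems the safer choice). The `message_parts.disposition` and `sandbox_status` descriptions mix `"inline,"` (comma inside the quotes) with `"clean",` — minor, but worth normalising since these strings are what analysts will copy into filters.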
@@ -0,0 +1,50 @@
+title: Message Delivered
+type: logs
+streams:
+ - input: httpjson
+ template_path: httpjson.yml.hbs
+ title: Proofpoint_TAP Message Delivered logs
+ description: Collect Proofpoint TAP Message Delivered logs via API.
+ vars:
+ - name: interval
+ type: text
+ title: Interval
+ description: Interval to fetch data from Proofpoint TAP API (The interval should be at least 1m).
+ multi: false
+ required: true
+ show_user: true
+ default: 1h
+ - name: initial_interval
+ type: text
+ title: Initial Interval
+ description: How far back to pull the tap data from the Proofpoint TAP API (The initial interval should be a maximum of 7 days).
+ default: 24h
+ multi: false
+ required: true
+ show_user: true
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - proofpoint_tap-message_delivered
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
diff --git a/packages/proofpoint_tap/data_stream/message_delivered/sample_event.json b/packages/proofpoint_tap/data_stream/message_delivered/sample_event.json
new file mode 100644
index 00000000000..60229edc5b8
--- /dev/null
+++ b/packages/proofpoint_tap/data_stream/message_delivered/sample_event.json
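Review bot: The `interval` and `initial_interval` descriptions state limits ("at least 1m", "a maximum of 7 days") but nothing in the manifest encodes the accepted form, and `initial_interval` is spliced into a Go-template `parseDuration` in the stream template, so a value that is not a Go duration presumably fails only when the first request is built. Spell out the expected format where the user sees it, e.g. `description: How far back to pull data on first run, as a Go duration such as 24h or 168h. The SIEM API accepts at most 7 days (168h).`, and the same `Go duration` wording on `interval`. Note also that the credential variables (`principal`, `secret`, `url`) used by the stream template are not declared in this stream manifest, so they must come from the package-level manifest outside this diff; confirm `secret` is declared there with `type: password` so it is masked in the policy UI.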
@@ -0,0 +1,120 @@
+{
+ "@timestamp": "2022-05-09T09:42:31.705Z",
+ "agent": {
+ "ephemeral_id": "59bb449e-3552-4dfb-a4a4-a6928d75b8fa",
+ "hostname": "docker-fleet-agent",
+ "id": "3dc09e3a-0004-444b-a301-8c632b17172b",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "7.17.0"
+ },
+ "data_stream": {
+ "dataset": "proofpoint_tap.message_delivered",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.2.0"
+ },
+ "elastic_agent": {
+ "id": "3dc09e3a-0004-444b-a301-8c632b17172b",
+ "snapshot": false,
+ "version": "7.17.0"
+ },
+ "email": {
+ "delivery_timestamp": "2022-01-01T00:00:00.000Z",
+ "to": {
+ "address": [
+ "fxxxxhxsxxvxbcx2xx5xxx6x3xx26@example.com"
+ ]
+ }
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "category": [
+ "email"
+ ],
+ "created": "2022-05-09T09:42:31.705Z",
+ "dataset": "proofpoint_tap.message_delivered",
+ "id": "2hsvbU-i8abc123-12345-xxxxx12",
+ "ingested": "2022-05-09T09:42:35Z",
+ "kind": "event",
+ "original": "{\"GUID\":\"NxxxsxvxbxUxixcx2xxxxx5x6xWxBxOxxxxxjxx\",\"QID\":null,\"ccAddresses\":null,\"cluster\":\"pharmtech_hosted\",\"completelyRewritten\":true,\"fromAddress\":null,\"headerFrom\":null,\"headerReplyTo\":null,\"id\":\"2hsvbU-i8abc123-12345-xxxxx12\",\"impostorScore\":0,\"malwareScore\":0,\"messageID\":\"\",\"messageParts\":null,\"messageSize\":0,\"messageTime\":\"2022-01-01T00:00:00.000Z\",\"modulesRun\":null,\"phishScore\":0,\"policyRoutes\":null,\"quarantineFolder\":null,\"quarantineRule\":null,\"recipient\":[\"fxxxxhxsxxvxbcx2xx5xxx6x3xx26@example.com\"],\"replyToAddress\":null,\"sender\":\"\",\"senderIP\":\"89.160.20.112\",\"spamScore\":0,\"subject\":null,\"threatsInfoMap\":[{\"campaignID\":null,\"classification\":\"spam\",\"threat\":\"http://zbcd123456x0.example.com\",\"threatID\":\"b7exxxxxxxx0d10xxxxxxe2xxxxxxxxxxxx81cxxxxxx034ac9cxxxxxxxxxxxxb\",\"threatStatus\":\"active\",\"threatTime\":\"2021-11-25T13:02:58.640Z\",\"threatType\":\"url\",\"threatUrl\":\"https://threatinsight.proofpoint.com/aaabcdef-1234-b1abcdefghe/threat/email/b7exxxxxxxx0d10xxxxxxe2xxxxxxxxxxxx81cxxxxxx034ac9cxxxxxxxxxxxxb\"},{\"campaignID\":null,\"classification\":\"phish\",\"threat\":\"http://zbcd123456x0.example.com\",\"threatID\":\"aaabcdefg123456f009971a9c193abcdefg123456bf5abcdefg1234566\",\"threatStatus\":\"active\",\"threatTime\":\"2021-07-19T10:28:15.100Z\",\"threatType\":\"url\",\"threatUrl\":\"https://threatinsight.proofpoint.com/aaabcdef-1234-b1abcdefghe/threat/email/b7exxxxxxxx0d10xxxxxxe2xxxxxxxxxxxx81cxxxxxx034ac9cxxxxxxxxxxxxb\"}],\"toAddresses\":null,\"xmailer\":null}",
+ "type": [
+ "info"
+ ]
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "proofpoint_tap": {
+ "guid": "NxxxsxvxbxUxixcx2xxxxx5x6xWxBxOxxxxxjxx",
+ "message_delivered": {
+ "cluster": "pharmtech_hosted",
+ "completely_rewritten": "true",
+ "impostor_score": 0,
+ "malware_score": 0,
+ "message_size": 0,
+ "phish_score": 0,
+ "recipient": [
+ "fxxxxhxsxxvxbcx2xx5xxx6x3xx26@example.com"
+ ],
+ "spam_score": 0,
+ "threat_info_map": [
+ {
+ "classification": "spam",
+ "threat": {
+ "artifact": "http://zbcd123456x0.example.com",
+ "id": "b7exxxxxxxx0d10xxxxxxe2xxxxxxxxxxxx81cxxxxxx034ac9cxxxxxxxxxxxxb",
+ "status": "active",
+ "time": "2021-11-25T13:02:58.640Z",
+ "type": "url",
+ "url": "https://threatinsight.proofpoint.com/aaabcdef-1234-b1abcdefghe/threat/email/b7exxxxxxxx0d10xxxxxxe2xxxxxxxxxxxx81cxxxxxx034ac9cxxxxxxxxxxxxb"
+ }
+ },
+ {
+ "classification": "phish",
+ "threat": {
+ "artifact": "http://zbcd123456x0.example.com",
+ "id": "aaabcdefg123456f009971a9c193abcdefg123456bf5abcdefg1234566",
+ "status": "active",
+ "time": "2021-07-19T10:28:15.100Z",
+ "type": "url",
+ "url": "https://threatinsight.proofpoint.com/aaabcdef-1234-b1abcdefghe/threat/email/b7exxxxxxxx0d10xxxxxxe2xxxxxxxxxxxx81cxxxxxx034ac9cxxxxxxxxxxxxb"
+ }
+ }
+ ]
+ }
+ },
+ "related": {
+ "ip": [
+ "89.160.20.112"
+ ]
+ },
+ "source": {
+ "as": {
+ "number": 29518,
+ "organization": {
+ "name": "Bredband2 AB"
+ }
+ },
+ "geo": {
+ "city_name": "Linköping",
+ "continent_name": "Europe",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "location": {
+ "lat": 58.4167,
+ "lon": 15.6167
+ },
+ "region_iso_code": "SE-E",
+ "region_name": "Östergötland County"
+ },
+ "ip": "89.160.20.112"
+ },
+ "tags": [
+ "preserve_original_event",
+ "forwarded",
+ "proofpoint_tap-message_delivered"
+ ]
+}
\ No newline at end of file
diff --git a/packages/proofpoint_tap/docs/README.md b/packages/proofpoint_tap/docs/README.md
new file mode 100644
index 00000000000..4499fb5f31d
--- /dev/null
+++ b/packages/proofpoint_tap/docs/README.md
@@ -0,0 +1,1020 @@ +# Proofpoint TAP + +The Proofpoint TAP integration collects and parses data from the Proofpoint TAP REST APIs. + +## Compatibility + +This module has been tested against `SIEM API v2`. + +## Configurations + +The service principal and secret are used to authenticate to the SIEM API. To generate TAP Service Credentials please follow the following steps. +1. Log in to the [_TAP dashboard_](https://threatinsight.proofpoint.com). +2. Navigate to **Settings > Connected Applications**. +3. Click **Create New Credential**. +4. Name the new credential set and click **Generate**. +5. Copy the **Service Principal** and **Secret** and save them for later use. +For the more information on generating TAP credentials please follow the steps mentioned in the link [_Generate TAP Service Credentials_](https://ptr-docs.proofpoint.com/ptr-guides/integrations-files/ptr-tap/#generate-tap-service-credentials). + + +## Logs + +### Clicks Blocked + +This is the `clicks_blocked` dataset. + +An example event for `clicks_blocked` looks as following: + +```json +{ + "@timestamp": "2022-03-30T10:11:12.000Z", + "agent": { + "ephemeral_id": "cd4a05a0-d8d5-4b88-b709-b525da6dd43e", + "hostname": "docker-fleet-agent", + "id": "3dc09e3a-0004-444b-a301-8c632b17172b", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "data_stream": { + "dataset": "proofpoint_tap.clicks_blocked", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.112" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "3dc09e3a-0004-444b-a301-8c632b17172b", + "snapshot": false, + "version": "7.17.0" + }, 
+ "email": { + "from": { + "address": "abc123@example.com" + }, + "message_id": "12345678912345.12345.mail@example.com", + "to": { + "address": "9c52aa64228824247c48df69b066e5a7@example.com" + } + }, + "event": { + "agent_id_status": "verified", + "category": [ + "email" + ], + "created": "2022-05-09T09:38:11.168Z", + "dataset": "proofpoint_tap.clicks_blocked", + "id": "a5c9f8bb-1234-1234-1234-dx9xxx2xx9xxx", + "ingested": "2022-05-09T09:38:14Z", + "kind": "event", + "original": "{\"GUID\":\"ZcxxxxVxyxFxyxLxxxDxVxx4xxxxx\",\"campaignId\":\"46x01x8x-x899-404x-xxx9-111xx393d1x7\",\"classification\":\"malware\",\"clickIP\":\"89.160.20.112\",\"clickTime\":\"2022-03-30T10:11:12.000Z\",\"id\":\"a5c9f8bb-1234-1234-1234-dx9xxx2xx9xxx\",\"messageID\":\"12345678912345.12345.mail@example.com\",\"recipient\":\"9c52aa64228824247c48df69b066e5a7@example.com\",\"sender\":\"abc123@example.com\",\"senderIP\":\"81.2.69.143\",\"threatID\":\"502b7xxxx0x5x1x3xb6xcxexbxxxxxxxcxxexc6xbxxxxxxdx7fxcx6x9xxxx9xdxxxxxxxx5f\",\"threatStatus\":\"active\",\"threatTime\":\"2022-03-21T14:40:31.000Z\",\"threatURL\":\"https://threatinsight.proofpoint.com/a2abc123-1234-1234-1234-babcded1234/threat/email/502xxxxxxxxxcebxxxxxxxxxxa04277xxxxx5dxc6xxxxxxxxx5f\",\"url\":\"https://www.example.com/abcdabcd123?query=0\",\"userAgent\":\"Mozilla/5.0 (iPhone; CPU iPhone OS 14_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) GSA/199.0.427504638 Mobile/15E148 Safari/604.1\"}", + "type": [ + "denied" + ] + }, + "input": { + "type": "httpjson" + }, + "proofpoint_tap": { + "clicks_blocked": { + "campaign_id": "46x01x8x-x899-404x-xxx9-111xx393d1x7", + "classification": "malware", + "threat": { + "id": "502b7xxxx0x5x1x3xb6xcxexbxxxxxxxcxxexc6xbxxxxxxdx7fxcx6x9xxxx9xdxxxxxxxx5f", + "status": "active", + "time": "2022-03-21T14:40:31.000Z", + "url": "https://threatinsight.proofpoint.com/a2abc123-1234-1234-1234-babcded1234/threat/email/502xxxxxxxxxcebxxxxxxxxxxa04277xxxxx5dxc6xxxxxxxxx5f" + } + }, + "guid": 
"ZcxxxxVxyxFxyxLxxxDxVxx4xxxxx" + }, + "related": { + "ip": [ + "81.2.69.143", + "89.160.20.112" + ] + }, + "source": { + "ip": "81.2.69.143" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "proofpoint_tap-clicks_blocked" + ], + "url": { + "domain": "www.example.com", + "full": "https://www.example.com/abcdabcd123?query=0", + "path": "/abcdabcd123", + "query": "query=0", + "scheme": "https" + }, + "user_agent": { + "device": { + "name": "iPhone" + }, + "name": "Google", + "original": "Mozilla/5.0 (iPhone; CPU iPhone OS 14_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) GSA/199.0.427504638 Mobile/15E148 Safari/604.1", + "os": { + "full": "iOS 14.6", + "name": "iOS", + "version": "14.6" + }, + "version": "199.0.427504638" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container ID. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. 
| constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | +| destination.geo.city_name | City name. | keyword | +| destination.geo.continent_name | Name of the continent. | keyword | +| destination.geo.country_iso_code | Country ISO code. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.geo.region_iso_code | Region ISO code. | keyword | +| destination.geo.region_name | Region name. | keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| email.from.address | The email address of the sender, typically from the RFC 5322 `From:` header field. | keyword | +| email.message_id | Identifier from the RFC 5322 `Message-ID:` email header that refers to a particular email message. | wildcard | +| email.to.address | The email address of recipient | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. 
This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset. | constant_keyword | +| event.id | Unique ID to describe the event. | keyword | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module. | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. 
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host IP addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. 
| text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.offset | Log offset | long | +| proofpoint_tap.clicks_blocked.campaign_id | An identifier for the campaign of which the threat is a member, if available at the time of the query. Threats can be linked to campaigns even after these events are retrieved. | keyword | +| proofpoint_tap.clicks_blocked.classification | The threat category of the malicious URL. | keyword | +| proofpoint_tap.clicks_blocked.sender_ip | The IP address of the sender. | ip | +| proofpoint_tap.clicks_blocked.threat.id | The unique identifier associated with this threat. It can be used to query the forensics and campaign endpoints. | keyword | +| proofpoint_tap.clicks_blocked.threat.status | The current state of the threat. | keyword | +| proofpoint_tap.clicks_blocked.threat.time | Proofpoint identified the URL as a threat at this time. | date | +| proofpoint_tap.clicks_blocked.threat.url | A link to the entry on the TAP Dashboard for the particular threat. | keyword | +| proofpoint_tap.guid | The ID of the message within PPS. It can be used to identify the message in PPS and is guaranteed to be unique. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| tags | List of keywords used to tag each event. | keyword | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. 
If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword | +| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | +| url.full.text | Multi-field of `url.full`. | match_only_text | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| url.original.text | Multi-field of `url.original`. | match_only_text | +| url.password | Password of the request. | keyword | +| url.path | Path of the request, such as "/search". | wildcard | +| url.port | Port of the request, such as 443. | long | +| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | +| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. 
| keyword | +| url.username | Username of the request. | keyword | +| user_agent.device.name | Name of the device. | keyword | +| user_agent.name | Name of the user agent. | keyword | +| user_agent.original | Unparsed user_agent string. | keyword | +| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | +| user_agent.os.full | Operating system name, including the version or code name. | keyword | +| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | +| user_agent.os.name | Operating system name, without the version. | keyword | +| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | +| user_agent.os.version | Operating system version as a raw string. | keyword | +| user_agent.version | Version of the user agent. | keyword | + + +### Clicks Permitted + +This is the `clicks_permitted` dataset. + +An example event for `clicks_permitted` looks as following: + +```json +{ + "@timestamp": "2022-03-21T20:39:37.000Z", + "agent": { + "ephemeral_id": "85f7f8f1-c9f4-4d3f-bd2f-c6f4e6c31526", + "hostname": "docker-fleet-agent", + "id": "3dc09e3a-0004-444b-a301-8c632b17172b", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "data_stream": { + "dataset": "proofpoint_tap.clicks_permitted", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.112" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "3dc09e3a-0004-444b-a301-8c632b17172b", + "snapshot": false, + "version": "7.17.0" + }, + "email": { + "from": { + "address": "abc123@example.com" + }, + "message_id": 
"12345678912345.12345.mail@example.com", + "to": { + "address": "abc@example.com" + } + }, + "event": { + "agent_id_status": "verified", + "category": [ + "email" + ], + "created": "2022-05-09T09:39:34.061Z", + "dataset": "proofpoint_tap.clicks_permitted", + "id": "de7eef56-1234-1234-1234-5xxfx7xxxdxxxx", + "ingested": "2022-05-09T09:39:37Z", + "kind": "event", + "original": "{\"GUID\":\"cTxxxxxxzx7xxxxxxxxxx8x4xwxx\",\"campaignId\":\"46x01x8x-x899-404x-xxx9-111xx393d1x7\",\"classification\":\"phish\",\"clickIP\":\"89.160.20.112\",\"clickTime\":\"2022-03-21T20:39:37.000Z\",\"id\":\"de7eef56-1234-1234-1234-5xxfx7xxxdxxxx\",\"messageID\":\"12345678912345.12345.mail@example.com\",\"recipient\":\"abc@example.com\",\"sender\":\"abc123@example.com\",\"senderIP\":\"81.2.69.143\",\"threatID\":\"92c17aaxxxxxxxxxx07xx7xxxx9xexcx3x3xxxxxx8xx3xxxx\",\"threatStatus\":\"active\",\"threatTime\":\"2022-03-30T10:05:57.000Z\",\"threatURL\":\"https://threatinsight.proofpoint.com/a2abc123-1234-1234-1234-babcded1234/threat/email/92c17aaxxxxxxxxxx07xx7xxxx9xexcx3x3xxxxxx8xx3xxxx\",\"url\":\"https://example.com/collab/?id=x4x3x6xsx1xxxx8xEdxexnxxxaxX\",\"userAgent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36 Edg/99.0.1150.46\"}", + "type": [ + "allowed" + ] + }, + "input": { + "type": "httpjson" + }, + "proofpoint_tap": { + "clicks_permitted": { + "campaign_id": "46x01x8x-x899-404x-xxx9-111xx393d1x7", + "classification": "phish", + "threat": { + "id": "92c17aaxxxxxxxxxx07xx7xxxx9xexcx3x3xxxxxx8xx3xxxx", + "status": "active", + "time": "2022-03-30T10:05:57.000Z", + "url": "https://threatinsight.proofpoint.com/a2abc123-1234-1234-1234-babcded1234/threat/email/92c17aaxxxxxxxxxx07xx7xxxx9xexcx3x3xxxxxx8xx3xxxx" + } + }, + "guid": "cTxxxxxxzx7xxxxxxxxxx8x4xwxx" + }, + "related": { + "ip": [ + "81.2.69.143", + "89.160.20.112" + ] + }, + "source": { + "ip": "81.2.69.143" + }, + "tags": [ + "preserve_original_event", + 
"forwarded", + "proofpoint_tap-clicks_permitted" + ], + "url": { + "domain": "example.com", + "full": "https://example.com/collab/?id=x4x3x6xsx1xxxx8xEdxexnxxxaxX", + "path": "/collab/", + "query": "id=x4x3x6xsx1xxxx8xEdxexnxxxaxX", + "scheme": "https" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Edge", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36 Edg/99.0.1150.46", + "os": { + "full": "Windows 10", + "name": "Windows", + "version": "10" + }, + "version": "99.0.1150.46" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container ID. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. 
| constant_keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | +| destination.geo.city_name | City name. | keyword | +| destination.geo.continent_name | Name of the continent. | keyword | +| destination.geo.country_iso_code | Country ISO code. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.geo.region_iso_code | Region ISO code. | keyword | +| destination.geo.region_name | Region name. | keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| email.from.address | The email address of the sender, typically from the RFC 5322 `From:` header field. | keyword | +| email.message_id | Identifier from the RFC 5322 `Message-ID:` email header that refers to a particular email message. | wildcard | +| email.to.address | The email address of recipient | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. 
| keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset. | constant_keyword | +| event.id | Unique ID to describe the event. | keyword | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module. | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host IP addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. 
If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.offset | Log offset | long | +| proofpoint_tap.clicks_permitted.campaign_id | An identifier for the campaign of which the threat is a member, if available at the time of the query. Threats can be linked to campaigns even after these events are retrieved. | keyword | +| proofpoint_tap.clicks_permitted.classification | The threat category of the malicious URL. | keyword | +| proofpoint_tap.clicks_permitted.sender_ip | The IP address of the sender. | ip | +| proofpoint_tap.clicks_permitted.threat.id | The unique identifier associated with this threat. It can be used to query the forensics and campaign endpoints. | keyword | +| proofpoint_tap.clicks_permitted.threat.status | The current state of the threat. | keyword | +| proofpoint_tap.clicks_permitted.threat.time | Proofpoint identified the URL as a threat at this time. | date | +| proofpoint_tap.clicks_permitted.threat.url | A link to the entry on the TAP Dashboard for the particular threat. | keyword | +| proofpoint_tap.guid | The ID of the message within PPS. It can be used to identify the message in PPS and is guaranteed to be unique. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| tags | List of keywords used to tag each event. | keyword | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| url.extension | The field contains the file extension from the original request url, excluding the leading dot. 
The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword | +| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | +| url.full.text | Multi-field of `url.full`. | match_only_text | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| url.original.text | Multi-field of `url.original`. | match_only_text | +| url.password | Password of the request. | keyword | +| url.path | Path of the request, such as "/search". | wildcard | +| url.port | Port of the request, such as 443. | long | +| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | +| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | +| url.username | Username of the request. | keyword | +| user_agent.device.name | Name of the device. | keyword | +| user_agent.name | Name of the user agent. | keyword | +| user_agent.original | Unparsed user_agent string. | keyword | +| user_agent.original.text | Multi-field of `user_agent.original`. 
| match_only_text | +| user_agent.os.full | Operating system name, including the version or code name. | keyword | +| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | +| user_agent.os.name | Operating system name, without the version. | keyword | +| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | +| user_agent.os.version | Operating system version as a raw string. | keyword | +| user_agent.version | Version of the user agent. | keyword | + + +### Message Blocked + +This is the `message_blocked` dataset. + +An example event for `message_blocked` looks as following: + +```json +{ + "@timestamp": "2022-05-09T09:41:02.164Z", + "agent": { + "ephemeral_id": "dfa889d8-af83-426a-b8dc-483740f73385", + "hostname": "docker-fleet-agent", + "id": "3dc09e3a-0004-444b-a301-8c632b17172b", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "data_stream": { + "dataset": "proofpoint_tap.message_blocked", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "3dc09e3a-0004-444b-a301-8c632b17172b", + "snapshot": false, + "version": "7.17.0" + }, + "email": { + "attachments": [ + { + "file": { + "hash": { + "md5": "b10a8db164e0754105b7a99be72e3fe5", + "sha256": "a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e" + }, + "mime_type": "text/plain", + "name": "text.txt" + } + }, + { + "file": { + "hash": { + "md5": "b10a8db164e0754105b7a99be72e3fe5", + "sha256": "a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e" + }, + "mime_type": "application/pdf", + "name": "text.pdf" + } + } + ], + "cc": { + "address": [ + "abc@example.com" + ] + }, + "delivery_timestamp": "2021-11-25T09:10:00.050Z", + "from": { + "address": "abc@example.com" + }, + "message_id": "12345678912345.12345.mail@example.com", + "sender": { + "address": "x99x7x5580193x6x51x597xx2x0210@example.com" + }, + "subject": "Please find a totally safe 
invoice attached.", + "to": { + "address": [ + "example.abc@example.com", + "hey.hello@example.com" + ] + }, + "x_mailer": "Spambot v2.5" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "email" + ], + "created": "2022-05-09T09:41:02.164Z", + "dataset": "proofpoint_tap.message_blocked", + "ingested": "2022-05-09T09:41:05Z", + "kind": "event", + "original": "{\"GUID\":\"x11xxxx1-12f9-111x-x12x-1x1x123456xx\",\"QID\":\"x2XXxXXX111111\",\"ccAddresses\":[\"abc@example.com\"],\"clusterId\":\"pharmtech_hosted\",\"completelyRewritten\":\"true\",\"fromAddress\":\"abc@example.com\",\"headerCC\":\"\\\"Example Abc\\\" \\u003cabc@example.com\\u003e\",\"headerFrom\":\"\\\"A. Bc\\\" \\u003cabc@example.com\\u003e\",\"headerReplyTo\":null,\"headerTo\":\"\\\"Aa Bb\\\" \\u003caa.bb@example.com\\u003e; \\\"Hey Hello\\\" \\u003chey.hello@example.com\\u003e\",\"impostorScore\":0,\"malwareScore\":100,\"messageID\":\"12345678912345.12345.mail@example.com\",\"messageParts\":[{\"contentType\":\"text/plain\",\"disposition\":\"inline\",\"filename\":\"text.txt\",\"md5\":\"b10a8db164e0754105b7a99be72e3fe5\",\"oContentType\":\"text/plain\",\"sandboxStatus\":\"unsupported\",\"sha256\":\"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e\"},{\"contentType\":\"application/pdf\",\"disposition\":\"attached\",\"filename\":\"text.pdf\",\"md5\":\"b10a8db164e0754105b7a99be72e3fe5\",\"oContentType\":\"application/pdf\",\"sandboxStatus\":\"threat\",\"sha256\":\"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e\"}],\"messageTime\":\"2021-11-25T09:10:00.050Z\",\"modulesRun\":[\"pdr\",\"sandbox\",\"spam\",\"urldefense\"],\"phishScore\":46,\"policyRoutes\":[\"default_inbound\",\"executives\"],\"quarantineFolder\":\"Attachment 
Defense\",\"quarantineRule\":\"module.sandbox.threat\",\"recipient\":[\"example.abc@example.com\",\"hey.hello@example.com\"],\"replyToAddress\":null,\"sender\":\"x99x7x5580193x6x51x597xx2x0210@example.com\",\"senderIP\":\"175.16.199.1\",\"spamScore\":4,\"subject\":\"Please find a totally safe invoice attached.\",\"threatsInfoMap\":[{\"campaignId\":\"46x01x8x-x899-404x-xxx9-111xx393d1x7\",\"classification\":\"MALWARE\",\"threat\":\"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e\",\"threatId\":\"2xxx740f143fc1aa4c1cd0146d334x5593b1428x6x062b2c406e5efe8xxx95xx\",\"threatStatus\":\"active\",\"threatTime\":\"2021-11-25T09:10:00.050Z\",\"threatType\":\"ATTACHMENT\",\"threatUrl\":\"https://www.example.com/?name=john\"},{\"campaignId\":\"46x01x8x-x899-404x-xxx9-111xx393d1x7\",\"classification\":\"MALWARE\",\"threat\":\"example.com\",\"threatId\":\"3xx97xx852c66a7xx761450xxxxxx9f4ffab74715b591294f78b5e37a76481xx\",\"threatTime\":\"2021-07-20T05:00:00.050Z\",\"threatType\":\"URL\",\"threatUrl\":\"https://www.example.com/?name=john\"}],\"toAddresses\":[\"example.abc@example.com\",\"hey.hello@example.com\"],\"xmailer\":\"Spambot v2.5\"}", + "type": [ + "denied" + ] + }, + "input": { + "type": "httpjson" + }, + "proofpoint_tap": { + "guid": "x11xxxx1-12f9-111x-x12x-1x1x123456xx", + "message_blocked": { + "completely_rewritten": "true", + "header": { + "cc": "\"Example Abc\" \u003cabc@example.com\u003e", + "from": "\"A. 
Bc\" abc@example.com", + "to": "\"Aa Bb\" \u003caa.bb@example.com\u003e; \"Hey Hello\" \u003chey.hello@example.com\u003e" + }, + "impostor_score": 0, + "malware_score": 100, + "message_parts": [ + { + "disposition": "inline", + "o_content_type": "text/plain", + "sandbox_status": "unsupported" + }, + { + "disposition": "attached", + "o_content_type": "application/pdf", + "sandbox_status": "threat" + } + ], + "modules_run": [ + "pdr", + "sandbox", + "spam", + "urldefense" + ], + "phish_score": 46, + "policy_routes": [ + "default_inbound", + "executives" + ], + "qid": "x2XXxXXX111111", + "quarantine": { + "folder": "Attachment Defense", + "rule": "module.sandbox.threat" + }, + "recipient": [ + "example.abc@example.com", + "hey.hello@example.com" + ], + "spam_score": 4, + "threat_info_map": [ + { + "campaign_id": "46x01x8x-x899-404x-xxx9-111xx393d1x7", + "classification": "MALWARE", + "threat": { + "artifact": "a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e", + "status": "active", + "time": "2021-11-25T09:10:00.050Z", + "type": "ATTACHMENT", + "url": "https://www.example.com/?name=john" + }, + "threatId": "2xxx740f143fc1aa4c1cd0146d334x5593b1428x6x062b2c406e5efe8xxx95xx" + }, + { + "campaign_id": "46x01x8x-x899-404x-xxx9-111xx393d1x7", + "classification": "MALWARE", + "threat": { + "artifact": "example.com", + "time": "2021-07-20T05:00:00.050Z", + "type": "URL", + "url": "https://www.example.com/?name=john" + }, + "threatId": "3xx97xx852c66a7xx761450xxxxxx9f4ffab74715b591294f78b5e37a76481xx" + } + ], + "to_addresses": [ + "example.abc@example.com", + "hey.hello@example.com" + ] + } + }, + "related": { + "hash": [ + "b10a8db164e0754105b7a99be72e3fe5", + "a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e" + ], + "ip": [ + "175.16.199.1" + ] + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + 
"region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "proofpoint_tap-message_blocked" + ] +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container ID. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| email.attachments | A list of objects describing the attachment files sent along with an email message. 
| nested | +| email.attachments.file.hash.md5 | MD5 hash. | keyword | +| email.attachments.file.hash.sha256 | SHA256 hash. | keyword | +| email.attachments.file.name | Name of the attachment file including the file extension. | keyword | +| email.cc.address | The email address of CC recipient | keyword | +| email.content_type | Information about how the message is to be displayed. Typically a MIME type. | keyword | +| email.delivery_timestamp | The date and time when the email message was received by the service or client. | date | +| email.from.address | The email address of the sender, typically from the RFC 5322 `From:` header field. | keyword | +| email.message_id | Identifier from the RFC 5322 `Message-ID:` email header that refers to a particular email message. | wildcard | +| email.reply_to.address | The address that replies should be delivered to based on the value in the RFC 5322 `Reply-To:` header. | keyword | +| email.sender.address | Per RFC 5322, specifies the address responsible for the actual transmission of the message. | keyword | +| email.subject | A brief summary of the topic of the message. | keyword | +| email.subject.text | Multi-field of `email.subject`. | match_only_text | +| email.to.address | The email address of recipient | keyword | +| email.x_mailer | The name of the application that was used to draft and send the original email message. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. 
| keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset. | constant_keyword | +| event.id | Unique ID to describe the event. | keyword | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module. | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host IP addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. 
If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.offset | Log offset | long | +| proofpoint_tap.guid | The ID of the message within PPS. It can be used to identify the message in PPS and is guaranteed to be unique. | keyword | +| proofpoint_tap.message_blocked.cluster | The name of the PPS cluster which processed the message. | keyword | +| proofpoint_tap.message_blocked.completely_rewritten | The rewrite status of the message. If value is 'true', all instances of URL threats within the message were successfully rewritten. If the value is 'false', at least one instance of the a threat URL was not rewritten. If the value is 'na', the message did not contain any URL-based threats. | keyword | +| proofpoint_tap.message_blocked.header.cc | | keyword | +| proofpoint_tap.message_blocked.header.from | The full content of the 
From: header, including any friendly name. | keyword | +| proofpoint_tap.message_blocked.header.replyto | If present, the full content of the Reply-To: header, including any friendly names. | keyword | +| proofpoint_tap.message_blocked.header.to | | keyword | +| proofpoint_tap.message_blocked.impostor_score | The impostor score of the message. Higher scores indicate higher certainty. | double | +| proofpoint_tap.message_blocked.malware_score | The malware score of the message. Higher scores indicate higher certainty. | long | +| proofpoint_tap.message_blocked.message_parts.disposition | If the value is "inline," the messagePart is a message body. If the value is "attached," the messagePart is an attachment. | keyword | +| proofpoint_tap.message_blocked.message_parts.o_content_type | The declared Content-Type of the messagePart. | keyword | +| proofpoint_tap.message_blocked.message_parts.sandbox_status | The verdict returned by the sandbox during the scanning process. If the value is "unsupported", the messagePart is not supported by Attachment Defense and was not scanned. If the value is "clean", the sandbox returned a clean verdict. If the value is "threat", the sandbox returned a malicious verdict. If the value is "prefilter", the messagePart contained no active content, and was therefore not sent to the sandboxing service. If the value is "uploaded," the message was uploaded by PPS to the sandboxing service, but did not yet have a verdict at the time the message was processed. If the value is "inprogress," the attachment had been uploaded and was awaiting scanning at the time the message was processed. If the verdict is "uploaddisabled," the attachment was eligible for scanning, but was not uploaded because of PPS policy. | keyword | +| proofpoint_tap.message_blocked.message_size | The size in bytes of the message, including headers and attachments. | long | +| proofpoint_tap.message_blocked.modules_run | The list of PPS modules which processed the message. 
| keyword | +| proofpoint_tap.message_blocked.phish_score | The phish score of the message. Higher scores indicate higher certainty. | long | +| proofpoint_tap.message_blocked.policy_routes | The policy routes that the message matched during processing by PPS. | keyword | +| proofpoint_tap.message_blocked.qid | The queue ID of the message within PPS. It can be used to identify the message in PPS and is not unique. | keyword | +| proofpoint_tap.message_blocked.quarantine.folder | The name of the folder which contains the quarantined message. This appears only for messagesBlocked. | keyword | +| proofpoint_tap.message_blocked.quarantine.rule | The name of the rule which quarantined the message. This appears only for messagesBlocked events. | keyword | +| proofpoint_tap.message_blocked.recipient | An array containing the email addresses of the SMTP (envelope) recipients. | keyword | +| proofpoint_tap.message_blocked.spam_score | The spam score of the message. Higher scores indicate higher certainty. | long | +| proofpoint_tap.message_blocked.threat_info_map.campaign_id | An identifier for the campaign of which the threat is a member, if available at the time of the query. Threats can be linked to campaigns even after these events are retrieved. | keyword | +| proofpoint_tap.message_blocked.threat_info_map.classification | The category of threat found in the message. | keyword | +| proofpoint_tap.message_blocked.threat_info_map.threat.artifact | The artifact which was condemned by Proofpoint. The malicious URL, hash of the attachment threat, or email address of the impostor sender. | keyword | +| proofpoint_tap.message_blocked.threat_info_map.threat.id | The unique identifier associated with this threat. It can be used to query the forensics and campaign endpoints. | keyword | +| proofpoint_tap.message_blocked.threat_info_map.threat.status | The current state of the threat. 
| keyword | +| proofpoint_tap.message_blocked.threat_info_map.threat.time | Proofpoint assigned the threatStatus at this time. | date | +| proofpoint_tap.message_blocked.threat_info_map.threat.type | Whether the threat was an attachment, URL, or message type. | keyword | +| proofpoint_tap.message_blocked.threat_info_map.threat.url | A link to the entry about the threat on the TAP Dashboard. | keyword | +| proofpoint_tap.message_blocked.to_addresses | A list of email addresses contained within the To: header, excluding friendly names. | keyword | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| tags | List of keywords used to tag each event. | keyword | + + +### Message Delivered + +This is the `message_delivered` dataset. 
+ +An example event for `message_delivered` looks as following: + +```json +{ + "@timestamp": "2022-05-09T09:42:31.705Z", + "agent": { + "ephemeral_id": "59bb449e-3552-4dfb-a4a4-a6928d75b8fa", + "hostname": "docker-fleet-agent", + "id": "3dc09e3a-0004-444b-a301-8c632b17172b", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "data_stream": { + "dataset": "proofpoint_tap.message_delivered", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "3dc09e3a-0004-444b-a301-8c632b17172b", + "snapshot": false, + "version": "7.17.0" + }, + "email": { + "delivery_timestamp": "2022-01-01T00:00:00.000Z", + "to": { + "address": [ + "fxxxxhxsxxvxbcx2xx5xxx6x3xx26@example.com" + ] + } + }, + "event": { + "agent_id_status": "verified", + "category": [ + "email" + ], + "created": "2022-05-09T09:42:31.705Z", + "dataset": "proofpoint_tap.message_delivered", + "id": "2hsvbU-i8abc123-12345-xxxxx12", + "ingested": "2022-05-09T09:42:35Z", + "kind": "event", + "original": 
"{\"GUID\":\"NxxxsxvxbxUxixcx2xxxxx5x6xWxBxOxxxxxjxx\",\"QID\":null,\"ccAddresses\":null,\"cluster\":\"pharmtech_hosted\",\"completelyRewritten\":true,\"fromAddress\":null,\"headerFrom\":null,\"headerReplyTo\":null,\"id\":\"2hsvbU-i8abc123-12345-xxxxx12\",\"impostorScore\":0,\"malwareScore\":0,\"messageID\":\"\",\"messageParts\":null,\"messageSize\":0,\"messageTime\":\"2022-01-01T00:00:00.000Z\",\"modulesRun\":null,\"phishScore\":0,\"policyRoutes\":null,\"quarantineFolder\":null,\"quarantineRule\":null,\"recipient\":[\"fxxxxhxsxxvxbcx2xx5xxx6x3xx26@example.com\"],\"replyToAddress\":null,\"sender\":\"\",\"senderIP\":\"89.160.20.112\",\"spamScore\":0,\"subject\":null,\"threatsInfoMap\":[{\"campaignID\":null,\"classification\":\"spam\",\"threat\":\"http://zbcd123456x0.example.com\",\"threatID\":\"b7exxxxxxxx0d10xxxxxxe2xxxxxxxxxxxx81cxxxxxx034ac9cxxxxxxxxxxxxb\",\"threatStatus\":\"active\",\"threatTime\":\"2021-11-25T13:02:58.640Z\",\"threatType\":\"url\",\"threatUrl\":\"https://threatinsight.proofpoint.com/aaabcdef-1234-b1abcdefghe/threat/email/b7exxxxxxxx0d10xxxxxxe2xxxxxxxxxxxx81cxxxxxx034ac9cxxxxxxxxxxxxb\"},{\"campaignID\":null,\"classification\":\"phish\",\"threat\":\"http://zbcd123456x0.example.com\",\"threatID\":\"aaabcdefg123456f009971a9c193abcdefg123456bf5abcdefg1234566\",\"threatStatus\":\"active\",\"threatTime\":\"2021-07-19T10:28:15.100Z\",\"threatType\":\"url\",\"threatUrl\":\"https://threatinsight.proofpoint.com/aaabcdef-1234-b1abcdefghe/threat/email/b7exxxxxxxx0d10xxxxxxe2xxxxxxxxxxxx81cxxxxxx034ac9cxxxxxxxxxxxxb\"}],\"toAddresses\":null,\"xmailer\":null}", + "type": [ + "info" + ] + }, + "input": { + "type": "httpjson" + }, + "proofpoint_tap": { + "guid": "NxxxsxvxbxUxixcx2xxxxx5x6xWxBxOxxxxxjxx", + "message_delivered": { + "cluster": "pharmtech_hosted", + "completely_rewritten": "true", + "impostor_score": 0, + "malware_score": 0, + "message_size": 0, + "phish_score": 0, + "recipient": [ + "fxxxxhxsxxvxbcx2xx5xxx6x3xx26@example.com" + ], + 
"spam_score": 0, + "threat_info_map": [ + { + "classification": "spam", + "threat": { + "artifact": "http://zbcd123456x0.example.com", + "id": "b7exxxxxxxx0d10xxxxxxe2xxxxxxxxxxxx81cxxxxxx034ac9cxxxxxxxxxxxxb", + "status": "active", + "time": "2021-11-25T13:02:58.640Z", + "type": "url", + "url": "https://threatinsight.proofpoint.com/aaabcdef-1234-b1abcdefghe/threat/email/b7exxxxxxxx0d10xxxxxxe2xxxxxxxxxxxx81cxxxxxx034ac9cxxxxxxxxxxxxb" + } + }, + { + "classification": "phish", + "threat": { + "artifact": "http://zbcd123456x0.example.com", + "id": "aaabcdefg123456f009971a9c193abcdefg123456bf5abcdefg1234566", + "status": "active", + "time": "2021-07-19T10:28:15.100Z", + "type": "url", + "url": "https://threatinsight.proofpoint.com/aaabcdef-1234-b1abcdefghe/threat/email/b7exxxxxxxx0d10xxxxxxe2xxxxxxxxxxxx81cxxxxxx034ac9cxxxxxxxxxxxxb" + } + } + ] + } + }, + "related": { + "ip": [ + "89.160.20.112" + ] + }, + "source": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.112" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "proofpoint_tap-message_delivered" + ] +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization ID used to identify different entities in a multi-tenant environment. Examples: AWS account ID, Google Cloud ORG ID, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. 
| keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container ID. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| email.attachments | A list of objects describing the attachment files sent along with an email message. | nested | +| email.attachments.file.hash.md5 | MD5 hash. | keyword | +| email.attachments.file.hash.sha256 | SHA256 hash. | keyword | +| email.attachments.file.name | Name of the attachment file including the file extension. | keyword | +| email.cc.address | The email address of CC recipient | keyword | +| email.content_type | Information about how the message is to be displayed. Typically a MIME type. | keyword | +| email.delivery_timestamp | The date and time when the email message was received by the service or client. | date | +| email.from.address | The email address of the sender, typically from the RFC 5322 `From:` header field. 
| keyword | +| email.message_id | Identifier from the RFC 5322 `Message-ID:` email header that refers to a particular email message. | wildcard | +| email.reply_to.address | The address that replies should be delivered to based on the value in the RFC 5322 `Reply-To:` header. | keyword | +| email.sender.address | Per RFC 5322, specifies the address responsible for the actual transmission of the message. | keyword | +| email.subject | A brief summary of the topic of the message. | keyword | +| email.subject.text | Multi-field of `email.subject`. | match_only_text | +| email.to.address | The email address of recipient | keyword | +| email.x_mailer | The name of the application that was used to draft and send the original email message. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset. | constant_keyword | +| event.id | Unique ID to describe the event. 
| keyword | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module. | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. 
It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host ID. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host IP addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.offset | Log offset | long | +| proofpoint_tap.guid | The ID of the message within PPS. It can be used to identify the message in PPS and is guaranteed to be unique. | keyword | +| proofpoint_tap.message_delivered.cluster | The name of the PPS cluster which processed the message. | keyword | +| proofpoint_tap.message_delivered.completely_rewritten | The rewrite status of the message. If value is 'true', all instances of URL threats within the message were successfully rewritten. If the value is 'false', at least one instance of the a threat URL was not rewritten. 
If the value is 'na', the message did not contain any URL-based threats. | keyword | +| proofpoint_tap.message_delivered.header.from | The full content of the 
From: header, including any friendly name. | keyword | +| proofpoint_tap.message_delivered.header.replyto | If present, the full content of the Reply-To: header, including any friendly names. | keyword | +| proofpoint_tap.message_delivered.impostor_score | The impostor score of the message. Higher scores indicate higher certainty. | double | +| proofpoint_tap.message_delivered.malware_score | The malware score of the message. Higher scores indicate higher certainty. | long | +| proofpoint_tap.message_delivered.message_parts.disposition | If the value is "inline," the messagePart is a message body. If the value is "attached," the messagePart is an attachment. | keyword | +| proofpoint_tap.message_delivered.message_parts.o_content_type | The declared Content-Type of the messagePart. | keyword | +| proofpoint_tap.message_delivered.message_parts.sandbox_status | The verdict returned by the sandbox during the scanning process. If the value is "unsupported", the messagePart is not supported by Attachment Defense and was not scanned. If the value is "clean", the sandbox returned a clean verdict. If the value is "threat", the sandbox returned a malicious verdict. If the value is "prefilter", the messagePart contained no active content, and was therefore not sent to the sandboxing service. If the value is "uploaded," the message was uploaded by PPS to the sandboxing service, but did not yet have a verdict at the time the message was processed. If the value is "inprogress," the attachment had been uploaded and was awaiting scanning at the time the message was processed. If the verdict is "uploaddisabled," the attachment was eligible for scanning, but was not uploaded because of PPS policy. | keyword | +| proofpoint_tap.message_delivered.message_size | The size in bytes of the message, including headers and attachments. | long | +| proofpoint_tap.message_delivered.modules_run | The list of PPS modules which processed the message. 
| keyword | +| proofpoint_tap.message_delivered.phish_score | The phish score of the message. Higher scores indicate higher certainty. | long | +| proofpoint_tap.message_delivered.policy_routes | The policy routes that the message matched during processing by PPS. | keyword | +| proofpoint_tap.message_delivered.qid | The queue ID of the message within PPS. It can be used to identify the message in PPS and is not unique. | keyword | +| proofpoint_tap.message_delivered.quarantine.folder | The name of the folder which contains the quarantined message. This appears only for messagesBlocked. | keyword | +| proofpoint_tap.message_delivered.quarantine.rule | The name of the rule which quarantined the message. This appears only for messagesBlocked events. | keyword | +| proofpoint_tap.message_delivered.recipient | An array containing the email addresses of the SMTP (envelope) recipients. | keyword | +| proofpoint_tap.message_delivered.spam_score | The spam score of the message. Higher scores indicate higher certainty. | long | +| proofpoint_tap.message_delivered.threat_info_map.campaign_id | An identifier for the campaign of which the threat is a member, if available at the time of the query. Threats can be linked to campaigns even after these events are retrieved. | keyword | +| proofpoint_tap.message_delivered.threat_info_map.classification | The category of threat found in the message. | keyword | +| proofpoint_tap.message_delivered.threat_info_map.threat.artifact | The artifact which was condemned by Proofpoint. The malicious URL, hash of the attachment threat, or email address of the impostor sender. | keyword | +| proofpoint_tap.message_delivered.threat_info_map.threat.id | The unique identifier associated with this threat. It can be used to query the forensics and campaign endpoints. | keyword | +| proofpoint_tap.message_delivered.threat_info_map.threat.status | The current state of the threat. 
| keyword | +| proofpoint_tap.message_delivered.threat_info_map.threat.time | Proofpoint assigned the threatStatus at this time. | date | +| proofpoint_tap.message_delivered.threat_info_map.threat.type | Whether the threat was an attachment, URL, or message type. | keyword | +| proofpoint_tap.message_delivered.threat_info_map.threat.url | A link to the entry about the threat on the TAP Dashboard. | keyword | +| proofpoint_tap.message_delivered.to_addresses | A list of email addresses contained within the To: header, excluding friendly names. | keyword | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| tags | List of keywords used to tag each event. | keyword | + diff --git a/packages/proofpoint_tap/img/proofpoint_tap-logo.svg b/packages/proofpoint_tap/img/proofpoint_tap-logo.svg new file mode 100644 index 00000000000..9a147bc4795 --- /dev/null +++ b/packages/proofpoint_tap/img/proofpoint_tap-logo.svg 
@@ -0,0 +1,42 @@ + + + + + + + + + + + + + + + + + + + + + diff --git a/packages/proofpoint_tap/img/proofpoint_tap-screenshot.png b/packages/proofpoint_tap/img/proofpoint_tap-screenshot.png new file mode 100644 index 00000000000..d707ccb1c06 Binary files /dev/null and b/packages/proofpoint_tap/img/proofpoint_tap-screenshot.png differ diff --git a/packages/proofpoint_tap/kibana/dashboard/proofpoint_tap-3ad578f0-b5a6-11ec-a9d0-e94ed15a14b9.json b/packages/proofpoint_tap/kibana/dashboard/proofpoint_tap-3ad578f0-b5a6-11ec-a9d0-e94ed15a14b9.json new file mode 100644 index 00000000000..204d188fde2 --- /dev/null +++ b/packages/proofpoint_tap/kibana/dashboard/proofpoint_tap-3ad578f0-b5a6-11ec-a9d0-e94ed15a14b9.json 
@@ -0,0 +1,741 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"proofpoint_tap.clicks_blocked\"" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 21, + "i": "aa104adb-fbc4-4019-9fda-9f1ca4886d64", + "w": 48, + "x": 0, + "y": 67 + }, + "panelIndex": "aa104adb-fbc4-4019-9fda-9f1ca4886d64", + "panelRefName": "panel_aa104adb-fbc4-4019-9fda-9f1ca4886d64", + "type": "search", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-4ff0e011-970a-4b60-9158-962f4e89fbbe", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "4ff0e011-970a-4b60-9158-962f4e89fbbe": { + "columnOrder": [ + "dc762ac8-6645-45a7-ba44-b3fbd0309338" + ], + "columns": { + "dc762ac8-6645-45a7-ba44-b3fbd0309338": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Clicks", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "dc762ac8-6645-45a7-ba44-b3fbd0309338", + "layerId": "4ff0e011-970a-4b60-9158-962f4e89fbbe", + "layerType": "data" + } + }, + "title": "Count of Clicks [Logs Proofpoint TAP]", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "39f0263c-ab86-416a-8048-83d13edbdbab", + "w": 24, + "x": 0, + "y": 0 + }, + 
"panelIndex": "39f0263c-ab86-416a-8048-83d13edbdbab", + "title": "Count of Clicks [Logs Proofpoint TAP]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-09466534-a461-4fbb-850b-fba8df6b7c37", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "09466534-a461-4fbb-850b-fba8df6b7c37": { + "columnOrder": [ + "caef084e-7dca-43d6-8538-a2806796463e", + "8c76f7ef-0d3f-4558-8835-17fa53443a49", + "8c76f7ef-0d3f-4558-8835-17fa53443a49X0" + ], + "columns": { + "8c76f7ef-0d3f-4558-8835-17fa53443a49": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "formula", + "params": { + "formula": "count()", + "isFormulaBroken": false + }, + "references": [ + "8c76f7ef-0d3f-4558-8835-17fa53443a49X0" + ], + "scale": "ratio" + }, + "8c76f7ef-0d3f-4558-8835-17fa53443a49X0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of count()", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "caef084e-7dca-43d6-8538-a2806796463e": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Classification", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "fallback": true, + "type": "alphabetical" + }, + "orderDirection": "asc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "proofpoint_tap.clicks_blocked.classification" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"proofpoint_tap.clicks_blocked\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + 
"groups": [ + "caef084e-7dca-43d6-8538-a2806796463e" + ], + "layerId": "09466534-a461-4fbb-850b-fba8df6b7c37", + "layerType": "data", + "legendDisplay": "default", + "metric": "8c76f7ef-0d3f-4558-8835-17fa53443a49", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Blocked Clicks by Classification [Logs Proofpoint TAP]", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "d6f150e5-a82f-453c-867a-3c0f40ba826b", + "w": 24, + "x": 24, + "y": 0 + }, + "panelIndex": "d6f150e5-a82f-453c-867a-3c0f40ba826b", + "title": "Distribution of Blocked Clicks by Classification [Logs Proofpoint TAP]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-062ab937-584b-4266-b89a-e0965350fd15", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "062ab937-584b-4266-b89a-e0965350fd15": { + "columnOrder": [ + "b4231a92-a121-4d7b-8975-7deb595868c2", + "e4a9c4a7-4e05-4669-8842-47a87900ad7c" + ], + "columns": { + "b4231a92-a121-4d7b-8975-7deb595868c2": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "URL", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "e4a9c4a7-4e05-4669-8842-47a87900ad7c", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "url.full" + }, + "e4a9c4a7-4e05-4669-8842-47a87900ad7c": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + 
"incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "b4231a92-a121-4d7b-8975-7deb595868c2", + "isTransposed": false + }, + { + "columnId": "e4a9c4a7-4e05-4669-8842-47a87900ad7c", + "isTransposed": false + } + ], + "layerId": "062ab937-584b-4266-b89a-e0965350fd15", + "layerType": "data" + } + }, + "title": "Top 10 Malicious URL [Logs Proofpoint TAP]", + "visualizationType": "lnsDatatable" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "b921de2f-edd5-4539-bb51-c94c5ddf4541", + "w": 24, + "x": 0, + "y": 15 + }, + "panelIndex": "b921de2f-edd5-4539-bb51-c94c5ddf4541", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-ec2f7bac-2077-4709-9d52-3ae3c0a582de", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "ec2f7bac-2077-4709-9d52-3ae3c0a582de": { + "columnOrder": [ + "394062e2-3219-4ff0-b930-7dceb79cb5cd", + "8c5a8f23-a89c-459e-8fdb-07844dc1c19f" + ], + "columns": { + "394062e2-3219-4ff0-b930-7dceb79cb5cd": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Recipient", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "8c5a8f23-a89c-459e-8fdb-07844dc1c19f", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "email.to.address" + }, + "8c5a8f23-a89c-459e-8fdb-07844dc1c19f": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + 
} + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "394062e2-3219-4ff0-b930-7dceb79cb5cd", + "isTransposed": false + }, + { + "columnId": "8c5a8f23-a89c-459e-8fdb-07844dc1c19f", + "isTransposed": false + } + ], + "layerId": "ec2f7bac-2077-4709-9d52-3ae3c0a582de", + "layerType": "data" + } + }, + "title": "Top 10 Recipient [Logs Proofpoint TAP]", + "visualizationType": "lnsDatatable" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "4240bdb9-8306-43fe-8b7a-815e70e28fec", + "w": 24, + "x": 24, + "y": 15 + }, + "panelIndex": "4240bdb9-8306-43fe-8b7a-815e70e28fec", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-f7d425df-4f7d-4e18-993d-b8a10cdffe22", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "f7d425df-4f7d-4e18-993d-b8a10cdffe22": { + "columnOrder": [ + "967f19a8-3944-4a64-a05f-037bcf1f238c", + "ea922d0b-14cf-4625-b038-71d6a627f340" + ], + "columns": { + "967f19a8-3944-4a64-a05f-037bcf1f238c": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Threat Status", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "ea922d0b-14cf-4625-b038-71d6a627f340", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "proofpoint_tap.clicks_blocked.threat.status" + }, + "ea922d0b-14cf-4625-b038-71d6a627f340": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + 
} + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"proofpoint_tap.clicks_blocked\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "967f19a8-3944-4a64-a05f-037bcf1f238c" + ], + "layerId": "f7d425df-4f7d-4e18-993d-b8a10cdffe22", + "layerType": "data", + "legendDisplay": "default", + "metric": "ea922d0b-14cf-4625-b038-71d6a627f340", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Blocked Clicks by Threat Status [Logs Proofpoint TAP]", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "37d32a2d-1d55-4da8-a1f0-4d5ad81c0f89", + "w": 24, + "x": 0, + "y": 30 + }, + "panelIndex": "37d32a2d-1d55-4da8-a1f0-4d5ad81c0f89", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-4080ef48-91f4-4339-a059-fa6a9d0fcce8", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "4080ef48-91f4-4339-a059-fa6a9d0fcce8": { + "columnOrder": [ + "2f67b930-a92f-41ef-96cd-5d9cc5de8d8d", + "366f6367-65c3-4e65-8c28-f41b1ef719cf" + ], + "columns": { + "2f67b930-a92f-41ef-96cd-5d9cc5de8d8d": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "IP", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "366f6367-65c3-4e65-8c28-f41b1ef719cf", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "destination.ip" + }, + "366f6367-65c3-4e65-8c28-f41b1ef719cf": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + 
"operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "2f67b930-a92f-41ef-96cd-5d9cc5de8d8d", + "isTransposed": false + }, + { + "columnId": "366f6367-65c3-4e65-8c28-f41b1ef719cf", + "isTransposed": false + } + ], + "layerId": "4080ef48-91f4-4339-a059-fa6a9d0fcce8", + "layerType": "data" + } + }, + "title": "Top 10 Click IP [Logs Proofpoint TAP]", + "visualizationType": "lnsDatatable" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "3afffe1a-ab24-4a60-bb83-1973840a6b89", + "w": 24, + "x": 24, + "y": 30 + }, + "panelIndex": "3afffe1a-ab24-4a60-bb83-1973840a6b89", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "layerListJSON": "[{\"alpha\":1,\"id\":\"1d744b4f-b6df-4195-bfea-8e64340b7da1\",\"includeInFitToBounds\":true,\"label\":null,\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"isAutoSelect\":true,\"type\":\"EMS_TMS\"},\"style\":{\"type\":\"TILE\"},\"type\":\"VECTOR_TILE\",\"visible\":true},{\"alpha\":0.75,\"id\":\"48984da5-6c09-4c75-86d5-b9c1791d120d\",\"includeInFitToBounds\":true,\"label\":\"Clicks\",\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"applyForceRefresh\":true,\"applyGlobalQuery\":true,\"applyGlobalTime\":true,\"geoField\":\"destination.geo.location\",\"id\":\"35e48033-3f9a-4228-98be-980fff6c70a1\",\"metrics\":[{\"label\":\"Count\",\"type\":\"count\"}],\"requestType\":\"heatmap\",\"resolution\":\"COARSE\",\"type\":\"ES_GEO_GRID\",\"indexPatternId\":\"logs-*\"},\"style\":{\"colorRampName\":\"theclassic\",\"type\":\"HEATMAP\"},\"type\":\"HEATMAP\",\"visible\":true}]", + "mapStateJSON": 
"{\"center\":{\"lat\":19.94277,\"lon\":0},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"refreshConfig\":{\"interval\":0,\"isPaused\":true},\"settings\":{\"autoFitToDataBounds\":false,\"backgroundColor\":\"#ffffff\",\"browserLocation\":{\"zoom\":2},\"disableInteractive\":false,\"disableTooltipControl\":false,\"fixedLocation\":{\"lat\":0,\"lon\":0,\"zoom\":2},\"hideLayerControl\":false,\"hideToolbarOverlay\":false,\"hideViewControl\":false,\"initialLocation\":\"LAST_SAVED_LOCATION\",\"maxZoom\":24,\"minZoom\":0,\"showScaleControl\":false,\"showSpatialFilters\":true,\"showTimesliderToggleButton\":true,\"spatialFiltersAlpa\":0.3,\"spatialFiltersFillColor\":\"#DA8B45\",\"spatialFiltersLineColor\":\"#DA8B45\"},\"timeFilters\":{\"from\":\"now-1y/d\",\"to\":\"now\"},\"zoom\":1.14}", + "references": [ + { + "id": "logs-*", + "name": "layer_1_source_index_pattern", + "type": "index-pattern" + } + ], + "title": "Clicks on URL by Region [Logs Proofpoint TAP]", + "uiStateJSON": "{\"isLayerTOCOpen\":true,\"openTOCDetails\":[]}" + }, + "enhancements": {}, + "hiddenLayers": [], + "isLayerTOCOpen": true, + "mapBuffer": { + "maxLat": 85.05113, + "maxLon": 270, + "minLat": -66.51326, + "minLon": -270 + }, + "mapCenter": { + "lat": 51.78838, + "lon": 18.18583, + "zoom": 1.14 + }, + "openTOCDetails": [] + }, + "gridData": { + "h": 22, + "i": "2e6e0f5d-6968-46c7-9ccf-d0324b2e467f", + "w": 48, + "x": 0, + "y": 45 + }, + "panelIndex": "2e6e0f5d-6968-46c7-9ccf-d0324b2e467f", + "type": "map", + "version": "7.17.0" + } + ], + "refreshInterval": { + "pause": true, + "value": 0 + }, + "timeFrom": "now-24h/h", + "timeRestore": true, + "timeTo": "now", + "title": "[Logs Proofpoint TAP] Blocked Clicks", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "proofpoint_tap-3ad578f0-b5a6-11ec-a9d0-e94ed15a14b9", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "proofpoint_tap-717803c0-b130-11ec-8e58-3fc548a48fe4", + "name": 
"aa104adb-fbc4-4019-9fda-9f1ca4886d64:panel_aa104adb-fbc4-4019-9fda-9f1ca4886d64", + "type": "search" + }, + { + "id": "logs-*", + "name": "39f0263c-ab86-416a-8048-83d13edbdbab:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "39f0263c-ab86-416a-8048-83d13edbdbab:indexpattern-datasource-layer-4ff0e011-970a-4b60-9158-962f4e89fbbe", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d6f150e5-a82f-453c-867a-3c0f40ba826b:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d6f150e5-a82f-453c-867a-3c0f40ba826b:indexpattern-datasource-layer-09466534-a461-4fbb-850b-fba8df6b7c37", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b921de2f-edd5-4539-bb51-c94c5ddf4541:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b921de2f-edd5-4539-bb51-c94c5ddf4541:indexpattern-datasource-layer-062ab937-584b-4266-b89a-e0965350fd15", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4240bdb9-8306-43fe-8b7a-815e70e28fec:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4240bdb9-8306-43fe-8b7a-815e70e28fec:indexpattern-datasource-layer-ec2f7bac-2077-4709-9d52-3ae3c0a582de", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "37d32a2d-1d55-4da8-a1f0-4d5ad81c0f89:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "37d32a2d-1d55-4da8-a1f0-4d5ad81c0f89:indexpattern-datasource-layer-f7d425df-4f7d-4e18-993d-b8a10cdffe22", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3afffe1a-ab24-4a60-bb83-1973840a6b89:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3afffe1a-ab24-4a60-bb83-1973840a6b89:indexpattern-datasource-layer-4080ef48-91f4-4339-a059-fa6a9d0fcce8", + "type": 
"index-pattern" + }, + { + "id": "logs-*", + "name": "2e6e0f5d-6968-46c7-9ccf-d0324b2e467f:layer_1_source_index_pattern", + "type": "index-pattern" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/proofpoint_tap/kibana/dashboard/proofpoint_tap-770903b0-b5aa-11ec-a9d0-e94ed15a14b9.json b/packages/proofpoint_tap/kibana/dashboard/proofpoint_tap-770903b0-b5aa-11ec-a9d0-e94ed15a14b9.json new file mode 100644 index 00000000000..9409beb4eee --- /dev/null +++ b/packages/proofpoint_tap/kibana/dashboard/proofpoint_tap-770903b0-b5aa-11ec-a9d0-e94ed15a14b9.json 
@@ -0,0 +1,721 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"proofpoint_tap.clicks_permitted\"" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 22, + "i": "7fe02808-920c-4356-a052-d449b2e57ed5", + "w": 48, + "x": 0, + "y": 66 + }, + "panelIndex": "7fe02808-920c-4356-a052-d449b2e57ed5", + "panelRefName": "panel_7fe02808-920c-4356-a052-d449b2e57ed5", + "type": "search", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-4ff0e011-970a-4b60-9158-962f4e89fbbe", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "4ff0e011-970a-4b60-9158-962f4e89fbbe": { + "columnOrder": [ + "dc762ac8-6645-45a7-ba44-b3fbd0309338" + ], + "columns": { + "dc762ac8-6645-45a7-ba44-b3fbd0309338": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Clicks", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "dc762ac8-6645-45a7-ba44-b3fbd0309338", + "layerId": "4ff0e011-970a-4b60-9158-962f4e89fbbe", + "layerType": "data" + } + }, + "title": "Count of Clicks [Logs Proofpoint TAP]", + "visualizationType": "lnsMetric" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "2d93f439-bff8-4e48-b469-fca11e18ba81", + "w": 24, + "x": 0, + "y": 0 + }, + "panelIndex": 
"2d93f439-bff8-4e48-b469-fca11e18ba81", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-1c93261b-da1f-4d85-aaaf-3457bdcc6ff4", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "1c93261b-da1f-4d85-aaaf-3457bdcc6ff4": { + "columnOrder": [ + "f13e79eb-00ed-4e68-98b5-b5c927055fec", + "0466e119-38e8-4d0a-a48f-9b2e7a89d213" + ], + "columns": { + "0466e119-38e8-4d0a-a48f-9b2e7a89d213": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "f13e79eb-00ed-4e68-98b5-b5c927055fec": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Classification", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "0466e119-38e8-4d0a-a48f-9b2e7a89d213", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "proofpoint_tap.clicks_permitted.classification" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"proofpoint_tap.clicks_permitted\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "f13e79eb-00ed-4e68-98b5-b5c927055fec" + ], + "layerId": "1c93261b-da1f-4d85-aaaf-3457bdcc6ff4", + "layerType": "data", + "legendDisplay": "default", + "metric": "0466e119-38e8-4d0a-a48f-9b2e7a89d213", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Permitted Clicks by Classification [Logs Proofpoint TAP]", + "visualizationType": 
"lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "05a16b7a-9e32-4398-b547-b44ba5dd1572", + "w": 24, + "x": 24, + "y": 0 + }, + "panelIndex": "05a16b7a-9e32-4398-b547-b44ba5dd1572", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-c4191f86-9c54-4a06-a3dd-842b3ef7c241", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "c4191f86-9c54-4a06-a3dd-842b3ef7c241": { + "columnOrder": [ + "a3e04efb-2f37-464b-a6f2-23c0e19d790d", + "40a5f8c4-9eb3-4dcf-8520-acdb820944df" + ], + "columns": { + "40a5f8c4-9eb3-4dcf-8520-acdb820944df": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "a3e04efb-2f37-464b-a6f2-23c0e19d790d": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Threat Status", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "40a5f8c4-9eb3-4dcf-8520-acdb820944df", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "proofpoint_tap.clicks_permitted.threat.status" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"proofpoint_tap.clicks_permitted\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "a3e04efb-2f37-464b-a6f2-23c0e19d790d" + ], + "layerId": "c4191f86-9c54-4a06-a3dd-842b3ef7c241", + "layerType": "data", + "legendDisplay": "default", + "metric": "40a5f8c4-9eb3-4dcf-8520-acdb820944df", + "nestedLegend": false, + 
"numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Permitted Clicks by Threat Status [Logs Proofpoint TAP]", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "771e46d7-ce5c-4c0d-81b2-841e283abf2c", + "w": 24, + "x": 0, + "y": 15 + }, + "panelIndex": "771e46d7-ce5c-4c0d-81b2-841e283abf2c", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-062ab937-584b-4266-b89a-e0965350fd15", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "062ab937-584b-4266-b89a-e0965350fd15": { + "columnOrder": [ + "b4231a92-a121-4d7b-8975-7deb595868c2", + "e4a9c4a7-4e05-4669-8842-47a87900ad7c" + ], + "columns": { + "b4231a92-a121-4d7b-8975-7deb595868c2": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "URL", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "e4a9c4a7-4e05-4669-8842-47a87900ad7c", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "url.full" + }, + "e4a9c4a7-4e05-4669-8842-47a87900ad7c": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "b4231a92-a121-4d7b-8975-7deb595868c2", + "isTransposed": false + }, + { + "columnId": "e4a9c4a7-4e05-4669-8842-47a87900ad7c", + "isTransposed": false + } + ], + "layerId": 
"062ab937-584b-4266-b89a-e0965350fd15", + "layerType": "data" + } + }, + "title": "Top 10 Malicious URL [Logs Proofpoint TAP]", + "visualizationType": "lnsDatatable" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "08dc3a8e-380f-4998-b83f-2791b6b8a4a5", + "w": 24, + "x": 0, + "y": 30 + }, + "panelIndex": "08dc3a8e-380f-4998-b83f-2791b6b8a4a5", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-ec2f7bac-2077-4709-9d52-3ae3c0a582de", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "ec2f7bac-2077-4709-9d52-3ae3c0a582de": { + "columnOrder": [ + "394062e2-3219-4ff0-b930-7dceb79cb5cd", + "8c5a8f23-a89c-459e-8fdb-07844dc1c19f" + ], + "columns": { + "394062e2-3219-4ff0-b930-7dceb79cb5cd": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Recipient", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "8c5a8f23-a89c-459e-8fdb-07844dc1c19f", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "email.to.address" + }, + "8c5a8f23-a89c-459e-8fdb-07844dc1c19f": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "394062e2-3219-4ff0-b930-7dceb79cb5cd", + "isTransposed": false + }, + { + "columnId": "8c5a8f23-a89c-459e-8fdb-07844dc1c19f", + "isTransposed": false + } + ], + "layerId": 
"ec2f7bac-2077-4709-9d52-3ae3c0a582de", + "layerType": "data" + } + }, + "title": "Top 10 Recipient [Logs Proofpoint TAP]", + "visualizationType": "lnsDatatable" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "85ab74a3-eb94-47f2-9592-6654f540d9d5", + "w": 24, + "x": 24, + "y": 15 + }, + "panelIndex": "85ab74a3-eb94-47f2-9592-6654f540d9d5", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-4080ef48-91f4-4339-a059-fa6a9d0fcce8", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "4080ef48-91f4-4339-a059-fa6a9d0fcce8": { + "columnOrder": [ + "2f67b930-a92f-41ef-96cd-5d9cc5de8d8d", + "366f6367-65c3-4e65-8c28-f41b1ef719cf" + ], + "columns": { + "2f67b930-a92f-41ef-96cd-5d9cc5de8d8d": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "IP", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "366f6367-65c3-4e65-8c28-f41b1ef719cf", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "destination.ip" + }, + "366f6367-65c3-4e65-8c28-f41b1ef719cf": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "2f67b930-a92f-41ef-96cd-5d9cc5de8d8d", + "isTransposed": false + }, + { + "columnId": "366f6367-65c3-4e65-8c28-f41b1ef719cf", + "isTransposed": false + } + ], + "layerId": "4080ef48-91f4-4339-a059-fa6a9d0fcce8", + 
"layerType": "data" + } + }, + "title": "Top 10 Click IP [Logs Proofpoint TAP]", + "visualizationType": "lnsDatatable" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "bae14c77-2488-49e8-87e1-f60be58b1ad9", + "w": 24, + "x": 24, + "y": 30 + }, + "panelIndex": "bae14c77-2488-49e8-87e1-f60be58b1ad9", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "layerListJSON": "[{\"alpha\":1,\"id\":\"1d744b4f-b6df-4195-bfea-8e64340b7da1\",\"includeInFitToBounds\":true,\"label\":null,\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"isAutoSelect\":true,\"type\":\"EMS_TMS\"},\"style\":{\"type\":\"TILE\"},\"type\":\"VECTOR_TILE\",\"visible\":true},{\"alpha\":0.75,\"id\":\"48984da5-6c09-4c75-86d5-b9c1791d120d\",\"includeInFitToBounds\":true,\"label\":\"Clicks\",\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"applyForceRefresh\":true,\"applyGlobalQuery\":true,\"applyGlobalTime\":true,\"geoField\":\"destination.geo.location\",\"id\":\"35e48033-3f9a-4228-98be-980fff6c70a1\",\"metrics\":[{\"label\":\"Count\",\"type\":\"count\"}],\"requestType\":\"heatmap\",\"resolution\":\"COARSE\",\"type\":\"ES_GEO_GRID\",\"indexPatternId\":\"logs-*\"},\"style\":{\"colorRampName\":\"theclassic\",\"type\":\"HEATMAP\"},\"type\":\"HEATMAP\",\"visible\":true}]", + "mapStateJSON": 
"{\"center\":{\"lat\":19.94277,\"lon\":0},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"refreshConfig\":{\"interval\":0,\"isPaused\":true},\"settings\":{\"autoFitToDataBounds\":false,\"backgroundColor\":\"#ffffff\",\"browserLocation\":{\"zoom\":2},\"disableInteractive\":false,\"disableTooltipControl\":false,\"fixedLocation\":{\"lat\":0,\"lon\":0,\"zoom\":2},\"hideLayerControl\":false,\"hideToolbarOverlay\":false,\"hideViewControl\":false,\"initialLocation\":\"LAST_SAVED_LOCATION\",\"maxZoom\":24,\"minZoom\":0,\"showScaleControl\":false,\"showSpatialFilters\":true,\"showTimesliderToggleButton\":true,\"spatialFiltersAlpa\":0.3,\"spatialFiltersFillColor\":\"#DA8B45\",\"spatialFiltersLineColor\":\"#DA8B45\"},\"timeFilters\":{\"from\":\"now-1y/d\",\"to\":\"now\"},\"zoom\":1.14}", + "references": [ + { + "id": "logs-*", + "name": "layer_1_source_index_pattern", + "type": "index-pattern" + } + ], + "title": "Clicks on URL by Region [Logs Proofpoint TAP]", + "uiStateJSON": "{\"isLayerTOCOpen\":true,\"openTOCDetails\":[]}" + }, + "enhancements": {}, + "hiddenLayers": [], + "isLayerTOCOpen": true, + "mapBuffer": { + "maxLat": 66.51326, + "maxLon": 180, + "minLat": -66.51326, + "minLon": -180 + }, + "mapCenter": { + "lat": 19.94277, + "lon": 0, + "zoom": 1.14 + }, + "openTOCDetails": [] + }, + "gridData": { + "h": 21, + "i": "b4c89de9-9f07-4261-8fd5-554b89dbb714", + "w": 48, + "x": 0, + "y": 45 + }, + "panelIndex": "b4c89de9-9f07-4261-8fd5-554b89dbb714", + "type": "map", + "version": "7.17.0" + } + ], + "refreshInterval": { + "pause": true, + "value": 0 + }, + "timeFrom": "now-24h/h", + "timeRestore": true, + "timeTo": "now", + "title": "[Logs Proofpoint TAP] Permitted Clicks", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "proofpoint_tap-770903b0-b5aa-11ec-a9d0-e94ed15a14b9", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "proofpoint_tap-717803c0-b130-11ec-8e58-3fc548a48fe4", + "name": 
"7fe02808-920c-4356-a052-d449b2e57ed5:panel_7fe02808-920c-4356-a052-d449b2e57ed5", + "type": "search" + }, + { + "id": "logs-*", + "name": "2d93f439-bff8-4e48-b469-fca11e18ba81:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "2d93f439-bff8-4e48-b469-fca11e18ba81:indexpattern-datasource-layer-4ff0e011-970a-4b60-9158-962f4e89fbbe", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "05a16b7a-9e32-4398-b547-b44ba5dd1572:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "05a16b7a-9e32-4398-b547-b44ba5dd1572:indexpattern-datasource-layer-1c93261b-da1f-4d85-aaaf-3457bdcc6ff4", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "771e46d7-ce5c-4c0d-81b2-841e283abf2c:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "771e46d7-ce5c-4c0d-81b2-841e283abf2c:indexpattern-datasource-layer-c4191f86-9c54-4a06-a3dd-842b3ef7c241", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "08dc3a8e-380f-4998-b83f-2791b6b8a4a5:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "08dc3a8e-380f-4998-b83f-2791b6b8a4a5:indexpattern-datasource-layer-062ab937-584b-4266-b89a-e0965350fd15", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "85ab74a3-eb94-47f2-9592-6654f540d9d5:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "85ab74a3-eb94-47f2-9592-6654f540d9d5:indexpattern-datasource-layer-ec2f7bac-2077-4709-9d52-3ae3c0a582de", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "bae14c77-2488-49e8-87e1-f60be58b1ad9:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "bae14c77-2488-49e8-87e1-f60be58b1ad9:indexpattern-datasource-layer-4080ef48-91f4-4339-a059-fa6a9d0fcce8", + "type": 
"index-pattern" + }, + { + "id": "logs-*", + "name": "b4c89de9-9f07-4261-8fd5-554b89dbb714:layer_1_source_index_pattern", + "type": "index-pattern" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/proofpoint_tap/kibana/dashboard/proofpoint_tap-9899aae0-b5ad-11ec-a9d0-e94ed15a14b9.json b/packages/proofpoint_tap/kibana/dashboard/proofpoint_tap-9899aae0-b5ad-11ec-a9d0-e94ed15a14b9.json new file mode 100644 index 00000000000..3ca1374264e --- /dev/null +++ b/packages/proofpoint_tap/kibana/dashboard/proofpoint_tap-9899aae0-b5ad-11ec-a9d0-e94ed15a14b9.json 
@@ -0,0 +1,1449 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"proofpoint_tap.message_blocked\"" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 21, + "i": "e5247373-1ae6-403b-89b5-93281d642883", + "w": 48, + "x": 0, + "y": 111 + }, + "panelIndex": "e5247373-1ae6-403b-89b5-93281d642883", + "panelRefName": "panel_e5247373-1ae6-403b-89b5-93281d642883", + "type": "search", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-66e9770d-b676-49a0-b502-b3cf64aae59d", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "66e9770d-b676-49a0-b502-b3cf64aae59d": { + "columnOrder": [ + "7afa9eab-9e68-42c1-a5f8-7891197560e2" + ], + "columns": { + "7afa9eab-9e68-42c1-a5f8-7891197560e2": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Messages", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "7afa9eab-9e68-42c1-a5f8-7891197560e2", + "layerId": "66e9770d-b676-49a0-b502-b3cf64aae59d", + "layerType": "data" + } + }, + "title": "Count of Messages [Logs Proofpoint TAP]", + "visualizationType": "lnsMetric" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "2cfc095d-92da-4512-bf45-21f3a7508129", + "w": 24, + "x": 0, + "y": 0 + }, + "panelIndex": 
"2cfc095d-92da-4512-bf45-21f3a7508129", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-e7630b81-f809-4d49-b269-1788bdbdf649", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "e7630b81-f809-4d49-b269-1788bdbdf649": { + "columnOrder": [ + "8a033b2f-c808-4ae0-b593-862e401fd4d0", + "ba6e6c21-db26-4ce1-9608-ebc8562ee460" + ], + "columns": { + "8a033b2f-c808-4ae0-b593-862e401fd4d0": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "IP", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "ba6e6c21-db26-4ce1-9608-ebc8562ee460", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "source.ip" + }, + "ba6e6c21-db26-4ce1-9608-ebc8562ee460": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "8a033b2f-c808-4ae0-b593-862e401fd4d0", + "isTransposed": false + }, + { + "columnId": "ba6e6c21-db26-4ce1-9608-ebc8562ee460", + "isTransposed": false + } + ], + "layerId": "e7630b81-f809-4d49-b269-1788bdbdf649", + "layerType": "data" + } + }, + "title": "Top 10 Sender IP [Logs Proofpoint TAP]", + "visualizationType": "lnsDatatable" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "efdb9e8c-8541-401c-acc6-767c1a637db4", + "w": 24, + "x": 24, + "y": 0 + }, + "panelIndex": "efdb9e8c-8541-401c-acc6-767c1a637db4", + "type": 
"lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-402e61cc-9dba-466f-9269-27b48dd2e4a1", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "402e61cc-9dba-466f-9269-27b48dd2e4a1": { + "columnOrder": [ + "d1076744-9ca0-4908-a16f-ef349e2cd32a", + "9b3ba2ba-191d-4e9b-bf2c-ebaf2c43e241" + ], + "columns": { + "9b3ba2ba-191d-4e9b-bf2c-ebaf2c43e241": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "d1076744-9ca0-4908-a16f-ef349e2cd32a": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Disposition", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "9b3ba2ba-191d-4e9b-bf2c-ebaf2c43e241", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "proofpoint_tap.message_blocked.message_parts.disposition" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"proofpoint_tap.message_blocked\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "d1076744-9ca0-4908-a16f-ef349e2cd32a" + ], + "layerId": "402e61cc-9dba-466f-9269-27b48dd2e4a1", + "layerType": "data", + "legendDisplay": "default", + "metric": "9b3ba2ba-191d-4e9b-bf2c-ebaf2c43e241", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Blocked Messages by Disposition [Logs Proofpoint TAP]", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + 
"gridData": { + "h": 15, + "i": "637266a0-908f-40ee-aa10-55569e7cbd29", + "w": 24, + "x": 0, + "y": 15 + }, + "panelIndex": "637266a0-908f-40ee-aa10-55569e7cbd29", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-a0987be1-b682-412e-8d46-a4ad00e985c1", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "a0987be1-b682-412e-8d46-a4ad00e985c1": { + "columnOrder": [ + "74697bb2-b72f-4b6e-b651-06f50ef31467", + "87ce1993-56c0-4458-9cb1-ae12af5a629a" + ], + "columns": { + "74697bb2-b72f-4b6e-b651-06f50ef31467": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Rewritten URL", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "87ce1993-56c0-4458-9cb1-ae12af5a629a", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "proofpoint_tap.message_blocked.completely_rewritten" + }, + "87ce1993-56c0-4458-9cb1-ae12af5a629a": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"proofpoint_tap.message_blocked\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "74697bb2-b72f-4b6e-b651-06f50ef31467" + ], + "layerId": "a0987be1-b682-412e-8d46-a4ad00e985c1", + "layerType": "data", + "legendDisplay": "default", + "metric": "87ce1993-56c0-4458-9cb1-ae12af5a629a", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": 
"pie" + } + }, + "title": "Distribution of Blocked Messages by Rewritten URL [Logs Proofpoint TAP]", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "3e565fd9-f29d-41b5-a084-7393d29028d9", + "w": 24, + "x": 24, + "y": 15 + }, + "panelIndex": "3e565fd9-f29d-41b5-a084-7393d29028d9", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-ec2f7bac-2077-4709-9d52-3ae3c0a582de", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "ec2f7bac-2077-4709-9d52-3ae3c0a582de": { + "columnOrder": [ + "394062e2-3219-4ff0-b930-7dceb79cb5cd", + "8c5a8f23-a89c-459e-8fdb-07844dc1c19f" + ], + "columns": { + "394062e2-3219-4ff0-b930-7dceb79cb5cd": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Recipient", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "8c5a8f23-a89c-459e-8fdb-07844dc1c19f", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "email.to.address" + }, + "8c5a8f23-a89c-459e-8fdb-07844dc1c19f": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "394062e2-3219-4ff0-b930-7dceb79cb5cd", + "isTransposed": false + }, + { + "columnId": "8c5a8f23-a89c-459e-8fdb-07844dc1c19f", + "isTransposed": false + } + ], + "layerId": "ec2f7bac-2077-4709-9d52-3ae3c0a582de", + "layerType": "data" 
+ } + }, + "title": "Top 10 Recipient [Logs Proofpoint TAP]", + "visualizationType": "lnsDatatable" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "2371e369-c82c-4443-bbf5-9d2b119fb9e9", + "w": 24, + "x": 0, + "y": 30 + }, + "panelIndex": "2371e369-c82c-4443-bbf5-9d2b119fb9e9", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-e327fec5-d799-4b3f-acfc-32c1ecaac682", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "e327fec5-d799-4b3f-acfc-32c1ecaac682": { + "columnOrder": [ + "f096fb9b-5208-4f47-b5a5-0ad3de754fda", + "8b4a490d-a36c-4a6a-86b0-7dea7d28c2c8" + ], + "columns": { + "8b4a490d-a36c-4a6a-86b0-7dea7d28c2c8": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "f096fb9b-5208-4f47-b5a5-0ad3de754fda": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Classification", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "8b4a490d-a36c-4a6a-86b0-7dea7d28c2c8", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "proofpoint_tap.message_blocked.threat_info_map.classification" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"proofpoint_tap.message_blocked\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "f096fb9b-5208-4f47-b5a5-0ad3de754fda" + ], + "layerId": "e327fec5-d799-4b3f-acfc-32c1ecaac682", + "layerType": "data", + 
"legendDisplay": "default", + "metric": "8b4a490d-a36c-4a6a-86b0-7dea7d28c2c8", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Blocked Messages by Threat Classification [Logs Proofpoint TAP]", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "a3d367ee-91bb-421d-b6fc-27daabd46a54", + "w": 24, + "x": 24, + "y": 30 + }, + "panelIndex": "a3d367ee-91bb-421d-b6fc-27daabd46a54", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-f2e404cb-ffef-4218-a7d7-20a1972f7fe5", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "f2e404cb-ffef-4218-a7d7-20a1972f7fe5": { + "columnOrder": [ + "86527e47-1073-45bd-8f35-657f4d277b62", + "f40e0576-52c6-4c09-8b8e-446699fed30e" + ], + "columns": { + "86527e47-1073-45bd-8f35-657f4d277b62": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Threat Status", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "f40e0576-52c6-4c09-8b8e-446699fed30e", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "proofpoint_tap.message_blocked.threat_info_map.threat.status" + }, + "f40e0576-52c6-4c09-8b8e-446699fed30e": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"proofpoint_tap.message_blocked\"" + }, + "visualization": { + 
"layers": [ + { + "categoryDisplay": "default", + "groups": [ + "86527e47-1073-45bd-8f35-657f4d277b62" + ], + "layerId": "f2e404cb-ffef-4218-a7d7-20a1972f7fe5", + "layerType": "data", + "legendDisplay": "default", + "metric": "f40e0576-52c6-4c09-8b8e-446699fed30e", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Blocked Messages by Threat Status [Logs Proofpoint TAP]", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "3a258b28-29d4-4719-a65e-db1153b954fc", + "w": 24, + "x": 0, + "y": 45 + }, + "panelIndex": "3a258b28-29d4-4719-a65e-db1153b954fc", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-01c9ddee-f668-4ee5-8bb6-98e74d2e1439", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "01c9ddee-f668-4ee5-8bb6-98e74d2e1439": { + "columnOrder": [ + "7d6f8989-f0ce-4a9c-b24e-42c9ad42431d", + "47666138-8fdd-4735-9a26-d5586276afe9" + ], + "columns": { + "47666138-8fdd-4735-9a26-d5586276afe9": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "7d6f8989-f0ce-4a9c-b24e-42c9ad42431d": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Sandbox Status", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "47666138-8fdd-4735-9a26-d5586276afe9", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "proofpoint_tap.message_blocked.message_parts.sandbox_status" + } + }, + 
"incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"proofpoint_tap.message_blocked\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "7d6f8989-f0ce-4a9c-b24e-42c9ad42431d" + ], + "layerId": "01c9ddee-f668-4ee5-8bb6-98e74d2e1439", + "layerType": "data", + "legendDisplay": "default", + "metric": "47666138-8fdd-4735-9a26-d5586276afe9", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Blocked Messages by Sandbox Status [Logs Proofpoint TAP]", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "850608eb-ca33-452f-a129-c4719224c52f", + "w": 24, + "x": 24, + "y": 45 + }, + "panelIndex": "850608eb-ca33-452f-a129-c4719224c52f", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-b71a1c6d-1b9f-4b5f-ad26-7de6a5601691", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "b71a1c6d-1b9f-4b5f-ad26-7de6a5601691": { + "columnOrder": [ + "73dab922-14a4-4c5c-a297-9873a91dad59", + "b12333e5-b88d-4a3e-96bb-467efc2745b5" + ], + "columns": { + "73dab922-14a4-4c5c-a297-9873a91dad59": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Threat Type", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "b12333e5-b88d-4a3e-96bb-467efc2745b5", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "proofpoint_tap.message_blocked.threat_info_map.threat.type" + }, + "b12333e5-b88d-4a3e-96bb-467efc2745b5": { + 
"customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"proofpoint_tap.message_blocked\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "73dab922-14a4-4c5c-a297-9873a91dad59" + ], + "layerId": "b71a1c6d-1b9f-4b5f-ad26-7de6a5601691", + "layerType": "data", + "legendDisplay": "default", + "metric": "b12333e5-b88d-4a3e-96bb-467efc2745b5", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Blocked Messages by Threat Type [Logs Proofpoint TAP]", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "c9517aa1-8122-434d-b93d-719030617688", + "w": 24, + "x": 0, + "y": 60 + }, + "panelIndex": "c9517aa1-8122-434d-b93d-719030617688", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-657c0ea2-d756-4c8e-8638-4a2cf8a00bad", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "657c0ea2-d756-4c8e-8638-4a2cf8a00bad": { + "columnOrder": [ + "4507c7f7-7878-40d4-905f-50360a596573", + "d7959ce0-0861-4dd4-bdb3-42d8578ebd2f" + ], + "columns": { + "4507c7f7-7878-40d4-905f-50360a596573": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Email Mailer", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "d7959ce0-0861-4dd4-bdb3-42d8578ebd2f", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": 
true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "email.x_mailer" + }, + "d7959ce0-0861-4dd4-bdb3-42d8578ebd2f": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "d7959ce0-0861-4dd4-bdb3-42d8578ebd2f" + ], + "layerId": "657c0ea2-d756-4c8e-8638-4a2cf8a00bad", + "layerType": "data", + "seriesType": "bar", + "xAccessor": "4507c7f7-7878-40d4-905f-50360a596573" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "Distribution of Messages by Email X_Mailer [Logs Proofpoint TAP]", + "visualizationType": "lnsXY" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "6b458dd4-988b-44d1-bd30-1bfadd99712b", + "w": 24, + "x": 24, + "y": 60 + }, + "panelIndex": "6b458dd4-988b-44d1-bd30-1bfadd99712b", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-8bc257b1-f278-4281-b618-12892df43c90", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + 
"layers": { + "8bc257b1-f278-4281-b618-12892df43c90": { + "columnOrder": [ + "bd52eba0-e079-4b31-b053-d6d8e519b21d", + "a9cf6093-c996-4557-8819-3d2b273e62b0" + ], + "columns": { + "a9cf6093-c996-4557-8819-3d2b273e62b0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "bd52eba0-e079-4b31-b053-d6d8e519b21d": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Quarantine Folder", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "a9cf6093-c996-4557-8819-3d2b273e62b0", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "proofpoint_tap.message_blocked.quarantine.folder" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"proofpoint_tap.message_blocked\"" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "a9cf6093-c996-4557-8819-3d2b273e62b0" + ], + "layerId": "8bc257b1-f278-4281-b618-12892df43c90", + "layerType": "data", + "position": "top", + "seriesType": "bar", + "showGridlines": false, + "xAccessor": "bd52eba0-e079-4b31-b053-d6d8e519b21d" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar", + "title": "Empty XY chart", + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "Distribution of Blocked Messages by Quarantine Folder [Logs Proofpoint TAP]", + "visualizationType": "lnsXY" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "91bf4cc9-d875-476b-afa9-353e6a6115d2", + "w": 24, + "x": 0, + "y": 75 + }, + "panelIndex": "91bf4cc9-d875-476b-afa9-353e6a6115d2", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + 
"description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-4b31f83f-2fc1-4509-8a5b-0c80eea8c627", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "4b31f83f-2fc1-4509-8a5b-0c80eea8c627": { + "columnOrder": [ + "aec564b0-2091-4304-8a29-d839f9aec0aa", + "efe56213-9c9c-4215-91cd-907114802d3a" + ], + "columns": { + "aec564b0-2091-4304-8a29-d839f9aec0aa": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Quarantine Rule", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "efe56213-9c9c-4215-91cd-907114802d3a", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "proofpoint_tap.message_blocked.quarantine.rule" + }, + "efe56213-9c9c-4215-91cd-907114802d3a": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"proofpoint_tap.message_blocked\"" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "efe56213-9c9c-4215-91cd-907114802d3a" + ], + "layerId": "4b31f83f-2fc1-4509-8a5b-0c80eea8c627", + "layerType": "data", + "position": "top", + "seriesType": "bar", + "showGridlines": false, + "xAccessor": "aec564b0-2091-4304-8a29-d839f9aec0aa" + } + ], + "legend": { + "isVisible": true, + 
"position": "right" + }, + "preferredSeriesType": "bar", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "Distribution of Blocked Messages by Quarantine Rule [Logs Proofpoint TAP]", + "visualizationType": "lnsXY" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "f8ff2974-b1e9-4a81-a5af-8f5d6d13abce", + "w": 24, + "x": 24, + "y": 75 + }, + "panelIndex": "f8ff2974-b1e9-4a81-a5af-8f5d6d13abce", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "layerListJSON": "[{\"alpha\":1,\"id\":\"c6a42104-e390-4c56-8ef8-5bd774773e72\",\"includeInFitToBounds\":true,\"label\":null,\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"isAutoSelect\":true,\"type\":\"EMS_TMS\"},\"style\":{\"type\":\"TILE\"},\"type\":\"VECTOR_TILE\",\"visible\":true},{\"alpha\":0.75,\"id\":\"f8e2c82c-56b8-425d-a79d-ab24baf35f89\",\"includeInFitToBounds\":true,\"label\":\"Sender\",\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"applyForceRefresh\":true,\"applyGlobalQuery\":true,\"applyGlobalTime\":true,\"geoField\":\"source.geo.location\",\"id\":\"ce99667c-f3a0-4d3c-b0d0-6e6ba88f1a9e\",\"metrics\":[{\"label\":\"Count\",\"type\":\"count\"}],\"requestType\":\"heatmap\",\"resolution\":\"COARSE\",\"type\":\"ES_GEO_GRID\",\"indexPatternId\":\"logs-*\"},\"style\":{\"colorRampName\":\"theclassic\",\"type\":\"HEATMAP\"},\"type\":\"HEATMAP\",\"visible\":true}]", + "mapStateJSON": 
"{\"center\":{\"lat\":33.09876,\"lon\":73.8871},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"refreshConfig\":{\"interval\":0,\"isPaused\":true},\"settings\":{\"autoFitToDataBounds\":false,\"backgroundColor\":\"#ffffff\",\"browserLocation\":{\"zoom\":2},\"disableInteractive\":false,\"disableTooltipControl\":false,\"fixedLocation\":{\"lat\":0,\"lon\":0,\"zoom\":2},\"hideLayerControl\":false,\"hideToolbarOverlay\":false,\"hideViewControl\":false,\"initialLocation\":\"LAST_SAVED_LOCATION\",\"maxZoom\":24,\"minZoom\":0,\"showScaleControl\":false,\"showSpatialFilters\":true,\"showTimesliderToggleButton\":true,\"spatialFiltersAlpa\":0.3,\"spatialFiltersFillColor\":\"#DA8B45\",\"spatialFiltersLineColor\":\"#DA8B45\"},\"timeFilters\":{\"from\":\"now-1y/d\",\"to\":\"now\"},\"zoom\":1.91}", + "references": [ + { + "id": "logs-*", + "name": "layer_1_source_index_pattern", + "type": "index-pattern" + } + ], + "title": "Sender of Messages by Region [Logs Proofpoint TAP]", + "uiStateJSON": "{\"isLayerTOCOpen\":true,\"openTOCDetails\":[]}" + }, + "enhancements": {}, + "hiddenLayers": [], + "isLayerTOCOpen": true, + "mapBuffer": { + "maxLat": 89.78601, + "maxLon": 720, + "minLat": -89.78601, + "minLon": -540 + }, + "mapCenter": { + "lat": 0, + "lon": 96.98463, + "zoom": 0.12 + }, + "openTOCDetails": [] + }, + "gridData": { + "h": 21, + "i": "d40b322b-8b5a-4614-9a7f-f6bf33ba8e7e", + "w": 48, + "x": 0, + "y": 90 + }, + "panelIndex": "d40b322b-8b5a-4614-9a7f-f6bf33ba8e7e", + "type": "map", + "version": "7.17.0" + } + ], + "refreshInterval": { + "pause": true, + "value": 0 + }, + "timeFrom": "now-24h/h", + "timeRestore": true, + "timeTo": "now", + "title": "[Logs Proofpoint TAP] Blocked Messages", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "proofpoint_tap-9899aae0-b5ad-11ec-a9d0-e94ed15a14b9", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "proofpoint_tap-00dd5660-af9b-11ec-bf43-c372803d141d", + "name": 
"e5247373-1ae6-403b-89b5-93281d642883:panel_e5247373-1ae6-403b-89b5-93281d642883", + "type": "search" + }, + { + "id": "logs-*", + "name": "2cfc095d-92da-4512-bf45-21f3a7508129:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "2cfc095d-92da-4512-bf45-21f3a7508129:indexpattern-datasource-layer-66e9770d-b676-49a0-b502-b3cf64aae59d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "efdb9e8c-8541-401c-acc6-767c1a637db4:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "efdb9e8c-8541-401c-acc6-767c1a637db4:indexpattern-datasource-layer-e7630b81-f809-4d49-b269-1788bdbdf649", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "637266a0-908f-40ee-aa10-55569e7cbd29:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "637266a0-908f-40ee-aa10-55569e7cbd29:indexpattern-datasource-layer-402e61cc-9dba-466f-9269-27b48dd2e4a1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3e565fd9-f29d-41b5-a084-7393d29028d9:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3e565fd9-f29d-41b5-a084-7393d29028d9:indexpattern-datasource-layer-a0987be1-b682-412e-8d46-a4ad00e985c1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "2371e369-c82c-4443-bbf5-9d2b119fb9e9:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "2371e369-c82c-4443-bbf5-9d2b119fb9e9:indexpattern-datasource-layer-ec2f7bac-2077-4709-9d52-3ae3c0a582de", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a3d367ee-91bb-421d-b6fc-27daabd46a54:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a3d367ee-91bb-421d-b6fc-27daabd46a54:indexpattern-datasource-layer-e327fec5-d799-4b3f-acfc-32c1ecaac682", + "type": 
"index-pattern" + }, + { + "id": "logs-*", + "name": "3a258b28-29d4-4719-a65e-db1153b954fc:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3a258b28-29d4-4719-a65e-db1153b954fc:indexpattern-datasource-layer-f2e404cb-ffef-4218-a7d7-20a1972f7fe5", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "850608eb-ca33-452f-a129-c4719224c52f:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "850608eb-ca33-452f-a129-c4719224c52f:indexpattern-datasource-layer-01c9ddee-f668-4ee5-8bb6-98e74d2e1439", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c9517aa1-8122-434d-b93d-719030617688:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c9517aa1-8122-434d-b93d-719030617688:indexpattern-datasource-layer-b71a1c6d-1b9f-4b5f-ad26-7de6a5601691", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6b458dd4-988b-44d1-bd30-1bfadd99712b:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6b458dd4-988b-44d1-bd30-1bfadd99712b:indexpattern-datasource-layer-657c0ea2-d756-4c8e-8638-4a2cf8a00bad", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "91bf4cc9-d875-476b-afa9-353e6a6115d2:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "91bf4cc9-d875-476b-afa9-353e6a6115d2:indexpattern-datasource-layer-8bc257b1-f278-4281-b618-12892df43c90", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f8ff2974-b1e9-4a81-a5af-8f5d6d13abce:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f8ff2974-b1e9-4a81-a5af-8f5d6d13abce:indexpattern-datasource-layer-4b31f83f-2fc1-4509-8a5b-0c80eea8c627", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"d40b322b-8b5a-4614-9a7f-f6bf33ba8e7e:layer_1_source_index_pattern", + "type": "index-pattern" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/proofpoint_tap/kibana/dashboard/proofpoint_tap-ee5bc100-b5c8-11ec-a9d0-e94ed15a14b9.json b/packages/proofpoint_tap/kibana/dashboard/proofpoint_tap-ee5bc100-b5c8-11ec-a9d0-e94ed15a14b9.json new file mode 100644 index 00000000000..f0de223b92a --- /dev/null +++ b/packages/proofpoint_tap/kibana/dashboard/proofpoint_tap-ee5bc100-b5c8-11ec-a9d0-e94ed15a14b9.json 
@@ -0,0 +1,1189 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"proofpoint_tap.message_delivered\"" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 21, + "i": "a0cc1e4c-3327-478b-94ec-519ebf9582ab", + "w": 48, + "x": 0, + "y": 96 + }, + "panelIndex": "a0cc1e4c-3327-478b-94ec-519ebf9582ab", + "panelRefName": "panel_a0cc1e4c-3327-478b-94ec-519ebf9582ab", + "type": "search", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-66e9770d-b676-49a0-b502-b3cf64aae59d", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "66e9770d-b676-49a0-b502-b3cf64aae59d": { + "columnOrder": [ + "7afa9eab-9e68-42c1-a5f8-7891197560e2" + ], + "columns": { + "7afa9eab-9e68-42c1-a5f8-7891197560e2": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Messages", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "7afa9eab-9e68-42c1-a5f8-7891197560e2", + "layerId": "66e9770d-b676-49a0-b502-b3cf64aae59d", + "layerType": "data" + } + }, + "title": "Count of Messages [Logs Proofpoint TAP]", + "visualizationType": "lnsMetric" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "057e2ef6-0316-4896-ab34-8aafca79b009", + "w": 24, + "x": 0, + "y": 0 + }, + "panelIndex": 
"057e2ef6-0316-4896-ab34-8aafca79b009", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-e7630b81-f809-4d49-b269-1788bdbdf649", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "e7630b81-f809-4d49-b269-1788bdbdf649": { + "columnOrder": [ + "8a033b2f-c808-4ae0-b593-862e401fd4d0", + "ba6e6c21-db26-4ce1-9608-ebc8562ee460" + ], + "columns": { + "8a033b2f-c808-4ae0-b593-862e401fd4d0": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "IP", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "ba6e6c21-db26-4ce1-9608-ebc8562ee460", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "source.ip" + }, + "ba6e6c21-db26-4ce1-9608-ebc8562ee460": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "8a033b2f-c808-4ae0-b593-862e401fd4d0", + "isTransposed": false + }, + { + "columnId": "ba6e6c21-db26-4ce1-9608-ebc8562ee460", + "isTransposed": false + } + ], + "layerId": "e7630b81-f809-4d49-b269-1788bdbdf649", + "layerType": "data" + } + }, + "title": "Top 10 Sender IP [Logs Proofpoint TAP]", + "visualizationType": "lnsDatatable" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "e54a8fb5-eee6-409a-8065-91a4e7b3ac4f", + "w": 24, + "x": 24, + "y": 0 + }, + "panelIndex": "e54a8fb5-eee6-409a-8065-91a4e7b3ac4f", + "type": 
"lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-410012cf-d8df-4277-ac28-305ea82a09a3", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "410012cf-d8df-4277-ac28-305ea82a09a3": { + "columnOrder": [ + "05e673b3-ec58-44eb-ad0b-c88a43e44a8a", + "68cf8e68-186a-40c7-a199-0463ca8741d8" + ], + "columns": { + "05e673b3-ec58-44eb-ad0b-c88a43e44a8a": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Rewritten URL", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "68cf8e68-186a-40c7-a199-0463ca8741d8", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "proofpoint_tap.message_delivered.completely_rewritten" + }, + "68cf8e68-186a-40c7-a199-0463ca8741d8": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"proofpoint_tap.message_delivered\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "05e673b3-ec58-44eb-ad0b-c88a43e44a8a" + ], + "layerId": "410012cf-d8df-4277-ac28-305ea82a09a3", + "layerType": "data", + "legendDisplay": "default", + "metric": "68cf8e68-186a-40c7-a199-0463ca8741d8", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Delivered Messages by Rewritten URL [Logs Proofpoint TAP]", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + 
"gridData": { + "h": 15, + "i": "f5b71bf4-d93b-4383-aee3-0fba04633f7e", + "w": 24, + "x": 0, + "y": 15 + }, + "panelIndex": "f5b71bf4-d93b-4383-aee3-0fba04633f7e", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-b0d8b2b8-81ef-4c98-bad2-20e10a9d4006", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "b0d8b2b8-81ef-4c98-bad2-20e10a9d4006": { + "columnOrder": [ + "02195bc5-0e17-4c5d-bf4c-5bcf165cd993", + "22bcb44a-ba59-4c78-a069-277e45c5d6ef" + ], + "columns": { + "02195bc5-0e17-4c5d-bf4c-5bcf165cd993": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Disposition", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "22bcb44a-ba59-4c78-a069-277e45c5d6ef", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "proofpoint_tap.message_delivered.message_parts.disposition" + }, + "22bcb44a-ba59-4c78-a069-277e45c5d6ef": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"proofpoint_tap.message_delivered\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "02195bc5-0e17-4c5d-bf4c-5bcf165cd993" + ], + "layerId": "b0d8b2b8-81ef-4c98-bad2-20e10a9d4006", + "layerType": "data", + "legendDisplay": "default", + "metric": "22bcb44a-ba59-4c78-a069-277e45c5d6ef", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + 
"shape": "pie" + } + }, + "title": "Distribution of Delivered Messages by Disposition [Logs Proofpoint TAP]", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "ddaa2940-7c3a-4d0c-8fad-a87d3d92725a", + "w": 24, + "x": 24, + "y": 15 + }, + "panelIndex": "ddaa2940-7c3a-4d0c-8fad-a87d3d92725a", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-ec2f7bac-2077-4709-9d52-3ae3c0a582de", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "ec2f7bac-2077-4709-9d52-3ae3c0a582de": { + "columnOrder": [ + "394062e2-3219-4ff0-b930-7dceb79cb5cd", + "8c5a8f23-a89c-459e-8fdb-07844dc1c19f" + ], + "columns": { + "394062e2-3219-4ff0-b930-7dceb79cb5cd": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Recipient", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "8c5a8f23-a89c-459e-8fdb-07844dc1c19f", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "email.to.address" + }, + "8c5a8f23-a89c-459e-8fdb-07844dc1c19f": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "394062e2-3219-4ff0-b930-7dceb79cb5cd", + "isTransposed": false + }, + { + "columnId": "8c5a8f23-a89c-459e-8fdb-07844dc1c19f", + "isTransposed": false + } + ], + "layerId": "ec2f7bac-2077-4709-9d52-3ae3c0a582de", + 
"layerType": "data" + } + }, + "title": "Top 10 Recipient [Logs Proofpoint TAP]", + "visualizationType": "lnsDatatable" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "3dc5d286-d7b8-4a47-bd70-7699375f31de", + "w": 24, + "x": 0, + "y": 30 + }, + "panelIndex": "3dc5d286-d7b8-4a47-bd70-7699375f31de", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-5b8645f9-f56a-44ea-b567-dad4d9da2824", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "5b8645f9-f56a-44ea-b567-dad4d9da2824": { + "columnOrder": [ + "bc4689d4-0411-44f9-add5-ffa0705584dc", + "612fda22-416a-4171-8854-f9cb30a4ae05" + ], + "columns": { + "612fda22-416a-4171-8854-f9cb30a4ae05": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "bc4689d4-0411-44f9-add5-ffa0705584dc": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Classification", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "612fda22-416a-4171-8854-f9cb30a4ae05", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "proofpoint_tap.message_delivered.threat_info_map.classification" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"proofpoint_tap.message_delivered\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "bc4689d4-0411-44f9-add5-ffa0705584dc" + ], + "layerId": "5b8645f9-f56a-44ea-b567-dad4d9da2824", + 
"layerType": "data", + "legendDisplay": "default", + "metric": "612fda22-416a-4171-8854-f9cb30a4ae05", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Delivered Messages by Threat Classification [Logs Proofpoint TAP]", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "080a6554-cbad-4aa0-b8a6-d82de9dab805", + "w": 24, + "x": 24, + "y": 30 + }, + "panelIndex": "080a6554-cbad-4aa0-b8a6-d82de9dab805", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-17b04f1e-6124-4c6c-9464-e29a98d97bcf", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "17b04f1e-6124-4c6c-9464-e29a98d97bcf": { + "columnOrder": [ + "20a072f6-3895-45a1-a585-875852453a05", + "a4ba65e4-6bb1-401e-9a55-f90e5f5a32f0" + ], + "columns": { + "20a072f6-3895-45a1-a585-875852453a05": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Threat Status", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "a4ba65e4-6bb1-401e-9a55-f90e5f5a32f0", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "proofpoint_tap.message_delivered.threat_info_map.threat.status" + }, + "a4ba65e4-6bb1-401e-9a55-f90e5f5a32f0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"proofpoint_tap.message_delivered\"" + 
}, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "20a072f6-3895-45a1-a585-875852453a05" + ], + "layerId": "17b04f1e-6124-4c6c-9464-e29a98d97bcf", + "layerType": "data", + "legendDisplay": "default", + "metric": "a4ba65e4-6bb1-401e-9a55-f90e5f5a32f0", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Delivered Messages by Threat Status [Logs Proofpoint TAP]", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "ec9ba9eb-371c-430a-afc5-f6edf039bd91", + "w": 24, + "x": 0, + "y": 45 + }, + "panelIndex": "ec9ba9eb-371c-430a-afc5-f6edf039bd91", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-590e841c-2ef7-4ace-b981-4bb9d3160054", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "590e841c-2ef7-4ace-b981-4bb9d3160054": { + "columnOrder": [ + "7066eb8e-8f19-4826-adbb-7550c8ea2636", + "1bc5c276-8229-422d-bb16-a63859e6f34c" + ], + "columns": { + "1bc5c276-8229-422d-bb16-a63859e6f34c": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "7066eb8e-8f19-4826-adbb-7550c8ea2636": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Sandbox Status", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "1bc5c276-8229-422d-bb16-a63859e6f34c", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": 
"proofpoint_tap.message_delivered.message_parts.sandbox_status" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"proofpoint_tap.message_delivered\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "7066eb8e-8f19-4826-adbb-7550c8ea2636" + ], + "layerId": "590e841c-2ef7-4ace-b981-4bb9d3160054", + "layerType": "data", + "legendDisplay": "default", + "metric": "1bc5c276-8229-422d-bb16-a63859e6f34c", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Delivered Messages by Sandbox Status [Logs Proofpoint TAP]", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "c1acfbb3-c3ca-436d-b54e-47f288677136", + "w": 24, + "x": 24, + "y": 45 + }, + "panelIndex": "c1acfbb3-c3ca-436d-b54e-47f288677136", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-ecc13edd-9962-402c-b12e-180cccc46f08", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "ecc13edd-9962-402c-b12e-180cccc46f08": { + "columnOrder": [ + "21d701b1-4d50-4480-94e0-bfd2616489f5", + "0bc203c5-ff36-4db6-ad1a-441828203815" + ], + "columns": { + "0bc203c5-ff36-4db6-ad1a-441828203815": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "21d701b1-4d50-4480-94e0-bfd2616489f5": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Threat Type", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + 
"columnId": "0bc203c5-ff36-4db6-ad1a-441828203815", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "proofpoint_tap.message_delivered.threat_info_map.threat.type" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"proofpoint_tap.message_delivered\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "21d701b1-4d50-4480-94e0-bfd2616489f5" + ], + "layerId": "ecc13edd-9962-402c-b12e-180cccc46f08", + "layerType": "data", + "legendDisplay": "default", + "metric": "0bc203c5-ff36-4db6-ad1a-441828203815", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Delivered Messages by Threat Type [Logs Proofpoint TAP]", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "f1256b4b-8872-4d25-82cd-5a7004108d91", + "w": 24, + "x": 0, + "y": 60 + }, + "panelIndex": "f1256b4b-8872-4d25-82cd-5a7004108d91", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-657c0ea2-d756-4c8e-8638-4a2cf8a00bad", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "657c0ea2-d756-4c8e-8638-4a2cf8a00bad": { + "columnOrder": [ + "4507c7f7-7878-40d4-905f-50360a596573", + "d7959ce0-0861-4dd4-bdb3-42d8578ebd2f" + ], + "columns": { + "4507c7f7-7878-40d4-905f-50360a596573": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Email Mailer", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": 
"d7959ce0-0861-4dd4-bdb3-42d8578ebd2f", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "email.x_mailer" + }, + "d7959ce0-0861-4dd4-bdb3-42d8578ebd2f": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "d7959ce0-0861-4dd4-bdb3-42d8578ebd2f" + ], + "layerId": "657c0ea2-d756-4c8e-8638-4a2cf8a00bad", + "layerType": "data", + "seriesType": "bar", + "xAccessor": "4507c7f7-7878-40d4-905f-50360a596573" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "Distribution of Messages by Email X_Mailer [Logs Proofpoint TAP]", + "visualizationType": "lnsXY" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "f721f663-e2fd-44c9-88bc-639bff7bc700", + "w": 24, + "x": 24, + "y": 60 + }, + "panelIndex": "f721f663-e2fd-44c9-88bc-639bff7bc700", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "layerListJSON": 
"[{\"alpha\":1,\"id\":\"c6a42104-e390-4c56-8ef8-5bd774773e72\",\"includeInFitToBounds\":true,\"label\":null,\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"isAutoSelect\":true,\"type\":\"EMS_TMS\"},\"style\":{\"type\":\"TILE\"},\"type\":\"VECTOR_TILE\",\"visible\":true},{\"alpha\":0.75,\"id\":\"f8e2c82c-56b8-425d-a79d-ab24baf35f89\",\"includeInFitToBounds\":true,\"label\":\"Sender\",\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"applyForceRefresh\":true,\"applyGlobalQuery\":true,\"applyGlobalTime\":true,\"geoField\":\"source.geo.location\",\"id\":\"ce99667c-f3a0-4d3c-b0d0-6e6ba88f1a9e\",\"metrics\":[{\"label\":\"Count\",\"type\":\"count\"}],\"requestType\":\"heatmap\",\"resolution\":\"COARSE\",\"type\":\"ES_GEO_GRID\",\"indexPatternId\":\"logs-*\"},\"style\":{\"colorRampName\":\"theclassic\",\"type\":\"HEATMAP\"},\"type\":\"HEATMAP\",\"visible\":true}]", + "mapStateJSON": "{\"center\":{\"lat\":33.09876,\"lon\":73.8871},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"refreshConfig\":{\"interval\":0,\"isPaused\":true},\"settings\":{\"autoFitToDataBounds\":false,\"backgroundColor\":\"#ffffff\",\"browserLocation\":{\"zoom\":2},\"disableInteractive\":false,\"disableTooltipControl\":false,\"fixedLocation\":{\"lat\":0,\"lon\":0,\"zoom\":2},\"hideLayerControl\":false,\"hideToolbarOverlay\":false,\"hideViewControl\":false,\"initialLocation\":\"LAST_SAVED_LOCATION\",\"maxZoom\":24,\"minZoom\":0,\"showScaleControl\":false,\"showSpatialFilters\":true,\"showTimesliderToggleButton\":true,\"spatialFiltersAlpa\":0.3,\"spatialFiltersFillColor\":\"#DA8B45\",\"spatialFiltersLineColor\":\"#DA8B45\"},\"timeFilters\":{\"from\":\"now-1y/d\",\"to\":\"now\"},\"zoom\":1.91}", + "references": [ + { + "id": "logs-*", + "name": "layer_1_source_index_pattern", + "type": "index-pattern" + } + ], + "title": "Sender of Messages by Region [Logs Proofpoint TAP]", + "uiStateJSON": "{\"isLayerTOCOpen\":true,\"openTOCDetails\":[]}" + }, + "enhancements": {}, + 
"hiddenLayers": [], + "isLayerTOCOpen": true, + "mapBuffer": { + "maxLat": 66.51326, + "maxLon": 180, + "minLat": -66.51326, + "minLon": 0 + }, + "mapCenter": { + "lat": 33.09876, + "lon": 73.8871, + "zoom": 1.91 + }, + "openTOCDetails": [] + }, + "gridData": { + "h": 21, + "i": "de4c11a4-6831-4ad4-92b6-7dc434430690", + "w": 48, + "x": 0, + "y": 75 + }, + "panelIndex": "de4c11a4-6831-4ad4-92b6-7dc434430690", + "type": "map", + "version": "7.17.0" + } + ], + "refreshInterval": { + "pause": true, + "value": 0 + }, + "timeFrom": "now-24h/h", + "timeRestore": true, + "timeTo": "now", + "title": "[Logs Proofpoint TAP] Delivered Messages", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "proofpoint_tap-ee5bc100-b5c8-11ec-a9d0-e94ed15a14b9", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "proofpoint_tap-00dd5660-af9b-11ec-bf43-c372803d141d", + "name": "a0cc1e4c-3327-478b-94ec-519ebf9582ab:panel_a0cc1e4c-3327-478b-94ec-519ebf9582ab", + "type": "search" + }, + { + "id": "logs-*", + "name": "057e2ef6-0316-4896-ab34-8aafca79b009:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "057e2ef6-0316-4896-ab34-8aafca79b009:indexpattern-datasource-layer-66e9770d-b676-49a0-b502-b3cf64aae59d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e54a8fb5-eee6-409a-8065-91a4e7b3ac4f:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e54a8fb5-eee6-409a-8065-91a4e7b3ac4f:indexpattern-datasource-layer-e7630b81-f809-4d49-b269-1788bdbdf649", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f5b71bf4-d93b-4383-aee3-0fba04633f7e:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f5b71bf4-d93b-4383-aee3-0fba04633f7e:indexpattern-datasource-layer-410012cf-d8df-4277-ac28-305ea82a09a3", + "type": "index-pattern" + }, + { + "id": "logs-*", + 
"name": "ddaa2940-7c3a-4d0c-8fad-a87d3d92725a:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ddaa2940-7c3a-4d0c-8fad-a87d3d92725a:indexpattern-datasource-layer-b0d8b2b8-81ef-4c98-bad2-20e10a9d4006", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3dc5d286-d7b8-4a47-bd70-7699375f31de:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3dc5d286-d7b8-4a47-bd70-7699375f31de:indexpattern-datasource-layer-ec2f7bac-2077-4709-9d52-3ae3c0a582de", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "080a6554-cbad-4aa0-b8a6-d82de9dab805:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "080a6554-cbad-4aa0-b8a6-d82de9dab805:indexpattern-datasource-layer-5b8645f9-f56a-44ea-b567-dad4d9da2824", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ec9ba9eb-371c-430a-afc5-f6edf039bd91:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ec9ba9eb-371c-430a-afc5-f6edf039bd91:indexpattern-datasource-layer-17b04f1e-6124-4c6c-9464-e29a98d97bcf", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c1acfbb3-c3ca-436d-b54e-47f288677136:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c1acfbb3-c3ca-436d-b54e-47f288677136:indexpattern-datasource-layer-590e841c-2ef7-4ace-b981-4bb9d3160054", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f1256b4b-8872-4d25-82cd-5a7004108d91:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f1256b4b-8872-4d25-82cd-5a7004108d91:indexpattern-datasource-layer-ecc13edd-9962-402c-b12e-180cccc46f08", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"f721f663-e2fd-44c9-88bc-639bff7bc700:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f721f663-e2fd-44c9-88bc-639bff7bc700:indexpattern-datasource-layer-657c0ea2-d756-4c8e-8638-4a2cf8a00bad", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "de4c11a4-6831-4ad4-92b6-7dc434430690:layer_1_source_index_pattern", + "type": "index-pattern" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/proofpoint_tap/kibana/lens/proofpoint_tap-22c1fd60-b5a6-11ec-a9d0-e94ed15a14b9.json b/packages/proofpoint_tap/kibana/lens/proofpoint_tap-22c1fd60-b5a6-11ec-a9d0-e94ed15a14b9.json new file mode 100644 index 00000000000..0f2025d8a36 --- /dev/null +++ b/packages/proofpoint_tap/kibana/lens/proofpoint_tap-22c1fd60-b5a6-11ec-a9d0-e94ed15a14b9.json 
@@ -0,0 +1,60 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "4ff0e011-970a-4b60-9158-962f4e89fbbe": { + "columnOrder": [ + "dc762ac8-6645-45a7-ba44-b3fbd0309338" + ], + "columns": { + "dc762ac8-6645-45a7-ba44-b3fbd0309338": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Clicks", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "dc762ac8-6645-45a7-ba44-b3fbd0309338", + "layerId": "4ff0e011-970a-4b60-9158-962f4e89fbbe", + "layerType": "data" + } + }, + "title": "Count of Clicks [Logs Proofpoint TAP]", + "visualizationType": "lnsMetric" + }, + "coreMigrationVersion": "7.17.0", + "id": "proofpoint_tap-22c1fd60-b5a6-11ec-a9d0-e94ed15a14b9", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-4ff0e011-970a-4b60-9158-962f4e89fbbe", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/proofpoint_tap/kibana/lens/proofpoint_tap-2e596430-b5ae-11ec-a9d0-e94ed15a14b9.json b/packages/proofpoint_tap/kibana/lens/proofpoint_tap-2e596430-b5ae-11ec-a9d0-e94ed15a14b9.json new file mode 100644 index 00000000000..9ff144aee81 --- /dev/null +++ b/packages/proofpoint_tap/kibana/lens/proofpoint_tap-2e596430-b5ae-11ec-a9d0-e94ed15a14b9.json 
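Review bot: The `Count of Clicks` metric has an empty query (`"query": ""`) while its index pattern is `logs-*`, so it counts every document in logs-* rather than Proofpoint TAP click events unless the dashboard that embeds it supplies a filter, which is not visible here. The other visualizations in this package scope themselves with a dataset KQL filter (for example `data_stream.dataset : "proofpoint_tap.message_blocked"`), so this one should do the same, e.g. `"query": "data_stream.dataset : \"proofpoint_tap.clicks_blocked\" or data_stream.dataset : \"proofpoint_tap.clicks_permitted\""`. The same unscoped `"query": ""` appears in the Top 10 Sender IP (2e596430), Top 10 Click IP (32f38a20) and Count of Messages (3872f3b0) hunks; on a shared logs-* pattern those IP tables would mix in source/destination IPs from unrelated integrations, which is misleading for triage.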
@@ -0,0 +1,89 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "e7630b81-f809-4d49-b269-1788bdbdf649": { + "columnOrder": [ + "8a033b2f-c808-4ae0-b593-862e401fd4d0", + "ba6e6c21-db26-4ce1-9608-ebc8562ee460" + ], + "columns": { + "8a033b2f-c808-4ae0-b593-862e401fd4d0": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "IP", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "ba6e6c21-db26-4ce1-9608-ebc8562ee460", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "source.ip" + }, + "ba6e6c21-db26-4ce1-9608-ebc8562ee460": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "8a033b2f-c808-4ae0-b593-862e401fd4d0", + "isTransposed": false + }, + { + "columnId": "ba6e6c21-db26-4ce1-9608-ebc8562ee460", + "isTransposed": false + } + ], + "layerId": "e7630b81-f809-4d49-b269-1788bdbdf649", + "layerType": "data" + } + }, + "title": "Top 10 Sender IP [Logs Proofpoint TAP]", + "visualizationType": "lnsDatatable" + }, + "coreMigrationVersion": "7.17.0", + "id": "proofpoint_tap-2e596430-b5ae-11ec-a9d0-e94ed15a14b9", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-e7630b81-f809-4d49-b269-1788bdbdf649", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file 
diff --git a/packages/proofpoint_tap/kibana/lens/proofpoint_tap-31d88f20-b5ca-11ec-a9d0-e94ed15a14b9.json b/packages/proofpoint_tap/kibana/lens/proofpoint_tap-31d88f20-b5ca-11ec-a9d0-e94ed15a14b9.json new file mode 100644 index 00000000000..ea814f05724 --- /dev/null +++ b/packages/proofpoint_tap/kibana/lens/proofpoint_tap-31d88f20-b5ca-11ec-a9d0-e94ed15a14b9.json 
@@ -0,0 +1,92 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "17b04f1e-6124-4c6c-9464-e29a98d97bcf": { + "columnOrder": [ + "20a072f6-3895-45a1-a585-875852453a05", + "a4ba65e4-6bb1-401e-9a55-f90e5f5a32f0" + ], + "columns": { + "20a072f6-3895-45a1-a585-875852453a05": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Threat Status", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "a4ba65e4-6bb1-401e-9a55-f90e5f5a32f0", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "proofpoint_tap.message_delivered.threat_info_map.threat.status" + }, + "a4ba65e4-6bb1-401e-9a55-f90e5f5a32f0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"proofpoint_tap.message_delivered\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "20a072f6-3895-45a1-a585-875852453a05" + ], + "layerId": "17b04f1e-6124-4c6c-9464-e29a98d97bcf", + "layerType": "data", + "legendDisplay": "default", + "metric": "a4ba65e4-6bb1-401e-9a55-f90e5f5a32f0", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Delivered Messages by Threat Status [Logs Proofpoint TAP]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.17.0", + "id": "proofpoint_tap-31d88f20-b5ca-11ec-a9d0-e94ed15a14b9", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"indexpattern-datasource-layer-17b04f1e-6124-4c6c-9464-e29a98d97bcf", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/proofpoint_tap/kibana/lens/proofpoint_tap-32f38a20-b5cc-11ec-a9d0-e94ed15a14b9.json b/packages/proofpoint_tap/kibana/lens/proofpoint_tap-32f38a20-b5cc-11ec-a9d0-e94ed15a14b9.json new file mode 100644 index 00000000000..a4e657b967b --- /dev/null +++ b/packages/proofpoint_tap/kibana/lens/proofpoint_tap-32f38a20-b5cc-11ec-a9d0-e94ed15a14b9.json 
@@ -0,0 +1,89 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "4080ef48-91f4-4339-a059-fa6a9d0fcce8": { + "columnOrder": [ + "2f67b930-a92f-41ef-96cd-5d9cc5de8d8d", + "366f6367-65c3-4e65-8c28-f41b1ef719cf" + ], + "columns": { + "2f67b930-a92f-41ef-96cd-5d9cc5de8d8d": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "IP", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "366f6367-65c3-4e65-8c28-f41b1ef719cf", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "destination.ip" + }, + "366f6367-65c3-4e65-8c28-f41b1ef719cf": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "2f67b930-a92f-41ef-96cd-5d9cc5de8d8d", + "isTransposed": false + }, + { + "columnId": "366f6367-65c3-4e65-8c28-f41b1ef719cf", + "isTransposed": false + } + ], + "layerId": "4080ef48-91f4-4339-a059-fa6a9d0fcce8", + "layerType": "data" + } + }, + "title": "Top 10 Click IP [Logs Proofpoint TAP]", + "visualizationType": "lnsDatatable" + }, + "coreMigrationVersion": "7.17.0", + "id": "proofpoint_tap-32f38a20-b5cc-11ec-a9d0-e94ed15a14b9", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-4080ef48-91f4-4339-a059-fa6a9d0fcce8", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file 
diff --git a/packages/proofpoint_tap/kibana/lens/proofpoint_tap-3872f3b0-b5ad-11ec-a9d0-e94ed15a14b9.json b/packages/proofpoint_tap/kibana/lens/proofpoint_tap-3872f3b0-b5ad-11ec-a9d0-e94ed15a14b9.json new file mode 100644 index 00000000000..1fb9462f4d2 --- /dev/null +++ b/packages/proofpoint_tap/kibana/lens/proofpoint_tap-3872f3b0-b5ad-11ec-a9d0-e94ed15a14b9.json @@ -0,0 +1,60 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "66e9770d-b676-49a0-b502-b3cf64aae59d": { + "columnOrder": [ + "7afa9eab-9e68-42c1-a5f8-7891197560e2" + ], + "columns": { + "7afa9eab-9e68-42c1-a5f8-7891197560e2": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Messages", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "7afa9eab-9e68-42c1-a5f8-7891197560e2", + "layerId": "66e9770d-b676-49a0-b502-b3cf64aae59d", + "layerType": "data" + } + }, + "title": "Count of Messages [Logs Proofpoint TAP]", + "visualizationType": "lnsMetric" + }, + "coreMigrationVersion": "7.17.0", + "id": "proofpoint_tap-3872f3b0-b5ad-11ec-a9d0-e94ed15a14b9", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-66e9770d-b676-49a0-b502-b3cf64aae59d", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/proofpoint_tap/kibana/lens/proofpoint_tap-3d9cb8d0-b5b2-11ec-a9d0-e94ed15a14b9.json b/packages/proofpoint_tap/kibana/lens/proofpoint_tap-3d9cb8d0-b5b2-11ec-a9d0-e94ed15a14b9.json new file mode 100644 index 00000000000..b4184161244 --- /dev/null 
+++ b/packages/proofpoint_tap/kibana/lens/proofpoint_tap-3d9cb8d0-b5b2-11ec-a9d0-e94ed15a14b9.json 
@@ -0,0 +1,103 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "8bc257b1-f278-4281-b618-12892df43c90": { + "columnOrder": [ + "bd52eba0-e079-4b31-b053-d6d8e519b21d", + "a9cf6093-c996-4557-8819-3d2b273e62b0" + ], + "columns": { + "a9cf6093-c996-4557-8819-3d2b273e62b0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "bd52eba0-e079-4b31-b053-d6d8e519b21d": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Quarantine Folder", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "a9cf6093-c996-4557-8819-3d2b273e62b0", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "proofpoint_tap.message_blocked.quarantine.folder" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"proofpoint_tap.message_blocked\"" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "a9cf6093-c996-4557-8819-3d2b273e62b0" + ], + "layerId": "8bc257b1-f278-4281-b618-12892df43c90", + "layerType": "data", + "position": "top", + "seriesType": "bar", + "showGridlines": false, + "xAccessor": "bd52eba0-e079-4b31-b053-d6d8e519b21d" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar", + "title": "Empty XY chart", + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "Distribution of Blocked Messages by Quarantine Folder [Logs Proofpoint TAP]", + "visualizationType": "lnsXY" + }, + "coreMigrationVersion": "7.17.0", + "id": "proofpoint_tap-3d9cb8d0-b5b2-11ec-a9d0-e94ed15a14b9", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + 
{ + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-8bc257b1-f278-4281-b618-12892df43c90", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/proofpoint_tap/kibana/lens/proofpoint_tap-4363e9b0-b5a7-11ec-a9d0-e94ed15a14b9.json b/packages/proofpoint_tap/kibana/lens/proofpoint_tap-4363e9b0-b5a7-11ec-a9d0-e94ed15a14b9.json new file mode 100644 index 00000000000..f1cd9a906c1 --- /dev/null +++ b/packages/proofpoint_tap/kibana/lens/proofpoint_tap-4363e9b0-b5a7-11ec-a9d0-e94ed15a14b9.json 
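Review bot: The XY visualization state carries a leftover editor placeholder, `"title": "Empty XY chart"`, that the other XY chart in this package (the `Distribution of Messages by Email X_Mailer` panel) does not have. It does not affect rendering, but it is a stale default inside a committed saved object; drop the key or set it to the visualization's real title so exported state stays consistent across the package.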
@@ -0,0 +1,108 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "09466534-a461-4fbb-850b-fba8df6b7c37": { + "columnOrder": [ + "caef084e-7dca-43d6-8538-a2806796463e", + "8c76f7ef-0d3f-4558-8835-17fa53443a49", + "8c76f7ef-0d3f-4558-8835-17fa53443a49X0" + ], + "columns": { + "8c76f7ef-0d3f-4558-8835-17fa53443a49": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "formula", + "params": { + "formula": "count()", + "isFormulaBroken": false + }, + "references": [ + "8c76f7ef-0d3f-4558-8835-17fa53443a49X0" + ], + "scale": "ratio" + }, + "8c76f7ef-0d3f-4558-8835-17fa53443a49X0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of count()", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "caef084e-7dca-43d6-8538-a2806796463e": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Classification", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "fallback": true, + "type": "alphabetical" + }, + "orderDirection": "asc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "proofpoint_tap.clicks_blocked.classification" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"proofpoint_tap.clicks_blocked\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "caef084e-7dca-43d6-8538-a2806796463e" + ], + "layerId": "09466534-a461-4fbb-850b-fba8df6b7c37", + "layerType": "data", + "legendDisplay": "default", + "metric": "8c76f7ef-0d3f-4558-8835-17fa53443a49", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Blocked Clicks by Classification [Logs Proofpoint TAP]", + "visualizationType": "lnsPie" + }, + 
"coreMigrationVersion": "7.17.0", + "id": "proofpoint_tap-4363e9b0-b5a7-11ec-a9d0-e94ed15a14b9", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-09466534-a461-4fbb-850b-fba8df6b7c37", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/proofpoint_tap/kibana/lens/proofpoint_tap-458b3ce0-b5af-11ec-a9d0-e94ed15a14b9.json b/packages/proofpoint_tap/kibana/lens/proofpoint_tap-458b3ce0-b5af-11ec-a9d0-e94ed15a14b9.json new file mode 100644 index 00000000000..7146fe2aed1 --- /dev/null +++ b/packages/proofpoint_tap/kibana/lens/proofpoint_tap-458b3ce0-b5af-11ec-a9d0-e94ed15a14b9.json 
@@ -0,0 +1,92 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "402e61cc-9dba-466f-9269-27b48dd2e4a1": { + "columnOrder": [ + "d1076744-9ca0-4908-a16f-ef349e2cd32a", + "9b3ba2ba-191d-4e9b-bf2c-ebaf2c43e241" + ], + "columns": { + "9b3ba2ba-191d-4e9b-bf2c-ebaf2c43e241": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "d1076744-9ca0-4908-a16f-ef349e2cd32a": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Disposition", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "9b3ba2ba-191d-4e9b-bf2c-ebaf2c43e241", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "proofpoint_tap.message_blocked.message_parts.disposition" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"proofpoint_tap.message_blocked\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "d1076744-9ca0-4908-a16f-ef349e2cd32a" + ], + "layerId": "402e61cc-9dba-466f-9269-27b48dd2e4a1", + "layerType": "data", + "legendDisplay": "default", + "metric": "9b3ba2ba-191d-4e9b-bf2c-ebaf2c43e241", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Blocked Messages by Disposition [Logs Proofpoint TAP]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.17.0", + "id": "proofpoint_tap-458b3ce0-b5af-11ec-a9d0-e94ed15a14b9", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"indexpattern-datasource-layer-402e61cc-9dba-466f-9269-27b48dd2e4a1", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/proofpoint_tap/kibana/lens/proofpoint_tap-47aeba50-b5c9-11ec-a9d0-e94ed15a14b9.json b/packages/proofpoint_tap/kibana/lens/proofpoint_tap-47aeba50-b5c9-11ec-a9d0-e94ed15a14b9.json new file mode 100644 index 00000000000..2959bdf2512 --- /dev/null +++ b/packages/proofpoint_tap/kibana/lens/proofpoint_tap-47aeba50-b5c9-11ec-a9d0-e94ed15a14b9.json 
@@ -0,0 +1,92 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "b0d8b2b8-81ef-4c98-bad2-20e10a9d4006": { + "columnOrder": [ + "02195bc5-0e17-4c5d-bf4c-5bcf165cd993", + "22bcb44a-ba59-4c78-a069-277e45c5d6ef" + ], + "columns": { + "02195bc5-0e17-4c5d-bf4c-5bcf165cd993": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Disposition", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "22bcb44a-ba59-4c78-a069-277e45c5d6ef", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "proofpoint_tap.message_delivered.message_parts.disposition" + }, + "22bcb44a-ba59-4c78-a069-277e45c5d6ef": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"proofpoint_tap.message_delivered\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "02195bc5-0e17-4c5d-bf4c-5bcf165cd993" + ], + "layerId": "b0d8b2b8-81ef-4c98-bad2-20e10a9d4006", + "layerType": "data", + "legendDisplay": "default", + "metric": "22bcb44a-ba59-4c78-a069-277e45c5d6ef", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Delivered Messages by Disposition [Logs Proofpoint TAP]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.17.0", + "id": "proofpoint_tap-47aeba50-b5c9-11ec-a9d0-e94ed15a14b9", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"indexpattern-datasource-layer-b0d8b2b8-81ef-4c98-bad2-20e10a9d4006", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/proofpoint_tap/kibana/lens/proofpoint_tap-4b9175c0-b5a8-11ec-a9d0-e94ed15a14b9.json b/packages/proofpoint_tap/kibana/lens/proofpoint_tap-4b9175c0-b5a8-11ec-a9d0-e94ed15a14b9.json new file mode 100644 index 00000000000..6559cea6751 --- /dev/null +++ b/packages/proofpoint_tap/kibana/lens/proofpoint_tap-4b9175c0-b5a8-11ec-a9d0-e94ed15a14b9.json 
@@ -0,0 +1,89 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "ec2f7bac-2077-4709-9d52-3ae3c0a582de": { + "columnOrder": [ + "394062e2-3219-4ff0-b930-7dceb79cb5cd", + "8c5a8f23-a89c-459e-8fdb-07844dc1c19f" + ], + "columns": { + "394062e2-3219-4ff0-b930-7dceb79cb5cd": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Recipient", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "8c5a8f23-a89c-459e-8fdb-07844dc1c19f", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "email.to.address" + }, + "8c5a8f23-a89c-459e-8fdb-07844dc1c19f": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "394062e2-3219-4ff0-b930-7dceb79cb5cd", + "isTransposed": false + }, + { + "columnId": "8c5a8f23-a89c-459e-8fdb-07844dc1c19f", + "isTransposed": false + } + ], + "layerId": "ec2f7bac-2077-4709-9d52-3ae3c0a582de", + "layerType": "data" + } + }, + "title": "Top 10 Recipient [Logs Proofpoint TAP]", + "visualizationType": "lnsDatatable" + }, + "coreMigrationVersion": "7.17.0", + "id": "proofpoint_tap-4b9175c0-b5a8-11ec-a9d0-e94ed15a14b9", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-ec2f7bac-2077-4709-9d52-3ae3c0a582de", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file 
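Review bot: The "Top 10 Recipient" table is the only panel in this set whose `query` is the empty string rather than a `data_stream.dataset : "proofpoint_tap.…"` filter, and since it reads from the shared `logs-*` index pattern its `email.to.address` terms aggregation will count documents from any other integration that populates that ECS field, misrepresenting which recipients TAP actually observed. Scope it to the TAP datasets, e.g. `"query": "data_stream.dataset : proofpoint_tap.*"`, or list the four dataset names with `or` if a wildcard value is not wanted. The title would also read more naturally as `Top 10 Recipients [Logs Proofpoint TAP]`.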
diff --git a/packages/proofpoint_tap/kibana/lens/proofpoint_tap-5820b4a0-b5b1-11ec-a9d0-e94ed15a14b9.json b/packages/proofpoint_tap/kibana/lens/proofpoint_tap-5820b4a0-b5b1-11ec-a9d0-e94ed15a14b9.json new file mode 100644 index 00000000000..a8d881f6f2c --- /dev/null +++ b/packages/proofpoint_tap/kibana/lens/proofpoint_tap-5820b4a0-b5b1-11ec-a9d0-e94ed15a14b9.json 
@@ -0,0 +1,92 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "01c9ddee-f668-4ee5-8bb6-98e74d2e1439": { + "columnOrder": [ + "7d6f8989-f0ce-4a9c-b24e-42c9ad42431d", + "47666138-8fdd-4735-9a26-d5586276afe9" + ], + "columns": { + "47666138-8fdd-4735-9a26-d5586276afe9": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "7d6f8989-f0ce-4a9c-b24e-42c9ad42431d": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Sandbox Status", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "47666138-8fdd-4735-9a26-d5586276afe9", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "proofpoint_tap.message_blocked.message_parts.sandbox_status" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"proofpoint_tap.message_blocked\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "7d6f8989-f0ce-4a9c-b24e-42c9ad42431d" + ], + "layerId": "01c9ddee-f668-4ee5-8bb6-98e74d2e1439", + "layerType": "data", + "legendDisplay": "default", + "metric": "47666138-8fdd-4735-9a26-d5586276afe9", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Blocked Messages by Sandbox Status [Logs Proofpoint TAP]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.17.0", + "id": "proofpoint_tap-5820b4a0-b5b1-11ec-a9d0-e94ed15a14b9", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"indexpattern-datasource-layer-01c9ddee-f668-4ee5-8bb6-98e74d2e1439", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/proofpoint_tap/kibana/lens/proofpoint_tap-72f5f2d0-b5b2-11ec-a9d0-e94ed15a14b9.json b/packages/proofpoint_tap/kibana/lens/proofpoint_tap-72f5f2d0-b5b2-11ec-a9d0-e94ed15a14b9.json new file mode 100644 index 00000000000..b6b78067615 --- /dev/null +++ b/packages/proofpoint_tap/kibana/lens/proofpoint_tap-72f5f2d0-b5b2-11ec-a9d0-e94ed15a14b9.json 
@@ -0,0 +1,123 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "4b31f83f-2fc1-4509-8a5b-0c80eea8c627": { + "columnOrder": [ + "aec564b0-2091-4304-8a29-d839f9aec0aa", + "efe56213-9c9c-4215-91cd-907114802d3a" + ], + "columns": { + "aec564b0-2091-4304-8a29-d839f9aec0aa": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Quarantine Rule", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "efe56213-9c9c-4215-91cd-907114802d3a", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "proofpoint_tap.message_blocked.quarantine.rule" + }, + "efe56213-9c9c-4215-91cd-907114802d3a": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"proofpoint_tap.message_blocked\"" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "efe56213-9c9c-4215-91cd-907114802d3a" + ], + "layerId": "4b31f83f-2fc1-4509-8a5b-0c80eea8c627", + "layerType": "data", + "position": "top", + "seriesType": "bar", + "showGridlines": false, + "xAccessor": "aec564b0-2091-4304-8a29-d839f9aec0aa" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + 
"yRightExtent": { + "mode": "full" + } + } + }, + "title": "Distribution of Blocked Messages by Quarantine Rule [Logs Proofpoint TAP]", + "visualizationType": "lnsXY" + }, + "coreMigrationVersion": "7.17.0", + "id": "proofpoint_tap-72f5f2d0-b5b2-11ec-a9d0-e94ed15a14b9", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-4b31f83f-2fc1-4509-8a5b-0c80eea8c627", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/proofpoint_tap/kibana/lens/proofpoint_tap-80dd97f0-b5ca-11ec-a9d0-e94ed15a14b9.json b/packages/proofpoint_tap/kibana/lens/proofpoint_tap-80dd97f0-b5ca-11ec-a9d0-e94ed15a14b9.json new file mode 100644 index 00000000000..c44707ee39a --- /dev/null +++ b/packages/proofpoint_tap/kibana/lens/proofpoint_tap-80dd97f0-b5ca-11ec-a9d0-e94ed15a14b9.json 
@@ -0,0 +1,92 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "590e841c-2ef7-4ace-b981-4bb9d3160054": { + "columnOrder": [ + "7066eb8e-8f19-4826-adbb-7550c8ea2636", + "1bc5c276-8229-422d-bb16-a63859e6f34c" + ], + "columns": { + "1bc5c276-8229-422d-bb16-a63859e6f34c": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "7066eb8e-8f19-4826-adbb-7550c8ea2636": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Sandbox Status", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "1bc5c276-8229-422d-bb16-a63859e6f34c", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "proofpoint_tap.message_delivered.message_parts.sandbox_status" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"proofpoint_tap.message_delivered\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "7066eb8e-8f19-4826-adbb-7550c8ea2636" + ], + "layerId": "590e841c-2ef7-4ace-b981-4bb9d3160054", + "layerType": "data", + "legendDisplay": "default", + "metric": "1bc5c276-8229-422d-bb16-a63859e6f34c", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Delivered Messages by Sandbox Status [Logs Proofpoint TAP]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.17.0", + "id": "proofpoint_tap-80dd97f0-b5ca-11ec-a9d0-e94ed15a14b9", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"indexpattern-datasource-layer-590e841c-2ef7-4ace-b981-4bb9d3160054", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/proofpoint_tap/kibana/lens/proofpoint_tap-89f9d420-b5a7-11ec-a9d0-e94ed15a14b9.json b/packages/proofpoint_tap/kibana/lens/proofpoint_tap-89f9d420-b5a7-11ec-a9d0-e94ed15a14b9.json new file mode 100644 index 00000000000..64a8ebea53c --- /dev/null +++ b/packages/proofpoint_tap/kibana/lens/proofpoint_tap-89f9d420-b5a7-11ec-a9d0-e94ed15a14b9.json 
@@ -0,0 +1,92 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "f7d425df-4f7d-4e18-993d-b8a10cdffe22": { + "columnOrder": [ + "967f19a8-3944-4a64-a05f-037bcf1f238c", + "ea922d0b-14cf-4625-b038-71d6a627f340" + ], + "columns": { + "967f19a8-3944-4a64-a05f-037bcf1f238c": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Threat Status", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "ea922d0b-14cf-4625-b038-71d6a627f340", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "proofpoint_tap.clicks_blocked.threat.status" + }, + "ea922d0b-14cf-4625-b038-71d6a627f340": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"proofpoint_tap.clicks_blocked\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "967f19a8-3944-4a64-a05f-037bcf1f238c" + ], + "layerId": "f7d425df-4f7d-4e18-993d-b8a10cdffe22", + "layerType": "data", + "legendDisplay": "default", + "metric": "ea922d0b-14cf-4625-b038-71d6a627f340", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Blocked Clicks by Threat Status [Logs Proofpoint TAP]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.17.0", + "id": "proofpoint_tap-89f9d420-b5a7-11ec-a9d0-e94ed15a14b9", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"indexpattern-datasource-layer-f7d425df-4f7d-4e18-993d-b8a10cdffe22", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/proofpoint_tap/kibana/lens/proofpoint_tap-a0565740-b5af-11ec-a9d0-e94ed15a14b9.json b/packages/proofpoint_tap/kibana/lens/proofpoint_tap-a0565740-b5af-11ec-a9d0-e94ed15a14b9.json new file mode 100644 index 00000000000..a751663f758 --- /dev/null +++ b/packages/proofpoint_tap/kibana/lens/proofpoint_tap-a0565740-b5af-11ec-a9d0-e94ed15a14b9.json 
@@ -0,0 +1,92 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "a0987be1-b682-412e-8d46-a4ad00e985c1": { + "columnOrder": [ + "74697bb2-b72f-4b6e-b651-06f50ef31467", + "87ce1993-56c0-4458-9cb1-ae12af5a629a" + ], + "columns": { + "74697bb2-b72f-4b6e-b651-06f50ef31467": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Rewritten URL", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "87ce1993-56c0-4458-9cb1-ae12af5a629a", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "proofpoint_tap.message_blocked.completely_rewritten" + }, + "87ce1993-56c0-4458-9cb1-ae12af5a629a": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"proofpoint_tap.message_blocked\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "74697bb2-b72f-4b6e-b651-06f50ef31467" + ], + "layerId": "a0987be1-b682-412e-8d46-a4ad00e985c1", + "layerType": "data", + "legendDisplay": "default", + "metric": "87ce1993-56c0-4458-9cb1-ae12af5a629a", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Blocked Messages by Rewritten URL [Logs Proofpoint TAP]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.17.0", + "id": "proofpoint_tap-a0565740-b5af-11ec-a9d0-e94ed15a14b9", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"indexpattern-datasource-layer-a0987be1-b682-412e-8d46-a4ad00e985c1", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/proofpoint_tap/kibana/lens/proofpoint_tap-a1aed070-b5b1-11ec-a9d0-e94ed15a14b9.json b/packages/proofpoint_tap/kibana/lens/proofpoint_tap-a1aed070-b5b1-11ec-a9d0-e94ed15a14b9.json new file mode 100644 index 00000000000..1ee34ed7903 --- /dev/null +++ b/packages/proofpoint_tap/kibana/lens/proofpoint_tap-a1aed070-b5b1-11ec-a9d0-e94ed15a14b9.json 
@@ -0,0 +1,92 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "b71a1c6d-1b9f-4b5f-ad26-7de6a5601691": { + "columnOrder": [ + "73dab922-14a4-4c5c-a297-9873a91dad59", + "b12333e5-b88d-4a3e-96bb-467efc2745b5" + ], + "columns": { + "73dab922-14a4-4c5c-a297-9873a91dad59": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Threat Type", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "b12333e5-b88d-4a3e-96bb-467efc2745b5", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "proofpoint_tap.message_blocked.threat_info_map.threat.type" + }, + "b12333e5-b88d-4a3e-96bb-467efc2745b5": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"proofpoint_tap.message_blocked\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "73dab922-14a4-4c5c-a297-9873a91dad59" + ], + "layerId": "b71a1c6d-1b9f-4b5f-ad26-7de6a5601691", + "layerType": "data", + "legendDisplay": "default", + "metric": "b12333e5-b88d-4a3e-96bb-467efc2745b5", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Blocked Messages by Threat Type [Logs Proofpoint TAP]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.17.0", + "id": "proofpoint_tap-a1aed070-b5b1-11ec-a9d0-e94ed15a14b9", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"indexpattern-datasource-layer-b71a1c6d-1b9f-4b5f-ad26-7de6a5601691", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/proofpoint_tap/kibana/lens/proofpoint_tap-b2134d80-b5aa-11ec-a9d0-e94ed15a14b9.json b/packages/proofpoint_tap/kibana/lens/proofpoint_tap-b2134d80-b5aa-11ec-a9d0-e94ed15a14b9.json new file mode 100644 index 00000000000..d36afe3d9c9 --- /dev/null +++ b/packages/proofpoint_tap/kibana/lens/proofpoint_tap-b2134d80-b5aa-11ec-a9d0-e94ed15a14b9.json 
@@ -0,0 +1,92 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "1c93261b-da1f-4d85-aaaf-3457bdcc6ff4": { + "columnOrder": [ + "f13e79eb-00ed-4e68-98b5-b5c927055fec", + "0466e119-38e8-4d0a-a48f-9b2e7a89d213" + ], + "columns": { + "0466e119-38e8-4d0a-a48f-9b2e7a89d213": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "f13e79eb-00ed-4e68-98b5-b5c927055fec": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Classification", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "0466e119-38e8-4d0a-a48f-9b2e7a89d213", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "proofpoint_tap.clicks_permitted.classification" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"proofpoint_tap.clicks_permitted\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "f13e79eb-00ed-4e68-98b5-b5c927055fec" + ], + "layerId": "1c93261b-da1f-4d85-aaaf-3457bdcc6ff4", + "layerType": "data", + "legendDisplay": "default", + "metric": "0466e119-38e8-4d0a-a48f-9b2e7a89d213", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Permitted Clicks by Classification [Logs Proofpoint TAP]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.17.0", + "id": "proofpoint_tap-b2134d80-b5aa-11ec-a9d0-e94ed15a14b9", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"indexpattern-datasource-layer-1c93261b-da1f-4d85-aaaf-3457bdcc6ff4", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/proofpoint_tap/kibana/lens/proofpoint_tap-bb5e8d80-b5ca-11ec-a9d0-e94ed15a14b9.json b/packages/proofpoint_tap/kibana/lens/proofpoint_tap-bb5e8d80-b5ca-11ec-a9d0-e94ed15a14b9.json new file mode 100644 index 00000000000..0f67deea68b --- /dev/null +++ b/packages/proofpoint_tap/kibana/lens/proofpoint_tap-bb5e8d80-b5ca-11ec-a9d0-e94ed15a14b9.json 
@@ -0,0 +1,92 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "ecc13edd-9962-402c-b12e-180cccc46f08": { + "columnOrder": [ + "21d701b1-4d50-4480-94e0-bfd2616489f5", + "0bc203c5-ff36-4db6-ad1a-441828203815" + ], + "columns": { + "0bc203c5-ff36-4db6-ad1a-441828203815": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "21d701b1-4d50-4480-94e0-bfd2616489f5": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Threat Type", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "0bc203c5-ff36-4db6-ad1a-441828203815", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "proofpoint_tap.message_delivered.threat_info_map.threat.type" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"proofpoint_tap.message_delivered\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "21d701b1-4d50-4480-94e0-bfd2616489f5" + ], + "layerId": "ecc13edd-9962-402c-b12e-180cccc46f08", + "layerType": "data", + "legendDisplay": "default", + "metric": "0bc203c5-ff36-4db6-ad1a-441828203815", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Delivered Messages by Threat Type [Logs Proofpoint TAP]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.17.0", + "id": "proofpoint_tap-bb5e8d80-b5ca-11ec-a9d0-e94ed15a14b9", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"indexpattern-datasource-layer-ecc13edd-9962-402c-b12e-180cccc46f08", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/proofpoint_tap/kibana/lens/proofpoint_tap-d3107d90-b5c9-11ec-a9d0-e94ed15a14b9.json b/packages/proofpoint_tap/kibana/lens/proofpoint_tap-d3107d90-b5c9-11ec-a9d0-e94ed15a14b9.json new file mode 100644 index 00000000000..f7ce515a068 --- /dev/null +++ b/packages/proofpoint_tap/kibana/lens/proofpoint_tap-d3107d90-b5c9-11ec-a9d0-e94ed15a14b9.json 
@@ -0,0 +1,92 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "5b8645f9-f56a-44ea-b567-dad4d9da2824": { + "columnOrder": [ + "bc4689d4-0411-44f9-add5-ffa0705584dc", + "612fda22-416a-4171-8854-f9cb30a4ae05" + ], + "columns": { + "612fda22-416a-4171-8854-f9cb30a4ae05": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "bc4689d4-0411-44f9-add5-ffa0705584dc": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Classification", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "612fda22-416a-4171-8854-f9cb30a4ae05", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "proofpoint_tap.message_delivered.threat_info_map.classification" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"proofpoint_tap.message_delivered\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "bc4689d4-0411-44f9-add5-ffa0705584dc" + ], + "layerId": "5b8645f9-f56a-44ea-b567-dad4d9da2824", + "layerType": "data", + "legendDisplay": "default", + "metric": "612fda22-416a-4171-8854-f9cb30a4ae05", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Delivered Messages by Threat Classification [Logs Proofpoint TAP]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.17.0", + "id": "proofpoint_tap-d3107d90-b5c9-11ec-a9d0-e94ed15a14b9", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"indexpattern-datasource-layer-5b8645f9-f56a-44ea-b567-dad4d9da2824", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/proofpoint_tap/kibana/lens/proofpoint_tap-d3560780-b5c8-11ec-a9d0-e94ed15a14b9.json b/packages/proofpoint_tap/kibana/lens/proofpoint_tap-d3560780-b5c8-11ec-a9d0-e94ed15a14b9.json new file mode 100644 index 00000000000..6660eaa4fe0 --- /dev/null +++ b/packages/proofpoint_tap/kibana/lens/proofpoint_tap-d3560780-b5c8-11ec-a9d0-e94ed15a14b9.json 
@@ -0,0 +1,92 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "410012cf-d8df-4277-ac28-305ea82a09a3": { + "columnOrder": [ + "05e673b3-ec58-44eb-ad0b-c88a43e44a8a", + "68cf8e68-186a-40c7-a199-0463ca8741d8" + ], + "columns": { + "05e673b3-ec58-44eb-ad0b-c88a43e44a8a": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Rewritten URL", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "68cf8e68-186a-40c7-a199-0463ca8741d8", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "proofpoint_tap.message_delivered.completely_rewritten" + }, + "68cf8e68-186a-40c7-a199-0463ca8741d8": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"proofpoint_tap.message_delivered\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "05e673b3-ec58-44eb-ad0b-c88a43e44a8a" + ], + "layerId": "410012cf-d8df-4277-ac28-305ea82a09a3", + "layerType": "data", + "legendDisplay": "default", + "metric": "68cf8e68-186a-40c7-a199-0463ca8741d8", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Delivered Messages by Rewritten URL [Logs Proofpoint TAP]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.17.0", + "id": "proofpoint_tap-d3560780-b5c8-11ec-a9d0-e94ed15a14b9", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"indexpattern-datasource-layer-410012cf-d8df-4277-ac28-305ea82a09a3", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/proofpoint_tap/kibana/lens/proofpoint_tap-dc148bf0-b5a8-11ec-a9d0-e94ed15a14b9.json b/packages/proofpoint_tap/kibana/lens/proofpoint_tap-dc148bf0-b5a8-11ec-a9d0-e94ed15a14b9.json new file mode 100644 index 00000000000..0a16c6c33bc --- /dev/null +++ b/packages/proofpoint_tap/kibana/lens/proofpoint_tap-dc148bf0-b5a8-11ec-a9d0-e94ed15a14b9.json 
@@ -0,0 +1,89 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "062ab937-584b-4266-b89a-e0965350fd15": { + "columnOrder": [ + "b4231a92-a121-4d7b-8975-7deb595868c2", + "e4a9c4a7-4e05-4669-8842-47a87900ad7c" + ], + "columns": { + "b4231a92-a121-4d7b-8975-7deb595868c2": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "URL", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "e4a9c4a7-4e05-4669-8842-47a87900ad7c", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "url.full" + }, + "e4a9c4a7-4e05-4669-8842-47a87900ad7c": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "b4231a92-a121-4d7b-8975-7deb595868c2", + "isTransposed": false + }, + { + "columnId": "e4a9c4a7-4e05-4669-8842-47a87900ad7c", + "isTransposed": false + } + ], + "layerId": "062ab937-584b-4266-b89a-e0965350fd15", + "layerType": "data" + } + }, + "title": "Top 10 Malicious URL [Logs Proofpoint TAP]", + "visualizationType": "lnsDatatable" + }, + "coreMigrationVersion": "7.17.0", + "id": "proofpoint_tap-dc148bf0-b5a8-11ec-a9d0-e94ed15a14b9", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-062ab937-584b-4266-b89a-e0965350fd15", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file 
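Review bot: This datatable's `"query": ""` carries no dataset constraint, whereas the pie objects in the same series scope themselves with `data_stream.dataset : "proofpoint_tap.<stream>"`; since the reference is the shared `logs-*` index pattern, the terms aggregation on `url.full` will count URLs from any other integration that populates that ECS field unless the enclosing dashboard supplies the filter (not visible here). The same empty query appears in the `email.x_mailer` XY object and in both map objects further down. Either add a dataset filter on each object (one of the `proofpoint_tap.*` datasets named in this package, chosen to match the field), or record in the object `description` that the panel relies on the dashboard-level query.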
diff --git a/packages/proofpoint_tap/kibana/lens/proofpoint_tap-e3c98870-b5b0-11ec-a9d0-e94ed15a14b9.json b/packages/proofpoint_tap/kibana/lens/proofpoint_tap-e3c98870-b5b0-11ec-a9d0-e94ed15a14b9.json new file mode 100644 index 00000000000..d771fbe8c08 --- /dev/null +++ b/packages/proofpoint_tap/kibana/lens/proofpoint_tap-e3c98870-b5b0-11ec-a9d0-e94ed15a14b9.json 
@@ -0,0 +1,92 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "f2e404cb-ffef-4218-a7d7-20a1972f7fe5": { + "columnOrder": [ + "86527e47-1073-45bd-8f35-657f4d277b62", + "f40e0576-52c6-4c09-8b8e-446699fed30e" + ], + "columns": { + "86527e47-1073-45bd-8f35-657f4d277b62": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Threat Status", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "f40e0576-52c6-4c09-8b8e-446699fed30e", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "proofpoint_tap.message_blocked.threat_info_map.threat.status" + }, + "f40e0576-52c6-4c09-8b8e-446699fed30e": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"proofpoint_tap.message_blocked\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "86527e47-1073-45bd-8f35-657f4d277b62" + ], + "layerId": "f2e404cb-ffef-4218-a7d7-20a1972f7fe5", + "layerType": "data", + "legendDisplay": "default", + "metric": "f40e0576-52c6-4c09-8b8e-446699fed30e", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Blocked Messages by Threat Status [Logs Proofpoint TAP]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.17.0", + "id": "proofpoint_tap-e3c98870-b5b0-11ec-a9d0-e94ed15a14b9", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"indexpattern-datasource-layer-f2e404cb-ffef-4218-a7d7-20a1972f7fe5", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/proofpoint_tap/kibana/lens/proofpoint_tap-e741c9d0-b5b1-11ec-a9d0-e94ed15a14b9.json b/packages/proofpoint_tap/kibana/lens/proofpoint_tap-e741c9d0-b5b1-11ec-a9d0-e94ed15a14b9.json new file mode 100644 index 00000000000..0261506f727 --- /dev/null +++ b/packages/proofpoint_tap/kibana/lens/proofpoint_tap-e741c9d0-b5b1-11ec-a9d0-e94ed15a14b9.json 
@@ -0,0 +1,121 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "657c0ea2-d756-4c8e-8638-4a2cf8a00bad": { + "columnOrder": [ + "4507c7f7-7878-40d4-905f-50360a596573", + "d7959ce0-0861-4dd4-bdb3-42d8578ebd2f" + ], + "columns": { + "4507c7f7-7878-40d4-905f-50360a596573": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Email Mailer", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "d7959ce0-0861-4dd4-bdb3-42d8578ebd2f", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "email.x_mailer" + }, + "d7959ce0-0861-4dd4-bdb3-42d8578ebd2f": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "d7959ce0-0861-4dd4-bdb3-42d8578ebd2f" + ], + "layerId": "657c0ea2-d756-4c8e-8638-4a2cf8a00bad", + "layerType": "data", + "seriesType": "bar", + "xAccessor": "4507c7f7-7878-40d4-905f-50360a596573" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "Distribution of Messages by Email X_Mailer [Logs Proofpoint TAP]", + "visualizationType": 
"lnsXY" + }, + "coreMigrationVersion": "7.17.0", + "id": "proofpoint_tap-e741c9d0-b5b1-11ec-a9d0-e94ed15a14b9", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-657c0ea2-d756-4c8e-8638-4a2cf8a00bad", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/proofpoint_tap/kibana/lens/proofpoint_tap-eff98e20-b5aa-11ec-a9d0-e94ed15a14b9.json b/packages/proofpoint_tap/kibana/lens/proofpoint_tap-eff98e20-b5aa-11ec-a9d0-e94ed15a14b9.json new file mode 100644 index 00000000000..9b59636ba23 --- /dev/null +++ b/packages/proofpoint_tap/kibana/lens/proofpoint_tap-eff98e20-b5aa-11ec-a9d0-e94ed15a14b9.json 
@@ -0,0 +1,92 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "c4191f86-9c54-4a06-a3dd-842b3ef7c241": { + "columnOrder": [ + "a3e04efb-2f37-464b-a6f2-23c0e19d790d", + "40a5f8c4-9eb3-4dcf-8520-acdb820944df" + ], + "columns": { + "40a5f8c4-9eb3-4dcf-8520-acdb820944df": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "a3e04efb-2f37-464b-a6f2-23c0e19d790d": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Threat Status", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "40a5f8c4-9eb3-4dcf-8520-acdb820944df", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "proofpoint_tap.clicks_permitted.threat.status" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"proofpoint_tap.clicks_permitted\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "a3e04efb-2f37-464b-a6f2-23c0e19d790d" + ], + "layerId": "c4191f86-9c54-4a06-a3dd-842b3ef7c241", + "layerType": "data", + "legendDisplay": "default", + "metric": "40a5f8c4-9eb3-4dcf-8520-acdb820944df", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Permitted Clicks by Threat Status [Logs Proofpoint TAP]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.17.0", + "id": "proofpoint_tap-eff98e20-b5aa-11ec-a9d0-e94ed15a14b9", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"indexpattern-datasource-layer-c4191f86-9c54-4a06-a3dd-842b3ef7c241", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/proofpoint_tap/kibana/lens/proofpoint_tap-fb0adc60-b5af-11ec-a9d0-e94ed15a14b9.json b/packages/proofpoint_tap/kibana/lens/proofpoint_tap-fb0adc60-b5af-11ec-a9d0-e94ed15a14b9.json new file mode 100644 index 00000000000..ed61751782f --- /dev/null +++ b/packages/proofpoint_tap/kibana/lens/proofpoint_tap-fb0adc60-b5af-11ec-a9d0-e94ed15a14b9.json 
@@ -0,0 +1,92 @@ +{ + "attributes": { + "description": "", + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "e327fec5-d799-4b3f-acfc-32c1ecaac682": { + "columnOrder": [ + "f096fb9b-5208-4f47-b5a5-0ad3de754fda", + "8b4a490d-a36c-4a6a-86b0-7dea7d28c2c8" + ], + "columns": { + "8b4a490d-a36c-4a6a-86b0-7dea7d28c2c8": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "f096fb9b-5208-4f47-b5a5-0ad3de754fda": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Classification", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "8b4a490d-a36c-4a6a-86b0-7dea7d28c2c8", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "proofpoint_tap.message_blocked.threat_info_map.classification" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"proofpoint_tap.message_blocked\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "f096fb9b-5208-4f47-b5a5-0ad3de754fda" + ], + "layerId": "e327fec5-d799-4b3f-acfc-32c1ecaac682", + "layerType": "data", + "legendDisplay": "default", + "metric": "8b4a490d-a36c-4a6a-86b0-7dea7d28c2c8", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Distribution of Blocked Messages by Threat Classification [Logs Proofpoint TAP]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.17.0", + "id": "proofpoint_tap-fb0adc60-b5af-11ec-a9d0-e94ed15a14b9", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"indexpattern-datasource-layer-e327fec5-d799-4b3f-acfc-32c1ecaac682", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/proofpoint_tap/kibana/map/proofpoint_tap-31abbc50-b5d6-11ec-a9d0-e94ed15a14b9.json b/packages/proofpoint_tap/kibana/map/proofpoint_tap-31abbc50-b5d6-11ec-a9d0-e94ed15a14b9.json new file mode 100644 index 00000000000..44fa31031c9 --- /dev/null +++ b/packages/proofpoint_tap/kibana/map/proofpoint_tap-31abbc50-b5d6-11ec-a9d0-e94ed15a14b9.json 
@@ -0,0 +1,119 @@ +{ + "attributes": { + "description": "", + "layerListJSON": [ + { + "alpha": 1, + "id": "c6a42104-e390-4c56-8ef8-5bd774773e72", + "includeInFitToBounds": true, + "label": null, + "maxZoom": 24, + "minZoom": 0, + "sourceDescriptor": { + "isAutoSelect": true, + "type": "EMS_TMS" + }, + "style": { + "type": "TILE" + }, + "type": "VECTOR_TILE", + "visible": true + }, + { + "alpha": 0.75, + "id": "f8e2c82c-56b8-425d-a79d-ab24baf35f89", + "includeInFitToBounds": true, + "label": "Sender", + "maxZoom": 24, + "minZoom": 0, + "sourceDescriptor": { + "applyForceRefresh": true, + "applyGlobalQuery": true, + "applyGlobalTime": true, + "geoField": "source.geo.location", + "id": "ce99667c-f3a0-4d3c-b0d0-6e6ba88f1a9e", + "indexPatternRefName": "layer_1_source_index_pattern", + "metrics": [ + { + "label": "Count", + "type": "count" + } + ], + "requestType": "heatmap", + "resolution": "COARSE", + "type": "ES_GEO_GRID" + }, + "style": { + "colorRampName": "theclassic", + "type": "HEATMAP" + }, + "type": "HEATMAP", + "visible": true + } + ], + "mapStateJSON": { + "center": { + "lat": 33.09876, + "lon": 73.8871 + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "refreshConfig": { + "interval": 0, + "isPaused": true + }, + "settings": { + "autoFitToDataBounds": false, + "backgroundColor": "#ffffff", + "browserLocation": { + "zoom": 2 + }, + "disableInteractive": false, + "disableTooltipControl": false, + "fixedLocation": { + "lat": 0, + "lon": 0, + "zoom": 2 + }, + "hideLayerControl": false, + "hideToolbarOverlay": false, + "hideViewControl": false, + "initialLocation": "LAST_SAVED_LOCATION", + "maxZoom": 24, + "minZoom": 0, + "showScaleControl": false, + "showSpatialFilters": true, + "showTimesliderToggleButton": true, + "spatialFiltersAlpa": 0.3, + "spatialFiltersFillColor": "#DA8B45", + "spatialFiltersLineColor": "#DA8B45" + }, + "timeFilters": { + "from": "now-1y/d", + "to": "now" + }, + "zoom": 1.91 + }, + "title": "Sender of Messages 
by Region [Logs Proofpoint TAP]", + "uiStateJSON": { + "isLayerTOCOpen": true, + "openTOCDetails": [] + } + }, + "coreMigrationVersion": "7.17.0", + "id": "proofpoint_tap-31abbc50-b5d6-11ec-a9d0-e94ed15a14b9", + "migrationVersion": { + "map": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "layer_1_source_index_pattern", + "type": "index-pattern" + } + ], + "type": "map" +} \ No newline at end of file diff --git a/packages/proofpoint_tap/kibana/map/proofpoint_tap-40a91cd0-c197-11ec-aabc-2f1ab05698f9.json b/packages/proofpoint_tap/kibana/map/proofpoint_tap-40a91cd0-c197-11ec-aabc-2f1ab05698f9.json new file mode 100644 index 00000000000..8266761a653 --- /dev/null +++ b/packages/proofpoint_tap/kibana/map/proofpoint_tap-40a91cd0-c197-11ec-aabc-2f1ab05698f9.json 
@@ -0,0 +1,119 @@ +{ + "attributes": { + "description": "", + "layerListJSON": [ + { + "alpha": 1, + "id": "1d744b4f-b6df-4195-bfea-8e64340b7da1", + "includeInFitToBounds": true, + "label": null, + "maxZoom": 24, + "minZoom": 0, + "sourceDescriptor": { + "isAutoSelect": true, + "type": "EMS_TMS" + }, + "style": { + "type": "TILE" + }, + "type": "VECTOR_TILE", + "visible": true + }, + { + "alpha": 0.75, + "id": "48984da5-6c09-4c75-86d5-b9c1791d120d", + "includeInFitToBounds": true, + "label": "Clicks", + "maxZoom": 24, + "minZoom": 0, + "sourceDescriptor": { + "applyForceRefresh": true, + "applyGlobalQuery": true, + "applyGlobalTime": true, + "geoField": "destination.geo.location", + "id": "35e48033-3f9a-4228-98be-980fff6c70a1", + "indexPatternRefName": "layer_1_source_index_pattern", + "metrics": [ + { + "label": "Count", + "type": "count" + } + ], + "requestType": "heatmap", + "resolution": "COARSE", + "type": "ES_GEO_GRID" + }, + "style": { + "colorRampName": "theclassic", + "type": "HEATMAP" + }, + "type": "HEATMAP", + "visible": true + } + ], + "mapStateJSON": { + "center": { + "lat": 19.94277, + "lon": 0 + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "refreshConfig": { + "interval": 0, + "isPaused": true + }, + "settings": { + "autoFitToDataBounds": false, + "backgroundColor": "#ffffff", + "browserLocation": { + "zoom": 2 + }, + "disableInteractive": false, + "disableTooltipControl": false, + "fixedLocation": { + "lat": 0, + "lon": 0, + "zoom": 2 + }, + "hideLayerControl": false, + "hideToolbarOverlay": false, + "hideViewControl": false, + "initialLocation": "LAST_SAVED_LOCATION", + "maxZoom": 24, + "minZoom": 0, + "showScaleControl": false, + "showSpatialFilters": true, + "showTimesliderToggleButton": true, + "spatialFiltersAlpa": 0.3, + "spatialFiltersFillColor": "#DA8B45", + "spatialFiltersLineColor": "#DA8B45" + }, + "timeFilters": { + "from": "now-1y/d", + "to": "now" + }, + "zoom": 1.14 + }, + "title": "Clicks on URL by 
Region [Logs Proofpoint TAP]", + "uiStateJSON": { + "isLayerTOCOpen": true, + "openTOCDetails": [] + } + }, + "coreMigrationVersion": "7.17.0", + "id": "proofpoint_tap-40a91cd0-c197-11ec-aabc-2f1ab05698f9", + "migrationVersion": { + "map": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "layer_1_source_index_pattern", + "type": "index-pattern" + } + ], + "type": "map" +} \ No newline at end of file diff --git a/packages/proofpoint_tap/kibana/search/proofpoint_tap-00dd5660-af9b-11ec-bf43-c372803d141d.json b/packages/proofpoint_tap/kibana/search/proofpoint_tap-00dd5660-af9b-11ec-bf43-c372803d141d.json new file mode 100644 index 00000000000..a4ea02f2eec --- /dev/null +++ b/packages/proofpoint_tap/kibana/search/proofpoint_tap-00dd5660-af9b-11ec-bf43-c372803d141d.json @@ -0,0 +1,44 @@ +{ + "attributes": { + "columns": [ + "email.message_id", + "email.sender.address", + "email.to.address", + "email.subject", + "source.ip" + ], + "description": "", + "grid": {}, + "hideChart": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Messages Essential Details [Logs Proofpoint TAP]" + }, + "coreMigrationVersion": "7.17.0", + "id": "proofpoint_tap-00dd5660-af9b-11ec-bf43-c372803d141d", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/proofpoint_tap/kibana/search/proofpoint_tap-717803c0-b130-11ec-8e58-3fc548a48fe4.json b/packages/proofpoint_tap/kibana/search/proofpoint_tap-717803c0-b130-11ec-8e58-3fc548a48fe4.json new file mode 100644 index 00000000000..1ef1d4cfb67 --- /dev/null 
+++ b/packages/proofpoint_tap/kibana/search/proofpoint_tap-717803c0-b130-11ec-8e58-3fc548a48fe4.json @@ -0,0 +1,43 @@ +{ + "attributes": { + "columns": [ + "event.created", + "email.message_id", + "email.from.address", + "email.to.address" + ], + "description": "", + "grid": {}, + "hideChart": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Clicks Essential Details [Logs Proofpoint TAP]" + }, + "coreMigrationVersion": "7.17.0", + "id": "proofpoint_tap-717803c0-b130-11ec-8e58-3fc548a48fe4", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/proofpoint_tap/manifest.yml b/packages/proofpoint_tap/manifest.yml new file mode 100644 index 00000000000..69c83c7db53 --- /dev/null +++ b/packages/proofpoint_tap/manifest.yml 
@@ -0,0 +1,84 @@
+format_version: 1.0.0
+name: proofpoint_tap
+title: Proofpoint TAP
+version: 0.1.0
+license: basic
+description: Collect logs from Proofpoint TAP with Elastic Agent.
+type: integration
+categories:
+ - security
+release: beta
+conditions:
+ kibana.version: ^7.17.0 || ^8.0.0
+screenshots:
+ - src: /img/proofpoint_tap-screenshot.png
+ title: Proofpoint TAP blocked clicks dashboard screenshot
+ size: 600x600
+ type: image/png
+icons:
+ - src: /img/proofpoint_tap-logo.svg
+ title: Proofpoint TAP logo
+ size: 32x32
+ type: image/svg+xml
+policy_templates:
+ - name: Proofpoint TAP
+ title: Proofpoint_TAP logs
+ description: Collect proofpoint_tap logs.
+ inputs:
+ - type: httpjson
+ title: Collect Proofpoint TAP logs via API
+ description: Collecting Proofpoint TAP logs via API.
+ vars:
+ - name: url
+ type: text
+ title: URL
+ description: Proofpoint TAP URL. Find URL in the console dashboard at the beginning of the web address.
+ required: true
+ - name: principal
+ type: text
+ title: Principal
+ description: Principal for the Basic Authentication.
+ required: true
+ - name: secret
+ type: password
+ title: Secret Key
+ description: Secret Key for the Basic Authentication.
+ required: true
+ - name: proxy_url
+ type: text
+ title: Proxy URL
+ multi: false
+ required: false
+ show_user: false
+ description: URL to proxy connections in the form of http[s]://:@:. Please ensure your username and password are in URL encoded format.
+ - name: ssl
+ type: yaml
+ title: SSL Configuration
+ description: i.e. certificate_authorities, supported_protocols, verification_mode etc.
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ #certificate_authorities:
+ # - |
+ # -----BEGIN CERTIFICATE-----
+ # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
+ # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
+ # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
+ # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
+ # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
+ # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
+ # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
+ # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
+ # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
+ # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
+ # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
+ # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
+ # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
+ # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
+ # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
+ # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
+ # sxSmbIUfc2SGJGCJD4I=
+ # -----END CERTIFICATE-----
+owner:
+ github: elastic/security-external-integrations
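Review bot: The `proxy_url` description reads `http[s]://:@:` — the user, password, host and port placeholders appear to have been lost (angle-bracketed placeholders are commonly stripped on rendering), so the documented format is unreadable to the person filling in the field; write it in a form that survives rendering, e.g. `description: URL to proxy connections in the form of http[s]://USER:PASSWORD@HOST:PORT. Please ensure your username and password are in URL encoded format.` The same var is declared `type: text` although the description tells the user to embed the proxy credentials in it, so unlike `secret` (`type: password`) that password will be displayed and stored unmasked in the policy; either say so in the description or, if the var type supports it, declare it as `password`. `title: Proofpoint_TAP logs` on the policy template also uses an underscore where every other title in the file spells `Proofpoint TAP`.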