Fix proofpoint schema (demisto#29037)

evisochek · eepstain · yasta5 · xsoar-bot · commit fcba5d0d6e37 · 2023-10-05T11:32:31.000Z
* update schema

* update rn

* add emails

* ad bracet

* update rn

* Update ProofpointThreatResponseModelingRules_1_3_schema.json

* Update ProofpointThreatResponseModelingRules_1_3_schema.json

* Update 2_0_13.md

* update rn

* Modified the parsing rule header to match the modeling rule.
Modified the modeling rule to refer to event and not events.

* Modified the id and name of the parsing rule and the modeling rule.

* Modified the release note.

* Modified the modeling rule and the schema file

---------

Co-authored-by: eepstain &lt;116078117+eepstain@users.noreply.github.com&gt;
Co-authored-by: Yehonatan Asta &lt;yasta@paloaltonetworks.com&gt;
Co-authored-by: Dan Sterenson &lt;38375556+dansterenson@users.noreply.github.com&gt;
diff --git a/Packs/ProofpointThreatResponse/ModelingRules/ProofpointThreatResponseModelingRules_1_3/ProofpointThreatResponseModelingRules_1_3.xif b/Packs/ProofpointThreatResponse/ModelingRules/ProofpointThreatResponseModelingRules_1_3/ProofpointThreatResponseModelingRules_1_3.xif
@@ -1,28 +1,32 @@
 [MODEL: dataset = proofpoint_threat_response_raw]
-//| alter XDM.Email.event_timestamp = updated_at
-alter xdm.event.id = to_string(id),
-    xdm.alert.category = json_extract_scalar(events, "$.category"),
-    xdm.alert.severity = json_extract_scalar(events, "$.severity"),
-    emails = arrayindex(json_extract_array(events, "$.emails"), 0),
-    attacker_ip_1 = json_extract_scalar(hosts, "$.attacker.0"),
-    attacker_ip_2 = json_extract_scalar(hosts, "$.attacker.1"),
-    attacker_ip_3 = json_extract_scalar(hosts, "$.attacker.2")
-| alter xdm.email.sender = json_extract_scalar(emails, "$.sender.email"),
-    xdm.email.message_id = json_extract_scalar(emails, "$.messageId"),
-    xdm.email.subject = json_extract_scalar(emails, "$.subject"),
-    xdm.email.recipients = arraycreate(coalesce(json_extract_scalar(emails, "$.recipient.email"), "")),
-    incident_field_values = incident_field_values -> [],
-    src_ipv4 = arraycreate(attacker_ip_1, attacker_ip_2, attacker_ip_3)
-| alter xdm.alert.name = json_extract_scalar(arrayindex(incident_field_values, 1), "$.value"),
-    xdm.alert.description = json_extract_scalar(events, "$.description"),
-    xdm.email.attachment.path = json_extract_scalar(events, "$.fileName"),
-    xdm.alert.original_alert_id = json_extract_scalar(events, "$.id"),
-    xdm.source.ipv4 = 
-		to_string(
-    		if(arrayindex(src_ipv4, 0) ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", arrayindex(src_ipv4, 0), 
-				if(arrayindex(src_ipv4, 1) ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", arrayindex(src_ipv4, 1), 
-					if(arrayindex(src_ipv4, 2) ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", arrayindex(src_ipv4, 2), null 
-					)
-				)
-			)
-		);
+// Parsing fields
+alter
+        emails = arrayindex(json_extract_array(event, "$.emails"), 0),
+        attacker_ip_1 = json_extract_scalar(hosts, "$.attacker.0"),
+        attacker_ip_2 = json_extract_scalar(hosts, "$.attacker.1"),
+        attacker_ip_3 = json_extract_scalar(hosts, "$.attacker.2"),
+        incident_field_values = incident_field_values -> []
+| alter
+        src_ipv4 = arraycreate(attacker_ip_1, attacker_ip_2, attacker_ip_3)
+// Mapping fields
+| alter
+        xdm.event.id = to_string(id),
+        xdm.alert.category = json_extract_scalar(event, "$.category"),
+        xdm.alert.severity = json_extract_scalar(event, "$.severity"),
+        xdm.email.sender = json_extract_scalar(emails, "$.sender.email"),
+        xdm.email.message_id = json_extract_scalar(emails, "$.messageId"),
+        xdm.email.subject = json_extract_scalar(emails, "$.subject"),
+        xdm.email.recipients = arraycreate(coalesce(json_extract_scalar(emails, "$.recipient.email"), "")),
+        xdm.alert.name = json_extract_scalar(arrayindex(incident_field_values, 1), "$.value"),
+        xdm.alert.description = json_extract_scalar(event, "$.description"),
+        xdm.email.attachment.path = json_extract_scalar(event, "$.fileName"),
+        xdm.alert.original_alert_id = to_string(json_extract_scalar(event, "$.id")),
+        xdm.source.ipv4 =
+            to_string(
+                if(arrayindex(src_ipv4, 0) ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", arrayindex(src_ipv4, 0),
+                    if(arrayindex(src_ipv4, 1) ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", arrayindex(src_ipv4, 1),
+                        if(arrayindex(src_ipv4, 2) ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", arrayindex(src_ipv4, 2), null
+                        )
+                    )
+                )
+            );
diff --git a/Packs/ProofpointThreatResponse/ModelingRules/ProofpointThreatResponseModelingRules_1_3/ProofpointThreatResponseModelingRules_1_3.yml b/Packs/ProofpointThreatResponse/ModelingRules/ProofpointThreatResponseModelingRules_1_3/ProofpointThreatResponseModelingRules_1_3.yml
@@ -1,5 +1,5 @@
 fromversion: 6.10.0
-id: proofpoint_threat_response_collection
+id: proofpoint_threat_response_ModelingRule
 name: Proofpoint Threat Response Modeling Rule
 rules: ''
 schema: ''
diff --git a/Packs/ProofpointThreatResponse/ModelingRules/ProofpointThreatResponseModelingRules_1_3/ProofpointThreatResponseModelingRules_1_3_schema.json b/Packs/ProofpointThreatResponse/ModelingRules/ProofpointThreatResponseModelingRules_1_3/ProofpointThreatResponseModelingRules_1_3_schema.json
@@ -1,12 +1,20 @@
 {
   "proofpoint_threat_response_raw": {
     "id": {
+      "type": "int",
+      "is_array": false
+    },
+    "event": {
+      "type": "string",
+      "is_array": false
+    },
+    "hosts": {
       "type": "string",
       "is_array": false
     },
-    "events": {
+    "incident_field_values": {
       "type": "string",
       "is_array": false
     }
   }
-}
+}
diff --git a/Packs/ProofpointThreatResponse/ParsingRules/ProofpointThreatResponse/ProofpointThreatResponse.xif b/Packs/ProofpointThreatResponse/ParsingRules/ProofpointThreatResponse/ProofpointThreatResponse.xif
@@ -1,3 +1,3 @@
-[INGEST:vendor="proofpoint", product="trap", target_dataset="proofpoint_trap_raw", no_hit=keep]
+[INGEST:vendor = "proofpoint", product = "threat_response", target_dataset = "proofpoint_threat_response_raw", no_hit = keep]
 filter to_string(updated_at) ~= ".*\d{2}:\d{2}:\d{2}.*"
 | alter _time = updated_at;
diff --git a/Packs/ProofpointThreatResponse/ParsingRules/ProofpointThreatResponse/ProofpointThreatResponse.yml b/Packs/ProofpointThreatResponse/ParsingRules/ProofpointThreatResponse/ProofpointThreatResponse.yml
@@ -1,5 +1,5 @@
-id: proofpoint_threat_response
-name: Proofpoint Threat Response
+id: proofpoint_threat_response_ParsingRule
+name: Proofpoint Threat Response Parsing Rule
 fromversion: 6.10.0
 tags: []
 rules: ''
diff --git a/Packs/ProofpointThreatResponse/ReleaseNotes/2_0_13.md b/Packs/ProofpointThreatResponse/ReleaseNotes/2_0_13.md
@@ -0,0 +1,8 @@
+#### Modeling Rules
+##### Proofpoint Threat Response Modeling Rule
+- Updated the schema with the missing fields "hosts", "emails" and "incident_field_values".
+
+#### Parsing Rules
+##### Proofpoint Threat Response Parsing Rule
+- Updated the dataset name.
+
diff --git a/Packs/ProofpointThreatResponse/pack_metadata.json b/Packs/ProofpointThreatResponse/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Proofpoint Threat Response",
     "description": "Use the Proofpoint Threat Response integration to orchestrate and automate incident response.",
     "support": "xsoar",
-    "currentVersion": "2.0.12",
+    "currentVersion": "2.0.13",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",
