Merge pull request #1023 from Azure/ProofPoint_Bugbash

Proofpoint Bug Bash changes
This commit is contained in:
Shain 2020-08-31 23:38:36 -07:00 committed by GitHub
Parents 8e2026337d 283c306b05
Commit 780590159a
No known key found for this signature
GPG key ID: 4AEE18F83AFDEB23
2 changed files: 3 additions and 3 deletions

View file

@ -1,7 +1,7 @@
id: 0558155e-4556-447e-9a22-828f2a7de06b
name: Malware attachment delivered
description: |
'Creates an incident in the event a message containing a malware attachment was delivered.'
'This query identifies a message containing a malware attachment that was delivered.'
severity: Medium
requiredDataConnectors:
- connectorId: ProofpointTAP
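Review bot: the new description on the `+` line keeps its surrounding single quotes (`'This query identifies a message containing a malware attachment that was delivered.'`) inside a `description: |` literal block scalar, so the quote characters become part of the rendered description text; drop the quotes or use a plain scalar instead. Also note that the visible part of the query in the next hunk filters only on `threatType =~ "attachment" and classification =~ "malware"`; confirm that the portion of the query not shown here restricts results to delivered messages, otherwise the "was delivered" in both name and description is not enforced by the logic.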
@ -26,4 +26,4 @@ query: |
| extend filename = tostring(messageParts_s.filename)
| where threatType =~ "attachment" and classification =~ "malware"
| summarize filenames = make_set(filename), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by TimeGenerated, Sender = sender_s, SenderIPAddress = senderIP_s, Recipient = recipient_s, threatType, classification, Subject = subject_s
| extend timestamp = StartTime, extend AccountCustomEntity = Sender, IPCustomEntity = SenderIPAddress
| extend timestamp = StartTime, extend AccountCustomEntity = Recipient, IPCustomEntity = SenderIPAddress
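Review bot: the `+` line still carries a stray second `extend` keyword inside the comma-separated list (`| extend timestamp = StartTime, extend AccountCustomEntity = Recipient, IPCustomEntity = SenderIPAddress`); `extend` takes a comma-separated list of column assignments, so this will fail to parse and the rule will not run. Since the line is being touched anyway, suggest `| extend timestamp = StartTime, AccountCustomEntity = Recipient, IPCustomEntity = SenderIPAddress`. Switching the account entity from Sender to Recipient is the right call for a delivered-malware rule, since the recipient is the account at risk. Separately, the unchanged `summarize` line groups `by TimeGenerated` while also computing `StartTime = min(TimeGenerated)` and `EndTime = max(TimeGenerated)`, so every event is its own group, StartTime always equals EndTime and `count()` is always 1; removing `TimeGenerated` from the `by` clause would let the aggregation (and `make_set(filename)`) do what the rest of the line intends.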

View file

@ -1,7 +1,7 @@
id: 8675dd7a-795e-4d56-a79c-fc848c5ee61c
name: Malware Link Clicked
description: |
'Creates an incident in the event a user clicks on an email link that is classified as a malware.'
'This query identifies a user clicking on an email link whose threat category is classified as a malware'
severity: Medium
requiredDataConnectors:
- connectorId: ProofpointTAP
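Review bot: the new description on the `+` line reads "classified as a malware" and has no terminating period; suggest `'This query identifies a user clicking on an email link whose threat category is classified as malware.'`. As in the first file, the single quotes sit inside a `description: |` block scalar and will be rendered literally, so they should be removed or the scalar made plain.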