From 283c306b05d2dc78964af8841d5dbbefa3702f1d Mon Sep 17 00:00:00 2001
From: "Ajeet Prakash (MSTIC)"
Date: Mon, 31 Aug 2020 07:51:25 -0700
Subject: [PATCH] Proofpoint Bug Bash changes

---
 Detections/ProofpointTAP/MalwareAttachmentDelivered.yaml | 4 ++--
 Detections/ProofpointTAP/MalwareLinkClicked.yaml | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/Detections/ProofpointTAP/MalwareAttachmentDelivered.yaml b/Detections/ProofpointTAP/MalwareAttachmentDelivered.yaml
index 9f83f5e5d0..f4edb95454 100644
--- a/Detections/ProofpointTAP/MalwareAttachmentDelivered.yaml
+++ b/Detections/ProofpointTAP/MalwareAttachmentDelivered.yaml
@@ -1,7 +1,7 @@
 id: 0558155e-4556-447e-9a22-828f2a7de06b
 name: Malware attachment delivered
 description: |
- 'Creates an incident in the event a message containing a malware attachment was delivered.'
+ 'This query identifies a message containing a malware attachment that was delivered.'
 severity: Medium
 requiredDataConnectors:
 - connectorId: ProofpointTAP
@@ -26,4 +26,4 @@ query: |
 | extend filename = tostring(messageParts_s.filename)
 | where threatType =~ "attachment" and classification =~ "malware"
 | summarize filenames = make_set(filename), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by TimeGenerated, Sender = sender_s, SenderIPAddress = senderIP_s, Recipient = recipient_s, threatType, classification, Subject = subject_s
- | extend timestamp = StartTime, extend AccountCustomEntity = Sender, IPCustomEntity = SenderIPAddress
+ | extend timestamp = StartTime, extend AccountCustomEntity = Recipient, IPCustomEntity = SenderIPAddress
diff --git a/Detections/ProofpointTAP/MalwareLinkClicked.yaml b/Detections/ProofpointTAP/MalwareLinkClicked.yaml
index 0e67a095e4..dbea86b703 100644
--- a/Detections/ProofpointTAP/MalwareLinkClicked.yaml
+++ b/Detections/ProofpointTAP/MalwareLinkClicked.yaml
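Review bot: The added line in the second hunk of MalwareAttachmentDelivered.yaml, `| extend timestamp = StartTime, extend AccountCustomEntity = Recipient, IPCustomEntity = SenderIPAddress`, repeats the `extend` keyword inside the column list, which is not valid KQL; the commit swaps the mapped entity from Sender to Recipient but carries the syntax error over, so the rule query presumably fails validation instead of producing alerts. The line should read `| extend timestamp = StartTime, AccountCustomEntity = Recipient, IPCustomEntity = SenderIPAddress`. Separately, the preceding `summarize` context line groups `by TimeGenerated` while also computing `min(TimeGenerated)`, `max(TimeGenerated)` and `count()`, which likely collapses every group to a single event and makes StartTime, EndTime and the count degenerate — worth confirming that grouping is intended. The `query:` block begins outside the hunk.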
@@ -1,7 +1,7 @@
 id: 8675dd7a-795e-4d56-a79c-fc848c5ee61c
 name: Malware Link Clicked
 description: |
- 'Creates an incident in the event a user clicks on an email link that is classified as a malware.'
+ 'This query identifies a user clicking on an email link whose threat category is classified as a malware'
 severity: Medium
 requiredDataConnectors:
 - connectorId: ProofpointTAP
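Review bot: The new description in MalwareLinkClicked.yaml drops the closing period that the sibling MalwareAttachmentDelivered.yaml description keeps in this same patch, and "classified as a malware" puts an article on an uncountable noun; suggest `'This query identifies a user clicking on an email link whose threat category is classified as malware.'`. The rest of the rule, including the query block, lies outside this hunk.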