IBM Security Resilient

Expand all | Collapse all

ProofPoint TAP Filtering

Jump to Best Answer
  • 1.  ProofPoint TAP Filtering

    Posted Mon February 24, 2020 01:00 PM
    I was wondering if anyone else had determined how to filter out the blocked events. I could write a script to do this in Resilient, but I would prefer to not have a million incidents created that are going to be automatically closed. I see that I can filter based on URL or Attachment etc... I want to also filter on if they were blocked or not.

    Also does this auto update previously created incidents if they suddenly are marked as a false positive by ProofPoint?

    Any help is greatly appreciated.

    ------------------------------
    Nick Mumaw
    ------------------------------


  • 2.  RE: ProofPoint TAP Filtering

    Posted Tue February 25, 2020 10:02 AM
    I looked through the TAP integration code and did not see a way to filter by one of the four event types (messagesBlocked, messagesDelivered, clicksPermitted, clicksBlocked).  To do this, you would probably need to modify fn_proofpoint_tap\components\fn_pp_threat_polling.py and add in functionality to ignore certain event types around line 173 (within the for data in datas loop).

    for data in datas:
        if 'eventType' in data and data['eventType'] == 'messagesBlocked':
            pass

    That same loop does look for existing incidents within Resilient, but it looks like it only adds new artifacts.

    ------------------------------
    David Vasil
    ------------------------------



  • 3.  RE: ProofPoint TAP Filtering

    Posted Tue February 25, 2020 10:35 AM
    Thanks! I also added a pass for clicksBlocked. Hopefully this will work! Also not sure if you know, but does this also update tickets that later get marked as false positives?

    Thanks!

    ------------------------------
    Nick Mumaw
    ------------------------------



  • 4.  RE: ProofPoint TAP Filtering
    Best Answer

    Posted Tue February 25, 2020 03:08 PM
    Hello Nick,

    At the moment this function polls events for all clicks and messages relating to known threats within the specified time period. Endpoint /v2/siem/all is hardcoded in the code. As a workaround you could edit it in https://github.com/ibmresilient/resilient-community-apps/blob/8f4ffdebb5f0f5bf180ee22858b47bfaf681423b/fn_proofpoint_tap/fn_proofpoint_tap/util/proofpoint_common.py#L40 and use any of the other available endpoints:

    /v2/siem/clicks/blocked Fetch events for clicks to malicious URLs blocked in the specified time period
    /v2/siem/clicks/permitted Fetch events for clicks to malicious URLs permitted in the specified time period
    /v2/siem/messages/blocked Fetch events for messages blocked in the specified time period which contained a known threat
    /v2/siem/messages/delivered Fetch events for messages delivered in the specified time period which contained a known threat
    /v2/siem/issues Fetch events for clicks to malicious URLs permitted and messages delivered containing a known attachment threat within the specified time period
    /v2/siem/all Fetch events for all clicks and messages relating to known threats within the specified time period

    We plan to make an update to have a separate setting in app.config to define the endpoint to use. I hope this will help.

    David's suggestion is also a good one!

    We do not auto update previously created incidents based on false positive flag. Could you tell me more about how this would work? I see in the TAP API documentation threatStatus has falsePositive value so maybe we could include something like this in one of the future releases.

    Thanks,
    Tamara

    ------------------------------
    Tamara Zlender
    Integrations Engineer - IBM Resilient
    ------------------------------



  • 5.  RE: ProofPoint TAP Filtering

    Posted Thu February 27, 2020 10:22 AM
    Hey Tamara,

    I appreciate that input. After doing what David suggested I noticed that I was getting incidents of delivered email that were URL. Well since they were delivered and determined that the URL was bad they were blocking it and is now not a concern. What I needed was the Issues API which from what you suggested I changed the script. Hopefully this will work.

    As for the false positives, We regularly see incidents from ProofPoint that they flag as a bad URL or bad attachment that later gets closed as a false positive. We because their TAP events (emails that say if something needs addressed or not) work these incidents and can later be marked as a false positive. I would like, and was working on building a script that could do this, to have the update procedure check to see if the any of the previously determined incidents were marked as false positive and then close them automatically. This could either be done by the poller or could be something within the Resilient platform that uses the threatID or campaignID to look up the incident and determine if any changes have been done with them.

    Hope this helps, but feel free to reach out again with any questions!

    Thanks!

    ------------------------------
    Nick Mumaw
    ------------------------------



  • 6.  RE: ProofPoint TAP Filtering

    Posted Thu February 27, 2020 10:35 AM
    Also if I could add one more thing, it would be nice if we can have some kind of template that would allow us to put the information gathered from the poller into the incident in the way that we want to as well as defined standard or default owners and other fields and artifacts.

    Thanks!

    ------------------------------
    Nick Mumaw
    ------------------------------