CRTX-143494-ProofPoint-CASB (demisto#37846)

* init

* added readme file

* fixed readme file

* added folder

* fix

* fixed README.md

* Update ProofpointCasb.xif

* CR fix

---------

Co-authored-by: eepstain <[email protected]>

Packs/ProofpointCasb/ModelingRules/ProofpointCasb/ProofpointCasb.xif

@@ -0,0 +1,40 @@
+[MODEL: dataset = proofpoint_casb_raw]
+  alter os = lowercase(event -> remote.client.device.os.name), 
+        email = event -> user.email, 
+        group = event -> resources[0].permissions.share.level.designation, 
+        owner = event -> resources[0].owner.user.name, 
+        last_modified = to_string(event -> resources[0].modifiedAt),
+        src_ipv4 = if(event -> remote.client.ip ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", event -> remote.client.ip, null),
+        src_ipv6 = if(event -> remote.client.ip ~= "[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}", event -> remote.client.ip, null)
+| alter xdm.source.location.country = event -> remote.client.geo.address.country.name,
+        xdm.source.location.latitude = to_float(event -> remote.client.geo.coordinates.lat),
+        xdm.source.location.longitude = to_float(event -> remote.client.geo.coordinates.lon),  
+        xdm.source.location.region = event -> remote.client.geo.address.area1.name,
+        xdm.source.location.city = event -> remote.client.geo.address.area2.name,
+        xdm.source.ipv4 = src_ipv4,
+        xdm.source.ipv6 = src_ipv6,
+        xdm.source.host.os = os,
+        xdm.source.host.os_family = if(os contains "windows", XDM_CONST.OS_FAMILY_WINDOWS, os contains "mac", XDM_CONST.OS_FAMILY_MACOS, os contains "linux", XDM_CONST.OS_FAMILY_LINUX, os contains "android", XDM_CONST.OS_FAMILY_ANDROID, os contains "ios", XDM_CONST.OS_FAMILY_IOS, os contains "ubuntu", XDM_CONST.OS_FAMILY_UBUNTU, os contains "debian", XDM_CONST.OS_FAMILY_DEBIAN, os contains "fedora", XDM_CONST.OS_FAMILY_FEDORA, os contains "centos", XDM_CONST.OS_FAMILY_CENTOS, os contains "chrome", XDM_CONST.OS_FAMILY_CHROMEOS, os contains "solaris", XDM_CONST.OS_FAMILY_SOLARIS, os contains "scada", XDM_CONST.OS_FAMILY_SCADA, null),
+        xdm.alert.subcategory = event -> activity.primaryCategory,
+        xdm.target.file.size = to_integer(event -> activity.stats.size),
+        xdm.observer.content_version = event -> rver,
+        xdm.network.rule = event -> incident.reasons[0].name,
+        xdm.source.asn.isp = event -> remote.host.ip.isp.name,
+        xdm.source.user_agent = event -> remote.client.agent.description,
+        xdm.event.id = event -> id,
+        xdm.target.file.path = event -> resources[0].path,
+        xdm.target.file.extension = event -> resources[0].extension,
+        xdm.target.file.file_type = event -> resources[0].kind,
+        xdm.target.file.filename = event -> resources[0].name,
+        xdm.target.file.directory = arrayindex(regextract(event -> resources[0].path, "^(.+?)\/[^\/]+$"), 0),
+        xdm.source.user.first_name = event -> user.firstName,
+        xdm.source.user.last_name = event -> user.lastName,
+        xdm.source.user.username = event -> user.name,
+        xdm.source.user.groups = event -> user.groups[],
+        xdm.source.user.identifier = event -> user.id,
+        xdm.alert.severity = event -> incident.severity,
+        xdm.observer.type = event -> feed.kind,
+        xdm.observer.name = event -> feed.data.source.kind,
+        xdm.network.application_protocol = event -> remote.protocol,
+        xdm.event.description = object_create("user.email",email,"file.owner:",owner,"file.last.modified",last_modified),
+        xdm.target.url = event -> resources[0].url;

Packs/ProofpointCasb/ModelingRules/ProofpointCasb/ProofpointCasb.yml

@@ -0,0 +1,5 @@
+fromversion: 8.2.0
+id: ProofpointCASB_ModelingRule
+name: ProofpointCASB Modeling Rule
+rules: ''
+schema: ''

Packs/ProofpointCasb/ModelingRules/ProofpointCasb/ProofpointCasb_schema.json

@@ -0,0 +1,10 @@
+{
+    "proofpoint_casb_raw": {
+      "event": {
+        "type": "string",
+        "is_array": false
+      }
+    }
+  }
+
+

Packs/ProofpointCasb/ParsingRules/ProofpointCasb/ProofpointCasb.xif

@@ -0,0 +1,5 @@
+[INGEST:vendor="proofpoint", product="casb", target_dataset="proofpoint_casb_raw", no_hit=keep]
+config case_sensitive=false 
+| alter tmp_timestamp = event -> event.occurredAt
+| filter tmp_timestamp ~= "\d{4}\-\d{2}\-\d{2}T\d{2}\:\d{2}\:\d{2}\.\d{3}Z"
+| alter _time = parse_timestamp("%Y-%m-%dT%H:%M:%E3SZ", tmp_timestamp);

Packs/ProofpointCasb/ParsingRules/ProofpointCasb/ProofpointCasb.yml

@@ -0,0 +1,6 @@
+name: ProofpointCASB Parsing Rule
+id: ProofpointCASB_ParsingRule
+fromversion: 8.2.0
+tags: []
+rules: ''
+samples: ''

Packs/ProofpointCasb/README.md

@@ -0,0 +1,43 @@
+### Proofpoint CASB
+This pack includes parsing and modeling rules for Proofpoint CASB logs sent via HTTP Event Collector.
+
+### Supported Timestamp Formats:
+Timestamp is extracted from the occurredAt field with the following format - yyyy-mm-ddTHH:MM:SS.SSSZ
+
+### Collect Events from Proofpoint CASB (XSIAM)
+
+**On XSIAM side:**
+
+1. Navigate to **Settings** -> **Data Sources** -> **Add Data Source**.
+2. From the Type dropdown list, select **Custom Integrations**.
+3. Click **Custom - HTTP based Collector**.
+4. Click **Connect**.
+5. Set the following values:
+   - Name as `Proofpoint CASB`
+   - Compression as `uncompressed`
+   - Log Format as `JSON`
+   - Vendor as `proofpoint`
+   - Product as `casb`
+6. Creating a new HTTP Log Collector will allow you to generate a unique token. Save it since it will be used later.
+7. Click the 3 dots next to the newly created instance and copy the **API Url**. It will also be used later.
+
+**On Proofpoint CASB side:**
+
+ [Link to Proofpoint webhook docs](https://docs.public.analyze.proofpoint.com/admin/notification_policies_webhooks.htm)
+
+<u>Guidelines:</u>
+1. Navigate to **Integrations** >  **Notification Policies**. Click **New Notification**.
+2. Select **For Rules** > **Create**.
+3. Name the new policy as "Forward events to XSIAM".
+4. Click **Add** in the Webhooks area.
+5. From the dropdown, select **Generic Template**.
+6. In the **URL** field paste the **API Url** from the last section.
+7. In the **Method** field select **POST**.
+8. In the **Headers** field do the following:
+    a. Click **Add Row**.
+    b. Add the value **Authorization** to the **Name** field of the first row. 
+    c. In the **Value** field paste the unique token you created in the last section.
+    d. Add the value **Content-Type** to the **Name** field of the second row. 
+    e. In the **Value** field add the value **application/json**.
+9. In the **Data** section use the given default format.
+10. Click **Save**.

Packs/ProofpointCasb/pack_metadata.json

@@ -0,0 +1,25 @@
+{
+    "name": "Proofpoint CASB",
+    "description": "Parsing and modeling rules for Proofpoint CASB logs",
+    "support": "xsoar",
+    "currentVersion": "1.0.0",
+    "author": "Cortex XSOAR",
+    "url": "https://www.paloaltonetworks.com/cortex",
+    "email": "",
+    "categories": [
+        "Analytics & SIEM"
+    ],
+    "tags": [
+        "Security",
+        "Compliance"
+    ],
+    "useCases": [],
+    "keywords": [
+        "proofpoint",
+        "casb",
+        "cloud security"
+    ],
+    "marketplaces": [
+        "marketplacev2"
+    ]
+}