TAP alerts & Tickets Sob Story Of the Day

One pain for me is having to decide, on each new TAP alert with global artifacts, if this is gonna be a 1:1 ticket/TAP event or not.

To clarify: when a new TAP alert comes in, I have it set to create a new SNOW incident. But TAP sends 10x emails for the same bad email, one for each recipient of the same email… same sender… really annoying.

Any ideas?

My decision tree is ugly as all get out.

Hayden, if you’re creating a SNOW ticket for each one, what about doing a lookup in SNOW to see if we already have a ticket for the e-mail? I’m thinking something like:

  1. e-mail comes in
  2. search snow for existing ticket
    1. decision point
      1. if ticket exists, update ticket to reference this additional alert
      2. if ticket doesn’t exist, create it.
    2. join paths with ticket-id as join-step variable
  3. proceed with workflow, appending comments to the SNOW ticket as the workflow progresses - using the ticket-id from the join-step

What would you search by in the tickets?

My original problem is consistently looking for a unique field in the new alert that is never empty

That brought me to the GUID, which worked… until the GUID changed every 6 times, etc.

So now I'm just checking like this:

  1. If subject: check whether the global exists; if not, add it.
  2. If no subject: check sender; check whether the global exists; if not, add it.
  3. If no subject or sender: use the GUID (last resort).

I do like your ticket idea. I may have to just start searching tickets for the URL from the alert, which seems to remain unique and constant.

Yeah, I think the URL may be the only thing that stays consistent (at least based on your description).

Looking at the TAP plugin output, what about incorporating the threat_id? Maybe group all events together using date delivered (derived by taking just the bit of the time_delivered variable before the T), sender_ip, and threat_id? You could just concat them together and use either the hashit or base64 plugin to construct a unique key to write to the ticket as your own “incident key”.

I’m just not sure with proofpoint if the threat_id is linked to the specific threat or if it’s an ID associated with the detection instance.
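Putting the two suggestions in this thread together (search SNOW for an existing ticket, then create or update it, keyed on date delivered + sender_ip + threat_id), here is an added example of what that decision point looks like in code. It is not code from any poster or from the TAP or ServiceNow plugins: the alerts are constructed sample records using the field names mentioned above, `TicketStore` is an in-memory stand-in for the SNOW search/create/update steps, and `hashlib.sha256` stands in for the hashit plugin. It also refuses to build a key from an empty `sender_ip` or `threat_id`, since a blank field would otherwise collapse unrelated alerts into one ticket (the same "never empty" problem described earlier in the thread).

```python
import hashlib

# Constructed sample TAP alerts (not real Proofpoint output). The same
# malicious e-mail delivered to three recipients produces three alerts;
# a different e-mail from another sender produces the fourth.
SAMPLE_ALERTS = [
    {"recipient": "alice@example.com", "sender_ip": "203.0.113.10",
     "threat_id": "threat-a", "time_delivered": "2020-03-02T14:01:07.000Z",
     "subject": "Invoice attached"},
    {"recipient": "bob@example.com", "sender_ip": "203.0.113.10",
     "threat_id": "threat-a", "time_delivered": "2020-03-02T14:01:09.000Z",
     "subject": "Invoice attached"},
    {"recipient": "carol@example.com", "sender_ip": "203.0.113.10",
     "threat_id": "threat-a", "time_delivered": "2020-03-02T14:01:12.000Z",
     "subject": "Invoice attached"},
    {"recipient": "dave@example.com", "sender_ip": "198.51.100.7",
     "threat_id": "threat-b", "time_delivered": "2020-03-02T15:30:00.000Z",
     "subject": "Password reset"},
]

KEY_FIELDS = ("sender_ip", "threat_id")


def incident_key(alert):
    """Derive the per-incident key proposed in the thread: the date part of
    time_delivered (text before the 'T'), sender_ip and threat_id, joined
    and hashed. sha256 stands in for the hashit/base64 plugin step."""
    time_delivered = alert.get("time_delivered") or ""
    if "T" not in time_delivered:
        raise ValueError("time_delivered missing or not ISO-8601: %r" % time_delivered)
    parts = [time_delivered.split("T", 1)[0]]
    for field in KEY_FIELDS:
        value = alert.get(field)
        # Refuse to build a key from an empty field: otherwise every alert with
        # a blank threat_id (or sender_ip) would collapse into one ticket.
        if not value:
            raise ValueError("alert is missing %s; cannot build incident key" % field)
        parts.append(value)
    return hashlib.sha256("|".join(parts).encode("utf-8")).hexdigest()


class TicketStore:
    """In-memory stand-in for the ServiceNow search/create/update steps
    (assumption: the real workflow would call the SNOW plugin instead)."""

    def __init__(self):
        self._tickets = {}   # incident key -> ticket dict
        self._next_id = 1

    def search(self, key):
        return self._tickets.get(key)

    def create(self, key, alert):
        ticket = {
            "id": "INC%07d" % self._next_id,   # constructed ticket number
            "incident_key": key,
            "subject": alert.get("subject"),
            "alerts": [alert["recipient"]],
            "work_notes": ["Ticket opened for recipient %s" % alert["recipient"]],
        }
        self._next_id += 1
        self._tickets[key] = ticket
        return ticket

    def update(self, ticket, alert):
        ticket["alerts"].append(alert["recipient"])
        ticket["work_notes"].append(
            "Additional TAP alert for recipient %s" % alert["recipient"])
        return ticket


def process_alert(store, alert):
    """The decision point from the thread: look up by incident key, create the
    ticket if absent, otherwise update it. Returns (ticket_id, action) so the
    rest of the workflow can carry the ticket id as its join-step variable."""
    key = incident_key(alert)
    ticket = store.search(key)
    if ticket is None:
        ticket = store.create(key, alert)
        return ticket["id"], "created"
    store.update(ticket, alert)
    return ticket["id"], "updated"


def run_sample():
    """Feed the constructed alerts through the workflow; returns the store
    and the (ticket_id, action) result for each alert in order."""
    store = TicketStore()
    results = [process_alert(store, a) for a in SAMPLE_ALERTS]
    return store, results


if __name__ == "__main__":
    store, results = run_sample()
    for alert, (ticket_id, action) in zip(SAMPLE_ALERTS, results):
        print("%s -> %s (%s)" % (alert["recipient"], ticket_id, action))
```

With the sample data the first alert creates a ticket and the next two update it, while the fourth (different sender and threat_id) opens a second ticket. Whether threat_id identifies the threat or the detection instance, as questioned above, decides whether this key groups correctly across a campaign; if it turns out to be per-detection, the URL from the alert would be the replacement component.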