one pain for me is to have to decide on each new TAP alert with global artifacts if this is gonna be a 1:1 ticket/tap event or not.
To clarify when a new tap alert comes in, I have it set to create a new SNOW incident. But TAP sends 10x emails for the same bad email, one for each recipient of the same email…same sender… really annoying
any ideas
my decision tree is ugly as all get out
Hayden, if you’re creating a SNOW ticket for each one, what about doing a lookup in SNOW to see if we already have a ticket for the e-mail? I’m thinking something like:
what would you search by in the tickets?
My original problem is consistently looking for a unique field in the new alert that is never empty
that brought me to the GUID which worked… until the GUID changed every 6 times, etc.
so now im just checking like this:
I do like your ticket idea I may have to just start searching tickets for the URL from the alert that seems to remain unique and constant.
Yeah, I think the URL may be the only thing that stays consistent (at least based on your description).
Looking at the TAP plugin output, what about incorporating the threat_id? Maybe group all events together using date delivered (derived by taking just the bit of the time_delivered variable before the T), sender_ip, and threat_id? You could just concat them together and use either the hashit or base64 plugin to construct a unique key to write to the ticket as your own “incident key”.
I’m just not sure with proofpoint if the threat_id is linked to the specific threat or if it’s an ID associated with the detection instance.