Overview

PerceptionPoint is a Prevention-as-a-Service company, offering fast interception of any content-based attack across all channels.

PerceptionPoint products scan content across various channels, including: email, internalemail, onedrivebiz, analyze, s3, dropbox, etc.

Integrating PerceptionPoint into Hunters allows the collection and ingestion of key data types into the data lake. Furthermore, alerts are created over the logs, auto-investigated, and correlated with other related signals.

Supported data types

PerceptionPoint’s API provides the following data types:

  1. Scans - Information on every email message scanned by PerceptionPoint, including details of the scanned email, its recipients, and the verdicts.

Sending data to Hunters

API Integration

Hunters supports API collection for PerceptionPoint scans. To enable it, supply the following API key in the Hunters platform (it is a secret credential and should be stored there rather than in shared configuration files):

  • Client token

Expected Format

If PerceptionPoint’s events are already being collected in your environment, they can be shipped to Hunters via shared blob storage such as AWS S3. The expected format for the events is:

Scans example

{
"origin": "email",
"sub_verdict": "MAL",
"scan_layers": [
"Anti Spam",
"Anti Phishing"
],
"finished_at": "2022-04-11T10:55:21.624222",
"group_keys": [
"domain-gmail.com"
],
"marked_as_fp_by": null,
"evidence": [
{
"category": "",
"confidence": 0.0,
"description": "",
"scan_id": "",
"root_scan_id": "",
"identifiers": "[]",
"trace_id": "",
"name": "new_sender_vector",
"verdict": "",
"key": "",
"timestamp": 1649674510.30517,
"data": {},
"full_key": ""
}
],
"sample": {
"receiver_domain": "",
"cc_addresses": "",
"from_address": "",
"recipients": "",
"delivery_time": null,
"return_path_address_main_domain": "gmail.com",
"source_ip": "",
"links": {},
"sender_domain": "gmail.com",
"headers": null,
"to_addresses": "undisclosed-recipients:;",
"sha1": "",
"file_size": null,
"pe_icon_link": null,
"sha256": "",
"message_id": "",
"return_path_address_mail_box": "",
"md5": ""
},
"images": [
{
"id": "",
"links": {
"image": ""
},
"description": "Email Image"
}
],
"max_group_size": 18,
"id": "",
"verbose_automation_status": null,
"organization_name": "",
"confidence": 0.0,
"max_external_bulk_size": 179627,
"scan_engines": [],
"verdict_changed_at": "2022-04-11T10:55:21.273247",
"decisions": [],
"sample_type_str": "email",
"full_scan_id": "",
"ir_decision": null,
"highlighted": false,
"parent_organization_name": "",
"payload_type": "payloadless",
"attachment": "",
"sample_from": "",
"search_descendants": [
{
"envelope_to": "",
"from_address": "",
"scan_layers": [
"Anti Spam",
"Anti Phishing"
],
"group_keys": [
"domain-gmail.com"
],
"parent_scan_id": "",
"scan_traces_count": 0,
"decisions": [
{
"verdict": "MAL",
"decision_name": "IR - empty subject + undisclosed recipients"
}
],
"subject": "",
"verbose_status": "CMP",
"scan_id": "",
"sample_type_str": "email",
"source": "",
"sample_from": "",
"sample_sha256": "",
"recipients": "",
"verbose_verdict": "MAL",
"malicious_file_link": null,
"to_addresses": "undisclosed-recipients:;",
"verdict_changed_by": "System",
"receiver_domain": "",
"original_message_id": "",
"source_ip": "",
"upload": "",
"headers": null,
"reply_to": "",
"sample_title": ""
}
],
"verbose_status": "CMP",
"verbose_verdict": "MAL",
"is_highlighted": null,
"organization_id": 377,
"was_requested_for_investigation": false,
"queued_for_bulk_action": false,
"verbose_origin": "Exchange",
"sample_to": "",
"attachments_names": null,
"root_scan_summary": {
"verbose_verdict": "MAL",
"is_fn": false,
"sub_verdict": "MAL",
"was_requested_for_investigation": false
},
"handle_status": "AAP",
"root_scan_id": "",
"created_at": "2022-04-11T10:55:08.732808",
"verbose_confidence": null,
"verbose_action": "SCANNED",
"is_fn": false,
"sample_file_type": "eml",
"sub_origin": "",
"sample_title": "",
"sample_to_type": "user",
"sample_from_type": "user"
}