Issue with SecOps User Reported Phishing v2 - URL Observables

Description

The emails being forwarded to ServiceNow have URLs encoded / rewritten by Proofpoint URL Defense. We are observing that the native ServiceNow Observable parsing engine is not handling these URLs appropriately:

1) ServiceNow strips the $ off the end of the URLs, which breaks the encoded URL so the Analyst cannot use it.
2) ServiceNow sometimes parses out the true URL, embedded between the two "__" in the URL string, and sometimes does not.

Steps to Reproduce

1) Install SIR and URP 2.0.
2) Forward emails into ServiceNow with Proofpoint encoded URLs (the same technology we use at ServiceNow).
3) Notice that Phish records and SIR records are created.
4) Notice that the URLs parsed out to create Observables are broken.
5) Notice that no proper URL is parsed out that we can provide to a supported Threat Lookup provider.

Workaround

Attached is the modified version of the script include: EmailUserReportedPhishing

The new method _decodeURLFromProofpointv3 (line 522) decodes the URLs that are encoded by Proofpoint v3. The new method is invoked in line 498, inside the method _getObservablesFromText.

Please import the attached XML and the issue will not occur.

Related Problem: PRB1489536
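
The decoding step the workaround describes, as an added JavaScript example that is not the attached script include or ServiceNow's code. It assumes the URL Defense v3 layout used by Proofpoint's published decoder (replaced characters carried as URL-safe base64 between ";" and "!", with "*" and "**X" placeholders in the embedded URL), which this page does not spell out; the function names, the extraction regex and the sample URL are constructed for illustration.

```javascript
// Added example: names below are hypothetical, not from the attached script include.
// Run-length alphabet for "**X" tokens: 'A' = 2 characters, 'B' = 3, and so on.
const RUN_ALPHABET =
  'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';

// Match a whole rewritten URL, keeping the trailing "$" that plain URL
// tokenizers tend to treat as punctuation. Host and token charset are assumptions.
const V3_URL = /https?:\/\/[^\s\/]+\/v3\/__\S+?__;[A-Za-z0-9_-]*!![A-Za-z0-9_-]*\$/g;

function extractProofpointV3(text) {
  return text.match(V3_URL) || [];
}

function decodeProofpointV3(rewritten) {
  const m = /\/v3\/__(.+?)__;([A-Za-z0-9_-]*)!/.exec(rewritten);
  if (!m) return null; // not a v3 rewrite
  // The rewrite can collapse "scheme://" to "scheme:/"; restore the second slash.
  let url = m[1].replace(/^([a-z0-9+.-]+:\/)([^\/])/i, '$1/$2');
  try { url = decodeURIComponent(url); } catch (e) { /* keep raw on bad escapes */ }
  // Replaced characters travel as URL-safe base64 between ";" and "!".
  const b64 = m[2].replace(/-/g, '+').replace(/_/g, '/');
  const chars = Array.from(Buffer.from(b64, 'base64').toString('utf8'));
  let pos = 0;
  // "*" consumes one replaced character, "**X" consumes a run of them.
  return url.replace(/\*(\*.)?/g, (token) => {
    const n = token.length === 1 ? 1 : RUN_ALPHABET.indexOf(token[2]) + 2;
    const out = chars.slice(pos, pos + n).join('');
    pos += n;
    return out;
  });
}

// Constructed sample text (not real mail): one rewritten link inside a sentence.
const SAMPLE_URL = 'https://urldefense.com/v3/__https:/example.test/docs/*intro?ids=**A__;I1td!!CONSTRUCTED-token$';
const SAMPLE_TEXT = 'Please review ' + SAMPLE_URL + ' today.';

console.log(extractProofpointV3(SAMPLE_TEXT).map(decodeProofpointV3));
```

The decoder reads only up to the first "!", so the target URL is still recoverable from an observable whose trailing "$" was already stripped, even though the rewritten link itself no longer resolves.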