natesmalley · natesmalley · Feb 19, 2026 · Feb 18, 2026
diff --git a/Backend/api/app/services/scenario_service.py b/Backend/api/app/services/scenario_service.py
@@ -260,6 +260,70 @@ async def start_scenario(
 
         return execution_id
 
+    async def start_correlation_scenario(
+        self, 
+        scenario_id: str, 
+        siem_context: Dict[str, Any],
+        speed: str = "fast", 
+        dry_run: bool = False,
+        background_tasks=None
+    ) -> str:
+        """Start correlation scenario execution with SIEM context"""
+        execution_id = str(uuid.uuid4())
+
+        self.running_scenarios[execution_id] = {
+            "scenario_id": scenario_id,
+            "execution_id": execution_id,
+            "status": "running",
+            "started_at": datetime.utcnow().isoformat(),
+            "speed": speed,
+            "dry_run": dry_run,
+            "siem_context": siem_context,
+            "progress": 0
+        }
+
+        if background_tasks:
+            background_tasks.add_task(self._execute_correlation_scenario, execution_id, scenario_id, siem_context)
+
+        return execution_id
+
+    async def _execute_correlation_scenario(self, execution_id: str, scenario_id: str, siem_context: Dict[str, Any]):
+        """Execute correlation scenario with SIEM context"""
+        import sys
+        import os
+        from pathlib import Path
+
+        # Add scenarios directory to path
+        scenarios_dir = Path(__file__).parent.parent.parent / "scenarios"
+        if str(scenarios_dir) not in sys.path:
+            sys.path.insert(0, str(scenarios_dir))
+
+        try:
+            # Set SIEM context environment variable for the scenario
+            siem_context_json = json.dumps(siem_context)
+            os.environ['SIEM_CONTEXT'] = siem_context_json
+
+            # Import and run the scenario
+            module = __import__(scenario_id)
+            scenario_result = module.generate_apollo_ransomware_scenario(siem_context=siem_context)
+
+            # Update execution status
+            if execution_id in self.running_scenarios:
+                self.running_scenarios[execution_id]["status"] = "completed"
+                self.running_scenarios[execution_id]["progress"] = 100
+                self.running_scenarios[execution_id]["completed_at"] = datetime.utcnow().isoformat()
+                self.running_scenarios[execution_id]["result"] = scenario_result
+
+        except Exception as e:
+            logger.error(f"Correlation scenario execution failed: {e}")
+            if execution_id in self.running_scenarios:
+                self.running_scenarios[execution_id]["status"] = "failed"
+                self.running_scenarios[execution_id]["error"] = str(e)
+                self.running_scenarios[execution_id]["completed_at"] = datetime.utcnow().isoformat()
+        finally:
+            # Clean up environment variable
+            os.environ.pop('SIEM_CONTEXT', None)
+
     async def _execute_scenario(self, execution_id: str, scenario: Dict[str, Any]):
         """Execute scenario in background"""
         try:

diff --git a/Backend/event_generators/email_security/proofpoint.py b/Backend/event_generators/email_security/proofpoint.py
@@ -192,8 +192,18 @@ def proofpoint_log(overrides: dict | None = None) -> Dict:
     Pass `overrides` to force any field to a specific value:
         proofpoint_log({"phishScore": 95})
     """
-    # Determine threat type
-    threat_type = random.choice(THREAT_TYPES)
+    # Apply overrides first to determine threat type
+    if overrides:
+        # If phishScore is high, make it malicious
+        if overrides.get("phishScore", 0) > 50:
+            threat_type = random.choice(["phish", "malware", "spam"])
+        elif overrides.get("phishScore", 0) == 0:
+            threat_type = "none"
+        else:
+            threat_type = random.choice(THREAT_TYPES)
+    else:
+        threat_type = random.choice(THREAT_TYPES)
+
     is_malicious = threat_type != "none"
 
     # Generate sender and recipient
@@ -275,6 +285,26 @@ def proofpoint_log(overrides: dict | None = None) -> Dict:
     # Add message parts
     event["messageParts"] = _generate_message_parts(threat_type)
 
+    # Add click-related fields for parser detection
+    if is_malicious:
+        event["clickIP"] = _generate_ip()
+        event["clickTime"] = (message_time + timedelta(minutes=random.randint(1, 30))).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
+        event["threatURL"] = f"https://threatinsight.proofpoint.com/#/threat_id/{uuid.uuid4()}"
+        event["userAgent"] = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
+        event["event.type"] = "Click"
+    else:
+        event["event.type"] = "Email"
+
+    # Add unmapped fields and other required fields
+    event["unmapped.classification"] = threat_type
+    event["unmapped.recipient"] = recipient_email
+    event["unmapped.sender"] = sender_email
+    event["url.url_string"] = f"https://threatinsight.proofpoint.com/#/threat_id/{uuid.uuid4()}"
+    event["device.ip"] = _generate_ip()
+
+    # Add timestamp field directly
+    event["timestamp"] = message_time.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
+
     # Add SPF, DKIM, DMARC results
     event["spf"] = random.choice(["pass", "fail", "softfail", "neutral", "none"])
     event["dkimv"] = random.choice(["pass", "fail", "none"])