Proofpoint Protection Server v2
Proofpoint Protection Server Pack.#
This Integration is part of theProofpoint email security appliance.
This integration was integrated and tested with the following versions of Proofpoint Protection Server:
- Cloud 8.16.2
- On-premise 8.14.2
#
AuthenticationAn administrator must have a role that includes access to a specific REST API.
Proofpoint on Demand (PoD) administrators must file a support ticket to Proofpoint support to obtain a role with access to an API.
On premise administrators: Edit the filter.cfg file and set the following key to true: com.proofpoint.admin.apigui.enable=t
In the management interface, create a role of type API and select the APIs under Managed Modules for the role and assign an administrator that role.
The following are the required managed modules for this integration:
pss
Quarantine
The operations are accessed through port 10000.
#
Configure Proofpoint Protection Server v2 in CortexParameter | Description | Required |
---|---|---|
url | Server URL (e.g., https://xxxxxxxx.pphosted.com:10000 ) | True |
credentials | Username | True |
unsecure | Trust any certificate (not secure) | False |
proxy | Use system proxy settings | False |
#
CommandsYou can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
#
proofpoint-pps-smart-searchTrace and analyze information about messages after they have been filtered by the Proofpoint Protection Server.
#
Base Commandproofpoint-pps-smart-search
#
InputArgument Name | Description | Required |
---|---|---|
action | Final disposition action message. Possible values are: "accept", "continue", "discard", "redirect", "reject", "retry". | Optional |
start_time | Time from when the search should begin. Can be either free text (\<number> \<time unit>, e.g., 12 hours, 7 days) or ISO-8601 (YYYY-MM-DDThh:mm:ssZ, e.g., 2020-01-25T10:00:00Z). Default is "24 hours". | Optional |
end_time | Time of when the search should end. Can be either free text (\<number> \<time unit>, e.g., 12 hours, 7 days) or ISO-8601 (YYYY-MM-DDThh:mm:ssZ, e.g., 2020-01-25T10:00:00Z). | Optional |
virus | Comma-separated list of the detected virus names that infected the message. | Optional |
sender | Email address of the sender. | Optional |
recipient | Email address of the recipient. | Optional |
attachment | Comma-separated list of the message attachments. | Optional |
queue_id | ID of the message queue. | Optional |
host | The host or IP address of the sent email message. | Optional |
sid | The SID of the email message. | Optional |
subject | The subject of the email message. | Optional |
guid | The global unique ID of the email message. | Optional |
message_id | The ID of the header message. This corresponds to the Message ID field in the UI. | Optional |
limit | The maximum number of email messages to return. The maximum value is set by the com.proofpoint.pss.query.default-count value in the filter.cfg file. Default is "100". | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Proofpoint.SmartSearch.Rule_ID | String | The ID of the message rule (e.g., system). |
Proofpoint.SmartSearch.Disposition_Action | String | Message disposition action. |
Proofpoint.SmartSearch.Sendmail_Action | String | Message send mail action. |
Proofpoint.SmartSearch.Attachment_Names | String | Names of the email attachments. |
Proofpoint.SmartSearch.Recipients | String | Email addresses of the recipient of the email message. |
Proofpoint.SmartSearch.SendmailRaw_Log | String | The raw log of the send mail email message. |
Proofpoint.SmartSearch.GUID | String | GUID of the email message. |
Proofpoint.SmartSearch.Date | Date | Date of the email message. |
Proofpoint.SmartSearch.Raw_Log | String | Raw log of the email message. |
Proofpoint.SmartSearch.Sender_Host | String | The sender host of the email message. |
Proofpoint.SmartSearch.Module_ID | String | The module ID of the email message (e.g., access). |
Proofpoint.SmartSearch.Sender_IP_Address | String | IP address of the email message sender. |
Proofpoint.SmartSearch.Quarantine_Folder | String | The email message quarantine folder. |
Proofpoint.SmartSearch.QID | String | The queue ID of the email message. |
Proofpoint.SmartSearch.Quarantine_Rule | String | The quarantine rule of the email message. |
Proofpoint.SmartSearch.Spam_Score | String | The spam score of the email message. |
Proofpoint.SmartSearch.country | String | The country of the email message (e.g., **). |
Proofpoint.SmartSearch.TLS | String | The TLS of the email message. |
Proofpoint.SmartSearch.Policy_Routes | String | Comma-separated list of mail message policy routes (e.g., allow_relay,firewallsafe). |
Proofpoint.SmartSearch.current_folder | String | The current folder of the email message. |
Proofpoint.SmartSearch.FID | String | The folder ID of the email message. |
Proofpoint.SmartSearch.module_rules | String | The module rules of the email message (e.g., access.system). |
Proofpoint.SmartSearch.PE_Recipients | String | The PE recipients of the email message. |
Proofpoint.SmartSearch.Virus_Names | String | The virus names of the email message. |
Proofpoint.SmartSearch.Sendmail_Errorcode | String | The error codes of the email message. |
Proofpoint.SmartSearch.FQIN | String | The FQIN of the email message (e.g., example.com-10000_instance1). |
Proofpoint.SmartSearch.SMIME_Recipients | String | The SMIME recipients of the email message. |
Proofpoint.SmartSearch.Agent | String | The agent host of the email message. |
Proofpoint.SmartSearch.Subject | String | The subject of the email message. |
Proofpoint.SmartSearch.Final_Rule | String | The final rule of the email message (e.g., access.system). |
Proofpoint.SmartSearch.Suborg | String | The sub-organization of the email message. |
Proofpoint.SmartSearch.SMIME_Recipients_Signed | String | The SMIME signed recipients for the email message. |
Proofpoint.SmartSearch.Message_Encrypted | String | The encrypted email message. |
Proofpoint.SmartSearch.Message_Split | String | The split of the email message. |
Proofpoint.SmartSearch.Disposition_SmtpProfile | String | The disposition SMTP profile of the email message. |
Proofpoint.SmartSearch.Sendmail_To | String | The send to address in the email message. |
Proofpoint.SmartSearch.Sendmail_Stat | String | The send email status of the email message. |
Proofpoint.SmartSearch.SID | String | The SID of the email message. |
Proofpoint.SmartSearch.Message_ID | String | The ID of the email message. |
Proofpoint.SmartSearch.Final_Action | String | The final action of the email message (e.g., accept). |
Proofpoint.SmartSearch.Sender | String | The sender of the email message. |
Proofpoint.SmartSearch.Sendmail_To_Stat | String | The send mail to status of the email message. |
Proofpoint.SmartSearch.Message_Size | String | The size of the email message. |
#
Command Example!proofpoint-pps-smart-search recipient=user@example.com sender=root@user.example.com start_time="24 hours ago"
#
Context Example#
Human Readable Output#
Proofpoint Protection Server Smart Search Results
GUID Date Sender Recipients Subject Final_Action 8lLtu31xs8H24NF8McYw-S6EidtLK-y_ 2020-05-20 14:13:02 [UTC-0600] root@user.example.com user@example.com Cron \pps@user\ /opt/proofpoint/pps8.0.1.1446/admin/tools/dbutil.sh -optimize -db msgqueue accept
#
Partial Search MatchesSmart Search parses email addresses to support a variety of partial matches.
For example, the email address a.b@c.d can be found with these partial searches:
- a.b
- a.b*
- a.b@
- a.b@*
- *@c.d
- @c.d
- a.*@
- a*@
- @*.d
- @*d
If there is an @ sign, the * is not ignored. If you enter only @, no results are returned.
Source Address | Matching Search |
---|---|
example.user@abc.com | *example\* |
user.example\@abc.com | *example\* |
example@abc.com | *example* |
user@example.com | *example* |
user@example.org | *example* |
user@example.com | @*example* |
user@example.org | @*example* |
#
Analyzed FieldsThe subject is passed through an Analyzer that applies stemming and removes stop words.
Here is a list of stop words:
"a", "an", "and", "are", "as", "at", "be", "but", "by", "for", "if", "in", "into",
"is", "it", "no", "not", "of", "on", "or", "such", "that", "the", "their", "then",
"there", "these", "they", "this", "to", "was", "will", "with"
Example: "I'm going to a party" becomes "I go party"
#
proofpoint-pps-quarantine-messages-listSearch for quarantined messages.
#
Base Commandproofpoint-pps-quarantine-messages-list
#
InputArgument Name | Description | Required |
---|---|---|
sender | Envelope message sender equals, starts with, ends with, or is in a domain such as "bar.com". At least one of the following arguments must be specified: sender, recipient, subject. | Optional |
recipient | Envelope message recipient equals, starts with, ends with, or is in a domain such as "bar.com". At least one of the following arguments must be specified: sender, recipient, subject. | Optional |
subject | Message subject starts with, ends with, or contains. At least one of the following arguments must be specified: sender, recipient, subject. | Optional |
start_time | Time from when the search should begin. Can be either free text (\<number> \<time unit>, e.g., 12 hours, 7 days) or ISO-8601 (YYYY-MM-DDThh:mm:ssZ, e.g., 2020-01-25T10:00:00Z). Default is "24 hours". | Optional |
end_time | Time of when the search should end. Can be either free text (\<number> \<time unit>, e.g., 12 hours, 7 days) or ISO-8601 (YYYY-MM-DDThh:mm:ssZ, e.g., 2020-01-25T10:00:00Z). | Optional |
folder_name | Quarantine folder name. Default is "Quarantine". | Optional |
guid | Message Global Unique Identifier (generated by PPS) to retrieve raw data for a message. If it is specified and a message is found, the message’s raw data will be returned. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Proofpoint.QuarantinedMessage.processingserver | String | The processing server of the quarantined message. |
Proofpoint.QuarantinedMessage.date | Date | The date of the quarantined message. |
Proofpoint.QuarantinedMessage.subject | String | The subject of the quarantined message. |
Proofpoint.QuarantinedMessage.messageid | String | The ID of the quarantined message. |
Proofpoint.QuarantinedMessage.folder | String | The folder of the quarantined message. |
Proofpoint.QuarantinedMessage.size | String | The size of the quarantined message. |
Proofpoint.QuarantinedMessage.rcpts | String | The recipients of the quarantined message. |
Proofpoint.QuarantinedMessage.from | String | The sender of the quarantined message. |
Proofpoint.QuarantinedMessage.spamscore | String | The spam score of the quarantined message. |
Proofpoint.QuarantinedMessage.guid | String | The GUID of the quarantined message. |
Proofpoint.QuarantinedMessage.host_ip | String | The host IP address of the quarantined message. |
Proofpoint.QuarantinedMessage.localguid | String | The local GUID of the quarantined message. |
#
Command Example!proofpoint-pps-quarantine-messages-list subject=Loan* sender=john@doe.com
#
Context Example#
Human Readable Output#
Proofpoint Protection Server Quarantined Messages
localguid folder spamscore from rcpts subject date size host_ip 6:6:239 Quarantine 100 john@doe.com foo@bar.com Loan 2020-01-15 20:00:00 6496 [10.54.40.3][10.54.40.3] 6:6:4 Quarantine 100 john@doe.com user@test.com Loan 2020-01-22 10:00:18 6143 [10.12.40.4][10.12.40.4]
#
proofpoint-pps-quarantine-message-releaseReleases the message to the email infrastructure without further scanning. The message remains in the folder and is moved to the deleted_folder if specified.
#
Base Commandproofpoint-pps-quarantine-message-release
#
InputArgument Name | Description | Required |
---|---|---|
folder_name | Name of the folder where the message is stored (e.g., HIPAA). | Required |
local_guid | Comma-separated list of message GUIDs. Format is folder_id:table_id:dbase_id (e.g., 4:2:6), or in Cloud Quarantine format is GUID (e.g., g4fsnj_sTLMk9hECaJ wmmxwP6lQkr5k7). Can be retrieved using the proofpoint-pps-quarantine-messages-list command. | Required |
deleted_folder | Name of the folder to move the message to. The folder must be for quarantined messages from the same type of module. For example, you cannot send deleted spam messages to a folder for deleted DLP incidents, and vice versa. | Optional |
scan | Whether to rescan the message by the DLP and Attachment Defense filtering modules. Possible values are: "true" and "false". Default is "false". | Optional |
brand_template | When encryption is licensed, the Branding Template to use when an encrypted message is released. The Branding Templates are listed on the System > End User Services > Branding Templates page in the management interface (admin GUI). | Optional |
security_policy | The Secure Reader response profile to use when the release is used for an encrypted message.The Response Profiles are listed on the Information Protection > Encryption > Response Profiles page in the management interface (admin GUI). | Optional |
#
Context OutputThere is no context output for this command.
#
Command Example!proofpoint-pps-quarantine-message-release folder_name=HIPAA local_guid=4:2:6
#
Human Readable OutputRequest sent. Message 4:2:6 will be released momentarily'
#
proofpoint-pps-quarantine-message-resubmitResubmits the message to the filtering modules. The message is removed from the folder and is moved to any folder.
#
Base Commandproofpoint-pps-quarantine-message-resubmit
#
InputArgument Name | Description | Required |
---|---|---|
folder_name | Name of the folder where the message is stored (e.g., HIPAA). | Required |
local_guid | Comma-separated list of message GUIDs. Format is folder_id:table_id:dbase_id (e.g., 4:2:6), or in Cloud Quarantine format is GUID (e.g., g4fsnj_sTLMk9hECaJ wmmxwP6lQkr5k7). Can be retrieved using the proofpoint-pps-quarantine-messages-list command. | Required |
#
Context OutputThere is no context output for this command.
#
Command Example!proofpoint-pps-quarantine-message-resubmit folder_name=HIPAA local_guid=4:2:6
#
Human Readable OutputRequest sent. Message 4:2:6 will be resubmitted momentarily
#
proofpoint-pps-quarantine-message-forwardForwards the message to another recipient. The message remains in the folder and will be moved to the deleted_folder if specified.
#
Base Commandproofpoint-pps-quarantine-message-forward
#
InputArgument Name | Description | Required |
---|---|---|
folder_name | Name of the folder where the message is stored (e.g., HIPAA). | Required |
local_guid | Comma-separated list of message GUIDs. Format is folder_id:table_id:dbase_id (e.g., 4:2:6), or in Cloud Quarantine format is GUID (e.g., g4fsnj_sTLMk9hECaJ wmmxwP6lQkr5k7). Can be retrieved using the proofpoint-pps-quarantine-messages-list command. | Required |
deleted_folder | Name of the folder to move the message to. The folder must be for quarantined messages from the same type of module. For example, you cannot send deleted spam messages to a folder for deleted DLP Incidents, and vice versa. | Optional |
subject | The new subject with which to overwrite the original subject for the message. | Optional |
append_old_subject | Whether to append the original subject to the string specified in the subject argument. Possible values are: "true" and "false". Default is "false". | Optional |
sender | The envelope email address of the sender. | Optional |
header_from | The header from email address. | Optional |
recipient | Comma-separate list of recipient email addresses. | Required |
comment | New message body. (The original message is sent as an attachment.) | Optional |
#
Context OutputThere is no context output for this command.
#
Command Example!proofpoint-pps-quarantine-message-forward folder_name=HIPAA local_guid=4:2:6
#
Human Readable OutputRequest sent. Message 4:2:6 will be forwarded momentarily
#
proofpoint-pps-quarantine-message-moveMoves the message to the specified target folder.
#
Base Commandproofpoint-pps-quarantine-message-move
#
InputArgument Name | Description | Required |
---|---|---|
folder_name | Name of the folder where the message is stored (e.g., HIPAA). | Required |
local_guid | Comma-separate list of message GUIDs. Format is folder_id:table_id:dbase_id (e.g., 4:2:6), or in Cloud Quarantine format is GUID (e.g., g4fsnj_sTLMk9hECaJ wmmxwP6lQkr5k7). Can be retrieved using the proofpoint-pps-quarantine-messages-list command. | Required |
target_folder | Name of the folder to move the email message to (e.g., PCI).The folder for moved messages must be for quarantined messages from the same type of module. For example, you cannot move spam messages to a folder for DLP Incidents, and vice versa. | Required |
#
Context OutputThere is no context output for this command.
#
Command Example!proofpoint-pps-quarantine-message-move folder_name=HIPAA local_guid=4:2:6 target_folder=PCI
#
Human Readable OutputSuccessfully moved message 4:2:6
#
proofpoint-pps-quarantine-message-deleteDeletes the message from the quarantine folder. The message is removed from its folder and is moved to the deleted_folder if specified.
#
Base Commandproofpoint-pps-quarantine-message-delete
#
InputArgument Name | Description | Required |
---|---|---|
folder_name | Name of the folder where the message is stored (e.g., HIPAA). | Required |
local_guid | Comma-separate list of message GUIDs. Format is folder_id:table_id:dbase_id (e.g., 4:2:6), or in Cloud Quarantine format is GUID (e.g., g4fsnj_sTLMk9hECaJ wmmxwP6lQkr5k7). Can be retrieved using the proofpoint-pps-quarantine-messages-list command. | Required |
deleted_folder | Name of the folder to move the message to. The folder must be for quarantined messages from the same type of module. For example, you cannot send deleted spam messages to a folder for deleted DLP Incidents, and vice versa. | Optional |
#
Context OutputThere is no context output for this command.
#
Command Example!proofpoint-pps-quarantine-message-delete folder_name=HIPAA local_guid=4:2:6
#
Human Readable OutputSuccessfully deleted message 4:2:6
#
proofpoint-pps-quarantine-message-downloadDownloads an email message's raw data.
#
Base Commandproofpoint-pps-quarantine-message-download
#
InputArgument Name | Description | Required |
---|---|---|
folder_name | Global unique ID of the email message (e.g., g4fsnj_sTLMk9hECaJwmmxwP6lQkr5k7). Can be retrieved using the proofpoint-pps-quarantine-messages-list command. | Required |
#
Context OutputThere is no context output for this command.
#
Command Example!proofpoint-pps-quarantine-message-download guid=g4fsnj_sTLMk9hECaJwmmxwP6lQkr5k7
#
proofpoint-pps-get-userGets the end user resource with the specified email address or UID.
#
Base Commandproofpoint-pps-get-user
#
InputArgument Name | Description | Required |
---|---|---|
Email address of the user. | Optional | |
uid | UID of the user. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Proofpoint.User.alias | unknown | List of aliases for the enduser. |
Proofpoint.User.attributes | unknown | All attributes for this user profile. The value of these attributes is calculated based on the Organization, Sub-Org/Group membership and Profile settings. For a description of these attributes, see the table at the end of this document. |
Proofpoint.User.blocklist | unknown | List of all block list entries for the enduser. |
Proofpoint.User.created | unknown | Timestamp when profile was created (in UTC). |
Proofpoint.User.creationsource | unknown | Source for the profile creation (see the table below). |
Proofpoint.User.email | unknown | Primary email address of the enduser. |
Proofpoint.User.firstname | unknown | First name of enduser. |
Proofpoint.User.groups | unknown | List of all the groups to which the user belongs. |
Proofpoint.User.lastmodified | unknown | Timestamp when profile changes were made (in UTC). |
Proofpoint.User.lastname | unknown | Last name of enduser. |
Proofpoint.User.lastpasswordchange | unknown | Timestamp for the last password change. |
Proofpoint.User.lastsignon | unknown | Timestamp for the last login by the end user. |
Proofpoint.User.safelist | unknown | List of all safe list entries for the enduser. |
Proofpoint.User.suborg | unknown | Defines the sub-organization to which this user profile belongs. |
Proofpoint.User.type | unknown | 0=User 1=Mailing List |
Proofpoint.User.uid | unknown | uid of the user. |
#
proofpoint-pps-create-userCreates a new end user resource with the specified email address.
#
Base Commandproofpoint-pps-create-user
#
InputArgument Name | Description | Required |
---|---|---|
Email address of the user. | Required | |
fields | Request fields in JSON string format (e.g., firstname, lastname, addgroup). | Optional |
attributes | Attributes in JSON string format. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Proofpoint.User.alias | unknown | List of aliases for the enduser. |
Proofpoint.User.attributes | unknown | All attributes for this user profile. The value of these attributes is calculated based on the Organization, Sub-Org/Group membership and Profile settings. For a description of these attributes, see the table at the end of this document. |
Proofpoint.User.blocklist | unknown | List of all block list entries for the enduser. |
Proofpoint.User.created | unknown | Timestamp when profile was created (in UTC). |
Proofpoint.User.creationsource | unknown | Source for the profile creation (see the table below). |
Proofpoint.User.email | unknown | Primary email address of the enduser. |
Proofpoint.User.firstname | unknown | First name of enduser. |
Proofpoint.User.groups | unknown | List of all the groups to which the user belongs. |
Proofpoint.User.lastmodified | unknown | Timestamp when profile changes were made (in UTC). |
Proofpoint.User.lastname | unknown | Last name of enduser. |
Proofpoint.User.lastpasswordchange | unknown | Timestamp for the last password change. |
Proofpoint.User.lastsignon | unknown | Timestamp for the last login by the end user. |
Proofpoint.User.safelist | unknown | List of all safe list entries for the enduser. |
Proofpoint.User.suborg | unknown | Defines the sub-organization to which this user profile belongs. |
Proofpoint.User.type | unknown | 0=User 1=Mailing List |
Proofpoint.User.uid | unknown | uid of the user. |
#
proofpoint-pps-modify-userModifies a user profile.
#
Base Commandproofpoint-pps-modify-user
#
InputArgument Name | Description | Required |
---|---|---|
Email address of the user. | Optional | |
UID | UID of the user. | Optional |
fields | Request fields in JSON string format (e.g., firstname, lastname, addgroup). | Optional |
attributes | Attributes in JSON string format. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Proofpoint.User.alias | unknown | List of aliases for the enduser. |
Proofpoint.User.attributes | unknown | All attributes for this user profile. The value of these attributes is calculated based on the Organization, Sub-Org/Group membership and Profile settings. For a description of these attributes, see the table at the end of this document. |
Proofpoint.User.blocklist | unknown | List of all block list entries for the enduser. |
Proofpoint.User.created | unknown | Timestamp when profile was created (in UTC). |
Proofpoint.User.creationsource | unknown | Source for the profile creation (see the table below). |
Proofpoint.User.email | unknown | Primary email address of the enduser. |
Proofpoint.User.firstname | unknown | First name of enduser. |
Proofpoint.User.groups | unknown | List of all the groups to which the user belongs. |
Proofpoint.User.lastmodified | unknown | Timestamp when profile changes were made (in UTC). |
Proofpoint.User.lastname | unknown | Last name of enduser. |
Proofpoint.User.lastpasswordchange | unknown | Timestamp for the last password change. |
Proofpoint.User.lastsignon | unknown | Timestamp for the last login by the end user. |
Proofpoint.User.safelist | unknown | List of all safe list entries for the enduser. |
Proofpoint.User.suborg | unknown | Defines the sub-organization to which this user profile belongs. |
Proofpoint.User.type | unknown | 0=User 1=Mailing List |
Proofpoint.User.uid | unknown | uid of the user. |
#
proofpoint-pps-delete-userDelete a user profile.
#
Base Commandproofpoint-pps-delete-user
#
InputArgument Name | Description | Required |
---|---|---|
Email address of the user. | Optional | |
uid | UID of the user. | Optional |
#
Context OutputThere is no context output for this command.