
# Proofpoint Protection Server v2

Proofpoint email security appliance.

This integration was integrated and tested with the following versions of Proofpoint Protection Server:

  • Cloud 8.16.2
  • On-premise 8.14.2

## Authentication

An administrator must have a role that includes access to a specific REST API.

Proofpoint on Demand (PoD) administrators must file a support ticket with Proofpoint support to obtain a role with access to the API.

On-premise administrators: edit the `filter.cfg` file and set the following key to true: `com.proofpoint.admin.apigui.enable=t`

In the management interface, create a role of type API, select the APIs under Managed Modules for that role, and assign the role to an administrator.

The following are the required managed modules for this integration:

  • pss
  • Quarantine

The operations are accessed through port 10000.

## Configure Proofpoint Protection Server v2 on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Proofpoint Protection Server v2.
  3. Click Add instance to create and configure a new integration instance.

| Parameter | Description | Required |
| --- | --- | --- |
| url | Server URL (e.g., https://xxxxxxxx.pphosted.com:10000) | True |
| credentials | Username | True |
| unsecure | Trust any certificate (not secure) | False |
| proxy | Use system proxy settings | False |

  4. Click Test to validate the URLs, token, and connection.

## Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

### proofpoint-pps-smart-search

Trace and analyze information about messages after they have been filtered by the Proofpoint Protection Server.

#### Base Command

`proofpoint-pps-smart-search`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| action | Final disposition action of the message. Possible values are: "accept", "continue", "discard", "redirect", "reject", "retry". | Optional |
| start_time | Time from which the search should begin. Can be either free text (`<number> <time unit>`, e.g., 12 hours, 7 days) or ISO-8601 (`YYYY-MM-DDThh:mm:ssZ`, e.g., 2020-01-25T10:00:00Z). Default is "24 hours". | Optional |
| end_time | Time at which the search should end. Can be either free text (`<number> <time unit>`, e.g., 12 hours, 7 days) or ISO-8601 (`YYYY-MM-DDThh:mm:ssZ`, e.g., 2020-01-25T10:00:00Z). | Optional |
| virus | Comma-separated list of the detected virus names that infected the message. | Optional |
| sender | Email address of the sender. | Optional |
| recipient | Email address of the recipient. | Optional |
| attachment | Comma-separated list of the message attachments. | Optional |
| queue_id | ID of the message queue. | Optional |
| host | The host or IP address from which the email message was sent. | Optional |
| sid | The SID of the email message. | Optional |
| subject | The subject of the email message. | Optional |
| guid | The global unique ID of the email message. | Optional |
| message_id | The ID of the message header. This corresponds to the Message ID field in the UI. | Optional |
| limit | The maximum number of email messages to return. The maximum value is set by the `com.proofpoint.pss.query.default-count` value in the `filter.cfg` file. Default is "100". | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Proofpoint.SmartSearch.Rule_ID | String | The ID of the message rule (e.g., system). |
| Proofpoint.SmartSearch.Disposition_Action | String | Message disposition action. |
| Proofpoint.SmartSearch.Sendmail_Action | String | Message sendmail action. |
| Proofpoint.SmartSearch.Attachment_Names | String | Names of the email attachments. |
| Proofpoint.SmartSearch.Recipients | String | Email addresses of the recipients of the email message. |
| Proofpoint.SmartSearch.SendmailRaw_Log | String | The raw sendmail log of the email message. |
| Proofpoint.SmartSearch.GUID | String | GUID of the email message. |
| Proofpoint.SmartSearch.Date | Date | Date of the email message. |
| Proofpoint.SmartSearch.Raw_Log | String | Raw log of the email message. |
| Proofpoint.SmartSearch.Sender_Host | String | The sender host of the email message. |
| Proofpoint.SmartSearch.Module_ID | String | The module ID of the email message (e.g., access). |
| Proofpoint.SmartSearch.Sender_IP_Address | String | IP address of the email message sender. |
| Proofpoint.SmartSearch.Quarantine_Folder | String | The quarantine folder of the email message. |
| Proofpoint.SmartSearch.QID | String | The queue ID of the email message. |
| Proofpoint.SmartSearch.Quarantine_Rule | String | The quarantine rule of the email message. |
| Proofpoint.SmartSearch.Spam_Score | String | The spam score of the email message. |
| Proofpoint.SmartSearch.country | String | The country of the email message (e.g., `**`). |
| Proofpoint.SmartSearch.TLS | String | The TLS of the email message. |
| Proofpoint.SmartSearch.Policy_Routes | String | Comma-separated list of the mail message policy routes (e.g., allow_relay,firewallsafe). |
| Proofpoint.SmartSearch.current_folder | String | The current folder of the email message. |
| Proofpoint.SmartSearch.FID | String | The folder ID of the email message. |
| Proofpoint.SmartSearch.module_rules | String | The module rules of the email message (e.g., access.system). |
| Proofpoint.SmartSearch.PE_Recipients | String | The PE recipients of the email message. |
| Proofpoint.SmartSearch.Virus_Names | String | The virus names of the email message. |
| Proofpoint.SmartSearch.Sendmail_Errorcode | String | The sendmail error codes of the email message. |
| Proofpoint.SmartSearch.FQIN | String | The FQIN of the email message (e.g., example.com-10000_instance1). |
| Proofpoint.SmartSearch.SMIME_Recipients | String | The SMIME recipients of the email message. |
| Proofpoint.SmartSearch.Agent | String | The agent host of the email message. |
| Proofpoint.SmartSearch.Subject | String | The subject of the email message. |
| Proofpoint.SmartSearch.Final_Rule | String | The final rule of the email message (e.g., access.system). |
| Proofpoint.SmartSearch.Suborg | String | The sub-organization of the email message. |
| Proofpoint.SmartSearch.SMIME_Recipients_Signed | String | The SMIME signed recipients of the email message. |
| Proofpoint.SmartSearch.Message_Encrypted | String | The encrypted email message. |
| Proofpoint.SmartSearch.Message_Split | String | The split of the email message. |
| Proofpoint.SmartSearch.Disposition_SmtpProfile | String | The disposition SMTP profile of the email message. |
| Proofpoint.SmartSearch.Sendmail_To | String | The sendmail "to" address of the email message. |
| Proofpoint.SmartSearch.Sendmail_Stat | String | The sendmail status of the email message. |
| Proofpoint.SmartSearch.SID | String | The SID of the email message. |
| Proofpoint.SmartSearch.Message_ID | String | The ID of the email message. |
| Proofpoint.SmartSearch.Final_Action | String | The final action of the email message (e.g., accept). |
| Proofpoint.SmartSearch.Sender | String | The sender of the email message. |
| Proofpoint.SmartSearch.Sendmail_To_Stat | String | The sendmail "to" status of the email message. |
| Proofpoint.SmartSearch.Message_Size | String | The size of the email message. |

#### Command Example

```
!proofpoint-pps-smart-search recipient=user@example.com sender=root@user.example.com start_time="24 hours ago"
```

#### Context Example

```json
{
    "Proofpoint": {
        "SmartSearch": [
            {
                "Agent": "example.com",
                "Attachment_Names": "",
                "Date": "2020-05-20 14:13:02 [UTC-0600]",
                "Disposition_Action": "",
                "Disposition_SmtpProfile": "",
                "Duration": "0.124094999905240",
                "FID": "8lLtu31xs8H24NF8McYw-S6EidtLK-y_",
                "FQIN": "example.com-10000_instance1",
                "Final_Action": "accept",
                "Final_Rule": "access.system",
                "GUID": "9rLtu31xs8H24NF8KcRw-S6EihtLK-y_",
                "Message_Encrypted": "",
                "Message_ID": "<551609250613.u8P6D1l3019878@user.example.com>",
                "Message_Size": "1142",
                "Message_Split": "",
                "Module_ID": "access",
                "PE_Recipients": "",
                "Policy_Routes": "allow_relay,firewallsafe,internalnet",
                "QID": "u8P6D24m919880",
                "Quarantine_Folder": "",
                "Quarantine_Rule": "",
                "Raw_Log": "",
                "Recipients": "user@example.com",
                "Rule_ID": "system",
                "SID": "25nnq08028",
                "SMIME_Recipients": "",
                "SMIME_Recipients_Signed": "",
                "Sender": "root@user.example.com",
                "Sender_Host": "localhost",
                "Sender_IP_Address": "127.0.0.1",
                "SendmailRaw_Log": "",
                "Sendmail_Action": "",
                "Sendmail_Errorcode": "",
                "Sendmail_Stat": "",
                "Sendmail_To": "",
                "Sendmail_To_Stat": "",
                "Spam_Score": "",
                "Subject": "Cron <pps@user> /opt/proofpoint/pps8.0.1.1446/admin/tools/dbutil.sh -optimize -db msgqueue",
                "Suborg": "",
                "TLS": "",
                "Virus_Names": "",
                "country": "**",
                "current_folder": "",
                "module_rules": [
                    "access.system"
                ]
            }
        ]
    }
}
```

#### Human Readable Output

##### Proofpoint Protection Server Smart Search Results

| GUID | Date | Sender | Recipients | Subject | Final_Action |
| --- | --- | --- | --- | --- | --- |
| 8lLtu31xs8H24NF8McYw-S6EidtLK-y_ | 2020-05-20 14:13:02 [UTC-0600] | root@user.example.com | user@example.com | `Cron <pps@user> /opt/proofpoint/pps8.0.1.1446/admin/tools/dbutil.sh -optimize -db msgqueue` | accept |

#### Partial Search Matches

Smart Search parses email addresses to support a variety of partial matches.

For example, the email address a.b@c.d can be found with these partial searches:

  • a.b
  • a.b*
  • a.b@
  • a.b@*
  • *@c.d
  • @c.d
  • a.*@
  • a*@
  • @*.d
  • @*d

If there is an @ sign, the * is not ignored. If you enter only @, no results are returned.

| Source Address | Matching Search |
| --- | --- |
| example.user@abc.com | `*example*` |
| user.example@abc.com | `*example*` |
| example@abc.com | `*example*` |
| user@example.com | `*example*` |
| user@example.org | `*example*` |
| user@example.com | `@*example*` |
| user@example.org | `@*example*` |
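The partial-match rules above are easy to misread when building a playbook (for instance, `@*example*` only inspects the domain, while `*example*` hits the local part too). The following Python is an added example, not code from the integration or from Proofpoint; it implements one consistent interpretation of the documented rules (no `@` in the pattern: `*` is ignored and the text is matched as a substring of the whole address; `@` present: the text on each side is a glob on the local part and domain respectively, an empty side matching anything; a bare `@` matches nothing) and generalises it to any address list. The sample address list and the `search_addresses` helper are constructed for this example.

```python
import re
from typing import List, Optional

# Constructed sample address book used only for this example.
SAMPLE_ADDRESSES = [
    "a.b@c.d",
    "example.user@abc.com",
    "user.example@abc.com",
    "example@abc.com",
    "user@example.com",
    "user@example.org",
    "other@abc.com",
]


def _glob_to_regex(glob: str) -> "re.Pattern[str]":
    """Turn a Smart Search style glob into an anchored regex.

    '*' matches any run of characters; everything else is literal.
    """
    parts = [re.escape(part) for part in glob.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def address_matches(address: str, pattern: str) -> bool:
    """Return True if `address` would be found by the partial search `pattern`.

    Assumed interpretation of the documented rules (not Proofpoint's code):
      * no '@' in the pattern: '*' is ignored and the remaining text is
        matched as a case-insensitive substring of the whole address;
      * '@' in the pattern: the text before '@' is a glob on the local part
        and the text after '@' is a glob on the domain; an empty side
        matches anything and '*' is honoured on both sides;
      * a pattern consisting only of '@' matches nothing.
    """
    pattern = pattern.strip()
    if not pattern or pattern == "@":
        return False
    address = address.lower()
    if "@" not in pattern:
        needle = pattern.replace("*", "").lower()
        return bool(needle) and needle in address
    local_pat, _, domain_pat = pattern.partition("@")
    local, at, domain = address.partition("@")
    if not at:
        return False
    local_ok = local_pat == "" or _glob_to_regex(local_pat).match(local) is not None
    domain_ok = domain_pat == "" or _glob_to_regex(domain_pat).match(domain) is not None
    return local_ok and domain_ok


def search_addresses(pattern: str, addresses: Optional[List[str]] = None) -> List[str]:
    """Return the addresses found by `pattern`, preserving their original order."""
    return [a for a in (addresses or SAMPLE_ADDRESSES) if address_matches(a, pattern)]


if __name__ == "__main__":
    for pat in ("a.b", "a.*@", "@*d", "*example*", "@*example*", "@"):
        print(f"{pat!r:14} -> {search_addresses(pat)}")
```

Every pattern in the bullet list above finds `a.b@c.d` under this interpretation, and the two table patterns reproduce the table's rows: `*example*` returns all five `example` addresses, `@*example*` only the two whose domain contains `example`.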

#### Analyzed Fields

The subject is passed through an Analyzer that applies stemming and removes stop words.

The stop words are:

"a", "an", "and", "are", "as", "at", "be", "but", "by", "for", "if", "in", "into", "is", "it", "no", "not", "of", "on", "or", "such", "that", "the", "their", "then", "there", "these", "they", "this", "to", "was", "will", "with"

Example: "I'm going to a party" becomes "I go party"

### proofpoint-pps-quarantine-messages-list

Search for quarantined messages.

#### Base Command

`proofpoint-pps-quarantine-messages-list`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| sender | Envelope message sender equals, starts with, ends with, or is in a domain such as "bar.com". At least one of the following arguments must be specified: sender, recipient, subject. | Optional |
| recipient | Envelope message recipient equals, starts with, ends with, or is in a domain such as "bar.com". At least one of the following arguments must be specified: sender, recipient, subject. | Optional |
| subject | Message subject starts with, ends with, or contains. At least one of the following arguments must be specified: sender, recipient, subject. | Optional |
| start_time | Time from which the search should begin. Can be either free text (`<number> <time unit>`, e.g., 12 hours, 7 days) or ISO-8601 (`YYYY-MM-DDThh:mm:ssZ`, e.g., 2020-01-25T10:00:00Z). Default is "24 hours". | Optional |
| end_time | Time at which the search should end. Can be either free text (`<number> <time unit>`, e.g., 12 hours, 7 days) or ISO-8601 (`YYYY-MM-DDThh:mm:ssZ`, e.g., 2020-01-25T10:00:00Z). | Optional |
| folder_name | Quarantine folder name. Default is "Quarantine". | Optional |
| guid | Message Global Unique Identifier (generated by PPS) to retrieve raw data for a message. If it is specified and a message is found, the message's raw data is returned. | Optional |
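Both the smart-search and quarantine-list commands accept the same two time formats, and the quarantine list additionally requires at least one of sender, recipient or subject. When wrapping these commands in an automation it is worth validating the arguments before the call, so a bad time string or an empty filter fails fast instead of producing a silent empty result or an unbounded query. The following Python is an added example, not the integration's own code: `parse_time_argument` accepts the free-text form (with the optional trailing "ago" seen in the smart-search command example; the set of accepted units is an assumption) or ISO-8601, and `build_quarantine_search_args` applies the documented constraints and defaults. The returned dictionary is this example's own shape, not the REST API's.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Free-text form "<number> <time unit>" with an optional trailing "ago".
# The accepted units (minute/hour/day/week) are an assumption for this example.
_FREE_TEXT = re.compile(r"^(\d+)\s*(minute|hour|day|week)s?(?:\s+ago)?$", re.IGNORECASE)
_UNIT_SECONDS = {"minute": 60, "hour": 3600, "day": 86400, "week": 7 * 86400}
ISO_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_time_argument(value: str, now: Optional[datetime] = None) -> datetime:
    """Parse a start_time/end_time argument into a timezone-aware UTC datetime.

    Accepts either the relative free-text form ("12 hours", "7 days ago")
    or ISO-8601 "YYYY-MM-DDThh:mm:ssZ"; anything else raises ValueError.
    `now` is injectable so the relative form is reproducible in tests.
    """
    now = now or datetime.now(timezone.utc)
    text = value.strip()
    match = _FREE_TEXT.match(text)
    if match:
        amount, unit = int(match.group(1)), match.group(2).lower()
        return now - timedelta(seconds=amount * _UNIT_SECONDS[unit])
    try:
        return datetime.strptime(text, ISO_FORMAT).replace(tzinfo=timezone.utc)
    except ValueError:
        raise ValueError(f"unrecognised time argument: {value!r}") from None


def build_quarantine_search_args(args: Dict[str, str],
                                 now: Optional[datetime] = None) -> Dict[str, str]:
    """Validate and normalise arguments for proofpoint-pps-quarantine-messages-list.

    Enforces the documented constraints (at least one of sender, recipient,
    subject; default folder "Quarantine"; default start_time "24 hours";
    start before end) and returns the arguments with both times rendered as
    ISO-8601 UTC strings. Hypothetical output shape for this example only.
    """
    if not any(args.get(key) for key in ("sender", "recipient", "subject")):
        raise ValueError("at least one of sender, recipient, subject must be specified")
    now = now or datetime.now(timezone.utc)
    start = parse_time_argument(args.get("start_time") or "24 hours", now)
    end = parse_time_argument(args["end_time"], now) if args.get("end_time") else now
    if start >= end:
        raise ValueError("start_time must be earlier than end_time")
    normalised = {key: args[key] for key in ("sender", "recipient", "subject", "guid")
                  if args.get(key)}
    normalised["folder_name"] = args.get("folder_name") or "Quarantine"
    normalised["start_time"] = start.strftime(ISO_FORMAT)
    normalised["end_time"] = end.strftime(ISO_FORMAT)
    return normalised


if __name__ == "__main__":
    # Constructed arguments mirroring the command example on this page.
    print(build_quarantine_search_args({"subject": "Loan*", "sender": "john@doe.com"}))
```

Passing a fixed `now` makes relative times deterministic, which is also how you would unit-test a playbook that computes its own search window.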

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Proofpoint.QuarantinedMessage.processingserver | String | The processing server of the quarantined message. |
| Proofpoint.QuarantinedMessage.date | Date | The date of the quarantined message. |
| Proofpoint.QuarantinedMessage.subject | String | The subject of the quarantined message. |
| Proofpoint.QuarantinedMessage.messageid | String | The ID of the quarantined message. |
| Proofpoint.QuarantinedMessage.folder | String | The folder of the quarantined message. |
| Proofpoint.QuarantinedMessage.size | String | The size of the quarantined message. |
| Proofpoint.QuarantinedMessage.rcpts | String | The recipients of the quarantined message. |
| Proofpoint.QuarantinedMessage.from | String | The sender of the quarantined message. |
| Proofpoint.QuarantinedMessage.spamscore | String | The spam score of the quarantined message. |
| Proofpoint.QuarantinedMessage.guid | String | The GUID of the quarantined message. |
| Proofpoint.QuarantinedMessage.host_ip | String | The host IP address of the quarantined message. |
| Proofpoint.QuarantinedMessage.localguid | String | The local GUID of the quarantined message. |

#### Command Example

```
!proofpoint-pps-quarantine-messages-list subject=Loan* sender=john@doe.com
```

#### Context Example

```json
{
    "Proofpoint": {
        "QuarantinedMessage": [
            {
                "date": "2020-01-15 20:00:00",
                "folder": "Quarantine",
                "from": "john@doe.com",
                "guid": "lR_SjEF1Llfn9gML8YZzpVPUukjXQcPO",
                "host_ip": "[10.54.40.3] [10.54.40.3]",
                "localguid": "6:6:239",
                "messageid": "YATQ2LPCWC3MFA2YUTDH.448380834@example.net",
                "processingserver": "...",
                "rcpts": [
                    "foo@bar.com"
                ],
                "size": "6496",
                "spamscore": "100",
                "subject": "Loan"
            },
            {
                "date": "2020-01-22 10:00:18",
                "folder": "Quarantine",
                "from": "john@doe.com",
                "guid": "edlp0pU9YXkWB5nmat91i9HUl7J-K-ep",
                "host_ip": "[10.12.40.4] [10.12.40.4]",
                "localguid": "6:6:4",
                "messageid": "TLW25LKOCDR72DBE06JF.221045479@email1.example.com",
                "processingserver": "...",
                "rcpts": [
                    "user@test.com"
                ],
                "size": "6143",
                "spamscore": "100",
                "subject": "Loan"
            }
        ]
    }
}
```

#### Human Readable Output

##### Proofpoint Protection Server Quarantined Messages

| localguid | folder | spamscore | from | rcpts | subject | date | size | host_ip |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 6:6:239 | Quarantine | 100 | john@doe.com | foo@bar.com | Loan | 2020-01-15 20:00:00 | 6496 | [10.54.40.3] [10.54.40.3] |
| 6:6:4 | Quarantine | 100 | john@doe.com | user@test.com | Loan | 2020-01-22 10:00:18 | 6143 | [10.12.40.4] [10.12.40.4] |

### proofpoint-pps-quarantine-message-release

Releases the message to the email infrastructure without further scanning. The message remains in the folder and is moved to the deleted_folder if specified.

#### Base Command

`proofpoint-pps-quarantine-message-release`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| folder_name | Name of the folder where the message is stored (e.g., HIPAA). | Required |
| local_guid | Comma-separated list of message GUIDs. Format is `folder_id:table_id:dbase_id` (e.g., 4:2:6), or in Cloud Quarantine the GUID itself (e.g., g4fsnj_sTLMk9hECaJwmmxwP6lQkr5k7). Can be retrieved using the proofpoint-pps-quarantine-messages-list command. | Required |
| deleted_folder | Name of the folder to move the message to. The folder must be for quarantined messages from the same type of module. For example, you cannot send deleted spam messages to a folder for deleted DLP incidents, and vice versa. | Optional |
| scan | Whether to rescan the message with the DLP and Attachment Defense filtering modules. Possible values are: "true" and "false". Default is "false". | Optional |
| brand_template | When encryption is licensed, the Branding Template to use when an encrypted message is released. The Branding Templates are listed on the System > End User Services > Branding Templates page in the management interface (admin GUI). | Optional |
| security_policy | The Secure Reader response profile to use when the release is used for an encrypted message. The Response Profiles are listed on the Information Protection > Encryption > Response Profiles page in the management interface (admin GUI). | Optional |

#### Context Output

There is no context output for this command.

#### Command Example

```
!proofpoint-pps-quarantine-message-release folder_name=HIPAA local_guid=4:2:6
```

#### Human Readable Output

Request sent. Message 4:2:6 will be released momentarily

### proofpoint-pps-quarantine-message-resubmit

Resubmits the message to the filtering modules. The message is removed from the folder and is not moved to any other folder.

#### Base Command

`proofpoint-pps-quarantine-message-resubmit`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| folder_name | Name of the folder where the message is stored (e.g., HIPAA). | Required |
| local_guid | Comma-separated list of message GUIDs. Format is `folder_id:table_id:dbase_id` (e.g., 4:2:6), or in Cloud Quarantine the GUID itself (e.g., g4fsnj_sTLMk9hECaJwmmxwP6lQkr5k7). Can be retrieved using the proofpoint-pps-quarantine-messages-list command. | Required |

#### Context Output

There is no context output for this command.

#### Command Example

```
!proofpoint-pps-quarantine-message-resubmit folder_name=HIPAA local_guid=4:2:6
```

#### Human Readable Output

Request sent. Message 4:2:6 will be resubmitted momentarily

### proofpoint-pps-quarantine-message-forward

Forwards the message to another recipient. The message remains in the folder and will be moved to the deleted_folder if specified.

#### Base Command

`proofpoint-pps-quarantine-message-forward`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| folder_name | Name of the folder where the message is stored (e.g., HIPAA). | Required |
| local_guid | Comma-separated list of message GUIDs. Format is `folder_id:table_id:dbase_id` (e.g., 4:2:6), or in Cloud Quarantine the GUID itself (e.g., g4fsnj_sTLMk9hECaJwmmxwP6lQkr5k7). Can be retrieved using the proofpoint-pps-quarantine-messages-list command. | Required |
| deleted_folder | Name of the folder to move the message to. The folder must be for quarantined messages from the same type of module. For example, you cannot send deleted spam messages to a folder for deleted DLP incidents, and vice versa. | Optional |
| subject | The new subject with which to overwrite the original subject of the message. | Optional |
| append_old_subject | Whether to append the original subject to the string specified in the subject argument. Possible values are: "true" and "false". Default is "false". | Optional |
| sender | The envelope email address of the sender. | Optional |
| header_from | The header From email address. | Optional |
| recipient | Comma-separated list of recipient email addresses. | Required |
| comment | New message body. (The original message is sent as an attachment.) | Optional |

#### Context Output

There is no context output for this command.

#### Command Example

```
!proofpoint-pps-quarantine-message-forward folder_name=HIPAA local_guid=4:2:6
```

#### Human Readable Output

Request sent. Message 4:2:6 will be forwarded momentarily

### proofpoint-pps-quarantine-message-move

Moves the message to the specified target folder.

#### Base Command

`proofpoint-pps-quarantine-message-move`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| folder_name | Name of the folder where the message is stored (e.g., HIPAA). | Required |
| local_guid | Comma-separated list of message GUIDs. Format is `folder_id:table_id:dbase_id` (e.g., 4:2:6), or in Cloud Quarantine the GUID itself (e.g., g4fsnj_sTLMk9hECaJwmmxwP6lQkr5k7). Can be retrieved using the proofpoint-pps-quarantine-messages-list command. | Required |
| target_folder | Name of the folder to move the email message to (e.g., PCI). The target folder must be for quarantined messages from the same type of module. For example, you cannot move spam messages to a folder for DLP incidents, and vice versa. | Required |

#### Context Output

There is no context output for this command.

#### Command Example

```
!proofpoint-pps-quarantine-message-move folder_name=HIPAA local_guid=4:2:6 target_folder=PCI
```

#### Human Readable Output

Successfully moved message 4:2:6

### proofpoint-pps-quarantine-message-delete

Deletes the message from the quarantine folder. The message is removed from its folder and is moved to the deleted_folder if specified.

#### Base Command

`proofpoint-pps-quarantine-message-delete`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| folder_name | Name of the folder where the message is stored (e.g., HIPAA). | Required |
| local_guid | Comma-separated list of message GUIDs. Format is `folder_id:table_id:dbase_id` (e.g., 4:2:6), or in Cloud Quarantine the GUID itself (e.g., g4fsnj_sTLMk9hECaJwmmxwP6lQkr5k7). Can be retrieved using the proofpoint-pps-quarantine-messages-list command. | Required |
| deleted_folder | Name of the folder to move the message to. The folder must be for quarantined messages from the same type of module. For example, you cannot send deleted spam messages to a folder for deleted DLP incidents, and vice versa. | Optional |

#### Context Output

There is no context output for this command.

#### Command Example

```
!proofpoint-pps-quarantine-message-delete folder_name=HIPAA local_guid=4:2:6
```

#### Human Readable Output

Successfully deleted message 4:2:6

### proofpoint-pps-quarantine-message-download

Downloads an email message's raw data.

#### Base Command

`proofpoint-pps-quarantine-message-download`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| guid | Global unique ID of the email message (e.g., g4fsnj_sTLMk9hECaJwmmxwP6lQkr5k7). Can be retrieved using the proofpoint-pps-quarantine-messages-list command. | Required |

#### Context Output

There is no context output for this command.

#### Command Example

```
!proofpoint-pps-quarantine-message-download guid=g4fsnj_sTLMk9hECaJwmmxwP6lQkr5k7
```