
Proofpoint TAP

Use the Proofpoint Targeted Attack Protection (TAP) integration to protect against, and gain additional visibility into, phishing and other malicious email attacks. This integration was integrated and tested with v2 of the Proofpoint TAP API.

Configure Proofpoint TAP v2 on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for Proofpoint TAP v2.

  3. Click Add instance to create and configure a new integration instance.

    | Parameter | Description | Required |
    | --- | --- | --- |
    | Server URL | e.g., https://tap-api-v2.proofpoint.com | True |
    | Service Principal | The password field holds the secret. | True |
    | API Version | v1 is deprecated for new instances. The current API version is v2. | False |
    | Trust any certificate (not secure) | | False |
    | Use system proxy settings | | False |
    | Threat type | A string specifying which threat type to return. If empty, all threat types are returned. Can be "url", "attachment", or "messageText". | False |
    | Threat status | A string specifying which threat statuses to return. If empty, "active" and "cleared" threats are returned. Can be "active", "cleared", or "falsePositive". | False |
    | Events to fetch | | False |
    | First fetch time range | First fetch time range (<number> <time unit>, e.g., 1 hour, 30 minutes). Proofpoint supports fetching back a maximum of 1 week. | False |
    | Fetch incidents | | False |
    | Incident type | | False |
  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

proofpoint-get-events

Fetches events for all clicks and messages relating to known threats within the specified time period. Details as per clicks/blocked.

Base Command

```
proofpoint-get-events
```

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| interval | A string containing an ISO8601-formatted interval. If this interval overlaps with previous requests for data, records from the previous request might be duplicated. The minimum interval is thirty seconds. The maximum interval is one hour. Examples: `2016-05-01T12:00:00Z/2016-05-01T13:00:00Z` (an hour interval, beginning at noon UTC on 05-01-2016); `PT30M/2016-05-01T12:30:00Z` (the thirty minutes beginning at noon UTC on 05-01-2016 and ending at 12:30pm UTC); `2016-05-01T05:00:00-0700/PT30M` (the same interval as above, but using -0700 as the time zone). | Optional |
| threatType | A comma-separated list of the threat types to return. If empty, all threat types are returned. Possible values are: url, attachment, messageText. | Optional |
| threatStatus | A string specifying which threat statuses to return. If empty, active and cleared threats are returned. Possible values are: active, cleared, falsePositive. | Optional |
| sinceTime | A string containing an ISO8601 date. It represents the start of the data retrieval period. The end of the period is determined by the current API server time rounded to the nearest minute. If JSON output is selected, the end time is included in the returned result. Example: 2016-05-01T12:00:00Z. | Optional |
| sinceSeconds | An integer representing a time window (in seconds) from the current API server time. The start of the window is the current API server time, rounded to the nearest minute, less the number of seconds provided. The end of the window is the current API server time rounded to the nearest minute. If JSON output is selected, the end time is included in the returned result. | Optional |
| eventTypes | Event types to return. Possible values are: All, Issues, Delivered Messages, Blocked Messages, Permitted Clicks, Blocked Clicks. Default is All. | Optional |
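
The three interval forms, the 30-second to 1-hour bounds, and the duplication caveat above are easy to get wrong when a playbook polls this command on a schedule. The following is an added example, not code from the Proofpoint TAP integration: it parses and validates an `interval` argument in any of the three forms, renders the next polling window with a small overlap, and drops records that an overlapping window returned twice. The `next_interval` helper, its 30-second overlap, and the use of `GUID` (falling back to `id`) as the dedup key are this example's own choices, not part of the page.

```python
"""Build, parse and validate the `interval` argument of proofpoint-get-events.

Added example for this page; it is not code from the Proofpoint TAP integration.
"""
import re
from datetime import datetime, timedelta, timezone

MIN_INTERVAL = timedelta(seconds=30)   # bounds taken from the argument description
MAX_INTERVAL = timedelta(hours=1)

# Only the H/M/S components of an ISO8601 duration matter at this scale.
_DURATION_RE = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?$")


def parse_duration(text):
    """'PT30M' -> timedelta(minutes=30); rejects anything outside the PT..H..M..S form."""
    m = _DURATION_RE.match(text)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported ISO8601 duration: {text!r}")
    hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return timedelta(hours=hours, minutes=minutes, seconds=seconds)


def parse_timestamp(text):
    """Accept the 'Z' suffix and compact offsets such as '-0700' (third example above),
    which datetime.fromisoformat() on older Pythons does not understand."""
    text = text.replace("Z", "+00:00")
    if re.search(r"[+-]\d{4}$", text):          # '-0700' -> '-07:00'
        text = text[:-2] + ":" + text[-2:]
    ts = datetime.fromisoformat(text)
    if ts.tzinfo is None:                        # treat a bare timestamp as UTC
        ts = ts.replace(tzinfo=timezone.utc)
    return ts


def parse_interval(text):
    """Return (start, end) as timezone-aware datetimes for any of the three forms."""
    left, right = text.split("/", 1)
    if left.startswith("P"):                     # duration/end
        end = parse_timestamp(right)
        start = end - parse_duration(left)
    elif right.startswith("P"):                  # start/duration
        start = parse_timestamp(left)
        end = start + parse_duration(right)
    else:                                        # start/end
        start, end = parse_timestamp(left), parse_timestamp(right)
    length = end - start
    if length < MIN_INTERVAL or length > MAX_INTERVAL:
        raise ValueError(f"interval length {length} is outside 30 seconds .. 1 hour")
    return start, end


def format_interval(start, end):
    """Render start/end in UTC with the 'Z' suffix the examples above use."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    return (f"{start.astimezone(timezone.utc).strftime(fmt)}/"
            f"{end.astimezone(timezone.utc).strftime(fmt)}")


def next_interval(previous_end, now, overlap=timedelta(seconds=30)):
    """Example policy (assumption, not from the page): start slightly before the previous
    window's end so clock skew cannot lose events, and never ask for more than one hour."""
    start = previous_end - overlap
    end = min(now, start + MAX_INTERVAL)
    return format_interval(start, end)


def dedupe_events(batches, key="GUID"):
    """Overlapping intervals may return the same record twice; keep the first copy per key."""
    seen, unique = set(), []
    for batch in batches:
        for record in batch:
            ident = record.get(key) or record.get("id")
            if ident in seen:
                continue
            seen.add(ident)
            unique.append(record)
    return unique


if __name__ == "__main__":
    for sample in ("2016-05-01T12:00:00Z/2016-05-01T13:00:00Z",
                   "PT30M/2016-05-01T12:30:00Z",
                   "2016-05-01T05:00:00-0700/PT30M"):
        print(sample, "->", format_interval(*parse_interval(sample)))
```

Because `parse_interval` normalises every form to aware datetimes, the two half-hour examples from the table compare equal even though one is written with a `-0700` offset; `format_interval` then emits the canonical UTC form to pass back to the command.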

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Proofpoint.MessagesDelivered.GUID | String | The ID of the message within PPS. It can be used to identify the message in PPS and is unique. |
| Proofpoint.MessagesDelivered.QID | String | The queue ID of the message within PPS. It can be used to identify the message in PPS but is not unique. |
| Proofpoint.MessagesDelivered.ccAddresses | String | A list of email addresses contained within the CC: header, excluding any friendly names. |
| Proofpoint.MessagesDelivered.clusterId | String | The name of the PPS cluster that processed the message. |
| Proofpoint.MessagesDelivered.fromAddress | String | The email address contained in the From: header, excluding any friendly name. |
| Proofpoint.MessagesDelivered.headerCC | String | The CC header. |
| Proofpoint.MessagesDelivered.headerFrom | String | The full content of the From: header, including any friendly name. |
| Proofpoint.MessagesDelivered.headerReplyTo | String | If present, the full content of the Reply-To: header, including any friendly names. |
| Proofpoint.MessagesDelivered.impostorScore | Number | The impostor score of the message. Higher scores indicate higher certainty. |
| Proofpoint.MessagesDelivered.malwareScore | Number | The malware score of the message. Higher scores indicate higher certainty. |
| Proofpoint.MessagesDelivered.messageId | String | The Message-ID extracted from the headers of the email message. It can be used to look up the associated message in PPS but is not unique. |
| Proofpoint.MessagesDelivered.threatsInfoMap.threat | String | The artifact that was condemned by Proofpoint: the malicious URL, the hash of the attachment threat, or the email address of the impostor sender. |
| Proofpoint.MessagesDelivered.threatsInfoMap.threatId | String | The unique identifier associated with this threat. It can be used to query the forensics and campaign endpoints. |
| Proofpoint.MessagesDelivered.threatsInfoMap.threatStatus | String | The current state of the threat (active, expired, false-positive, cleared). |
| Proofpoint.MessagesDelivered.threatsInfoMap.threatTime | Date | The time Proofpoint assigned the threatStatus (ISO8601 format). |
| Proofpoint.MessagesDelivered.threatsInfoMap.threatType | String | Whether the threat was an attachment, URL, or message type. |
| Proofpoint.MessagesDelivered.threatsInfoMap.threatUrl | String | A link to the entry about the threat on the TAP Dashboard. |
| Proofpoint.MessagesDelivered.messageTime | Date | The time the message was delivered to the user or quarantined by PPS. |
| Proofpoint.MessagesDelivered.modulesRun | String | The list of PPS modules that processed the message. |
| Proofpoint.MessagesDelivered.phishScore | Number | The phishing score of the message. Higher scores indicate higher certainty. |
| Proofpoint.MessagesDelivered.policyRoutes | String | The policy routes that the message matched during processing by PPS. |
| Proofpoint.MessagesDelivered.quarantineFolder | String | The name of the folder that contains the quarantined message. This appears only for messagesBlocked events. |
| Proofpoint.MessagesDelivered.quarantineRule | String | The name of the rule that quarantined the message. This appears only for messagesBlocked events. |
| Proofpoint.MessagesDelivered.recipient | String | A list containing the email addresses of the recipients. |
| Proofpoint.MessagesDelivered.replyToAddress | String | The email address contained in the Reply-To: header, excluding any friendly name. |
| Proofpoint.MessagesDelivered.sender | String | The email address of the SMTP (envelope) sender. The user-part is hashed; the domain-part is cleartext. |
| Proofpoint.MessagesDelivered.senderIP | String | The IP address of the sender. |
| Proofpoint.MessagesDelivered.spamScore | Number | The spam score of the message. Higher scores indicate higher certainty. |
| Proofpoint.MessagesDelivered.subject | String | The subject line of the message, if available. |
| Proofpoint.MessagesBlocked.GUID | String | The ID of the message within PPS. It can be used to identify the message in PPS and is unique. |
| Proofpoint.MessagesBlocked.QID | String | The queue ID of the message within PPS. It can be used to identify the message in PPS but is not unique. |
| Proofpoint.MessagesBlocked.ccAddresses | String | A list of email addresses contained within the CC: header, excluding any friendly names. |
| Proofpoint.MessagesBlocked.clusterId | String | The name of the PPS cluster that processed the message. |
| Proofpoint.MessagesBlocked.fromAddress | String | The email address contained in the From: header, excluding any friendly name. |
| Proofpoint.MessagesBlocked.headerCC | String | The CC header. |
| Proofpoint.MessagesBlocked.headerFrom | String | The full content of the From: header, including any friendly name. |
| Proofpoint.MessagesBlocked.headerReplyTo | String | If present, the full content of the Reply-To: header, including any friendly names. |
| Proofpoint.MessagesBlocked.impostorScore | Number | The impostor score of the message. Higher scores indicate higher certainty. |
| Proofpoint.MessagesBlocked.malwareScore | Number | The malware score of the message. Higher scores indicate higher certainty. |
| Proofpoint.MessagesBlocked.messageId | String | The Message-ID extracted from the headers of the email message. It can be used to look up the associated message in PPS but is not unique. |
| Proofpoint.MessagesBlocked.threatsInfoMap.threat | String | The artifact that was condemned by Proofpoint: the malicious URL, the hash of the attachment threat, or the email address of the impostor sender. |
| Proofpoint.MessagesBlocked.threatsInfoMap.threatId | String | The unique identifier associated with this threat. It can be used to query the forensics and campaign endpoints. |
| Proofpoint.MessagesBlocked.threatsInfoMap.threatStatus | String | The current state of the threat (active, expired, false-positive, cleared). |
| Proofpoint.MessagesBlocked.threatsInfoMap.threatTime | Date | The time Proofpoint assigned the threatStatus (ISO8601 format). |
| Proofpoint.MessagesBlocked.threatsInfoMap.threatType | String | Whether the threat was an attachment, URL, or message type. |
| Proofpoint.MessagesBlocked.threatsInfoMap.threatUrl | String | A link to the entry about the threat on the TAP dashboard. |
| Proofpoint.MessagesBlocked.messageTime | Date | The time the message was blocked or quarantined by PPS. |
| Proofpoint.MessagesBlocked.modulesRun | String | The list of PPS modules that processed the message. |
| Proofpoint.MessagesBlocked.phishScore | Number | The phishing score of the message. Higher scores indicate higher certainty. |
| Proofpoint.MessagesBlocked.policyRoutes | String | The policy routes that the message matched during processing by PPS. |
| Proofpoint.MessagesBlocked.quarantineFolder | String | The name of the folder that contains the quarantined message. This appears only for messagesBlocked events. |
| Proofpoint.MessagesBlocked.quarantineRule | String | The name of the rule that quarantined the message. This appears only for messagesBlocked events. |
| Proofpoint.MessagesBlocked.recipient | String | A list containing the email addresses of the recipients. |
| Proofpoint.MessagesBlocked.replyToAddress | String | The email address contained in the Reply-To: header, excluding any friendly name. |
| Proofpoint.MessagesBlocked.sender | String | The email address of the SMTP (envelope) sender. The user-part is hashed; the domain-part is cleartext. |
| Proofpoint.MessagesBlocked.senderIP | String | The IP address of the sender. |
| Proofpoint.MessagesBlocked.spamScore | Number | The spam score of the message. Higher scores indicate higher certainty. |
| Proofpoint.MessagesBlocked.subject | String | The subject line of the message, if available. |
| Proofpoint.ClicksPermitted.GUID | String | The ID of the message within PPS. It can be used to identify the message in PPS and is unique. |
| Proofpoint.ClicksPermitted.campaignId | String | An identifier for the campaign of which the threat is a member, if available at the time of the query. Threats can be linked to campaigns even after these events are retrieved. |
| Proofpoint.ClicksPermitted.classification | String | The threat category of the malicious URL. |
| Proofpoint.ClicksPermitted.clickIP | String | The external IP address of the user who clicked the link. If the user is behind a firewall performing network address translation, the IP address of the firewall is shown. |
| Proofpoint.ClicksPermitted.clickTime | Date | The time the user clicked the URL. |
| Proofpoint.ClicksPermitted.messageID | String | The Message-ID extracted from the headers of the email message. It can be used to look up the associated message in PPS but is not unique. |
| Proofpoint.ClicksPermitted.recipient | String | The email address of the recipient. |
| Proofpoint.ClicksPermitted.sender | String | The email address of the sender. The user-part is hashed; the domain-part is cleartext. |
| Proofpoint.ClicksPermitted.senderIP | String | The IP address of the sender. |
| Proofpoint.ClicksPermitted.threatID | String | The unique identifier associated with this threat. It can be used to query the forensics and campaign endpoints. |
| Proofpoint.ClicksPermitted.threatTime | Date | The time Proofpoint identified the URL as a threat. |
| Proofpoint.ClicksPermitted.threatURL | String | A link to the entry on the TAP Dashboard for the particular threat. |
| Proofpoint.ClicksPermitted.url | String | The malicious URL that was clicked. |
| Proofpoint.ClicksPermitted.userAgent | String | The User-Agent header from the clicker's HTTP request. |
| Proofpoint.ClicksBlocked.GUID | String | The ID of the message within PPS. It can be used to identify the message in PPS and is guaranteed to be unique. |
| Proofpoint.ClicksBlocked.campaignId | String | An identifier for the campaign of which the threat is a member, if available at the time of the query. Threats can be linked to campaigns even after these events are retrieved. |
| Proofpoint.ClicksBlocked.classification | String | The threat category of the malicious URL. |
| Proofpoint.ClicksBlocked.clickIP | String | The external IP address of the user who clicked the link. If the user is behind a firewall performing network address translation, the IP address of the firewall is shown. |
| Proofpoint.ClicksBlocked.clickTime | Date | The time the user clicked the URL. |
| Proofpoint.ClicksBlocked.messageID | String | The Message-ID extracted from the headers of the email message. It can be used to look up the associated message in PPS but is not unique. |
| Proofpoint.ClicksBlocked.recipient | String | The email address of the recipient. |
| Proofpoint.ClicksBlocked.sender | String | The email address of the sender. The user-part is hashed; the domain-part is cleartext. |
| Proofpoint.ClicksBlocked.senderIP | String | The IP address of the sender. |
| Proofpoint.ClicksBlocked.threatID | String | The unique identifier associated with this threat. It can be used to query the forensics and campaign endpoints. |
| Proofpoint.ClicksBlocked.threatTime | Date | The time Proofpoint identified the URL as a threat. |
| Proofpoint.ClicksBlocked.threatURL | String | A link to the entry on the TAP dashboard for the particular threat. |
| Proofpoint.ClicksBlocked.url | String | The malicious URL that was clicked. |
| Proofpoint.ClicksBlocked.userAgent | String | The User-Agent header from the clicker's HTTP request. |

Command Example

```
!proofpoint-get-events interval="2021-06-07T02:00:00Z/2021-06-07T03:00:00Z"
```

Context Example

```json
{
  "Proofpoint": {
    "ClicksBlocked": null,
    "ClicksPermitted": null,
    "MessagesBlocked": [
      {
        "GUID": "9JRzwqiZEzBesdfnEM48ItsowO9ZJ1jmBbo",
        "QID": "3901vhsdfsdfg0q5d-1",
        "ccAddresses": [],
        "cluster": "hosted",
        "completelyRewritten": false,
        "fromAddress": [
          "xxxx@xxx.com"
        ],
        "headerFrom": "\"xxxx@xxx.com\" <xxxx@xxx.com>",
        "headerReplyTo": null,
        "id": "867899c4-bbbvnvde-9948-fxv0a2-740c13aafb98",
        "impostorScore": 0,
        "malwareScore": 0,
        "messageID": "<98fd30b9-b15b-b883-ca4xcvxvc8-3a0dsfsf766719bc4@xxxx@xxx.com>",
        "messageParts": [
          {
            "contentType": "text/html",
            "disposition": "inline",
            "filename": "text.html",
            "md5": "af671999d59182d8e66e100d4140b577",
            "oContentType": "text/html",
            "sandboxStatus": null,
            "sha256": "99e2546be00c1c2a763a51861dfgf6b2981871051843dc18542ba1417b0b464c00f"
          }
        ],
        "messageSize": 3684,
        "messageTime": "2021-06-07T01:50:00.000Z",
        "modulesRun": [
          "av",
          "spf",
          "dkimv",
          "spam",
          "dmarc",
          "pdr",
          "urldefense"
        ],
        "phishScore": 100,
        "policyRoutes": [
          "default_inbound"
        ],
        "quarantineFolder": "Phish",
        "quarantineRule": "inbound_spam_phish",
        "recipient": [
          "xxxx@xxx.com"
        ],
        "replyToAddress": [],
        "sender": "xxxx@xxx.com",
        "senderIP": "000.000.000.000",
        "spamScore": 100,
        "subject": "Your mailbox is full......",
        "threatsInfoMap": [
          {
            "campaignID": null,
            "classification": "phish",
            "threat": "io/login/verify",
            "threatID": "9a53601a616eb78609e525sdfsdfc0f73356c3d9ff80f00e782105ff08c53ee5a3cfca",
            "threatStatus": "active",
            "threatTime": "2021-06-07T00:47:12.000Z",
            "threatType": "url",
            "threatUrl": "https://threatinsight.proofpoint.com"
          }
        ],
        "toAddresses": [
          "xxxx@xxx.com"
        ],
        "xmailer": null
      }
    ],
    "MessagesDelivered": null
  }
}
```
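
The context above shows why the four event categories matter differently to a responder: a `MessagesBlocked` record was quarantined (note `quarantineFolder`), whereas a `MessagesDelivered` record with an `active` entry in `threatsInfoMap` reached a mailbox, and a `ClicksPermitted` record means a user actually reached the URL. The following is an added example, not part of the integration, of triaging such a context in a playbook step. The sample context is constructed to mirror the shape above (same keys, placeholder values, the SHA-256 of an empty file as the attachment hash); the grouping rules are this example's own.

```python
"""Triage a proofpoint-get-events context: added example, not integration code."""
import json

# Constructed sample shaped like the Context Example above; every value is a placeholder.
SAMPLE_CONTEXT = {
    "Proofpoint": {
        "ClicksBlocked": None,
        "ClicksPermitted": [
            {"GUID": "guid-click-1", "threatID": "threat-3", "recipient": "user@example.com",
             "url": "http://evil.example.invalid/login", "clickIP": "192.0.2.7",
             "classification": "phish"},
        ],
        "MessagesBlocked": [
            {"GUID": "guid-msg-1", "phishScore": 100, "spamScore": 100, "malwareScore": 0,
             "recipient": ["user@example.com"], "quarantineFolder": "Phish",
             "threatsInfoMap": [
                 {"threat": "storage.example.invalid/login/verify", "threatID": "threat-1",
                  "threatStatus": "active", "threatType": "url", "classification": "phish"}]},
        ],
        "MessagesDelivered": [
            {"GUID": "guid-msg-2", "phishScore": 40, "spamScore": 1, "malwareScore": 95,
             "recipient": ["user@example.com"],
             "threatsInfoMap": [
                 {"threat": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
                  "threatID": "threat-2", "threatStatus": "active",
                  "threatType": "attachment", "classification": "malware"},
                 {"threat": "evil.example.invalid/login", "threatID": "threat-3",
                  "threatStatus": "active", "threatType": "url", "classification": "phish"},
                 {"threat": "old.example.invalid/x", "threatID": "threat-4",
                  "threatStatus": "falsePositive", "threatType": "url",
                  "classification": "phish"}]},
        ],
    }
}


def _records(ctx, key):
    """A category is null when empty (see ClicksBlocked above); normalise to a list."""
    value = ctx.get("Proofpoint", {}).get(key)
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def active_threats(message):
    """Only threats still marked active warrant action; cleared/falsePositive do not."""
    return [t for t in message.get("threatsInfoMap", []) if t.get("threatStatus") == "active"]


def delivered_with_active_threats(ctx):
    """Messages that reached a mailbox and still carry an active threat."""
    return [m for m in _records(ctx, "MessagesDelivered") if active_threats(m)]


def clicked_threat_ids(ctx):
    """threatIDs a user actually reached; joins permitted clicks back to messages."""
    return {c.get("threatID") for c in _records(ctx, "ClicksPermitted")}


def extract_indicators(ctx):
    """Sorted, deduplicated (threatType, threat) pairs from active threats in both message lists."""
    found = set()
    for key in ("MessagesDelivered", "MessagesBlocked"):
        for message in _records(ctx, key):
            for t in active_threats(message):
                found.add((t.get("threatType"), t.get("threat")))
    return sorted(found)


def triage_events(ctx):
    """Summary a playbook can branch on: counts per category plus the indicator list."""
    delivered = delivered_with_active_threats(ctx)
    clicked = clicked_threat_ids(ctx)
    return {
        "blocked": len(_records(ctx, "MessagesBlocked")),
        "delivered_active": len(delivered),
        "delivered_threats_clicked": sum(
            1 for m in delivered for t in active_threats(m) if t.get("threatID") in clicked),
        "permitted_clicks": len(_records(ctx, "ClicksPermitted")),
        "indicators": extract_indicators(ctx),
    }


if __name__ == "__main__":
    print(json.dumps(triage_events(SAMPLE_CONTEXT), indent=2))
```

`delivered_threats_clicked` is the number that should drive urgency: it counts active threats in delivered mail whose `threatID` also appears in a permitted click, which is the "user received it and opened the link" case. The `falsePositive` entry is excluded from both the counts and the indicator list.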

Human Readable Output

Proofpoint Events

Table columns: clicksBlocked | clicksPermitted | messagesBlocked | messagesDelivered | queryEndTime

The messagesBlocked column holds the following record (rendered as a Python dict):

```python
{'spamScore': 100, 'phishScore': 100, 'threatsInfoMap': [{'threatID': '9a53601a616eb78609e525c0f73356c3d9ff80f00e782105ff08c53ee5a3cfca', 'threatStatus': 'active', 'classification': 'phish', 'threatUrl': 'https://threatinsight.proofpoint.com', 'threatTime': '2021-06-07T00:47:12.000Z', 'threat': 'storage.libertychurch9848737878.io/login/verify', 'campaignID': None, 'threatType': 'url'}, {'threatID': 'b72f9ac2cec86c5f2fb795ea47f2aea23d402fe46c5c64e2565363464b1b0eb2', 'threatStatus': 'active', 'classification': 'phish', 'threatUrl': 'https://threatinsight.proofpoint.com/1c863185-589c-ad2d-49cb-0020fe555aae/threat/email/b72f9ac2cec86c5f2fb795ea47f2aea23d402fe46c5c64e2565363464b1b0eb2', 'threatTime': '2021-06-07T00:47:23.000Z', 'threat': 'libertychurch9848737878.io', 'campaignID': None, 'threatType': 'url'}, {'threatID': 'da0ba8d6a9d5111900f5927eb4554e49fd30e6c5c4ad5b0c975feeb19c3bfc5b', 'threatStatus': 'active', 'classification': 'phish', 'threatUrl': 'https://threatinsight.proofpoint.com/1c863185-589c-ad2d-49cb-0020fe555aae/threat/email/da0ba8d6a9d5111900f5927eb4554e49fd30e6c5c4ad5b0c975feeb19c3bfc5b', 'threatTime': '2021-06-07T00:47:22.000Z', 'threat': 'storage.libertychurch9848737878.io/login/', 'campaignID': None, 'threatType': 'url'}], 'messageTime': '2021-06-07T01:50:00.000Z', 'impostorScore': 0.0, 'malwareScore': 0, 'cluster': 'hosted', 'subject': 'Your mailbox is full......', 'quarantineFolder': 'Phish', 'quarantineRule': 'inbound_spam_phish', 'policyRoutes': ['default_inbound'], 'modulesRun': ['av', 'spf', 'dkimv', 'spam', 'dmarc', 'pdr', 'urldefense'], 'messageSize': 3684, 'headerFrom': '"xxxx@xxx.com" xxxx@xxx.com', 'headerReplyTo': None, 'fromAddress': ['xxxx@xxx.com'], 'ccAddresses': [], 'replyToAddress': [], 'toAddresses': ['xxxx@xxx.com'], 'xmailer': None, 'messageParts': [{'disposition': 'inline', 'sha256': '99e2546be00c1c2a763a51861f6b29818710dsfsdf51843dc18542ba1417b0b464c00f', 'md5': 'af671999d59182d8e66e100d4140b577', 'filename': 'text.html', 'sandboxStatus': None, 'oContentType': 'text/html', 'contentType': 'text/html'}], 'completelyRewritten': False, 'id': '867899c4-bbde-9948-f0a2-740c13aafb98', 'QID': '3901vhsdvf0q5d-1', 'GUID': '9JRzwqisvsdvZEzBenEM48ItsowO9ZJ1jmBbo', 'sender': 'xxxx@xxx.com', 'recipient': ['xxxx@xxx.com'], 'senderIP': '000.000.000.000', 'messageID': 'xxxx@xxx.com'}
```

proofpoint-get-forensics

Returns forensics evidence.

Base Command

```
proofpoint-get-forensics
```

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| threatId | The ID of the threat (provide either threatId or campaignId). | Optional |
| campaignId | The ID of the campaign (provide either threatId or campaignId). | Optional |
| includeCampaignForensics | Whether to include forensic evidence for the whole campaign. Can be used with threatId only. Default is false. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Proofpoint.Report.ID | String | The ID of the report. |
| Proofpoint.Report.Type | String | The threat type. Can be: "attachment", "url", or "hybrid". |
| Proofpoint.Report.Scope | String | Whether the report scope covers a campaign or an individual threat. |
| Proofpoint.Report.Attachment.Time | Date | The relative time at which the evidence was observed during sandboxing. |
| Proofpoint.Report.Attachment.Malicious | String | Whether the evidence was used to reach a malicious verdict. |
| Proofpoint.Report.Attachment.Display | String | A friendly display string. |
| Proofpoint.Report.Attachment.SHA256 | String | The SHA256 hash of the attachment's contents. |
| Proofpoint.Report.Attachment.MD5 | String | The MD5 hash of the attachment's contents. |
| Proofpoint.Report.Attachment.Blacklisted | Number | Optional. Whether the file was blacklisted. |
| Proofpoint.Report.Attachment.Offset | Number | Optional. The offset in bytes where the malicious content was found. |
| Proofpoint.Report.Attachment.Size | Number | Optional. The size in bytes of the attachment's contents. |
| Proofpoint.Report.Attachment.Platform.Name | String | The name of the platform. |
| Proofpoint.Report.Attachment.Platform.OS | String | The operating system of the platform. |
| Proofpoint.Report.Attachment.Platform.Version | String | The version of the platform. |
| Proofpoint.Report.Cookie.Time | Date | The relative time at which the evidence was observed during sandboxing. |
| Proofpoint.Report.Cookie.Malicious | String | Whether the evidence was used to reach a malicious verdict. |
| Proofpoint.Report.Cookie.Display | String | A friendly display string. |
| Proofpoint.Report.Cookie.Action | String | Whether the cookie was set or deleted. |
| Proofpoint.Report.Cookie.Domain | String | The domain that set the cookie. |
| Proofpoint.Report.Cookie.Key | String | The name of the cookie being set or deleted. |
| Proofpoint.Report.Cookie.Value | String | Optional. The content of the cookie being set. |
| Proofpoint.Report.Cookie.Platform.Name | String | The name of the platform. |
| Proofpoint.Report.Cookie.Platform.OS | String | The operating system of the platform. |
| Proofpoint.Report.Cookie.Platform.Version | String | The version of the platform. |
| Proofpoint.Report.DNS.Time | Date | The relative time at which the evidence was observed during sandboxing. |
| Proofpoint.Report.DNS.Malicious | String | Whether the evidence was used to reach a malicious verdict. |
| Proofpoint.Report.DNS.Display | String | A friendly display string. |
| Proofpoint.Report.DNS.Host | String | The hostname being resolved. |
| Proofpoint.Report.DNS.CNames | String | Optional. An array of CNames that were associated with the hostname. |
| Proofpoint.Report.DNS.IP | String | Optional. An array of IP addresses that the hostname resolved to. |
| Proofpoint.Report.DNS.NameServers | String | Optional. The nameservers responsible for the hostname's domain. |
| Proofpoint.Report.DNS.NameServersList | String | Optional. The nameservers responsible for the hostnames. |
| Proofpoint.Report.DNS.Platform.Name | String | The name of the platform. |
| Proofpoint.Report.DNS.Platform.OS | String | The operating system of the platform. |
| Proofpoint.Report.DNS.Platform.Version | String | The version of the platform. |
| Proofpoint.Report.Dropper.Time | Date | The relative time at which the evidence was observed during sandboxing. |
| Proofpoint.Report.Dropper.Malicious | String | Whether the evidence was used to reach a malicious verdict. |
| Proofpoint.Report.Dropper.Display | String | A friendly display string. |
| Proofpoint.Report.Dropper.Path | String | The location of the dropper file. |
| Proofpoint.Report.Dropper.URL | String | Optional. The URL the dropper contacted. |
| Proofpoint.Report.Dropper.Rule | String | Optional. The name of the static rule inside the sandbox that identified the dropper. |
| Proofpoint.Report.Dropper.Platform.Name | String | The name of the platform. |
| Proofpoint.Report.Dropper.Platform.OS | String | The operating system of the platform. |
| Proofpoint.Report.Dropper.Platform.Version | String | The version of the platform. |
| Proofpoint.Report.File.Time | Date | The relative time at which the evidence was observed during sandboxing. |
| Proofpoint.Report.File.Malicious | String | Whether the evidence was used to reach a malicious verdict. |
| Proofpoint.Report.File.Display | String | A friendly display string. |
| Proofpoint.Report.File.Path | String | Optional. The location of the file operated on. |
| Proofpoint.Report.File.Action | String | Optional. The filesystem call made (create, modify, or delete). |
| Proofpoint.Report.File.Rule | String | Optional. The name of the static rule inside the sandbox that identified the suspicious file. |
| Proofpoint.Report.File.SHA256 | Unknown | Optional. The SHA256 hash of the file's contents. |
| Proofpoint.Report.File.MD5 | String | Optional. The MD5 hash of the file's contents. |
| Proofpoint.Report.File.Size | Number | Optional. The size in bytes of the file's contents. |
| Proofpoint.Report.File.Platform.Name | String | The name of the platform. |
| Proofpoint.Report.File.Platform.OS | String | The operating system of the platform. |
| Proofpoint.Report.File.Platform.Version | String | The version of the platform. |
| Proofpoint.Report.IDS.Time | Date | The relative time at which the evidence was observed during sandboxing. |
| Proofpoint.Report.IDS.Malicious | String | Whether the evidence was used to reach a malicious verdict. |
| Proofpoint.Report.IDS.Display | String | A friendly display string. |
| Proofpoint.Report.IDS.Name | String | The friendly name of the IDS rule that observed the malicious traffic. |
| Proofpoint.Report.IDS.SignatureID | String | The identifier of the IDS rule that observed the malicious traffic. |
| Proofpoint.Report.IDS.Platform.Name | String | The name of the platform. |
| Proofpoint.Report.IDS.Platform.OS | String | The operating system of the platform. |
| Proofpoint.Report.IDS.Platform.Version | String | The version of the platform. |
| Proofpoint.Report.Mutex.Time | Date | The relative time at which the evidence was observed during sandboxing. |
| Proofpoint.Report.Mutex.Malicious | String | Whether the evidence was used to reach a malicious verdict. |
| Proofpoint.Report.Mutex.Display | String | A friendly display string. |
| Proofpoint.Report.Mutex.Name | String | The name of the mutex. |
| Proofpoint.Report.Mutex.Path | String | Optional. The path to the process that spawned the mutex. |
| Proofpoint.Report.Mutex.Platform.Name | String | The name of the platform. |
| Proofpoint.Report.Mutex.Platform.OS | String | The operating system of the platform. |
| Proofpoint.Report.Mutex.Platform.Version | String | The version of the platform. |
| Proofpoint.Report.Network.Time | Date | The relative time at which the evidence was observed during sandboxing. |
| Proofpoint.Report.Network.Malicious | String | Whether the evidence was used to reach a malicious verdict. |
| Proofpoint.Report.Network.Display | String | A friendly display string. |
| Proofpoint.Report.Network.Action | String | The type of network activity being initiated (connect or listen). |
| Proofpoint.Report.Network.IP | String | The remote IP address being contacted. |
| Proofpoint.Report.Network.Port | String | The remote IP port being contacted. |
| Proofpoint.Report.Network.Type | String | The protocol being used (tcp or udp). |
| Proofpoint.Report.Network.Platform.Name | String | The name of the platform. |
| Proofpoint.Report.Network.Platform.OS | String | The operating system of the platform. |
| Proofpoint.Report.Network.Platform.Version | String | The version of the platform. |
| Proofpoint.Report.Process.Time | Date | The relative time at which the evidence was observed during sandboxing. |
| Proofpoint.Report.Process.Malicious | String | Whether the evidence was used to reach a malicious verdict. |
| Proofpoint.Report.Process.Display | String | A friendly display string. |
| Proofpoint.Report.Process.Action | String | The action performed on the process. Relevant when create is produced. |
| Proofpoint.Report.Process.Path | String | The location of the executable that spawned the process. |
| Proofpoint.Report.Process.Platform.Name | String | The name of the platform. |
| Proofpoint.Report.Process.Platform.OS | String | The operating system of the platform. |
| Proofpoint.Report.Process.Platform.Version | String | The version of the platform. |
| Proofpoint.Report.Registry.Time | Date | The relative time at which the evidence was observed during sandboxing. |
| Proofpoint.Report.Registry.Malicious | String | Whether the evidence was used to reach a malicious verdict. |
| Proofpoint.Report.Registry.Display | String | A friendly display string. |
| Proofpoint.Report.Registry.Name | String | Optional. The name of the registry entry being created or set. |
| Proofpoint.Report.Registry.Action | String | The registry change made (create or set). |
| Proofpoint.Report.Registry.Key | String | The location of the registry key being modified. |
| Proofpoint.Report.Registry.Value | String | Optional. The contents of the key being created or set. |
| Proofpoint.Report.Registry.Platform.Name | String | The name of the platform. |
| Proofpoint.Report.Registry.Platform.OS | String | The operating system of the platform. |
| Proofpoint.Report.Registry.Platform.Version | String | The version of the platform. |
| Proofpoint.Report.URL.Time | Date | The relative time at which the evidence was observed during sandboxing. |
| Proofpoint.Report.URL.Malicious | String | Whether the evidence was used to reach a malicious verdict. |
| Proofpoint.Report.URL.Display | String | A friendly display string. |
| Proofpoint.Report.URL.URL | String | The URL that was observed. |
| Proofpoint.Report.URL.Blacklisted | Boolean | Optional. Whether the URL appeared on a blacklist. |
| Proofpoint.Report.URL.SHA256 | String | Optional. The SHA256 hash of the file downloaded from the URL. |
| Proofpoint.Report.URL.MD5 | String | Optional. The MD5 hash of the file downloaded from the URL. |
| Proofpoint.Report.URL.Size | Number | Optional. The size in bytes of the file retrieved from the URL. |
| Proofpoint.Report.URL.HTTPStatus | Number | Optional. The HTTP status code that was produced when the sandbox visited the URL. |
| Proofpoint.Report.URL.IP | String | Optional. The IP address that the hostname resolved to in the sandbox. |
| Proofpoint.Report.URL.Platform.Name | String | The name of the platform. |
| Proofpoint.Report.URL.Platform.OS | String | The operating system of the platform. |
| Proofpoint.Report.URL.Platform.Version | String | The version of the platform. |
| Proofpoint.Report.Behavior.Time | Date | The relative time at which the evidence was observed during sandboxing. |
| Proofpoint.Report.Behavior.Malicious | String | Whether the evidence was used to reach a malicious verdict. |
| Proofpoint.Report.Behavior.Display | String | A friendly display string. |
| Proofpoint.Report.Behavior.URL | String | The URL that was observed. |
| Proofpoint.Report.Behavior.Path | String | The location of the executable that spawned the behavior. |
| Proofpoint.Report.Behavior.Platform.Name | String | The name of the platform. |
| Proofpoint.Report.Behavior.Platform.OS | String | The operating system of the platform. |
| Proofpoint.Report.Behavior.Platform.Version | String | The version of the platform. |
| Proofpoint.Report.Screenshot.Time | Date | The relative time at which the evidence was observed during sandboxing. |
| Proofpoint.Report.Screenshot.Malicious | String | Whether the evidence was used to reach a malicious verdict. |
| Proofpoint.Report.Screenshot.Display | String | A friendly display string. |
| Proofpoint.Report.Screenshot.URL | String | The URL hosting the screenshot image. |

Command Example

```
!proofpoint-get-forensics campaignId="35e291e1-c9da-4ebd-b229-538bf759b546"
```

Context Example

```json
{
  "Proofpoint": {
    "Report": {
      "Attachment": [
        {
          "Display": "Malicious attachment with SHA-256: 1c207a1ea4b89cc63c2d8391afcf25",
          "Malicious": true,
          "Platform": [
            {
              "Name": "Win10",
              "OS": "win",
              "Version": "win10"
            }
          ],
          "SHA256": "1c207da4b89cc63c2d8391afcf25",
          "Time": 0
        }
      ]
    }
  }
}
```
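
Every evidence category in the Context Output table shares the `Time`, `Malicious`, `Display` and `Platform` fields, and differs only in which field identifies the artifact (`SHA256` for an attachment, `Host` for DNS, `IP`/`Port`/`Type` for network activity, and so on). The following is an added example, not code from the integration, that flattens a `Proofpoint.Report` object into a single timeline of the evidence that contributed to the malicious verdict, ordered by the sandbox-relative `Time`. The sample report is constructed (placeholder ID, reserved example hosts and addresses); the per-category choice of identifying field is this example's own mapping of the table above.

```python
"""Flatten a proofpoint-get-forensics report into a malicious-evidence timeline.

Added example for this page; not code from the Proofpoint TAP integration.
"""

# Categories listed under Proofpoint.Report.* in the Context Output table.
EVIDENCE_CATEGORIES = ("Attachment", "Cookie", "DNS", "Dropper", "File", "IDS", "Mutex",
                       "Network", "Process", "Registry", "URL", "Behavior", "Screenshot")

_WIN10 = [{"Name": "Win10", "OS": "win", "Version": "win10"}]

# Constructed sample; the ID is a placeholder and all hosts/IPs are reserved example values.
SAMPLE_REPORT = {
    "ID": "00000000-0000-0000-0000-000000000000",
    "Type": "hybrid",
    "Scope": "CAMPAIGN",
    "Attachment": [
        {"Time": 0, "Malicious": True, "Display": "Malicious attachment",
         "SHA256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
         "MD5": "d41d8cd98f00b204e9800998ecf8427e", "Platform": _WIN10},
    ],
    "DNS": [
        {"Time": 12, "Malicious": True, "Display": "Resolved c2.example.invalid",
         "Host": "c2.example.invalid", "IP": ["192.0.2.10"], "Platform": _WIN10},
        {"Time": 3, "Malicious": False, "Display": "Resolved update.example.invalid",
         "Host": "update.example.invalid", "IP": ["198.51.100.5"], "Platform": _WIN10},
    ],
    "Network": [
        {"Time": 15, "Malicious": "true", "Display": "Connect 192.0.2.10:443",
         "Action": "connect", "IP": "192.0.2.10", "Port": "443", "Type": "tcp",
         "Platform": _WIN10},
    ],
    "URL": [
        {"Time": 7, "Malicious": True, "Display": "Fetched second stage",
         "URL": "http://c2.example.invalid/p", "Blacklisted": True, "HTTPStatus": 200,
         "Platform": _WIN10},
    ],
}


def _is_malicious(item):
    """The table types Malicious as String while the JSON example carries a bool; accept both."""
    value = item.get("Malicious")
    return value is True or str(value).lower() == "true"


def _indicator(category, item):
    """Pick the field that identifies the artifact for each category (this example's mapping)."""
    if category in ("Attachment", "File"):
        return item.get("SHA256") or item.get("MD5") or item.get("Path")
    if category in ("URL", "Behavior", "Screenshot"):
        return item.get("URL")
    if category == "DNS":
        return item.get("Host")
    if category == "Network":
        return f"{item.get('Type')}://{item.get('IP')}:{item.get('Port')}"
    if category in ("Dropper", "Process", "Mutex"):
        return item.get("Path") or item.get("Name")
    if category == "Registry":
        return item.get("Key")
    if category == "IDS":
        return item.get("SignatureID")
    if category == "Cookie":
        return f"{item.get('Domain')}:{item.get('Key')}"
    return item.get("Display")


def malicious_timeline(report, only_malicious=True):
    """One row per evidence item, ordered by sandbox-relative Time; benign rows dropped by default."""
    rows = []
    for category in EVIDENCE_CATEGORIES:
        for item in report.get(category) or []:
            if only_malicious and not _is_malicious(item):
                continue
            rows.append({
                "time": item.get("Time", 0),
                "category": category,
                "indicator": _indicator(category, item),
                "platforms": [p.get("Name") for p in item.get("Platform") or []],
                "display": item.get("Display"),
            })
    rows.sort(key=lambda r: (r["time"], r["category"]))
    return rows


def indicator_set(report):
    """(category, indicator) pairs suitable for a blocklist or a threat-intel lookup."""
    return {(r["category"], r["indicator"]) for r in malicious_timeline(report)}


if __name__ == "__main__":
    for row in malicious_timeline(SAMPLE_REPORT):
        print(f"t+{row['time']:>3}s  {row['category']:<10} {row['indicator']}  ({row['display']})")
```

Ordering by `Time` turns the per-category lists into the sequence the sandbox observed (attachment, then the URL fetch, then the DNS lookup and outbound connection), which is usually the view an analyst wants before deciding which indicators to block.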

Human Readable Output

Forensic results from ProofPoint for ID: 35e291e1-c9da-4ebd-b229-538bf759b546

| ID | Scope | Type |
| --- | --- | --- |
| 35e291e1-c9da-4ebd-b229-538bf759b546 | CAMPAIGN | |

proofpoint-get-events-clicks-blocked

Gets events for clicks to malicious URLs that were blocked in the specified time period. Either the interval or the time_range argument must be provided.

Base Command

```
proofpoint-get-events-clicks-blocked
```

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| threat_status | The threat status of the clicks to retrieve. If no value is specified, active and cleared threats are retrieved. Possible values are: active, cleared, falsePositive. | Optional |
| interval | An ISO8601-formatted interval. The minimum interval is thirty seconds. The maximum interval is one hour. For example: 2021-04-27T09:00:00Z/2021-04-27T10:00:00Z. | Optional |
| time_range | The start of the data retrieval period, relative to now. For example: 1 week, 2 days, 3 hours. The maximum is 1 week. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Proofpoint.ClicksBlocked.url | String | The malicious URL that was clicked. |
| Proofpoint.ClicksBlocked.classification | String | The threat category of the malicious URL (Malware, Phish, or Spam). |
| Proofpoint.ClicksBlocked.clickTime | Date | The time the user clicked the URL. |
| Proofpoint.ClicksBlocked.threatTime | Date | The time that Proofpoint identified the URL as a threat. |
| Proofpoint.ClicksBlocked.userAgent | String | The User-Agent header from the clicker's HTTP request. |
| Proofpoint.ClicksBlocked.campaignId | String | An identifier for the campaign of which the threat is a member. |
| Proofpoint.ClicksBlocked.id | String | The unique ID of the click. |
| Proofpoint.ClicksBlocked.clickIP | String | The external IP address of the user who clicked the link. |
| Proofpoint.ClicksBlocked.sender | String | The email address of the sender. The user-part is hashed; the domain-part is cleartext. |
| Proofpoint.ClicksBlocked.recipient | String | The email address of the recipient. |
| Proofpoint.ClicksBlocked.senderIP | String | The IP address of the sender. |
| Proofpoint.ClicksBlocked.threatID | String | The unique identifier associated with this threat. |
| Proofpoint.ClicksBlocked.threatURL | String | A link to the entry on the TAP dashboard for the particular threat. |
| Proofpoint.ClicksBlocked.threatStatus | String | The current state of the threat. |
| Proofpoint.ClicksBlocked.messageID | String | The ID of the message that the URL belongs to. |
| Proofpoint.ClicksBlocked.GUID | String | The ID of the message within PPS. It can be used to identify the message in PPS. |

Command Example#

```
!proofpoint-get-events-clicks-blocked time_range="1 hour"
```

Context Example#

```json
{
  "Proofpoint": {
    "ClicksBlocked": {
      "campaignId": "46e01b8a-c899-404d-bcd9-189bb393d1a7",
      "classification": "MALWARE",
      "clickIP": "192.0.2.2",
      "clickTime": "2010-01-22T00:00:10.000Z",
      "messageID": "4444",
      "recipient": "xxxx@xxx.com",
      "sender": "xxxx@xxx.com",
      "senderIP": "000.000.000.000",
      "threatID": "threat_num2",
      "threatTime": "2010-01-22T00:00:20.000Z",
      "threatURL": "https://threatinsight.proofpoint.com",
      "url": "http://badguy.zz/",
      "userAgent": "Mozilla/5.0(WindowsNT6.1;WOW64;rv:27.0)Gecko/20100101Firefox/27.0"
    }
  }
}
```

Human Readable Output#

Blocked Clicks#

| Id | Sender IP | Recipient | Classification | Threat ID | Threat URL | Threat Status | Threat Time | Click Time | Campaign Id | User Agent |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| | 000.000.000.000 | xxxx@xxx.com | MALWARE | threat_num2 | https://threatinsight.proofpoint.com | | 2010-01-22T00:00:20.000Z | 2010-01-22T00:00:10.000Z | 46e01b8a-c899-404d-bcd9-189bb393d1a7 | Mozilla/5.0(WindowsNT6.1;WOW64;rv:27.0)Gecko/20100101Firefox/27.0 |
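The interval and time_range arguments of this command and of the other get-events commands share the same limits: an interval of thirty seconds to one hour per request, and at most one week back. The helper below is an added example, not code from the integration; it converts a time_range such as "2 hours" into the consecutive one-hour ISO8601 intervals needed to cover it, and validates an explicit interval against those limits. It assumes the start/end form with UTC "Z" timestamps shown in the command examples; the duration forms of the API (PT30M/...) are not handled.

```python
"""Helpers for the `interval` and `time_range` arguments of the
proofpoint-get-events-* commands (added example, not integration code).

The commands accept an ISO8601 'start/end' interval of at least thirty seconds
and at most one hour, or a time_range such as "2 days" reaching back at most
one week. Covering a longer window therefore means issuing several requests,
one per hour-sized interval.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

MIN_INTERVAL = timedelta(seconds=30)   # documented minimum per request
MAX_INTERVAL = timedelta(hours=1)      # documented maximum per request
MAX_LOOKBACK = timedelta(weeks=1)      # documented maximum time_range

ISO_FMT = "%Y-%m-%dT%H:%M:%SZ"         # the form shown in the command examples
_UNITS = {
    "second": timedelta(seconds=1), "minute": timedelta(minutes=1),
    "hour": timedelta(hours=1), "day": timedelta(days=1), "week": timedelta(weeks=1),
}


def parse_time_range(text: str) -> timedelta:
    """'1 hour', '2 days', '1 week' -> timedelta; rejects anything past one week."""
    m = re.fullmatch(r"\s*(\d+)\s*(second|minute|hour|day|week)s?\s*", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised time_range: {text!r}")
    span = int(m.group(1)) * _UNITS[m.group(2).lower()]
    if span > MAX_LOOKBACK:
        raise ValueError("time_range may not exceed 1 week")
    if span < MIN_INTERVAL:
        raise ValueError("time_range must cover at least thirty seconds")
    return span


def parse_interval(interval: str) -> Tuple[datetime, datetime]:
    """Parse 'start/end' (both UTC, 'Z' suffix) and enforce the 30 s .. 1 h limits."""
    try:
        start_s, end_s = interval.split("/")
        start = datetime.strptime(start_s, ISO_FMT).replace(tzinfo=timezone.utc)
        end = datetime.strptime(end_s, ISO_FMT).replace(tzinfo=timezone.utc)
    except ValueError as exc:
        raise ValueError(f"interval must look like 2021-04-27T09:00:00Z/2021-04-27T10:00:00Z, "
                         f"got {interval!r}") from exc
    if not MIN_INTERVAL <= end - start <= MAX_INTERVAL:
        raise ValueError("interval must be between thirty seconds and one hour long")
    return start, end


def is_valid_interval(interval: str) -> bool:
    """True when `interval` would be accepted by the command."""
    try:
        parse_interval(interval)
        return True
    except ValueError:
        return False


def intervals_for_time_range(time_range: str, now_utc: Optional[str] = None) -> List[str]:
    """Split the last `time_range` into consecutive 'start/end' intervals no longer
    than one hour, oldest first, so each one is a valid single request.
    `now_utc` (ISO form as above) pins the clock; it defaults to the current time."""
    now = (datetime.strptime(now_utc, ISO_FMT).replace(tzinfo=timezone.utc) if now_utc
           else datetime.now(timezone.utc).replace(microsecond=0))
    start = now - parse_time_range(time_range)
    chunks: List[str] = []
    while start < now:
        end = min(start + MAX_INTERVAL, now)
        if end < now and now - end < MIN_INTERVAL:
            end = now - MIN_INTERVAL  # never leave a final sliver shorter than 30 s
        chunks.append(f"{start.strftime(ISO_FMT)}/{end.strftime(ISO_FMT)}")
        start = end
    return chunks
```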

proofpoint-get-events-clicks-permitted#


Get events for clicks to malicious URLs permitted in the specified time period. Must provide either the interval or time_range arguments.

Base Command#

proofpoint-get-events-clicks-permitted

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| threat_status | The click's threat status to retrieve. If no value is specified, active and cleared threats are retrieved. Possible values are: active, cleared, falsePositive. | Optional |
| interval | ISO8601-formatted interval. The minimum interval is thirty seconds. The maximum interval is one hour. For example: 2021-04-27T09:00:00Z/2021-04-27T10:00:00Z. | Optional |
| time_range | The start of the data retrieval period, relative to now. For example: 1 week, 2 days, 3 hours. The maximum is 1 week. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Proofpoint.ClicksPermitted.url | String | The malicious URL that was clicked. |
| Proofpoint.ClicksPermitted.classification | String | The threat category of the malicious URL (Malware, Phish, or Spam). |
| Proofpoint.ClicksPermitted.clickTime | Date | The time the user clicked the URL. |
| Proofpoint.ClicksPermitted.threatTime | Date | The time that Proofpoint identified the URL as a threat. |
| Proofpoint.ClicksPermitted.userAgent | String | The User-Agent header from the clicker's HTTP request. |
| Proofpoint.ClicksPermitted.campaignId | String | An identifier for the campaign of which the threat is a member. |
| Proofpoint.ClicksPermitted.id | String | The unique ID of the click. |
| Proofpoint.ClicksPermitted.clickIP | String | The external IP address of the user who clicked the link. |
| Proofpoint.ClicksPermitted.sender | String | The email address of the sender. The user-part is hashed; the domain-part is in cleartext. |
| Proofpoint.ClicksPermitted.recipient | String | The email address of the recipient. |
| Proofpoint.ClicksPermitted.senderIP | String | The IP address of the sender. |
| Proofpoint.ClicksPermitted.threatID | String | The unique identifier associated with this threat. |
| Proofpoint.ClicksPermitted.threatURL | String | A link to the entry on the TAP dashboard for the particular threat. |
| Proofpoint.ClicksPermitted.threatStatus | String | The current state of the threat. |
| Proofpoint.ClicksPermitted.messageID | String | The ID of the message that the URL belongs to. |
| Proofpoint.ClicksPermitted.GUID | String | The ID of the message within PPS. It can be used to identify the message in PPS. |

Command Example#

```
!proofpoint-get-events-clicks-permitted time_range="1 hour"
```

Context Example#

```json
{
  "Proofpoint": {
    "ClicksPermitted": {
      "campaignId": "46e01b8a-c899-404d-bcd9-189bb393d1a7",
      "classification": "MALWARE",
      "clickIP": "192.0.2.2",
      "clickTime": "2010-01-22T00:00:10.000Z",
      "messageID": "4444",
      "recipient": "xxxx@xxx.com",
      "sender": "9facbf452def2d7efc5b5c48cdb837fa@badguy.zz",
      "senderIP": "000.000.000.000",
      "threatID": "threat_num2",
      "threatTime": "2010-01-22T00:00:20.000Z",
      "threatURL": "https://threatinsight.proofpoint.com",
      "url": "http://badguy.zz/",
      "userAgent": "Mozilla/5.0(WindowsNT6.1;WOW64;rv:27.0)Gecko/20100101Firefox/27.0"
    }
  }
}
```

Human Readable Output#

Permitted Clicks#

| Id | Sender IP | Recipient | Classification | Threat ID | Threat URL | Threat Status | Threat Time | Click Time | Campaign Id | User Agent |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| | 192.0.2.255 | xxxx@xxx.com | MALWARE | threat_num2 | https://threatinsight.proofpoint.com | | 2010-01-22T00:00:20.000Z | 2010-01-22T00:00:10.000Z | 46e01b8a-c899-404d-bcd9-189bb393d1a7 | Mozilla/5.0(WindowsNT6.1;WOW64;rv:27.0)Gecko/20100101Firefox/27.0 |

proofpoint-get-events-messages-blocked#


Get events for blocked messages in the specified time period. Must provide either the interval or time_range arguments.

Base Command#

proofpoint-get-events-messages-blocked

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| threat_type | The message's threat type to retrieve. If no value is specified, all threat types are retrieved. Possible values are: url, attachment, message. | Optional |
| threat_status | The message's threat status to retrieve. If no value is specified, active and cleared threats are retrieved. Possible values are: active, cleared, falsePositive. | Optional |
| interval | ISO8601-formatted interval. The minimum interval is thirty seconds. The maximum interval is one hour. For example: 2021-04-27T09:00:00Z/2021-04-27T10:00:00Z. | Optional |
| time_range | The start of the data retrieval period, relative to now. For example: 1 week, 2 days, 3 hours. The maximum is 1 week. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Proofpoint.MessagesBlocked.spamScore | Number | The spam score of the message. Higher scores indicate higher certainty. |
| Proofpoint.MessagesBlocked.phishScore | Number | The phish score of the message. Higher scores indicate higher certainty. |
| Proofpoint.MessagesBlocked.threatsInfoMap | List | A list with details about the threats detected within the message. Each entry contains: campaignID, classification, threat, threatID, threatStatus, threatTime, threatType, threatUrl. |
| Proofpoint.MessagesBlocked.messageTime | Date | The time the message was delivered to the user or quarantined by PPS. |
| Proofpoint.MessagesBlocked.impostorScore | Number | The impostor score of the message. Higher scores indicate higher certainty. |
| Proofpoint.MessagesBlocked.malwareScore | Number | The malware score of the message. Higher scores indicate higher certainty. |
| Proofpoint.MessagesBlocked.cluster | String | The name of the PPS cluster that processed the message. |
| Proofpoint.MessagesBlocked.subject | String | The subject line of the message, if available. |
| Proofpoint.MessagesBlocked.quarantineFolder | String | The name of the folder that contains the quarantined message. This appears only for blocked messages; for delivered messages the value is 'None'. |
| Proofpoint.MessagesBlocked.quarantineRule | String | The name of the rule that quarantined the message. This appears only for messagesBlocked events. |
| Proofpoint.MessagesBlocked.policyRoutes | List | The policy routes that the message matched during processing by PPS. |
| Proofpoint.MessagesBlocked.modulesRun | String | The list of PPS modules that processed the message. |
| Proofpoint.MessagesBlocked.messageSize | Number | The size in bytes of the message, including headers and attachments. |
| Proofpoint.MessagesBlocked.Header.headerFrom | String | The full content of the From: header, including any friendly name. |
| Proofpoint.MessagesBlocked.Header.headerReplyTo | String | If present, the full content of the Reply-To: header, including any friendly names. |
| Proofpoint.MessagesBlocked.Header.fromAddress | List | The email address contained in the From: header, excluding the friendly name. |
| Proofpoint.MessagesBlocked.Header.ccAddresses | List | A list of email addresses contained within the CC: header, excluding friendly names. |
| Proofpoint.MessagesBlocked.Header.replyToAddress | List | The email address contained in the Reply-To: header, excluding the friendly name. |
| Proofpoint.MessagesBlocked.Header.toAddresses | List | A list of email addresses contained within the To: header, excluding friendly names. |
| Proofpoint.MessagesBlocked.Header.xmailer | String | The content of the X-Mailer: header, if present. |
| Proofpoint.MessagesBlocked.messageParts | List | An array of structures that contain details about the parts of the message, including both message bodies and attachments. |
| Proofpoint.MessagesBlocked.completelyRewritten | String | The rewrite status of the message. If the value is true, all instances of URL threats within the message were successfully rewritten. If the value is false, at least one instance of the threat URL was not rewritten. If the value is 'na', the message did not contain any URL-based threats. |
| Proofpoint.MessagesBlocked.id | String | The unique ID of the message. |
| Proofpoint.MessagesBlocked.sender | String | The email address of the SMTP (envelope) sender. The user-part is hashed; the domain-part is cleartext. |
| Proofpoint.MessagesBlocked.recipient | List | A list containing the email addresses of the recipients. |
| Proofpoint.MessagesBlocked.senderIP | String | The IP address of the sender. |
| Proofpoint.MessagesBlocked.messageID | String | The Message-ID extracted from the headers of the email message. |
| Proofpoint.MessagesBlocked.GUID | String | The ID of the message within PPS. It can be used to identify the message in PPS. |

Command Example#

```
!proofpoint-get-events-messages-blocked interval="2021-06-07T02:00:00Z/2021-06-07T03:00:00Z"
```

Context Example#

```json
{
  "Proofpoint": {
    "MessagesBlocked": [
      {
        "GUID": "9JRzwqiZEzBenEMsdgsdfg48ItsowO9ZJ1jmBbo",
        "Header": {
          "ccAddresses": [],
          "fromAddress": [
            "xxxx@xxx.com"
          ],
          "headerFrom": "\"xxxx@xxx.com\" <xxxx@xxx.com>",
          "headerReplyTo": null,
          "replyToAddress": [],
          "toAddresses": [
            "xxxx@xxx.com"
          ],
          "xmailer": null
        },
        "cluster": "hosted",
        "completelyRewritten": false,
        "id": "867899c4-bbde-9948-f0a2-740c13aafb98",
        "impostorScore": 0,
        "malwareScore": 0,
        "messageID": "<xxxx@xxx.com>",
        "messageParts": [
          {
            "contentType": "text/html",
            "disposition": "inline",
            "filename": "text.html",
            "md5": "a",
            "oContentType": "text/html",
            "sandboxStatus": null,
            "sha256": "99843dc18542ba1417b0b464c00f"
          }
        ],
        "messageSize": 3684,
        "messageTime": "2021-06-07T01:50:00.000Z",
        "modulesRun": [
          "av",
          "spf",
          "dkimv",
          "spam",
          "dmarc",
          "pdr",
          "urldefense"
        ],
        "phishScore": 100,
        "policyRoutes": [
          "default_inbound"
        ],
        "quarantineFolder": "Phish",
        "quarantineRule": "inbound_spam_phish",
        "recipient": [
          "xxxx@xxx.com"
        ],
        "sender": "xxxx@xxx.com",
        "senderIP": "000.000.000.000",
        "spamScore": 100,
        "subject": "Your mailbox is full......",
        "threatsInfoMap": [
          {
            "campaignID": null,
            "classification": "phish",
            "threat": "login/verify",
            "threatID": "9a",
            "threatStatus": "active",
            "threatTime": "2021-06-07T00:47:12.000Z",
            "threatType": "url",
            "threatUrl": "https://threatinsight.proofpoint.com"
          }
        ]
      }
    ]
  }
}
```

Human Readable Output#

Blocked Messages#

| Sender IP | Sender | Recipient | Subject | Message Size | Message Time | Malware Score | Phish Score | Spam Score |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 000.000.000.000 | xxxx@xxx.com | xxxx@xxx.com | Your mailbox is full...... | 3684 | 2021-06-07T01:50:00.000Z | 0 | 100 | 100 |

Blocked Messages Threats Information#

| Sender | Recipient | Subject | Classification | Threat | Threat Status | Threat Url | Threat ID | Threat Time | Campaign ID |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| xxxx@xxx.com | xxxx@xxx.com | Your mailbox is full...... | phish | login/verify | active | https://threatinsight.proofpoint.com | 9a53601a616eb78609e525c0f3ee5a3cfca | 2021-06-07T00:47:12.000Z | |

proofpoint-get-events-messages-delivered#


Get events for delivered messages in the specified time period. Must provide either the interval or time_range arguments.

Base Command#

proofpoint-get-events-messages-delivered

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| threat_type | The message's threat type to retrieve. If no value is specified, all threat types are retrieved. Possible values are: url, attachment, message. | Optional |
| threat_status | The message's threat status to retrieve. If no value is specified, active and cleared threats are retrieved. Possible values are: active, cleared, falsePositive. | Optional |
| interval | ISO8601-formatted interval. The minimum interval is thirty seconds. The maximum interval is one hour. For example: 2021-04-27T09:00:00Z/2021-04-27T10:00:00Z. | Optional |
| time_range | The start of the data retrieval period, relative to now. For example: 1 week, 2 days, 3 hours. The maximum is 1 week. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Proofpoint.MessagesDelivered.spamScore | Number | The spam score of the message. Higher scores indicate higher certainty. |
| Proofpoint.MessagesDelivered.phishScore | Number | The phish score of the message. Higher scores indicate higher certainty. |
| Proofpoint.MessagesDelivered.threatsInfoMap | List | A list with details about the threats detected within the message. Each entry contains: campaignID, classification, threat, threatID, threatStatus, threatTime, threatType, threatUrl. |
| Proofpoint.MessagesDelivered.messageTime | Date | The time the message was delivered to the user or quarantined by PPS. |
| Proofpoint.MessagesDelivered.impostorScore | Number | The impostor score of the message. Higher scores indicate higher certainty. |
| Proofpoint.MessagesDelivered.malwareScore | Number | The malware score of the message. Higher scores indicate higher certainty. |
| Proofpoint.MessagesDelivered.cluster | String | The name of the PPS cluster that processed the message. |
| Proofpoint.MessagesDelivered.subject | String | The subject line of the message, if available. |
| Proofpoint.MessagesDelivered.quarantineFolder | String | The name of the folder that contains the quarantined message. This appears only for blocked messages; for delivered messages the value is 'None'. |
| Proofpoint.MessagesDelivered.quarantineRule | String | The name of the rule that quarantined the message. This appears only for messagesBlocked events. |
| Proofpoint.MessagesDelivered.policyRoutes | List | The policy routes that the message matched during processing by PPS. |
| Proofpoint.MessagesDelivered.modulesRun | String | The list of PPS modules that processed the message. |
| Proofpoint.MessagesDelivered.messageSize | Number | The size in bytes of the message, including headers and attachments. |
| Proofpoint.MessagesDelivered.Header.headerFrom | String | The full content of the From: header, including any friendly name. |
| Proofpoint.MessagesDelivered.Header.headerReplyTo | String | If present, the full content of the Reply-To: header, including any friendly names. |
| Proofpoint.MessagesDelivered.Header.fromAddress | List | The email address contained in the From: header, excluding the friendly name. |
| Proofpoint.MessagesDelivered.Header.ccAddresses | List | A list of email addresses contained within the CC: header, excluding friendly names. |
| Proofpoint.MessagesDelivered.Header.replyToAddress | List | The email address contained in the Reply-To: header, excluding the friendly name. |
| Proofpoint.MessagesDelivered.Header.toAddresses | List | A list of email addresses contained within the To: header, excluding friendly names. |
| Proofpoint.MessagesDelivered.Header.xmailer | String | The content of the X-Mailer: header, if present. |
| Proofpoint.MessagesDelivered.messageParts | List | An array of structures that contain details about the parts of the message, including both message bodies and attachments. |
| Proofpoint.MessagesDelivered.completelyRewritten | String | The rewrite status of the message. If the value is true, all instances of URL threats within the message were successfully rewritten. If the value is false, at least one instance of the threat URL was not rewritten. If the value is 'na', the message did not contain any URL-based threats. |
| Proofpoint.MessagesDelivered.id | String | The unique ID of the message. |
| Proofpoint.MessagesDelivered.sender | String | The email address of the SMTP (envelope) sender. The user-part is hashed; the domain-part is cleartext. |
| Proofpoint.MessagesDelivered.recipient | List | A list containing the email addresses of the recipients. |
| Proofpoint.MessagesDelivered.senderIP | String | The IP address of the sender. |
| Proofpoint.MessagesDelivered.messageID | String | The Message-ID extracted from the headers of the email message. |
| Proofpoint.MessagesDelivered.GUID | String | The ID of the message within PPS. It can be used to identify the message in PPS and is guaranteed to be unique. |

Command Example#

```
!proofpoint-get-events-messages-delivered interval="2021-06-03T17:00:00Z/2021-06-03T18:00:00Z"
```

Context Example#

```json
{
  "Proofpoint": {
    "MessagesDelivered": {
      "GUID": "Ggfsdfsdf",
      "Header": {
        "ccAddresses": [],
        "fromAddress": [
          "xxxx@xxx.com"
        ],
        "headerFrom": "\"j.\" <xxxx@xxx.com>",
        "headerReplyTo": null,
        "replyToAddress": [],
        "toAddresses": [],
        "xmailer": null
      },
      "cluster": "hosted",
      "completelyRewritten": true,
      "id": "1828003vsdv05566e842",
      "impostorScore": 0,
      "malwareScore": 0,
      "messageID": "<SI2PR0dfbvd.xxxx@xxx.com.com>",
      "messageParts": [
        {
          "contentType": "text/html",
          "disposition": "inline",
          "filename": "text.html",
          "md5": "fcfa9b21f43fbdf02965263c63e",
          "oContentType": "text/html",
          "sandboxStatus": null,
          "sha256": "72d3dc7a01dfbdbe8e871536864f56bf235ba08ff259105ac"
        }
      ],
      "messageSize": 10171,
      "messageTime": "2021-06-02T13:41:32.000Z",
      "modulesRun": [
        "av",
        "spf",
        "dkimv",
        "spam",
        "dmarc",
        "urldefense"
      ],
      "phishScore": 0,
      "policyRoutes": [
        "default_inbound",
        "allow_relay"
      ],
      "quarantineFolder": null,
      "quarantineRule": null,
      "recipient": [
        "xxxx@xxx.com"
      ],
      "sender": "xxxx@xxx.com",
      "senderIP": "400.000.000",
      "spamScore": 43,
      "subject": "=",
      "threatsInfoMap": [
        {
          "campaignID": null,
          "classification": "phish",
          "threat": "https://bit.ly",
          "threatID": "45fe3b35ghkk2b8916934b6c0a536cc9b2603d03",
          "threatStatus": "active",
          "threatTime": "2021-06-03T07:17:11.000Z",
          "threatType": "url",
          "threatUrl": "https://threatinsight.proofpoint.com"
        }
      ]
    }
  }
}
```

Human Readable Output#

Delivered Messages#

| Sender IP | Sender | Recipient | Subject | Message Size | Message Time | Malware Score | Phish Score | Spam Score |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 00.000.000.0000 | xxxx@xxx.com | xxxx@xxx.com | = | 10171 | 2021-06-02T13:41:32.000Z | 0 | 0 | 43 |

Delivered Messages Threats Information#

| Sender | Recipient | Subject | Classification | Threat | Threat Status | Threat Url | Threat ID | Threat Time | Campaign ID |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| xxxx@xxx.com | xxxx@xxx.com | = | phish | https://bit.ly | active | https://threatinsight.proofpoint.com | 45fe3b35b7bd2adfad6dea4d305bea3e7c1a2b8gfhh03d03 | 2021-06-03T07:17:11.000Z | |

proofpoint-list-issues#


Get events for clicks to malicious URLs permitted and messages delivered containing a known attachment threat within the specified time period. Must provide either the interval or time_range arguments.

Base Command#

proofpoint-list-issues

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| threat_type | The event's threat type to retrieve. If no value is specified, all threat types are retrieved. Possible values are: url, attachment, message. | Optional |
| threat_status | The event's threat status to retrieve. If no value is specified, active and cleared threats are retrieved. Possible values are: active, cleared, falsePositive. | Optional |
| interval | ISO8601-formatted interval. The minimum interval is thirty seconds. The maximum interval is one hour. For example: 2021-04-27T09:00:00Z/2021-04-27T10:00:00Z. | Optional |
| time_range | The start of the data retrieval period, relative to now. For example: 1 week, 2 days, 3 hours. The maximum is 1 week. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Proofpoint.ClicksPermitted.url | String | The malicious URL that was clicked. |
| Proofpoint.ClicksPermitted.classification | String | The threat category of the malicious URL (Malware, Phish, or Spam). |
| Proofpoint.ClicksPermitted.clickTime | Date | The time the user clicked the URL. |
| Proofpoint.ClicksPermitted.threatTime | Date | The time that Proofpoint identified the URL as a threat. |
| Proofpoint.ClicksPermitted.userAgent | String | The User-Agent header from the clicker's HTTP request. |
| Proofpoint.ClicksPermitted.campaignId | String | An identifier for the campaign of which the threat is a member. |
| Proofpoint.ClicksPermitted.id | String | The unique ID of the click. |
| Proofpoint.ClicksPermitted.clickIP | String | The external IP address of the user who clicked the link. |
| Proofpoint.ClicksPermitted.sender | String | The email address of the sender. The user-part is hashed; the domain-part is in cleartext. |
| Proofpoint.ClicksPermitted.recipient | String | The email address of the recipient. |
| Proofpoint.ClicksPermitted.senderIP | String | The IP address of the sender. |
| Proofpoint.ClicksPermitted.threatID | String | The unique identifier associated with this threat. |
| Proofpoint.ClicksPermitted.threatURL | String | A link to the entry on the TAP dashboard for the particular threat. |
| Proofpoint.ClicksPermitted.threatStatus | String | The current state of the threat. |
| Proofpoint.ClicksPermitted.messageID | String | The ID of the message that the URL belongs to. |
| Proofpoint.ClicksPermitted.GUID | String | The ID of the message within PPS. It can be used to identify the message in PPS and is guaranteed to be unique. |
| Proofpoint.MessagesDelivered.spamScore | Number | The spam score of the message. Higher scores indicate higher certainty. |
| Proofpoint.MessagesDelivered.phishScore | Number | The phish score of the message. Higher scores indicate higher certainty. |
| Proofpoint.MessagesDelivered.threatsInfoMap | List | A list with details about the threats detected within the message. Each entry contains: campaignID, classification, threat, threatID, threatStatus, threatTime, threatType, threatUrl. |
| Proofpoint.MessagesDelivered.messageTime | Date | The time the message was delivered to the user or quarantined by PPS. |
| Proofpoint.MessagesDelivered.impostorScore | Number | The impostor score of the message. Higher scores indicate higher certainty. |
| Proofpoint.MessagesDelivered.malwareScore | Number | The malware score of the message. Higher scores indicate higher certainty. |
| Proofpoint.MessagesDelivered.cluster | String | The name of the PPS cluster that processed the message. |
| Proofpoint.MessagesDelivered.subject | String | The subject line of the message, if available. |
| Proofpoint.MessagesDelivered.quarantineFolder | String | The name of the folder that contains the quarantined message. This appears only for blocked messages; for delivered messages the value is 'None'. |
| Proofpoint.MessagesDelivered.quarantineRule | String | The name of the rule that quarantined the message. This appears only for messagesBlocked events. |
| Proofpoint.MessagesDelivered.policyRoutes | List | The policy routes that the message matched during processing by PPS. |
| Proofpoint.MessagesDelivered.modulesRun | String | The list of PPS modules that processed the message. |
| Proofpoint.MessagesDelivered.messageSize | Number | The size in bytes of the message, including headers and attachments. |
| Proofpoint.MessagesDelivered.Header.headerFrom | String | The full content of the From: header, including any friendly name. |
| Proofpoint.MessagesDelivered.Header.headerReplyTo | String | If present, the full content of the Reply-To: header, including any friendly names. |
| Proofpoint.MessagesDelivered.Header.fromAddress | List | The email address contained in the From: header, excluding any friendly name. |
| Proofpoint.MessagesDelivered.Header.ccAddresses | List | A list of email addresses contained within the CC: header, excluding any friendly names. |
| Proofpoint.MessagesDelivered.Header.replyToAddress | List | The email address contained in the Reply-To: header, excluding any friendly name. |
| Proofpoint.MessagesDelivered.Header.toAddresses | List | A list of email addresses contained within the To: header, excluding any friendly names. |
| Proofpoint.MessagesDelivered.Header.xmailer | String | The content of the X-Mailer: header, if present. |
| Proofpoint.MessagesDelivered.messageParts | List | An array of structures that contain details about the parts of the message, including both message bodies and attachments. |
| Proofpoint.MessagesDelivered.completelyRewritten | String | The rewrite status of the message. If the value is true, all instances of URL threats within the message were successfully rewritten. If the value is false, at least one instance of the threat URL was not rewritten. If the value is 'na', the message did not contain any URL-based threats. |
| Proofpoint.MessagesDelivered.id | String | The unique ID of the message. |
| Proofpoint.MessagesDelivered.sender | String | The email address of the SMTP (envelope) sender. The user-part is hashed; the domain-part is cleartext. |
| Proofpoint.MessagesDelivered.recipient | List | A list containing the email addresses of the recipients. |
| Proofpoint.MessagesDelivered.senderIP | String | The IP address of the sender. |
| Proofpoint.MessagesDelivered.messageID | String | The Message-ID extracted from the headers of the email message. |
| Proofpoint.MessagesDelivered.GUID | String | The ID of the message within PPS. It can be used to identify the message in PPS and is guaranteed to be unique. |

Command Example#

```
!proofpoint-list-issues interval="2021-06-03T17:00:00Z/2021-06-03T18:00:00Z"
```

Context Example#

```json
{
  "Proofpoint": {
    "MessagesDelivered": {
      "GUID": "Ggfsdfsdf",
      "Header": {
        "ccAddresses": [],
        "fromAddress": [
          "xxxx@xxx.com"
        ],
        "headerFrom": "\"j.\" <xxxx@xxx.com>",
        "headerReplyTo": null,
        "replyToAddress": [],
        "toAddresses": [],
        "xmailer": null
      },
      "cluster": "hosted",
      "completelyRewritten": true,
      "id": "1828003vsdv05566e842",
      "impostorScore": 0,
      "malwareScore": 0,
      "messageID": "<SI2PR0dfbvd.xxxx@xxx.com.com>",
      "messageParts": [
        {
          "contentType": "text/html",
          "disposition": "inline",
          "filename": "text.html",
          "md5": "fcfa9b21f43fbdf02965263c63e",
          "oContentType": "text/html",
          "sandboxStatus": null,
          "sha256": "72d3dc7a01dfbdbe8e871536864f56bf235ba08ff259105ac"
        }
      ],
      "messageSize": 10171,
      "messageTime": "2021-06-02T13:41:32.000Z",
      "modulesRun": [
        "av",
        "spf",
        "dkimv",
        "spam",
        "dmarc",
        "urldefense"
      ],
      "phishScore": 0,
      "policyRoutes": [
        "default_inbound",
        "allow_relay"
      ],
      "quarantineFolder": null,
      "quarantineRule": null,
      "recipient": [
        "xxxx@xxx.com"
      ],
      "sender": "xxxx@xxx.com",
      "senderIP": "400.000.000",
      "spamScore": 43,
      "subject": "=",
      "threatsInfoMap": [
        {
          "campaignID": null,
          "classification": "phish",
          "threat": "https://bit.ly",
          "threatID": "45fe3b35ghkk2b8916934b6c0a536cc9b2603d03",
          "threatStatus": "active",
          "threatTime": "2021-06-03T07:17:11.000Z",
          "threatType": "url",
          "threatUrl": "https://threatinsight.proofpoint.com"
        }
      ]
    }
  }
}
```

Human Readable Output#

Delivered Messages#

| Sender IP | Sender | Recipient | Subject | Message Size | Message Time | Malware Score | Phish Score | Spam Score |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 00.000.000.0000 | xxxx@xxx.com | xxxx@xxx.com | = | 10171 | 2021-06-02T13:41:32.000Z | 0 | 0 | 43 |

Delivered Messages Threats Information#

| Sender | Recipient | Subject | Classification | Threat | Threat Status | Threat Url | Threat ID | Threat Time | Campaign ID |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| xxxx@xxx.com | xxxx@xxx.com | = | phish | https://bit.ly | active | https://threatinsight.proofpoint.com | 45fe3b35b7bd2adfad6dea4d305bea3e7c1a2b8gfhh03d03 | 2021-06-03T07:17:11.000Z | |

Permitted click from list-issues command result:#

No entries.
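The list-issues result combines the two event kinds a defender has to act on: a click that TAP permitted, and a message that was delivered although it carries a known threat. The Python below is an added example, not part of the integration. It takes a context object in the layout documented above (the sample records are constructed here with example.test addresses), keeps only threats whose threatStatus is still active, ranks them (permitted click first, then a delivered attachment threat, then a delivered URL threat that was not rewritten), and returns a worklist. The field names come from the Context Output tables; the priority values and action texts are the example's own choices.

```python
"""Rank the results of proofpoint-list-issues into a worklist.
Added example, not part of the Proofpoint TAP integration. Uses only the
context fields documented for Proofpoint.MessagesDelivered and
Proofpoint.ClicksPermitted; the priorities and action texts are this
example's own choices.
"""
from typing import Any, Dict, List

# Highest first: a permitted click means the user reached the URL; a delivered
# attachment threat is sitting in mailboxes; a delivered URL threat that TAP
# did not rewrite cannot be blocked at click time; a rewritten one can.
P_CLICKED, P_ATTACHMENT, P_URL_UNREWRITTEN, P_URL_REWRITTEN = 4, 3, 2, 1


def _as_list(value: Any) -> List[Dict[str, Any]]:
    """A context path holds one dict for a single result and a list for several."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def sender_domain(sender: str) -> str:
    """TAP hashes the user-part of `sender`; only the domain-part is usable."""
    return sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""


def triage_message(msg: Dict[str, Any]) -> List[Dict[str, Any]]:
    """One worklist item per threat that is still active in a delivered message."""
    items = []
    rewritten = msg.get("completelyRewritten") is True
    for t in msg.get("threatsInfoMap") or []:
        if t.get("threatStatus") != "active":
            continue  # cleared or falsePositive: nothing left to do
        ttype = t.get("threatType")
        if ttype == "attachment":
            priority, action = P_ATTACHMENT, "pull the message; hunt for the attachment hash"
        elif ttype == "url" and not rewritten:
            priority, action = P_URL_UNREWRITTEN, "pull the message; link not rewritten, clicks are not blocked"
        elif ttype == "url":
            priority, action = P_URL_REWRITTEN, "pull the message; clicks on the rewritten link are blocked"
        else:
            priority, action = P_URL_REWRITTEN, "review the message-text threat"
        items.append({
            "priority": priority, "kind": "delivered", "action": action,
            "messageGUID": msg.get("GUID"), "threatID": t.get("threatID"),
            "classification": t.get("classification"), "campaignID": t.get("campaignID"),
            "recipients": list(msg.get("recipient") or []),
            "senderDomain": sender_domain(msg.get("sender") or ""),
        })
    return items


def triage_click(click: Dict[str, Any]) -> List[Dict[str, Any]]:
    """A permitted click is always top priority unless the threat was withdrawn."""
    if click.get("threatStatus") in ("cleared", "falsePositive"):
        return []
    return [{
        "priority": P_CLICKED, "kind": "click",
        "action": "user reached the URL: check the host and credentials, pull the source message",
        "messageGUID": click.get("GUID"), "threatID": click.get("threatID"),
        "classification": click.get("classification"), "campaignID": click.get("campaignId"),
        "recipients": [click["recipient"]] if click.get("recipient") else [],
        "senderDomain": sender_domain(click.get("sender") or ""),
        "clickIP": click.get("clickIP"), "url": click.get("url"),
    }]


def build_worklist(context: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Flatten a list-issues context into items ordered by priority, highest first."""
    pp = context.get("Proofpoint") or {}
    items: List[Dict[str, Any]] = []
    for msg in _as_list(pp.get("MessagesDelivered")):
        items.extend(triage_message(msg))
    for click in _as_list(pp.get("ClicksPermitted")):
        items.extend(triage_click(click))
    items.sort(key=lambda i: (-i["priority"], i.get("messageGUID") or ""))
    return items


# Constructed sample in the documented context layout (example.test addresses).
SAMPLE_CONTEXT: Dict[str, Any] = {"Proofpoint": {
    "MessagesDelivered": [
        {"GUID": "guid-msg-1", "completelyRewritten": False,  # link was not rewritten
         "recipient": ["alice@example.test"], "sender": "9facbf452def2d7efc5b5c48cdb837fa@badguy.zz",
         "threatsInfoMap": [{"campaignID": None, "classification": "phish", "threat": "https://bit.ly",
                             "threatID": "threat-url-1", "threatStatus": "active", "threatType": "url"}]},
        {"GUID": "guid-msg-2", "completelyRewritten": True,
         "recipient": ["bob@example.test", "carol@example.test"],
         "sender": "d41d8cd98f00b204e9800998ecf8427e@mailer.example",
         "threatsInfoMap": [{"campaignID": "camp-1", "classification": "malware", "threat": "invoice.zip",
                             "threatID": "threat-att-1", "threatStatus": "active", "threatType": "attachment"},
                            {"campaignID": None, "classification": "phish", "threat": "http://old.example/",
                             "threatID": "threat-url-2", "threatStatus": "cleared", "threatType": "url"}]},
    ],
    "ClicksPermitted": {  # a single result is stored as one dict, not a list
        "id": "click-1", "url": "http://badguy.zz/", "classification": "MALWARE", "clickIP": "192.0.2.2",
        "recipient": "dave@example.test", "sender": "9facbf452def2d7efc5b5c48cdb837fa@badguy.zz",
        "threatID": "threat-url-3", "threatStatus": "active", "campaignId": None, "GUID": "guid-msg-3"},
}}

if __name__ == "__main__":
    for item in build_worklist(SAMPLE_CONTEXT):
        print(item["priority"], item["kind"], item["threatID"], item["action"])
```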

proofpoint-list-campaigns#


Gets a list of IDs of campaigns active in a specified time period. Must provide either the interval or time_range arguments.

Base Command#

proofpoint-list-campaigns

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| interval | ISO8601-formatted interval. The minimum interval is thirty seconds. The maximum interval is one day. For example: 2021-04-27T09:00:00Z/2021-04-27T10:00:00Z. | Optional |
| limit | The maximum number of campaign IDs to produce in the response. The maximum supported value is 200. Default is 100. | Optional |
| page | The page of results to return, in multiples of the specified size. Default is 1. | Optional |
| time_range | The start of the data retrieval period, relative to now. For example: 1 week, 2 days, 3 hours. The maximum is 1 week. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Proofpoint.Campaigns.id | String | The campaign ID. |
| Proofpoint.Campaigns.lastUpdatedAt | String | The last-updated timestamp of the campaign. |

Command Example#

```
!proofpoint-list-campaigns interval="2021-06-01T11:00:00Z/2021-06-02T11:00:00Z"
```

Context Example#

```json
{
  "Proofpoint": {
    "Campaign": {
      "id": "7c91b71fdgdfgdfg591a1ad38",
      "lastUpdatedAt": "2021-06-03T13:01:57.000Z"
    }
  }
}
```

Human Readable Output#

Campaigns List#

| Id | Last Updated At |
| --- | --- |
| 7c91b71fdgdfgdfg591a1ad38 | 2021-06-03T13:01:57.000Z |

proofpoint-get-campaign#


Gets details for a given campaign.

Base Command#

proofpoint-get-campaign

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| campaign_id | The ID of the required campaign. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Proofpoint.Campaign.info | List | The campaign information: ID, name, description, startDate, and notable. |
| Proofpoint.Campaign.actors | List | A list of actor objects. |
| Proofpoint.Campaign.families | List | A list of family objects. |
| Proofpoint.Campaign.malware | List | A list of malware objects. |
| Proofpoint.Campaign.techniques | List | A list of technique objects. |
| Proofpoint.Campaign.brands | List | A list of brand objects. |
| Proofpoint.Campaign.campaignMembers | List | A list of campaign member objects. |

Command Example#

```
!proofpoint-get-campaign campaign_id="f3ff0874-85ef-475e-b3fe-d05f97b2ed3f"
```

Context Example#

```json
{
  "Proofpoint": {
    "Campaign": {
      "actors": [],
      "brands": [],
      "campaignMembers": [],
      "families": [
        {
          "id": "69a63403-f478-40f6-a4cb-3d2ffb85b98e",
          "name": "Keylogger"
        }
      ],
      "info": {
        "description": "Messages purporting to be e.g.\r\n\r\n* from &lt;xxxx@xxx.com;' and subject \"Re: New Order From customer\".\r\n\r\nThese messages contain compressed executables that lead to the installation of AgentTesla with the following example configuration:\r\n\r\n<pre>{`C2_Email_Address: xxxx@xxx.com\r\nC2_Email_Password: \r\nC2_Email_Server: xxxx@xxx.com`}</pre>",
        "id": "f3ff087dfgdfge-d05f97b2ed3f",
        "name": "AgentTesla | Compressed Executables | \"techie\" | 25 March 2021",
        "notable": false,
        "startDate": "2021-03-25T00:00:00.000Z"
      },
      "malware": [
        {
          "id": "4b50dfbdfb-901a-1cb4cf8a21fb",
          "name": "AgentTesla"
        }
      ],
      "techniques": [
        {
          "id": "e488ddfbdfb20-a1aa-d1a85494067c",
          "name": "Compressed Executable"
        }
      ]
    }
  }
}
```

Human Readable Output#

Campaign Information#

| Id | Name | Description | Start Date | Notable |
| --- | --- | --- | --- | --- |
| f3ff08dfbdb5e-b3fe-d05f97b2ed3f | AgentTesla \| Compressed Executables \| "techie" \| 25 March 2021 | Messages purporting to be e.g.<br><br>* from <xxxx@xxx.com>' and subject "Re: New Order From customer".<br><br>These messages contain compressed executables that lead to the installation of AgentTesla with the following example configuration:<br><br>{[object Object]} | 2021-03-25T00:00:00.000Z | false |

Campaign Members#

No entries.

Families#

| Id | Name |
| --- | --- |
| 69a63403-dbfdfb4cb-3d2ffb85b98e | Keylogger |

Techniques#

| Id | Name |
| --- | --- |
| e48835be-xcvxcvaa-d1a85494067c | Compressed Executable |

Actors#

No entries.

Brands#

No entries.

Malware#

| Id | Name |
| --- | --- |
| 4b500558-23d0-sfdsdf1cb4cf8a21fb | AgentTesla |

proofpoint-list-most-attacked-users#


Gets a list of the most attacked users in the organization.

Base Command#

proofpoint-list-most-attacked-users

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| window | An integer indicating how many days of data to retrieve. Possible values are: 14, 30, 90. Default is false. | Required |
| limit | The maximum number of users to produce in the response. Default is 1000. | Optional |
| page | The page of results to return. Default is 1. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Proofpoint.Vap.users | List | List of users in the organization. |
| Proofpoint.Vap.totalVapUsers | Number | The total number of VAP users for the interval. |
| Proofpoint.Vap.interval | String | An ISO8601-formatted interval showing the time the response was calculated for. |
| Proofpoint.Vap.averageAttackIndex | Number | The average attack index value for users during the interval. |
| Proofpoint.Vap.vapAttackIndexThreshold | Number | This interval's attack index threshold, past which a user is considered a VAP. |

Command Example#

!proofpoint-list-most-attacked-users window="14"

Context Example#

{
    "Proofpoint": {
        "Vap": {
            "averageAttackIndex": 307.05145,
            "interval": "2021-05-23T21:44:53Z/2021-06-06T21:44:53Z",
            "totalVapUsers": 1,
            "users": [
                {
                    "identity": {
                        "customerUserId": null,
                        "department": null,
                        "emails": [
                            "xxxx@xxx.com"
                        ],
                        "guid": "3b5132sdvsd76-c442-919e69175bdd",
                        "location": null,
                        "name": null,
                        "title": null,
                        "vip": false
                    },
                    "threatStatistics": {
                        "attackIndex": 4576,
                        "families": [
                            {
                                "name": "credential phishing",
                                "score": 7008
                            }
                        ]
                    }
                }
            ],
            "vapAttackIndexThreshold": 965.9637
        }
    }
}

Human Readable Output#

Most Attacked Users Information#

| Total Vap Users | Interval | Average Attack Index | Vap Attack Index Threshold |
| --- | --- | --- | --- |
| 7 | 2021-05-23T21:44:53Z/2021-06-06T21:44:53Z | 307.05145 | 965.9637 |

Threat Families#

| Mailbox | Threat Family Name | Threat Score |
| --- | --- | --- |
| xxxx@xxx.com | credential phishing | 7008 |

proofpoint-get-top-clickers#


Gets a list of the top clickers in the organization for a specified time period.

Base Command#

proofpoint-get-top-clickers

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| window | An integer indicating how many days the data should be retrieved for. Possible values are: 14, 30, 90. Default is false. | Required |
| limit | The maximum number of top clickers to produce in the response. The max supported value is 200. Default is 100. | Optional |
| page | The page of results to return. Default is 1. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Proofpoint.Topclickers.users | List | List of users in the organization. |
| Proofpoint.Topclickers.totalTopClickers | int | The total number of top clickers in the time interval. |
| Proofpoint.Topclickers.interval | Date | An ISO8601-formatted interval showing the time the response was calculated for. |

Command Example#

!proofpoint-get-top-clickers window="90"

Context Example#

{
    "Proofpoint": {
        "Topclickers": {
            "interval": "2021-03-09T07:17:00Z/2021-06-07T07:17:00Z",
            "totalTopClickers": 1,
            "users": [
                {
                    "clickStatistics": {
                        "clickCount": 2,
                        "families": [
                            {
                                "clicks": 2,
                                "name": "Malware"
                            }
                        ]
                    },
                    "identity": {
                        "customerUserId": null,
                        "department": null,
                        "emails": [
                            "xxxx@xxx.come"
                        ],
                        "guid": "44fa5svfdgae-f22f-b49b49b1e4e3",
                        "location": null,
                        "name": null,
                        "title": null,
                        "vip": false
                    }
                }
            ]
        }
    }
}

Human Readable Output#

Top Clickers Users Information#

| Total Top Clickers | Interval |
| --- | --- |
| 1 | 2021-03-09T07:17:00Z/2021-06-07T07:17:00Z |

Threat Families#

| Mailbox | Threat Family Name | Threat Score |
| --- | --- | --- |
| xxxx@xxx.com | Malware | |

proofpoint-url-decode#


Decodes URLs that have been rewritten by TAP to their original, target URL.

Base Command#

proofpoint-url-decode

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| urls | A comma-separated list of encoded URLs. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Proofpoint.URL.encodedUrl | String | The original, rewritten URL supplied to the endpoint. |
| Proofpoint.URL.decodedUrl | String | The target URL embedded inside the rewritten link. |
| Proofpoint.URL.success | Boolean | Indicates whether the URL could successfully be decoded. |

Command Example#

!proofpoint-url-decode urls="https://urldefense.proofpoint.com/v2/url?u=http-3A__links.mkt3337.com_ctt-3Fkn-3D3-26ms-3DMzQ3OTg3MDQS1-26r-3DMzkxNzk3NDkwMDA0S0-26b-3D0-26j-3DMTMwMjA1ODYzNQS2-26mt-3D1-26rt-3D0&d=DwMFaQ&c=Vxt5e0Osvvt2gflwSlsJ5DmPGcPvTRKLJyp031rXjhg&r=MujLDFBJstxoxZI_GKbsW7wxGM7nnIK__qZvVy6j9Wc&m=QJGhloAyfD0UZ6n8r6y9dF-khNKqvRAIWDRU_K65xPI&s=ew-rOtBFjiX1Hgv71XQJ5BEgl9TPaoWRm_Xp9Nuo8bk&e="

Context Example#

{
    "Proofpoint": {
        "URL": {
            "decodedUrl": "http://links.mkt3337.com/ctt?kn=3&ms=MzQ3OTg3MDQS1&r=MzkxNzk3NDkwMDA0S0&b=0&j=MTMwMjA1ODYzNQS2&mt=1&rt=0",
            "encodedUrl": "https://urldefense.proofpoint.com/v2/url?u=http-3A__links.mkt3337.com_ctt-3Fkn-3D3-26ms-3DMzQ3OTg3MDQS1-26r-3DMzkxNzk3NDkwMDA0S0-26b-3D0-26j-3DMTMwMjA1ODYzNQS2-26mt-3D1-26rt-3D0&d=DwMFaQ&c=Vxt5e0Osvvt2gflwSlsJ5DmPGcPvTRKLJyp031rXjhg&r=MujLDFBJstxoxZI_GKbsW7wxGM7nnIK__qZvVy6j9Wc&m=QJGhloAyfD0UZ6n8r6y9dF-khNKqvRAIWDRU_K65xPI&s=ew-rOtBFjiX1Hgv71XQJ5BEgl9TPaoWRm_Xp9Nuo8bk&e=",
            "success": true
        }
    }
}

Human Readable Output#

URLs decoded information#

| Encoded Url | Decoded Url |
| --- | --- |
| https://urldefense.proofpoint.com/v2/url?u=http-3A__links.mkt3337.com_ctt-3Fkn-3D3-26ms-3DMzQ3OTg3MDQS1-26r-3DMzkxNzk3NDkwMDA0S0-26b-3D0-26j-3DMTMwMjA1ODYzNQS2-26mt-3D1-26rt-3D0&d=DwMFaQ&c=Vxt5e0Osvvt2gflwSlsJ5DmPGcPvTRKLJyp031rXjhg&r=MujLDFBJstxoxZI_GKbsW7wxGM7nnIK__qZvVy6j9Wc&m=QJGhloAyfD0UZ6n8r6y9dF-khNKqvRAIWDRU_K65xPI&s=ew-rOtBFjiX1Hgv71XQJ5BEgl9TPaoWRm_Xp9Nuo8bk&e= | http://links.mkt3337.com/ctt?kn=3&ms=MzQ3OTg3MDQS1&r=MzkxNzk3NDkwMDA0S0&b=0&j=MTMwMjA1ODYzNQS2&mt=1&rt=0 |
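The rewrite the command undoes, as an added example that is not part of the integration or Proofpoint's code: it decodes a URL Defense v2 link locally (the target sits in the `u` query parameter with `/` written as `_` and other reserved bytes as `-XX`) and returns a dict shaped like the Proofpoint.URL context above, so an analyst can check a rewritten link without an API call. The v2 hostname set and the local decoding rule are assumptions for offline triage; the command itself calls the TAP API, which also handles links this function reports as success=False.

```python
"""Offline decoder for Proofpoint URL Defense v2 links (added example, assumed scheme)."""
import re
from urllib.parse import parse_qs, unquote, urlparse

# Assumed hostnames that carry v2 rewrites; the command's API call is authoritative.
V2_HOSTS = {"urldefense.proofpoint.com", "urldefense.com"}

# The encoded URL from the command example above; the decoded form is in the context example.
SAMPLE_ENCODED = (
    "https://urldefense.proofpoint.com/v2/url?u=http-3A__links.mkt3337.com_ctt-3Fkn-3D3"
    "-26ms-3DMzQ3OTg3MDQS1-26r-3DMzkxNzk3NDkwMDA0S0-26b-3D0-26j-3DMTMwMjA1ODYzNQS2-26mt-3D1"
    "-26rt-3D0&d=DwMFaQ&c=Vxt5e0Osvvt2gflwSlsJ5DmPGcPvTRKLJyp031rXjhg"
    "&r=MujLDFBJstxoxZI_GKbsW7wxGM7nnIK__qZvVy6j9Wc&m=QJGhloAyfD0UZ6n8r6y9dF-khNKqvRAIWDRU_K65xPI"
    "&s=ew-rOtBFjiX1Hgv71XQJ5BEgl9TPaoWRm_Xp9Nuo8bk&e="
)


def decode_v2(encoded_url: str) -> dict:
    """Return a dict shaped like one Proofpoint.URL context entry.

    Anything that is not recognisably a v2 link is reported with success=False
    rather than guessed at, matching the command's own success flag.
    """
    result = {"encodedUrl": encoded_url, "decodedUrl": None, "success": False}
    parsed = urlparse(encoded_url)
    if parsed.hostname not in V2_HOSTS or not parsed.path.startswith("/v2/url"):
        return result
    target = parse_qs(parsed.query, keep_blank_values=True).get("u", [""])[0]
    if not target:
        return result
    # Undo the v2 transforms: '_' -> '/', '-XX' -> '%XX', then percent-decode.
    # A literal '-' or '_' in the original is itself escaped as -2D / -5F, so
    # every '-' followed by two hex digits is an escape, never target content.
    target = target.replace("_", "/")
    target = re.sub(r"-([0-9A-Fa-f]{2})", r"%\1", target)
    result["decodedUrl"] = unquote(target)
    result["success"] = True
    return result


def decode_many(urls_csv: str) -> list:
    """Mirror the command's comma-separated ``urls`` argument."""
    return [decode_v2(u.strip()) for u in urls_csv.split(",") if u.strip()]


if __name__ == "__main__":
    for entry in decode_many(SAMPLE_ENCODED + ", https://example.com/not-rewritten"):
        print(entry["success"], entry["decodedUrl"])
```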