Proofpoint TAP v2
Use the Proofpoint Targeted Attack Protection (TAP) integration to protect against and provide additional visibility into phishing and other malicious email attacks. This integration was integrated and tested with version 8.15.0 of Proofpoint TAP
Detailed Description
- ## Configure an API account
- To configure an instance of the integration in Demisto, you need to supply your Service Principal and Service Secret. When you configure the integration instance, enter the Service Principal in the Service Principal field, and the Service Secret in the Password field.
- 1. Log in to your Proofpoint TAP environment.
- 2. Navigate to **Connect Applications > Service Credentials**.
Fetch Incidents
Populate this section with Fetch incidents data
Configure Proofpoint TAP v2 on Demisto
- Navigate to Settings > Integrations > Servers & Services .
- Search for Proofpoint TAP v2.
-
Click
Add instance
to create and configure a new integration instance.
- Name : a textual name for the integration instance.
- Server URL (e.g., https://tap-api-v2.proofpoint.com)
- Service Principal (the Password refers to Secret)
- API Version
- Trust any certificate (not secure)
- Use system proxy settings
- A string specifying which threat type to return. If empty, all threat types are returned. Can be "url", "attachment", or "messageText".
- A string specifying which threat statuses to return. If empty, will return "active" and "cleared" threats.
- Events to fetch
-
First fetch time range (
- Fetch incidents
- Incident type
- Click Test to validate the new instance.
Commands
You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- proofpoint-get-events: proofpoint-get-events
- proofpoint-get-forensics: proofpoint-get-forensics
1. proofpoint-get-events
Fetches events for all clicks and messages relating to known threats within the specified time period. Details as per clicks/blocked.
Base Command
proofpoint-get-events
Input
| Argument Name | Description | Required |
|---|---|---|
| interval | A string containing an ISO8601-formatted interval. If this interval overlaps with previous requests for data, records from the previous request might be duplicated. The minimum interval is thirty seconds. The maximum interval is one hour. Examples: 2016-05-01T12:00:00Z/2016-05-01T13:00:00Z - an hour interval, beginning at noon UTC on 05-01-2016 PT30M/2016-05-01T12:30:00Z - the thirty minutes beginning at noon UTC on 05-01-2016 and ending at 12:30pm UTC 2016-05-01T05:00:00-0700/PT30M - the same interval as above, but using -0700 as the time zone | Optional |
| threatType | A string specifying which threat type to return. If empty, all threat types are returned. The following values are accepted: url,attachment, messageText | Optional |
| threatStatus | A string specifying which threat statuses to return. If empty, active and cleared threats are returned. Can be "active", "cleared", "falsePositive". | Optional |
| sinceTime | A string containing an ISO8601 date. It represents the start of the data retrieval period. The end of the period is determined by the current API server time rounded to the nearest minute. If JSON output is selected, the end time is included in the returned result. Example: 2016-05-01T12:00:00Z | Optional |
| sinceSeconds | An integer representing a time window (in seconds) from the current API server time. The start of the window is the current API server time, rounded to the nearest minute, less the number of seconds provided. The end of the window is the current API server time rounded to the nearest minute. If JSON output is selected, the end time is included in the returned result. | Optional |
| eventTypes | Event types to return. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Proofpoint.MessagesDelivered.GUID | String | The ID of the message within PPS. It can be used to identify the message in PPS and is guaranteed to be unique. |
| Proofpoint.MessagesDelivered.QID | String | The queue ID of the message within PPS. It can be used to identify the message in PPS and is not unique. |
| Proofpoint.MessagesDelivered.ccAddresses | String | A list of email addresses contained within the CC: header, excluding friendly names. |
| Proofpoint.MessagesDelivered.clusterId | String | The name of the PPS cluster which processed the message. |
| Proofpoint.MessagesDelivered.fromAddress | String | The email address contained in the From: header, excluding friendly name. |
| Proofpoint.MessagesDelivered.headerCC | String | headerCC |
| Proofpoint.MessagesDelivered.headerFrom | String | The full content of the From: header, including any friendly name. |
| Proofpoint.MessagesDelivered.headerReplyTo | String | If present, the full content of the Reply-To: header, including any friendly names. |
| Proofpoint.MessagesDelivered.impostorScore | Number | The impostor score of the message. Higher scores indicate higher certainty. |
| Proofpoint.MessagesDelivered.malwareScore | Number | The malware score of the message. Higher scores indicate higher certainty. |
| Proofpoint.MessagesDelivered.messageId | String | Message-ID extracted from the headers of the email message. It can be used to look up the associated message in PPS and is not unique. |
| Proofpoint.MessagesDelivered.threatsInfoMap.threat | String | The artifact which was condemned by Proofpoint. The malicious URL, hash of the attachment threat, or email address of the impostor sender. |
| Proofpoint.MessagesDelivered.threatsInfoMap.threatId | String | The unique identifier associated with this threat. It can be used to query the forensics and campaign endpoints. |
| Proofpoint.MessagesDelivered.threatsInfoMap.threatStatus | String | The current state of the threat (active, expired, falsepositive, cleared). |
| Proofpoint.MessagesDelivered.threatsInfoMap.threatTime | Date | Proofpoint assigned the threatStatus at this time (ISO8601 format). |
| Proofpoint.MessagesDelivered.threatsInfoMap.threatType | String | Whether the threat was an attachment, URL, or message type. |
| Proofpoint.MessagesDelivered.threatsInfoMap.threatUrl | String | A link to the entry about the threat on the TAP Dashboard. |
| Proofpoint.MessagesDelivered.messageTime | Date | When the message was delivered to the user or quarantined by PPS. |
| Proofpoint.MessagesDelivered.messageTime | String | The list of PPS modules which processed the message. |
| Proofpoint.MessagesDelivered.modulesRun | String | The list of PPS modules which processed the message. |
| Proofpoint.MessagesDelivered.phishScore | Number | The phish score of the message. Higher scores indicate higher certainty. |
| Proofpoint.MessagesDelivered.policyRoutes | String | The policy routes that the message matched during processing by PPS. |
| Proofpoint.MessagesDelivered.quarantineFolder | String | The name of the folder which contains the quarantined message. This appears only for messagesBlocked. |
| Proofpoint.MessagesDelivered.quarantineRule | String | The name of the rule which quarantined the message. This appears only for messagesBlocked events. |
| Proofpoint.MessagesDelivered.recipient | String | A list containing the email addresses of the recipients. |
| Proofpoint.MessagesDelivered.replyToAddress | String | The email address contained in the Reply-To: header, excluding friendly name. |
| Proofpoint.MessagesDelivered.sender | String | The email address of the SMTP (envelope) sender. The user-part is hashed. The domain-part is cleartext. |
| Proofpoint.MessagesDelivered.senderIP | String | The IP address of the sender. |
| Proofpoint.MessagesDelivered.spamScore | Number | The spam score of the message. Higher scores indicate higher certainty. |
| Proofpoint.MessagesDelivered.subject | String | The subject line of the message, if available. |
| Proofpoint.MessagesBlocked.GUID | String | The ID of the message within PPS. It can be used to identify the message in PPS and is guaranteed to be unique. |
| Proofpoint.MessagesBlocked.QID | String | The queue ID of the message within PPS. It can be used to identify the message in PPS and is not unique. |
| Proofpoint.MessagesBlocked.ccAddresses | String | A list of email addresses contained within the CC: header, excluding friendly names. |
| Proofpoint.MessagesBlocked.clusterId | String | The name of the PPS cluster which processed the message. |
| Proofpoint.MessagesBlocked.fromAddress | String | The email address contained in the From: header, excluding friendly name. |
| Proofpoint.MessagesBlocked.headerCC | String | headerCC |
| Proofpoint.MessagesBlocked.headerFrom | String | The full content of the From: header, including any friendly name. |
| Proofpoint.MessagesBlocked.headerReplyTo | String | If present, the full content of the Reply-To: header, including any friendly names. |
| Proofpoint.MessagesBlocked.impostorScore | Number | The impostor score of the message. Higher scores indicate higher certainty. |
| Proofpoint.MessagesBlocked.malwareScore | Number | The malware score of the message. Higher scores indicate higher certainty. |
| Proofpoint.MessagesBlocked.messageId | String | Message-ID extracted from the headers of the email message. It can be used to look up the associated message in PPS and is not unique. |
| Proofpoint.MessagesBlocked.threatsInfoMap.threat | String | The artifact which was condemned by Proofpoint. The malicious URL, hash of the attachment threat, or email address of the impostor sender. |
| Proofpoint.MessagesBlocked.threatsInfoMap.threatId | String | The unique identifier associated with this threat. It can be used to query the forensics and campaign endpoints. |
| Proofpoint.MessagesBlocked.threatsInfoMap.threatStatus | String | The current state of the threat (active, expired, falsepositive, cleared). |
| Proofpoint.MessagesBlocked.threatsInfoMap.threatTime | Date | Proofpoint assigned the threatStatus at this time (ISO8601 format). |
| Proofpoint.MessagesBlocked.threatsInfoMap.threatType | String | Whether the threat was an attachment, URL, or message type. |
| Proofpoint.MessagesBlocked.threatsInfoMap.threatUrl | String | A link to the entry about the threat on the TAP Dashboard. |
| Proofpoint.MessagesBlocked.messageTime | Date | When the message was Blocked to the user or quarantined by PPS. |
| Proofpoint.MessagesBlocked.messageTime | String | The list of PPS modules which processed the message. |
| Proofpoint.MessagesBlocked.modulesRun | String | The list of PPS modules which processed the message. |
| Proofpoint.MessagesBlocked.phishScore | Number | The phish score of the message. Higher scores indicate higher certainty. |
| Proofpoint.MessagesBlocked.policyRoutes | String | The policy routes that the message matched during processing by PPS. |
| Proofpoint.MessagesBlocked.quarantineFolder | String | The name of the folder which contains the quarantined message. This appears only for messagesBlocked. |
| Proofpoint.MessagesBlocked.quarantineRule | String | The name of the rule which quarantined the message. This appears only for messagesBlocked events. |
| Proofpoint.MessagesBlocked.recipient | String | A list containing the email addresses of the recipients. |
| Proofpoint.MessagesBlocked.replyToAddress | String | The email address contained in the Reply-To: header, excluding friendly name. |
| Proofpoint.MessagesBlocked.sender | String | The email address of the SMTP (envelope) sender. The user-part is hashed. The domain-part is cleartext. |
| Proofpoint.MessagesBlocked.senderIP | String | The IP address of the sender. |
| Proofpoint.MessagesBlocked.spamScore | Number | The spam score of the message. Higher scores indicate higher certainty. |
| Proofpoint.MessagesBlocked.subject | String | The subject line of the message, if available. |
| Proofpoint.ClicksPermitted.GUID | String | The ID of the message within PPS. It can be used to identify the message in PPS and is guaranteed to be unique. |
| Proofpoint.ClicksPermitted.campaignId | String | An identifier for the campaign of which the threat is a member, if available at the time of the query. Threats can be linked to campaigns even after these events are retrieved. |
| Proofpoint.ClicksPermitted.classification | String | The threat category of the malicious URL. |
| Proofpoint.ClicksPermitted.clickIP | String | The external IP address of the user who clicked on the link. If the user is behind a firewall performing network address translation, the IP address of the firewall will be shown. |
| Proofpoint.ClicksPermitted.clickTime | Date | The time the user clicked on the URL |
| Proofpoint.ClicksPermitted.messageID | String | Message-ID extracted from the headers of the email message. It can be used to look up the associated message in PPS and is not unique. |
| Proofpoint.ClicksPermitted.recipient | String | The email address of the recipient. |
| Proofpoint.ClicksPermitted.sender | String | The email address of the sender. The user-part is hashed. The domain-part is cleartext. |
| Proofpoint.ClicksPermitted.senderIP | String | The IP address of the sender. |
| Proofpoint.ClicksPermitted.threatID | String | The unique identifier associated with this threat. It can be used to query the forensics and campaign endpoints. |
| Proofpoint.ClicksPermitted.threatTime | Date | Proofpoint identified the URL as a threat at this time. |
| Proofpoint.ClicksPermitted.threatURL | String | A link to the entry on the TAP Dashboard for the particular threat. |
| Proofpoint.ClicksPermitted.url | String | The malicious URL which was clicked. |
| Proofpoint.ClicksPermitted.userAgent | String | The User-Agent header from the clicker's HTTP request. |
| Proofpoint.ClicksBlocked.GUID | String | The ID of the message within PPS. It can be used to identify the message in PPS and is guaranteed to be unique. |
| Proofpoint.ClicksBlocked.campaignId | String | An identifier for the campaign of which the threat is a member, if available at the time of the query. Threats can be linked to campaigns even after these events are retrieved. |
| Proofpoint.ClicksBlocked.classification | String | The threat category of the malicious URL. |
| Proofpoint.ClicksBlocked.clickIP | String | The external IP address of the user who clicked on the link. If the user is behind a firewall performing network address translation, the IP address of the firewall will be shown. |
| Proofpoint.ClicksBlocked.clickTime | Date | The time the user clicked on the URL |
| Proofpoint.ClicksBlocked.messageID | String | Message-ID extracted from the headers of the email message. It can be used to look up the associated message in PPS and is not unique. |
| Proofpoint.ClicksBlocked.recipient | String | The email address of the recipient. |
| Proofpoint.ClicksBlocked.sender | String | The email address of the sender. The user-part is hashed. The domain-part is cleartext. |
| Proofpoint.ClicksBlocked.senderIP | String | The IP address of the sender. |
| Proofpoint.ClicksBlocked.threatID | String | The unique identifier associated with this threat. It can be used to query the forensics and campaign endpoints. |
| Proofpoint.ClicksBlocked.threatTime | Date | Proofpoint identified the URL as a threat at this time. |
| Proofpoint.ClicksBlocked.threatURL | String | A link to the entry on the TAP Dashboard for the particular threat. |
| Proofpoint.ClicksBlocked.url | String | The malicious URL which was clicked. |
| Proofpoint.ClicksBlocked.userAgent | String | The User-Agent header from the clicker's HTTP request. |
Command Example
!proofpoint-get-events eventTypes=All, threatStatus=active interval=05-01-2016 PT30M/2016-05-01T12:30:00Z
Context Example
{
"Proofpoint.ClicksBlocked": [
{
"campaignId": "46e01b8a-c899-404d-bcd9-189bb393d1a7",
"classification": "MALWARE",
"clickIP": "192.0.2.2",
"clickTime": "2010-01-22T00:00:10.000Z",
"messageID": "4444",
"recipient": "bruce.wayne@pharmtech.zz",
"sender": "9facbf452def2d7efc5b5c48cdb837fa@badguy.zz",
"senderIP": "192.0.2.255",
"threatID": "61f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50",
"threatTime": "2010-01-22T00:00:20.000Z",
"threatURL": "https://threatinsight.proofpoint.com/#/f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50",
"url": "http://badguy.zz/",
"userAgent": "Mozilla/5.0(WindowsNT6.1;WOW64;rv:27.0)Gecko/20100101Firefox/27.0"
}
],
"Proofpoint.ClicksPermitted": [
{
"campaignId": "46e01b8a-c899-404d-bcd9-189bb393d1a7",
"classification": "MALWARE",
"clickIP": "192.0.2.1",
"clickTime": "2010-01-11T00:00:20.000Z",
"messageID": "3333",
"recipient": "bruce.wayne@pharmtech.zz",
"sender": "9facbf452def2d7efc5b5c48cdb837fa@badguy.zz",
"senderIP": "192.0.2.255",
"threatID": "61f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50",
"threatTime": "2010-01-11T00:00:10.000Z",
"threatURL": "https://threatinsight.proofpoint.com/#/f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50",
"url": "http://badguy.zz/",
"userAgent": "Mozilla/5.0(WindowsNT6.1;WOW64;rv:27.0)Gecko/20100101Firefox/27.0"
}
],
"Proofpoint.MessagesBlocked": [
{
"GUID": "2222",
"QID": "r2FNwRHF004109",
"ccAddresses": [
"bruce.wayne@university-of-education.zz"
],
"clusterId": "pharmtech_hosted",
"fromAddress": "badguy@evil.zz",
"headerCC": "\"Bruce Wayne\" ",
"headerFrom": "\"A. Badguy\" ",
"headerReplyTo": null,
"headerTo": "\"Clark Kent\" ; \"Diana Prince\" ",
"impostorScore": 0,
"malwareScore": 100,
"messageID": "2222@evil.zz",
"messageTime": "2010-01-25T00:00:10.000Z",
"modulesRun": [
"pdr",
"sandbox",
"spam",
"urldefense"
],
"phishScore": 46,
"policyRoutes": [
"default_inbound",
"executives"
],
"quarantineFolder": "Attachment Defense",
"quarantineRule": "module.sandbox.threat",
"recipient": [
"clark.kent@pharmtech.zz",
"diana.prince@pharmtech.zz"
],
"replyToAddress": null,
"sender": "e99d7ed5580193f36a51f597bc2c0210@evil.zz",
"senderIP": "192.0.2.255",
"spamScore": 4,
"subject": "Please find a totally safe invoice attached.",
"threatsInfoMap": [
{
"campaignId": "46e01b8a-c899-404d-bcd9-189bb393d1a7",
"classification": "MALWARE",
"threat": "2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca",
"threatId": "2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca",
"threatStatus": "active",
"threatTime": "2010-01-25T00:00:40.000Z",
"threatType": "ATTACHMENT",
"threatUrl": "https://threatinsight.proofpoint.com/43fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca"
},
{
"campaignId": "46e01b8a-c899-404d-bcd9-189bb393d1a7",
"classification": "MALWARE",
"threat": "badsite.zz",
"threatId": "3ba97fc852c66a7ba761450edfdfb9f4ffab74715b591294f78b5e37a76481aa",
"threatTime": "2010-01-25T00:00:30.000Z",
"threatType": "URL",
"threatUrl": "https://threatinsight.proofpoint.com/a7ba761450edfdfb9f4ffab74715b591294f78b5e37a76481aa"
}
]
}
],
"Proofpoint.MessagesDelivered": [
{
"GUID": "1111",
"QID": "r2FNwRHF004109",
"ccAddresses": [
"bruce.wayne@university-of-education.zz"
],
"clusterId": "pharmtech_hosted",
"fromAddress": "badguy@evil.zz",
"headerCC": "\"Bruce Wayne\" ",
"headerFrom": "\"A. Badguy\" ",
"headerReplyTo": null,
"headerTo": "\"Clark Kent\" ; \"Diana Prince\" ",
"impostorScore": 0,
"malwareScore": 100,
"messageID": "1111@evil.zz",
"messageTime": "2010-01-30T00:00:59.000Z",
"modulesRun": [
"pdr",
"sandbox",
"spam",
"urldefense"
],
"phishScore": 46,
"policyRoutes": [
"default_inbound",
"executives"
],
"quarantineFolder": "Attachment Defense",
"quarantineRule": "module.sandbox.threat",
"recipient": [
"clark.kent@pharmtech.zz",
"diana.prince@pharmtech.zz"
],
"replyToAddress": null,
"sender": "e99d7ed5580193f36a51f597bc2c0210@evil.zz",
"senderIP": "192.0.2.255",
"spamScore": 4,
"subject": "Please find a totally safe invoice attached.",
"threatsInfoMap": [
{
"campaignId": "46e01b8a-c899-404d-bcd9-189bb393d1a7",
"classification": "MALWARE",
"threat": "2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca",
"threatId": "2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca",
"threatStatus": "active",
"threatTime": "2010-01-30T00:00:40.000Z",
"threatType": "ATTACHMENT",
"threatUrl": "https://threatinsight.proofpoint.com/43fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca"
},
{
"campaignId": "46e01b8a-c899-404d-bcd9-189bb393d1a7",
"classification": "MALWARE",
"threat": "badsite.zz",
"threatId": "3ba97fc852c66a7ba761450edfdfb9f4ffab74715b591294f78b5e37a76481aa",
"threatTime": "2010-01-30T00:00:30.000Z",
"threatType": "URL",
"threatUrl": "https://threatinsight.proofpoint.com/a7ba761450edfdfb9f4ffab74715b591294f78b5e37a76481aa"
}
]
}
]
}
Human Readable Output
Proofpoint Events
| clicksBlocked | clicksPermitted | messagesBlocked | messagesDelivered |
|---|---|---|---|
| {'campaignId': '46e01b8a-c899-404d-bcd9-189bb393d1a7', 'classification': 'MALWARE', 'clickIP': '192.0.2.2', 'clickTime': '2010-01-22T00:00:10.000Z', 'messageID': '4444', 'recipient': 'bruce.wayne@pharmtech.zz', 'sender': '9facbf452def2d7efc5b5c48cdb837fa@badguy.zz', 'senderIP': '192.0.2.255', 'threatID': '61f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50', 'threatTime': '2010-01-22T00:00:20.000Z', 'threatURL': 'https://threatinsight.proofpoint.com/#/f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50', 'url': 'http://badguy.zz/', 'userAgent': 'Mozilla/5.0(WindowsNT6.1;WOW64;rv:27.0)Gecko/20100101Firefox/27.0'} | {'campaignId': '46e01b8a-c899-404d-bcd9-189bb393d1a7', 'classification': 'MALWARE', 'clickIP': '192.0.2.1', 'clickTime': '2010-01-11T00:00:20.000Z', 'messageID': '3333', 'recipient': 'bruce.wayne@pharmtech.zz', 'sender': '9facbf452def2d7efc5b5c48cdb837fa@badguy.zz', 'senderIP': '192.0.2.255', 'threatID': '61f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50', 'threatTime': '2010-01-11T00:00:10.000Z', 'threatURL': 'https://threatinsight.proofpoint.com/#/f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50', 'url': 'http://badguy.zz/', 'userAgent': 'Mozilla/5.0(WindowsNT6.1;WOW64;rv:27.0)Gecko/20100101Firefox/27.0'} |
{'GUID': '2222', 'QID': 'r2FNwRHF004109', 'ccAddresses': ['bruce.wayne@university-of-education.zz'], 'clusterId': 'pharmtech_hosted', 'fromAddress': 'badguy@evil.zz', 'headerCC': '"Bruce Wayne"
|
{'GUID': '1111', 'QID': 'r2FNwRHF004109', 'ccAddresses': ['bruce.wayne@university-of-education.zz'], 'clusterId': 'pharmtech_hosted', 'fromAddress': 'badguy@evil.zz', 'headerCC': '"Bruce Wayne"
|
2. proofpoint-get-forensics
gets forensics evidence
Base Command
proofpoint-get-forensics
Input
| Argument Name | Description | Required |
|---|---|---|
| threatId | ID of threat (must fill threatId or campaignId) | Optional |
| campaignId | ID of campaign (must fill threatId or campaignId) | Optional |
| includeCampaignForensics | Can be provide only with threatId | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| Proofpoint.Report.ID | String | ID of report |
| Proofpoint.Report.Type | String | The threat type: attachment, url, or hybrid |
| Proofpoint.Report.Scope | String | Whether the report scope covers a campaign or an individual threat |
| Proofpoint.Report.Attachment.Time | Date | The relative time at which the evidence was observed during sandboxing. |
| Proofpoint.Report.Attachment.Malicious | String | whether the evidence was used to reach a malicious verdict. |
| Proofpoint.Report.Attachment.Display | String | A friendly display string. |
| Proofpoint.Report.Attachment.SHA256 | String | The SHA256 hash of the attachment's contents. |
| Proofpoint.Report.Attachment.MD5 | String | The MD5 hash of the attachment's contents. |
| Proofpoint.Report.Attachment.Blacklisted | Number | Optional, whether the file was blacklisted. |
| Proofpoint.Report.Attachment.Offset | Number | Optional, the offset in bytes where the malicious content was found. |
| Proofpoint.Report.Attachment.Size | Number | Optional, the size in bytes of the attachment's contents. |
| Proofpoint.Report.Attachment.Platform.Name | String | Name of the platform. |
| Proofpoint.Report.Attachment.Platform.OS | String | OS of the platform. |
| Proofpoint.Report.Attachment.Platform.Version | String | Version of the platform. |
| Proofpoint.Report.Cookie.Time | Date | The relative time at which the evidence was observed during sandboxing. |
| Proofpoint.Report.Cookie.Malicious | String | whether the evidence was used to reach a malicious verdict. |
| Proofpoint.Report.Cookie.Display | String | A friendly display string. |
| Proofpoint.Report.Cookie.Action | String | Whether the cookie was set or deleted |
| Proofpoint.Report.Cookie.Domain | String | Which domain set the cookie. |
| Proofpoint.Report.Cookie.Key | String | The name of the cookie being set or deleted. |
| Proofpoint.Report.Cookie.Value | String | Optional, content of the cookie being set. |
| Proofpoint.Report.Cookie.Platform.Name | String | Name of the platform. |
| Proofpoint.Report.Cookie.Platform.OS | String | OS of the platform. |
| Proofpoint.Report.Cookie.Platform.Version | String | Version of the platform. |
| Proofpoint.Report.DNS.Time | Date | The relative time at which the evidence was observed during sandboxing. |
| Proofpoint.Report.DNS.Malicious | String | whether the evidence was used to reach a malicious verdict. |
| Proofpoint.Report.DNS.Display | String | A friendly display string. |
| Proofpoint.Report.DNS.Host | String | The hostname being resolved. |
| Proofpoint.Report.DNS.CNames | String | Optional, an array of cnames which were associated with the hostname. |
| Proofpoint.Report.DNS.IP | String | Optional, an array of IP addresses which were resolved to the hostname. |
| Proofpoint.Report.DNS.NameServers | String | Optional, the nameservers responsible for the hostname's domain. |
| Proofpoint.Report.DNS.NameServersList | String | Optional, the nameservers responsible for the hostname's. |
| Proofpoint.Report.DNS.Platform.Name | String | Name of the platform. |
| Proofpoint.Report.DNS.Platform.OS | String | OS of the platform. |
| Proofpoint.Report.DNS.Platform.Version | String | Version of the platform. |
| Proofpoint.Report.Dropper.Time | Date | The relative time at which the evidence was observed during sandboxing. |
| Proofpoint.Report.Dropper.Malicious | String | whether the evidence was used to reach a malicious verdict. |
| Proofpoint.Report.Dropper.Display | String | A friendly display string. |
| Proofpoint.Report.Dropper.Path | String | The location of the dropper file. |
| Proofpoint.Report.Dropper.URL | String | Optional, the name of the static rule inside the sandbox which identified the dropper. |
| Proofpoint.Report.Dropper.Rule | String | Optional, the URL the dropper contacted. |
| Proofpoint.Report.Dropper.Platform.Name | String | Name of the platform. |
| Proofpoint.Report.Dropper.Platform.OS | String | OS of the platform. |
| Proofpoint.Report.Dropper.Platform.Version | String | Version of the platform. |
| Proofpoint.Report.File.Time | Date | The relative time at which the evidence was observed during sandboxing. |
| Proofpoint.Report.File.Malicious | String | whether the evidence was used to reach a malicious verdict. |
| Proofpoint.Report.File.Display | String | A friendly display string. |
| Proofpoint.Report.File.Path | String | Optional, the location of the file operated on. |
| Proofpoint.Report.File.Action | String | Optional, the filesystem call made create (modify, or delete). |
| Proofpoint.Report.File.Rule | String | Optional, the name of the static rule inside the sandbox which identified the suspicious file. |
| Proofpoint.Report.File.SHA256 | Unknown | Optional, the SH256 sum of the file's contents. |
| Proofpoint.Report.File.MD5 | String | Optional, the MD5 sum of the file's contents. |
| Proofpoint.Report.File.Size | Number | Optional, the size in bytes of the file's contents. |
| Proofpoint.Report.File.Platform.Name | String | Name of the platform. |
| Proofpoint.Report.File.Platform.OS | String | OS of the platform. |
| Proofpoint.Report.File.Platform.Version | String | Version of the platform. |
| Proofpoint.Report.IDS.Time | Date | The relative time at which the evidence was observed during sandboxing. |
| Proofpoint.Report.IDS.Malicious | String | whether the evidence was used to reach a malicious verdict. |
| Proofpoint.Report.IDS.Display | String | A friendly display string. |
| Proofpoint.Report.IDS.Name | String | The friendly name of the IDS rule which observed the malicious traffic. |
| Proofpoint.Report.IDS.SignatureID | String | The identifier of the IDS rule which observed the malicious traffic. |
| Proofpoint.Report.IDS.Platform.Name | String | Name of the platform. |
| Proofpoint.Report.IDS.Platform.OS | String | OS of the platform. |
| Proofpoint.Report.IDS.Platform.Version | String | Version of the platform. |
| Proofpoint.Report.Mutex.Time | Date | The relative time at which the evidence was observed during sandboxing. |
| Proofpoint.Report.Mutex.Malicious | String | whether the evidence was used to reach a malicious verdict. |
| Proofpoint.Report.Mutex.Display | String | A friendly display string. |
| Proofpoint.Report.Mutex.Name | String | The name of the mutex. |
| Proofpoint.Report.Mutex.Path | String | Optional, the path to the process which spawned the mutex. |
| Proofpoint.Report.Mutex.Platform.Name | String | Name of the platform. |
| Proofpoint.Report.Mutex.Platform.OS | String | OS of the platform. |
| Proofpoint.Report.Mutex.Platform.Version | String | Version of the platform. |
| Proofpoint.Report.Network.Time | Date | The relative time at which the evidence was observed during sandboxing. |
| Proofpoint.Report.Network.Malicious | String | whether the evidence was used to reach a malicious verdict. |
| Proofpoint.Report.Network.Display | String | A friendly display string. |
| Proofpoint.Report.Network.Action | String | The type of network activity being initated (connect or listen). |
| Proofpoint.Report.Network.IP | String | The remote IP address being contacted. |
| Proofpoint.Report.Network.Port | String | The remote IP Port being contacted. |
| Proofpoint.Report.Network.Type | String | The protocol being used (tcp or udp). |
| Proofpoint.Report.Network.Platform.Name | String | Name of the platform. |
| Proofpoint.Report.Network.Platform.OS | String | OS of the platform. |
| Proofpoint.Report.Network.Platform.Version | String | Version of the platform. |
| Proofpoint.Report.Process.Time | Date | The relative time at which the evidence was observed during sandboxing. |
| Proofpoint.Report.Process.Malicious | String | whether the evidence was used to reach a malicious verdict. |
| Proofpoint.Report.Process.Display | String | A friendly display string. |
| Proofpoint.Report.Process.Action | String | The action peformed on the process, current only create is produced. |
| Proofpoint.Report.Process.Path | String | The location of the executable which spawned the process. |
| Proofpoint.Report.Process.Platform.Name | String | Name of the platform. |
| Proofpoint.Report.Process.Platform.OS | String | OS of the platform. |
| Proofpoint.Report.Process.Platform.Version | String | Version of the platform. |
| Proofpoint.Report.Registry.Time | Date | The relative time at which the evidence was observed during sandboxing. |
| Proofpoint.Report.Registry.Malicious | String | whether the evidence was used to reach a malicious verdict. |
| Proofpoint.Report.Registry.Display | String | A friendly display string. |
| Proofpoint.Report.Registry.Name | String | Optional, the name of the registry entry being created or set. |
| Proofpoint.Report.Registry.Action | String | The registry change made (create or set). |
| Proofpoint.Report.Registry.Key | String | The location of the registry key being modified. |
| Proofpoint.Report.Registry.Value | String | Optional, the contents of the key being created or set. |
| Proofpoint.Report.Registry.Platform.Name | String | Name of the platform. |
| Proofpoint.Report.Registry.Platform.OS | String | OS of the platform. |
| Proofpoint.Report.Registry.Platform.Version | String | Version of the platform. |
| Proofpoint.Report.URL.Time | Date | The relative time at which the evidence was observed during sandboxing. |
| Proofpoint.Report.URL.Malicious | String | whether the evidence was used to reach a malicious verdict. |
| Proofpoint.Report.URL.Display | String | A friendly display string. |
| Proofpoint.Report.URL.URL | String | The URL which was observed. |
| Proofpoint.Report.URL.Blacklisted | Boolean | Optional, whether the URL was listed on a blacklist. |
| Proofpoint.Report.URL.SHA256 | String | Optional, the sha256 value of the file downloaded from the URL. |
| Proofpoint.Report.URL.MD5 | String | Optional, the md5 value of the file downloaded from the URL. |
| Proofpoint.Report.URL.Size | Number | Optional, the size in bytes of the file retrieved from the URL. |
| Proofpoint.Report.URL.HTTPStatus | Number | Optional, the HTTP status code which was produced when our sandbox visited the URL. |
| Proofpoint.Report.URL.IP | String | Optional, the IP address that was resolved to the hostname by the sandbox. |
| Proofpoint.Report.URL.Platform.Name | String | Name of the platform. |
| Proofpoint.Report.URL.Platform.OS | String | OS of the platform. |
| Proofpoint.Report.URL.Platform.Version | String | Version of the platform. |
Command Example
!proofpoint-get-forensics threatId=threatId
Context Example
{
"Proofpoint.Report": [
{
"Attachment": [
{
"Display": "string",
"MD5": "string",
"Malicious": "string",
"Offset": "integer",
"Platform": [
{
"Name": "windows 7 sp1",
"OS": "windows 7",
"Version": "4.5.661"
}
],
"SHA256": "string",
"Size": "integer",
"Time": "string"
}
],
"Cookie": [
{
"Action": "string",
"Display": "string",
"Domain": "string",
"Key": "string",
"Malicious": "string",
"Platform": [
{
"Name": "windows 7 sp1",
"OS": "windows 7",
"Version": "4.5.661"
}
],
"Time": "string",
"Value": "string"
}
],
"DNS": [
{
"CNames": [
"string1",
"string2"
],
"Display": "string",
"Host": "string",
"IP": [
"string1",
"string2"
],
"Malicious": "string",
"NameServers": [
"string1",
"string2"
],
"NameServersList": [
"string1",
"string2"
],
"Platform": [
{
"Name": "windows 7 sp1",
"OS": "windows 7",
"Version": "4.5.661"
}
],
"Time": "string"
}
],
"Dropper": [
{
"Display": "string",
"Malicious": "string",
"Path": "string",
"Platform": [
{
"Name": "windows 7 sp1",
"OS": "windows 7",
"Version": "4.5.661"
}
],
"Rule": "string",
"Time": "string",
"URL": "string"
}
],
"File": [
{
"Action": "string",
"Display": "string",
"MD5": "string",
"Malicious": "string",
"Path": "string",
"Platform": [
{
"Name": "windows 7 sp1",
"OS": "windows 7",
"Version": "4.5.661"
}
],
"SHA256": "string",
"Size": "integer",
"Time": "string"
}
],
"ID": "threatId",
"IDS": [
{
"Display": "string",
"Malicious": "string",
"Name": "string",
"Platform": [
{
"Name": "windows 7 sp1",
"OS": "windows 7",
"Version": "4.5.661"
}
],
"SignatureID": "integer",
"Time": "string"
}
],
"Mutex": [
{
"Display": "string",
"Malicious": "string",
"Name": "string",
"Path": "string",
"Platform": [
{
"Name": "windows 7 sp1",
"OS": "windows 7",
"Version": "4.5.661"
}
],
"Time": "string"
}
],
"Network": [
{
"Action": "string",
"Display": "string",
"IP": "string",
"Malicious": "string",
"Platform": [
{
"Name": "windows 7 sp1",
"OS": "windows 7",
"Version": "4.5.661"
}
],
"Port": "string",
"Protocol": "string",
"Time": "string"
}
],
"Process": [
{
"Action": "string",
"Display": "string",
"Malicious": "string",
"Path": "string",
"Platform": [
{
"Name": "windows 7 sp1",
"OS": "windows 7",
"Version": "4.5.661"
}
],
"Time": "string"
}
],
"Registry": [
{
"Action": "string",
"Display": "string",
"Key": "string",
"Malicious": "string",
"Name": "string",
"Platform": [
{
"Name": "windows 7 sp1",
"OS": "windows 7",
"Version": "4.5.661"
}
],
"Time": "string",
"Value": "string"
}
],
"Scope": "string",
"Type": "string",
"URL": [
{
"Blacklisted": "boolean",
"Display": "string",
"HTTPStatus": "string",
"IP": "string",
"MD5": "string",
"Malicious": "string",
"Platform": [
{
"Name": "windows 7 sp1",
"OS": "windows 7",
"Version": "4.5.661"
}
],
"SHA256": "string",
"Size": "integer",
"Time": "string",
"URL": "string"
}
]
}
]
}
Human Readable Output
Forensic results from ProofPoint for ID: threatId
| ID | Scope | Type |
|---|---|---|
| threatId | string | string |