Proofpoint Threat Protection
This Integration is part of the Proofpoint Threat Protection Pack.#
Supported versions
Supported Cortex XSOAR versions: 6.10.0 and later.
Threat Protection APIs are REST APIs that allow Proofpoint On Demand customers to retrieve, add, update or delete certain PoD configurations.
Configure Proofpoint Threat Protection on Cortex XSOAR#
Navigate to Settings > Integrations > Instances.
Search for Proofpoint Threat Protection.
Click Add instance to create and configure a new integration instance.
Parameter Required URL True Client ID True Client Secret True Trust any certificate (not secure) False Use system proxy settings False Cluster ID True Click Test to validate the URLs, token, and connection.
Commands#
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
proofpoint-tp-blocklist-get#
Get all entries in the Organizational Block List.
Base Command#
proofpoint-tp-blocklist-get
Input#
There are no input arguments for this command.
Context Output#
| Path | Type | Description |
|---|---|---|
| ProofpointThreatProtection.Blocklist | unknown | A list of entries in the blocklist. |
proofpoint-tp-blocklist-add-or-delete-entry#
Add/Delete entry from the Organizational Block List.
Base Command#
proofpoint-tp-blocklist-add-or-delete-entry
Input#
| Argument Name | Description | Required |
|---|---|---|
| action | The action to perform. Possible values are: add, delete. | Required |
| attribute | Supported attributes for the Organizational Block List. Possible values are: \$from, \$hfrom, \$ip, \$host, \$helo, \$rcpt. | Required |
| operator | Supported operators for the Organizational Block List. Possible values are: equal, not_equal, contain, not_contain. | Required |
| value | The entry that the action is to be performed upon in the Organizational Block List. | Required |
| comment | A short comment about the entry (max 150 chars). "comment" is ignored for the "delete" action. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| ProofpointThreatProtection.Blocklist | unknown | Standard HTTP response with status code 200. |
proofpoint-tp-safelist-get#
Get all entries in the Organizational Safe List.
Base Command#
proofpoint-tp-safelist-get
Input#
There are no input arguments for this command.
Context Output#
| Path | Type | Description |
|---|---|---|
| ProofpointThreatProtection.Safelist | unknown | A list of entries in the Organizational Safe List. |
proofpoint-tp-safelist-add-or-delete-entry#
Add To/Delete From the Organizational Safe List.
Base Command#
proofpoint-tp-safelist-add-or-delete-entry
Input#
| Argument Name | Description | Required |
|---|---|---|
| action | The action to perform. Possible values are: add, delete. | Required |
| attribute | Supported attributes for the Organizational Safe List. Possible values are: \$from, \$hfrom, \$ip, \$host, \$helo, \$rcpt. | Required |
| operator | Supported operators for the Organizational Safe List. Possible values are: equal, not_equal, contain, not_contain. | Required |
| value | The entry that the action is to be performed upon in the Organizational Safe List. | Required |
| comment | A short comment about the entry (max 150 chars). "comment" is optional for "add" action and ignored for the "delete" action. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| ProofpointThreatProtection.Safelist | unknown | Standard HTTP response with status code 200. |