Skip to main content

Proofpoint Threat Response (Beta)

This Integration is part of the Proofpoint Threat Response Pack.#

beta

This is a beta Integration, which lets you implement and test pre-release software. Since the integration is beta, it might contain bugs. Updates to the integration during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the integration to help us identify issues, fix them, and continually improve.

Use the Proofpoint Threat Response integration to orchestrate and automate incident response.

Configure Proofpoint Threat Response in Cortex#

ParameterDescriptionRequired
Server URL (e.g. https://192.168.0.1)True
API KeyTrue
Trust any certificate (not secure)False
Use system proxy settingsFalse
Fetch incidentsFalse
Incident typeFalse
First fetch timestamp ("number" "time unit", e.g., 12 hours, 7 days)The time range for the initial data fetch. If timeout errors occur, consider changing this value.False
Fetch limit - maximum number of incidents per fetchFalse
Fetch delta - The delta time in each batch. e.g. 1 hour, 3 minutes.The time range between create_after and created_before that is sent to the API when fetching older incidents. If timeout errors occur, consider changing this value.False
Fetch incidents with specific event sources. Can be a list of comma separated values.False
Fetch incidents with specific 'Abuse Disposition' values. Can be a list of comma separated values.False
Fetch incident with specific states.False
POST URL of the JSON alert source.You can find this value by navigating to Sources -> JSON event source -> POST URL.False

Commands#

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

proofpoint-tr-get-list#


Gets items for the specified list.

Base Command#

proofpoint-tr-get-list

Input#

Argument NameDescriptionRequired
list-idThe ID of the list.Required

Context Output#

There is no context output for this command.

proofpoint-tr-add-to-list#


Adds a member to the specified list.

Base Command#

proofpoint-tr-add-to-list

Input#

Argument NameDescriptionRequired
list-idThe list to add a member to.Required
indicatorA comma-separated list of indicator values. Can be IP addresses, URLs, domains, or file hashes.
For example: "192.168.1.1,192.168.1.2".
Required
commentA comment about the member.Optional
expirationThe expiration of the member.Optional

Context Output#

There is no context output for this command.

proofpoint-tr-block-ip#


Adds the supplied IP addresses to the specified IP block list.

Base Command#

proofpoint-tr-block-ip

Input#

Argument NameDescriptionRequired
ipA comma-separated list of IP addresses to block list.Required
expirationThe date and time the supplied IP addresses should be removed from the block list, in the format YYYY-MM-DDTHH:MM:SSZ.
For example: 2020-02-02T19:00:00Z.
Optional
blacklist_ipThe ID of the IP block list.Required

Context Output#

There is no context output for this command.

proofpoint-tr-block-domain#


Adds the supplied domains to the specified block list.

Base Command#

proofpoint-tr-block-domain

Input#

Argument NameDescriptionRequired
domainA comma-separated list of domains to add to the block list.Required
expirationThe date and time the supplied IP addresses should be removed from the block list, in the format YYYY-MM-DDTHH:MM:SSZ.
For example: 2020-02-02T19:00:00Z.
Optional
blacklist_domainThe ID of the domain block list.Required

Context Output#

There is no context output for this command.

proofpoint-tr-search-indicator#


Returns indicators from the specified list, according to the defined filter.

Base Command#

proofpoint-tr-search-indicator

Input#

Argument NameDescriptionRequired
list-idThe ID of the list in which to search.Required
filterThe filter for the indicator search.
For example, "1.1" will return [1.1.1.1, 22.22.1.1, 1.1.22.22].
Required

Context Output#

There is no context output for this command.

proofpoint-tr-delete-indicator#


Deletes an indicator from the specified list.

Base Command#

proofpoint-tr-delete-indicator

Input#

Argument NameDescriptionRequired
list-idID of the list from which to delete indicators.Required
indicatorThe indicator value to delete from the list. Can be an IP address, URL, domain, or file hash.
For example: "demisto.com".
Required

Context Output#

There is no context output for this command.

proofpoint-tr-block-url#


Adds the supplied URLs to the specified URL block list.

Base Command#

proofpoint-tr-block-url

Input#

Argument NameDescriptionRequired
urlA comma-separated list of URLs to add to the URL block list.Required
expirationThe date and time the supplied URLs should be removed from the block list, in the format YYYY-MM-DDTHH:MM:SSZ.
For example: 2020-02-02T19:00:00Z.
Optional
blacklist_urlThe ID of the URL block list.Required

Context Output#

There is no context output for this command.

proofpoint-tr-block-hash#


Adds the supplied file hashes to the specified file hash block list.

Base Command#

proofpoint-tr-block-hash

Input#

Argument NameDescriptionRequired
hashA comma-separated list of file hashes to add to the file hash block list.Required
expirationThe date and time the supplied file hashes should be removed from the block list, in the format YYYY-MM-DDTHH:MM:SSZ.
For example: 2020-02-02T19:00:00Z.
Optional
blacklist_hashThe ID of the hash block list.Required

Context Output#

There is no context output for this command.

proofpoint-tr-list-incidents#


Retrieves all incident metadata from Threat Response by specifying filter criteria such as the state of the incident or time of closure.

Base Command#

proofpoint-tr-list-incidents

Input#

Argument NameDescriptionRequired
stateState of the incidents to retrieve. Possible values are: new, open, assigned, closed, ignored.Optional
created_afterRetrieve incidents that were created after this date, in ISO 8601 format (UTC).
Example: 2020-02-22 or 2020-02-22T00:00:00Z. Possible values are: .
Optional
created_beforeRetrieve incidents that were created before this date, in ISO 8601 format (UTC).
Example: 2020-02-22 or 2020-02-22T00:00:00Z.
Optional
closed_afterRetrieve incidents that were closed after this date, in ISO 8601 format (UTC).
Example: 2020-02-22 or 2020-02-22T00:00:00Z.
Optional
closed_beforeRetrieve incidents that were closed before this date, in ISO 8601 format (UTC).
Example: 2020-02-22 or 2020-02-22T00:00:00Z.
Optional
expand_eventsIf false, will return an array of event IDs instead of full event objects. This will significantly speed up the response time of the API for incidents with large numbers of alerts.Optional
limitThe maximum number of incidents to return. The default value is 50.Required

Context Output#

PathTypeDescription
ProofPointTRAP.Incident.idNumberThe incident ID.
ProofPointTRAP.Incident.summaryStringThe summary of the incident.
ProofPointTRAP.Incident.scoreNumberThe score of the incident from Proofpoint.
ProofPointTRAP.Incident.stateStringThe state of the incident. Can be - Open, Closed, New, Assigned, Ignored.
ProofPointTRAP.Incident.created_atDateThe date the incident was created.
ProofPointTRAP.Incident.updated_atDateThe date the incident was last updated.
ProofPointTRAP.Incident.event_countNumberThe number of events attached to the incident.
ProofPointTRAP.Incident.false_positive_countNumberThe number of false positive events in the incident.
ProofPointTRAP.Incident.event_sourcesStringThe sources of the events.
ProofPointTRAP.Incident.assigneeStringThe user assigned to the incident.
ProofPointTRAP.Incident.teamStringThe team assigned to the incident.
ProofPointTRAP.Incident.hosts.attackerStringThe host attacker.
ProofPointTRAP.Incident.hosts.forensicsStringThe host forensics.
ProofPointTRAP.Incident.incident_field_values.SeverityStringThe severity of the incident.
ProofPointTRAP.Incident.incident_field_values.Abuse_dispositionStringThe abuse disposition of the incident.
ProofPointTRAP.Incident.incident_field_values.Attack_vectorStringThe attack vector of the incident.
ProofPointTRAP.Incident.incident_field_values.ClassificationStringThe classification of the incident.
ProofPointTRAP.Incident.events.idNumberThe event ID.
ProofPointTRAP.Incident.events.categoryStringThe event category.
ProofPointTRAP.Incident.events.alertTypeStringThe alert type of the event.
ProofPointTRAP.Incident.events.severityStringThe severity of the event.
ProofPointTRAP.Incident.events.sourceStringThe source of the event.
ProofPointTRAP.Incident.events.stateStringThe state of the event.
ProofPointTRAP.Incident.events.attackDirectionStringThe attack direction of the event.
ProofPointTRAP.Incident.events.receivedDateThe time the incident was received.
ProofPointTRAP.Incident.events.emails.senderStringThe sender of the email.
ProofPointTRAP.Incident.events.emails.recipientStringThe recipient of the email.
ProofPointTRAP.Incident.events.emails.message_IdStringThe message ID of the email.
ProofPointTRAP.Incident.events.emails.message_delivery_timeNumberThe delivery time of the message.
ProofPointTRAP.Incident.events.attackers.locationStringThe location of the attacker.
ProofPointTRAP.Incident.events.falsePositiveBooleanWhether this incident is a false positive.
ProofPointTRAP.Incident.events.threatnameStringThe threat name.
ProofPointTRAP.Incident.events.descriptionStringThe description of the event.
ProofPointTRAP.Incident.events.malwareNameStringThe malware name.
ProofPointTRAP.Incident.quarantine_results.alertSourceStringThe alert source.
ProofPointTRAP.Incident.quarantine_results.startTimeDateThe start time of the result.
ProofPointTRAP.Incident.quarantine_results.endTimeDateThe end time of the result.
ProofPointTRAP.Incident.quarantine_results.statusStringThe status of the result.
ProofPointTRAP.Incident.quarantine_results.recipientTypeStringThe recipient type.
ProofPointTRAP.Incident.quarantine_results.recipientStringThe recipient email address.
ProofPointTRAP.Incident.quarantine_results.messageIdStringThe message ID.
ProofPointTRAP.Incident.quarantine_results.isReadBooleanWhether the message has been read.
ProofPointTRAP.Incident.quarantine_results.wasUndoneStringWhether the message was undone.
ProofPointTRAP.Incident.quarantine_results.detailsStringThe details about the result.
ProofPointTRAP.Incident.successful_quarantinesNumberThe number of successful quarantines.
ProofPointTRAP.Incident.failed_quarantinesNumberThe number of failed quarantines.
ProofPointTRAP.Incident.pending_quarantinesNumberThe number of pending quarantines.
ProofPointTRAP.Incident.events.emails.bodyStringThe body of the email.
ProofPointTRAP.Incident.events.emails.body_typeStringThe format of the body.
ProofPointTRAP.Incident.events.emails.headersUnknownThe email headers.
ProofPointTRAP.Incident.events.emails.urlsUnknownThe list of URLs from the email.
ProofPoint.Incident.event_idsUnknownThe list of IDs attached to the incident.

proofpoint-tr-get-incident#


Retrieves incident metadata from Threat Response.

Base Command#

proofpoint-tr-get-incident

Input#

Argument NameDescriptionRequired
incident_idThe ID value of the incident to retrieve (e.g. for incident INC-4000, the input for this argument should be 4000).Required
expand_eventsIf false, will return an array of event IDs instead of full event objects. This will significantly speed up the response time of the API for incidents with large numbers of alerts.Optional

Context Output#

PathTypeDescription
ProofPointTRAP.Incident.idNumberThe incident ID.
ProofPointTRAP.Incident.summaryStringThe summary of the incident.
ProofPointTRAP.Incident.scoreNumberThe score of the incident from Proofpoint.
ProofPointTRAP.Incident.stateStringThe state of the incident. Can be - Open, Closed, New, Assigned, Ignored.
ProofPointTRAP.Incident.created_atDateThe date the incident was created.
ProofPointTRAP.Incident.updated_atDateThe date the incident was last updated.
ProofPointTRAP.Incident.event_countNumberThe number of events attached to the incident.
ProofPointTRAP.Incident.false_positive_countNumberThe number of false positive events in the incident.
ProofPointTRAP.Incident.event_sourcesStringThe sources of the events.
ProofPointTRAP.Incident.assigneeStringThe user assigned to the incident.
ProofPointTRAP.Incident.teamStringThe team assigned to the incident.
ProofPointTRAP.Incident.hosts.attackerStringThe host attacker.
ProofPointTRAP.Incident.hosts.forensicsStringThe host forensics.
ProofPointTRAP.Incident.incident_field_values.SeverityStringThe severity of the incident.
ProofPointTRAP.Incident.incident_field_values.Abuse_dispositionStringThe abuse disposition of the incident.
ProofPointTRAP.Incident.incident_field_values.Attack_vectorStringThe attack vector of the incident.
ProofPointTRAP.Incident.incident_field_values.ClassificationStringThe classification of the incident.
ProofPointTRAP.Incident.events.idNumberThe event ID.
ProofPointTRAP.Incident.events.categoryStringThe event category.
ProofPointTRAP.Incident.events.alertTypeStringThe alert type of the event.
ProofPointTRAP.Incident.events.severityStringThe severity of the event.
ProofPointTRAP.Incident.events.sourceStringThe source of the event.
ProofPointTRAP.Incident.events.stateStringThe state of the event.
ProofPointTRAP.Incident.events.attackDirectionStringThe attack direction of the event
ProofPointTRAP.Incident.events.receivedDateThe date the incident was received.
ProofPointTRAP.Incident.events.emails.senderStringThe sender of the email.
ProofPointTRAP.Incident.events.emails.recipientStringThe recipient of the email.
ProofPointTRAP.Incident.events.emails.message_IdStringThe message ID of the email.
ProofPointTRAP.Incident.events.emails.message_delivery_timeNumberThe time the message was delivered.
ProofPointTRAP.Incident.events.attackers.locationStringThe location of the attacker.
ProofPointTRAP.Incident.events.falsePositiveBooleanWhether this incident is a false positive.
ProofPointTRAP.Incident.events.threatnameStringThe threat name.
ProofPointTRAP.Incident.events.descriptionStringThe description of the event.
ProofPointTRAP.Incident.events.malwareNameStringThe malware name.
ProofPointTRAP.Incident.quarantine_results.alertSourceStringThe alert source.
ProofPointTRAP.Incident.quarantine_results.startTimeDateThe start time of the result.
ProofPointTRAP.Incident.quarantine_results.endTimeDateThe end time of the result.
ProofPointTRAP.Incident.quarantine_results.statusStringThe status of the result.
ProofPointTRAP.Incident.quarantine_results.recipientTypeStringThe recipient type.
ProofPointTRAP.Incident.quarantine_results.recipientStringThe recipient email address.
ProofPointTRAP.Incident.quarantine_results.messageIdStringThe message ID.
ProofPointTRAP.Incident.quarantine_results.isReadBooleanWhether the message has been read.
ProofPointTRAP.Incident.quarantine_results.wasUndoneStringWhether the message was undone.
ProofPointTRAP.Incident.quarantine_results.detailsStringThe details about the result.
ProofPointTRAP.Incident.successful_quarantinesNumberThe number of successful quarantines.
ProofPointTRAP.Incident.failed_quarantinesNumberThe number of failed quarantines.
ProofPointTRAP.Incident.pending_quarantinesNumberThe number of pending quarantines.
ProofPointTRAP.Incident.events.emails.bodyStringThe body of the email.
ProofPointTRAP.Incident.events.emails.body_typeStringThe format of the body.
ProofPointTRAP.Incident.events.emails.headersUnknownThe email headers.
ProofPointTRAP.Incident.events.emails.urlsUnknownThe list of URLs from the email.
ProofPoint.Incident.event_idsUnknownThe list of IDs attached to the incident.

proofpoint-tr-update-incident-comment#


Adds comments to an existing Threat Response incident, by incident ID.

Base Command#

proofpoint-tr-update-incident-comment

Input#

Argument NameDescriptionRequired
incident_idThe ID value of the incident to add the comment to (e.g. for incident INC-4000, the input for this argument should be 4000).Required
detailsThe details of the comments.Required
commentsThe summary of the comments.Required

Context Output#

PathTypeDescription
ProofPointTRAP.IncidentComment.idNumberThe ID of the comment.
ProofPointTRAP.IncidentComment.incident_idNumberThe ID of the incident.
ProofPointTRAP.IncidentComment.response_idNumberThe ID of the response.
ProofPointTRAP.IncidentComment.user_idStringThe ID of the user.
ProofPointTRAP.IncidentComment.history_typeStringThe history type.
ProofPointTRAP.IncidentComment.state_fromStringThe state from of the incident.
ProofPointTRAP.IncidentComment.state_toStringThe state to of the incident.
ProofPointTRAP.IncidentComment.summaryStringThe summary of the comments.
ProofPointTRAP.IncidentComment.detailStringThe details of the comment.
ProofPointTRAP.IncidentComment.created_atDateThe date the incident was created.
ProofPointTRAP.IncidentComment.updated_atDateThe date the incident was last updated.

proofpoint-tr-add-user-to-incident#


Assigns a user to an incident as a target or attacker.

Base Command#

proofpoint-tr-add-user-to-incident

Input#

Argument NameDescriptionRequired
incident_idThe ID value of the incident to add the user to (e.g. for incident INC-4000, the input for this argument should be 4000).Required
targetsThe list of targets to add to the incident.Required
attackersThe list of attackers to add to the incident.Required

Context Output#

There is no context output for this command.

proofpoint-tr-ingest-alert#


Ingest an alert into Threat Response.

Base Command#

proofpoint-tr-ingest-alert

Input#

Argument NameDescriptionRequired
post_url_idThe POST URL of the JSON alert source. You can find it by navigating to Sources -> JSON event source -> POST URL.Optional
json_versionThe Threat Response JSON version.
Possible values are: 2.0, 1.0. Default is 2.0.
Required
attackerAn attacker object in JSON format : "{"attacker" : {...}}". The attacker object must contain one of ["ip_address", mac_address", "host_name", "url", "user"] keys. You can also add the "port" key to the object. For more information, see Proofpoint TRAP documentation under "JSON Alert Source 2.0".Optional
classificationThe alert classification shown as "Alert Type" in the TRAP UI.
Possible values are: malware, policy-violation, vulnerability, network, spam, phish, command-and-control, data-match, authentication, system-behavior, impostor, reported-abuse, unknown.
Optional
cnc_hostsThe Command and Control host information in JSON format : "{"cnc_hosts": [{"host" : "-", "port": "-"}, ...]}".
Note: Every item of the "cnc_hosts" list is in JSON format. For more information, see Proofpoint TRAP documentation under "JSON Alert Source 2.0".
Optional
detectorThe threat detection tool such as Firewall and IPS/IDS systems (in the format: "{"detector" : {...}}"), which generated the original alert. To see all relevant JSON fields and for more information, see Proofpoint TRAP documentation under "JSON Alert Source 2.0".Optional
emailThe email metadata related to the alert, in JSON format: "{"email": {...}}". To see all relevant JSON fields and for more information, see Proofpoint TRAP documentation under "JSON Alert Source 2.0".Optional
forensics_hostsThe forensics host information in JSON format : "{"forensics_hosts": [{"host" : "-", "port": "-"}...]}".
Note: Every item of the "forensics_hosts" list is in JSON format. For more information, see Proofpoint TRAP documentation under "JSON Alert Source 2.0".
Optional
link_attributeThe attribute to link alerts to.
Possible values are: target_ip_address, target_hostname, target_machine_name, target_user, target_mac_address, attacker_ip_address, attacker_hostname, attacker_machine_name, attacker_user, attacker_mac_address, email_recipient, email_sender, email_subject, message_id, threat_filename, threat_filehash.
Optional
severityThe severity of the alert.
Possible values are: info, minor, moderate, major, critical, Informational, Low, Medium, High, Critical.
Optional
summaryThe alert summary. This argument will populate the Alert Details field.Optional
targetThe target host information in JSON format : "{"target": {...}}". To see all relevant JSON fields and for more information, see Proofpoint TRAP documentation under "JSON Alert Source 2.0".Optional
threat_infoThe threat information in JSON format: "{"threat_info": {...}}". To see all relevant JSON fields and for more information, see Proofpoint TRAP documentation under "JSON Alert Source 2.0".Optional
custom_fieldsA JSON object for collecting custom name-value pairs as part of the JSON alert sent to Threat Response, in the format: "{"custom_fields": {..}}". Although there is no limit to the number of custom fields, Proofpoint recommends keeping it to 10 or fewer fields. To see all relevant JSON fields and for more information, see Proofpoint TRAP documentation under "JSON Alert Source 2.0".Optional

Context Output#

There is no context output for this command.

proofpoint-tr-close-incident#


Close an incident

Base Command#

proofpoint-tr-close-incident

Input#

Argument NameDescriptionRequired
incident_idThe ID value of the incident to close.Required
detailsThe details for the closure notes.Required
summaryThe summary for the closure notes.Required

Context Output#

There is no context output for this command.

proofpoint-tr-verify-quarantine#


Verify if an email has been quarantined.

Base Command#

proofpoint-tr-verify-quarantine

Input#

Argument NameDescriptionRequired
message_idThe ID value of an email.Required
timeThe email delivery time (ISO8601 format).Required
recipientThe email recipient.Required

Context Output#

PathTypeDescription
ProofPointTRAP.QuarantineStringThe result of the quarantine.

Command Example#

!proofpoint-tr-verify-quarantine messageid=<message_id_example> time="2022-06-02T17:22:45Z" recipient=example@example.com

Context Example#

{
"ProofPointTRAP": {
"Quarantine": [
{
"alert": {
"id": 1030,
"time": "2022-06-02T17:33:18Z"
},
"incident": {
"id": 265,
"time": "2022-06-02T17:33:18Z"
},
"quarantine": {
"alertSource": "Admin Portal",
"details": "Success",
"endTime": "2022-06-02T17:33:37.926Z",
"isRead": "false",
"messageId": "message_id_example",
"recipient": "example@example.com",
"recipientType": "Original Recipient",
"startTime": "2022-06-02T17:33:20.352Z",
"status": "successful",
"wasUndone": "false"
}
},
{
"alert": {
"id": 1030,
"time": "2022-06-02T17:33:18Z"
},
"incident": {
"id": 265,
"time": "2022-06-02T17:33:18Z"
},
"quarantine": {
"alertSource": "Admin Portal",
"details": "Success",
"endTime": "2022-06-02T17:33:37.321Z",
"isRead": "false",
"messageId": "message_id_example",
"recipient": "example@example.com",
"recipientType": "Original Recipient",
"startTime": "2022-06-02T17:33:20.283Z",
"status": "successful",
"wasUndone": "false"
}
}
]
}
}