Skip to main content

Proofpoint Threat Response (Beta)

This Integration is part of the Proofpoint Threat Response (Beta) Pack.#

beta

This is a beta Integration, which lets you implement and test pre-release software. Since the integration is beta, it might contain bugs. Updates to the integration during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the integration to help us identify issues, fix them, and continually improve.

Use the Proofpoint Threat Response integration to orchestrate and automate incident response.

Configure Proofpoint Threat Response on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for Proofpoint Threat Response.

  3. Click Add instance to create and configure a new integration instance.

    ParameterDescriptionRequired
    Server URL (e.g. https://192.168.0.1)True
    API KeyTrue
    Trust any certificate (not secure)False
    Use system proxy settingsFalse
    Fetch incidentsFalse
    Incident typeFalse
    First fetch timestamp ("number" "time unit", e.g., 12 hours, 7 days)The time range to consider for the initial data fetch. If timeout errors occur consider changing this value.False
    Fetch limit - maximum number of incidents per fetchFalse
    Fetch delta - The delta time in each batch. e.g. 1 hour, 3 minutes.The time range between create_after and created_before that is sent to the api when fetching
    older incidents. If timeout errors occur consider changing this value.False
    Fetch incidents with specific event sources. Can be a list of comma separated values.False
    Fetch incidents with specific 'Abuse Disposition' values. Can be a list of comma separated values.False
    Fetch incident with specific states.False
    POST URL of the JSON alert source.You can find this value by navigating to Sources -> JSON event source -> POST URL.False
  4. Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

proofpoint-tr-get-list#


Gets items for the specified list.

Base Command#

proofpoint-tr-get-list

Input#

Argument NameDescriptionRequired
list-idID of the list.Required

Context Output#

There is no context output for this command.

Command Example#

Human Readable Output#

proofpoint-tr-add-to-list#


Adds a member to the specified list.

Base Command#

proofpoint-tr-add-to-list

Input#

Argument NameDescriptionRequired
list-idThe list to add a member to.Required
indicatorA comma-separated list of indicator values. Can be IP addresses, URLs, domains, or file hashes. For example: "192.168.1.1,192.168.1.2".Required
commentA comment about the member.Optional
expirationExpiration of the member.Optional

Context Output#

There is no context output for this command.

Command Example#

Human Readable Output#

proofpoint-tr-block-ip#


Adds the supplied IP addresses to the specified IP blacklist.

Base Command#

proofpoint-tr-block-ip

Input#

Argument NameDescriptionRequired
ipA comma-separated list of IP addresses to blacklist.Required
expirationDate and time when the supplied IP addresses should be removed from the blacklist, in the format YYYY-MM-DDTHH:MM:SSZ. For example: 2020-02-02T19:00:00Z.Optional
blacklist_ipThe ID of the IP blacklist.Required

Context Output#

There is no context output for this command.

Command Example#

Human Readable Output#

proofpoint-tr-block-domain#


Adds the supplied domains to the specified blacklist.

Base Command#

proofpoint-tr-block-domain

Input#

Argument NameDescriptionRequired
domainA comma-separated list of domains to add to the blacklist.Required
expirationDate and time when the supplied IP addresses should be removed from the blacklist, in the format YYYY-MM-DDTHH:MM:SSZ. For example: 2020-02-02T19:00:00Z.Optional
blacklist_domainThe ID of the domain blacklist.Required

Context Output#

There is no context output for this command.

Command Example#

Human Readable Output#

proofpoint-tr-search-indicator#


Returns indicators from the specified list, according to the defined filter.

Base Command#

proofpoint-tr-search-indicator

Input#

Argument NameDescriptionRequired
list-idThe ID of the list in which to search.Required
filterThe filter for the indicator search. For example, "1.1" will return [1.1.1.1, 22.22.1.1, 1.1.22.22].Required

Context Output#

There is no context output for this command.

Command Example#

Human Readable Output#

proofpoint-tr-delete-indicator#


Deletes an indicator from the specified list.

Base Command#

proofpoint-tr-delete-indicator

Input#

Argument NameDescriptionRequired
list-idID of the list from which to delete indicators.Required
indicatorThe indicator value to delete from the list. Can be an IP address, URL, domain, or file hash. For example: "demisto.com".Required

Context Output#

There is no context output for this command.

Command Example#

Human Readable Output#

proofpoint-tr-block-url#


Adds the supplied URLs to the specified URL blacklist.

Base Command#

proofpoint-tr-block-url

Input#

Argument NameDescriptionRequired
urlA comma-separated list of URLs to add to the URL blacklist.Required
expirationDate and time when the supplied URLs should be removed from the blacklist, in the format YYYY-MM-DDTHH:MM:SSZ. For example: 2020-02-02T19:00:00Z.Optional
blacklist_urlThe ID of the URL blacklist.Required

Context Output#

There is no context output for this command.

Command Example#

Human Readable Output#

proofpoint-tr-block-hash#


Adds the supplied file hashes to the specified file hash blacklist.

Base Command#

proofpoint-tr-block-hash

Input#

Argument NameDescriptionRequired
hashA comma-separated list of file hashes to add to the file hash blacklist.Required
expirationDate and time when the supplied file hashes should be removed from the blacklist, in the format YYYY-MM-DDTHH:MM:SSZ. For example: 2020-02-02T19:00:00Z.Optional
blacklist_hashThe ID of the hash blacklist.Required

Context Output#

There is no context output for this command.

Command Example#

Human Readable Output#

proofpoint-tr-list-incidents#


Retrieves all incident metadata from Threat Response by specifying filter criteria such as the state of the incident or time of closure.

Base Command#

proofpoint-tr-list-incidents

Input#

Argument NameDescriptionRequired
stateState of the incidents to retrieve. Possible values are: new, open, assigned, closed, ignored.Optional
created_afterRetrieve incidents that were created after this date, in ISO 8601 format (UTC). Example: 2020-02-22 or 2020-02-22T00:00:00Z. Possible values are: .Optional
created_beforeRetrieve incidents that were created before this date, in ISO 8601 format (UTC). Example: 2020-02-22 or 2020-02-22T00:00:00Z.Optional
closed_afterRetrieve incidents that were closed after this date, in ISO 8601 format (UTC). Example: 2020-02-22 or 2020-02-22T00:00:00Z.Optional
closed_beforeRetrieve incidents that were closed before this date, in ISO 8601 format (UTC). Example: 2020-02-22 or 2020-02-22T00:00:00Z.Optional
expand_eventsIf false, will return an array of event IDs instead of full event objects. This will significantly speed up the response time of the API for incidents with large numbers of alerts. Possible values are: true, false.Optional
limitThe maximum number of incidents to return. The default value is 50. Default is 50.Required

Context Output#

PathTypeDescription
ProofPointTRAP.Incident.idNumberThe incident ID.
ProofPointTRAP.Incident.summaryStringThe summary of the incident.
ProofPointTRAP.Incident.scoreNumberThe score of the incident from ProofPoint.
ProofPointTRAP.Incident.stateStringThe state of the incident. Can be - Open, Closed, New, Assigned, Ignored.
ProofPointTRAP.Incident.created_atDateThe date that the incident was created.
ProofPointTRAP.Incident.updated_atDateThe date that the incident was last updated.
ProofPointTRAP.Incident.event_countNumberThe number of events attached to the incident.
ProofPointTRAP.Incident.false_positive_countNumberThe number of false positive events in the incident.
ProofPointTRAP.Incident.event_sourcesStringThe sources of the events.
ProofPointTRAP.Incident.assigneeStringThe user assigned to the incident.
ProofPointTRAP.Incident.teamStringThe team assigned to the incident.
ProofPointTRAP.Incident.hosts.attackerStringThe host attacker.
ProofPointTRAP.Incident.hosts.forensicsStringThe host forensics.
ProofPointTRAP.Incident.incident_field_values.SeverityStringThe severity of the incident.
ProofPointTRAP.Incident.incident_field_values.Abuse_dispositionStringThe abuse disposition of the incident.
ProofPointTRAP.Incident.incident_field_values.Attack_vectorStringThe attack vector of the incident.
ProofPointTRAP.Incident.incident_field_values.ClassificationStringThe classification of the incident.
ProofPointTRAP.Incident.events.idNumberThe event ID.
ProofPointTRAP.Incident.events.categoryStringThe event category.
ProofPointTRAP.Incident.events.alertTypeStringThe alert type of the event.
ProofPointTRAP.Incident.events.severityStringThe severity of the event.
ProofPointTRAP.Incident.events.sourceStringThe source of the event.
ProofPointTRAP.Incident.events.stateStringThe state of the event.
ProofPointTRAP.Incident.events.attackDirectionStringThe attack direction of the event.
ProofPointTRAP.Incident.events.receivedDateThe time the incident was received.
ProofPointTRAP.Incident.events.emails.senderStringThe sender of the email.
ProofPointTRAP.Incident.events.emails.recipientStringThe recipient of the email.
ProofPointTRAP.Incident.events.emails.message_IdStringThe message ID of the email.
ProofPointTRAP.Incident.events.emails.message_delivery_timeNumberThe delivery time of the message.
ProofPointTRAP.Incident.events.attackers.locationStringThe location of the attacker.
ProofPointTRAP.Incident.events.falsePositiveBooleanWhether this incident is a false positive.
ProofPointTRAP.Incident.events.threatnameStringThe threat name.
ProofPointTRAP.Incident.events.descriptionStringThe description of the event.
ProofPointTRAP.Incident.events.malwareNameStringThe malware name.
ProofPointTRAP.Incident.quarantine_results.alertSourceStringThe alert source.
ProofPointTRAP.Incident.quarantine_results.startTimeDateThe start time of the result.
ProofPointTRAP.Incident.quarantine_results.endTimeDateThe end time of the result.
ProofPointTRAP.Incident.quarantine_results.statusStringThe status of the result.
ProofPointTRAP.Incident.quarantine_results.recipientTypeStringThe recipient type.
ProofPointTRAP.Incident.quarantine_results.recipientStringThe recipient email address.
ProofPointTRAP.Incident.quarantine_results.messageIdStringThe message ID
ProofPointTRAP.Incident.quarantine_results.isReadBooleanWhether the message has been read.
ProofPointTRAP.Incident.quarantine_results.wasUndoneStringWhether the message was undone.
ProofPointTRAP.Incident.quarantine_results.detailsStringThe details about the result.
ProofPointTRAP.Incident.successful_quarantinesNumberThe number of successful quarantines.
ProofPointTRAP.Incident.failed_quarantinesNumberThe number of failed quarantines.
ProofPointTRAP.Incident.pending_quarantinesNumberThe number of pending quarantines.
ProofPointTRAP.Incident.events.emails.bodyStringThe body of the email.
ProofPointTRAP.Incident.events.emails.body_typeStringThe format of the body.
ProofPointTRAP.Incident.events.emails.headersUnknownThe email headers.
ProofPointTRAP.Incident.events.emails.urlsUnknownThe list of URLs from the email.
ProofPoint.Incident.event_idsUnknownThe list of IDs attached to the incident.

Command Example#

Human Readable Output#

proofpoint-tr-get-incident#


Retrieves incident metadata from Threat Response.

Base Command#

proofpoint-tr-get-incident

Input#

Argument NameDescriptionRequired
incident_idThe ID value of the incident to retrieve (e.g. for incident INC-4000, the input for this argument should be 4000).Required
expand_eventsIf false, will return an array of event IDs instead of full event objects. This will significantly speed up the response time of the API for incidents with large numbers of alerts. Possible values are: true, false.Optional

Context Output#

PathTypeDescription
ProofPointTRAP.Incident.idNumberThe incident ID.
ProofPointTRAP.Incident.summaryStringThe summary of the incident.
ProofPointTRAP.Incident.scoreNumberThe score of the incident from ProofPoint.
ProofPointTRAP.Incident.stateStringThe state of the incident. Can be - Open, Closed, New, Assigned, Ignored.
ProofPointTRAP.Incident.created_atDateThe date that the incident was created.
ProofPointTRAP.Incident.updated_atDateThe date that the incident was last updated.
ProofPointTRAP.Incident.event_countNumberThe number of events attached to the incident.
ProofPointTRAP.Incident.false_positive_countNumberThe number of false positive events in the incident.
ProofPointTRAP.Incident.event_sourcesStringThe sources of the events.
ProofPointTRAP.Incident.assigneeStringThe user assigned to the incident.
ProofPointTRAP.Incident.teamStringThe team assigned to the incident.
ProofPointTRAP.Incident.hosts.attackerStringThe host attacker.
ProofPointTRAP.Incident.hosts.forensicsStringThe host forensics.
ProofPointTRAP.Incident.incident_field_values.SeverityStringThe severity of the incident.
ProofPointTRAP.Incident.incident_field_values.Abuse_dispositionStringThe abuse disposition of the incident.
ProofPointTRAP.Incident.incident_field_values.Attack_vectorStringThe attack vector of the incident.
ProofPointTRAP.Incident.incident_field_values.ClassificationStringThe classification of the incident.
ProofPointTRAP.Incident.events.idNumberThe event ID.
ProofPointTRAP.Incident.events.categoryStringThe event category.
ProofPointTRAP.Incident.events.alertTypeStringThe alert type of the event.
ProofPointTRAP.Incident.events.severityStringThe severity of the event.
ProofPointTRAP.Incident.events.sourceStringThe source of the event.
ProofPointTRAP.Incident.events.stateStringThe state of the event.
ProofPointTRAP.Incident.events.attackDirectionStringThe attack direction of the event
ProofPointTRAP.Incident.events.receivedDateThe date that the incident was received.
ProofPointTRAP.Incident.events.emails.senderStringThe sender of the email.
ProofPointTRAP.Incident.events.emails.recipientStringThe recipient of the email.
ProofPointTRAP.Incident.events.emails.message_IdStringThe message ID of the email.
ProofPointTRAP.Incident.events.emails.message_delivery_timeNumberThe time that the message was delivered.
ProofPointTRAP.Incident.events.attackers.locationStringThe location of the attacker.
ProofPointTRAP.Incident.events.falsePositiveBooleanWhether this incident is a false positive.
ProofPointTRAP.Incident.events.threatnameStringThe threat name.
ProofPointTRAP.Incident.events.descriptionStringThe description of the event.
ProofPointTRAP.Incident.events.malwareNameStringThe malware name.
ProofPointTRAP.Incident.quarantine_results.alertSourceStringThe alert source.
ProofPointTRAP.Incident.quarantine_results.startTimeDateThe start time of the result.
ProofPointTRAP.Incident.quarantine_results.endTimeDateThe end time of the result.
ProofPointTRAP.Incident.quarantine_results.statusStringThe status of the result.
ProofPointTRAP.Incident.quarantine_results.recipientTypeStringThe recipient type.
ProofPointTRAP.Incident.quarantine_results.recipientStringThe recipient email address.
ProofPointTRAP.Incident.quarantine_results.messageIdStringThe message ID.
ProofPointTRAP.Incident.quarantine_results.isReadBooleanWhether the message has been read.
ProofPointTRAP.Incident.quarantine_results.wasUndoneStringWhether the message was undone.
ProofPointTRAP.Incident.quarantine_results.detailsStringThe details about the result.
ProofPointTRAP.Incident.successful_quarantinesNumberThe number of successful quarantines.
ProofPointTRAP.Incident.failed_quarantinesNumberThe number of failed quarantines.
ProofPointTRAP.Incident.pending_quarantinesNumberThe number of pending quarantines.
ProofPointTRAP.Incident.events.emails.bodyStringThe body of the email.
ProofPointTRAP.Incident.events.emails.body_typeStringThe format of the body.
ProofPointTRAP.Incident.events.emails.headersUnknownThe email headers.
ProofPointTRAP.Incident.events.emails.urlsUnknownThe list of URLs from the email.
ProofPoint.Incident.event_idsUnknownThe list of IDs attached to the incident.

Command Example#

Human Readable Output#

proofpoint-tr-update-incident-comment#


Adds comments to an existing Threat Response incident, by incident ID.

Base Command#

proofpoint-tr-update-incident-comment

Input#

Argument NameDescriptionRequired
incident_idThe ID value of the incident to add the comment to (e.g. for incident INC-4000, the input for this argument should be 4000).Required
detailsThe details of the comments. .Required
commentsThe summary of the comments.Required

Context Output#

PathTypeDescription
ProofPointTRAP.IncidentComment.idNumberThe ID of the comment.
ProofPointTRAP.IncidentComment.incident_idNumberThe ID of the incident.
ProofPointTRAP.IncidentComment.response_idNumberThe ID of the response.
ProofPointTRAP.IncidentComment.user_idStringThe ID of the user.
ProofPointTRAP.IncidentComment.history_typeStringThe history type.
ProofPointTRAP.IncidentComment.state_fromStringThe state from of the incident.
ProofPointTRAP.IncidentComment.state_toStringThe state to of the incident.
ProofPointTRAP.IncidentComment.summaryStringThe summary of the comments.
ProofPointTRAP.IncidentComment.detailStringThe details of the comment.
ProofPointTRAP.IncidentComment.created_atDateThe date that the incident was created.
ProofPointTRAP.IncidentComment.updated_atDateThe date that the incident was last udpated.

Command Example#

Human Readable Output#

proofpoint-tr-add-user-to-incident#


Assigns a user to an incident as a target or attacker.

Base Command#

proofpoint-tr-add-user-to-incident

Input#

Argument NameDescriptionRequired
incident_idThe ID value of the incident to add the user to (e.g. for incident INC-4000, the input for this argument should be 4000).Required
targetsThe list of targets to add to the incident.Required
attackersThe list of attackers to add to the incident.Required

Context Output#

There is no context output for this command.

Command Example#

Human Readable Output#

proofpoint-tr-ingest-alert#


Ingest an alert into Threat Response.

Base Command#

proofpoint-tr-ingest-alert

Input#

Argument NameDescriptionRequired
post_url_idPOST URL of the JSON alert source. You can find it by navigating to Sources -> JSON event source -> POST URL.Optional
json_versionThe Threat Response JSON version. Default is :"2.0". Possible values are: 2.0, 1.0. Default is 2.0.Required
attackerAn attacker object in a json format : "{"attacker" : {...}}". The attacker object must contain one of ["ip_address", mac_address", "host_name", "url", "user"] keys. You can also add the "port" key to the object. For more information, please see Proofpoint TRAP documentation under "JSON Alert Source 2.0".Optional
classificationThe alert classification shown as "Alert Type" in the TRAP UI. Possible values are: malware, policy-violation, vulnerability, network, spam, phish, command-and-control, data-match, authentication, system-behavior, impostor, reported-abuse, unknown.Optional
cnc_hostsThe Command and Control host information in a JSON format : "{"cnc_hosts": [{"host" : "-", "port": "-"}, ...]}". Note: Every item of the "cnc_hosts" list is in JSON format. For more information, please see Proofpoint TRAP documentation under "JSON Alert Source 2.0".Optional
detectorThe threat detection tool such as Firewall and IPS/IDS systems (in the format: "{"detector" : {...}}"), which generated the original alert. To see all relevant JSON fields and for more information, please see Proofpoint TRAP documentation under "JSON Alert Source 2.0".Optional
emailThe email metadata related to the alert, in a JSON format: "{"email": {...}}". To see all relevant JSON fields and for more information, please see Proofpoint TRAP documentation under "JSON Alert Source 2.0".Optional
forensics_hostsThe forensics host information in a JSON format : "{"forensics_hosts": [{"host" : "-", "port": "-"}...]}". Note: Every item of the "forensics_hosts" list is in JSON format. For more information, please see Proofpoint TRAP documentation under "JSON Alert Source 2.0".Optional
link_attributeThe attribute to link alerts to. Possible values are: target_ip_address, target_hostname, target_machine_name, target_user, target_mac_address, attacker_ip_address, attacker_hostname, attacker_machine_name, attacker_user, attacker_mac_address, email_recipient, email_sender, email_subject, message_id, threat_filename, threat_filehash.Optional
severityThe severity of the alert. Possible values are: info, minor, moderate, major, critical, Informational, Low, Medium, High, Critical.Optional
summaryThe alert summary. This argument will populate the Alert Details field.Optional
targetThe target host information in the JSON format : "{"target": {...}}". To see all relevant JSON fields and for more information, please see Proofpoint TRAP documentation under "JSON Alert Source 2.0".Optional
threat_infoThe threat information in a JSON format: "{"threat_info": {...}}". To see all relevant JSON fields and for more information, please see Proofpoint TRAP documentation under "JSON Alert Source 2.0".Optional
custom_fieldsA JSON object for collecting custom name-value pairs as part of the JSON alert sent to Threat Response, in the format: "{"custom_fields": {..}}". Although there is no limit to the number of custom fields, Proofpoint recommends keeping it to 10 or fewer fields. To see all relevant JSON fields and for more information, please see Proofpoint TRAP documentation under "JSON Alert Source 2.0".Optional

Context Output#

There is no context output for this command.

Command Example#

Human Readable Output#