Proofpoint Threat Response Event Collector
#
This Integration is part of the Proofpoint Threat Response Pack.Supported versions
Supported Cortex XSOAR versions: 6.8.0 and later.
Use the Proofpoint Threat Response integration to orchestrate and automate incident response.
#
Configure Proofpoint Threat Response Event Collector on Cortex XSIAMNavigate to Settings > Integrations > Servers & Services.
Search for Proofpoint Threat Response Event Collector.
Click Add instance to create and configure a new integration instance.
Parameter Description Required Server URL (e.g., https://192.168.0.1) True API Key for the authentication. True Trust any certificate (not secure) False Use system proxy settings False First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days) The time range for the initial data fetch. If timeout errors occur, consider changing this value. False Fetch limit - maximum number of incidents per fetch False Fetch delta - The delta time in each batch. e.g. 1 hour, 3 minutes. The time range between create_after and created_before that is sent to the API when fetching older incidents. If timeout errors occur, consider changing this value. False Fetch incidents with specific event sources. Can be a list of comma-separated values. False Fetch incidents with specific 'Abuse Disposition' values. Can be a list of comma-separated values. False Fetch incident with specific states. False POST URL of the JSON alert source. You can find this value by navigating to Sources -> JSON event source -> POST URL. False Click Test to validate the URLs, token, and connection.
#
CommandsYou can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
#
proofpoint-trap-get-eventsRetrieves all incident metadata from Threat Response by specifying filter criteria such as the state of the incident or time of closure.
#
Base Commandproofpoint-trap-get-events
#
InputArgument Name | Description | Required |
---|---|---|
should_push_events | If true, the command will create events, otherwise it will only display them. Possible values are: true, false. Default is false. | Required |
state | The state of the incidents to retrieve. Possible values are: new, open, assigned, closed, ignored. | Optional |
created_after | Retrieve incidents that were created after this date, in ISO 8601 format (UTC). Example: 2020-02-22 or 2020-02-22T00:00:00Z. | Optional |
created_before | Retrieve incidents that were created before this date, in ISO 8601 format (UTC). Example: 2020-02-22 or 2020-02-22T00:00:00Z. | Optional |
closed_after | Retrieve incidents that were closed after this date, in ISO 8601 format (UTC). Example: 2020-02-22 or 2020-02-22T00:00:00Z. | Optional |
closed_before | Retrieve incidents that were closed before this date, in ISO 8601 format (UTC). Example: 2020-02-22 or 2020-02-22T00:00:00Z. | Optional |
expand_events | If false, will return an array of event IDs instead of full event objects. This will significantly speed up the response time of the API for incidents with a large number of alerts. Possible values are: true, false. | Optional |
limit | The maximum number of incidents to return. Default is 100. | Required |
#
Context OutputThere is no context output for this command.