About the connector
Proofpoint Email Protection helps. you secure and control inbound and. outbound email through an easy- to-use cloud-based solution.
This document provides information about the FortiSOAR™ connector, which facilitates automated interactions, with a Proofpoint Email Gateway server using FortiSOAR™ playbooks. Add the Proofpoint Email Gateway connector as a step in FortiSOAR™ playbooks and perform automated operations such as searching for quarantined messages and performing actions on quarantined messages.
Version information
Connector Version: 1.0.0
Authored By: Community
Certified: No
Installing the connector
From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:
yum install cyops-connector-proofpoint-email-gateway
Prerequisites to configuring the connector
- You must have the URL of Proofpoint Email Gateway server to which you will connect and perform automated operations and credentials (username-password pair) to access that server.
- To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.
Configuring the connector
For the procedure to configure a connector, click here
Configuration parameters
In FortiSOAR™, on the Connectors page, click the Proofpoint Email Gateway connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
| Parameter |
Description |
| Server URL |
URL of the Proofpoint Email Gateway server to which you will connect and perform automated operations. |
| Port |
Port number used to access the Proofpoint Email Gateway server to which you will connect and perform automated operations. |
| Username |
Username used to access the Proofpoint Email Gateway server to which you will connect and perform the automated operations. |
| Password |
Password used to access the Proofpoint Email Gateway server to which you will connect and perform the automated operations. |
| Verify SSL |
Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True. |
Actions supported by the connector
The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ version 4.10.0 and onwards:
| Function |
Description |
Annotation and Category |
| Search Quarantine Messages |
Searches for quarantined messages on your Proofpoint Email Gateway server, based on input parameters, such as the email address of the sender of the message, the subject of the message, the query ID of the messager, etc, that you have specified. |
search_quarantine_messages
Investigation |
| Quarantine Message Actions |
Performs actions such as release, forward, move, etc on specified quarantine messages on your Proofpoint Email Gateway server, based on the quarantine folder, local GUID, and action specified. |
quarantine_message_actions
Investigation |
operation: Search Quarantine Messages
Input parameters
| Parameter |
Description |
| Messages |
Select multiple options based on which you want to filter quarantined messages to be retrieved from the Proofpoint Email Gateway server. You can choose from the following options: From, Receipt, or Subject.
If you choose 'From', then you must specify the following parameters:
- From: Specify the envelope address of the sender based on which you want to retrieve quarantined messages from the Proofpoint Email Gateway server.
If you choose 'Receipt', then you must specify the following parameters:
- Receipt: Specify a list of envelope addresses of the recipients based on which you want to retrieve quarantined messages from the Proofpoint Email Gateway server.
If you choose 'Subject', then you must specify the following parameters:
- Subject: Specify the subject text based on which you want to retrieve quarantined messages from the Proofpoint Email Gateway server.
|
| Query ID |
ID of the query based on which you want to retrieve quarantined messages from the Proofpoint Email Gateway server. |
| Start Date |
Start date and time from when you want to retrieve quarantined messages from the Proofpoint Email Gateway server. |
| End Date |
End date and time till when you want to retrieve quarantined messages from the Proofpoint Email Gateway server. |
| Folder |
Name of the folder from which you want to retrieve quarantined messages from the Proofpoint Email Gateway server. If you do not specify any folder name, then by default the "Quarantine" folder is set. |
| Global Unique Identifier |
Global Unique identifier of the message for which you want to retrieve raw data for a quarantined message from the Proofpoint Email Gateway server. If you specify the global unique identifier and its corresponding message is found on the Proofpoint Email Gateway server, then the response body contains the raw data of the message instead of the JSON document. |
| DLP Violation |
Retrieves DLP Violation data for the quarantined messages retrieved from the Proofpoint Email Gateway server. You can choose from the following options: Number of Smart Identifiers or Actual Smart Identifiers. |
| Message Status |
If you select this option then the quarantined messages retrieved from the Proofpoint Email Gateway server also contain the message status and comments. |
Output
The output contains the following populated JSON schema:
{
"count": "",
"records": [
{
"processingserver": "",
"date": "",
"subject": "",
"messageid": "",
"folder": "",
"size": "",
"rcpts": [],
"from": "",
"spamscore": "",
"guid": "",
"host_ip": "",
"localguid": ""
}
],
"meta": {
"fqin": "",
"queryid": "",
"query_params": {
"pretty": "",
"subject": "",
"from": ""
},
"limit": "",
"duration": ""
}
}
operation: Quarantine Message Actions
Input parameters
| Parameter |
Description |
| Action to Process the Message |
Select the action that you want to perform on the specified quarantined message on the Proofpoint Email Gateway server. You can choose from the following options: Release Message, Resubmit Message, Forward Message, Move Message, Forward Message, or Delete Message.
Note: For the 'Resubmit Message' and 'Delete Message', you do not require to provide any additional parameters.
If you choose 'Release Message', then you can specify the following parameters:
- Deleted Folder: (Optional) Folder for deleting the quarantined messages. If specified, the folder for deleted messages must be for quarantined messages of the same type of module. For example, you cannot send deleted 'Spam' messages to a folder for deleted 'DLP Incidents', and vice versa.
- Rescan: Select this option to rescan the message using the DLP and Attachment Defense filtering modules. By default, this is set to 'False'.
If you choose 'Forward Message', then you can specify the following parameters:
- Deleted Folder: (Optional) Folder for deleting the quarantined messages. If specified, the folder for deleted messages must be for quarantined messages of the same type of module. For example, you cannot send deleted 'Spam' messages to a folder for deleted 'DLP Incidents', and vice versa.
- Subject: (Optional) Subject of the message that you want to forward. The subject that you specify here will overwrite the original subject of the message.
- From: (Optional) Envelope address of the sender from whom you want to forward the message.
Note: If this is not specified, the default "From" mailer address is used.
- Header From: (Optional) 'Header From' email address based on which you want to forward the message.
Note: If this is not specified, the default "From" mailer address is used.
- To: (Optional) Comma-separated list of recipient email addresses to whom you want to forward the message.
- Comment: (Optional) Comment that you want to add to the message that you want to forward on the Proofpoint Email Gateway server.
If you choose 'Move Message', then you must specify the following parameter:
- Target Folder: Folder to which you want to move the quarantined messages. The folder for moved messages must be for quarantined messages of the same type of module. For example, you cannot send deleted 'Spam' messages to a folder for deleted 'DLP Incidents', and vice versa.
|
| Quarantine Folder |
Quarantine folder in the Proofpoint Email Gateway server on which you want to perform the specified action. |
| Local GUID |
Local GUID of the message in the Quarantine folder message in the Proofpoint Email Gateway server on which you want to perform the specified action. |
Output
The output contains a non-dictionary value.
Included playbooks
The Sample - Proofpoint Email Gateway - 1.0.0 playbook collection comes bundled with the Proofpoint Email Gateway connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Proofpoint Email Gateway connector.
- Search Quarantine Messages
- Quarantine Message Actions
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.
