Proofpoint Targeted Attack Protection (TAP) stays ahead of today's attackers with an innovative approach that detects, analyzes, and blocks advanced threats before they reach your inbox.
This document provides information about the Proofpoint TAP connector, which facilitates automated interactions with a Proofpoint TAP server using FortiSOAR™ playbooks. Add the Proofpoint TAP connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving events for clicks to malicious URLs blocked in the specified time period and retrieving details of a campaign based on the specified campaign ID.
Connector Version: 1.0.2
Authored By: Community
Certified: No
The following enhancements have been made to the Proofpoint TAP connector in version 1.0.2:
From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-proofpoint-tap
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the Proofpoint TAP connector row (if you are in the Grid view on the Connectors page), and in the Configurations tab enter the required configuration details:
Parameter | Description |
---|---|
Server URL | URL of the Proofpoint TAP server to which you will connect and perform automated operations. |
Username | Username to access the Proofpoint TAP server to which you will connect and perform automated operations. |
Password | Password to access the Proofpoint TAP server to which you will connect and perform automated operations. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
Function | Description | Annotation and Category |
---|---|---|
Get Blocked Malicious URL Events | Retrieves events associated with clicks to malicious URLs that were blocked on Proofpoint TAP within the specified time period and other input parameters such as threat status, threat type, etc. | get_events Investigation |
Get Permitted Malicious URL Events | Retrieves events associated with clicks to malicious URLs that were permitted on Proofpoint TAP within the specified time period and other input parameters such as threat status, threat type, etc. | get_events Investigation |
Get Blocked Threat Message Events | Retrieves events associated with messages that contained a known threat, and were blocked on Proofpoint TAP within the specified time period and other input parameters such as threat status, threat type, etc. | get_events Investigation |
Get Delivered Threat Message Events | Retrieves events associated with messages that contained a known threat, and which were delivered within the specified time period and other input parameters such as threat status, threat type, etc. | get_events Investigation |
Get All Events | Retrieves events associated with all clicks and all messages related to known threats within the specified time period and other input parameters such as threat status, threat type, etc. | get_events Investigation |
Get Events for All Issues | Retrieves events associated with all clicks to malicious URLs and all messages delivered that contained a known threat within the specified time period and other input parameters such as threat status, threat type, etc. | get_events Investigation |
Get Campaign Details | Retrieves details of a campaign from Proofpoint TAP based on the campaign ID specified. | get_campaign_details Investigation |
Get Forensic Details | Retrieves forensic details of a campaign from Proofpoint TAP based on the threat or campaign ID specified. | get_forensic Investigation |
Input parameters for the Get Blocked Malicious URL Events operation:
Parameter | Description |
---|---|
Time Interval | Time period for which you want to fetch events associated with clicks to malicious URLs that were blocked on Proofpoint TAP. You can choose between Seconds or Time. |
Format | (Optional) Format in which you want to fetch events associated with clicks to malicious URLs that were blocked on Proofpoint TAP. You can choose between JSON or Syslog. |
Threat Type | (Optional) Type of threats based on which you want to fetch events associated with clicks to malicious URLs that were blocked on Proofpoint TAP. You can choose URL, Attachments, Message Text, or a combination of these threat types. |
Threat Status | (Optional) Status of threats based on which you want to fetch events associated with clicks to malicious URLs that were blocked on Proofpoint TAP. You can choose Active, Cleared, False Positive, or a combination of these threat statuses. |
The output contains a non-dictionary value.
Input parameters for the Get Permitted Malicious URL Events operation:
Parameter | Description |
---|---|
Time Interval | Time period for which you want to fetch events associated with clicks to malicious URLs that were permitted on Proofpoint TAP. You can choose between Seconds or Time. |
Format | (Optional) Format in which you want to fetch events associated with clicks to malicious URLs that were permitted on Proofpoint TAP. You can choose between JSON or Syslog. |
Threat Type | (Optional) Type of threats based on which you want to fetch events associated with clicks to malicious URLs that were permitted on Proofpoint TAP. You can choose URL, Attachments, Message Text, or a combination of these threat types. |
Threat Status | (Optional) Status of threats based on which you want to fetch events associated with clicks to malicious URLs that were permitted on Proofpoint TAP. You can choose Active, Cleared, False Positive, or a combination of these threat statuses. |
The output contains the following populated JSON schema:
```json
{
  "clicksPermitted": [
    {
      "campaignId": "",
      "classification": "",
      "clickIP": "",
      "clickTime": "",
      "messageID": "",
      "recipient": "",
      "sender": "",
      "senderIP": "",
      "threatID": "",
      "threatTime": "",
      "threatURL": "",
      "url": "",
      "userAgent": ""
    }
  ]
}
```
Input parameters for the Get Blocked Threat Message Events operation:
Parameter | Description |
---|---|
Time Interval | Time period for which you want to fetch events associated with messages that contain known threats and which were blocked on Proofpoint TAP. You can choose between Seconds or Time. |
Format | (Optional) Format in which you want to fetch events associated with messages that contain known threats and which were blocked on Proofpoint TAP. You can choose between JSON or Syslog. |
Threat Type | (Optional) Type of threats based on which you want to fetch events associated with messages that contain known threats and which were blocked on Proofpoint TAP. You can choose URL, Attachments, Message Text, or a combination of these threat types. |
Threat Status | (Optional) Status of threats based on which you want to fetch events associated with messages that contain known threats and which were blocked on Proofpoint TAP. You can choose Active, Cleared, False Positive, or a combination of these threat statuses. |
The output contains the following populated JSON schema:
```json
{
  "messagesBlocked": [
    {
      "ccAddresses": [],
      "fromAddress": "",
      "headerCC": "",
      "headerFrom": "",
      "headerReplyTo": "",
      "headerTo": "",
      "impostorScore": "",
      "malwareScore": "",
      "messageID": "",
      "messageParts": [
        {
          "contentType": "",
          "disposition": "",
          "filename": "",
          "md5": "",
          "oContentType": "",
          "sandboxStatus": "",
          "sha256": ""
        }
      ],
      "threatsInfoMap": [
        {
          "campaignId": "",
          "classification": "",
          "threat": "",
          "threatId": "",
          "threatTime": "",
          "threatType": "",
          "threatUrl": ""
        }
      ],
      "messageTime": "",
      "phishScore": "",
      "recipient": [],
      "replyToAddress": "",
      "sender": "",
      "senderIP": "",
      "spamScore": "",
      "subject": ""
    }
  ],
  "queryEndTime": ""
}
```
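The following is an added example, not code from the connector or from Proofpoint: it maps the Time Interval, Format, Threat Type and Threat Status inputs described in the tables above to query parameters, and reduces a result in the clicksPermitted / messagesBlocked shape shown above to what a responder acts on. The query parameter names, value spellings and the one-hour window cap are my understanding of the Proofpoint TAP SIEM API, not stated on this page; the sample events are constructed.

```python
from datetime import timedelta

# Connector multi-select labels (tables above) -> query values of the Proofpoint
# TAP SIEM API. Parameter names, value spellings and the one-hour window cap are
# my understanding of the upstream API, not stated on this page.
THREAT_TYPES = {"URL": "url", "Attachments": "attachment", "Message Text": "messageText"}
THREAT_STATUSES = {"Active": "active", "Cleared": "cleared", "False Positive": "falsePositive"}
MAX_WINDOW = timedelta(hours=1)


def build_query(interval_choice, value, fmt="JSON", threat_types=(), threat_statuses=()):
    """Map the connector's Time Interval / Format / Threat Type / Threat Status inputs
    to query parameters. 'Seconds' takes an int look-back; 'Time' takes a
    (start, end) pair of timezone-aware datetimes."""
    params = {"format": fmt.lower()}  # "json" or "syslog"
    if interval_choice == "Seconds":
        seconds = int(value)
        if not 0 < seconds <= MAX_WINDOW.total_seconds():
            raise ValueError("sinceSeconds must be between 1 and 3600")
        params["sinceSeconds"] = seconds
    elif interval_choice == "Time":
        start, end = value
        if end <= start or end - start > MAX_WINDOW:
            raise ValueError("interval must be positive and at most one hour long")
        params["interval"] = f"{start.isoformat()}/{end.isoformat()}"
    else:
        raise ValueError(f"unknown Time Interval choice: {interval_choice!r}")
    if threat_types:
        params["threatType"] = [THREAT_TYPES[t] for t in threat_types]
    if threat_statuses:
        params["threatStatus"] = [THREAT_STATUSES[s] for s in threat_statuses]
    return params


def triage(events):
    """Reduce a get_events result to what a responder acts on: permitted clicks (the
    user reached a malicious URL, so host and account need follow-up), attachment
    hashes of blocked messages (for EDR/SIEM sweeps) and each threat's threatUrl
    reference for pivoting into TAP."""
    summary = {"follow_up": [], "blocked_sha256": set(), "threat_urls": set()}
    for click in events.get("clicksPermitted", []):
        summary["follow_up"].append({k: click.get(k) for k in
                                     ("recipient", "url", "clickIP", "threatID", "clickTime")})
    for msg in events.get("messagesBlocked", []):
        for part in msg.get("messageParts", []):
            if part.get("sha256"):
                summary["blocked_sha256"].add(part["sha256"])
        for threat in msg.get("threatsInfoMap", []):
            if threat.get("threatUrl"):
                summary["threat_urls"].add(threat["threatUrl"])
    return summary


# Constructed sample in the shape of the schemas above (fields trimmed); not real TAP data.
SAMPLE_EVENTS = {
    "clicksPermitted": [{
        "classification": "phish", "clickIP": "198.51.100.7", "clickTime": "2024-01-15T10:02:11.000Z",
        "messageID": "<m1@example.test>", "recipient": "alice@example.test",
        "sender": "billing@example.test", "senderIP": "203.0.113.9", "threatID": "t-0001",
        "url": "http://login.example.invalid/verify", "userAgent": "Mozilla/5.0",
    }],
    "messagesBlocked": [{
        "fromAddress": "hr@example.test", "recipient": ["bob@example.test"], "subject": "Payslip",
        "messageParts": [{"contentType": "application/pdf", "disposition": "attached",
                          "filename": "payslip.pdf", "sandboxStatus": "threat",
                          "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}],
        "threatsInfoMap": [{"campaignId": "c-9", "classification": "malware", "threatId": "t-0002",
                            "threatType": "attachment", "threatUrl": "https://tap.example.test/threat/t-0002"}],
    }],
    "queryEndTime": "2024-01-15T10:05:00.000Z",
}
```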
Input parameters for the Get Delivered Threat Message Events operation:
Parameter | Description |
---|---|
Time Interval | Time period for which you want to fetch events associated with delivered messages that contained known threats. You can choose between Seconds or Time. |
Format | (Optional) Format in which you want to fetch events associated with delivered messages that contained known threats. You can choose between JSON or Syslog. |
Threat Type | (Optional) Type of threats based on which you want to fetch events associated with delivered messages that contained known threats. You can choose URL, Attachments, Message Text, or a combination of these threat types. |
Threat Status | (Optional) Status of threats based on which you want to fetch events associated with delivered messages that contained known threats. You can choose Active, Cleared, False Positive, or a combination of these threat statuses. |
The output contains a non-dictionary value.
Input parameters for the Get All Events operation:
Parameter | Description |
---|---|
Time Interval | Time period for which you want to fetch events associated with all clicks and all messages related to known threats on Proofpoint TAP. You can choose between Seconds or Time. |
Format | (Optional) Format in which you want to fetch events associated with all clicks and all messages related to known threats on Proofpoint TAP. You can choose between JSON or Syslog. |
Threat Type | (Optional) Type of threats based on which you want to fetch events associated with all clicks and all messages related to known threats on Proofpoint TAP. You can choose URL, Attachments, Message Text, or a combination of these threat types. |
Threat Status | (Optional) Status of threats based on which you want to fetch events associated with all clicks and all messages related to known threats on Proofpoint TAP. You can choose Active, Cleared, False Positive, or a combination of these threat statuses. |
The output contains a non-dictionary value.
Input parameters for the Get Events for All Issues operation:
Parameter | Description |
---|---|
Time Interval | Time period for which you want to fetch events associated with all clicks to malicious URLs and all messages delivered that contained a known threat. You can choose between Seconds or Time. |
Format | (Optional) Format in which you want to fetch events associated with all clicks to malicious URLs and all messages delivered that contained a known threat. You can choose between JSON or Syslog. |
Threat Type | (Optional) Type of threats based on which you want to fetch events associated with all clicks to malicious URLs and all messages delivered that contained a known threat. You can choose URL, Attachments, Message Text, or a combination of these threat types. |
Threat Status | (Optional) Status of threats based on which you want to fetch events associated with all clicks to malicious URLs and all messages delivered that contained a known threat. You can choose Active, Cleared, False Positive, or a combination of these threat statuses. |
The output contains a non-dictionary value.
Input parameters for the Get Campaign Details operation:
Parameter | Description |
---|---|
Campaign ID | ID of the campaign whose details you want to retrieve from Proofpoint TAP. |
The output contains the following populated JSON schema:
```json
{
  "name": "",
  "description": "",
  "startDate": "",
  "campaignMembers": [
    {
      "subType": "",
      "id": "",
      "type": "",
      "threat": "",
      "threatTime": ""
    }
  ],
  "actors": [
    {
      "id": "",
      "name": ""
    }
  ],
  "malware": [
    {
      "id": "",
      "name": ""
    }
  ],
  "techniques": [
    {
      "id": "",
      "name": ""
    }
  ]
}
```
Input parameters for the Get Forensic Details operation:
Parameter | Description |
---|---|
ID Type | Type of ID whose forensic details you want to retrieve from Proofpoint TAP. You can choose between Campaign ID or Threat ID. |
Value | Value of the campaign ID or threat ID whose forensic details you want to retrieve from Proofpoint TAP. |
Include Campaign Forensics | Select this option to include campaign forensics in the details that you want to retrieve from Proofpoint TAP. |
The output contains the following populated JSON schema:
```json
{
  "generated": "",
  "reports": [
    {
      "name": "",
      "scope": "",
      "type": "",
      "id": "",
      "forensics": [
        {
          "type": "",
          "display": "",
          "malicious": "",
          "time": "",
          "what": {},
          "platforms": [
            {
              "name": "",
              "os": "",
              "version": ""
            }
          ]
        }
      ]
    }
  ]
}
```
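As an added example (not code from the connector or from Proofpoint), the function below consumes a Get Forensic Details result in the schema shown above and keeps only the evidence flagged malicious, de-duplicated across reports, so a playbook can hand hostnames, file hashes and other artefacts to the matching hunt. Assumptions not stated on this page: a report's scope is "threat" or "campaign" (the latter appearing when Include Campaign Forensics is selected), malicious may arrive as a boolean or the string "true", and the keys inside what depend on the evidence type; the sample response is constructed.

```python
def malicious_evidence(forensic_response, include_campaign_scope=True):
    """Walk reports -> forensics in a Get Forensic Details result and keep only the
    evidence TAP flags as malicious, de-duplicated across reports.
    Assumptions not stated on this page: report 'scope' is "threat" or "campaign"
    (the latter present when Include Campaign Forensics is selected), 'malicious'
    may arrive as a bool or the string "true", and 'what' holds string-valued
    fields whose keys depend on the evidence 'type'."""
    seen, evidence = set(), []
    for report in forensic_response.get("reports", []):
        if not include_campaign_scope and report.get("scope") == "campaign":
            continue
        for item in report.get("forensics", []):
            flag = item.get("malicious")
            if not (flag is True or str(flag).lower() == "true"):
                continue  # benign context (e.g. a clean DNS lookup) is noise for hunting
            what = {k: v for k, v in (item.get("what") or {}).items() if isinstance(v, str)}
            key = (item.get("type"), tuple(sorted(what.items())))
            if key in seen:
                continue  # same artefact listed under both campaign and threat scope
            seen.add(key)
            evidence.append({
                "report": report.get("id"), "scope": report.get("scope"),
                "type": item.get("type"), "display": item.get("display"), "what": what,
                "platforms": [p.get("name") for p in item.get("platforms", [])],
            })
    return evidence


def by_type(evidence):
    """Group the 'what' dicts by evidence type so each can go to the matching hunt
    (file hashes to EDR, hostnames to DNS and proxy logs, and so on)."""
    grouped = {}
    for e in evidence:
        grouped.setdefault(e["type"], []).append(e["what"])
    return grouped


# Constructed sample matching the schema above; the keys inside "what" are illustrative.
SAMPLE_FORENSICS = {
    "generated": "2024-01-15T10:10:00.000Z",
    "reports": [
        {"name": "Payslip lure", "scope": "campaign", "type": "campaign", "id": "c-9",
         "forensics": [
             {"type": "dns", "display": "DNS lookup of cdn.example.invalid", "malicious": "true",
              "time": "2024-01-15T09:52:00.000Z", "what": {"host": "cdn.example.invalid"},
              "platforms": [{"name": "Win10", "os": "win", "version": "10"}]},
             {"type": "dns", "display": "DNS lookup of update.example.test", "malicious": False,
              "time": "2024-01-15T09:52:01.000Z", "what": {"host": "update.example.test"},
              "platforms": [{"name": "Win10", "os": "win", "version": "10"}]},
         ]},
        {"name": "payslip.pdf", "scope": "threat", "type": "attachment", "id": "t-0002",
         "forensics": [
             {"type": "dns", "display": "DNS lookup of cdn.example.invalid", "malicious": True,
              "time": "2024-01-15T09:52:00.000Z", "what": {"host": "cdn.example.invalid"},
              "platforms": [{"name": "Win10", "os": "win", "version": "10"}]},
             {"type": "file", "display": "Dropped file", "malicious": True,
              "time": "2024-01-15T09:53:00.000Z",
              "what": {"path": "C:\\Users\\Public\\svc.exe", "sha256": "0" * 64},
              "platforms": [{"name": "Win10", "os": "win", "version": "10"}]},
         ]},
    ],
}
```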
The Sample - Proofpoint TAP - 1.0.2 playbook collection comes bundled with the Proofpoint TAP connector. This playbook collection contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Proofpoint TAP connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted when the connector is upgraded or deleted.