Publisher: Splunk Community
Connector Version: 2.1.0
Product Vendor: Proofpoint
Product Name: Targeted Attack Protection
Product Version Supported (regex): ".*"
Minimum Product Version: 5.5.0
This App integrates with Proofpoint to implement ingestion and investigative actions
The below configuration variables are required for this Connector to operate. These variables are specified when configuring a Targeted Attack Protection asset in SOAR.
| VARIABLE | REQUIRED | TYPE | DESCRIPTION |
|---|---|---|---|
| username | required | string | Service Principal |
| password | required | password | Secret |
| initial_ingestion_window | required | numeric | How far back to search (in minutes) for first poll (maximum 60) |
| ingest_permitted_clicks | optional | boolean | Ingest Permitted Clicks |
| ingest_blocked_clicks | optional | boolean | Ingest Blocked Clicks |
| ingest_delivered_messages | optional | boolean | Ingest Delivered Messages |
| ingest_blocked_messages | optional | boolean | Ingest Blocked Messages |
test connectivity - This action runs a quick query on the server to check the connection and credentials
on poll - Callback action for the On Poll ingest functionality
get campaign data - Fetch detailed information for a given campaign (deprecated)
get campaign - Fetch detailed information for a given campaign
get forensic data - Fetch forensic information for a given threat or campaign (deprecated)
get forensic - Fetch forensic information for a given threat or campaign
decode url - Decode Proofpoint rewritten URL(s)
This action runs a quick query on the server to check the connection and credentials
Type: test
Read only: True
No parameters are required for this action
No Output
Callback action for the On Poll ingest functionality
Type: ingest
Read only: True
For the 'start_time' parameter, the default is the past 10 days and for the 'end_time' parameter, the default is now.
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| start_time | optional | Start of time range, in epoch time (milliseconds) (default is past 10 days) | numeric | |
| end_time | optional | End of time range, in epoch time (milliseconds) (default is now) | numeric | |
| container_id | optional | Matching email subject. Wildcards supported | string | |
| container_count | required | Maximum number of container records to query for | numeric | |
| artifact_count | required | Maximum number of artifact records to query for | numeric |
No Output
Fetch detailed information for a given campaign (deprecated)
Type: investigate
Read only: True
This action is deprecated due to action name change. Please use get campaign instead.
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| campaign_id | required | Proofpoint campaign ID from other Proofpoint events | string | proofpoint campaign id |
| DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
|---|---|---|---|
| action_result.parameter.campaign_id | string | proofpoint campaign id |
|
| action_result.data.*.actors.*.id | string | ||
| action_result.data.*.actors.*.name | string | ||
| action_result.data.*.campaignMembers.*.id | string | proofpoint threat id |
|
| action_result.data.*.campaignMembers.*.subType | string | ||
| action_result.data.*.campaignMembers.*.threat | string | ||
| action_result.data.*.campaignMembers.*.threatTime | string | ||
| action_result.data.*.campaignMembers.*.type | string | ||
| action_result.data.*.description | string | ||
| action_result.data.*.families.*.id | string | ||
| action_result.data.*.families.*.name | string | ||
| action_result.data.*.malware.*.id | string | ||
| action_result.data.*.malware.*.name | string | ||
| action_result.data.*.name | string | ||
| action_result.data.*.startDate | string | ||
| action_result.data.*.techniques.*.id | string | ||
| action_result.data.*.techniques.*.name | string | ||
| action_result.status | string | success failed | |
| action_result.message | string | ||
| action_result.summary | string | ||
| summary.total_objects | numeric | 1 | |
| summary.total_objects_successful | numeric | 1 |
Fetch detailed information for a given campaign
Type: investigate
Read only: True
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| campaign_id | required | Proofpoint campaign ID from other Proofpoint events | string | proofpoint campaign id |
| DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
|---|---|---|---|
| action_result.parameter.campaign_id | string | proofpoint campaign id |
|
| action_result.data.*.actors.*.id | string | ||
| action_result.data.*.actors.*.name | string | ||
| action_result.data.*.campaignMembers.*.id | string | proofpoint threat id |
|
| action_result.data.*.campaignMembers.*.subType | string | ||
| action_result.data.*.campaignMembers.*.threat | string | ||
| action_result.data.*.campaignMembers.*.threatTime | string | ||
| action_result.data.*.campaignMembers.*.type | string | ||
| action_result.data.*.description | string | ||
| action_result.data.*.families.*.id | string | ||
| action_result.data.*.families.*.name | string | ||
| action_result.data.*.malware.*.id | string | ||
| action_result.data.*.malware.*.name | string | ||
| action_result.data.*.name | string | ||
| action_result.data.*.startDate | string | ||
| action_result.data.*.techniques.*.id | string | ||
| action_result.data.*.techniques.*.name | string | ||
| action_result.status | string | success failed | |
| action_result.message | string | ||
| action_result.summary | string | ||
| summary.total_objects | numeric | 1 | |
| summary.total_objects_successful | numeric | 1 |
Fetch forensic information for a given threat or campaign (deprecated)
Type: investigate
Read only: True
This action is deprecated due to action name change. Please use get forensic instead.
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| campaign_id | optional | Proofpoint campaign ID from other Proofpoint events | string | proofpoint campaign id |
| threat_id | optional | Proofpoint threat ID from other Proofpoint events | string | proofpoint threat id |
| include_campaign_forensics | optional | Include full campaign forensic data for a threat. This value is ignored for campaign queries | boolean |
| DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
|---|---|---|---|
| action_result.parameter.campaign_id | string | proofpoint campaign id |
|
| action_result.parameter.include_campaign_forensics | boolean | ||
| action_result.parameter.threat_id | string | proofpoint threat id |
|
| action_result.data.*.generated | string | ||
| action_result.data.*.reports.*.forensics.*.display | string | ||
| action_result.data.*.reports.*.forensics.*.malicious | string | ||
| action_result.data.*.reports.*.forensics.*.platforms.*.name | string | ||
| action_result.data.*.reports.*.forensics.*.platforms.*.os | string | ||
| action_result.data.*.reports.*.forensics.*.platforms.*.version | string | ||
| action_result.data.*.reports.*.forensics.*.time | string | ||
| action_result.data.*.reports.*.forensics.*.type | string | ||
| action_result.data.*.reports.*.forensics.*.what.action | string | ||
| action_result.data.*.reports.*.forensics.*.what.blacklisted | numeric | ||
| action_result.data.*.reports.*.forensics.*.what.cnames.* | string | ||
| action_result.data.*.reports.*.forensics.*.what.domain | string | domain |
|
| action_result.data.*.reports.*.forensics.*.what.host | string | host name |
|
| action_result.data.*.reports.*.forensics.*.what.httpStatus | string | ||
| action_result.data.*.reports.*.forensics.*.what.ip | string | ip |
|
| action_result.data.*.reports.*.forensics.*.what.ips.* | string | ip |
|
| action_result.data.*.reports.*.forensics.*.what.key | string | ||
| action_result.data.*.reports.*.forensics.*.what.md5 | string | md5 |
|
| action_result.data.*.reports.*.forensics.*.what.name | string | ||
| action_result.data.*.reports.*.forensics.*.what.nameservers.* | string | ||
| action_result.data.*.reports.*.forensics.*.what.nameserversList.* | string | ||
| action_result.data.*.reports.*.forensics.*.what.offset | numeric | ||
| action_result.data.*.reports.*.forensics.*.what.path | string | ||
| action_result.data.*.reports.*.forensics.*.what.port | string | ||
| action_result.data.*.reports.*.forensics.*.what.rule | string | ||
| action_result.data.*.reports.*.forensics.*.what.sha256 | string | sha256 |
|
| action_result.data.*.reports.*.forensics.*.what.signatureId | string | ||
| action_result.data.*.reports.*.forensics.*.what.size | numeric | ||
| action_result.data.*.reports.*.forensics.*.what.type | string | ||
| action_result.data.*.reports.*.forensics.*.what.url | string | url |
|
| action_result.data.*.reports.*.forensics.*.what.value | string | ||
| action_result.data.*.reports.*.id | string | ||
| action_result.data.*.reports.*.name | string | ||
| action_result.data.*.reports.*.scope | string | ||
| action_result.data.*.reports.*.type | string | ||
| action_result.status | string | success failed | |
| action_result.message | string | ||
| action_result.summary | string | ||
| summary.total_objects | numeric | 1 | |
| summary.total_objects_successful | numeric | 1 |
Fetch forensic information for a given threat or campaign
Type: investigate
Read only: True
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| campaign_id | optional | Proofpoint campaign ID from other Proofpoint events | string | proofpoint campaign id |
| threat_id | optional | Proofpoint threat ID from other Proofpoint events | string | proofpoint threat id |
| include_campaign_forensics | optional | Include full campaign forensic data for a threat. This value is ignored for campaign queries | boolean |
| DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
|---|---|---|---|
| action_result.parameter.campaign_id | string | proofpoint campaign id |
|
| action_result.parameter.include_campaign_forensics | boolean | ||
| action_result.parameter.threat_id | string | proofpoint threat id |
|
| action_result.data.*.generated | string | ||
| action_result.data.*.reports.*.forensics.*.display | string | ||
| action_result.data.*.reports.*.forensics.*.malicious | string | ||
| action_result.data.*.reports.*.forensics.*.platforms.*.name | string | ||
| action_result.data.*.reports.*.forensics.*.platforms.*.os | string | ||
| action_result.data.*.reports.*.forensics.*.platforms.*.version | string | ||
| action_result.data.*.reports.*.forensics.*.time | string | ||
| action_result.data.*.reports.*.forensics.*.type | string | ||
| action_result.data.*.reports.*.forensics.*.what.action | string | ||
| action_result.data.*.reports.*.forensics.*.what.blacklisted | numeric | ||
| action_result.data.*.reports.*.forensics.*.what.cnames.* | string | ||
| action_result.data.*.reports.*.forensics.*.what.domain | string | domain |
|
| action_result.data.*.reports.*.forensics.*.what.host | string | host name |
|
| action_result.data.*.reports.*.forensics.*.what.httpStatus | string | ||
| action_result.data.*.reports.*.forensics.*.what.ip | string | ip |
|
| action_result.data.*.reports.*.forensics.*.what.ips.* | string | ip |
|
| action_result.data.*.reports.*.forensics.*.what.key | string | ||
| action_result.data.*.reports.*.forensics.*.what.md5 | string | md5 |
|
| action_result.data.*.reports.*.forensics.*.what.name | string | ||
| action_result.data.*.reports.*.forensics.*.what.nameservers.* | string | ||
| action_result.data.*.reports.*.forensics.*.what.nameserversList.* | string | ||
| action_result.data.*.reports.*.forensics.*.what.offset | numeric | ||
| action_result.data.*.reports.*.forensics.*.what.path | string | ||
| action_result.data.*.reports.*.forensics.*.what.port | string | ||
| action_result.data.*.reports.*.forensics.*.what.rule | string | ||
| action_result.data.*.reports.*.forensics.*.what.sha256 | string | sha256 |
|
| action_result.data.*.reports.*.forensics.*.what.signatureId | string | ||
| action_result.data.*.reports.*.forensics.*.what.size | numeric | ||
| action_result.data.*.reports.*.forensics.*.what.type | string | ||
| action_result.data.*.reports.*.forensics.*.what.url | string | url |
|
| action_result.data.*.reports.*.forensics.*.what.value | string | ||
| action_result.data.*.reports.*.id | string | ||
| action_result.data.*.reports.*.name | string | ||
| action_result.data.*.reports.*.scope | string | ||
| action_result.data.*.reports.*.type | string | ||
| action_result.status | string | success failed | |
| action_result.message | string | ||
| action_result.summary | string | ||
| summary.total_objects | numeric | 1 | |
| summary.total_objects_successful | numeric | 1 |
Decode Proofpoint rewritten URL(s)
Type: generic
Read only: False
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| url | required | List of URL(s) to decode, comma separated | string |
| DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
|---|---|---|---|
| action_result.parameter.url | string | ||
| action_result.data.*.urls.*.clusterName | string | ||
| action_result.data.*.urls.*.decodedUrl | string | url |
|
| action_result.data.*.urls.*.encodedUrl | string | url |
|
| action_result.data.*.urls.*.error | string | ||
| action_result.data.*.urls.*.messageGuid | string | ||
| action_result.data.*.urls.*.recipientEmail | string | ||
| action_result.data.*.urls.*.success | boolean | ||
| action_result.status | string | success failed | |
| action_result.message | string | ||
| action_result.summary | string | ||
| summary.total_objects | numeric | 1 | |
| summary.total_objects_successful | numeric | 1 |