Proofpoint Protection Server (Beta)

This is a beta Integration, which lets you implement and test pre-release software. Since the integration is beta, it might contain bugs. Updates to the integration during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the integration to help us identify issues, fix them, and continually improve.

Overview


Use the Proofpoint Protection Server integration to manage your email security appliances.

This integration was integrated and tested with version 8.11.12 of Proofpoint Protection Server.

Users must be assigned to the admin role to use this integration.

Use Cases


  1. Manage senders list.
  2. Run operations on emails, such as release and download.
  3. Manage quarantined messages and folders.

Configure Proofpoint Protection Server on Demisto


  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Proofpoint Protection Server.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • Server URL (e.g., https://192.168.0.1:10000)
    • Username
    • Password
    • Proofpoint Protection Server Version (e.g., 8.14.2)
    • Trust any certificate (not secure)
    • Use system proxy settings
  4. Click Test to validate the URLs, token, and connection.

Commands


You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. proofpoint-download-email
  2. proofpoint-quarantine-messages
  3. proofpoint-smart-search
  4. proofpoint-quarantine-folders
  5. proofpoint-release-email
  6. proofpoint-add-to-blocked-senders-list
  7. proofpoint-add-to-safe-senders-list
  8. proofpoint-remove-from-blocked-senders-list
  9. proofpoint-remove-from-safe-senders-list

1. proofpoint-download-email


Download email message by ID.

Base Command

proofpoint-download-email

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| message_id | Email message ID to download. | Required |

Context Output

There is no context output for this command.

Command Example

!proofpoint-download-email message_id=37b6d02m-63e0-495e-kk92-7c21511adc7a@SB2APC01FT091.outlook.com

2. proofpoint-quarantine-messages


Retrieves quarantined email messages.

Base Command

proofpoint-quarantine-messages

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| folder | Folder name to quarantine. | Optional |
| sender | Messages from sender to quarantine. | Optional |
| subject | Messages subject to quarantine. | Optional |
| recipient | Messages to recipient to quarantine. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Proofpoint.Quarantine.Message.ID | String | Message ID |
| Proofpoint.Quarantine.Message.Date | Date | Message date |
| Proofpoint.Quarantine.Message.Recipient | String | Message recipient |
| Proofpoint.Quarantine.Message.Sender | String | Message sender |
| Proofpoint.Quarantine.Message.Subject | String | Message subject |
| Proofpoint.Quarantine.Message.Folder | String | Message folder |

Command Example

!proofpoint-quarantine-messages recipient=user1@demisto.com

Context Example
{
    "Proofpoint.Quarantine.Message": {
        "ID": "37b6d02m-63e0-495e-kk92-7c21511adc7a@SB2APC01FT091.outlook.com",
        "Date": "2020-01-25 11:30:00",
        "Recipient": "user1@demisto.com",
        "Sender": "bwillis@email.com",
        "Subject": "[External] Welcome !",
        "Folder": "Inbox"
    }
}
Human Readable Output

Proofpoint Protection Server Quarantine Search Messages Results

| ID | Date | Recipient | Sender | Subject | Folder |
| --- | --- | --- | --- | --- | --- |
| 37b6d02m-63e0-495e-kk92-7c21511adc7a@SB2APC01FT091.outlook.com | 2020-01-25 11:30:00 | user1@demisto.com | bwillis@email.com | External Welcome ! | Inbox |

3. proofpoint-smart-search


Searches for emails.

Base Command

proofpoint-smart-search

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| process | Max results | Optional |
| sender | Email sender. | Optional |
| subject | Email subject. | Optional |
| recipient | Email recipient. | Optional |
| sender_hostname | Sender hostname/IP address | Optional |
| attachment | Attachment name | Optional |
| qid | QID | Optional |
| time | Time period in which the email was received. | Optional |
| message_id | Email message ID. | Optional |
| virus_name | Virus name. | Optional |
| sid | SID | Optional |
| guid | GUID | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Proofpoint.SmartSearch.SMIMERecipients | String | Search results SMIME recipients |
| Proofpoint.SmartSearch.FID | String | Search results FID |
| Proofpoint.SmartSearch.MessageID | String | Search results email message ID |
| Proofpoint.SmartSearch.Suborg | String | Search results sub organization |
| Proofpoint.SmartSearch.Agent | String | Search results email agent |
| Proofpoint.SmartSearch.AttachmentNames | String | Search results email attachment names |
| Proofpoint.SmartSearch.MoudleID | String | Search results module ID |
| Proofpoint.SmartSearch.MessageSize | String | Search results email message size |
| Proofpoint.SmartSearch.SpamScore | String | Search results email spam score |
| Proofpoint.SmartSearch.GUID | String | Search results GUID |
| Proofpoint.SmartSearch.Recipients | String | Search results send mail to |
| Proofpoint.SmartSearch.Date | String | Search results date |
| Proofpoint.SmartSearch.Sender | String | Search results email sender |
| Proofpoint.SmartSearch.Subject | String | Search results email subject |

Command Example

!proofpoint-smart-search recipient=user1@demisto.com process=100 time=Last24Hours

Context Example
{
    "Proofpoint.SmartSearch": {
        "Date": "2020-01-25 11:30:00",
        "Recipients": "user1@demisto.com",
        "Sender": "bwillis@email.com",
        "Subject": "[External] Welcome !",
        "MessageSize": "20750"
    }
}
Human Readable Output

Proofpoint Protection Server Smart Search Results

| ID | Date | Recipient | Sender | Subject | MessageSize |
| --- | --- | --- | --- | --- | --- |
| 37b6d02m-63e0-495e-kk92-7c21511adc7a@SB2APC01FT091.outlook.com | 2020-01-25 11:30:00 | user1@demisto.com | bwillis@email.com | External Welcome ! | 20750 |

4. proofpoint-quarantine-folders


Returns a list of quarantined folders.

Base Command

proofpoint-quarantine-folders

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Proofpoint.Quarantine.Folder.Name | String | Folder name |

Command Example

!proofpoint-quarantine-folders

Context Example
{
    "Proofpoint.Quarantine.Folder": [
        {"Name": "Adult"},
        {"Name": "Audit"},
        {"Name": "Blocked"},
        {"Name": "Malware"}
    ]
}
Human Readable Output

Proofpoint Protection Server Quarantine Folders

Name
Adult
Audit
Blocked
Malware

5. proofpoint-release-email


Release email with virus scan.

Base Command

proofpoint-release-email

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| message_id | Email message ID to release. | Required |
| folder | Email folder to release. | Required |

Context Output

There is no context output for this command.

Command Example

!proofpoint-release-email message_id=37b6d02m-63e0-495e-kk92-7c21511adc7a@SB2APC01FT091.outlook.com folder=Blocked

Human Readable Output

Released message 37b6d02m-63e0-495e-kk92-7c21511adc7a@SB2APC01FT091.outlook.com successfully
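
The release command needs both message_id and folder, which are the ID and Folder fields returned by proofpoint-quarantine-messages. The following is an added example, not code from the integration: a guard that turns quarantine search context into release arguments only when a local policy allows it. The function names, the never-release folder policy, the approved-sender list and the age limit are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Assumed local policy (not part of the integration): folders that are
# never released automatically, whatever the sender.
NEVER_RELEASE = {"Malware"}

def as_list(value):
    """Context may hold one message dict or a list of them."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def plan_releases(context, approved_senders, now, max_age_days=7):
    """Return (release_args, skipped) for proofpoint-release-email."""
    approved = {s.strip().lower() for s in approved_senders}
    release, skipped = [], []
    for msg in as_list(context.get("Proofpoint.Quarantine.Message")):
        mid, folder = msg.get("ID"), msg.get("Folder")
        sender = (msg.get("Sender") or "").strip().lower()
        try:
            age = now - datetime.strptime(msg.get("Date") or "", "%Y-%m-%d %H:%M:%S")
        except ValueError:
            age = None
        if not mid or not folder:
            skipped.append((mid, "missing ID or Folder"))
        elif folder in NEVER_RELEASE:
            skipped.append((mid, "folder is never auto-released"))
        elif sender not in approved:
            skipped.append((mid, "sender not approved"))
        elif age is None or age > timedelta(days=max_age_days):
            skipped.append((mid, "Date missing, unparseable or too old"))
        else:
            release.append({"message_id": mid, "folder": folder})
    return release, skipped

# Constructed sample in the shape of the Context Example for
# proofpoint-quarantine-messages; the second message is invented.
SAMPLE = {"Proofpoint.Quarantine.Message": [
    {"ID": "37b6d02m-63e0-495e-kk92-7c21511adc7a@SB2APC01FT091.outlook.com",
     "Date": "2020-01-25 11:30:00", "Recipient": "user1@demisto.com",
     "Sender": "bwillis@email.com", "Subject": "[External] Welcome !",
     "Folder": "Blocked"},
    {"ID": "constructed-0002@example.com", "Date": "2020-01-25 12:00:00",
     "Recipient": "user1@demisto.com", "Sender": "bwillis@email.com",
     "Subject": "Invoice", "Folder": "Malware"},
]}

if __name__ == "__main__":
    print(plan_releases(SAMPLE, ["bwillis@email.com"], datetime(2020, 1, 26)))
```

Each dict in the first returned list maps directly onto the two required arguments of proofpoint-release-email; the second list is what an analyst should review by hand.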

6. proofpoint-add-to-blocked-senders-list


Adds an email address to blocked senders list.

Base Command

proofpoint-add-to-blocked-senders-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| email | Email to add to blocked senders list | Required |

Context Output

There is no context output for this command.

Command Example

!proofpoint-add-to-blocked-senders-list email=bwillis@email.com

Human Readable Output

Successfully added bwillis@email.com to the Blocked Senders list

7. proofpoint-add-to-safe-senders-list


Adds an email address to safe senders list.

Base Command

proofpoint-add-to-safe-senders-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| email | Email to add to safe senders list | Required |

Context Output

There is no context output for this command.

Command Example

!proofpoint-add-to-safe-senders-list email=bwillis@email.com

Human Readable Output

Successfully added bwillis@email.com to the Safe Senders list

8. proofpoint-remove-from-blocked-senders-list


Removes an email address from blocked senders list.

Base Command

proofpoint-remove-from-blocked-senders-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| email | Email to remove from blocked senders list | Required |

Context Output

There is no context output for this command.

Command Example

!proofpoint-remove-from-blocked-senders-list email=bwillis@email.com

Human Readable Output

Successfully removed bwillis@email.com from the Blocked Senders list

9. proofpoint-remove-from-safe-senders-list


Removes an email address from safe senders list.

Base Command

proofpoint-remove-from-safe-senders-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| email | Email to remove from safe senders list | Required |

Context Output

There is no context output for this command.

Command Example

!proofpoint-remove-from-safe-senders-list email=bwillis@email.com

Human Readable Output

Successfully removed bwillis@email.com from the Safe Senders list