Proofpoint TAP v2

Use the Proofpoint Targeted Attack Protection (TAP) integration to protect against and provide additional visibility into phishing and other malicious email attacks. This integration was integrated and tested with version xx of Proofpoint TAP v2

Detailed Description

Configure an API account

To configure an instance of the integration in Demisto, you need to supply your Service Principal and Service Secret. When you configure the integration instance, enter the Service Principal in the Service Principal field, and the Service Secret in the Password field.

  1. Log in to your Proofpoint TAP environment.
  2. Navigate to Connect Applications > Service Credentials.

Fetch Incidents

Populate this section with Fetch incidents data

Configure Proofpoint TAP v2 on Demisto

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Proofpoint TAP v2.
  3. Click Add instance to create and configure a new integration instance.
    • Name : a textual name for the integration instance.
    • Server URL (e.g., https://tap-api-v2.proofpoint.com)
    • Service Principal (enter the Service Secret in the Password field)
    • API Version
    • Trust any certificate (not secure)
    • Use system proxy settings
    • A string specifying which threat type to return. If empty, all threat types are returned. Can be "url", "attachment", or "messageText".
    • A string specifying which threat statuses to return. If empty, will return "active" and "cleared" threats.
    • Events to fetch
    • First fetch time range (
    • Fetch incidents
    • Incident type
  4. Click Test to validate the new instance.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. proofpoint-get-events: fetches click and message events relating to known threats within a time period.
  2. proofpoint-get-forensics: gets forensic evidence for a threat or campaign.

1. proofpoint-get-events

Fetches events for all clicks and messages relating to known threats within the specified time period. The result covers the four event types clicksBlocked, clicksPermitted, messagesBlocked and messagesDelivered.

Base Command

proofpoint-get-events

Input
Argument Name Description Required
interval A string containing an ISO8601-formatted interval. If this interval overlaps with previous requests for data, records from the previous request might be duplicated. The minimum interval is thirty seconds. The maximum interval is one hour. Optional
  Examples:
  2016-05-01T12:00:00Z/2016-05-01T13:00:00Z - an hour interval, beginning at noon UTC on 05-01-2016
  PT30M/2016-05-01T12:30:00Z - the thirty minutes beginning at noon UTC on 05-01-2016 and ending at 12:30pm UTC
  2016-05-01T05:00:00-0700/PT30M - the same interval as above, but using -0700 as the time zone
threatType A string specifying which threat type to return. If empty, all threat types are returned. The following values are accepted: url, attachment, messageText Optional
threatStatus A string specifying which threat statuses to return. If empty, active and cleared threats are returned. Can be "active", "cleared", "falsePositive". Optional
sinceTime A string containing an ISO8601 date. It represents the start of the data retrieval period. The end of the period is determined by the current API server time rounded to the nearest minute. If JSON output is selected, the end time is included in the returned result. Example: 2016-05-01T12:00:00Z Optional
sinceSeconds An integer representing a time window (in seconds) from the current API server time. The start of the window is the current API server time, rounded to the nearest minute, less the number of seconds provided. The end of the window is the current API server time rounded to the nearest minute. If JSON output is selected, the end time is included in the returned result. Optional
eventTypes Event types to return. Optional
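The three interval forms above, with the thirty-second minimum and one-hour maximum, as an added example that is not the integration's own code: a validator for the interval argument, plus a helper that splits a longer first-fetch window into API-sized intervals. Assumes Python 3.7+; the function names are my own.

```python
import re
from datetime import datetime, timedelta, timezone

# Bounds documented for the interval argument of proofpoint-get-events.
MIN_INTERVAL = timedelta(seconds=30)
MAX_INTERVAL = timedelta(hours=1)

_DURATION_RE = re.compile(
    r"^P(?:(?P<days>\d+)D)?"
    r"(?:T(?:(?P<hours>\d+)H)?(?:(?P<minutes>\d+)M)?(?:(?P<seconds>\d+)S)?)?$"
)


def parse_duration(text):
    """Parse an ISO 8601 duration such as PT30M or PT1H into a timedelta."""
    m = _DURATION_RE.match(text)
    if not m or text in ("P", "PT"):
        raise ValueError(f"invalid ISO 8601 duration: {text!r}")
    return timedelta(**{k: int(v) for k, v in m.groupdict().items() if v})


def parse_timestamp(text):
    """Parse an ISO 8601 timestamp into an aware datetime.
    Accepts a trailing Z and compact offsets such as -0700 (as in the API examples)."""
    text = text.strip()
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    text = re.sub(r"([+-]\d{2})(\d{2})$", r"\1:\2", text)  # -0700 -> -07:00
    dt = datetime.fromisoformat(text)
    if dt.tzinfo is None:
        raise ValueError(f"timestamp needs a time zone: {text!r}")
    return dt


def parse_interval(interval):
    """Resolve the three documented forms (start/end, duration/end, start/duration)
    to a (start, end) pair of aware datetimes."""
    if interval.count("/") != 1:
        raise ValueError("interval must be two parts separated by '/'")
    left, right = (p.strip() for p in interval.split("/"))
    if left.startswith("P") and right.startswith("P"):
        raise ValueError("at most one side of the interval may be a duration")
    if left.startswith("P"):
        end = parse_timestamp(right)
        return end - parse_duration(left), end
    if right.startswith("P"):
        start = parse_timestamp(left)
        return start, start + parse_duration(right)
    return parse_timestamp(left), parse_timestamp(right)


def check_interval(interval):
    """Reject intervals outside the documented 30 s .. 1 h bounds; return the span in seconds."""
    start, end = parse_interval(interval)
    span = end - start
    if span < MIN_INTERVAL:
        raise ValueError(f"interval shorter than thirty seconds: {interval}")
    if span > MAX_INTERVAL:
        raise ValueError(f"interval longer than one hour: {interval}")
    return int(span.total_seconds())


def _fmt(dt):
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def backfill_intervals(start_text, end_text):
    """Split a window longer than one hour (e.g. a first-fetch lookback) into
    consecutive interval strings the API accepts. A final remainder shorter than
    thirty seconds is widened to thirty seconds; since overlapping requests may
    return duplicate records, callers should dedupe results on GUID."""
    start, end = parse_timestamp(start_text), parse_timestamp(end_text)
    if end <= start:
        raise ValueError("end must be after start")
    chunks, cur = [], start
    while cur < end:
        nxt = min(cur + MAX_INTERVAL, end)
        if nxt - cur < MIN_INTERVAL:
            nxt = cur + MIN_INTERVAL
        chunks.append(f"{_fmt(cur)}/{_fmt(nxt)}")
        cur = nxt
    return chunks
```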

Context Output
Path Type Description
Proofpoint.MessagesDelivered.GUID String The ID of the message within PPS. It can be used to identify the message in PPS and is guaranteed to be unique.
Proofpoint.MessagesDelivered.QID String The queue ID of the message within PPS. It can be used to identify the message in PPS and is not unique.
Proofpoint.MessagesDelivered.ccAddresses String A list of email addresses contained within the CC: header, excluding friendly names.
Proofpoint.MessagesDelivered.clusterId String The name of the PPS cluster which processed the message.
Proofpoint.MessagesDelivered.fromAddress String The email address contained in the From: header, excluding friendly name.
Proofpoint.MessagesDelivered.headerCC String The full content of the CC: header, including any friendly names.
Proofpoint.MessagesDelivered.headerFrom String The full content of the From: header, including any friendly name.
Proofpoint.MessagesDelivered.headerReplyTo String If present, the full content of the Reply-To: header, including any friendly names.
Proofpoint.MessagesDelivered.impostorScore Number The impostor score of the message. Higher scores indicate higher certainty.
Proofpoint.MessagesDelivered.malwareScore Number The malware score of the message. Higher scores indicate higher certainty.
Proofpoint.MessagesDelivered.messageId String Message-ID extracted from the headers of the email message. It can be used to look up the associated message in PPS and is not unique.
Proofpoint.MessagesDelivered.threatsInfoMap.threat String The artifact which was condemned by Proofpoint. The malicious URL, hash of the attachment threat, or email address of the impostor sender.
Proofpoint.MessagesDelivered.threatsInfoMap.threatId String The unique identifier associated with this threat. It can be used to query the forensics and campaign endpoints.
Proofpoint.MessagesDelivered.threatsInfoMap.threatStatus String The current state of the threat (active, expired, falsepositive, cleared).
Proofpoint.MessagesDelivered.threatsInfoMap.threatTime Date Proofpoint assigned the threatStatus at this time (ISO8601 format).
Proofpoint.MessagesDelivered.threatsInfoMap.threatType String Whether the threat was an attachment, URL, or message type.
Proofpoint.MessagesDelivered.threatsInfoMap.threatUrl String A link to the entry about the threat on the TAP Dashboard.
Proofpoint.MessagesDelivered.messageTime Date When the message was delivered to the user or quarantined by PPS.
Proofpoint.MessagesDelivered.modulesRun String The list of PPS modules which processed the message.
Proofpoint.MessagesDelivered.phishScore Number The phish score of the message. Higher scores indicate higher certainty.
Proofpoint.MessagesDelivered.policyRoutes String The policy routes that the message matched during processing by PPS.
Proofpoint.MessagesDelivered.quarantineFolder String The name of the folder which contains the quarantined message. This appears only for messagesBlocked.
Proofpoint.MessagesDelivered.quarantineRule String The name of the rule which quarantined the message. This appears only for messagesBlocked events.
Proofpoint.MessagesDelivered.recipient String A list containing the email addresses of the recipients.
Proofpoint.MessagesDelivered.replyToAddress String The email address contained in the Reply-To: header, excluding friendly name.
Proofpoint.MessagesDelivered.sender String The email address of the SMTP (envelope) sender. The user-part is hashed. The domain-part is cleartext.
Proofpoint.MessagesDelivered.senderIP String The IP address of the sender.
Proofpoint.MessagesDelivered.spamScore Number The spam score of the message. Higher scores indicate higher certainty.
Proofpoint.MessagesDelivered.subject String The subject line of the message, if available.
Proofpoint.MessagesBlocked.GUID String The ID of the message within PPS. It can be used to identify the message in PPS and is guaranteed to be unique.
Proofpoint.MessagesBlocked.QID String The queue ID of the message within PPS. It can be used to identify the message in PPS and is not unique.
Proofpoint.MessagesBlocked.ccAddresses String A list of email addresses contained within the CC: header, excluding friendly names.
Proofpoint.MessagesBlocked.clusterId String The name of the PPS cluster which processed the message.
Proofpoint.MessagesBlocked.fromAddress String The email address contained in the From: header, excluding friendly name.
Proofpoint.MessagesBlocked.headerCC String The full content of the CC: header, including any friendly names.
Proofpoint.MessagesBlocked.headerFrom String The full content of the From: header, including any friendly name.
Proofpoint.MessagesBlocked.headerReplyTo String If present, the full content of the Reply-To: header, including any friendly names.
Proofpoint.MessagesBlocked.impostorScore Number The impostor score of the message. Higher scores indicate higher certainty.
Proofpoint.MessagesBlocked.malwareScore Number The malware score of the message. Higher scores indicate higher certainty.
Proofpoint.MessagesBlocked.messageId String Message-ID extracted from the headers of the email message. It can be used to look up the associated message in PPS and is not unique.
Proofpoint.MessagesBlocked.threatsInfoMap.threat String The artifact which was condemned by Proofpoint. The malicious URL, hash of the attachment threat, or email address of the impostor sender.
Proofpoint.MessagesBlocked.threatsInfoMap.threatId String The unique identifier associated with this threat. It can be used to query the forensics and campaign endpoints.
Proofpoint.MessagesBlocked.threatsInfoMap.threatStatus String The current state of the threat (active, expired, falsepositive, cleared).
Proofpoint.MessagesBlocked.threatsInfoMap.threatTime Date Proofpoint assigned the threatStatus at this time (ISO8601 format).
Proofpoint.MessagesBlocked.threatsInfoMap.threatType String Whether the threat was an attachment, URL, or message type.
Proofpoint.MessagesBlocked.threatsInfoMap.threatUrl String A link to the entry about the threat on the TAP Dashboard.
Proofpoint.MessagesBlocked.messageTime Date When the message was blocked or quarantined by PPS.
Proofpoint.MessagesBlocked.modulesRun String The list of PPS modules which processed the message.
Proofpoint.MessagesBlocked.phishScore Number The phish score of the message. Higher scores indicate higher certainty.
Proofpoint.MessagesBlocked.policyRoutes String The policy routes that the message matched during processing by PPS.
Proofpoint.MessagesBlocked.quarantineFolder String The name of the folder which contains the quarantined message. This appears only for messagesBlocked.
Proofpoint.MessagesBlocked.quarantineRule String The name of the rule which quarantined the message. This appears only for messagesBlocked events.
Proofpoint.MessagesBlocked.recipient String A list containing the email addresses of the recipients.
Proofpoint.MessagesBlocked.replyToAddress String The email address contained in the Reply-To: header, excluding friendly name.
Proofpoint.MessagesBlocked.sender String The email address of the SMTP (envelope) sender. The user-part is hashed. The domain-part is cleartext.
Proofpoint.MessagesBlocked.senderIP String The IP address of the sender.
Proofpoint.MessagesBlocked.spamScore Number The spam score of the message. Higher scores indicate higher certainty.
Proofpoint.MessagesBlocked.subject String The subject line of the message, if available.
Proofpoint.ClicksPermitted.GUID String The ID of the message within PPS. It can be used to identify the message in PPS and is guaranteed to be unique.
Proofpoint.ClicksPermitted.campaignId String An identifier for the campaign of which the threat is a member, if available at the time of the query. Threats can be linked to campaigns even after these events are retrieved.
Proofpoint.ClicksPermitted.classification String The threat category of the malicious URL.
Proofpoint.ClicksPermitted.clickIP String The external IP address of the user who clicked on the link. If the user is behind a firewall performing network address translation, the IP address of the firewall will be shown.
Proofpoint.ClicksPermitted.clickTime Date The time the user clicked on the URL.
Proofpoint.ClicksPermitted.messageID String Message-ID extracted from the headers of the email message. It can be used to look up the associated message in PPS and is not unique.
Proofpoint.ClicksPermitted.recipient String The email address of the recipient.
Proofpoint.ClicksPermitted.sender String The email address of the sender. The user-part is hashed. The domain-part is cleartext.
Proofpoint.ClicksPermitted.senderIP String The IP address of the sender.
Proofpoint.ClicksPermitted.threatID String The unique identifier associated with this threat. It can be used to query the forensics and campaign endpoints.
Proofpoint.ClicksPermitted.threatTime Date Proofpoint identified the URL as a threat at this time.
Proofpoint.ClicksPermitted.threatURL String A link to the entry on the TAP Dashboard for the particular threat.
Proofpoint.ClicksPermitted.url String The malicious URL which was clicked.
Proofpoint.ClicksPermitted.userAgent String The User-Agent header from the clicker's HTTP request.
Proofpoint.ClicksBlocked.GUID String The ID of the message within PPS. It can be used to identify the message in PPS and is guaranteed to be unique.
Proofpoint.ClicksBlocked.campaignId String An identifier for the campaign of which the threat is a member, if available at the time of the query. Threats can be linked to campaigns even after these events are retrieved.
Proofpoint.ClicksBlocked.classification String The threat category of the malicious URL.
Proofpoint.ClicksBlocked.clickIP String The external IP address of the user who clicked on the link. If the user is behind a firewall performing network address translation, the IP address of the firewall will be shown.
Proofpoint.ClicksBlocked.clickTime Date The time the user clicked on the URL.
Proofpoint.ClicksBlocked.messageID String Message-ID extracted from the headers of the email message. It can be used to look up the associated message in PPS and is not unique.
Proofpoint.ClicksBlocked.recipient String The email address of the recipient.
Proofpoint.ClicksBlocked.sender String The email address of the sender. The user-part is hashed. The domain-part is cleartext.
Proofpoint.ClicksBlocked.senderIP String The IP address of the sender.
Proofpoint.ClicksBlocked.threatID String The unique identifier associated with this threat. It can be used to query the forensics and campaign endpoints.
Proofpoint.ClicksBlocked.threatTime Date Proofpoint identified the URL as a threat at this time.
Proofpoint.ClicksBlocked.threatURL String A link to the entry on the TAP Dashboard for the particular threat.
Proofpoint.ClicksBlocked.url String The malicious URL which was clicked.
Proofpoint.ClicksBlocked.userAgent String The User-Agent header from the clicker's HTTP request.

Command Example

!proofpoint-get-events eventTypes=All threatStatus=active interval=PT30M/2016-05-01T12:30:00Z

Context Example
{
    "Proofpoint.ClicksBlocked": [
        {
            "campaignId": "46e01b8a-c899-404d-bcd9-189bb393d1a7",
            "classification": "MALWARE",
            "clickIP": "192.0.2.2",
            "clickTime": "2010-01-22T00:00:10.000Z",
            "messageID": "4444",
            "recipient": "bruce.wayne@pharmtech.zz",
            "sender": "9facbf452def2d7efc5b5c48cdb837fa@badguy.zz",
            "senderIP": "192.0.2.255",
            "threatID": "61f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50",
            "threatTime": "2010-01-22T00:00:20.000Z",
            "threatURL": "https://threatinsight.proofpoint.com/#/f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50",
            "url": "http://badguy.zz/",
            "userAgent": "Mozilla/5.0(WindowsNT6.1;WOW64;rv:27.0)Gecko/20100101Firefox/27.0"
        }
    ],
    "Proofpoint.ClicksPermitted": [
        {
            "campaignId": "46e01b8a-c899-404d-bcd9-189bb393d1a7",
            "classification": "MALWARE",
            "clickIP": "192.0.2.1",
            "clickTime": "2010-01-11T00:00:20.000Z",
            "messageID": "3333",
            "recipient": "bruce.wayne@pharmtech.zz",
            "sender": "9facbf452def2d7efc5b5c48cdb837fa@badguy.zz",
            "senderIP": "192.0.2.255",
            "threatID": "61f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50",
            "threatTime": "2010-01-11T00:00:10.000Z",
            "threatURL": "https://threatinsight.proofpoint.com/#/f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50",
            "url": "http://badguy.zz/",
            "userAgent": "Mozilla/5.0(WindowsNT6.1;WOW64;rv:27.0)Gecko/20100101Firefox/27.0"
        }
    ],
    "Proofpoint.MessagesBlocked": [
        {
            "GUID": "2222",
            "QID": "r2FNwRHF004109",
            "ccAddresses": [
                "bruce.wayne@university-of-education.zz"
            ],
            "clusterId": "pharmtech_hosted",
            "fromAddress": "badguy@evil.zz",
            "headerCC": "\"Bruce Wayne\" ",
            "headerFrom": "\"A. Badguy\" ",
            "headerReplyTo": null,
            "headerTo": "\"Clark Kent\" ; \"Diana Prince\" ",
            "impostorScore": 0,
            "malwareScore": 100,
            "messageID": "2222@evil.zz",
            "messageTime": "2010-01-25T00:00:10.000Z",
            "modulesRun": [
                "pdr",
                "sandbox",
                "spam",
                "urldefense"
            ],
            "phishScore": 46,
            "policyRoutes": [
                "default_inbound",
                "executives"
            ],
            "quarantineFolder": "Attachment Defense",
            "quarantineRule": "module.sandbox.threat",
            "recipient": [
                "clark.kent@pharmtech.zz",
                "diana.prince@pharmtech.zz"
            ],
            "replyToAddress": null,
            "sender": "e99d7ed5580193f36a51f597bc2c0210@evil.zz",
            "senderIP": "192.0.2.255",
            "spamScore": 4,
            "subject": "Please find a totally safe invoice attached.",
            "threatsInfoMap": [
                {
                    "campaignId": "46e01b8a-c899-404d-bcd9-189bb393d1a7",
                    "classification": "MALWARE",
                    "threat": "2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca",
                    "threatId": "2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca",
                    "threatStatus": "active",
                    "threatTime": "2010-01-25T00:00:40.000Z",
                    "threatType": "ATTACHMENT",
                    "threatUrl": "https://threatinsight.proofpoint.com/43fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca"
                },
                {
                    "campaignId": "46e01b8a-c899-404d-bcd9-189bb393d1a7",
                    "classification": "MALWARE",
                    "threat": "badsite.zz",
                    "threatId": "3ba97fc852c66a7ba761450edfdfb9f4ffab74715b591294f78b5e37a76481aa",
                    "threatTime": "2010-01-25T00:00:30.000Z",
                    "threatType": "URL",
                    "threatUrl": "https://threatinsight.proofpoint.com/a7ba761450edfdfb9f4ffab74715b591294f78b5e37a76481aa"
                }
            ]
        }
    ],
    "Proofpoint.MessagesDelivered": [
        {
            "GUID": "1111",
            "QID": "r2FNwRHF004109",
            "ccAddresses": [
                "bruce.wayne@university-of-education.zz"
            ],
            "clusterId": "pharmtech_hosted",
            "fromAddress": "badguy@evil.zz",
            "headerCC": "\"Bruce Wayne\" ",
            "headerFrom": "\"A. Badguy\" ",
            "headerReplyTo": null,
            "headerTo": "\"Clark Kent\" ; \"Diana Prince\" ",
            "impostorScore": 0,
            "malwareScore": 100,
            "messageID": "1111@evil.zz",
            "messageTime": "2010-01-30T00:00:59.000Z",
            "modulesRun": [
                "pdr",
                "sandbox",
                "spam",
                "urldefense"
            ],
            "phishScore": 46,
            "policyRoutes": [
                "default_inbound",
                "executives"
            ],
            "quarantineFolder": "Attachment Defense",
            "quarantineRule": "module.sandbox.threat",
            "recipient": [
                "clark.kent@pharmtech.zz",
                "diana.prince@pharmtech.zz"
            ],
            "replyToAddress": null,
            "sender": "e99d7ed5580193f36a51f597bc2c0210@evil.zz",
            "senderIP": "192.0.2.255",
            "spamScore": 4,
            "subject": "Please find a totally safe invoice attached.",
            "threatsInfoMap": [
                {
                    "campaignId": "46e01b8a-c899-404d-bcd9-189bb393d1a7",
                    "classification": "MALWARE",
                    "threat": "2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca",
                    "threatId": "2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca",
                    "threatStatus": "active",
                    "threatTime": "2010-01-30T00:00:40.000Z",
                    "threatType": "ATTACHMENT",
                    "threatUrl": "https://threatinsight.proofpoint.com/43fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca"
                },
                {
                    "campaignId": "46e01b8a-c899-404d-bcd9-189bb393d1a7",
                    "classification": "MALWARE",
                    "threat": "badsite.zz",
                    "threatId": "3ba97fc852c66a7ba761450edfdfb9f4ffab74715b591294f78b5e37a76481aa",
                    "threatTime": "2010-01-30T00:00:30.000Z",
                    "threatType": "URL",
                    "threatUrl": "https://threatinsight.proofpoint.com/a7ba761450edfdfb9f4ffab74715b591294f78b5e37a76481aa"
                }
            ]
        }
    ]
}
Human Readable Output

Proofpoint Events

clicksBlocked: {'campaignId': '46e01b8a-c899-404d-bcd9-189bb393d1a7', 'classification': 'MALWARE', 'clickIP': '192.0.2.2', 'clickTime': '2010-01-22T00:00:10.000Z', 'messageID': '4444', 'recipient': 'bruce.wayne@pharmtech.zz', 'sender': '9facbf452def2d7efc5b5c48cdb837fa@badguy.zz', 'senderIP': '192.0.2.255', 'threatID': '61f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50', 'threatTime': '2010-01-22T00:00:20.000Z', 'threatURL': 'https://threatinsight.proofpoint.com/#/f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50', 'url': 'http://badguy.zz/', 'userAgent': 'Mozilla/5.0(WindowsNT6.1;WOW64;rv:27.0)Gecko/20100101Firefox/27.0'}

clicksPermitted: {'campaignId': '46e01b8a-c899-404d-bcd9-189bb393d1a7', 'classification': 'MALWARE', 'clickIP': '192.0.2.1', 'clickTime': '2010-01-11T00:00:20.000Z', 'messageID': '3333', 'recipient': 'bruce.wayne@pharmtech.zz', 'sender': '9facbf452def2d7efc5b5c48cdb837fa@badguy.zz', 'senderIP': '192.0.2.255', 'threatID': '61f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50', 'threatTime': '2010-01-11T00:00:10.000Z', 'threatURL': 'https://threatinsight.proofpoint.com/#/f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50', 'url': 'http://badguy.zz/', 'userAgent': 'Mozilla/5.0(WindowsNT6.1;WOW64;rv:27.0)Gecko/20100101Firefox/27.0'}

messagesBlocked: {'GUID': '2222', 'QID': 'r2FNwRHF004109', 'ccAddresses': ['bruce.wayne@university-of-education.zz'], 'clusterId': 'pharmtech_hosted', 'fromAddress': 'badguy@evil.zz', 'headerCC': '"Bruce Wayne" ', 'headerFrom': '"A. Badguy" ', 'headerReplyTo': None, 'headerTo': '"Clark Kent" ; "Diana Prince" ', 'impostorScore': 0, 'malwareScore': 100, 'messageID': '2222@evil.zz', 'threatsInfoMap': [{'campaignId': '46e01b8a-c899-404d-bcd9-189bb393d1a7', 'classification': 'MALWARE', 'threat': '2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca', 'threatId': '2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca', 'threatStatus': 'active', 'threatTime': '2010-01-25T00:00:40.000Z', 'threatType': 'ATTACHMENT', 'threatUrl': 'https://threatinsight.proofpoint.com/43fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca'}, {'campaignId': '46e01b8a-c899-404d-bcd9-189bb393d1a7', 'classification': 'MALWARE', 'threat': 'badsite.zz', 'threatId': '3ba97fc852c66a7ba761450edfdfb9f4ffab74715b591294f78b5e37a76481aa', 'threatTime': '2010-01-25T00:00:30.000Z', 'threatType': 'URL', 'threatUrl': 'https://threatinsight.proofpoint.com/a7ba761450edfdfb9f4ffab74715b591294f78b5e37a76481aa'}], 'messageTime': '2010-01-25T00:00:10.000Z', 'modulesRun': ['pdr', 'sandbox', 'spam', 'urldefense'], 'phishScore': 46, 'policyRoutes': ['default_inbound', 'executives'], 'quarantineFolder': 'Attachment Defense', 'quarantineRule': 'module.sandbox.threat', 'recipient': ['clark.kent@pharmtech.zz', 'diana.prince@pharmtech.zz'], 'replyToAddress': None, 'sender': 'e99d7ed5580193f36a51f597bc2c0210@evil.zz', 'senderIP': '192.0.2.255', 'spamScore': 4, 'subject': 'Please find a totally safe invoice attached.'}

messagesDelivered: {'GUID': '1111', 'QID': 'r2FNwRHF004109', 'ccAddresses': ['bruce.wayne@university-of-education.zz'], 'clusterId': 'pharmtech_hosted', 'fromAddress': 'badguy@evil.zz', 'headerCC': '"Bruce Wayne" ', 'headerFrom': '"A. Badguy" ', 'headerReplyTo': None, 'headerTo': '"Clark Kent" ; "Diana Prince" ', 'impostorScore': 0, 'malwareScore': 100, 'messageID': '1111@evil.zz', 'threatsInfoMap': [{'campaignId': '46e01b8a-c899-404d-bcd9-189bb393d1a7', 'classification': 'MALWARE', 'threat': '2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca', 'threatId': '2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca', 'threatStatus': 'active', 'threatTime': '2010-01-30T00:00:40.000Z', 'threatType': 'ATTACHMENT', 'threatUrl': 'https://threatinsight.proofpoint.com/43fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca'}, {'campaignId': '46e01b8a-c899-404d-bcd9-189bb393d1a7', 'classification': 'MALWARE', 'threat': 'badsite.zz', 'threatId': '3ba97fc852c66a7ba761450edfdfb9f4ffab74715b591294f78b5e37a76481aa', 'threatTime': '2010-01-30T00:00:30.000Z', 'threatType': 'URL', 'threatUrl': 'https://threatinsight.proofpoint.com/a7ba761450edfdfb9f4ffab74715b591294f78b5e37a76481aa'}], 'messageTime': '2010-01-30T00:00:59.000Z', 'modulesRun': ['pdr', 'sandbox', 'spam', 'urldefense'], 'phishScore': 46, 'policyRoutes': ['default_inbound', 'executives'], 'quarantineFolder': 'Attachment Defense', 'quarantineRule': 'module.sandbox.threat', 'recipient': ['clark.kent@pharmtech.zz', 'diana.prince@pharmtech.zz'], 'replyToAddress': None, 'sender': 'e99d7ed5580193f36a51f597bc2c0210@evil.zz', 'senderIP': '192.0.2.255', 'spamScore': 4, 'subject': 'Please find a totally safe invoice attached.'}
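An added example, not part of the integration or its documentation: triage of an events payload in the shape shown above (the four buckets clicksPermitted, clicksBlocked, messagesDelivered, messagesBlocked). It ranks permitted clicks and delivered mail with still-live threats ahead of anything PPS already blocked, and collects the threatIds to pass to proofpoint-get-forensics. The sample payload is constructed from the Context Example on this page; function names and the severity scheme are my own.

```python
from datetime import datetime

# Constructed sample, trimmed from the Context Example above; field names follow
# the page's Context Output tables.
SAMPLE_EVENTS = {
    "clicksPermitted": [{
        "messageID": "3333", "recipient": "bruce.wayne@pharmtech.zz",
        "url": "http://badguy.zz/", "classification": "MALWARE",
        "threatID": "61f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50",
        "clickTime": "2010-01-11T00:00:20.000Z", "threatTime": "2010-01-11T00:00:10.000Z",
    }],
    "clicksBlocked": [{
        "messageID": "4444", "recipient": "bruce.wayne@pharmtech.zz",
        "url": "http://badguy.zz/", "classification": "MALWARE",
        "threatID": "61f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50",
        "clickTime": "2010-01-22T00:00:10.000Z", "threatTime": "2010-01-22T00:00:20.000Z",
    }],
    "messagesDelivered": [{
        "GUID": "1111", "subject": "Please find a totally safe invoice attached.",
        "recipient": ["clark.kent@pharmtech.zz", "diana.prince@pharmtech.zz"],
        "threatsInfoMap": [
            {"threat": "2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca",
             "threatId": "2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca",
             "threatStatus": "active", "threatType": "ATTACHMENT"},
            # The URL threat in the sample carries no threatStatus at all.
            {"threat": "badsite.zz",
             "threatId": "3ba97fc852c66a7ba761450edfdfb9f4ffab74715b591294f78b5e37a76481aa",
             "threatType": "URL"},
        ],
    }],
    "messagesBlocked": [{
        "GUID": "2222", "subject": "Please find a totally safe invoice attached.",
        "recipient": ["clark.kent@pharmtech.zz", "diana.prince@pharmtech.zz"],
        "quarantineFolder": "Attachment Defense",
        "threatsInfoMap": [
            {"threat": "2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca",
             "threatId": "2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca",
             "threatStatus": "active", "threatType": "ATTACHMENT"},
        ],
    }],
}

# threatStatus values (from the Context Output table) that no longer need action.
RESOLVED = {"cleared", "falsepositive", "expired"}
SEVERITY_RANK = {"high": 0, "info": 1}


def _ts(text):
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def _live_threats(message):
    """Threats on a message that are still actionable. A missing threatStatus is
    treated as live rather than silently dropped."""
    return [t for t in message.get("threatsInfoMap", [])
            if t.get("threatStatus", "active").lower() not in RESOLVED]


def triage_events(events):
    """Turn the four event buckets into findings ordered by recipient risk."""
    findings = []
    for click in events.get("clicksPermitted", []):
        findings.append({
            "severity": "high", "event": "clicksPermitted",
            "recipients": [click["recipient"]], "indicators": [click["url"]],
            "threat_ids": [click["threatID"]],
            # A click before Proofpoint condemned the URL means the user reached it unprotected.
            "clicked_before_condemned": _ts(click["clickTime"]) < _ts(click["threatTime"]),
        })
    for msg in events.get("messagesDelivered", []):
        live = _live_threats(msg)
        findings.append({
            "severity": "high" if live else "info", "event": "messagesDelivered",
            "recipients": list(msg.get("recipient", [])),
            "indicators": [t["threat"] for t in live],
            "threat_ids": [t["threatId"] for t in live],
        })
    for click in events.get("clicksBlocked", []):
        findings.append({"severity": "info", "event": "clicksBlocked",
                         "recipients": [click["recipient"]], "indicators": [click["url"]],
                         "threat_ids": [click["threatID"]]})
    for msg in events.get("messagesBlocked", []):
        threats = msg.get("threatsInfoMap", [])
        findings.append({"severity": "info", "event": "messagesBlocked",
                         "recipients": list(msg.get("recipient", [])),
                         "indicators": [t["threat"] for t in threats],
                         "threat_ids": [t["threatId"] for t in threats]})
    findings.sort(key=lambda f: SEVERITY_RANK[f["severity"]])  # stable sort keeps bucket order
    return findings


def forensics_targets(findings):
    """Unique threatIds to pass to proofpoint-get-forensics, highest severity first."""
    seen, out = set(), []
    for f in findings:
        for tid in f["threat_ids"]:
            if tid not in seen:
                seen.add(tid)
                out.append(tid)
    return out
```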

2. proofpoint-get-forensics

Gets forensic evidence for a threat or campaign.

Base Command

proofpoint-get-forensics

Input
Argument Name Description Required
threatId ID of the threat (either threatId or campaignId must be supplied). Optional
campaignId ID of the campaign (either threatId or campaignId must be supplied). Optional
includeCampaignForensics Whether to include campaign forensics; can only be provided together with threatId. Optional

Context Output
Path Type Description
Proofpoint.Report.ID String ID of the report.
Proofpoint.Report.Type String The threat type: attachment, url, or hybrid.
Proofpoint.Report.Scope String Whether the report scope covers a campaign or an individual threat.
Proofpoint.Report.Attachment.Time Date The relative time at which the evidence was observed during sandboxing.
Proofpoint.Report.Attachment.Malicious String Whether the evidence was used to reach a malicious verdict.
Proofpoint.Report.Attachment.Display String A friendly display string.
Proofpoint.Report.Attachment.SHA256 String The SHA256 hash of the attachment's contents.
Proofpoint.Report.Attachment.MD5 String The MD5 hash of the attachment's contents.
Proofpoint.Report.Attachment.Blacklisted Number Optional, whether the file was blacklisted.
Proofpoint.Report.Attachment.Offset Number Optional, the offset in bytes where the malicious content was found.
Proofpoint.Report.Attachment.Size Number Optional, the size in bytes of the attachment's contents.
Proofpoint.Report.Attachment.Platform.Name String Name of the platform.
Proofpoint.Report.Attachment.Platform.OS String OS of the platform.
Proofpoint.Report.Attachment.Platform.Version String Version of the platform.
Proofpoint.Report.Cookie.Time Date The relative time at which the evidence was observed during sandboxing.
Proofpoint.Report.Cookie.Malicious String Whether the evidence was used to reach a malicious verdict.
Proofpoint.Report.Cookie.Display String A friendly display string.
Proofpoint.Report.Cookie.Action String Whether the cookie was set or deleted.
Proofpoint.Report.Cookie.Domain String Which domain set the cookie.
Proofpoint.Report.Cookie.Key String The name of the cookie being set or deleted.
Proofpoint.Report.Cookie.Value String Optional, content of the cookie being set.
Proofpoint.Report.Cookie.Platform.Name String Name of the platform.
Proofpoint.Report.Cookie.Platform.OS String OS of the platform.
Proofpoint.Report.Cookie.Platform.Version String Version of the platform.
Proofpoint.Report.DNS.Time Date The relative time at which the evidence was observed during sandboxing.
Proofpoint.Report.DNS.Malicious String Whether the evidence was used to reach a malicious verdict.
Proofpoint.Report.DNS.Display String A friendly display string.
Proofpoint.Report.DNS.Host String The hostname being resolved.
Proofpoint.Report.DNS.CNames String Optional, an array of cnames which were associated with the hostname.
Proofpoint.Report.DNS.IP String Optional, an array of IP addresses which were resolved to the hostname.
Proofpoint.Report.DNS.NameServers String Optional, the nameservers responsible for the hostname's domain.
Proofpoint.Report.DNS.NameServersList String Optional, the list of nameservers responsible for the hostname's domain.
Proofpoint.Report.DNS.Platform.Name String Name of the platform.
Proofpoint.Report.DNS.Platform.OS String OS of the platform.
Proofpoint.Report.DNS.Platform.Version String Version of the platform.
Proofpoint.Report.Dropper.Time Date The relative time at which the evidence was observed during sandboxing.
Proofpoint.Report.Dropper.Malicious String Whether the evidence was used to reach a malicious verdict.
Proofpoint.Report.Dropper.Display String A friendly display string.
Proofpoint.Report.Dropper.Path String The location of the dropper file.
Proofpoint.Report.Dropper.URL String Optional, the URL the dropper contacted.
Proofpoint.Report.Dropper.Rule String Optional, the name of the static rule inside the sandbox which identified the dropper.
Proofpoint.Report.Dropper.Platform.Name String Name of the platform.
Proofpoint.Report.Dropper.Platform.OS String OS of the platform.
Proofpoint.Report.Dropper.Platform.Version String Version of the platform.
Proofpoint.Report.File.Time Date The relative time at which the evidence was observed during sandboxing.
Proofpoint.Report.File.Malicious String Whether the evidence was used to reach a malicious verdict.
Proofpoint.Report.File.Display String A friendly display string.
Proofpoint.Report.File.Path String Optional, the location of the file operated on.
Proofpoint.Report.File.Action String Optional, the filesystem call made (create, modify, or delete).
Proofpoint.Report.File.Rule String Optional, the name of the static rule inside the sandbox which identified the suspicious file.
Proofpoint.Report.File.SHA256 Unknown Optional, the SHA256 sum of the file's contents.
Proofpoint.Report.File.MD5 String Optional, the MD5 sum of the file's contents.
Proofpoint.Report.File.Size Number Optional, the size in bytes of the file's contents.
Proofpoint.Report.File.Platform.Name String Name of the platform.
Proofpoint.Report.File.Platform.OS String OS of the platform.
Proofpoint.Report.File.Platform.Version String Version of the platform.
Proofpoint.Report.IDS.Time Date The relative time at which the evidence was observed during sandboxing.
Proofpoint.Report.IDS.Malicious String Whether the evidence was used to reach a malicious verdict.
Proofpoint.Report.IDS.Display String A friendly display string.
Proofpoint.Report.IDS.Name String The friendly name of the IDS rule which observed the malicious traffic.
Proofpoint.Report.IDS.SignatureID String The identifier of the IDS rule which observed the malicious traffic.
Proofpoint.Report.IDS.Platform.Name String Name of the platform.
Proofpoint.Report.IDS.Platform.OS String OS of the platform.
Proofpoint.Report.IDS.Platform.Version String Version of the platform.
Proofpoint.Report.Mutex.Time Date The relative time at which the evidence was observed during sandboxing.
Proofpoint.Report.Mutex.Malicious String Whether the evidence was used to reach a malicious verdict.
Proofpoint.Report.Mutex.Display String A friendly display string.
Proofpoint.Report.Mutex.Name String The name of the mutex.
Proofpoint.Report.Mutex.Path String Optional, the path to the process which spawned the mutex.
Proofpoint.Report.Mutex.Platform.Name String Name of the platform.
Proofpoint.Report.Mutex.Platform.OS String OS of the platform.
Proofpoint.Report.Mutex.Platform.Version String Version of the platform.
Proofpoint.Report.Network.Time Date The relative time at which the evidence was observed during sandboxing.
Proofpoint.Report.Network.Malicious String Whether the evidence was used to reach a malicious verdict.
Proofpoint.Report.Network.Display String A friendly display string.
Proofpoint.Report.Network.Action String The type of network activity being initiated (connect or listen).
Proofpoint.Report.Network.IP String The remote IP address being contacted.
Proofpoint.Report.Network.Port String The remote port being contacted.
Proofpoint.Report.Network.Type String The protocol being used (tcp or udp).
Proofpoint.Report.Network.Platform.Name String Name of the platform.
Proofpoint.Report.Network.Platform.OS String OS of the platform.
Proofpoint.Report.Network.Platform.Version String Version of the platform.
Proofpoint.Report.Process.Time Date The relative time at which the evidence was observed during sandboxing.
Proofpoint.Report.Process.Malicious String Whether the evidence was used to reach a malicious verdict.
Proofpoint.Report.Process.Display String A friendly display string.
Proofpoint.Report.Process.Action String The action performed on the process; currently only create is produced.
Proofpoint.Report.Process.Path String The location of the executable which spawned the process.
Proofpoint.Report.Process.Platform.Name String Name of the platform.
Proofpoint.Report.Process.Platform.OS String OS of the platform.
Proofpoint.Report.Process.Platform.Version String Version of the platform.
Proofpoint.Report.Registry.Time Date The relative time at which the evidence was observed during sandboxing.
Proofpoint.Report.Registry.Malicious String Whether the evidence was used to reach a malicious verdict.
Proofpoint.Report.Registry.Display String A friendly display string.
Proofpoint.Report.Registry.Name String Optional, the name of the registry entry being created or set.
Proofpoint.Report.Registry.Action String The registry change made (create or set).
Proofpoint.Report.Registry.Key String The location of the registry key being modified.
Proofpoint.Report.Registry.Value String Optional, the contents of the key being created or set.
Proofpoint.Report.Registry.Platform.Name String Name of the platform.
Proofpoint.Report.Registry.Platform.OS String OS of the platform.
Proofpoint.Report.Registry.Platform.Version String Version of the platform.
Proofpoint.Report.URL.Time Date The relative time at which the evidence was observed during sandboxing.
Proofpoint.Report.URL.Malicious String Whether the evidence was used to reach a malicious verdict.
Proofpoint.Report.URL.Display String A friendly display string.
Proofpoint.Report.URL.URL String The URL which was observed.
Proofpoint.Report.URL.Blacklisted Boolean Optional, whether the URL was listed on a blacklist.
Proofpoint.Report.URL.SHA256 String Optional, the SHA256 value of the file downloaded from the URL.
Proofpoint.Report.URL.MD5 String Optional, the MD5 value of the file downloaded from the URL.
Proofpoint.Report.URL.Size Number Optional, the size in bytes of the file retrieved from the URL.
Proofpoint.Report.URL.HTTPStatus Number Optional, the HTTP status code which was produced when the sandbox visited the URL.
Proofpoint.Report.URL.IP String Optional, the IP address the sandbox resolved for the URL's hostname.
Proofpoint.Report.URL.Platform.Name String Name of the platform.
Proofpoint.Report.URL.Platform.OS String OS of the platform.
Proofpoint.Report.URL.Platform.Version String Version of the platform.

Command Example

!proofpoint-get-forensics threatId=threatId

Context Example
{
    "Proofpoint.Report": [
        {
            "Attachment": [
                {
                    "Display": "string",
                    "MD5": "string",
                    "Malicious": "string",
                    "Offset": "integer",
                    "Platform": [
                        {
                            "Name": "windows 7 sp1",
                            "OS": "windows 7",
                            "Version": "4.5.661"
                        }
                    ],
                    "SHA256": "string",
                    "Size": "integer",
                    "Time": "string"
                }
            ],
            "Cookie": [
                {
                    "Action": "string",
                    "Display": "string",
                    "Domain": "string",
                    "Key": "string",
                    "Malicious": "string",
                    "Platform": [
                        {
                            "Name": "windows 7 sp1",
                            "OS": "windows 7",
                            "Version": "4.5.661"
                        }
                    ],
                    "Time": "string",
                    "Value": "string"
                }
            ],
            "DNS": [
                {
                    "CNames": [
                        "string1",
                        "string2"
                    ],
                    "Display": "string",
                    "Host": "string",
                    "IP": [
                        "string1",
                        "string2"
                    ],
                    "Malicious": "string",
                    "NameServers": [
                        "string1",
                        "string2"
                    ],
                    "NameServersList": [
                        "string1",
                        "string2"
                    ],
                    "Platform": [
                        {
                            "Name": "windows 7 sp1",
                            "OS": "windows 7",
                            "Version": "4.5.661"
                        }
                    ],
                    "Time": "string"
                }
            ],
            "Dropper": [
                {
                    "Display": "string",
                    "Malicious": "string",
                    "Path": "string",
                    "Platform": [
                        {
                            "Name": "windows 7 sp1",
                            "OS": "windows 7",
                            "Version": "4.5.661"
                        }
                    ],
                    "Rule": "string",
                    "Time": "string",
                    "URL": "string"
                }
            ],
            "File": [
                {
                    "Action": "string",
                    "Display": "string",
                    "MD5": "string",
                    "Malicious": "string",
                    "Path": "string",
                    "Platform": [
                        {
                            "Name": "windows 7 sp1",
                            "OS": "windows 7",
                            "Version": "4.5.661"
                        }
                    ],
                    "SHA256": "string",
                    "Size": "integer",
                    "Time": "string"
                }
            ],
            "ID": "threatId",
            "IDS": [
                {
                    "Display": "string",
                    "Malicious": "string",
                    "Name": "string",
                    "Platform": [
                        {
                            "Name": "windows 7 sp1",
                            "OS": "windows 7",
                            "Version": "4.5.661"
                        }
                    ],
                    "SignatureID": "integer",
                    "Time": "string"
                }
            ],
            "Mutex": [
                {
                    "Display": "string",
                    "Malicious": "string",
                    "Name": "string",
                    "Path": "string",
                    "Platform": [
                        {
                            "Name": "windows 7 sp1",
                            "OS": "windows 7",
                            "Version": "4.5.661"
                        }
                    ],
                    "Time": "string"
                }
            ],
            "Network": [
                {
                    "Action": "string",
                    "Display": "string",
                    "IP": "string",
                    "Malicious": "string",
                    "Platform": [
                        {
                            "Name": "windows 7 sp1",
                            "OS": "windows 7",
                            "Version": "4.5.661"
                        }
                    ],
                    "Port": "string",
                    "Protocol": "string",
                    "Time": "string"
                }
            ],
            "Process": [
                {
                    "Action": "string",
                    "Display": "string",
                    "Malicious": "string",
                    "Path": "string",
                    "Platform": [
                        {
                            "Name": "windows 7 sp1",
                            "OS": "windows 7",
                            "Version": "4.5.661"
                        }
                    ],
                    "Time": "string"
                }
            ],
            "Registry": [
                {
                    "Action": "string",
                    "Display": "string",
                    "Key": "string",
                    "Malicious": "string",
                    "Name": "string",
                    "Platform": [
                        {
                            "Name": "windows 7 sp1",
                            "OS": "windows 7",
                            "Version": "4.5.661"
                        }
                    ],
                    "Time": "string",
                    "Value": "string"
                }
            ],
            "Scope": "string",
            "Type": "string",
            "URL": [
                {
                    "Blacklisted": "boolean",
                    "Display": "string",
                    "HTTPStatus": "string",
                    "IP": "string",
                    "MD5": "string",
                    "Malicious": "string",
                    "Platform": [
                        {
                            "Name": "windows 7 sp1",
                            "OS": "windows 7",
                            "Version": "4.5.661"
                        }
                    ],
                    "SHA256": "string",
                    "Size": "integer",
                    "Time": "string",
                    "URL": "string"
                }
            ]
        }
    ]
}
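The context above is what a playbook consumes. As an added example (not part of the Demisto integration or Proofpoint's code), the following walks the Proofpoint.Report context path, keeps only evidence the sandbox flagged as malicious, and pulls the indicator each evidence type carries (hash, URL, host, IP and port, path, registry key, mutex name). It assumes Malicious may arrive either as the documented string or as a JSON boolean, and the sample context is constructed with placeholder values.

```python
from typing import Dict, List

# Context key that carries the indicator for each evidence type documented above.
INDICATOR_FIELDS = {
    "Attachment": ("sha256", "SHA256"), "File": ("sha256", "SHA256"),
    "Dropper": ("url", "URL"), "URL": ("url", "URL"), "DNS": ("domain", "Host"),
    "Network": ("ip", "IP"), "Process": ("path", "Path"),
    "Registry": ("registry", "Key"), "Mutex": ("mutex", "Name"),
}

def is_malicious(evidence: dict) -> bool:
    """Malicious is documented above as String; a JSON boolean is accepted too (assumption)."""
    value = evidence.get("Malicious")
    return value is True or str(value).strip().lower() == "true"

def malicious_indicators(report: dict) -> List[Dict[str, str]]:
    """Collect {type, value, platform} for every evidence item flagged malicious."""
    found: List[Dict[str, str]] = []
    for evidence_type, (ioc_type, field) in INDICATOR_FIELDS.items():
        for item in report.get(evidence_type) or []:
            if not is_malicious(item) or not item.get(field):
                continue  # benign evidence, or the optional field is absent
            value = str(item[field])
            if evidence_type == "Network" and item.get("Port"):
                value = f"{value}:{item['Port']}"  # keep the port with the IP
            platforms = item.get("Platform") or []
            found.append({"type": ioc_type, "value": value,
                          "platform": ", ".join(p.get("Name", "") for p in platforms)})
    return found

def triage(context: dict) -> List[Dict[str, str]]:
    """Run over every report under the Proofpoint.Report context path."""
    return [ioc for report in context.get("Proofpoint.Report") or []
            for ioc in malicious_indicators(report)]

# Constructed sample shaped like the Context Example above; every value is a placeholder.
SAMPLE_CONTEXT = {
    "Proofpoint.Report": [{
        "ID": "threatId", "Scope": "campaign", "Type": "attachment",
        "File": [{"Malicious": "true", "SHA256": "placeholder-sha256",
                  "Platform": [{"Name": "windows 7 sp1"}]}],
        "Network": [{"Malicious": "false", "IP": "203.0.113.5", "Port": "443"},
                    {"Malicious": True, "IP": "198.51.100.7", "Port": "8080"}],
        "URL": [{"Malicious": "true", "URL": "http://example.invalid/payload"}],
    }]
}

if __name__ == "__main__":
    for ioc in triage(SAMPLE_CONTEXT):
        print(f"{ioc['type']:>8}  {ioc['value']}  [{ioc['platform']}]")
```

The Network item with Malicious "false" is dropped, so the sample yields one hash, one URL and one IP:port, each ready to be written back to context or handed to an indicator enrichment step.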
Human Readable Output

Forensic results from ProofPoint for ID: threatId

ID Scope Type
threatId string string

Additional Information

Known Limitations

Troubleshooting