# Proofpoint
The Proofpoint connector enables automated interactions with Proofpoint's security services, facilitating threat detection and response activities.

Proofpoint is a leading cybersecurity and compliance company that protects organizations' people, data, and brand against advanced threats and compliance risks.

The Proofpoint connector for Swimlane Turbine enables users to automate the decoding of URLs, retrieval of forensic data, and extraction of SIEM events. By integrating with Proofpoint, Swimlane Turbine users can enhance their security operations with streamlined threat intelligence and incident response capabilities, leveraging Proofpoint's advanced email protection and targeted attack analysis.

## Prerequisites

To effectively utilize the Proofpoint connector with Swimlane Turbine, ensure you have the following prerequisites:

- HTTP Basic Authentication with the following parameters:
  - URL: the endpoint URL for the Proofpoint API
  - Principal: your Proofpoint account username
  - Secret: your Proofpoint account password

## Capabilities

The Proofpoint integration provides the following capabilities:

- Decode URLs
- Decode URLs Offline (this uses a local script to decode the URLs)
- Forensics Campaign Lookup
- Forensics Threat Lookup
- SIEM All
- SIEM Messages Blocked
- SIEM Messages Delivered
- SIEM Clicks Blocked
- SIEM Clicks Delivered

## Limitations

The URLs passed to the decode tasks are case sensitive. Proofpoint encodes the URLs with Base64, so if you are passing extracted IOCs from the Swimlane Utilities plugin with the IOC Parser task, make sure that the **Input to Lower** option is set to false.

## Notes

When using a SIEM API action, one of the following fields must be passed in the query parameters: `interval`, `sinceSeconds` or `sinceTime`.

- **interval**: A string containing an ISO8601-formatted interval. If this interval overlaps with previous requests for data, records from the previous request may be duplicated. The minimum interval is thirty seconds. The maximum interval is one hour. Examples:
  - `2016-05-01T12:00:00Z/2016-05-01T13:00:00Z`: an hour interval, beginning at noon UTC on 05-01-2016
  - `PT30M/2016-05-01T12:30:00Z`: the thirty minutes beginning at noon UTC on 05-01-2016 and ending at 12:30pm UTC
  - `2016-05-01T05:00:00-0700/PT30M`: the same interval as above, but using -0700 as the time zone
- **sinceSeconds**: An integer representing a time window in seconds from the current API server time. The start of the window is the current API server time, rounded to the nearest minute, less the number of seconds provided. The end of the window is the current API server time rounded to the nearest minute. If JSON output is selected, the end time is included in the returned result.
- **sinceTime**: A string containing an ISO8601 date. It represents the start of the data retrieval period. The end of the period is determined by the current API server time rounded to the nearest minute. If JSON output is selected, the end time is included in the returned result.
- **format**: A string specifying the format in which response data is returned. If no format is specified, `syslog` will be used as the default. The following values are accepted: `syslog`, `json`.

Proofpoint API documentation: https://help.proofpoint.com/Threat_Insight_Dashboard/API_Documentation

## Configurations

### HTTP Basic Authentication

Authenticates using username and password.

#### Configuration Parameters

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| URL | A URL to the target host | string | required |
| Username | Principal | string | required |
| Password | Secret | string | required |
| Verify SSL | Verify SSL certificate | boolean | optional |
| HTTP Proxy | A proxy to route requests through | string | optional |

## Actions

### Decode URLs

Reverts Proofpoint TAP rewritten URLs back to their original form, requiring a list of URLs in the JSON body.

**Endpoint URL:** `/v2/url/decode`

**Method:** POST

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| urls | array | optional | URL endpoint for the request |

**Input Example:**

```json
{"json_body": {"urls": ["https://urldefense.proofpoint.com/v2/url?u=http-3a__links.mkt3337.com_ctt-3fkn-3d3-26ms-3dmzq3otg3mdqs1-26r-3dmzkxnzk3ndkwmda0s0-26b-3d0-26j-3dmtmwmja1odyznqs2-26mt-3d1-26rt-3d0&d=dwmfaq&c=vxt5e0osvvt2gflwslsj5dmpgcpvtrkljyp031rxjhg&r=mujldfbjstxoxzi_gkbsw7wxgm7nnik__qzvvy6j9wc&m=qjghloayfd0uz6n8r6y9df-khnkqvraiwdru_k65xpi&s=ew-rotbfjix1hgv71xqj5begl9tpaowrm_xp9nuo8bk&e=", "https://urldefense.proofpoint.com/v1/url?u=http://www.bouncycastle.org/&k=oivrg1%2bdgagoom1billlqw%3d%3d%0a&r=ikm5u8%2b%2f%2fi8ebhwos%2bqgbtqcc%2brmqwi%2fvfeaesqo%2f0y%3d%0a&m=ww6iaho73mdqppqwowflfn8wmapqhyvtu8jm8sjqmvq%3d%0a&s=d3583cfa53dade97025bc6274c6c8951dc29fe0f38830cf8e5a447723b9f1c9a"]}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| urls | array | URL endpoint for the request |
| urls.encodedUrl | string | URL endpoint for the request |
| urls.success | boolean | URL endpoint for the request |
| urls.decodedUrl | string | URL endpoint for the request |

**Output Example:**

```json
{"status_code": 200, "response_headers": {"date": "Fri, 13 Oct 2023 09:06:25 GMT", "content-type": "application/json", "content-length": "853", "connection": "keep-alive", "vary": "Accept-Encoding", "x-content-type-options": "nosniff", "strict-transport-security": "max-age=15724800; includeSubDomains"}, "reason": "OK", "json_body": {"urls": [{}, {}]}}
```

### Decode URLs Offline

Decodes Proofpoint-encoded URLs locally, compatible with the v1, v2 and v3 formats. Requires a list of URLs to process.

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| url | string | optional | URL endpoint for the request |

**Input Example:**

```json
{"json_body": {"urls": "https://tap-api-v2.proofpoint.com/"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| headers | object | HTTP headers for the request |
| decoded_urls | array | URL endpoint for the request |

**Output Example:**

```json
{"status_code": 200, "reason": "OK", "headers": {}, "json_body": {"decoded_urls": ["https://urldefense.proofpoint.com/v2/url?u=http-3a__links.mkt3337.com_ctt-3fkn-3d3-26ms-3dmzq3otg3mdqs1-26r-3dmzkxnzk3ndkwmda0s0-26b-3d0-26j-3dmtmwmja1odyznqs2-26mt-3d1-26rt-3d0&d=dwmfaq&c=vxt5e0osvvt2gflwslsj5dmpgcpvtrkljyp031rxjhg&r=mujldfbjstxoxzi_gkbsw7wxgm7nnik__qzvvy6j9wc&m=qjghloayfd0uz6n8r6y9df-khnkqvraiwdru_k65xpi&s=ew-rotbfjix1hgv71xqj5begl9tpaowrm_xp9nuo8bk&e=", "https://urldefense.proofpoint.com/v1/url?u=http
```
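As an added example (not the connector's own script, which this page does not show), the following Python performs the v1 and v2 part of the offline decoding described above; v3 links are recognised but reported as not decoded. The host list and the sample link are assumptions made for the example.

```python
"""Offline decoder for Proofpoint URL Defense v1 and v2 rewritten links."""
from typing import Optional
from urllib.parse import unquote, urlsplit

# Hosts that URL Defense rewrites links through (assumption for this example).
REWRITE_HOSTS = {"urldefense.proofpoint.com", "urldefense.com"}


def _query_params(query: str) -> dict:
    """Split a query string without unquoting ('%' escapes and case stay intact)."""
    params = {}
    for part in query.split("&"):
        if part:
            key, _, value = part.partition("=")
            params.setdefault(key, value)
    return params


def decode_url(rewritten: str) -> Optional[str]:
    """Return the original URL behind a v1/v2 URL Defense link, or None when the
    link is not one this example decodes. Case is preserved throughout: v2 stores
    path and query characters verbatim, so lowercasing the link first would
    corrupt the recovered URL (the reason behind the Limitations note)."""
    parts = urlsplit(rewritten)
    if parts.hostname not in REWRITE_HOSTS:
        return None
    version = parts.path.split("/")[1] if parts.path.startswith("/v") else ""
    encoded = _query_params(parts.query).get("u")
    if not encoded or version not in ("v1", "v2"):
        return None  # v3 (urldefense.com/v3/__...__;...) is not handled here
    if version == "v1":
        # v1: 'u' is a plain percent-encoded copy of the original URL.
        return unquote(encoded)
    # v2: the percent-encoded URL had every '%' replaced by '-' and every '/'
    # by '_'; reverse both substitutions, then percent-decode.
    return unquote(encoded.replace("_", "/").replace("-", "%"))


def decode_urls(urls):
    """Batch form whose items mirror the Decode URLs action's output fields."""
    results = []
    for url in urls:
        decoded = decode_url(url)
        results.append({"encodedUrl": url, "success": decoded is not None,
                        "decodedUrl": decoded})
    return results


if __name__ == "__main__":
    # Constructed sample (not from the page): http://example.com/path?a=1&b=2
    # percent-encoded, then '%'->'-' and '/'->'_', as the v2 scheme does.
    print(decode_urls(["https://urldefense.proofpoint.com/v2/url?u=http-3A__example.com_path-3Fa-3D1-26b-3D2&d=x&e="]))
```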
### Forensics Campaign

Retrieves aggregate forensics data for a specified campaign in Proofpoint using the `campaignId` parameter.

**Endpoint URL:** `/v2/forensics`

**Method:** GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.campaignId | string | required | Parameters for the Forensics Campaign action |

**Input Example:**

```json
{"parameters": {"campaignId": "e144426d-7bcd-4695-98a7-c9f6551f3d48"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| generated | string | Output field generated |
| reports | array | Output field reports |
| reports.scope | string | Output field reports.scope |
| reports.id | string | Unique identifier |
| reports.name | string | Name of the resource |
| reports.forensics | array | Output field reports.forensics |
| reports.forensics.file.name | string | Name of the resource |
| reports.forensics.file | string | Output field reports.forensics.file |

**Output Example:**

```json
{"status_code": 200, "response_headers": {"date": "Wed, 18 Oct 2023 13:42:53 GMT", "content-type": "application/json", "content-length": "188", "connection": "keep-alive", "x-content-type-options": "nosniff", "vary": "Accept-Encoding, User-Agent", "content-encoding": "gzip", "strict-transport-security": "max-age=15724800; includeSubDomains"}, "reason": "OK", "json_body": {"generated": "2023-10-18T13:42:53.056Z", "reports": [{}]}}
```

### Forensics Threat

Retrieves aggregate forensics data for a specified threat in Proofpoint using the `threatId` parameter.

**Endpoint URL:** `/v2/forensics`

**Method:** GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.threatId | string | required | Parameters for the Forensics Threat action |
| parameters.includeCampaignForensics | boolean | optional | Parameters for the Forensics Threat action |

**Input Example:**

```json
{"parameters": {"threatId": "fc31eb2b503d8df30b509aa56e3685174071b966a7cbc58c74392c3f87bbcbe8", "includeCampaignForensics": false}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| generated | string | Output field generated |
| reports | array | Output field reports |
| reports.scope | string | Output field reports.scope |
| reports.id | string | Unique identifier |
| reports.name | string | Name of the resource |
| reports.threatStatus | string | Status value |
| reports.forensics | array | Output field reports.forensics |
| reports.forensics.type | string | Type of the resource |
| reports.forensics.display | string | Output field reports.forensics.display |
| reports.forensics.engine | string | Output field reports.forensics.engine |
| reports.forensics.malicious | boolean | Output field reports.forensics.malicious |
| reports.forensics.time | number | Time value |
| reports.forensics.what | object | Output field reports.forensics.what |
| reports.forensics.what.url | string | URL endpoint for the request |
| reports.forensics.platforms | array | Output field reports.forensics.platforms |
| reports.forensics.platforms.name | string | Name of the resource |
| reports.forensics.platforms.os | string | Output field reports.forensics.platforms.os |
| reports.forensics.platforms.version | string | Output field reports.forensics.platforms.version |
| reports.forensics.note | string | Output field reports.forensics.note |

**Output Example:**

```json
{"status_code": 200, "response_headers": {"date": "Wed, 18 Oct 2023 13:44:40 GMT", "content-type": "application/json", "transfer-encoding": "chunked", "connection": "keep-alive", "x-content-type-options": "nosniff", "vary": "Accept-Encoding, User-Agent", "content-encoding": "gzip", "strict-transport-security": "max-age=15724800; includeSubDomains"}, "reason": "OK", "json_body": {"generated": "2023-10-18T13:44:39.664Z", "reports": [{}]}}
```

### SIEM All

Retrieves all click and message events related to identified threats within a defined time frame from Proofpoint.

**Endpoint URL:** `/v2/siem/all`

**Method:** GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.sinceSeconds | string | optional | An integer representing a time window in seconds from the current API server time. The start of the window is the current API server time, rounded to the nearest minute, less the number of seconds provided. The end of the window is the current API server time rounded to the nearest minute. If JSON output is selected, the end time is included in the returned result. |
| parameters.sinceTime | string | optional | A string containing an ISO8601 date. It represents the start of the data retrieval period. The end of the period is determined by the current API server time rounded to the nearest minute. If JSON output is selected, the end time is included in the returned result. |
| parameters.interval | string | optional | A string containing an ISO8601-formatted interval. If this interval overlaps with previous requests for data, records from the previous request may be duplicated. The minimum interval is thirty seconds. The maximum interval is one hour. |
| parameters.format | string | optional | A string specifying the format in which data is returned. If no format is specified, syslog will be used as the default. |
| parameters.threatType | string | optional | A string specifying which threat type will be returned in the data. If no value is specified, all threat types are returned. |
| parameters.threatStatus | string | optional | A string specifying which threat statuses will be returned in the data. If no value is specified, active and cleared threats are returned. |

**Input Example:**

```json
{"parameters": {"sinceSeconds": "100", "sinceTime": "2024-04-26T5:42:45Z", "interval": "PT30M/2024-04-26T10:12:45Z", "format": "syslog", "threatType": "url", "threatStatus": "active"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| response_text | string | Output field response_text |

**Output Example:**

```json
{"status_code": 200, "response_headers": {"date": "Fri, 26 Apr 2024 04:59:00 GMT", "content-type": "text/plain", "content-length": "1286", "connection": "keep-alive", "server-timing": "traceparent;desc=\"00-f0905c6c701404804fdd783e49829bd3-504a48747fd43b4f-01\"", "access-control-expose-headers": "Server-Timing", "vary": "Accept-Encoding, User-Agent", "content-encoding": "gzip", "strict-transport-security": "max-age=15724800; includeSubDomains"}, "reason": "OK", "response_text": "<38>1 2024-04-26T04:32:51Z proofpointt"}
```

### SIEM Clicks Blocked

Fetches events for clicks to malicious URLs that were blocked by Proofpoint within a specified time period.

**Endpoint URL:** `/v2/siem/clicks/blocked`

**Method:** GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.interval | string | optional | Parameters for the SIEM Clicks Blocked action |
| parameters.sinceSeconds | number | optional | Parameters for the SIEM Clicks Blocked action |
| parameters.sinceTime | string | optional | Parameters for the SIEM Clicks Blocked action |
| parameters.format | string | optional | Parameters for the SIEM Clicks Blocked action |
| parameters.threatType | string | optional | Parameters for the SIEM Clicks Blocked action |
| parameters.threatStatus | string | optional | Parameters for the SIEM Clicks Blocked action |

**Input Example:**

```json
{"parameters": {"interval": "PT30M/2023-10-11T12:30:00Z", "sinceSeconds": 5, "sinceTime": "3", "format": "json", "threatType": "url", "threatStatus": "active"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| response_text | string | Output field response_text |

**Output Example:**

```json
{"status_code": 204, "response_headers": {"date": "Mon, 16 Oct 2023 09:02:15 GMT", "connection": "keep-alive", "strict-transport-security": "max-age=15724800; includeSubDomains"}, "reason": "No Content", "response_text": ""}
```

### SIEM Clicks Permitted

Fetches events for clicks to malicious URLs that were permitted within a specified time period in Proofpoint.

**Endpoint URL:** `/v2/siem/clicks/permitted`

**Method:** GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.interval | string | optional | Parameters for the SIEM Clicks Permitted action |
| parameters.sinceSeconds | number | optional | Parameters for the SIEM Clicks Permitted action |
| parameters.sinceTime | string | optional | Parameters for the SIEM Clicks Permitted action |
| parameters.format | string | optional | Parameters for the SIEM Clicks Permitted action |
| parameters.threatType | string | optional | Parameters for the SIEM Clicks Permitted action |
| parameters.threatStatus | string | optional | Parameters for the SIEM Clicks Permitted action |

**Input Example:**

```json
{"parameters": {"interval": "PT30M/2023-10-11T12:30:00Z", "sinceSeconds": 5, "sinceTime": "3", "format": "json", "threatType": "url", "threatStatus": "active"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| response_text | string | Output field response_text |

**Output Example:**

```json
{"status_code": 204, "response_headers": {"date": "Mon, 16 Oct 2023 09:27:36 GMT", "connection": "keep-alive", "strict-transport-security": "max-age=15724800; includeSubDomains"}, "reason": "No Content", "response_text": ""}
```

### SIEM Messages Blocked

Retrieves events for messages that were blocked within a specified time frame due to recognized threats in Proofpoint.

**Endpoint URL:** `/v2/siem/messages/blocked`

**Method:** GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.interval | string | optional | Parameters for the SIEM Messages Blocked action |
| parameters.sinceSeconds | number | optional | Parameters for the SIEM Messages Blocked action |
| parameters.sinceTime | string | optional | Parameters for the SIEM Messages Blocked action |
| parameters.format | string | optional | Parameters for the SIEM Messages Blocked action |
| parameters.threatType | string | optional | Parameters for the SIEM Messages Blocked action |
| parameters.threatStatus | string | optional | Parameters for the SIEM Messages Blocked action |

**Input Example:**

```json
{"parameters": {"interval": "PT30M/2023-10-10T12:30:00Z", "sinceSeconds": 30, "sinceTime": "1", "format": "json", "threatType": "url", "threatStatus": "active"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| response_text | string | Output field response_text |

**Output Example:**

```json
{"status_code": 200, "response_headers": {"date": "Mon, 16 Oct 2023 09:05:21 GMT", "content-type": "application/json", "transfer-encoding": "chunked", "connection": "keep-alive", "vary": "Accept-Encoding, User-Agent", "content-encoding": "gzip", "strict-transport-security": "max-age=15724800; includeSubDomains"}, "reason": "OK", "response_text": "<38>1 2023-10-10T12:07:34Z proofpointtap msgblk [tapmsg@21139 messageTime=\"2 "}
```

### SIEM Messages Delivered

Fetches events for messages delivered within a specified time frame that contained a known threat, requiring specific parameters.

**Endpoint URL:** `/v2/siem/messages/delivered`

**Method:** GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.interval | string | optional | Parameters for the SIEM Messages Delivered action |
| parameters.sinceSeconds | number | optional | Parameters for the SIEM Messages Delivered action |
| parameters.sinceTime | string | optional | Parameters for the SIEM Messages Delivered action |
| parameters.format | string | optional | Parameters for the SIEM Messages Delivered action |
| parameters.threatType | string | optional | Parameters for the SIEM Messages Delivered action |
| parameters.threatStatus | string | optional | Parameters for the SIEM Messages Delivered action |

**Input Example:**

```json
{"parameters": {"interval": "PT30M/2023-10-15T02:30:00Z", "sinceSeconds": 30, "sinceTime": "1", "format": "json", "threatType": "url", "threatStatus": "active"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| response_text | string | Output field response_text |

**Output Example:**

```json
{"status_code": 200, "response_headers": {"date": "Mon, 16 Oct 2023 09:34:21 GMT", "content-type": "application/json", "transfer-encoding": "chunked", "connection": "keep-alive", "vary": "Accept-Encoding, User-Agent", "content-encoding": "gzip", "strict-transport-security": "max-age=15724800; includeSubDomains"}, "reason": "OK", "response_text": ""}
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Access-Control-Expose-Headers | HTTP response header Access-Control-Expose-Headers | Server-Timing |
| Connection | HTTP response header Connection | keep-alive |
| Content-Encoding | HTTP response header Content-Encoding | gzip |
| Content-Length | The length of the response body in bytes | 188 |
| Content-Type | The media type of the resource | text/plain |
| Date | The date and time at which the message was originated | Wed, 18 Oct 2023 13:44:40 GMT |
| Server-Timing | HTTP response header Server-Timing | traceparent;desc="00-f0905c6c701404804fdd783e49829bd3-504a48747fd43b4f-01" |
| Strict-Transport-Security | HTTP response header Strict-Transport-Security | max-age=15724800; includeSubDomains |
| Transfer-Encoding | HTTP response header Transfer-Encoding | chunked |
| Vary | HTTP response header Vary | Accept-Encoding |
| X-Content-Type-Options | HTTP response header X-Content-Type-Options | nosniff |
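The windowing rules from the Notes section, carried into code as an added example (not connector code): it builds the `parameters` dictionary for any of the SIEM actions above, accepting exactly one of `interval`, `sinceSeconds` and `sinceTime`, and checks an `interval` against the thirty-second minimum and one-hour maximum before a request is sent. Function names are the example's own.

```python
"""Build and validate query parameters for the SIEM actions."""
import re
from datetime import datetime

MIN_INTERVAL_S, MAX_INTERVAL_S = 30, 3600  # limits stated in the Notes section
_DURATION = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?$")


def _parse_ts(text: str) -> datetime:
    """Parse ISO8601; accepts trailing 'Z' and compact '-0700' offsets."""
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    text = re.sub(r"([+-]\d{2})(\d{2})$", r"\1:\2", text)
    return datetime.fromisoformat(text)


def _duration_seconds(text: str):
    """Seconds in a 'PT30M'-style duration, or None if text is not one."""
    m = _DURATION.match(text)
    if not m or not any(m.groups()):
        return None
    h, mi, s = (int(g or 0) for g in m.groups())
    return h * 3600 + mi * 60 + s


def interval_seconds(interval: str) -> int:
    """Length of a start/end, duration/end or start/duration interval."""
    left, sep, right = interval.partition("/")
    if not sep:
        raise ValueError("interval must be two parts separated by '/'")
    for side in (left, right):
        seconds = _duration_seconds(side)
        if seconds is not None:
            return seconds
    return int((_parse_ts(right) - _parse_ts(left)).total_seconds())


def build_siem_params(interval=None, since_seconds=None, since_time=None,
                      fmt="syslog", threat_type=None, threat_status=None):
    """Return the 'parameters' dict for a SIEM action ('fmt' is the API's 'format')."""
    window = {"interval": interval, "sinceSeconds": since_seconds, "sinceTime": since_time}
    window = {k: v for k, v in window.items() if v is not None}
    if len(window) != 1:
        raise ValueError("pass exactly one of interval, sinceSeconds, sinceTime")
    if fmt not in ("syslog", "json"):
        raise ValueError("format must be 'syslog' or 'json'")
    if interval is not None:
        n = interval_seconds(interval)
        if not MIN_INTERVAL_S <= n <= MAX_INTERVAL_S:
            raise ValueError(f"interval spans {n}s; allowed {MIN_INTERVAL_S}-{MAX_INTERVAL_S}s")
    params = dict(window, format=fmt)
    for key, value in (("threatType", threat_type), ("threatStatus", threat_status)):
        if value:
            params[key] = value
    return params
```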