Proofpoint Connector
Overview

The Proofpoint connector enables automated interactions with Proofpoint's security services, facilitating threat detection and response activities.

Proofpoint is a leading cybersecurity and compliance company that protects organizations' people, data, and brand against advanced threats and compliance risks. The Proofpoint connector for Swimlane Turbine enables users to automate the decoding of URLs, retrieval of forensic data, and extraction of SIEM events. By integrating with Proofpoint, Swimlane Turbine users can enhance their security operations with streamlined threat intelligence and incident response capabilities, leveraging Proofpoint's advanced email protection and targeted attack analysis.

Prerequisites

To effectively utilize the Proofpoint connector with Swimlane Turbine, ensure you have the following prerequisites:

HTTP Basic Authentication with the following parameters:
- URL: the endpoint URL for the Proofpoint API
- Principal: your Proofpoint account username
- Secret: your Proofpoint account password

Capabilities

The Proofpoint integration provides the following capabilities:
- Decode URLs
- Decode URLs Offline (this uses a local script to decode the URLs)
- Forensics Campaign Lookup
- Forensics Threat Lookup
- SIEM All
- SIEM Messages Blocked
- SIEM Messages Delivered
- SIEM Clicks Blocked
- SIEM Clicks Delivered

Limitations

The URLs passed to the decode tasks are case sensitive. Proofpoint encodes the URLs with base64, so if you are passing extracted IOCs from the Swimlane Utilities plugin with the IOC Parser task, make sure that the "input to lower" option is set to False.

Notes

When using a SIEM API action, one of the following fields must be passed in the query parameters: interval, sinceSeconds, or sinceTime.

- interval: A string containing an ISO8601-formatted interval. If this interval overlaps with previous requests for data, records from the previous request may be duplicated. The minimum interval is thirty seconds. The maximum interval is one hour. Examples:
  - 2016-05-01T12:00:00Z/2016-05-01T13:00:00Z: an hour interval, beginning at noon UTC on 05-01-2016
  - PT30M/2016-05-01T12:30:00Z: the thirty minutes beginning at noon UTC on 05-01-2016 and ending at 12:30pm UTC
  - 2016-05-01T05:00:00-0700/PT30M: the same interval as above, but using -0700 as the time zone
- sinceSeconds: An integer representing a time window in seconds from the current API server time. The start of the window is the current API server time, rounded to the nearest minute, less the number of seconds provided. The end of the window is the current API server time rounded to the nearest minute. If JSON output is selected, the end time is included in the returned result.
- sinceTime: A string containing an ISO8601 date. It represents the start of the data retrieval period. The end of the period is determined by the current API server time rounded to the nearest minute. If JSON output is selected, the end time is included in the returned result.
- format: A string specifying the format in which response data is returned. If no format is specified, syslog will be used as the default. The following values are accepted: syslog, json.

Proofpoint API documentation: https://help.proofpoint.com/Threat_Insight_Dashboard/API_Documentation
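The "Decode URLs Offline" capability and the case-sensitivity limitation above both come down to how Proofpoint URL Defense rewrites links. The following decoder is an added example written for this page; it is not the connector's local script or Proofpoint's own code. It follows the publicly documented v1, v2 and v3 rewriting schemes (v1 percent-encodes the target in the `u` parameter, v2 writes `%` as `-` and `/` as `_`, v3 replaces characters in the embedded URL with `*` tokens and carries the replaced characters as a URL-safe base64 string). All sample links are hand-constructed to exercise the decoder, and `survives_lowercasing` shows why an IOC parser that lowercases its input breaks decoding: for v3 the base64 replacement string no longer decodes at all, and for v1/v2 the decoded target silently loses its original case.

```python
"""Offline decoder for Proofpoint URL Defense rewritten links (v1, v2, v3).

Constructed example for this page, not the connector's own script. It follows
the publicly documented URL Defense encoding schemes; the sample links below are
hand-built to exercise the decoder and are not real Proofpoint-rewritten URLs.
"""
import base64
import binascii
import re
from urllib.parse import parse_qs, unquote, urlparse

# v3 encodes runs of substituted characters as "**X", where X indexes this
# alphabet: 'A' means a run of 2 characters, 'B' a run of 3, and so on.
_V3_RUN_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
_V3_RUN_LENGTH = {ch: i + 2 for i, ch in enumerate(_V3_RUN_ALPHABET)}
_V3_PATTERN = re.compile(r"v3/__(?P<url>.+?)__;(?P<enc>.*?)!")
_V3_TOKEN = re.compile(r"\*(\*.)?")

# Constructed sample links (not real Proofpoint rewrites). The first three all
# encode https://www.example.com/Path?a=1&b=2; the last encodes a 3-character run.
SAMPLE_V1 = ("https://urldefense.proofpoint.com/v1/url?"
             "u=https%3A%2F%2Fwww.example.com%2FPath%3Fa%3D1%26b%3D2&k=EXAMPLEKEY")
SAMPLE_V2 = ("https://urldefense.proofpoint.com/v2/url?"
             "u=https-3A__www.example.com_Path-3Fa-3D1-26b-3D2&d=EXAMPLE&e=")
SAMPLE_V3 = "https://urldefense.com/v3/__https://www.example.com/Path?a=1*b=2__;Jg!!EXAMPLE!signature$"
SAMPLE_V3_RUN = "https://urldefense.com/v3/__https://example.com/doc.html**Bb__;IyYm!!EXAMPLE!signature$"


def decode_v1(url: str) -> str:
    # v1: the original URL is simply percent-encoded in the "u" query parameter.
    return parse_qs(urlparse(url).query)["u"][0]


def decode_v2(url: str) -> str:
    # v2: "u" carries the URL with "%" written as "-" and "/" written as "_".
    raw_u = parse_qs(urlparse(url).query)["u"][0]
    return unquote(raw_u.replace("-", "%").replace("_", "/"))


def decode_v3(url: str) -> str:
    match = _V3_PATTERN.search(url)
    if not match:
        raise ValueError("not a v3 URL Defense link")
    embedded = match.group("url")
    # Some v3 links collapse "scheme://" to "scheme:/" in the embedded URL; restore it.
    embedded = re.sub(r"^([a-z0-9+.-]+:/)([^/])", r"\1/\2", embedded, flags=re.I)
    embedded = unquote(embedded)
    enc = match.group("enc")
    try:
        # The replacement characters are URL-safe base64 without padding; the
        # alphabet is case-sensitive, which is why lowercased input fails here.
        replacements = base64.urlsafe_b64decode(enc + "=" * (-len(enc) % 4)).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"replacement string is not valid base64/UTF-8: {exc}") from exc
    pos = 0

    def substitute(token: re.Match) -> str:
        # "*" consumes one replacement character, "**X" consumes a run of them.
        nonlocal pos
        text = token.group(0)
        length = 1 if text == "*" else _V3_RUN_LENGTH[text[-1]]
        chunk = replacements[pos:pos + length]
        pos += length
        return chunk

    return _V3_TOKEN.sub(substitute, embedded)


def decode_urldefense(url: str) -> str:
    """Dispatch on the URL Defense version found in the rewritten link."""
    if "/v3/" in url:
        return decode_v3(url)
    if "/v2/url" in url:
        return decode_v2(url)
    if "/v1/url" in url:
        return decode_v1(url)
    raise ValueError("not a recognised URL Defense link")


def survives_lowercasing(url: str) -> bool:
    """True only if the lowercased link still decodes to the same target URL."""
    try:
        return decode_urldefense(url.lower()) == decode_urldefense(url)
    except ValueError:
        return False


if __name__ == "__main__":
    for link in (SAMPLE_V1, SAMPLE_V2, SAMPLE_V3, SAMPLE_V3_RUN):
        print(decode_urldefense(link), "| survives lowercasing:", survives_lowercasing(link))
```

Feed the decoder the rewritten link exactly as it was extracted; if an upstream parser has already normalised case, the v3 replacement string is unrecoverable and the only fix is to re-extract the original link with lowercasing disabled.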
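The notes above describe the time-window rules for the SIEM actions but leave it to the caller to get them right. The following helper is an added example, not Swimlane's connector code or Proofpoint's: it builds the query parameters for a SIEM call, enforces that exactly one of `interval`, `sinceSeconds` or `sinceTime` is supplied, checks that an `interval` is between thirty seconds and one hour, defaults `format` to `syslog`, and resolves all three documented interval forms (start/end, duration/end, start/duration) to a concrete window. The API's own server-time rounding for `sinceSeconds` and `sinceTime` is approximated locally from a caller-supplied `now`, so the returned window is an estimate of what the API will use, not the API's answer. Function names are this example's own.

```python
"""Build and validate the time-window query for a Proofpoint SIEM API call.

Added example for this page, not the connector's code. It implements the rules
from the notes: exactly one of interval, sinceSeconds or sinceTime; an interval
of thirty seconds to one hour; format defaulting to syslog. Server-time
rounding is approximated from a caller-supplied "now" (assumption).
"""
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

MIN_INTERVAL = timedelta(seconds=30)
MAX_INTERVAL = timedelta(hours=1)
# Subset of ISO8601 durations sufficient for the documented examples (PnDTnHnMnS).
_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def parse_iso_datetime(text: str) -> datetime:
    # %z accepts "Z", "-0700" and "-07:00", covering all three documented examples.
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S%z")


def parse_iso_duration(text: str) -> timedelta:
    m = _DURATION.match(text)
    if not m or text in ("P", "PT"):
        raise ValueError(f"unsupported ISO8601 duration: {text}")
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def parse_interval(text: str):
    """Resolve start/end, duration/end or start/duration to (start, end)."""
    left, sep, right = text.partition("/")
    if not sep:
        raise ValueError("interval must contain '/'")
    if left.startswith("P"):            # duration/end, e.g. PT30M/2016-05-01T12:30:00Z
        end = parse_iso_datetime(right)
        start = end - parse_iso_duration(left)
    elif right.startswith("P"):         # start/duration, e.g. 2016-05-01T05:00:00-0700/PT30M
        start = parse_iso_datetime(left)
        end = start + parse_iso_duration(right)
    else:                               # start/end
        start, end = parse_iso_datetime(left), parse_iso_datetime(right)
    return start, end


def round_to_minute(t: datetime) -> datetime:
    """Round to the nearest minute, mirroring what the notes say the API does."""
    t = t.replace(microsecond=0)
    if t.second >= 30:
        t += timedelta(minutes=1)
    return t.replace(second=0)


def build_siem_query(interval=None, since_seconds=None, since_time=None, fmt=None, now=None):
    """Return (query_params, (start, end)); raise ValueError for a request the API rejects."""
    chosen = [p for p in (interval, since_seconds, since_time) if p is not None]
    if len(chosen) != 1:
        raise ValueError("pass exactly one of interval, sinceSeconds or sinceTime")
    now = round_to_minute(now or datetime.now(timezone.utc))
    params = {}
    if interval is not None:
        start, end = parse_interval(interval)
        if not MIN_INTERVAL <= end - start <= MAX_INTERVAL:
            raise ValueError("interval must be between thirty seconds and one hour")
        params["interval"] = interval
    elif since_seconds is not None:
        # Window ends at (rounded) server time and starts since_seconds earlier.
        start, end = now - timedelta(seconds=int(since_seconds)), now
        params["sinceSeconds"] = int(since_seconds)
    else:
        start, end = parse_iso_datetime(since_time), now
        params["sinceTime"] = since_time
    fmt = fmt or "syslog"                # the documented default
    if fmt not in ("syslog", "json"):
        raise ValueError("format must be syslog or json")
    params["format"] = fmt
    return params, (start, end)


def siem_query_string(**kwargs) -> str:
    """Encoded query string to append to the SIEM endpoint from the connector's URL setting."""
    params, _ = build_siem_query(**kwargs)
    return urlencode(params)


def siem_query_error(**kwargs):
    """Return the validation message for a bad request, or None if it is acceptable."""
    try:
        build_siem_query(**kwargs)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for spec in ("2016-05-01T12:00:00Z/2016-05-01T13:00:00Z",
                 "PT30M/2016-05-01T12:30:00Z",
                 "2016-05-01T05:00:00-0700/PT30M"):
        print(spec, "->", build_siem_query(interval=spec)[1])
    print(siem_query_error(interval="2016-05-01T12:00:00Z/2016-05-01T14:00:00Z"))
```

When polling on a schedule, keep the window at or below one hour and avoid overlapping the previous request's interval, since the notes state that overlapping windows can return duplicate records; de-duplicating on the record identifiers in the response is the safe fallback if overlap cannot be avoided.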