Integrate Proofpoint TAP with Google SecOps

This document explains how to integrate Proofpoint TAP with Google Security Operations (Google SecOps).

Integration version: 11.0

Integration parameters

The Proofpoint TAP integration requires the following parameters:

Parameter Description
API Root

Required.

The API root of the Proofpoint Targeted Attack Protection (TAP) instance.

Username

Required.

The username of the Proofpoint TAP instance.

Password

Required.

The API Key of the Proofpoint TAP instance.

Verify SSL

Optional.

If enabled, the integration verifies the SSL certificate of the connection to the Proofpoint TAP server.

For instructions about how to configure an integration in Google SecOps, see Configure integrations.

You can make changes at a later stage, if needed. After you configure an integration instance, you can use it in playbooks. For more information about how to configure and support multiple instances, see Supporting multiple instances.

Actions

For more information about actions, see Respond to pending actions from Your Workdesk and Perform a manual action.

DecodeURL

Use the DecodeURL action to decode Proofpoint's encoded URLs.

This action runs on the following Google SecOps entity:

  • URL

Action inputs

Parameter Description
Encoded URLs

Optional.

A comma-separated list of URLs to decode.

Create URL Entities

Optional.

If selected, the action creates a URL entity from the URL after it has been successfully decoded.

The default value is Checked.

Action outputs

The DecodeURL action provides the following outputs.

Entity Enrichment

The DecodeURL action supports the following entity enrichment logic:

Enrichment Field Name Logic - When to apply
Encoded Urls

A comma-separated list of URLs to decode.

Create URL Entities

If selected, the action creates a URL entity from the URL after it has been successfully decoded.

The default value is Checked.

Script Result

The following table describes the values for the script result output when using the DecodeURL action:

Script Result Name: decoded_urls

Value Options: N/A

Example: N/A
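To show what the DecodeURL action recovers, here is an added Python example, not the integration's own code, that decodes Proofpoint URL Defense v1 and v2 rewritten links; the link format it handles, the constructed sample link and the `decode_urls` helper are assumptions of this example, not something this page documents.

```python
import re
from html import unescape
from typing import Dict, Optional
from urllib.parse import parse_qs, unquote, urlparse

# Matches URL Defense v1/v2 rewritten links such as
#   https://urldefense.proofpoint.com/v2/url?u=https-3A__example.com&d=...&e=
# v3 links (urldefense.com/v3/__...__;) use a different scheme and are rejected.
URLDEFENSE_RE = re.compile(
    r"^https?://urldefense(?:\.proofpoint)?\.com/(?P<version>v[12])/url\?", re.I
)


def decode_urldefense(encoded: str) -> str:
    """Recover the original URL from a URL Defense v1 or v2 rewritten link.

    v1 stores the target percent-encoded in the "u" parameter, which parse_qs
    already decodes. v2 also uses "u", but writes "-" for "%" and "_" for "/"
    (a literal "-" or "_" in the target is escaped as "-2D" / "-5F"), so those
    are mapped back and percent-decoded. Both versions are HTML-unescaped last.
    """
    match = URLDEFENSE_RE.match(encoded)
    if match is None:
        raise ValueError(f"not a URL Defense v1/v2 link: {encoded}")
    values = parse_qs(urlparse(encoded).query).get("u")
    if not values:
        raise ValueError("rewritten link has no 'u' parameter")
    target = values[0]
    if match.group("version").lower() == "v2":
        target = unquote(target.replace("-", "%").replace("_", "/"))
    return unescape(target)


def decode_urls(encoded_csv: str) -> Dict[str, Optional[str]]:
    """Decode a comma-separated list (the form of the action's Encoded URLs input).
    Each input maps to its decoded URL, or to None when it cannot be decoded,
    so a caller can create URL entities only for the successful ones."""
    results: Dict[str, Optional[str]] = {}
    for item in (s.strip() for s in encoded_csv.split(",")):
        if item:
            try:
                results[item] = decode_urldefense(item)
            except ValueError:
                results[item] = None
    return results


# Constructed sample input (not a real rewritten link).
SAMPLE_V2 = ("https://urldefense.proofpoint.com/v2/url?"
             "u=https-3A__www.example.com_login-3Fuser-3Dalice-26next-3D_home&d=DwIGaQ&e=")
```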

GetCampaign

Use the GetCampaign action to get campaign information by the campaign ID.

This action runs on all entities.

Action inputs

The GetCampaign action requires the following parameter:

Parameter Description
Campaign ID

Required.

The ID of the campaign to get information about.

Create Insight

Optional.

If selected, the action creates an insight with the campaign information.

Selected by default.

Create Threat Campaign Entity

Optional.

If selected, the action creates a threat campaign entity from the campaign information.

Selected by default.

Fetch Forensics Info

Optional.

If selected, the action fetches forensics information from the campaign.

Selected by default.

Forensic Evidence Type Filter

Optional.

A comma-separated list of evidence types to return when fetching forensic info.

Possible values:

attachment, cookie, dns, dropper, file, ids, mutex, network, process, registry, screenshot, url, redirect_chain, behavior.

Max Forensics Evidence To Return

Optional.

The number of evidence items to return per campaign.

The default value is 50.

The maximum value is 1000.

Action outputs

The GetCampaign action provides the following outputs.

Script Result

The following table describes the values for the script result output when using the GetCampaign action:

Script Result Name: campaign_info

Value Options: N/A

Example: N/A

Ping

Use the Ping action to test Proofpoint TAP connectivity.

This action runs on all entities.

Action inputs

The Ping action doesn't require any parameters.

Action outputs

The Ping action provides the following outputs.

Script Result

The following table describes the values for the script result output when using the Ping action:

Script Result Name: is_success

Value Options: True/False

Example: is_success:False
