Proofpoint TAP

Integration version: 8.0

Configure Proofpoint TAP integration in Google Security Operations

For detailed instructions on how to configure an integration in Google SecOps, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

Parameter Display Name Type Default Value Is Mandatory Description
API Root String https://tap-api-v2.proofpoint.com Yes API root of the Proofpoint Targeted Attack Protection (TAP) instance.
Username String N/A Yes Username of the Proofpoint TAP instance.
Password Password N/A Yes API Key of the Proofpoint TAP instance.
Verify SSL Checkbox Checked No If enabled, verify that the SSL certificate for the connection to the Proofpoint TAP server is valid.

Actions

For more information about actions, see Respond to pending actions from Your Workdesk and Perform a manual action.

Decode URL

Use the Decode URL action to decode Proofpoint's encoded URLs.

This action runs on the following entity:

  • URL

Action inputs

The Decode URL action has no parameters.

Action outputs

The Decode URL action provides the following outputs.

Entity Enrichment

The Decode URL action supports the following entity enrichment logic:

Enrichment Field Name Logic - When to apply
encodedUrl The URL will be marked as encoded, if the encoding process from decoded URL is successful.
decodedUrl The URL will be marked as decoded, if the decoding process from encoded URL is successful.

Script Result

The following table describes the values for the script result output when using the Decode URL action:

Script Result Name Value Options Example
decoded_urls N/A N/A

Get Campaign

Use the Get Campaign action to get campaign information by the campaign ID.

This action runs on all entities.

Action inputs

The Get Campaign action requires the following parameter:

Parameter Description
Campaign ID The ID of the campaign to get info about.

Action outputs

The Get Campaign action provides the following outputs.

Script Result

The following table describes the values for the script result output when using the Get Campaign action:

Script Result Name Value Options Example
campaign_info N/A N/A

Get Threat Forensics

Use the Get Threat Forensics action to return forensics associated with a threat in Proofpoint TAP.

This action doesn't run on any entities.

Parameters

The Get Threat Forensics action requires the following parameters:

Parameter Type Default Value Description
Threat ID CSV

Required.

A comma-separated list of threat IDs for which forensics need to be returned.

Include Campaign Forensics Bool False

Optional.

If enabled, the action will also return campaign forensics related to the provided threat.

Max Results To Return int 50

Required.

The number of results to return.

Default: 50. Maximum: 1000.

Action outputs

The Get Threat Forensics action provides the following outputs:

Type Available
Script Result True
JSON Result True
Enrichment Table False
Case Wall Table False
Case Wall Link False
Case Wall Attachment False

Script Result

The following table describes the values for the script result output when using the Get Threat Forensics action:

Script Result Name Value Options Example
is_success True/False is_success:False

JSON Result

The following example describes the JSON result output received when using the Get Threat Forensics action:

[
   {
       "scope": "THREAT",
       "id": "ec112c7f66f006578b57a3898a1917d8a0ff85d68e9e4a6780b3d8ebcc9d5e7d",
       "name": "ec112c7f66f006578b57a3898a1917d8a0ff85d68e9e4a6780b3d8ebcc9d5e7d",
       "threatStatus": "active",
       "forensics": [
           {
               "type": "attachment",
               "display": "Attachment with SHA-256: ec112c7f66f006578b57a3898a1917d8a0ff85d68e9e4a6780b3d8ebcc9d5e7d",
               "engine": "iee",
               "malicious": false,
               "note": "Detected by rule 4b20e2c1-43b6-11e8-8d2e-1210ed9df0ae",
               "time": 0,
               "what": {
                   "rule": "4b20e2c1-43b6-11e8-8d2e-1210ed9df0ae"
               },
               "platforms": [
                   {
                       "name": "static",
                       "os": "static",
                       "version": "0"
                   }
               ]
           }
       ]
   }
]

Output messages

The Get Threat Forensics action provides the following output messages:

Output message Message description

Successfully returned forensics for the following threats in Proofpoint TAP: {threat id}.

No forensics were found for the following threats in Proofpoint TAP: {threat id}.

No forensics were found for the provided threats in Proofpoint TAP.

Action succeeded.

Error executing action "Get Threat Forensics". Reason: {0}''.format(error.Stacktrace)

Error executing action "Get Threat Forensics". Reason: {0}''.format(message)

Error executing action "Get Threat Forensics". Reason: the following threat IDs are invalid: {invalid threat id}. Please check the spelling

Action failed.

List Campaigns

Use the List Campaigns action to return a list of active campaigns in Proofpoint TAP.

This action doesn't run on any entities.

Action inputs

The List Campaigns action requires the following parameters:

Parameter Description
Time Frame

Optional.

The timeframe for the results. If "Custom" is selected, you also need to provide "Start Time".

The possible values are as follows:

  • Last Hour
  • Last 6 Hours
  • Last 24 Hours
  • Last Week
  • Custom

Start Time

Optional.

The start time for the results. If "Custom" is selected for the "Time Frame" parameter, this parameter is required. Format: ISO 8601.

End Time

Optional.

The end time for the results. Format: ISO 8601. If nothing is provided and "Custom" is selected for the "Time Frame" parameter, this parameter will use current time.

Max Results To Return

Required.

The number of results to return.

Default: 50. Maximum: 1000.

Action outputs

The List Campaigns action provides the following outputs:

Action output type Availability
Script Result Available
JSON Result Available
Enrichment Table Not available
Case Wall Table Not available
Case Wall Link Not available
Case Wall Attachment Not available

Script Result

The following table describes the values for the script result output when using the List Campaigns action:

Script Result Name Value Options Example
is_success True/False is_success:False

JSON Result

The following example describes the JSON result output received when using the List Campaigns action:

{
   "campaigns": [
       {
           "id": "d3e257dc-6d63-4693-8bcf-afcba66fea01",
           "lastUpdatedAt": "2025-01-20T00:00:17.000Z",
           "notable": false,
           "verticallyTargeted": false
       },
       {
           "id": "c1c97431-d0ec-4e46-8a55-5102ba27f0b0",
           "lastUpdatedAt": "2025-01-16T02:34:16.000Z",
           "notable": false,
           "verticallyTargeted": false
       },
       {
           "id": "751833f2-b21f-43f6-99ae-2d41e7caf6c3",
           "lastUpdatedAt": "2025-01-12T11:25:20.000Z",
           "notable": false,
           "verticallyTargeted": false
       },
       {
           "id": "d8f2dfce-b98f-412c-be79-e2d447250527",
           "lastUpdatedAt": "2025-01-12T00:00:07.000Z",
           "notable": false,
           "verticallyTargeted": false
       },
       {
           "id": "c0b16640-738c-46b5-9297-18574d7d26c2",
           "lastUpdatedAt": "2024-12-31T08:17:58.000Z",
           "notable": false,
           "verticallyTargeted": false
       }
   ]
}

Output messages

The List Campaigns action provides the following output messages:

Output message Message description

Successfully returned campaigns from Proofpoint TAP.

No campaigns were found in Proofpoint TAP for the provided criteria.

Action succeeded.

Error executing action "List Campaigns". Reason: {0}''.format(error.Stacktrace)

Error executing action "List Campaigns". Reason: {0}''.format(message)

Action failed.

Ping

Use the Ping action to test Proofpoint TAP connectivity.

This action runs on all entities.

Action inputs

The Ping action doesn't require any parameters.

Action outputs

The Ping action provides the following outputs.

Script Result

The following table describes the values for the script result output when using the Ping action:

Script Result Name Value Options Example
is_success True/False is_success:False

Search Events

Use the Search Events action to search events in Proofpoint TAP.

This action doesn't run on any entities.

Action inputs

The Search Events action requires the following parameters:

Parameter Description
Event Type

Optional.

The type of the event being returned.

The possible values are as follows:

  • All Issues
  • Clicks Blocked
  • Clicks Permitted
  • Messages Delivered
  • Messages Blocked

Threat Status

Optional.

The status of the threat being returned. If "Select One" is provided, then the action will return "Active" and "Cleared" threats.

The possible values are as follows:

  • Active
  • Clear
  • False Positive

Time Frame

Optional.

The timeframe for the results. If "Custom" is selected, you also need to provide "Start Time".

The possible values are as follows:

  • Last Hour
  • Last 6 Hours
  • Last 24 Hours
  • Last Week
  • Custom

Start Time

Optional.

The start time for the results. If "Custom" is selected for the "Time Frame" parameter, this parameter is mandatory. Format: ISO 8601.

End Time

Optional.

The end time for the results. Format: ISO 8601. If nothing is provided and "Custom" is selected for the "Time Frame" parameter, this parameter will use current time.

Max Results To Return

Required.

The number of results to return.

Default: 50. Maximum: 1000.

Action outputs

The Search Events action provides the following outputs:

Type Available
Script Result True
JSON Result True
Enrichment Table False
Case Wall Table False
Case Wall Link False
Case Wall Attachment False

Script Result

The following table describes the values for the script result output when using the Search Events action:

Script Result Name Value Options Example
is_success True/False is_success:False

JSON Result

The following example describes the JSON result output received when using the Search Events action:

{
   "events": [
       {
           "eventType": "messagesBlocked",
           "spamScore": 100,
           "phishScore": 0,
           "threatsInfoMap": [
               {
                   "threatID": "ec112c7f66f006578b57a3898a1917d8a0ff85d68e9e4a6780b3d8ebcc9d5e7d",
                   "threatStatus": "active",
                   "classification": "phish",
                   "detectionType": "NONE",
                   "threatUrl": "https://threatinsight.proofpoint.com/e65934ff-e650-9cbe-56b5-e9cf2cc5ac2e/threat/email/ec112c7f66f006578b57a3898a1917d8a0ff85d68e9e4a6780b3d8ebcc9d5e7d",
                   "threatTime": "2018-04-17T21:40:16.000Z",
                   "threat": "ec112c7f66f006578b57a3898a1917d8a0ff85d68e9e4a6780b3d8ebcc9d5e7d",
                   "campaignID": null,
                   "actors": [
                       {
                           "id": "f426d241-59ee-4b85-abaa-33a4171048dd",
                           "name": "TA204",
                           "type": "ACTOR"
                       }
                   ],
                   "threatType": "attachment"
               }
           ],
           "messageTime": "2025-04-10T11:00:32.000Z",
           "impostorScore": 0.0,
           "malwareScore": 0,
           "cluster": "proofpointdemo_cloudadminuidemo_hosted",
           "subject": "Aufmerksamkeit ! Ihr Konto PayPal wurde begrenzt !",
           "quarantineFolder": "Attachment Defense",
           "quarantineRule": "threat",
           "policyRoutes": [
               "default_inbound",
               "allow_relay",
               "firewallsafe",
               "internalnet"
           ],
           "modulesRun": [
               "av",
               "spf",
               "sandbox",
               "spam",
               "dmarc",
               "urldefense"
           ],
           "messageSize": 36485,
           "headerFrom": "PayPal <paypal@service.fr>",
           "headerReplyTo": null,
           "fromAddress": [
               "paypal@service.fr"
           ],
           "ccAddresses": [],
           "replyToAddress": [],
           "toAddresses": [
               "abuse@company.com"
           ],
           "xmailer": null,
           "messageParts": [
               {
                   "disposition": "inline",
                   "sha256": "ca68d1b4ecd8b644e5776ff6a5aafbe32a238bd86d35bc66c42e1526437a3aba",
                   "md5": "fb5850356f812816a26eaec02716283d",
                   "filename": "text.html",
                   "sandboxStatus": "NOT_SUPPORTED",
                   "oContentType": "text/html",
                   "contentType": "text/html"
               },
               {
                   "disposition": "attached",
                   "sha256": "ec112c7f66f006578b57a3898a1917d8a0ff85d68e9e4a6780b3d8ebcc9d5e7d",
                   "md5": "5b3eabc04003e63e55215c236ecf7ff4",
                   "filename": "paypal account-informationen.html",
                   "sandboxStatus": "THREAT",
                   "oContentType": "text/html",
                   "contentType": "text/html"
               }
           ],
           "completelyRewritten": false,
           "id": "b2d78e78-30d3-634a-d1b7-4392edd82cf9",
           "QID": "45u1c497pb-1",
           "GUID": "jj-QiPipJEgQip8E1J66-qWvd5dtGRW6",
           "sender": "mgalvan@example.com",
           "recipient": [
               "dbutler@proofpointdemo.com"
           ],
           "senderIP": "127.0.0.1",
           "messageID": "<20110725194025.05E0C2BF9475@270493-ww1.securesyte.com>"
       }
   ]
}

Output messages

The Search Events action provides the following output messages:

Output message Message description

Successfully connected to the Proofpoint TAP server with the provided connection parameters!

No events were found in Proofpoint TAP for the provided criteria.

Action succeeded.

Error executing action "Search Events". Reason: {0}''.format(error.Stacktrace)

Error executing action "Search Events". Reason: {0}''.format(message)

Action failed.
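
The following added example (not part of the Proofpoint TAP integration or its documentation) shows one way to pivot from a Search Events JSON result to the Threat ID input of the Get Threat Forensics action. It handles only the threatsInfoMap shape shown in the JSON result above; the function names and all sample values other than the first threat ID are assumptions constructed for illustration.

```python
# Constructed sample that reuses the field names of the Search Events JSON
# result above. T1 is the threat ID from that result; T2 and T3 are made up.
T1 = "ec112c7f66f006578b57a3898a1917d8a0ff85d68e9e4a6780b3d8ebcc9d5e7d"
T2, T3 = "fe" * 32, "00" * 32
SAMPLE = {"events": [
    {"eventType": "messagesBlocked", "recipient": ["dbutler@proofpointdemo.com"],
     "threatsInfoMap": [{"threatID": T1, "threatStatus": "active", "classification": "phish"}],
     "messageParts": [
         {"sha256": T1, "filename": "paypal account-informationen.html", "sandboxStatus": "THREAT"},
         {"sha256": "ca" * 32, "filename": "text.html", "sandboxStatus": "NOT_SUPPORTED"}]},
    {"eventType": "messagesDelivered", "recipient": ["user@example.com"],
     "threatsInfoMap": [{"threatID": T2, "threatStatus": "active", "classification": "malware"},
                        {"threatID": T3, "threatStatus": "cleared", "classification": "phish"}],
     "messageParts": None},
]}


def summarize_threats(result, statuses=("active",)):
    """Group events by threatID, keeping only threats whose status is in `statuses`."""
    threats = {}
    for event in result.get("events") or []:
        # Attachment hashes that the sandbox marked as a threat in this message.
        flagged = [p["sha256"] for p in event.get("messageParts") or []
                   if p.get("sandboxStatus") == "THREAT" and p.get("sha256")]
        for info in event.get("threatsInfoMap") or []:
            tid = info.get("threatID")
            if not tid or info.get("threatStatus") not in statuses:
                continue
            entry = threats.setdefault(tid, {
                "classification": info.get("classification"),
                "event_types": set(), "recipients": set(), "flagged_sha256": set()})
            entry["event_types"].add(event.get("eventType"))
            entry["recipients"].update(event.get("recipient") or [])
            entry["flagged_sha256"].update(flagged)
    return threats


def delivered_first(threats):
    """Order threat IDs so threats seen in a delivered message are triaged first."""
    return sorted(threats, key=lambda t: ("messagesDelivered" not in threats[t]["event_types"], t))


def threat_id_csv(threat_ids):
    """Build the comma-separated "Threat ID" input for Get Threat Forensics."""
    return ",".join(threat_ids)
```
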
