Proofpoint TAP
Integration version: 8.0
Configure Proofpoint TAP integration in Google Security Operations
For detailed instructions on how to configure an integration in Google SecOps, see Configure integrations.
Integration parameters
Use the following parameters to configure the integration:
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| API Root | String | https://tap-api-v2.proofpoint.com | Yes | API root of the Proofpoint Targeted Attack Protection (TAP) instance. |
| Username | String | N/A | Yes | Username of the Proofpoint TAP instance. |
| Password | Password | N/A | Yes | API Key of the Proofpoint TAP instance. |
| Verify SSL | Checkbox | Checked | No | If enabled, verify that the SSL certificate for the connection to the Proofpoint TAP server is valid. |
Actions
For more information about actions, see Respond to pending actions from Your Workdesk and Perform a manual action.
Decode URL
Use the Decode URL action action to decode Proofpoint's encoded URLs.
This action runs on the following entity:
URL
Action inputs
The Decode URL action has no parameters.
Action outputs
The Enrich Domain action provides the following outputs.
Entity Enrichment
The Decode URL action supports the following entity enrichment logic:
| Enrichment Field Name | Logic - When to apply |
|---|---|
| encodedUrl | The URL will be marked as encoded, if the encoding process from decoded URL is successful. |
| decodedUrl | The URL will be marked as decoded, if the decoding process from encoded URL is successful. |
Script Result
The following table describes the values for the script result output when using the Decode URL action:
| Script Result Name | Value Options | Example |
|---|---|---|
| decoded_urls | N/A | N/A |
Get Campaign
Use the Get Campaign action to get campaign information by the campaign ID.
This action runs on all entities.
Action inputs
The Get Campaign action requires the following parameter:
| Parameter | Description |
|---|---|
| Campaign ID | The ID of the campaign to get info about. |
Action outputs
The Get Campaign action provides the following outputs.
Script Result
The following table describes the values for the script result output when using the Get Campaign action:
| Script Result Name | Value Options | Example |
|---|---|---|
| campaign_info | N/A | N/A |
Get Threat Forensics
Use the Get Threat Forensics action to return forensics associated with a threat in Proofpoint TAP.
This action doesn't run on any entities.
Parameters
The Get Threat Forensics action requires the following parameters:
| Parameter | Type | Default Value | Description |
|---|---|---|---|
| Threat ID | CSV | Required. A comma-separated list of threat IDs for which forensics need to be returned. |
|
| Include Campaign Forensics | Bool | False | Optional. If enabled, the action will also return campaign forensics related to the provided threat. |
| Max Results To Return | int | 50 | Required. The number of results to return. Default: 50. Maximum: 1000. |
Action outputs
The Get Threat Forensics action provides the following outputs:
| Type | Available |
|---|---|
| Script Result | True |
| JSON Result | True |
| Enrichment Table | False |
| Case Wall Table | False |
| Case Wall Link | False |
| Case Wall Attachment | False |
Script Result
The following table describes the values for the script result output when using the Get Threat Forensics action:
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
The following example describes the JSON result output received when using the Get Threat Forensics action:
[
{
"scope": "THREAT",
"id": "ec112c7f66f006578b57a3898a1917d8a0ff85d68e9e4a6780b3d8ebcc9d5e7d",
"name": "ec112c7f66f006578b57a3898a1917d8a0ff85d68e9e4a6780b3d8ebcc9d5e7d",
"threatStatus": "active",
"forensics": [
{
"type": "attachment",
"display": "Attachment with SHA-256: ec112c7f66f006578b57a3898a1917d8a0ff85d68e9e4a6780b3d8ebcc9d5e7d",
"engine": "iee",
"malicious": false,
"note": "Detected by rule 4b20e2c1-43b6-11e8-8d2e-1210ed9df0ae",
"time": 0,
"what": {
"rule": "4b20e2c1-43b6-11e8-8d2e-1210ed9df0ae"
},
"platforms": [
{
"name": "static",
"os": "static",
"version": "0"
}
]
}
]
}
]
Output messages
The Get Threat Forensics action provides the following output messages:
| Output message | Message description |
|---|---|
|
Action succeeded. |
|
Action failed. |
List Campaigns
Use the List Campaign action to return a list of active campaigns in Proofpoint TAP.
This action doesn't run on any entities.
Action inputs
The List Campaigns action requires the following parameters:
| Parameter | Description |
|---|---|
| Time Frame | Optional. The timeframe for the results. If "Custom" is selected, you also need to provide "Start Time". The Last Hour possible values are as follows:
|
| Start Time | Optional. The start time for the results. If "Custom" is selected for the "Time Frame" parameter, this parameter is required. Format: ISO 8601. |
| End Time | Optional. The end time for the results. Format: ISO 8601. If nothing is provided and "Custom" is selected for the "Time Frame" parameter, this parameter will use current time. |
| Max Results To Return | Required. The number of results to return. Default: 50. Maximum: 1000. |
Action outputs
The List Campaigns action provides the following outputs:
| Action output type | Availability |
|---|---|
| Script Result | Available |
| JSON Result | Available |
| Enrichment Table | Not available |
| Case Wall Table | Not available |
| Case Wall Link | Not available |
| Case Wall Attachment | Not available |
Script Result
The following table describes the values for the script result output when using the List Campaigns action:
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
The following example describes the JSON result output received when using the List Campaigns action:
{
"campaigns": [
{
"id": "d3e257dc-6d63-4693-8bcf-afcba66fea01",
"lastUpdatedAt": "2025-01-20T00:00:17.000Z",
"notable": false,
"verticallyTargeted": false
},
{
"id": "c1c97431-d0ec-4e46-8a55-5102ba27f0b0",
"lastUpdatedAt": "2025-01-16T02:34:16.000Z",
"notable": false,
"verticallyTargeted": false
},
{
"id": "751833f2-b21f-43f6-99ae-2d41e7caf6c3",
"lastUpdatedAt": "2025-01-12T11:25:20.000Z",
"notable": false,
"verticallyTargeted": false
},
{
"id": "d8f2dfce-b98f-412c-be79-e2d447250527",
"lastUpdatedAt": "2025-01-12T00:00:07.000Z",
"notable": false,
"verticallyTargeted": false
},
{
"id": "c0b16640-738c-46b5-9297-18574d7d26c2",
"lastUpdatedAt": "2024-12-31T08:17:58.000Z",
"notable": false,
"verticallyTargeted": false
}
]
}
Output messages
The List Campaigns action provides the following output messages:
| Output message | Message description |
|---|---|
|
Action succeeded. |
|
Action failed. |
Ping
Use the Ping action to test ProofPoint TAP connectivity.
This action runs on all entities.
Action inputs
The Ping action doesn't require any parameters.
Action outputs
The Ping action provides the following outputs.
Script Result
The following table describes the values for the script result output when using the Ping action:
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
Search Events
Use the Search Events action to search events in Proofpoint TAP.
This action doesn't run on any entities.
Action inputs
The Search Events action requires the following parameters:
| Parameter | Description |
|---|---|
| Event Type | Optional. The type of the event being returned. The possible values are as follows:
|
| Threat Status | Optional. The status of the threat being returned. If "Select One" is provided, then the action will return "Active" and "Cleared" threats. The possible values are as follows:
|
| Time Frame | Optional. The timeframe for the results. If "Custom" is selected, you also need to provide "Start Time". The Last Hour possible values are as follows:
|
| Start Time | Optional. The start time for the results. If "Custom" is selected for the "Time Frame" parameter, this parameter is mandatory. Format: ISO 8601. |
| End Time | Optional. The end time for the results. Format: ISO 8601. If nothing is provided and "Custom" is selected for the "Time Frame" parameter, this parameter will use current time. |
| Max Results To Return | Required. The number of results to return. Default: 50. Maximum: 1000. |
Action outputs
The Search Events action provides the following outputs:
| Type | Available |
|---|---|
| Script Result | True |
| JSON Result | True |
| Enrichment Table | False |
| Case Wall Table | False |
| Case Wall Link | False |
| Case Wall Attachment | False |
Script Result
The following table describes the values for the script result output when using the Search events action:
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
The following example describes the JSON result output received when using the Search Events action:
{
"events": [
{
"eventType": "messagesBlocked",
"spamScore": 100,
"phishScore": 0,
"threatsInfoMap": [
{
"threatID": "ec112c7f66f006578b57a3898a1917d8a0ff85d68e9e4a6780b3d8ebcc9d5e7d",
"threatStatus": "active",
"classification": "phish",
"detectionType": "NONE",
"threatUrl": "https://threatinsight.proofpoint.com/e65934ff-e650-9cbe-56b5-e9cf2cc5ac2e/threat/email/ec112c7f66f006578b57a3898a1917d8a0ff85d68e9e4a6780b3d8ebcc9d5e7d",
"threatTime": "2018-04-17T21:40:16.000Z",
"threat": "ec112c7f66f006578b57a3898a1917d8a0ff85d68e9e4a6780b3d8ebcc9d5e7d",
"campaignID": null,
"actors": [
{
"id": "f426d241-59ee-4b85-abaa-33a4171048dd",
"name": "TA204",
"type": "ACTOR"
}
],
"threatType": "attachment"
}
],
"messageTime": "2025-04-10T11:00:32.000Z",
"impostorScore": 0.0,
"malwareScore": 0,
"cluster": "proofpointdemo_cloudadminuidemo_hosted",
"subject": "Aufmerksamkeit ! Ihr Konto PayPal wurde begrenzt !",
"quarantineFolder": "Attachment Defense",
"quarantineRule": "threat",
"policyRoutes": [
"default_inbound",
"allow_relay",
"firewallsafe",
"internalnet"
],
"modulesRun": [
"av",
"spf",
"sandbox",
"spam",
"dmarc",
"urldefense"
],
"messageSize": 36485,
"headerFrom": "PayPal <paypal@service.fr>",
"headerReplyTo": null,
"fromAddress": [
"paypal@service.fr"
],
"ccAddresses": [],
"replyToAddress": [],
"toAddresses": [
"abuse@company.com"
],
"xmailer": null,
"messageParts": [
{
"disposition": "inline",
"sha256": "ca68d1b4ecd8b644e5776ff6a5aafbe32a238bd86d35bc66c42e1526437a3aba",
"md5": "fb5850356f812816a26eaec02716283d",
"filename": "text.html",
"sandboxStatus": "NOT_SUPPORTED",
"oContentType": "text/html",
"contentType": "text/html"
},
{
"disposition": "attached",
"sha256": "ec112c7f66f006578b57a3898a1917d8a0ff85d68e9e4a6780b3d8ebcc9d5e7d",
"md5": "5b3eabc04003e63e55215c236ecf7ff4",
"filename": "paypal account-informationen.html",
"sandboxStatus": "THREAT",
"oContentType": "text/html",
"contentType": "text/html"
}
],
"completelyRewritten": false,
"id": "b2d78e78-30d3-634a-d1b7-4392edd82cf9",
"QID": "45u1c497pb-1",
"GUID": "jj-QiPipJEgQip8E1J66-qWvd5dtGRW6",
"sender": "mgalvan@example.com",
"recipient": [
"dbutler@proofpointdemo.com"
],
"senderIP": "127.0.0.1",
"messageID": "<20110725194025.05E0C2BF9475@270493-ww1.securesyte.com>"
}
]
}
Output messages
The Search Events action provides the following output messages:
| Output message | Message description |
|---|---|
|
Action succeeded. |
|
Action failed. |
Need more help? Get answers from Community members and Google SecOps professionals.