Details
Content
Dependencies
Version History

Use the Proofpoint Targeted Attack Protection (TAP) integration to protect against and provide additional visibility into phishing and other malicious email attacks.

Proofpoint TAP

Use the Proofpoint Targeted Attack Protection (TAP) integration to protect against and provide additional visibility into phishing and other malicious email attacks.
Proofpoint TAP detects, analyzes and blocks advanced threats before they reach your inbox. This includes ransomware and other advanced email threats delivered through malicious attachments and URLs.

Collect Events from Vendor

To configure the collector for Proofpoint TAP, follow the XDR documentation here.

What does this pack do?

Fetches events for all clicks and messages relating to known threats within a specified time period.
Returns forensics evidence.
Fetches events for clicks to malicious URLs in a specified time period.
Fetches events for messages in a specified time period.
Fetches events for clicks to malicious URLs permitted and messages delivered containing a known attachment threat within a specified time period.
Fetches a list of IDs of campaigns active in a specified time period.
Fetches details for a given campaign.
Fetches a list of the most attacked users in the organization.
Fetches a list of the top clickers in the organization for a specified time period.
Decodes URLs that have been rewritten by TAP to their original, target URL.

The playbook in this pack enriches information about the event forensics.

Proofpoint TAP

Collect Events from Vendor

To configure the collector for Proofpoint TAP, follow the XDR documentation here.

What does this pack do?

Fetches events for all clicks and messages relating to known threats within a specified time period.
Returns forensics evidence.
Fetches events for clicks to malicious URLs in a specified time period.
Fetches events for messages in a specified time period.
Fetches events for clicks to malicious URLs permitted and messages delivered containing a known attachment threat within a specified time period.
Fetches a list of IDs of campaigns active in a specified time period.
Fetches details for a given campaign.
Fetches a list of the most attacked users in the organization.
Fetches a list of the top clickers in the organization for a specified time period.
Decodes URLs that have been rewritten by TAP to their original, target URL.

The playbook in this pack enriches information about the event forensics.

Automations

Name	Description
ProofpointTAPMostAttackedUsers	Exports a list of Proofpoint TAP most attacked users to the Cortex XSOAR widget.
ProofpointTapTopClickers	Exports a list of Proofpoint TAP top clickers to the Cortex XSOAR widget.

Classifiers

Name	Description
Proofpoint TAP Classifier
Proofpoint TAP Mapper

Dashboards

Name	Description
Proofpoint TAP

Incident Fields

Name	Description
Proofpoint TAP Message ID
Proofpoint TAP Click IP
Proofpoint TAP Threat Time
Proofpoint TAP Header To
Proofpoint TAP Long Subject
Proofpoint TAP Headers From
Proofpoint TAP Spam Score
Proofpoint TAP Cluster
Proofpoint TAP Classification
Proofpoint TAP Threat ID
Proofpoint TAP User Agent
Proofpoint TAP Sender Address
Proofpoint TAP SMTP Sender
Proofpoint TAP Threat URL
Proofpoint TAP SMTP Recipient
Proofpoint TAP Phishing Score
Proofpoint TAP Message Parts
Proofpoint TAP ID
Proofpoint TAP Type
Proofpoint TAP Sender IP
Proofpoint TAP Headers Reply To
Proofpoint TAP GUID
Proofpoint TAP Threat Status
Proofpoint TAP Quarantine Folder
Proofpoint TAP Malware Score
Proofpoint TAP Suspicious URL
Proofpoint TAP Reply To Address
Proofpoint TAP Examined By
Proofpoint TAP Xmailer
Proofpoint TAP Imposter Score
Proofpoint TAP Message Size
Proofpoint TAP Policies
Proofpoint TAP Subject
Proofpoint TAP Quarantine Rule
Proofpoint TAP Campaign ID
Proofpoint TAP Threat Info Map
Proofpoint TAP Click Time
Proofpoint TAP Header CC

Incident Types

Name	Description
Proofpoint TAP - Click Blocked
Proofpoint TAP - Message Delivered
Proofpoint TAP - Click Permitted
Proofpoint TAP - Message Blocked

Integrations

Name	Description
Proofpoint TAP v2	Use the Proofpoint Targeted Attack Protection (TAP) integration to protect against and provide additional visibility into phishing and other malicious email attacks.

Layouts

Name	Description
Proofpoint TAP Message Layout
Proofpoint TAP Clicks Layout

Playbooks

Name	Description
Proofpoint TAP - Event Enrichment	This playbook enriches Proofpoint Targeted Attack Protection (TAP) incidents with forensic evidence. By utilizing the 'proofpoint-get-forensics' command, the playbook retrieves forensic evidence based on the campaign ID and threat ID detected in the Proofpoint TAP incidents.

Report

Name	Description
Proofpoint TAP Weekly Report

Automations

Name	Description
ProofpointTapTopClickers	Exports a list of Proofpoint TAP top clickers to the Cortex XSIAM widget.
ProofpointTAPMostAttackedUsers	Exports a list of Proofpoint TAP most attacked users to the Cortex XSIAM widget.

Classifiers

Name	Description
Proofpoint TAP Classifier
Proofpoint TAP Mapper

Incident Fields

Name	Description
Proofpoint TAP SMTP Sender
Proofpoint TAP Xmailer
Proofpoint TAP Spam Score
Proofpoint TAP Malware Score
Proofpoint TAP Sender IP
Proofpoint TAP Header To
Proofpoint TAP GUID
Proofpoint TAP Header CC
Proofpoint TAP Type
Proofpoint TAP Threat ID
Proofpoint TAP Threat Time
Proofpoint TAP Headers Reply To
Proofpoint TAP Suspicious URL
Proofpoint TAP Policies
Proofpoint TAP Quarantine Rule
Proofpoint TAP Message Size
Proofpoint TAP Phishing Score
Proofpoint TAP ID
Proofpoint TAP Message ID
Proofpoint TAP Headers From
Proofpoint TAP Campaign ID
Proofpoint TAP Threat URL
Proofpoint TAP Classification
Proofpoint TAP Subject
Proofpoint TAP Imposter Score
Proofpoint TAP Examined By
Proofpoint TAP Message Parts
Proofpoint TAP Reply To Address
Proofpoint TAP Click Time
Proofpoint TAP Long Subject
Proofpoint TAP Threat Status
Proofpoint TAP Quarantine Folder
Proofpoint TAP Click IP
Proofpoint TAP Threat Info Map

Incident Types

Name	Description
Proofpoint TAP - Click Blocked
Proofpoint TAP - Message Blocked
Proofpoint TAP - Click Permitted
Proofpoint TAP - Message Delivered

Integrations

Name	Description
Proofpoint TAP v2	Use the Proofpoint Targeted Attack Protection (TAP) integration to protect against and provide additional visibility into phishing and other malicious email attacks.

Modeling Rules

Name	Description
ProofpointTAP Modeling Rule

Parsing Rules

Name	Description
ProofpointTAP Parsing Rule

Playbooks

Name	Description
Proofpoint TAP - Event Enrichment	This playbook enriches Proofpoint Targeted Attack Protection (TAP) alerts with forensic evidence. By utilizing the 'proofpoint-get-forensics' command, the playbook retrieves forensic evidence based on the campaign ID and threat ID detected in the Proofpoint TAP alerts.

Required Content Packs (3)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR

Optional Content Packs (3)

Pack Name	Pack By
Common Types	By: Cortex XSOAR
Phishing	By: Cortex XSOAR
PhishingAlerts	By: Cortex XSOAR

All level dependencies (4)

Pack Name	Pack By
Base	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR

1.2.13 - 1112736 (June 23, 2024)

Scripts

ProofpointTAPMostAttackedUsers

Fixed an issue where Most Attacked Mailboxed based on Proofpoint TAP AttackIndex widget would not render in Proofpoint Tap dashboard with empty values.
Updated the Docker image to: demisto/python3:3.10.14.98471.

ProofpointTapTopClickers

Fixed an issue where Proofpoint TAP Top Clickers widget would not render in Proofpoint Tap dashboard with empty values.
Updated the Docker image to: demisto/python3:3.10.14.98471.

Related pull requests:
- 34983

Download

1.2.12 - 1025939 (May 19, 2024)

Integrations

Proofpoint TAP v2

Added a validation that the value of First fetch time range parameter is less than 7 days.
Updated the Docker image to: demisto/python3:3.10.14.92207.

Related pull requests:
- 34338

Download

1.2.11 - 836299 (February 18, 2024)

Scripts

ProofpointTapTopClickers

Updated the Docker image to: demisto/python3:3.10.13.86272.

ProofpointTAPMostAttackedUsers

Updated the Docker image to: demisto/python3:3.10.13.86272.

Related pull requests:
- 32446

Download

1.2.10 - R828628 (February 14, 2024)

Integrations

Proofpoint TAP v2

Updated the Docker image to: demisto/python3:3.10.13.75921.
Fixed an issue in clearing integration context in fetch-incidents.

Related pull requests:
- 30113

Download

1.2.9 - R6592021 (October 13, 2023)

Integrations

Proofpoint TAP v2

Fixed an issue where setting new instance of the integration result in an error "'<' is not supported".

Related pull requests:
- 28867

Download

1.2.8 - 5987442 (August 8, 2023)

Integrations

Proofpoint TAP v2

Added the limit parameter.
Updated docker image from 3.10.12.63474 to 3.10.12.67728.

Related pull requests:
- 28786

Download

1.2.7 - R5866730 (July 25, 2023)

Scripts

ProofpointTAPMostAttackedUsers

Updated the Docker image to: demisto/python3:3.10.12.63474.

ProofpointTapTopClickers

Updated the Docker image to: demisto/python3:3.10.12.63474.

Related pull requests:
- 28221

Download

1.2.6 - 5760561 (July 13, 2023)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 28112

Download

1.2.5 - 5723074 (July 9, 2023)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 27751

Download

1.2.4 - 5692327 (July 5, 2023)

Integrations

Proofpoint TAP v2

Updated the Docker image to: demisto/python3:3.10.12.63474.

Related pull requests:
- 27905

Download

1.2.3 - R5422508 (June 1, 2023)

Integrations

Proofpoint TAP v2

Improved logging when running with the debug-mode argument.
Updated Docker image to demisto/python3:3.10.11.54132

Related pull requests:
- 26035

Download

1.2.2 - R4954430 (April 2, 2023)

Playbooks

Proofpoint TAP - Event Enrichment

Documentation and metadata improvements.

Related pull requests:
- 23716

Download

1.2.1 - 4727595 (March 2, 2023)

Integrations

Proofpoint TAP v2

Updated the pack category to Email.
Updated the Docker image to: demisto/python3:3.10.10.48392.

Related pull requests:
- 24719

Download

1.2.0 - R4718798 (March 1, 2023)

Playbooks

Proofpoint TAP - Event Enrichment

Fixed an issue where conditional tasks incorrectly recognized 'null' as a value for the 'CampaignID' and 'ThreatID' incident fields.
Updated the playbook outputs to include all the output paths.
Deprecated 'SetContext' automation is now replaced with 'SetAndHandleEmpty' automation within tasks that extract incident fields and store their values in the context.
Improved implementation of tasks hierarchy to streamline the playbook flow.
Updated the playbook description and the descriptions of the playbook tasks.

Related pull requests:
- 24642

Download

1.1.27 - 4621433 (February 16, 2023)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 24581

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	June 30, 2020
Last Release	June 23, 2024

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.