Proofpoint Threat Response
Use the Proofpoint Threat Response integration to orchestrate and automate incident response.
Overview
Proofpoint Threat Response is a security solution that helps organizations detect, analyze, and respond to threats quickly. It automates threat investigation and incident response to reduce risk and response time. By integrating with other security tools, it streamlines workflows and improves overall security operations.
This pack includes:
- Rest API integration for security incidents
- Modeling rules
Configure Proofpoint Threat Response Event Collector in Cortex XSIAM
Parameter | Description | Required |
---|---|---|
Server URL | (e.g., https://192.168.0.1) | True |
API key for the authentication | | True |
Trust any certificate (not secure) | If set to true, trusts any certificate (not secure). | False |
Use system proxy settings | | False |
First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days) | The time range for the initial data fetch. If timeout errors occur, consider changing this value. | False |
Fetch limit - maximum number of incidents per fetch | | False |
Fetch delta - the delta time in each batch, e.g., 1 hour, 3 minutes. | The time range between created_after and created_before that is sent to the API in each request when fetching older incidents. If timeout errors occur, consider changing this value. | False |
Fetch incidents with specific event sources. Can be a list of comma-separated values. | | False |
Fetch incidents with specific 'Abuse Disposition' state values. Can be a list of comma-separated values. | | False |
Fetch incidents with specific states. | | False |
POST URL of the JSON alert source. | You can find this value by navigating to Sources -> JSON event source -> POST URL. | False |
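The example below is added here and is not the pack's own code: it shows how the fetch parameters above fit together, splitting the lookback into windows of the fetch delta (each sent as an inclusive `created_after` / exclusive `created_before` pair in ISO 8601 UTC), applying the state, event-source and abuse-disposition filters, honouring the fetch limit, and carrying the last timestamp plus already-seen IDs to the next run. The `api_call` callable, the `fake_api` stand-in and the `SAMPLE` incidents are assumptions constructed for the example.

```python
from datetime import datetime, timedelta

ISO = "%Y-%m-%dT%H:%M:%SZ"  # ISO 8601 UTC, the format created_after/created_before expect

def parse_iso(text):
    return datetime.strptime(text, ISO)

def fetch_windows(start, end, delta_minutes):
    """Split [start, end) into consecutive (created_after, created_before) pairs no wider
    than the fetch delta, oldest first, as ISO 8601 UTC strings."""
    windows, cur = [], start
    while cur < end:
        nxt = min(cur + timedelta(minutes=delta_minutes), end)
        windows.append((cur.strftime(ISO), nxt.strftime(ISO)))
        cur = nxt
    return windows

def matches(inc, states=None, sources=None, dispositions=None):
    """Apply the optional state / event-source / abuse-disposition filters."""
    return ((not states or inc["state"] in states)
            and (not sources or inc["event_source"] in sources)
            and (not dispositions or inc["abuse_disposition"] in dispositions))

def collect(api_call, start, end, delta_minutes, limit, seen_ids=frozenset(), **filters):
    """Request one window at a time and filter, stopping at the fetch limit. Also returns
    what the next run must persist: the newest created_at and the IDs already taken at
    that timestamp (created_after is inclusive, so they would otherwise repeat)."""
    collected, last = [], start.strftime(ISO)
    for after, before in fetch_windows(start, end, delta_minutes):
        for inc in api_call(after, before):  # hypothetical API call, one short window per request
            if inc["id"] not in seen_ids and matches(inc, **filters):
                collected.append(inc)
                last = inc["created_at"]
        if len(collected) >= limit:
            collected = collected[:limit]
            last = collected[-1]["created_at"]
            break
    if not collected:
        return [], last, set(seen_ids)
    return collected, last, {i["id"] for i in collected if i["created_at"] == last}

SAMPLE = [  # constructed sample incidents, not real Threat Response output
    {"id": 1, "created_at": "2024-01-01T00:30:00Z", "state": "open", "event_source": "Abuse Mailbox", "abuse_disposition": "Malicious"},
    {"id": 2, "created_at": "2024-01-01T01:15:00Z", "state": "closed", "event_source": "Abuse Mailbox", "abuse_disposition": "Clean"},
    {"id": 3, "created_at": "2024-01-01T02:45:00Z", "state": "new", "event_source": "SIEM", "abuse_disposition": "Malicious"},
    {"id": 4, "created_at": "2024-01-01T03:20:00Z", "state": "open", "event_source": "Abuse Mailbox", "abuse_disposition": "Suspicious"},
]

def fake_api(created_after, created_before):
    """Stand-in for the real API; equal-format ISO strings compare correctly as text."""
    return [i for i in SAMPLE if created_after <= i["created_at"] < created_before]
```

A smaller delta means more, shorter requests, which is the lever to pull when a wide window times out.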
Commands
You can execute these commands from the CLI, as part of an automation, or in a playbook.
After you successfully execute a command, a DBot message appears in the War Room with the command details.
proofpoint-trap-get-events
Retrieves all incident metadata from Threat Response by specifying filter criteria such as the state of the incident or time of closure.
Base Command
proofpoint-trap-get-events
Input
Argument Name | Description | Required |
---|---|---|
should_push_events | If true, the command will create events, otherwise it will only display them. Default is false. | Required |
state | The state of the incidents to retrieve. Possible values are: new, open, assigned, closed, ignored. | Optional |
created_after | Retrieve incidents that were created after this date, in ISO 8601 format (UTC). Example: 2020-02-22 or 2020-02-22T00:00:00Z. | Optional |
created_before | Retrieve incidents that were created before this date, in ISO 8601 format (UTC). Example: 2020-02-22 or 2020-02-22T00:00:00Z. | Optional |
closed_after | Retrieve incidents that were closed after this date, in ISO 8601 format (UTC). Example: 2020-02-22 or 2020-02-22T00:00:00Z. | Optional |
closed_before | Retrieve incidents that were closed before this date, in ISO 8601 format (UTC). Example: 2020-02-22 or 2020-02-22T00:00:00Z. | Optional |
expand_events | If false, will return an array of event IDs instead of full event objects. This will significantly speed up the response time of the API for incidents with a large number of alerts. Possible values are: true, false. | Optional |
limit | The maximum number of incidents to return. Default is 100. | Required |
Context Output
There is no context output for this command.
Name | Description |
---|---|
Proofpoint Threat Response | Use the Proofpoint Threat Response integration to orchestrate and automate incident response. |

Name | Description |
---|---|
Block Domain - Proofpoint Threat Response | This playbook blocks domains using Proofpoint Threat Response. |

Name | Description |
---|---|
Proofpoint Threat Response Event Collector | Use the Proofpoint Threat Response integration to orchestrate and automate incident response. |
Proofpoint Threat Response | Use the Proofpoint Threat Response integration to orchestrate and automate incident response. |

Name | Description |
---|---|
Proofpoint Threat Response Modeling Rule | |

Name | Description |
---|---|
Proofpoint Threat Response Parsing Rule | |
Pack Name | Pack By |
---|---|
Base | By: Cortex XSOAR |
Integrations
Proofpoint Threat Response (Beta)
- Added support for fetch_delta argument in the proofpoint-tr-verify-quarantine command. This should be used when the incident creation time is more than six hours after the alert delivery time.
- Added support for limit_quarantine_occurred_time argument in the proofpoint-tr-verify-quarantine command. This should be used when retrieving all alerts without filtering out those quarantined less than two minutes after alert creation.
- Added support for quarantine_limit argument in the proofpoint-tr-verify-quarantine command. This should be used when retrieving alerts that were quarantined more than two minutes after alert creation.
- 38240
Integrations
Proofpoint Threat Response Event Collector
- Updated the Docker image to: demisto/python3:3.10.12.63474.
Proofpoint Threat Response (Beta)
- Updated the Docker image to: demisto/python3:3.10.12.63474.
- 27877
Integrations
Proofpoint Threat Response Event Collector
- Improved the fetch-events command by ensuring that all events are successfully sent to the XSIAM server prior to setting the details of the last run within the event collector's scope.
- Updated the Docker image to: demisto/python3:3.10.11.56082.
- 26225
Integrations
Proofpoint Threat Response (Beta)
- Note: Organized the integration's parameters by sections. Relevant for XSIAM and XSOAR 8.1 and above.
- Updated the Docker image to: demisto/python3:3.10.9.44472.
Proofpoint Threat Response Event Collector
- Note: Organized the integration's parameters by sections. Relevant for XSIAM and XSOAR 8.1 and above.
- Updated the Docker image to: demisto/python3:3.10.9.44472.
- 23837
INFO
Certification | Certified |
Supported By | Cortex |
Created | September 23, 2020 |
Last Release | May 14, 2025 |