InsightConnect Marketplace

Proofpoint TAP

v1.0.6

Parse Proofpoint Targeted Attack Protection (TAP) alerts

Tags: Proofpoint, TAP, parser

Actions
  • Parse Alert

Description

Proofpoint Targeted Attack Protection (TAP) helps you stay ahead of attackers with an innovative approach that detects, analyzes and blocks advanced threats before they reach your inbox. This plugin enables users to parse TAP alerts.

Key Features

  • Parse indicators from TAP alert e-mails

Requirements

This plugin does not contain any requirements.

Documentation

Setup

This plugin does not contain a connection.

Technical Details

Actions

Parse Alert

This action parses a Proofpoint TAP alert into structured threat, message and browser fields. It also accepts a TAP alert that has been forwarded as an e-mail.

Input

| Name | Type | Default | Required | Description | Enum | Example |
|------|------|---------|----------|-------------|------|---------|
| tap_alert | string | None | True | A Proofpoint TAP alert | None | None |

Output

| Name | Type | Required | Description |
|------|------|----------|-------------|
| results | tap_results | False | Proofpoint TAP results |

Example output:

"results": {
  "threat": {
    "attachment_sha256": "9c22af77f29f5eb007403455b7896906b479995b6444e421d6093e683f593e4",
    "category": "Malware",
    "condemnation_time": "2019-01-10T12:34:05Z",
    "threat_details_url": "https://threatinsight.proofpoint.com/v7l34e70-a2ec-a214-bc4d-acd68a33dba2/threat/email/9c22af77f29f5eb007403455b7896906b479995b6444e421d6093e683f593e4?linkOrigin=notif"
  },
  "message": {
    "time_delivered": "2019-01-10T12:10:21Z",
    "recipients": "user@example.com",
    "subject": "January Invoice",
    "sender": "user@example.com",
    "header_from": "Bob",
    "header_replyto": "user@example.com",
    "message_id": "user@example.com",
    "sender_ip": "198.51.100.100",
    "message_size": "152 KB",
    "message_guid": "-AsyUBf--Yt7cR-tndAo8RaUbk8kBACE",
    "threat_id": "30f800f97aeaa8d62bdf3a6fb2b0681179a360c12e127f07038f8521461e5050"
  },
  "browser": {
    "time": "2020-05-11T11:01:13Z",
    "source_ip": "198.51.100.100",
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
  }
}
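An added Python example, not the plugin's own code, showing how a Parse Alert-style parser can map a forwarded TAP alert onto the tap_results types documented on this page. The "Label: value" alert layout, the forward markers and the sample alert below are assumptions constructed for this example; only the output field names come from the plugin spec.

```python
import re
# Field names per section come from the plugin's tap_results types. The assumed alert layout is
# "Label: value" lines whose labels snake_case to these keys, except for the two LABEL_FIXUPS.
SECTIONS = {
    "threat": {"attachment_sha256", "url", "category", "condemnation_time", "threat_details_url"},
    "message": {"time_delivered", "recipients", "subject", "sender", "header_from", "header_replyto",
                "message_guid", "message_id", "sender_ip", "message_size", "threat_id"},
    "browser": {"time", "source_ip", "user_agent"},
}
LABEL_FIXUPS = {"attachment_sha256_hash": "attachment_sha256", "header_reply_to": "header_replyto"}
FWD_MARKERS = {"-----Original Message-----", "---------- Forwarded message ---------"}
LINE_RE = re.compile(r"^([A-Za-z0-9 ]+?):\s*(\S.*?)\s*$")
def alert_body_lines(text):
    """Strip '>' quote prefixes; in a forwarded alert skip the forwarder's text, the marker and
    the forwarded From/To/Subject block, which ends at the first blank line."""
    lines = [re.sub(r"^(\s*>)+ ?", "", ln).rstrip() for ln in text.splitlines()]
    for i, line in enumerate(lines):
        if line.strip() in FWD_MARKERS:
            rest = lines[i + 1:]
            blank = next((j for j, ln in enumerate(rest) if not ln.strip()), None)
            return rest[blank + 1:] if blank is not None else rest
    return lines

def parse_tap_alert(tap_alert):
    """Return the {"results": {threat, message, browser}} shape of the Parse Alert output."""
    results = {"threat": {}, "message": {}, "browser": {}}
    for line in alert_body_lines(tap_alert):
        m = LINE_RE.match(line)
        if not m:
            continue
        key = m.group(1).strip().lower().replace(" ", "_")
        key = LABEL_FIXUPS.get(key, key)
        for section, keys in SECTIONS.items():
            if key in keys and key not in results[section]:  # first occurrence wins
                results[section][key] = m.group(2)
    sha = results["threat"].get("attachment_sha256")
    if sha and not re.fullmatch(r"[0-9a-fA-F]{64}", sha):  # a truncated digest breaks later lookups
        raise ValueError(f"attachment_sha256 is not a 64-hex-char SHA-256 digest: {sha!r}")
    return {"results": {k: v for k, v in results.items() if v}}  # omit empty optional sections
# Constructed forwarded alert (not a real TAP notification); the digest is a placeholder value.
SAMPLE_FORWARDED_ALERT = """FYI, see below.
> -----Original Message-----
> Subject: [TAP] Malware detected
>
> Attachment SHA256 Hash: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
> Category: Malware
> Subject: January Invoice
> Source IP: 198.51.100.100
"""
```

The forwarded header block is skipped so that the forwarder's own "Subject:" line does not overwrite the original message subject. Note that the sanitized example output above carries a 63-character attachment_sha256, which the length check here would reject; that is exactly the kind of malformed value the check exists to catch before the hash is used for lookups.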

Triggers

This plugin does not contain any triggers.

Custom Output Types

browser

| Name | Type | Required | Description |
|------|------|----------|-------------|
| Source IP | string | False | Source IP |
| Time | string | False | Time |
| User Agent | string | False | User agent string |

message

| Name | Type | Required | Description |
|------|------|----------|-------------|
| Header From | string | False | Header from |
| Header Reply To | string | False | Header reply to |
| Message GUID | string | False | Message GUID |
| Message ID | string | False | Message ID |
| Message Size | string | False | Message size |
| Recipients | string | False | Recipients |
| Sender | string | False | Sender |
| Sender IP | string | False | Sender IP |
| Subject | string | False | Subject |
| Time Delivered | string | False | Time delivered |

tap_results

| Name | Type | Required | Description |
|------|------|----------|-------------|
| Browser | browser | False | Browser information |
| Message | message | False | TAP alert metadata |
| Threat | threat | False | Threat information |

threat

| Name | Type | Required | Description |
|------|------|----------|-------------|
| Attachment SHA256 Hash | string | False | Attachment SHA256 hash |
| Category | string | False | Category |
| Condemnation Time | string | False | Condemnation time |
| Threat Details URL | string | False | URL for details of the threat |
| URL | string | False | URL |

Troubleshooting

This plugin does not contain any troubleshooting information.

Version History

  • 1.0.6 - Parsing out GUID of the message into the output type
  • 1.0.5 - Parsing out the View Threat Details link from emails to its own value
  • 1.0.4 - New spec and help.md format for the Extension Library
  • 1.0.3 - Fixed issue where headers were occasionally parsed improperly
  • 1.0.2 - Sanitize example output in Parse Alert action documentation
  • 1.0.1 - Fixed issue where TAP alerts with attachments are not parsed correctly
  • 1.0.0 - Initial plugin

Plugin Spec

plugin_spec_version: v2
extension: plugin
products: [insightconnect]
name: proofpoint_tap
title: Proofpoint TAP
description: Parse Proofpoint Targeted Attack Protection (TAP) alerts
version: 1.0.6
vendor: rapid7
support: community
status: []
resources:
  source_url: https://github.com/rapid7/insightconnect-plugins/tree/master/proofpoint_tap
  license_url: https://github.com/rapid7/insightconnect-plugins/blob/master/LICENSE
  vendor_url: https://www.proofpoint.com/
tags:
- Proofpoint
- TAP
- parser
hub_tags:
  use_cases: [alerting_and_notifications, threat_detection_and_response]
  keywords: [Proofpoint, TAP, parser]
  features: []
types:
  threat:
    attachment_sha256:
      title: Attachment SHA256 Hash
      description: Attachment SHA256 hash
      type: string
      required: false
    url:
      title: URL
      description: URL
      type: string
      required: false
    category:
      title: Category
      description: Category
      type: string
      required: false
    condemnation_time:
      title: Condemnation Time
      description: Condemnation Time
      type: string
      required: false
    threat_details_url:
      title: Threat Details URL
      description: URL for Details of the Threat
      type: string
      required: false
  message:
    time_delivered:
      title: Time Delivered
      description: Time Delivered
      type: string
      required: false
    recipients:
      title: Recipients
      description: Recipients
      type: string
      required: false
    subject:
      title: Subject
      description: Subject
      type: string
      required: false
    sender:
      title: Sender
      description: Sender
      type: string
      required: false
    header_from:
      title: Header From
      description: Header from
      type: string
      required: false
    header_replyto:
      title: Header Reply To
      description: Header reply to
      type: string
      required: false
    message_guid:
      title: Message GUID
      description: Message GUID
      type: string
      required: false
    message_id:
      title: Message ID
      description: Message ID
      type: string
      required: false
    sender_ip:
      title: Sender IP
      description: Sender IP
      type: string
      required: false
    message_size:
      title: Message Size
      description: Message size
      type: string
      required: false
    threat_id:
      title: Threat ID
      description: Unique identifier for this threat
      type: string
      required: false
  browser:
    time:
      title: Time
      description: Time
      type: string
      required: false
    source_ip:
      title: Source IP
      description: Source IP
      type: string
      required: false
    user_agent:
      title: User Agent
      description: User agent string
      type: string
      required: false
  tap_results:
    threat:
      title: Threat
      description: Threat information
      type: threat
      required: false
    message:
      title: Message
      description: TAP alert meta data
      type: message
      required: false
    browser:
      title: Browser
      description: Browser information
      type: browser
      required: false
actions:
  parse_tap_alert:
    title: Parse Alert
    description: Parses a TAP alert
    input:
      tap_alert:
        title: Proofpoint TAP Alert
        description: A Proofpoint TAP alert
        type: string
        required: true
    output:
      results:
        title: Results
        type: tap_results
        description: Proofpoint TAP results
        required: false