Proofpoint Targeted Attack Protection (TAP)

App Vendor: Proofpoint

App Category: Data Enrichment & Threat Intelligence, Analytics & SIEM

Connector Version: 2.1.1

API Version: API: V2

About App

Proofpoint Targeted Attack Protection (TAP) helps you stay ahead of attackers with an innovative approach that detects, analyzes, and blocks advanced threats before they reach your inbox. This includes ransomware, zero-day threats, polymorphic malware, weaponized documents, phishing attacks, in-cloud apps, connecting email attacks related to credential theft, and other advanced email threats delivered through malicious attachments and URLs. Proofpoint TAP offers unique visibility into these threats so you can optimize your response.

The Proofpoint Targeted Attack Prevention (TAP) app is configured with the Orchestrate application to perform the following actions:

Action Name	Description
Decode URLs	This action decodes URLs that have been rewritten by Proofpoint TAP to their original URLs.
Get List of Very Attacked People	This action identifies the most attacked users in your organization.
Get Campaign Details	This action retrieves details of the specified campaign.
Get Forensic Details by ID	This action retrieves forensic information for the specified threat or campaign.
Get All SIEM Events	This action retrieves all clicks and messages related to known threats within the specified time period.
Get Issues	This action retrieves details of all clicks to malicious URLs permitted and messages delivered containing a known attachment threat within the specified time period.
Get Delivered Messages	This action retrieves all delivered messages that contained a known threat in the specified time period.
Get Blocked Messages	This action retrieves details of all blocked messages that contained a known threat in the specified time period.
Get Permitted Clicks	This action retrieves details of all clicks to malicious URLs (permitted by you) in the specified time period.
Get Blocked Clicks	This action retrieves a list of all clicks to malicious URLs (blocked by you) in the specified time period.
List Campaign IDs	This action retrieves a list of active campaign IDs.
Generic Action	This is a generic action to perform any additional use case on Proofpoint Targeted Attack Prevention (TAP).

Configuration Parameters

The following configuration parameters are required for the Proofpoint Targeted Attack Protection (TAP) app to communicate with the Proofpoint Targeted Attack Protection (TAP) enterprise application. The parameters can be configured by creating instances in the app.

Parameter	Description	Field Type	Required/Optional	Comments
Cloud Domain	Enter your Proofpoint TAP cloud domain Example: "https://tap-api-v2.proofpoint.com"	Text	Required
Service Principal	Enter the Proofpoint TAP service principal. Example: 34dccdd26c5c99ceb3af22f392b708bf	Text	Required
Service Secret	Enter the Proofpoint TAP service secret. Example: a8c7b7523b02xxxxf5a89bd21883e832	Password	Required
SSL Verification	Specify if you want to verify the server SSL certificate when connecting to the Proofpoint TAP APIs. Example: True	Boolean	Optional	Allowed values: True False Default value: False

Action: Decode URLs

This action decodes URLs that Proofpoint TAP has rewritten to their original, target URLs.

Action Input Parameters

Parameter	Description	Field Type	Required/Optional	Comments
URLs	Enter the URLs that you want to decode. Example: $LIST[SampleURL1, SampleURL2, SampleURL3]	List	Required

Parameter

Description

Field Type

Required/Optional

Comments

URLs

Enter the URLs that you want to decode.

Example:

$LIST[SampleURL1, SampleURL2, SampleURL3]

List

Required

Example Request

{
    "urls": [
        "https://sample.domain.com/v2/url?u=http-3A__links.mkt3337.com_ctt-3Fkn-3D3-26ms-3DMzQ3OTg3MDQS1-26r-3DMzkxNzk3NDkwMDA0S0-26b-3D0-26j-3DMTMwMjA1ODYzNQS2-26mt-3D1-26rt-3D0&d=DwMFaQ&c=Vxt5e0Osvvt2gflwSlsJ5DmPGcPvTRKLJyp031rXjhg&r=MujLDFBJstxoxZI_GKbsW7wxGM7nnIK__qZvVy6j9Wc&m=QJGhloAyfD0UZ6n8r6y9dF-khNKqvRAIWDRU_K65xPI&s=ew-rOtBFjiX1Hgv71XQJ5BEgl9TPaoWRm_Xp9Nuo8bk&e=",
        "https://sample.domain.com/v1/url?u=http://www.bouncycastle.org/&amp;k=oIvRg1%2BdGAgOoM1BIlLLqw%3D%3D%0A&amp;r=IKM5u8%2B%2F%2Fi8EBhWOS%2BqGbTqCC%2BrMqWI%2FVfEAEsQO%2F0Y%3D%0A&amp;m=Ww6iaHO73mDQpPQwOwfLfN8WMapqHyvtu8jM8SjqmVQ%3D%0A&amp;s=d3583cfa53dade97025bc6274c6c8951dc29fe0f38830cf8e5a447723b9f1c9a",
        "https://sample.domain.com/v3/__https://google.com:443/search?q=a*test&gs=ps__;Kw!-612Flbf0JvQ3kNJkRi5Jg!Ue6tQudNKaShHg93trcdjqDP8se2ySE65jyCIe2K1D_uNjZ1Lnf6YLQERujngZv9UWf66ujQIQ$"
    ]
}

Action Response Parameters

Parameter	Type	Description
{app_instance}	Object	Indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.
app_instance.urls	Array	An array containing URL objects.
app_instance.urls.encodedUrl	String	The original, rewritten URL supplied to the endpoint.
app_instance.urls.decodedUrl	String	The target URL embedded inside the rewritten link.
app_instance.urls.messageGuid	String	The PPS GUID of the message which originally contained the URL.
app_instance.urls.clusterName	String	The name of the PPS cluster which rewrote the message.
app_instance.urls.recipientEmail	String	The email address of the message's original recipient.
app_instance.urls.success	Boolean	Indicates whether the URL could successfully be decoded.

Action: Get List of Most Attacked Users

This action fetches the identities and attack index breakdown of Very Attacked People within your organization for a given period.

Action Input Parameters

Parameter	Description	Field Type	Required/Optional	Comments
Window	Enter an integer indicating for how many days the data should be retrieved. Example: 30	Integer	Optional	Allowed values: 14 30 90 Default value: 14
Size	Enter the maximum number of VAPs to be returned in the response. The attackIndex value determines the order of results. Example: 50	Integer	Optional	Default value: 1000
Page	Enter the page of results to return, in multiples of the specified size (or 1000, if no size is explicitly chosen). Example: 5	Integer	Optional	Default value: 1

Parameter

Description

Field Type

Required/Optional

Comments

Window

Enter an integer indicating for how many days the data should be retrieved.

Example:

Integer

Optional

Allowed values:

Default value:

Size

Enter the maximum number of VAPs to be returned in the response. The attackIndex value determines the order of results.

Example:

Integer

Optional

Default value: 1000

Page

Enter the page of results to return, in multiples of the specified size (or 1000, if no size is explicitly chosen).

Example:

Integer

Optional

Default value:

Example Request

[
  {
    "windows": 30,
    "size": 50,
    "page": 5
  }
]

Action Response Parameters

Parameter	Type	Description
{app_instance}	Object	This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.
app_instance.users	Array of Objects	List of users with their identity and threat statistics.
app_instance.users.identity	Object	The identity information of the user.
app_instance.users.identity.guid	String	The unique identifier (GUID) for the user. Example: "dc8766cd-39b2-c5a0-b008-849502c50323"
app_instance.users.identity.customerUserId	String	The customer user ID. Example: "01232336319812225987"
app_instance.users.identity.emails	Array	List of email addresses for the user. Example: ["johndoe@exampledomain.com"]
app_instance.users.identity.name	String	The name of the user. Example: "John Doe"
app_instance.users.identity.department	String	The department of the user. Example: "InfoSec"
app_instance.users.identity.location	String	The location of the user. Example: "San Fransisco"
app_instance.users.identity.title	String	The job title of the user. Example: "Security Analyst"
app_instance.users.identity.vip	Boolean	Indicates if the user is a VIP. Example: true
app_instance.users.threatStatistics	Object	Threat statistics for the user.
app_instance.users.threatStatistics.attackIndex	Integer	The attack index value for the user. Example: 18558
app_instance.users.threatStatistics.families	Array	List of threat families with scores.
app_instance.users.threatStatistics.families.name	String	The name of the threat family. Example: "phishing"
app_instance.users.threatStatistics.families.score	Integer	The score for the threat family. Example: 2619
app_instance.totalVapUsers	Integer	Total number of Very Attacked People (VAP) users. Example: 150
app_instance.interval	String	The time interval for the report. Example: "2019-10-01T00:00:00Z/2019-11-01T00:00:00Z"
app_instance.averageAttackIndex	Integer	The average attack index value. Example: 371
app_instance.vapAttackIndexThreshold	Integer	The threshold value for the VAP attack index. Example: 1520

Action: Get Campaign Details

This action retrieves details of the specified campaign.

Action Input Parameters

Parameter	Description	Field Type	Required/Optional	Comments
Campaign ID	Enter the campaign ID for which you want to retrieve details. Example: 12345	Text	Required

Parameter

Description

Field Type

Required/Optional

Comments

Campaign ID

Enter the campaign ID for which you want to retrieve details.

Example:

12345

Text

Required

Example Request

[
  {
    "campaign_id": "12345"
  }
]

Action Response Parameters

Parameter	Type	Description
{app_instance}	Object	This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.
app_instance.id	String	The campaign ID.
app_instance.name	String	The name of the campaign.
app_instance.description	String	A description of the campaign written by one of Proofpoint's threat analysts.
app_instance.startDate	String	An ISO8601-formatted datetime corresponding to the time the campaign's first threat variants were first observed.
app_instance.campaignMembers	Array	An array of CampaignMember objects, containing details about each member of the campaign.
app_instance.campaignMembers.id	String	The threat identifier.
app_instance.campaignMembers.threat	String	The attachment hash or URL fragment of the threat.
app_instance.campaignMembers.type	String	The type of the threat: "attachment" or "url".
app_instance.campaignMembers.subType	String	The sub-type of the threat: "ATTACHMENT", "COMPLETE_URL", "NORMALIZED_URL", "HOSTNAME", or "DOMAIN".
app_instance.campaignMembers.threatTime	String	An ISO8601-formatted datetime corresponding to when the threat variant was first recognized as malicious.
app_instance.actors	Array	An array of Actor objects, containing details about each actor involved in the campaign.
app_instance.actors.name	String	The name of the actor.
app_instance.actors.id	String	The actor identifier.
app_instance.malware	Array	An array of Malware objects, containing details about each malware family associated with the campaign.
app_instance.malware.name	String	The name of the malware family.
app_instance.malware.id	String	The malware family identifier.
app_instance.techniques	Array	An array of Technique objects, containing details about each technique associated with the campaign.
app_instance.techniques.name	String	The name of the technique.
app_instance.techniques.id	String	The technique identifier.
app_instance.notable	Boolean	Returns true when the campaign is marked as notable by Proofpoint's Threat Analyst team.

Action: Get Forensic Details by ID

This action retrieves forensic details for the specified threat or campaign.

Action Input Parameters

Parameter	Description	Field Type	Required/Optional	Comments
Campaign ID or Threat ID	Enter the campaign ID or threat ID for which you want to retrieve forensic details. Example: 12345	Text	Required
Is threat ID	Specify if the ID provided against the Campaign ID or Threat ID parameter is the threat ID or campaign ID. Example: True	Boolean	Optional	Allowed values: True: Threat ID False: Campaign ID Default value: False
Include Campaign Forensics	Specify if you want to retrieve aggregate forensics for the specified thread ID or the entire campaign. This parameter can only be used if you enter a thread ID against the Campaign ID or Threat ID parameter. Example: True	Boolean	Optional	Allowed values: True: Retrieves aggregate forensics for the entire campaign. False: Retrieves aggregate forensics for the specified thread ID. Default value: False

Parameter

Description

Field Type

Required/Optional

Comments

Campaign ID or Threat ID

Enter the campaign ID or threat ID for which you want to retrieve forensic details.

Example:

12345

Text

Required

Is threat ID

Specify if the ID provided against the Campaign ID or Threat ID parameter is the threat ID or campaign ID.

Example:

True

Boolean

Optional

Allowed values:

True: Threat ID
False: Campaign ID

Default value:

False

Include Campaign Forensics

Specify if you want to retrieve aggregate forensics for the specified thread ID or the entire campaign.

This parameter can only be used if you enter a thread ID against the Campaign ID or Threat ID parameter.

Example:

True

Boolean

Optional

Allowed values:

True: Retrieves aggregate forensics for the entire campaign.
False: Retrieves aggregate forensics for the specified thread ID.

Default value: False

Example Request

[
  {
    "id": "12345",
    "is_threat_id": "true",
    "include_campaignforensics": "true"
  }
]

Action Response Parameters

Parameter	Type	Description
{app_instance}	Object	This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.
app_instance.generated	String	An ISO8601-formatted datetime corresponding to the time this report was generated.
app_instance.reports	Array	An array of report objects.
app_instance.reports.name	String	The malicious URL, SHA256 hash of the malicious attachment, or campaign name.
app_instance.reports.scope	String	Whether the report scope covers a campaign or an individual threat.
app_instance.reports.type	String	The threat type: attachment, URL, or hybrid.
app_instance.reports.id	String	The identifier associated with the campaign or individual threat.
app_instance.reports.forensics	Array	An array of forensic evidence objects.
app_instance.reports.forensics.type	String	The evidence type.
app_instance.reports.forensics.display	String	A friendly display string describing the evidence.
app_instance.reports.forensics.malicious	String	Whether the evidence was used to reach a malicious verdict.
app_instance.reports.forensics.time	String	[Unsupported] This field is currently unsupported and it's expected to always return 0.
app_instance.reports.forensics.what	Object	A map of values associated with the specific evidence type.
app_instance.reports.forensics.platforms	Array	An array of platform objects describing the platforms affected by the threat.
app_instance.reports.forensics.platforms.name	String	The name of the affected platform.
app_instance.reports.forensics.platforms.os	String	The operating system of the affected platform.
app_instance.reports.forensics.platforms.version	String	The version of the operating system of the affected platform.

Action: Get All SIEM Events

This action retrieves details of all SIEM events related to known threats within the specified time period.

Action Input Parameters

Parameter	Description	Field Type	Required/Optional	Comments
Interval	Enter the time interval (in ISO 8601 format) for which you want to retrieve information. Example: 2016-05-01T12:00:00Z/2016-05-01T13:00:00Z - an hour interval, beginning at noon UTC on 05-01-2016 PT30M/2016-05-01T12:30:00Z - thirty minutes starting at noon UTC on 05-01-2016 and ending at 12:30 p.m. UTC 2016-05-01T05:00:00-0700/PT30M - the same interval as above, but using -0700 as the time zone	Text	Optional	Enter the time in the ISO 8601 format. Minimum interval: 30 seconds Maximum interval: 1 hour
Since Seconds	Enter the time interval in seconds from when you want to retrieve details. Start time: Current API server time, rounded to the nearest minute, less the entered value. End time: Current API server time rounded to the nearest minute. Example: 300	Integer	Optional
Since Time	Enter the date (in ISO 8601 format) from when you want to retrieve details. Start time: Entered value. End time: Current API server time rounded to the nearest minute. Example: 2016-05-01T12:00:00Z	Text	Optional
Extra Parameters	Enter the required parameters as key-value pairs. Example: {"threatStatus": "active"}	Key Value	Optional	Allowed keys: threatstatus: (string) Enter the threat status for which you want to retrieve details. Allowed values: active cleared falsepositive threattype: (string) Enter the threat type for which you want to retrieve details. Allowed values: url attachment messagetext

Example Request

[
  {
    "interval": " 2020-05-01T12:00:00Z/2020-05-01T13:00:00Z",
    "extra_params": {
      "threatStatus": "active"
    }
  }
]

Action Response Parameters

Parameter	Type	Description
{app_instance}	Object	This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.
app_instance.clicksPermitted	Array	An array of objects containing details of all clicks to URL threats that were permitted.
app_instance.clicksPermitted.campaignId	String	An identifier for the campaign of which the threat is a member, if available at the time of the query. Threats can be linked to campaigns even after these events are retrieved. Example: "46e01b8a-c899-404d-bcd9-189bb393d1a7"
app_instance.clicksPermitted.classification	String	The category of threat found in the message. Example: "MALWARE"
app_instance.clicksPermitted.clickIP	String	The external IP address of the user who clicked on the link. If the user is behind a firewall performing network address translation, the IP address of the firewall will be shown. Example: "192.0.2.1"
app_instance.clicksPermitted.clickTime	String	The timestamp when the user clicked the URL. Example: "2016-06-24T19:17:44.000Z"
app_instance.clicksPermitted.GUID	String	The globally unique identifier for the message. Example: "b27dbea0-87d5-463b-b93c-4e8b708289ce"
app_instance.clicksPermitted.id	String	The unique identifier for the click. Example: "8c8b4895-a277-449f-r797-547e3c89b25a"
app_instance.clicksPermitted.messageID	String	Message ID extracted from the headers of the email message. It can be used to look up the associated message in PPS and is not unique. Example: "8c6cfedd-3050-4d65-8c09-c5f65c38da81"
app_instance.clicksPermitted.recipient	String	The recipient of the email. Example: "john.doe@exampledomain.com"
app_instance.clicksPermitted.sender	String	The sender of the email. Example: "9facbf452def2d7efc5b5c48cdb837fa@badguy.zz"
app_instance.clicksPermitted.senderIP	String	The IP address of the sender. Example: "192.0.x.255"
app_instance.clicksPermitted.threatID	String	The unique identifier for the threat. Example: "61f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50"
app_instance.clicksPermitted.threatTime	String	The timestamp when the threat was identified in Proofpoint. Example: "2016-06-24T19:17:46.000Z"
app_instance.clicksPermitted.threatURL	String	A link to the entry on the TAP Dashboard for the particular threat. Example: "https://threatinsight.proofpoint.com/#/threat/..."
app_instance.clicksPermitted.threatStatus	String	The current status of the threat. Example: "active"
app_instance.clicksPermitted.url	String	The URL clicked by the recipient. Example: "http://badguy.zz/"
app_instance.clicksPermitted.userAgent	String	The user agent string of the browser used to click the URL. Example: "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0)..."
app_instance.messagesBlocked	Array	An array of objects containing details of blocked messages. Example: messagesBlocked: [{...}]
app_instance.messagesBlocked.GUID	String	The globally unique identifier for the blocked message. Example: "c26dbea0-80d5-463b-b93c-4e8b708219ce"
app_instance.messagesBlocked.QID	String	The unique identifier for the queued message. Example: "r2FNwRHF004109"
app_instance.messagesBlocked.ccAddresses	Array	The CC addresses for the email. Example: ["janesmith@exampledomain.com"]
app_instance.messagesBlocked.clusterId	String	The identifier for the cluster handling the message. Example: "pharmtech_hosted"
app_instance.messagesBlocked.completelyRewritten	Boolean	Whether the message was completely rewritten. Example: "true"
app_instance.messagesBlocked.fromAddress	String	The sender address of the blocked message. Example: "bad.email@domain.zz"
app_instance.messagesBlocked.headerCC	String	The CC header of the email. Example: “\”Sample Header\" <bruce.wayne@university-of-education.zz>"
app_instance.messagesBlocked.headerReplyTo	String	The reply-to header of the email.
app_instance.messagesBlocked.headerTo	String	The to header of the email. Example: "\"Clark Kent\" <clark.kent@pharmtech.zz>; \"Diana Prince\" <diana.prince@pharmtech.zz>"
app_instance.messagesBlocked.impostorScore	Integer	The impostor score of the message. Higher scores indicate higher certainty. Example: 0
app_instance.messagesBlocked.malwareScore	Integer	The malware score of the email. Example: 100
app_instance.messagesBlocked.messageID	String	The message identifier. Example: "20160624211145.62086.mail@evil.zz"
app_instance.messagesBlocked.messageParts	Array	An array of structures that contain details about parts of the message, including both message bodies and attachments. Example: [{"contentType":"text/plain", "filename":"text.txt", ...}]
app_instance.messagesBlocked.messageTime	String	The timestamp of the message. Example: "2016-06-24T21:18:38.000Z"
app_instance.messagesBlocked.modulesRun	Array	The modules that were run on the message. Example: ["pdr", "sandbox", "spam", "urldefense"]
app_instance.messagesBlocked.phishScore	Integer	The phish score of the message. Higher scores indicate higher certainty. Example: 46
app_instance.messagesBlocked.policyRoutes	Array	The policy routes for the email. Example: ["default_inbound", "executives"]
app_instance.messagesBlocked.quarantineFolder	String	The quarantine folder where the email is stored. Example: "Attachment Defense"
app_instance.messagesBlocked.quarantineRule	String	The quarantine rule applied to the email. Example: "module.sandbox.threat"
app_instance.messagesBlocked.recipient	Array	The recipients of the email. Example: ["clark.kent@pharmtech.zz", "diana.prince@pharmtech.zz"]
app_instance.messagesBlocked.replyToAddress	String	The reply-to address of the email.
app_instance.messagesBlocked.sender	String	The sender address of the email. Example: "e99d7ed5580193f36a51f597bc2c0210@evil.zz"
app_instance.messagesBlocked.senderIP	String	The IP address of the sender. Example: "192.0.2.255"
app_instance.messagesBlocked.spamScore	Integer	The spam score of the message. Higher scores indicate higher certainty. Example: 4
app_instance.messagesBlocked.subject	String	The subject of the email. Example: "Please find a totally safe invoice attached."
app_instance.messagesBlocked.threatsInfoMap	Array	An array of structures that contain details about detected threats within the message. There may be more than one threat per message. Example: [{"campaignId": "...", "classification": "...", ...}]
app_instance.messagesBlocked.toAddresses	Array	A list of email addresses contained within the To: header, excluding friendly names. Example: ["clark.kent@pharmtech.zz", "diana.prince@pharmtech.zz"]
app_instance.messagesBlocked.xmailer	String	The xmailer header of the email. Example: "Spambot v2.5"
app_instance.queryEndTime	String	The time at which the period queried for data ended. Example: “2016-06-24T21:36:00Z”

Action: Get Issues

This action fetches events for clicks to malicious URLs permitted and messages delivered containing a known threat within the specified time period.

Action Input Parameters

Parameter	Description	Field Type	Required/Optional	Comments
Interval	Enter the time interval (in ISO 8601 format) for which you want to retrieve information. Example: 2016-05-01T12:00:00Z/2016-05-01T13:00:00Z - an hour interval, beginning at noon UTC on 05-01-2016 PT30M/2016-05-01T12:30:00Z - thirty minutes starting at noon UTC on 05-01-2016 and ending at 12:30 p.m. UTC 2016-05-01T05:00:00-0700/PT30M - the same interval as above, but using -0700 as the time zone	Text	Optional	Enter time in the ISO 8601 format. Minimum interval: 30 seconds Maximum interval: 1 hour
Since Seconds	Enter the time interval in seconds from when you want to retrieve details. Start time: Current API server time, rounded to the nearest minute, less the entered value. End time: Current API server time rounded to the nearest minute. Example: 300	Integer	Optional
Since Time	Enter the date (in ISO 8601 format) from when you want to retrieve details. Start time: Entered value. End time: Current API server time rounded to the nearest minute. Example: 2016-05-01T12:00:00Z	Text	Optional
Extra Parameters	Enter the required parameters as key-value pairs. Example: {"threatStatus": "active"}	Key Value	Optional	Allowed keys: threatstatus: (string) Enter the threat status for which you want to retrieve details. Allowed values: active cleared falsepositive threattype: (string) Enter the threat type for which you want to retrieve details. Allowed values: url attachment messagetext

Example Request

[
  {
    "interval": " 2020-05-01T12:00:00Z/2020-05-01T13:00:00Z",
    "extra_params": {
      "threatStatus": "active"
    }
  }
]

Action Response Parameters

Parameter	Type	Description
{app_instance}	Object	This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.
app_instance.clicksPermitted	Array	An array of objects containing details of all clicks to URL threats that were permitted.
app_instance.clicksPermitted.campaignId	String	An identifier for the campaign of which the threat is a member, if available at the time of the query. Threats can be linked to campaigns even after these events are retrieved. Example: "46e01b8a-c899-404d-bcd9-189bb393d1a7"
app_instance.clicksPermitted.classification	String	The category of threat found in the message. Example: "MALWARE"
app_instance.clicksPermitted.clickIP	String	The external IP address of the user who clicked on the link. If the user is behind a firewall performing network address translation, the IP address of the firewall will be shown. Example: "192.0.2.1"
app_instance.clicksPermitted.clickTime	String	The timestamp when the user clicked the URL. Example: "2016-06-24T19:17:44.000Z"
app_instance.clicksPermitted.GUID	String	The globally unique identifier for the message. Example: "b27dbea0-87d5-463b-b93c-4e8b708289ce"
app_instance.clicksPermitted.id	String	The unique identifier for the click. Example: "8c8b4895-a277-449f-r797-547e3c89b25a"
app_instance.clicksPermitted.messageID	String	Message ID extracted from the headers of the email message. It can be used to look up the associated message in PPS and is not unique. Example: "8c6cfedd-3050-4d65-8c09-c5f65c38da81"
app_instance.clicksPermitted.recipient	String	The recipient of the email. Example: "john.doe@exampledomain.com"
app_instance.clicksPermitted.sender	String	The sender of the email. Example: "9facbf452def2d7efc5b5c48cdb837fa@badguy.zz"
app_instance.clicksPermitted.senderIP	String	The IP address of the sender. Example: "192.0.x.255"
app_instance.clicksPermitted.threatID	String	The unique identifier for the threat. Example: "61f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50"
app_instance.clicksPermitted.threatTime	String	The timestamp when the threat was identified in Proofpoint. Example: "2016-06-24T19:17:46.000Z"
app_instance.clicksPermitted.threatURL	String	A link to the entry on the TAP Dashboard for the particular threat. Example: "https://threatinsight.proofpoint.com/#/threat/..."
app_instance.clicksPermitted.threatStatus	String	The current status of the threat. Example: "active"
app_instance.clicksPermitted.url	String	The URL clicked by the recipient. Example: "http://badguy.zz/"
app_instance.clicksPermitted.userAgent	String	The user agent string of the browser used to click the URL. Example: "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0)..."
app_instance.messagesBlocked	Array	An array of objects containing details of blocked messages. Example: messagesBlocked: [{...}]
app_instance.messagesBlocked.GUID	String	The globally unique identifier for the blocked message. Example: "c26dbea0-80d5-463b-b93c-4e8b708219ce"
app_instance.messagesBlocked.QID	String	The unique identifier for the queued message. Example: "r2FNwRHF004109"
app_instance.messagesBlocked.ccAddresses	Array	The CC addresses for the email. Example: ["janesmith@exampledomain.com"]
app_instance.messagesBlocked.clusterId	String	The identifier for the cluster handling the message. Example: "pharmtech_hosted"
app_instance.messagesBlocked.completelyRewritten	Boolean	Whether the message was completely rewritten. Example: "true"
app_instance.messagesBlocked.fromAddress	String	The sender address of the blocked message. Example: "bad.email@domain.zz"
app_instance.messagesBlocked.headerCC	String	The CC header of the email. Example: “\”Sample Header\" <bruce.wayne@university-of-education.zz>"
app_instance.messagesBlocked.headerReplyTo	String	The reply-to header of the email.
app_instance.messagesBlocked.headerTo	String	The to header of the email. Example: "\"Clark Kent\" <clark.kent@pharmtech.zz>; \"Diana Prince\" <diana.prince@pharmtech.zz>"
app_instance.messagesBlocked.impostorScore	Integer	The impostor score of the message. Higher scores indicate higher certainty. Example: 0
app_instance.messagesBlocked.malwareScore	Integer	The malware score of the email. Example: 100
app_instance.messagesBlocked.messageID	String	The message identifier. Example: "20160624211145.62086.mail@evil.zz"
app_instance.messagesBlocked.messageParts	Array	An array of structures that contain details about parts of the message, including both message bodies and attachments. Example: [{"contentType":"text/plain", "filename":"text.txt", ...}]
app_instance.messagesBlocked.messageTime	String	The timestamp of the message. Example: "2016-06-24T21:18:38.000Z"
app_instance.messagesBlocked.modulesRun	Array	The modules that were run on the message. Example: ["pdr", "sandbox", "spam", "urldefense"]
app_instance.messagesBlocked.phishScore	Integer	The phish score of the message. Higher scores indicate higher certainty. Example: 46
app_instance.messagesBlocked.policyRoutes	Array	The policy routes for the email. Example: ["default_inbound", "executives"]
app_instance.messagesBlocked.quarantineFolder	String	The quarantine folder where the email is stored. Example: "Attachment Defense"
app_instance.messagesBlocked.quarantineRule	String	The quarantine rule applied to the email. Example: "module.sandbox.threat"
app_instance.messagesBlocked.recipient	Array	The recipients of the email. Example: ["clark.kent@pharmtech.zz", "diana.prince@pharmtech.zz"]
app_instance.messagesBlocked.replyToAddress	String	The reply-to address of the email.
app_instance.messagesBlocked.sender	String	The sender address of the email. Example: "e99d7ed5580193f36a51f597bc2c0210@evil.zz"
app_instance.messagesBlocked.senderIP	String	The IP address of the sender. Example: "192.0.2.255"
app_instance.messagesBlocked.spamScore	Integer	The spam score of the message. Higher scores indicate higher certainty. Example: 4
app_instance.messagesBlocked.subject	String	The subject of the email. Example: "Please find a totally safe invoice attached."
app_instance.messagesBlocked.threatsInfoMap	Array	An array of structures that contain details about detected threats within the message. There may be more than one threat per message. Example: [{"campaignId": "...", "classification": "...", ...}]
app_instance.messagesBlocked.toAddresses	Array	A list of email addresses contained within the To: header, excluding friendly names. Example: ["clark.kent@pharmtech.zz", "diana.prince@pharmtech.zz"]
app_instance.messagesBlocked.xmailer	String	The xmailer header of the email. Example: "Spambot v2.5"
app_instance.queryEndTime	String	The time at which the period queried for data ended. Example: “2016-06-24T21:36:00Z”

Action: Get Delivered Messages

This action retrieves details of delivered messages that contained a known threat in the specified time period.

One of the below parameters must be provided:

Interval
Since Seconds
Since Time

Action Input Parameters

Parameter	Description	Field Type	Required/Optional	Comments
Interval	Enter the time interval (in ISO 8601 format) for which you want to retrieve information. Example: 2016-05-01T12:00:00Z/2016-05-01T13:00:00Z - an hour interval, beginning at noon UTC on 05-01-2016 PT30M/2016-05-01T12:30:00Z - thirty minutes starting at noon UTC on 05-01-2016 and ending at 12:30 p.m. UTC 2016-05-01T05:00:00-0700/PT30M - the same interval as above, but using -0700 as the time zone	Text	Optional	Enter time in the ISO 8601 format. Minimum interval: 30 seconds Maximum interval: 1 hour
Since Seconds	Enter the time interval in seconds from when you want to retrieve details. Start time: Current API server time, rounded to the nearest minute, less the entered value. End time: Current API server time rounded to the nearest minute. Example: 300	Integer	Optional
Since Time	Enter the date (in ISO 8601 format) from when you want to retrieve details. Start time: Entered value. End time: Current API server time rounded to the nearest minute. Example: 2016-05-01T12:00:00Z	Text	Optional
Extra Parameters	Enter the required parameters as key-value pairs. Example: {"threatStatus": "active"}	Key Value	Optional	Allowed keys: threatstatus: (string) Enter the threat status for which you want to retrieve details. Allowed values: active cleared falsepositive threattype: (string) Enter the threat type for which you want to retrieve details. Allowed values: url attachment messagetext

Example Request

[
  {
    "interval": " 2020-05-01T12:00:00Z/2020-05-01T13:00:00Z",
    "extra_params": {
      "threatStatus": "active"
    }
  }
]

Action Response Parameters

Parameter	Type	Description
{app_instance}	Object	This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.
app_instance.clicksPermitted	Array	An array of objects containing details of all clicks to URL threats that were permitted.
app_instance.clicksPermitted.campaignId	String	An identifier for the campaign of which the threat is a member, if available at the time of the query. Threats can be linked to campaigns even after these events are retrieved. Example: "46e01b8a-c899-404d-bcd9-189bb393d1a7"
app_instance.clicksPermitted.classification	String	The category of threat found in the message. Example: "MALWARE"
app_instance.clicksPermitted.clickIP	String	The external IP address of the user who clicked on the link. If the user is behind a firewall performing network address translation, the IP address of the firewall will be shown. Example: "192.0.2.1"
app_instance.clicksPermitted.clickTime	String	The timestamp when the user clicked the URL. Example: "2016-06-24T19:17:44.000Z"
app_instance.clicksPermitted.GUID	String	The globally unique identifier for the message. Example: "b27dbea0-87d5-463b-b93c-4e8b708289ce"
app_instance.clicksPermitted.id	String	The unique identifier for the click. Example: "8c8b4895-a277-449f-r797-547e3c89b25a"
app_instance.clicksPermitted.messageID	String	Message ID extracted from the headers of the email message. It can be used to look up the associated message in PPS and is not unique. Example: "8c6cfedd-3050-4d65-8c09-c5f65c38da81"
app_instance.clicksPermitted.recipient	String	The recipient of the email. Example: "john.doe@exampledomain.com"
app_instance.clicksPermitted.sender	String	The sender of the email. Example: "9facbf452def2d7efc5b5c48cdb837fa@badguy.zz"
app_instance.clicksPermitted.senderIP	String	The IP address of the sender. Example: "192.0.x.255"
app_instance.clicksPermitted.threatID	String	The unique identifier for the threat. Example: "61f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50"
app_instance.clicksPermitted.threatTime	String	The timestamp when the threat was identified in Proofpoint. Example: "2016-06-24T19:17:46.000Z"
app_instance.clicksPermitted.threatURL	String	A link to the entry on the TAP Dashboard for the particular threat. Example: "https://threatinsight.proofpoint.com/#/threat/..."
app_instance.clicksPermitted.threatStatus	String	The current status of the threat. Example: "active"
app_instance.clicksPermitted.url	String	The URL clicked by the recipient. Example: "http://badguy.zz/"
app_instance.clicksPermitted.userAgent	String	The user agent string of the browser used to click the URL. Example: "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0)..."
app_instance.messagesBlocked	Array	An array of objects containing details of blocked messages. Example: messagesBlocked: [{...}]
app_instance.messagesBlocked.GUID	String	The globally unique identifier for the blocked message. Example: "c26dbea0-80d5-463b-b93c-4e8b708219ce"
app_instance.messagesBlocked.QID	String	The unique identifier for the queued message. Example: "r2FNwRHF004109"
app_instance.messagesBlocked.ccAddresses	Array	The CC addresses for the email. Example: ["janesmith@exampledomain.com"]
app_instance.messagesBlocked.clusterId	String	The identifier for the cluster handling the message. Example: "pharmtech_hosted"
app_instance.messagesBlocked.completelyRewritten	Boolean	Whether the message was completely rewritten. Example: "true"
app_instance.messagesBlocked.fromAddress	String	The sender address of the blocked message. Example: "bad.email@domain.zz"
app_instance.messagesBlocked.headerCC	String	The CC header of the email. Example: “\”Sample Header\" <bruce.wayne@university-of-education.zz>"
app_instance.messagesBlocked.headerReplyTo	String	The reply-to header of the email.
app_instance.messagesBlocked.headerTo	String	The to header of the email. Example: "\"Clark Kent\" <clark.kent@pharmtech.zz>; \"Diana Prince\" <diana.prince@pharmtech.zz>"
app_instance.messagesBlocked.impostorScore	Integer	The impostor score of the message. Higher scores indicate higher certainty. Example: 0
app_instance.messagesBlocked.malwareScore	Integer	The malware score of the email. Example: 100
app_instance.messagesBlocked.messageID	String	The message identifier. Example: "20160624211145.62086.mail@evil.zz"
app_instance.messagesBlocked.messageParts	Array	An array of structures that contain details about parts of the message, including both message bodies and attachments. Example: [{"contentType":"text/plain", "filename":"text.txt", ...}]
app_instance.messagesBlocked.messageTime	String	The timestamp of the message. Example: "2016-06-24T21:18:38.000Z"
app_instance.messagesBlocked.modulesRun	Array	The modules that were run on the message. Example: ["pdr", "sandbox", "spam", "urldefense"]
app_instance.messagesBlocked.phishScore	Integer	The phish score of the message. Higher scores indicate higher certainty. Example: 46
app_instance.messagesBlocked.policyRoutes	Array	The policy routes for the email. Example: ["default_inbound", "executives"]
app_instance.messagesBlocked.quarantineFolder	String	The quarantine folder where the email is stored. Example: "Attachment Defense"
app_instance.messagesBlocked.quarantineRule	String	The quarantine rule applied to the email. Example: "module.sandbox.threat"
app_instance.messagesBlocked.recipient	Array	The recipients of the email. Example: ["clark.kent@pharmtech.zz", "diana.prince@pharmtech.zz"]
app_instance.messagesBlocked.replyToAddress	String	The reply-to address of the email.
app_instance.messagesBlocked.sender	String	The sender address of the email. Example: "e99d7ed5580193f36a51f597bc2c0210@evil.zz"
app_instance.messagesBlocked.senderIP	String	The IP address of the sender. Example: "192.0.2.255"
app_instance.messagesBlocked.spamScore	Integer	The spam score of the message. Higher scores indicate higher certainty. Example: 4
app_instance.messagesBlocked.subject	String	The subject of the email. Example: "Please find a totally safe invoice attached."
app_instance.messagesBlocked.threatsInfoMap	Array	An array of structures that contain details about detected threats within the message. There may be more than one threat per message. Example: [{"campaignId": "...", "classification": "...", ...}]
app_instance.messagesBlocked.toAddresses	Array	A list of email addresses contained within the To: header, excluding friendly names. Example: ["clark.kent@pharmtech.zz", "diana.prince@pharmtech.zz"]
app_instance.messagesBlocked.xmailer	String	The xmailer header of the email. Example: "Spambot v2.5"
app_instance.queryEndTime	String	The time at which the period queried for data ended. Example: “2016-06-24T21:36:00Z”

Action: Get Blocked Messages

This action retrieves details of all blocked messages containing a known threat in the specified period.

One of the below parameters must be provided:

Interval
Since Time
Since Seconds

Action Input Parameters

Parameter	Description	Field Type	Required/Optional	Comments
Interval	Enter the time interval (in ISO 8601 format) for which you want to retrieve information. Example: 2016-05-01T12:00:00Z/2016-05-01T13:00:00Z - an hour interval, beginning at noon UTC on 05-01-2016 PT30M/2016-05-01T12:30:00Z - thirty minutes starting at noon UTC on 05-01-2016 and ending at 12:30 p.m. UTC 2016-05-01T05:00:00-0700/PT30M - the same interval as above, but using -0700 as the time zone	Text	Optional	Enter time in the ISO 8601 format. Minimum interval: 30 seconds Maximum interval: 1 hour
Since Seconds	Enter the time interval in seconds from when you want to retrieve details. Start time: Current API server time, rounded to the nearest minute, less the entered value. End time: Current API server time rounded to the nearest minute. Example: 300	Integer	Optional
Since Time	Enter the date (in ISO 8601 format) from when you want to retrieve details. Start time: Entered value. End time: Current API server time rounded to the nearest minute. Example: 2016-05-01T12:00:00Z	Text	Optional
Extra Parameters	Enter the required parameters as key-value pairs. Example: {"threatStatus": "active"}	Key Value	Optional	Allowed keys: threatstatus: (string) Enter the threat status for which you want to retrieve details. Allowed values: active cleared falsepositive threattype: (string) Enter the threat type for which you want to retrieve details. Allowed values: url attachment messagetext

Example Request

[
  {
    "interval": " 2020-05-01T12:00:00Z/2020-05-01T13:00:00Z",
    "extra_params": {
      "threatStatus": "active"
    }
  }
]

Action Response Parameters

Parameter	Type	Description
{app_instance}	Object	This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.
app_instance.clicksPermitted	Array	An array of objects containing details of all clicks to URL threats that were permitted.
app_instance.clicksPermitted.campaignId	String	An identifier for the campaign of which the threat is a member, if available at the time of the query. Threats can be linked to campaigns even after these events are retrieved. Example: "46e01b8a-c899-404d-bcd9-189bb393d1a7"
app_instance.clicksPermitted.classification	String	The category of threat found in the message. Example: "MALWARE"
app_instance.clicksPermitted.clickIP	String	The external IP address of the user who clicked on the link. If the user is behind a firewall performing network address translation, the IP address of the firewall will be shown. Example: "192.0.2.1"
app_instance.clicksPermitted.clickTime	String	The timestamp when the user clicked the URL. Example: "2016-06-24T19:17:44.000Z"
app_instance.clicksPermitted.GUID	String	The globally unique identifier for the message. Example: "b27dbea0-87d5-463b-b93c-4e8b708289ce"
app_instance.clicksPermitted.id	String	The unique identifier for the click. Example: "8c8b4895-a277-449f-r797-547e3c89b25a"
app_instance.clicksPermitted.messageID	String	Message ID extracted from the headers of the email message. It can be used to look up the associated message in PPS and is not unique. Example: "8c6cfedd-3050-4d65-8c09-c5f65c38da81"
app_instance.clicksPermitted.recipient	String	The recipient of the email. Example: "john.doe@exampledomain.com"
app_instance.clicksPermitted.sender	String	The sender of the email. Example: "9facbf452def2d7efc5b5c48cdb837fa@badguy.zz"
app_instance.clicksPermitted.senderIP	String	The IP address of the sender. Example: "192.0.x.255"
app_instance.clicksPermitted.threatID	String	The unique identifier for the threat. Example: "61f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50"
app_instance.clicksPermitted.threatTime	String	The timestamp when the threat was identified in Proofpoint. Example: "2016-06-24T19:17:46.000Z"
app_instance.clicksPermitted.threatURL	String	A link to the entry on the TAP Dashboard for the particular threat. Example: "https://threatinsight.proofpoint.com/#/threat/..."
app_instance.clicksPermitted.threatStatus	String	The current status of the threat. Example: "active"
app_instance.clicksPermitted.url	String	The URL clicked by the recipient. Example: "http://badguy.zz/"
app_instance.clicksPermitted.userAgent	String	The user agent string of the browser used to click the URL. Example: "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0)..."
app_instance.messagesBlocked	Array	An array of objects containing details of blocked messages. Example: messagesBlocked: [{...}]
app_instance.messagesBlocked.GUID	String	The globally unique identifier for the blocked message. Example: "c26dbea0-80d5-463b-b93c-4e8b708219ce"
app_instance.messagesBlocked.QID	String	The unique identifier for the queued message. Example: "r2FNwRHF004109"
app_instance.messagesBlocked.ccAddresses	Array	The CC addresses for the email. Example: ["janesmith@exampledomain.com"]
app_instance.messagesBlocked.clusterId	String	The identifier for the cluster handling the message. Example: "pharmtech_hosted"
app_instance.messagesBlocked.completelyRewritten	Boolean	Whether the message was completely rewritten. Example: "true"
app_instance.messagesBlocked.fromAddress	String	The sender address of the blocked message. Example: "bad.email@domain.zz"
app_instance.messagesBlocked.headerCC	String	The CC header of the email. Example: “\”Sample Header\" <bruce.wayne@university-of-education.zz>"
app_instance.messagesBlocked.headerReplyTo	String	The reply-to header of the email.
app_instance.messagesBlocked.headerTo	String	The to header of the email. Example: "\"Clark Kent\" <clark.kent@pharmtech.zz>; \"Diana Prince\" <diana.prince@pharmtech.zz>"
app_instance.messagesBlocked.impostorScore	Integer	The impostor score of the message. Higher scores indicate higher certainty. Example: 0
app_instance.messagesBlocked.malwareScore	Integer	The malware score of the email. Example: 100
app_instance.messagesBlocked.messageID	String	The message identifier. Example: "20160624211145.62086.mail@evil.zz"
app_instance.messagesBlocked.messageParts	Array	An array of structures that contain details about parts of the message, including both message bodies and attachments. Example: [{"contentType":"text/plain", "filename":"text.txt", ...}]
app_instance.messagesBlocked.messageTime	String	The timestamp of the message. Example: "2016-06-24T21:18:38.000Z"
app_instance.messagesBlocked.modulesRun	Array	The modules that were run on the message. Example: ["pdr", "sandbox", "spam", "urldefense"]
app_instance.messagesBlocked.phishScore	Integer	The phish score of the message. Higher scores indicate higher certainty. Example: 46
app_instance.messagesBlocked.policyRoutes	Array	The policy routes for the email. Example: ["default_inbound", "executives"]
app_instance.messagesBlocked.quarantineFolder	String	The quarantine folder where the email is stored. Example: "Attachment Defense"
app_instance.messagesBlocked.quarantineRule	String	The quarantine rule applied to the email. Example: "module.sandbox.threat"
app_instance.messagesBlocked.recipient	Array	The recipients of the email. Example: ["clark.kent@pharmtech.zz", "diana.prince@pharmtech.zz"]
app_instance.messagesBlocked.replyToAddress	String	The reply-to address of the email.
app_instance.messagesBlocked.sender	String	The sender address of the email. Example: "e99d7ed5580193f36a51f597bc2c0210@evil.zz"
app_instance.messagesBlocked.senderIP	String	The IP address of the sender. Example: "192.0.2.255"
app_instance.messagesBlocked.spamScore	Integer	The spam score of the message. Higher scores indicate higher certainty. Example: 4
app_instance.messagesBlocked.subject	String	The subject of the email. Example: "Please find a totally safe invoice attached."
app_instance.messagesBlocked.threatsInfoMap	Array	An array of structures that contain details about detected threats within the message. There may be more than one threat per message. Example: [{"campaignId": "...", "classification": "...", ...}]
app_instance.messagesBlocked.toAddresses	Array	A list of email addresses contained within the To: header, excluding friendly names. Example: ["clark.kent@pharmtech.zz", "diana.prince@pharmtech.zz"]
app_instance.messagesBlocked.xmailer	String	The xmailer header of the email. Example: "Spambot v2.5"
app_instance.queryEndTime	String	The time at which the period queried for data ended. Example: “2016-06-24T21:36:00Z”

Action: Get Permitted Clicks

This action retrieves a list of all clicks to malicious URLs (blocked by you) in the specified time period.

One of the below parameters must be provided:

Interval
Since Seconds
Since Time

Action Input Parameters

Parameter	Description	Field Type	Required/Optional	Comments
Interval	Enter the time interval (in ISO 8601 format) for which you want to retrieve information. Example: 2016-05-01T12:00:00Z/2016-05-01T13:00:00Z - an hour interval, beginning at noon UTC on 05-01-2016 PT30M/2016-05-01T12:30:00Z - thirty minutes starting at noon UTC on 05-01-2016 and ending at 12:30 p.m. UTC 2016-05-01T05:00:00-0700/PT30M - the same interval as above, but using -0700 as the time zone	Text	Optional	Enter time in the ISO 8601 format. Minimum interval: 30 seconds Maximum interval: 1 hour
Since Seconds	Enter the time interval in seconds from when you want to retrieve details. Start time: Current API server time, rounded to the nearest minute, less the entered value. End time: Current API server time rounded to the nearest minute. Example: 300	Integer	Optional
Since Time	Enter the date (in ISO 8601 format) from when you want to retrieve details. Start time: Entered value. End time: Current API server time rounded to the nearest minute. Example: 2016-05-01T12:00:00Z	Text	Optional
Extra Parameters	Enter the required parameters as key-value pairs. Example: {"threatStatus": "active"}	Key Value	Optional	Allowed keys: threatstatus: (string) Enter the threat status for which you want to retrieve details. Allowed values: active cleared falsepositive threattype: (string) Enter the threat type for which you want to retrieve details. Allowed values: url attachment messagetext

Example Request

[
  {
    "interval": " 2020-05-01T12:00:00Z/2020-05-01T13:00:00Z",
    "extra_params": {
      "threatStatus": "active"
    }
  }
]

Action Response Parameters

Parameter	Type	Description
{app_instance}	Object	This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.
app_instance.clicksPermitted	Array	An array of objects containing details of all clicks to URL threats that were permitted.
app_instance.clicksPermitted.campaignId	String	An identifier for the campaign of which the threat is a member, if available at the time of the query. Threats can be linked to campaigns even after these events are retrieved. Example: "46e01b8a-c899-404d-bcd9-189bb393d1a7"
app_instance.clicksPermitted.classification	String	The category of threat found in the message. Example: "MALWARE"
app_instance.clicksPermitted.clickIP	String	The external IP address of the user who clicked on the link. If the user is behind a firewall performing network address translation, the IP address of the firewall will be shown. Example: "192.0.2.1"
app_instance.clicksPermitted.clickTime	String	The timestamp when the user clicked the URL. Example: "2016-06-24T19:17:44.000Z"
app_instance.clicksPermitted.GUID	String	The globally unique identifier for the message. Example: "b27dbea0-87d5-463b-b93c-4e8b708289ce"
app_instance.clicksPermitted.id	String	The unique identifier for the click. Example: "8c8b4895-a277-449f-r797-547e3c89b25a"
app_instance.clicksPermitted.messageID	String	Message ID extracted from the headers of the email message. It can be used to look up the associated message in PPS and is not unique. Example: "8c6cfedd-3050-4d65-8c09-c5f65c38da81"
app_instance.clicksPermitted.recipient	String	The recipient of the email. Example: "john.doe@exampledomain.com"
app_instance.clicksPermitted.sender	String	The sender of the email. Example: "9facbf452def2d7efc5b5c48cdb837fa@badguy.zz"
app_instance.clicksPermitted.senderIP	String	The IP address of the sender. Example: "192.0.x.255"
app_instance.clicksPermitted.threatID	String	The unique identifier for the threat. Example: "61f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50"
app_instance.clicksPermitted.threatTime	String	The timestamp when the threat was identified in Proofpoint. Example: "2016-06-24T19:17:46.000Z"
app_instance.clicksPermitted.threatURL	String	A link to the entry on the TAP Dashboard for the particular threat. Example: "https://threatinsight.proofpoint.com/#/threat/..."
app_instance.clicksPermitted.threatStatus	String	The current status of the threat. Example: "active"
app_instance.clicksPermitted.url	String	The URL clicked by the recipient. Example: "http://badguy.zz/"
app_instance.clicksPermitted.userAgent	String	The user agent string of the browser used to click the URL. Example: "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0)..."
app_instance.messagesBlocked	Array	An array of objects containing details of blocked messages. Example: messagesBlocked: [{...}]
app_instance.messagesBlocked.GUID	String	The globally unique identifier for the blocked message. Example: "c26dbea0-80d5-463b-b93c-4e8b708219ce"
app_instance.messagesBlocked.QID	String	The unique identifier for the queued message. Example: "r2FNwRHF004109"
app_instance.messagesBlocked.ccAddresses	Array	The CC addresses for the email. Example: ["janesmith@exampledomain.com"]
app_instance.messagesBlocked.clusterId	String	The identifier for the cluster handling the message. Example: "pharmtech_hosted"
app_instance.messagesBlocked.completelyRewritten	Boolean	Whether the message was completely rewritten. Example: "true"
app_instance.messagesBlocked.fromAddress	String	The sender address of the blocked message. Example: "bad.email@domain.zz"
app_instance.messagesBlocked.headerCC	String	The CC header of the email. Example: “\”Sample Header\" <bruce.wayne@university-of-education.zz>"
app_instance.messagesBlocked.headerReplyTo	String	The reply-to header of the email.
app_instance.messagesBlocked.headerTo	String	The to header of the email. Example: "\"Clark Kent\" <clark.kent@pharmtech.zz>; \"Diana Prince\" <diana.prince@pharmtech.zz>"
app_instance.messagesBlocked.impostorScore	Integer	The impostor score of the message. Higher scores indicate higher certainty. Example: 0
app_instance.messagesBlocked.malwareScore	Integer	The malware score of the email. Example: 100
app_instance.messagesBlocked.messageID	String	The message identifier. Example: "20160624211145.62086.mail@evil.zz"
app_instance.messagesBlocked.messageParts	Array	An array of structures that contain details about parts of the message, including both message bodies and attachments. Example: [{"contentType":"text/plain", "filename":"text.txt", ...}]
app_instance.messagesBlocked.messageTime	String	The timestamp of the message. Example: "2016-06-24T21:18:38.000Z"
app_instance.messagesBlocked.modulesRun	Array	The modules that were run on the message. Example: ["pdr", "sandbox", "spam", "urldefense"]
app_instance.messagesBlocked.phishScore	Integer	The phish score of the message. Higher scores indicate higher certainty. Example: 46
app_instance.messagesBlocked.policyRoutes	Array	The policy routes for the email. Example: ["default_inbound", "executives"]
app_instance.messagesBlocked.quarantineFolder	String	The quarantine folder where the email is stored. Example: "Attachment Defense"
app_instance.messagesBlocked.quarantineRule	String	The quarantine rule applied to the email. Example: "module.sandbox.threat"
app_instance.messagesBlocked.recipient	Array	The recipients of the email. Example: ["clark.kent@pharmtech.zz", "diana.prince@pharmtech.zz"]
app_instance.messagesBlocked.replyToAddress	String	The reply-to address of the email.
app_instance.messagesBlocked.sender	String	The sender address of the email. Example: "e99d7ed5580193f36a51f597bc2c0210@evil.zz"
app_instance.messagesBlocked.senderIP	String	The IP address of the sender. Example: "192.0.2.255"
app_instance.messagesBlocked.spamScore	Integer	The spam score of the message. Higher scores indicate higher certainty. Example: 4
app_instance.messagesBlocked.subject	String	The subject of the email. Example: "Please find a totally safe invoice attached."
app_instance.messagesBlocked.threatsInfoMap	Array	An array of structures that contain details about detected threats within the message. There may be more than one threat per message. Example: [{"campaignId": "...", "classification": "...", ...}]
app_instance.messagesBlocked.toAddresses	Array	A list of email addresses contained within the To: header, excluding friendly names. Example: ["clark.kent@pharmtech.zz", "diana.prince@pharmtech.zz"]
app_instance.messagesBlocked.xmailer	String	The xmailer header of the email. Example: "Spambot v2.5"
app_instance.queryEndTime	String	The time at which the period queried for data ended. Example: “2016-06-24T21:36:00Z”

Action: Get Blocked Clicks

This action retrieves events for clicks to malicious URLs blocked in the specified time period.

One of the below parameters must be provided:

Interval
Since Seconds
Since Time

Action Input Parameters

Parameter	Description	Field Type	Required/Optional	Comments
Interval	Enter the time interval (in ISO 8601 format) for which you want to retrieve information. Example: 2016-05-01T12:00:00Z/2016-05-01T13:00:00Z - an hour interval, beginning at noon UTC on 05-01-2016 PT30M/2016-05-01T12:30:00Z - thirty minutes starting at noon UTC on 05-01-2016 and ending at 12:30 p.m. UTC 2016-05-01T05:00:00-0700/PT30M - the same interval as above, but using -0700 as the time zone	Text	Optional	Enter time in the ISO 8601 format. Minimum interval: 30 seconds Maximum interval: 1 hour
Since Seconds	Enter the time interval in seconds from when you want to retrieve details. Start time: Current API server time, rounded to the nearest minute, less the entered value. End time: Current API server time rounded to the nearest minute. Example: 300	Integer	Optional
Since Time	Enter the date (in ISO 8601 format) from when you want to retrieve details. Start time: Entered value. End time: Current API server time rounded to the nearest minute. Example: 2016-05-01T12:00:00Z	Text	Optional
Extra Parameters	Enter the required parameters as key-value pairs. Example: {"threatStatus": "active"}	Key Value	Optional	Allowed keys: threatstatus: (string) Enter the threat status for which you want to retrieve details. Allowed values: active cleared falsepositive threattype: (string) Enter the threat type for which you want to retrieve details. Allowed values: url attachment messagetext

Example Request

[
  {
    "interval": " 2020-05-01T12:00:00Z/2020-05-01T13:00:00Z",
    "extra_params": {
      "threatStatus": "active"
    }
  }
]

Action Response Parameters

Parameter	Type	Description
{app_instance}	Object	This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.
app_instance.clicksPermitted	Array	An array of objects containing details of all clicks to URL threats that were permitted.
app_instance.clicksPermitted.campaignId	String	An identifier for the campaign of which the threat is a member, if available at the time of the query. Threats can be linked to campaigns even after these events are retrieved. Example: "46e01b8a-c899-404d-bcd9-189bb393d1a7"
app_instance.clicksPermitted.classification	String	The category of threat found in the message. Example: "MALWARE"
app_instance.clicksPermitted.clickIP	String	The external IP address of the user who clicked on the link. If the user is behind a firewall performing network address translation, the IP address of the firewall will be shown. Example: "192.0.2.1"
app_instance.clicksPermitted.clickTime	String	The timestamp when the user clicked the URL. Example: "2016-06-24T19:17:44.000Z"
app_instance.clicksPermitted.GUID	String	The globally unique identifier for the message. Example: "b27dbea0-87d5-463b-b93c-4e8b708289ce"
app_instance.clicksPermitted.id	String	The unique identifier for the click. Example: "8c8b4895-a277-449f-r797-547e3c89b25a"
app_instance.clicksPermitted.messageID	String	Message ID extracted from the headers of the email message. It can be used to look up the associated message in PPS and is not unique. Example: "8c6cfedd-3050-4d65-8c09-c5f65c38da81"
app_instance.clicksPermitted.recipient	String	The recipient of the email. Example: "john.doe@exampledomain.com"
app_instance.clicksPermitted.sender	String	The sender of the email. Example: "9facbf452def2d7efc5b5c48cdb837fa@badguy.zz"
app_instance.clicksPermitted.senderIP	String	The IP address of the sender. Example: "192.0.x.255"
app_instance.clicksPermitted.threatID	String	The unique identifier for the threat. Example: "61f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50"
app_instance.clicksPermitted.threatTime	String	The timestamp when the threat was identified in Proofpoint. Example: "2016-06-24T19:17:46.000Z"
app_instance.clicksPermitted.threatURL	String	A link to the entry on the TAP Dashboard for the particular threat. Example: "https://threatinsight.proofpoint.com/#/threat/..."
app_instance.clicksPermitted.threatStatus	String	The current status of the threat. Example: "active"
app_instance.clicksPermitted.url	String	The URL clicked by the recipient. Example: "http://badguy.zz/"
app_instance.clicksPermitted.userAgent	String	The user agent string of the browser used to click the URL. Example: "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0)..."
app_instance.messagesBlocked	Array	An array of objects containing details of blocked messages. Example: messagesBlocked: [{...}]
app_instance.messagesBlocked.GUID	String	The globally unique identifier for the blocked message. Example: "c26dbea0-80d5-463b-b93c-4e8b708219ce"
app_instance.messagesBlocked.QID	String	The unique identifier for the queued message. Example: "r2FNwRHF004109"
app_instance.messagesBlocked.ccAddresses	Array	The CC addresses for the email. Example: ["janesmith@exampledomain.com"]
app_instance.messagesBlocked.clusterId	String	The identifier for the cluster handling the message. Example: "pharmtech_hosted"
app_instance.messagesBlocked.completelyRewritten	Boolean	Whether the message was completely rewritten. Example: "true"
app_instance.messagesBlocked.fromAddress	String	The sender address of the blocked message. Example: "bad.email@domain.zz"
app_instance.messagesBlocked.headerCC	String	The CC header of the email. Example: “\”Sample Header\" <bruce.wayne@university-of-education.zz>"
app_instance.messagesBlocked.headerReplyTo	String	The reply-to header of the email.
app_instance.messagesBlocked.headerTo	String	The to header of the email. Example: "\"Clark Kent\" <clark.kent@pharmtech.zz>; \"Diana Prince\" <diana.prince@pharmtech.zz>"
app_instance.messagesBlocked.impostorScore	Integer	The impostor score of the message. Higher scores indicate higher certainty. Example: 0
app_instance.messagesBlocked.malwareScore	Integer	The malware score of the email. Example: 100
app_instance.messagesBlocked.messageID	String	The message identifier. Example: "20160624211145.62086.mail@evil.zz"
app_instance.messagesBlocked.messageParts	Array	An array of structures that contain details about parts of the message, including both message bodies and attachments. Example: [{"contentType":"text/plain", "filename":"text.txt", ...}]
app_instance.messagesBlocked.messageTime	String	The timestamp of the message. Example: "2016-06-24T21:18:38.000Z"
app_instance.messagesBlocked.modulesRun	Array	The modules that were run on the message. Example: ["pdr", "sandbox", "spam", "urldefense"]
app_instance.messagesBlocked.phishScore	Integer	The phish score of the message. Higher scores indicate higher certainty. Example: 46
app_instance.messagesBlocked.policyRoutes	Array	The policy routes for the email. Example: ["default_inbound", "executives"]
app_instance.messagesBlocked.quarantineFolder	String	The quarantine folder where the email is stored. Example: "Attachment Defense"
app_instance.messagesBlocked.quarantineRule	String	The quarantine rule applied to the email. Example: "module.sandbox.threat"
app_instance.messagesBlocked.recipient	Array	The recipients of the email. Example: ["clark.kent@pharmtech.zz", "diana.prince@pharmtech.zz"]
app_instance.messagesBlocked.replyToAddress	String	The reply-to address of the email.
app_instance.messagesBlocked.sender	String	The sender address of the email. Example: "e99d7ed5580193f36a51f597bc2c0210@evil.zz"
app_instance.messagesBlocked.senderIP	String	The IP address of the sender. Example: "192.0.2.255"
app_instance.messagesBlocked.spamScore	Integer	The spam score of the message. Higher scores indicate higher certainty. Example: 4
app_instance.messagesBlocked.subject	String	The subject of the email. Example: "Please find a totally safe invoice attached."
app_instance.messagesBlocked.threatsInfoMap	Array	An array of structures that contain details about detected threats within the message. There may be more than one threat per message. Example: [{"campaignId": "...", "classification": "...", ...}]
app_instance.messagesBlocked.toAddresses	Array	A list of email addresses contained within the To: header, excluding friendly names. Example: ["clark.kent@pharmtech.zz", "diana.prince@pharmtech.zz"]
app_instance.messagesBlocked.xmailer	String	The xmailer header of the email. Example: "Spambot v2.5"
app_instance.queryEndTime	String	The time at which the period queried for data ended. Example: “2016-06-24T21:36:00Z”

List Campaign IDs

This action retrieves a list of active campaign IDs.

Action Input Parameters

Parameter	Description	Field Type	Required/Optional	Comments
Time From	Enter the time to retrieve the ID of campaigns that are updated after this time. Example: "2020-05-01T12:00:00Z"	Text	Required
Time To	Enter the time to retrieve the ID of campaigns that are updated before this time. Example: "2020-05-01T13:00:00Z"	Text	Required
Page Number	Enter the page number to retrieve campaign IDs. Example: 2	Integer	Optional	Default value: 1
Page Size	Enter the maximum number of campaign IDs to retrieve. Example: 50	Integer	Optional	Default value: 100

Example Request

[
  {
    "time_from": "2020-05-01T12:00:00Z",
    "time_to": "2020-05-01T13:00:00Z",
    "page": 2,
    "size": 50
  }
]

Generic Action

This is a generic action to perform any additional use case on Proofpoint Targeted Attack Prevention (TAP).

Action Input Parameters

Parameter	Description	Field Type	Required/Optional
Endpoint	Enter the endpoint to make the request. Example: "campaign/ids"	Text	Required
Method	Enter the HTTP method. Example: "GET" "POST" "PUT" "DELETE"	Text	Required
Query Params	Enter the query parameters in JSON format to filter the result. Example: $JSON[{"page":1}]	Any	Optional
Payload Data	Enter the payload data to pass with the request. Example: {"data": {'type': type,'id': id}}	Key Value	Optional
Payload JSON	Enter the payload in JSON format to pass with the request. Example: $JSON[{"data": {'type': type,'id': id}}]	Any	Optional

Example Request

[
   {
      "endpoint":"campaign/ids",
      "method":"POST",
      "query_params":[
         {
            "page":1
         }
      ],
      "payload_data":{
         "data":{
            "type":"type",
            "id":"id"
         }
      },
      "payload_json":[
         {
            "data":{
               "type":"type",
               "id":"id"
            }
         }
      ]
   }
]

Cyware Orchestrate

Proofpoint Targeted Attack Protection (TAP)

About App

Configuration Parameters

Action: Decode URLs

Action: Get List of Most Attacked Users

Action: Get Campaign Details

Action: Get Forensic Details by ID

Action: Get All SIEM Events

Action: Get Issues

Action: Get Delivered Messages

Action: Get Blocked Messages

Action: Get Permitted Clicks

Action: Get Blocked Clicks

List Campaign IDs

Generic Action

Search results