Proofpoint TAP v1.3.0
Use the Proofpoint Targeted Attack Protection (TAP) integration to protect against and provide additional visibility into phishing and other malicious email attacks.
Classifiers (2)
Dashboards (1)
- Proofpoint TAP
Incident fields (38)
- Proofpoint TAP Campaign ID
- Proofpoint TAP Classification
- Proofpoint TAP Click IP
- Proofpoint TAP Click Time
- Proofpoint TAP Cluster
- Proofpoint TAP Examined By
- Proofpoint TAP GUID
- Proofpoint TAP Header CC
- Proofpoint TAP Header To
- Proofpoint TAP Headers From
- Proofpoint TAP Headers Reply To
- Proofpoint TAP ID
- Proofpoint TAP Imposter Score
- Proofpoint TAP Long Subject
- Proofpoint TAP Malware Score
- Proofpoint TAP Message ID
- Proofpoint TAP Message Parts
- Proofpoint TAP Message Size
- Proofpoint TAP Phishing Score
- Proofpoint TAP Policies
- Proofpoint TAP Quarantine Folder
- Proofpoint TAP Quarantine Rule
- Proofpoint TAP Reply To Address
- Proofpoint TAP SMTP Recipient
- Proofpoint TAP SMTP Sender
- Proofpoint TAP Sender Address
- Proofpoint TAP Sender IP
- Proofpoint TAP Spam Score
- Proofpoint TAP Subject
- Proofpoint TAP Suspicious URL
- Proofpoint TAP Threat ID
- Proofpoint TAP Threat Info Map
- Proofpoint TAP Threat Status
- Proofpoint TAP Threat Time
- Proofpoint TAP Threat URL
- Proofpoint TAP Type
- Proofpoint TAP User Agent
- Proofpoint TAP Xmailer
Incident types (4)
Integrations (1)
Modeling rules (2)
Parsing rules (1)
Playbooks (1)
Reports (1)
- Proofpoint TAP Weekly Report
README
Proofpoint TAP
Use the Proofpoint Targeted Attack Protection (TAP) integration to protect against and provide additional visibility into phishing and other malicious email attacks.
Proofpoint TAP detects, analyzes and blocks advanced threats before they reach your inbox. This includes ransomware and other advanced email threats delivered through malicious attachments and URLs.
What does this pack do?
- Fetches events for all clicks and messages relating to known threats within a specified time period.
- Returns forensics evidence.
- Fetches events for clicks to malicious URLs in a specified time period.
- Fetches events for messages in a specified time period.
- Fetches events for clicks to malicious URLs permitted and messages delivered containing a known attachment threat within a specified time period.
- Fetches a list of IDs of campaigns active in a specified time period.
- Fetches details for a given campaign.
- Fetches a list of the most attacked users in the organization.
- Fetches a list of the top clickers in the organization for a specified time period.
- Decodes URLs that have been rewritten by TAP to their original, target URL.
The playbook in this pack enriches information about the event forensics.
<~XSIAM>
Collect Events from Vendor
To configure the collector for “Proofpoint Targeted Attack Protection”, follow the Cortex XSIAM documentation here.
The ingested “Proofpoint Tap” logs can be queried in XQL Search using the proofpoint_tap_raw dataset.
Notes:
- Data normalization capabilities (rules for parsing and modeling) are available for logs ingested via the mentioned above collector.
- Pay attention to the difference between collection via “Proofpoint Targeted Attack Protection” (which is mentioned above) and collection via “Proofpoint TAP”.
</~XSIAM>