Proofpoint TAP - Event Enrichment

This playbook enriches Proofpoint Targeted Attack Protection (TAP) incidents with forensic evidence. By utilizing the 'proofpoint-get-forensics' command, the playbook retrieves forensic evidence based on the campaign ID and threat ID detected in the Proofpoint TAP incidents.

Proofpoint TAP · 21 tasks · 0 inputs · 147 outputs

Outputs

  • Proofpoint.Campaign — Retrieved Campaign objects
  • Proofpoint.Campaign.info — The campaign information - ID,name, description, startDate, and notable.
  • Proofpoint.Campaign.actors — A list of actor objects.
  • Proofpoint.Campaign.families — A list of family objects.
  • Proofpoint.Campaign.malware — A list of malware objects.
  • Proofpoint.Campaign.techniques — A list of technique objects.
  • Proofpoint.Campaign.brands — A list of brand objects.
  • Proofpoint.Campaign.campaignMembers — A list of campaign member objects.
  • Proofpoint.Report — Retrieved Report object identifies
  • Proofpoint.Report.ID — The ID of the report.
  • Proofpoint.Report.Type — The threat type. Can be: "attachment", "url", or "hybrid".
  • Proofpoint.Report.Scope — Whether the report scope covers a campaign or an individual threat.
  • Proofpoint.Report.Attachment — Attachments evidence type objects retrieved from Proofpoint TAP.
  • Proofpoint.Report.Attachment.Time — The relative time at which the evidence was observed during sandboxing.
  • Proofpoint.Report.Attachment.Malicious — Whether the evidence was used to reach a malicious verdict.
  • Proofpoint.Report.Attachment.Display — A friendly display string.
  • Proofpoint.Report.Attachment.SHA256 — The SHA256 hash of the attachment's contents.
  • Proofpoint.Report.Attachment.MD5 — The MD5 hash of the attachment's contents.
  • Proofpoint.Report.Attachment.Blacklisted — Optional. Whether the file was block listed.
  • Proofpoint.Report.Attachment.Offset — Optional. The offset in bytes where the malicious content was found.
  • Proofpoint.Report.Attachment.Size — Optional. The size in bytes of the attachment's contents.
  • Proofpoint.Report.Attachment.Platform.Name — The name of the platform.
  • Proofpoint.Report.Attachment.Platform.OS — The operating system of the platform.
  • Proofpoint.Report.Attachment.Platform.Version — The version of the platform.
  • Proofpoint.Report.Cookie — Cookies evidence type objects retrieved from Proofpoint TAP.
  • Proofpoint.Report.Cookie.Time — The relative time at which the evidence was observed during sandboxing.
  • Proofpoint.Report.Cookie.Malicious — Whether the evidence was used to reach a malicious verdict.
  • Proofpoint.Report.Cookie.Display — A friendly display string.
  • Proofpoint.Report.Cookie.Action — Whether the cookie was set or deleted.
  • Proofpoint.Report.Cookie.Domain — The domain that set the cookie.
  • Proofpoint.Report.Cookie.Key — The name of the cookie being set or deleted.
  • Proofpoint.Report.Cookie.Value — Optional. The content of the cookie being set.
  • Proofpoint.Report.Cookie.Platform.Name — Name of the platform.
  • Proofpoint.Report.Cookie.Platform.OS — The operating system of the platform.
  • Proofpoint.Report.Cookie.Platform.Version — The version of the platform.
  • Proofpoint.Report.DNS — DNS evidence type objects retrieved from Proofpoint TAP.
  • Proofpoint.Report.DNS.Time — The relative time at which the evidence was observed during sandboxing.
  • Proofpoint.Report.DNS.Malicious — Whether the evidence was used to reach a malicious verdict.
  • Proofpoint.Report.DNS.Display — A friendly display string.
  • Proofpoint.Report.DNS.Host — The hostname being resolved.
  • Proofpoint.Report.DNS.CNames — Optional. An array of CNames, which were associated with the hostname.
  • Proofpoint.Report.DNS.IP — Optional. An array of IP addresses that were resolved to the hostname.
  • Proofpoint.Report.DNS.NameServers — Optional. The nameservers responsible for the hostname's domain.
  • Proofpoint.Report.DNS.NameServersList — Optional. The nameservers responsible for the hostnames.
  • Proofpoint.Report.DNS.Platform.Name — The name of the platform.
  • Proofpoint.Report.DNS.Platform.OS — The operating system of the platform.
  • Proofpoint.Report.DNS.Platform.Version — The version of the platform.
  • Proofpoint.Report.Dropper — Droppers evidence type objects retrieved from Proofpoint TAP.
  • Proofpoint.Report.Dropper.Time — The relative time at which the evidence was observed during sandboxing.
  • Proofpoint.Report.Dropper.Malicious — Whether the evidence was used to reach a malicious verdict.
  • Proofpoint.Report.Dropper.Display — A friendly display string.
  • Proofpoint.Report.Dropper.Path — The location of the dropper file.
  • Proofpoint.Report.Dropper.URL — Optional. The name of the static rule inside the sandbox that identified the dropper.
  • Proofpoint.Report.Dropper.Rule — Optional. The URL the dropper contacted.
  • Proofpoint.Report.Dropper.Platform.Name — The name of the platform.
  • Proofpoint.Report.Dropper.Platform.OS — The operating system of the platform.
  • Proofpoint.Report.Dropper.Platform.Version — The version of the platform.
  • Proofpoint.Report.File — Files evidence type objects retrieved from Proofpoint TAP.
  • Proofpoint.Report.File.Time — The relative time at which the evidence was observed during sandboxing.
  • Proofpoint.Report.File.Malicious — Whether the evidence was used to reach a malicious verdict.
  • Proofpoint.Report.File.Display — A friendly display string.
  • Proofpoint.Report.File.Path — Optional. The location of the file operated on.
  • Proofpoint.Report.File.Action — Optional. The filesystem call made (create, modify, or delete).
  • Proofpoint.Report.File.Rule — Optional. The name of the static rule inside the sandbox that identified the suspicious file.
  • Proofpoint.Report.File.SHA256 — Optional. The SH256 hash of the file's contents.
  • Proofpoint.Report.File.MD5 — Optional. The MD5 hash of the file's contents.
  • Proofpoint.Report.File.Size — Optional. The size in bytes of the file's contents.
  • Proofpoint.Report.File.Platform.Name — The name of the platform.
  • Proofpoint.Report.File.Platform.OS — The operating system of the platform.
  • Proofpoint.Report.File.Platform.Version — The version of the platform.
  • Proofpoint.Report.IDS — IDS evidence type objects retrieved from Proofpoint TAP.
  • Proofpoint.Report.IDS.Time — The relative time at which the evidence was observed during sandboxing.
  • Proofpoint.Report.IDS.Malicious — Whether the evidence was used to reach a malicious verdict.
  • Proofpoint.Report.IDS.Display — A friendly display string.
  • Proofpoint.Report.IDS.Name — The friendly name of the IDS rule that observed the malicious traffic.
  • Proofpoint.Report.IDS.SignatureID — The identifier of the IDS rule that observed the malicious traffic.
  • Proofpoint.Report.IDS.Platform.Name — The name of the platform.
  • Proofpoint.Report.IDS.Platform.OS — The operating system of the platform.
  • Proofpoint.Report.IDS.Platform.Version — The version of the platform.
  • Proofpoint.Report.Mutex — Mutex evidence type objects retrieved from Proofpoint TAP.
  • Proofpoint.Report.Mutex.Time — The relative time at which the evidence was observed during sandboxing.
  • Proofpoint.Report.Mutex.Malicious — Whether the evidence was used to reach a malicious verdict.
  • Proofpoint.Report.Mutex.Display — A friendly display string.
  • Proofpoint.Report.Mutex.Name — The name of the mutex.
  • Proofpoint.Report.Mutex.Path — Optional. The path to the process which spawned the mutex.
  • Proofpoint.Report.Mutex.Platform.Name — The name of the platform.
  • Proofpoint.Report.Mutex.Platform.OS — The operating system of the platform.
  • Proofpoint.Report.Mutex.Platform.Version — The version of the platform.
  • Proofpoint.Report.Network — Network evidence type objects retrieved from Proofpoint TAP.
  • Proofpoint.Report.Network.Time — The relative time at which the evidence was observed during sandboxing.
  • Proofpoint.Report.Network.Malicious — Whether the evidence was used to reach a malicious verdict.
  • Proofpoint.Report.Network.Display — A friendly display string.
  • Proofpoint.Report.Network.Action — The type of network activity being initiated (connect or listen).
  • Proofpoint.Report.Network.IP — The remote IP address being contacted.
  • Proofpoint.Report.Network.Port — The remote IP port being contacted.
  • Proofpoint.Report.Network.Type — The protocol being used (tcp or udp).
  • Proofpoint.Report.Network.Platform.Name — The name of the platform.
  • Proofpoint.Report.Network.Platform.OS — The operating system of the platform.
  • Proofpoint.Report.Network.Platform.Version — The version of the platform.
  • Proofpoint.Report.Process — Processes evidence type objects retrieved from Proofpoint TAP.
  • Proofpoint.Report.Process.Time — The relative time at which the evidence was observed during sandboxing.
  • Proofpoint.Report.Process.Malicious — Whether the evidence was used to reach a malicious verdict.
  • Proofpoint.Report.Process.Display — A friendly display string.
  • Proofpoint.Report.Process.Action — The action performed on the process. Relevant when create is produced.
  • Proofpoint.Report.Process.Path — The location of the executable that spawned the process.
  • Proofpoint.Report.Process.Platform.Name — The name of the platform.
  • Proofpoint.Report.Process.Platform.OS — The operating system of the platform.
  • Proofpoint.Report.Process.Platform.Version — The version of the platform.
  • Proofpoint.Report.Registry — Registry evidence type objects retrieved from Proofpoint TAP.
  • Proofpoint.Report.Registry.Time — The relative time at which the evidence was observed during sandboxing.
  • Proofpoint.Report.Registry.Malicious — Whether the evidence was used to reach a malicious verdict.
  • Proofpoint.Report.Registry.Display — A friendly display string.
  • Proofpoint.Report.Registry.Name — Optional. The name of the registry entry being created or set.
  • Proofpoint.Report.Registry.Action — The registry change made (create or set).
  • Proofpoint.Report.Registry.Key — The location of the registry key being modified.
  • Proofpoint.Report.Registry.Value — Optional. The contents of the key being created or set.
  • Proofpoint.Report.Registry.Platform.Name — The name of the platform.
  • Proofpoint.Report.Registry.Platform.OS — The operating system of the platform.
  • Proofpoint.Report.Registry.Platform.Version — The version of the platform.
  • Proofpoint.Report.URL — URL evidence type objects retrieved from Proofpoint TAP.
  • Proofpoint.Report.URL.Time — The relative time at which the evidence was observed during sandboxing.
  • Proofpoint.Report.URL.Malicious — Whether the evidence was used to reach a malicious verdict.
  • Proofpoint.Report.URL.Display — A friendly display string.
  • Proofpoint.Report.URL.URL — The URL which was observed.
  • Proofpoint.Report.URL.Blacklisted — Optional. Whether the URL appeared on a block list.
  • Proofpoint.Report.URL.SHA256 — Optional. The SHA256 hash of the file downloaded from the URL.
  • Proofpoint.Report.URL.MD5 — Optional. The MD5 hash of the file downloaded from the URL.
  • Proofpoint.Report.URL.Size — Optional. The size in bytes of the file retrieved from the URL.
  • Proofpoint.Report.URL.HTTPStatus — Optional. The HTTP status code that was produced when our sandbox visited the URL.
  • Proofpoint.Report.URL.IP — Optional. The IP address that was resolved to the hostname by the sandbox.
  • Proofpoint.Report.URL.Platform.Name — The name of the platform.
  • Proofpoint.Report.URL.Platform.OS — The operating system of the platform.
  • Proofpoint.Report.URL.Platform.Version — The version of the platform.
  • Proofpoint.Report.Behavior — Behavior evidence type objects retrieved from Proofpoint TAP.
  • Proofpoint.Report.Behavior.Time — The relative time at which the evidence was observed during sandboxing.
  • Proofpoint.Report.Behavior.Malicious — Whether the evidence was used to reach a malicious verdict.
  • Proofpoint.Report.Behavior.Display — A friendly display string.
  • Proofpoint.Report.Behavior.URL — The URL that was observed.
  • Proofpoint.Report.Behavior.Path — The location of the executable which spawned the behavior.
  • Proofpoint.Report.Behavior.Platform.Name — The name of the platform.
  • Proofpoint.Report.Behavior.Platform.OS — The operating system of the platform.
  • Proofpoint.Report.Behavior.Platform.Version — The version of the platform.
  • Proofpoint.Report.Screenshot — Screenshot evidence type objects retrieved from Proofpoint TAP.
  • Proofpoint.Report.Screenshot.Time — The relative time at which the evidence was observed during sandboxing.
  • Proofpoint.Report.Screenshot.Malicious — Whether the evidence was used to reach a malicious verdict.
  • Proofpoint.Report.Screenshot.Display — A friendly display string.
  • Proofpoint.Report.Screenshot.URL — The URL hosting the screenshot image.

Commands used

proofpoint-get-campaign proofpoint-get-forensics

Flowchart

Clicks Message Campaign ID Found Campiagn ID Found Threat ID Found Threat ID Found Campaign ID Campaign ID and ThreatID ThreatID Start Start Which Proofpoint Event? Which Proofpoint Event? Check if Campaign ID Exists Check if Campaign ID Exists Check if Campaign ID Exists Check if Campaign ID Exists No Threat ID or Campaign ID Retrieved - Print No Threat ID or Campaign ... Print Get Campaign Information given ID - proofpoint-get-campaign Get Campaign Information ... proofpoint-get-campaign Get Forensics given Campaign ID - proofpoint-get-forensics Get Forensics given Campa... proofpoint-get-forensics Get Forensics Information given Threat ID - proofpoint-get-forensics Get Forensics Information... proofpoint-get-forensics Extract Campaign ID to Context - SetAndHandleEmpty Extract Campaign ID to Co... SetAndHandleEmpty Check if Threat ID Exists Check if Threat ID Exists Get Forensics Information given Threat ID - proofpoint-get-forensics Get Forensics Information... proofpoint-get-forensics Done Done Extract Campaign ID to Context - SetAndHandleEmpty Extract Campaign ID to Co... SetAndHandleEmpty Check if Threat ID Exists Check if Threat ID Exists Extract Threat ID to Context - SetAndHandleEmpty Extract Threat ID to Context SetAndHandleEmpty Extract Threat ID to Context - SetAndHandleEmpty Extract Threat ID to Context SetAndHandleEmpty Enrichment Enrichment Message Events Message Events Click Events Click Events What Information has been Fetched? What Information has been... Irrelevant Event Type - PrintErrorEntry Irrelevant Event Type PrintErrorEntry