To learn more, visit the Proofpoint Threat Response Auto Pull documentation.

Basic Parameters

ParameterDescription
Closed AfterRetrieve incidents that were closed after specified date.
Expand EventsRetrieve incidents with events data expanded.
RecipientA comma separated list of recipients to filter by.
SenderA comma separated list of senders to filter by.
Source TypeRetrieve incidents only belong to a specific source.
StateThe state of the incidents to retrieve.

Advanced Parameters

ParameterDescription
Attack VectorRetrieve incidents where the attack vector is specified.
Closed AtRetrieve incidents that were closed on a specific date.
Closed BeforeRetrieve incidents that were closed before specified date.
Created AfterRetrieve incidents that were created after specified date.
Created BeforeRetrieve incidents that were created before specified date.
DispositionFilter by deposition. This filtering parameter may be combined with the sub-disposition parameter only when the disposition parameter is specified as “Unknown”.
Exclude Message BodyWhether to exclude the message body from the json response.
Exclude Mime ContentWhether to exclude the mime content from the json response.
File HashRetrieve incidents which contain the specified file hash.
File NameRetrieve incidents which contain an attachment with the specified name.
File TypeRetrieve incidents which contain a certain type of attachment.
Format To TimezoneFormat the time values in the response to match the specified timezone. For more information please refer to Proofpoint’s documentation.
IPRetrieve incidents by the attacker’s (sender’s) IP address.
Incident Value Fields To JsonSpecify if the response’s incidentfieldvalues section should be returned as json.
Message IDRetrieve incidents by the message IDs enclosed in <>.Example:34f3d3xda2f@foo.com,45g47sgvtt456@bar.com
Sub DispositionRetrieve incidents which have either a Needs Manual Review or Likely Harmless sub-disposition.
Target UserRetrieve incidents where the alert threat name is specified.
URLRetrieve incidents contain the specified url or a part of the specified URL.
Updated AtRetrieve incidents that were updated on a specific date.

Example Output

[    {        "id": 1,        "type": "Malware",        "summary": "Unsolicited Bulk Email",        "description": "EvilScheme test message",        "score": 4200,        "state": "Open",        "created_at": "2018-05-26T21:07:17Z",        "event_count": 3,        "event_sources": [            "Proofpoint TAP"        ],        "users": [            "nbadguy"        ],        "assignee": "Unassigned",        "team": "Unassigned",        "hosts": {            "attacker": [                "54.214.13.31",                "http://tapdemo.evilscheme.org/files/313532373336373133382e33.pdf"            ],            "forensics": [                "http://tapdemo.evilscheme.org/files/313532373336373133382e33.pdf",                "tapdemo.evilscheme.org"            ]        },        "incident_field_values": [            {                "name": "Attack Vector",                "value": "Email"            },            {                "name": "Classification",                "value": "Spam"            },            {                "name": "Severity",                "value": "Critical"            }        ],        "events": [            {                "id": 3,                "category": "malware",                "severity": "Info",                "source": "Proofpoint TAP",                "threatname": "Infection.PDF.File.Exploit.CVE-2010-0188_LibTIFF.",                "classified": false,                "state": "Linked",                "description": "Infection.PDF.File.Exploit.CVE-2010-0188_LibTIFF.",                "attackDirection": "inbound",                "received": "2018-05-26T21:07:17Z",                "malwareName": "Infection.PDF.File.Exploit.CVE-2010-0188_LibTIFF."            },            {                "id": 1,                "category": "spam",                "severity": "Critical",                "source": "Proofpoint TAP",                "threatname": "Unsolicited Bulk Email",                "classified": false,                "state": "Linked",                "attackDirection": "inbound",                "received": "2018-05-26T21:07:17Z"            },            {                "id": 2,                "category": "spam",                "severity": "Critical",                "source": "Proofpoint TAP",                "threatname": "Unsolicited Bulk Email",                "classified": false,                "state": "Linked",                "attackDirection": "inbound",                "received": "2018-05-26T21:07:17Z"            }        ],        "quarantine_results": [],        "successful_quarantines": 0,        "failed_quarantines": 0,        "pending_quarantines": 0    },    {        "id": 2,        "type": "Reported-abuse",        "summary": "Unsolicited Bulk Email",        "description": "",        "score": 5200,        "state": "Open",        "created_at": "2018-06-01T17:57:09Z",        "event_count": 2,        "event_sources": [            "Abuse Mailbox 1",            "Proofpoint TAP"        ],        "users": [],        "assignee": "Unassigned",        "team": "Unassigned",        "hosts": {            "attacker": [                "54.214.13.31",                "http://tapdemo.evilscheme.org/files/313532373837353631342e3137.pdf"            ],            "cnc": [                "54.214.13.31"            ],            "url": [                "http://tapdemo.evilscheme.org/files/313532373837353631342e3137.pdf",                "https://urldefense.proofpoint.com/v2/url?u=http-3A__tapdemo.evilscheme.org_files_313532373837353631342e3137.pdf&d=DwMBAg&c=iwluXPtBMDye_7UHm8BbHNhgJ2spJfG0G_Q5BwBe3AQ&r=zo9nQ1F7O9QiDphB0J9hvAhz521RbrdV9nCXSkiNU_g&m=7wroSca_eZ7TP3t47x-Q6n9tm1ABRvkUGBwwUvdvb6I&s=xTtBtrXodsTPyBwCFIDGBJxCvLCJXaYaiPQa1uSx6cs&e="            ],            "forensics": [                "http://tapdemo.evilscheme.org/files/313532373837353631342e3137.pdf",                "tapdemo.evilscheme.org"            ]        },        "incident_field_values": [            {                "name": "Attack Vector",                "value": "Email"            },            {                "name": "Severity",                "value": "Critical"            },            {                "name": "Classification",                "value": "Reported Abuse"            },            {                "name": "Abuse Disposition",                "value": "Malicious"            }        ],        "events": [            {                "id": 8,                "category": "malware",                "severity": "Info",                "source": "Proofpoint TAP",                "threatname": "Malicious content dropped during execution",                "classified": false,                "state": "Linked",                "description": "Malicious content dropped during execution",                "attackDirection": "inbound",                "received": "2018-06-01T18:02:10Z",                "malwareName": "Malicious content dropped during execution"            },            {                "id": 6,                "category": "malware",                "severity": "Info",                "source": "Proofpoint TAP",                "threatname": "Example signature to fire on TAP demo evilness",                "classified": false,                "state": "Linked",                "description": "Example signature to fire on TAP demo evilness",                "attackDirection": "inbound",                "received": "2018-06-01T17:57:10Z",                "malwareName": "Example signature to fire on TAP demo evilness"            },        ],        "quarantine_results": [            {                "alertSource": "Not Available",                "startTime": "2018-06-01T18:17:43.941Z",                "endTime": "2018-06-01T18:17:44.001Z",                "status": "successful",                "recipientType": "Search",                "recipient": "jsmith@company.com",                "messageId": "<20180601175356.GA30914@tapdemo.evilscheme.org>"                "isRead": "true",                "wasUndone": "true",                "details": "Success"            }        ],        "successful_quarantines": 1,        "failed_quarantines": 0,        "pending_quarantines": 0    }]

Workflow Library Example

Retrieve Incidents with Proofpoint Threat Response Auto Pull and Send Results Via Email

Preview this Workflow on desktop

Proofpoint Threat Response Auto Pull Custom ActionPub-Sub