Package Documentation
Storm Package: synapse-proofpoint
The following Commands are available from this package. This documentation is generated for version 0.3.0 of the package.
Storm Commands
This package implements the following Storm Commands.
proofpoint.config.add
Add a Synapse-Proofpoint configuration.
The proxy argument can be set to one of the following values:
true: Use the Cortex configured proxy if set.
false: Do not use the Cortex configured proxy if set.
<str>: A proxy URL to use.
Examples:
// Add a global configuration
proofpoint.config.add global_config principal1234 secret1234
// Add a configuration for the current user
proofpoint.config.add my_config principal5678 secret5678
Usage: proofpoint.config.add [options] <name> <principal> <secret>
Options:
--help : Display the command usage.
--ssl-noverify : Do not perform SSL/TLS verification.
--proxy <proxy> : Configure the proxy usage. (default: True)
--tag-prefix <tag_prefix> : The tag prefix to use when recording data from Proofpoint. (default: rep.proofpoint)
--scope <scope> : Set the scope on the configuration. (default: global, choices: global, self, unscoped)
Arguments:
<name> : A unique name for the configuration.
<principal> : The principal string.
<secret> : The secret string.
The command is accessible to users with one or more of the following permissions:
power-ups.proofpoint.admin
power-ups.proofpoint.user
proofpoint.config.del
Delete a Synapse-Proofpoint configuration.
Examples:
// Delete the "fooconfig" configuration
proofpoint.config.del fooconfig
Usage: proofpoint.config.del [options] <name>
Options:
--help : Display the command usage.
Arguments:
<name> : The name of the configuration.
The command is accessible to users with one or more of the following permissions:
power-ups.proofpoint.admin
power-ups.proofpoint.user
proofpoint.config.list
Display the list of Synapse-Proofpoint configurations you have access to.
Usage: proofpoint.config.list [options]
Options:
--help : Display the command usage.
The command is accessible to users with one or more of the following permissions:
power-ups.proofpoint.admin
power-ups.proofpoint.user
proofpoint.config.migrate
Migrate options for all Synapse-Proofpoint configurations.
The proxy argument can be set to one of the following values:
true: Use the Cortex configured proxy if set.
false: Do not use the Cortex configured proxy if set.
<str>: A proxy URL to use.
Examples:
// Migrate the tag prefix for all configurations
proofpoint.config.migrate --tag-prefix my.tagpref
Usage: proofpoint.config.migrate [options]
Options:
--help : Display the command usage.
--ssl-verify <ssl_verify> : Set whether to verify the SSL certificate of the server. (default: None)
--proxy <proxy> : Configure the proxy usage. (default: None)
--tag-prefix <tag_prefix> : The tag prefix to use when recording data from Proofpoint. (default: None)
The command is accessible to users with one or more of the following permissions:
power-ups.proofpoint.admin
proofpoint.config.show
Show the details of a configuration.
Examples:
// Show the in-use configuration for the current user
proofpoint.config.show
// Show a configuration by name
proofpoint.config.show myconfig
Usage: proofpoint.config.show [options] <name>
Options:
--help : Display the command usage.
Arguments:
[name] : The name of the configuration.
The command is accessible to users with one or more of the following permissions:
power-ups.proofpoint.admin
power-ups.proofpoint.user
proofpoint.config.update
Update the configuration of a defined Synapse-Proofpoint configuration.
The proxy argument can be set to one of the following values:
true: Use the Cortex configured proxy if set.
false: Do not use the Cortex configured proxy if set.
<str>: A proxy URL to use.
Examples:
// Set the permission level for user "myuser" to "admin" on the "fooconfig"
// configuration
proofpoint.config.update fooconfig --perm user myuser admin
// Set the permission level for the "all" role to "deny" on the
// "fooconfig" configuration
proofpoint.config.update fooconfig --perm role all deny
// Do not verify the SSL certificate when connecting to "fooconfig"
proofpoint.config.update fooconfig --ssl-verify (false)
// Change the name of the "fooconfig" configuration to "barconfig"
proofpoint.config.update fooconfig --name barconfig
Usage: proofpoint.config.update [options] <config>
Options:
--help : Display the command usage.
--principal <principal> : The principal string.
--secret <secret> : The secret string.
--perm <perm> : Set the permission level for a user or role on this configuration.
Arguments to this option are ``scope``, ``name``, ``level``:
<scope>: The scope for the permission, either "user" or "role".
<name>: The user/role name depending on scope.
<level>: The $lib.auth.easyperm.level, or None to remove the permission.
(default: None)
--ssl-verify <ssl_verify> : Set whether to verify the SSL certificate of the server. (default: None)
--proxy <proxy> : Configure the proxy usage. (default: None)
--tag-prefix <tag_prefix> : The tag prefix to use when recording data from Proofpoint. (default: None)
--name <name> : Rename the configuration. (default: None)
Arguments:
<config> : The name of the configuration to modify.
The command is accessible to users with one or more of the following permissions:
power-ups.proofpoint.admin
power-ups.proofpoint.user
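The configuration commands above are most useful together: one shared configuration, explicit proxy and tag settings, and access narrowed to the people who need it. The following Storm sequence is an added example, not part of the package documentation; the configuration name soc_config, the principal and secret placeholders, the proxy URL, the tag prefix and the user and role names are all constructed for illustration.

```storm
// Add a global (shared) configuration that goes out through an explicit
// proxy and records Proofpoint data under a custom tag prefix.
// PRINCIPAL_PLACEHOLDER / SECRET_PLACEHOLDER stand in for the real API credential.
proofpoint.config.add soc_config PRINCIPAL_PLACEHOLDER SECRET_PLACEHOLDER --scope global --proxy "http://proxy.example.com:8080" --tag-prefix rep.proofpoint.soc

// Start from deny for everyone, then grant the minimum each principal needs.
// Levels are $lib.auth.easyperm.level values: deny, read, edit, admin.
proofpoint.config.update soc_config --perm role all deny
proofpoint.config.update soc_config --perm user analyst1 read
proofpoint.config.update soc_config --perm user socadmin admin

// Review what was recorded; the secret is never needed again at the Storm prompt.
proofpoint.config.show soc_config
```

Denying the "all" role before granting individual users means a newly created account gets no access to the credential by default; the "read" level is enough for an analyst to run the proofpoint.tap.* commands with --config soc_config, while only "admin" can change or rename the configuration.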
proofpoint.tap.campaigns
Fetch a list of active campaign IDs within the given time window.
This will create risk:alert nodes for threats in each campaign.
The --updated option is parsed as an ival type, and therefore
single values and relative times are valid inputs. The default is
-1 hour ago. The maximum interval window is 24 hours.
Examples:
// Fetch a list of active campaign IDs within the last 24 hours
proofpoint.tap.campaigns --updated (-1day, now)
// Fetch a list of active campaign IDs within the last 24 hours, limited to 10 results
proofpoint.tap.campaigns --updated (-1day, now) --size 10
// Fetch a list of active campaign IDs within a 2 hour window on a specific day
proofpoint.tap.campaigns --updated ("2025-05-18 00:00:00", "2025-05-18 02:00:00")
Endpoints:
/v2/campaign/ids : Fetch a list of Proofpoint campaigns.
/v2/campaign/{id} : Fetch a Proofpoint campaign by ID.
Usage: proofpoint.tap.campaigns [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--yield : Yield the newly created nodes.
--size <size> : Limit the number of requested results to the given size (max 200). (default: 100)
--config <config> : The name of the custom configuration to use.
--updated <updated> : Specify the time window to limit results. (default: ('-1hour', 'now'))
The command is accessible to users with one or more of the following permissions:
power-ups.proofpoint.admin
power-ups.proofpoint.user
proofpoint.tap.campaigns.get
Enrich data with Proofpoint campaign information by ID.
This will create risk:alert nodes for each threat in the campaign.
The campaign ID can be specified with the --campaign-id argument, or an inbound ou:campaign node.
Examples:
// Fetch campaign information for a specific campaign ID
proofpoint.tap.campaigns.get --campaign-id 0a9f5348-c955-4e19-895f-f779658ae5c0
// Fetch campaign information for a specific campaign ID and yield the results
proofpoint.tap.campaigns.get --campaign-id 0a9f5348-c955-4e19-895f-f779658ae5c0 --yield
Endpoints:
/v2/campaign/{id} : Fetch a Proofpoint campaign by ID.
/v2/forensics : Fetch the forensics information for a specific threat or campaign.
Usage: proofpoint.tap.campaigns.get [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--yield : Yield newly created nodes.
--config <config> : The name of the custom configuration to use.
--campaign-id <campaign_id> : The ID of the campaign to fetch.
--no-forensics : Do not fetch forensics data.
Inputs:
ou:campaign : The ou:campaign node to fetch.
The command is accessible to users with one or more of the following permissions:
power-ups.proofpoint.admin
power-ups.proofpoint.user
proofpoint.tap.people.vap
Fetch the identities and attack index breakdown of Very Attacked People within your organization for a given period.
Examples:
// Fetch the identities and attack index breakdown of Very Attacked People within the last 14 days
proofpoint.tap.people.vap 14
// Fetch the identities and attack index breakdown of Very Attacked People within the last 30 days
proofpoint.tap.people.vap 30
// Fetch the identities and attack index breakdown of Very Attacked People within the last 90 days
proofpoint.tap.people.vap 90
Endpoints:
/v2/people/vap : Fetch the identities and attack index breakdown of Very Attacked People.
Usage: proofpoint.tap.people.vap [options] <window>
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--yield : Yield newly created nodes.
--size <size> : Limit the number of requested results to the given size (max 1000). (default: 1000)
--config <config> : The name of the custom configuration to use.
Arguments:
<window> : The number of days to fetch the data for. (choices: 14, 30, 90)
The command is accessible to users with one or more of the following permissions:
power-ups.proofpoint.admin
power-ups.proofpoint.user
proofpoint.tap.siem.messages.blocked
Fetch the blocked messages from the Proofpoint SIEM.
The --since-last option can be used to set up a cron job that will automatically increment
the min-time with a globally stored value. Only a single cron job using --since-last
should be implemented to ensure that results are contiguous in the view it is running.
The first time --since-last is used the --min-time argument will define the starting point,
otherwise the --min-time argument is ignored when --since-last is specified.
Note: The --filter-recipients argument matches on the recipient entries of the email
responses and is done client side post fetching of the blocked messages. This can be a single
address or list of addresses.
Examples:
// Fetch the blocked messages from the Proofpoint SIEM (using the default -1 hour time window)
proofpoint.tap.siem.messages.blocked
// Fetch the blocked messages from the Proofpoint SIEM for a specific recipient
proofpoint.tap.siem.messages.blocked --filter-recipients "test@example.com"
// Fetch the blocked messages from the Proofpoint SIEM for a list of specific recipients
// using a list variable.
$filter_recipients = (["test@example.com", "test2@example.com"])
proofpoint.tap.siem.messages.blocked --filter-recipients $filter_recipients
// Fetch the blocked messages from the Proofpoint SIEM (starting -24 hours ago)
proofpoint.tap.siem.messages.blocked --min-time "-24hours"
// Fetch the blocked messages from the Proofpoint SIEM (starting 13:42:00 and ending 14:42:00)
proofpoint.tap.siem.messages.blocked --min-time "2025-09-10 13:42:00" --max-time "2025-09-10 14:42:00"
// Create a cron job to fetch the blocked messages from the Proofpoint SIEM every day
cron.add --name proofpoint.tap.siem.messages.blocked --hour 3
{ proofpoint.tap.siem.messages.blocked --since-last }
Endpoints:
/v2/siem/messages/blocked : Fetch the blocked messages from the Proofpoint SIEM.
Usage: proofpoint.tap.siem.messages.blocked [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--yield : Yield newly created nodes.
--filter-recipients <filter_recipients> : Filter the results by recipient email address. Can be a single or multiple email addresses.
--min-time <min_time> : Specify the minimum time to start retrieving results. (default: -1hour)
--max-time <max_time> : Specify the maximum time to stop retrieving results. (default: now)
--since-last : Fetch the results since the last run of the command with --since-last specified.
--no-threat-info : Do not fetch threat information.
--config <config> : The name of the custom configuration to use.
The command is accessible to users with one or more of the following permissions:
power-ups.proofpoint.admin
power-ups.proofpoint.user
proofpoint.tap.threats.get
Enrich data with Proofpoint threat forensics information.
The Forensics endpoint pulls forensic evidence about threats observed in
your environment.
The threat ID can be specified with the --threat-id argument, or an inbound risk:alert node.
Examples:
// Fetch threat information for a specific threat ID
proofpoint.tap.threats.get --threat-id 0ff0ee396f7dc349b7348ffa32c3163e79e3301a6fcaabda2b0ae4f847da3066
// Fetch threat information for a specific threat ID and yield the results
proofpoint.tap.threats.get --threat-id 0ff0ee396f7dc349b7348ffa32c3163e79e3301a6fcaabda2b0ae4f847da3066 --yield
Endpoints:
/v2/threat/summary/{id} : Fetch detailed attributes about an individual threat identified by a Threat ID.
/v2/forensics : Fetch the forensics information for a specific threat or campaign.
Usage: proofpoint.tap.threats.get [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--yield : Yield newly created nodes.
--config <config> : The name of the custom configuration to use.
--threat-id <threat_id> : The ID of the threat to fetch.
--no-forensics : Do not fetch forensics data.
Inputs:
risk:alert : The risk:alert node to fetch.
The command is accessible to users with one or more of the following permissions:
power-ups.proofpoint.admin
power-ups.proofpoint.user
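The three TAP enrichment commands chain naturally, because proofpoint.tap.campaigns.get accepts inbound ou:campaign nodes and proofpoint.tap.threats.get accepts inbound risk:alert nodes. The pipeline below is an added example, not from the package documentation. It assumes that --yield on proofpoint.tap.campaigns includes the ou:campaign nodes it touched and that --yield on proofpoint.tap.campaigns.get includes the risk:alert nodes it created; the form filters between stages are there so the pipeline simply yields nothing, rather than failing, if a stage emits other forms.

```storm
// 1. Fetch the campaigns active in the last day (bounded to 50 results)
//    and keep only the ou:campaign nodes from whatever was yielded.
proofpoint.tap.campaigns --updated (-1day, now) --size 50 --yield |
+ou:campaign |
// 2. Enrich each campaign. --no-forensics keeps the first pass cheap;
//    the risk:alert nodes created for the campaign's threats are kept.
proofpoint.tap.campaigns.get --no-forensics --yield |
+risk:alert |
// 3. Pull the threat summary and forensics only for those alerts.
proofpoint.tap.threats.get --yield
```

Running the forensics call only in the final stage means the /v2/forensics endpoint is hit once per alert that actually came out of the campaign lookup, rather than once per campaign and again per threat; the --debug option on any stage shows the requests being made if the result set looks wrong.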
Storm Modules
This package does not export any Storm APIs.