Package Documentation
Storm Package: synapse-proofpoint
The following Commands are available from this package. This documentation is generated for version 0.1.0 of the package.
Storm Commands
This package implements the following Storm Commands.
proofpoint.config.add
Add a Synapse-Proofpoint configuration.
The proxy argument can be set to one of the following values:
true: Use the Cortex configured proxy if set.
false: Do not use the Cortex configured proxy if set.
<str>: A proxy URL to use.
Examples:
// Add a global configuration
proofpoint.config.add global_config apikey1234
// Add a configuration for the current user
proofpoint.config.add my_config apikey5678
Usage: proofpoint.config.add [options] <name> <apikey>
Options:
--help : Display the command usage.
--ssl-noverify : Do not perform SSL/TLS verification.
--proxy <proxy> : Configure the proxy usage. (default: True)
--tag-prefix <tag_prefix> : The tag prefix to use when recording data from Proofpoint. (default: rep.proofpoint)
--scope <scope> : Set the scope on the configuration. (default: global, choices: global, self, unscoped)
Arguments:
<name> : A unique name for the configuration.
<apikey> : The API key string.
proofpoint.config.del
Delete a Synapse-Proofpoint configuration.
Examples:
// Delete the "fooconfig" configuration
proofpoint.config.del fooconfig
Usage: proofpoint.config.del [options] <name>
Options:
--help : Display the command usage.
Arguments:
<name> : The name of the configuration.
proofpoint.config.list
Display the list of Synapse-Proofpoint configurations you have access to.
Usage: proofpoint.config.list [options]
Options:
--help : Display the command usage.
proofpoint.config.migrate
Migrate options for all Synapse-Proofpoint configurations.
The proxy argument can be set to one of the following values:
true: Use the Cortex configured proxy if set.
false: Do not use the Cortex configured proxy if set.
<str>: A proxy URL to use.
Examples:
// Migrate the tag prefix for all configurations
proofpoint.config.migrate --tag-prefix my.tagpref
Usage: proofpoint.config.migrate [options]
Options:
--help : Display the command usage.
--ssl-verify <ssl_verify> : Set whether to verify the SSL certificate of the server. (default: None)
--proxy <proxy> : Configure the proxy usage. (default: None)
--tag-prefix <tag_prefix> : The tag prefix to use when recording data from Proofpoint. (default: None)
proofpoint.config.show
Show the details of a configuration.
Examples:
// Show the in-use configuration for the current user
proofpoint.config.show
// Show a configuration by name
proofpoint.config.show myconfig
Usage: proofpoint.config.show [options] <name>
Options:
--help : Display the command usage.
Arguments:
[name] : The name of the configuration.
proofpoint.config.update
Update the configuration of a defined Synapse-Proofpoint configuration.
The proxy argument can be set to one of the following values:
true: Use the Cortex configured proxy if set.
false: Do not use the Cortex configured proxy if set.
<str>: A proxy URL to use.
Examples:
// Set the permission level for user "myuser" to "admin" on the "fooconfig"
// configuration
proofpoint.config.update fooconfig --perm user myuser admin
// Set the permission level for the "all" role to "deny" on the
// "fooconfig" configuration
proofpoint.config.update fooconfig --perm role all deny
// Do not verify the SSL certificate when connecting to "fooconfig"
proofpoint.config.update fooconfig --ssl-verify (false)
// Change the name of the "fooconfig" configuration to "barconfig"
proofpoint.config.update fooconfig --name barconfig
Usage: proofpoint.config.update [options] <config>
Options:
--help : Display the command usage.
--apikey <apikey> : The API key string. (default: None)
--perm <perm> : Set the permission level for a user or role on this configuration.
    Arguments to this option are ``scope``, ``name``, ``level``:
    <scope>: The scope for the permission, either "user" or "role".
    <name>: The user/role name depending on scope.
    <level>: The $lib.auth.easyperm.level, or None to remove the permission.
    (default: None)
--ssl-verify <ssl_verify> : Set whether to verify the SSL certificate of the server. (default: None)
--proxy <proxy> : Configure the proxy usage. (default: None)
--tag-prefix <tag_prefix> : The tag prefix to use when recording data from Proofpoint. (default: None)
--name <name> : Rename the configuration. (default: None)
Arguments:
<config> : The name of the configuration to modify.
proofpoint.tap.campaigns
Fetch a list of active campaign IDs within the given time window.
This will create risk:attack nodes for threats in each campaign.
The --updated option is parsed as an ival type, so
single values and relative times are valid inputs. The default is
the last hour (-1hour, now). The maximum interval window is 24 hours.
Examples:
// Fetch a list of active campaign IDs within the last 24 hours
proofpoint.tap.campaigns --updated (-1day, now)
// Fetch a list of active campaign IDs within the last 24 hours, limited to 10 results
proofpoint.tap.campaigns --updated (-1day, now) --size 10
// Fetch a list of active campaign IDs within a 2 hour window on a specific day
proofpoint.tap.campaigns --updated ("2025-05-18 00:00:00", "2025-05-18 02:00:00")
Usage: proofpoint.tap.campaigns [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--yield : Yield the newly created nodes.
--size <size> : Limit the number of requested results to the given size (max 200). (default: 100)
--config <config> : The name of the custom configuration to use.
--updated <updated> : Specify the time window to limit results. (default: ('-1hour', 'now'))
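Because the maximum interval window is 24 hours, covering a longer period takes one invocation per window. The following is an added example (Python, not part of the package or its documentation) that splits a time range into consecutive windows of at most 24 hours and renders the matching proofpoint.tap.campaigns commands. The function names are hypothetical, the naive datetimes are assumed to be UTC, and the sample range is constructed.

```python
from datetime import datetime, timedelta

MAX_WINDOW = timedelta(hours=24)   # maximum --updated interval stated above
MAX_SIZE = 200                     # maximum --size stated above
FMT = "%Y-%m-%d %H:%M:%S"          # timestamp format used in the examples above


def split_windows(start, end, max_window=MAX_WINDOW):
    """Split [start, end) into consecutive windows no longer than max_window."""
    if end <= start:
        raise ValueError("end must be after start")
    windows = []
    cursor = start
    while cursor < end:
        stop = min(cursor + max_window, end)
        windows.append((cursor, stop))
        cursor = stop              # next window begins where this one ended
    return windows


def campaign_commands(start, end, size=100):
    """Render one proofpoint.tap.campaigns invocation per window."""
    if not 1 <= size <= MAX_SIZE:
        raise ValueError(f"size must be between 1 and {MAX_SIZE}")
    cmds = []
    for lo, hi in split_windows(start, end):
        cmds.append(
            "proofpoint.tap.campaigns --updated "
            f'("{lo.strftime(FMT)}", "{hi.strftime(FMT)}") --size {size}'
        )
    return cmds


if __name__ == "__main__":
    # Constructed sample range: 2.5 days (assumed UTC), so three windows.
    for line in campaign_commands(datetime(2025, 5, 18), datetime(2025, 5, 20, 12)):
        print(line)
```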
proofpoint.tap.campaigns.get
Enrich data with Proofpoint campaign information by ID.
This will create risk:attack nodes for each threat in the campaign.
The campaign ID can be specified with the --campaign-id argument, or an inbound ou:campaign node.
Examples:
// Fetch campaign information for a specific campaign ID
proofpoint.tap.campaigns.get --campaign-id 0a9f5348-c955-4e19-895f-f779658ae5c0
// Fetch campaign information for a specific campaign ID and yield the results
proofpoint.tap.campaigns.get --campaign-id 0a9f5348-c955-4e19-895f-f779658ae5c0 --yield
Usage: proofpoint.tap.campaigns.get [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--yield : Yield newly created nodes.
--config <config> : The name of the custom configuration to use.
--campaign-id <campaign_id> : The ID of the campaign to fetch.
proofpoint.tap.threats.get
Enrich data with Proofpoint threat forensics information.
The Forensics endpoint pulls forensic evidence about threats observed in
your environment.
The threat ID can be specified with the --threat-id argument, or an inbound risk:attack node.
Examples:
// Fetch threat information for a specific threat ID
proofpoint.tap.threats.get --threat-id 0ff0ee396f7dc349b7348ffa32c3163e79e3301a6fcaabda2b0ae4f847da3066
// Fetch threat information for a specific threat ID and yield the results
proofpoint.tap.threats.get --threat-id 0ff0ee396f7dc349b7348ffa32c3163e79e3301a6fcaabda2b0ae4f847da3066 --yield
Usage: proofpoint.tap.threats.get [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--yield : No help available.
--config <config> : The name of the custom configuration to use.
--threat-id <threat_id> : The ID of the threat to fetch.
Storm Modules
This package does not export any Storm APIs.