Package Documentation
Storm Package: synapse-proofpoint
The following Commands are available from this package. This documentation is generated for version 0.3.0 of the package.
Storm Commands
This package implements the following Storm Commands.
proofpoint.config.add
Add a Synapse-Proofpoint configuration.
The proxy argument can be set to one of the following values:
true: Use the Cortex configured proxy if set.
false: Do not use the Cortex configured proxy if set.
<str>: A proxy URL to use.
Examples:
// Add a global configuration
proofpoint.config.add global_config principal1234 secret1234
// Add a configuration for the current user
proofpoint.config.add my_config principal5678 secret5678
Usage: proofpoint.config.add [options] <name> <principal> <secret>
Options:
--help : Display the command usage.
--ssl-noverify : Do not perform SSL/TLS verification.
--proxy <proxy> : Configure the proxy usage. (default: True)
--tag-prefix <tag_prefix> : The tag prefix to use when recording data from Proofpoint. (default: rep.proofpoint)
--scope <scope> : Set the scope on the configuration. (default: global, choices: global, self, unscoped)
Arguments:
<name> : A unique name for the configuration.
<principal> : The principal string.
<secret> : The secret string.
proofpoint.config.del
Delete a Synapse-Proofpoint configuration.
Examples:
// Delete the "fooconfig" configuration
proofpoint.config.del fooconfig
Usage: proofpoint.config.del [options] <name>
Options:
--help : Display the command usage.
Arguments:
<name> : The name of the configuration.
proofpoint.config.list
Display the list of Synapse-Proofpoint configurations you have access to.
Usage: proofpoint.config.list [options]
Options:
--help : Display the command usage.
proofpoint.config.migrate
Migrate options for all Synapse-Proofpoint configurations.
The proxy argument can be set to one of the following values:
true: Use the Cortex configured proxy if set.
false: Do not use the Cortex configured proxy if set.
<str>: A proxy URL to use.
Examples:
// Migrate the tag prefix for all configurations
proofpoint.config.migrate --tag-prefix my.tagpref
Usage: proofpoint.config.migrate [options]
Options:
--help : Display the command usage.
--ssl-verify <ssl_verify> : Set whether to verify the SSL certificate of the server. (default: None)
--proxy <proxy> : Configure the proxy usage. (default: None)
--tag-prefix <tag_prefix> : The tag prefix to use when recording data from Proofpoint. (default: None)
proofpoint.config.show
Show the details of a configuration.
Examples:
// Show the in-use configuration for the current user
proofpoint.config.show
// Show a configuration by name
proofpoint.config.show myconfig
Usage: proofpoint.config.show [options] <name>
Options:
--help : Display the command usage.
Arguments:
[name] : The name of the configuration.
proofpoint.config.update
Update the configuration of a defined Synapse-Proofpoint configuration.
The proxy argument can be set to one of the following values:
true: Use the Cortex configured proxy if set.
false: Do not use the Cortex configured proxy if set.
<str>: A proxy URL to use.
Examples:
// Set the permission level for user "myuser" to "admin" on the "fooconfig"
// configuration
proofpoint.config.update fooconfig --perm user myuser admin
// Set the permission level for the "all" role to "deny" on the
// "fooconfig" configuration
proofpoint.config.update fooconfig --perm role all deny
// Do not verify the SSL certificate when connecting to "fooconfig"
proofpoint.config.update fooconfig --ssl-verify (false)
// Change the name of the "fooconfig" configuration to "barconfig"
proofpoint.config.update fooconfig --name barconfig
Usage: proofpoint.config.update [options] <config>
Options:
--help : Display the command usage.
--principal <principal> : The principal string.
--secret <secret> : The secret string.
--perm <perm> : Set the permission level for a user or role on this configuration.
Arguments to this option are ``scope``, ``name``, ``level``:
<scope>: The scope for the permission, either "user" or "role".
<name>: The user/role name depending on scope.
<level>: The $lib.auth.easyperm.level, or None to remove the permission.
(default: None)
--ssl-verify <ssl_verify> : Set whether to verify the SSL certificate of the server. (default: None)
--proxy <proxy> : Configure the proxy usage. (default: None)
--tag-prefix <tag_prefix> : The tag prefix to use when recording data from Proofpoint. (default: None)
--name <name> : Rename the configuration. (default: None)
Arguments:
<config> : The name of the configuration to modify.
proofpoint.tap.campaigns
Fetch a list of active campaign IDs within the given time window.
This will create risk:alert nodes for threats in each campaign.
The --updated option is parsed as an ival type, and therefore
single values and relative times are valid inputs. The default is
-1 hour ago. The maximum interval window is 24 hours.
Examples:
// Fetch a list of active campaign IDs within the last 24 hours
proofpoint.tap.campaigns --updated (-1day, now)
// Fetch a list of active campaign IDs within the last 24 hours, limited to 10 results
proofpoint.tap.campaigns --updated (-1day, now) --size 10
// Fetch a list of active campaign IDs within a 2 hour window on a specific day
proofpoint.tap.campaigns --updated ("2025-05-18 00:00:00", "2025-05-18 02:00:00")
Usage: proofpoint.tap.campaigns [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--yield : Yield the newly created nodes.
--size <size> : Limit the number of requested results to the given size (max 200). (default: 100)
--config <config> : The name of the custom configuration to use.
--updated <updated> : Specify the time window to limit results. (default: ('-1hour', 'now'))
proofpoint.tap.campaigns.get
Enrich data with Proofpoint campaign information by ID.
This will create risk:alert nodes for each threat in the campaign.
The campaign ID can be specified with the --campaign-id argument, or an inbound ou:campaign node.
Examples:
// Fetch campaign information for a specific campaign ID
proofpoint.tap.campaigns.get --campaign-id 0a9f5348-c955-4e19-895f-f779658ae5c0
// Fetch campaign information for a specific campaign ID and yield the results
proofpoint.tap.campaigns.get --campaign-id 0a9f5348-c955-4e19-895f-f779658ae5c0 --yield
Usage: proofpoint.tap.campaigns.get [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--yield : Yield newly created nodes.
--config <config> : The name of the custom configuration to use.
--campaign-id <campaign_id> : The ID of the campaign to fetch.
--no-forensics : Do not fetch forensics data.
proofpoint.tap.people.vap
Fetch the identities and attack index breakdown of Very Attacked People within your organization for a given period.
Examples:
// Fetch the identities and attack index breakdown of Very Attacked People within the last 14 days
proofpoint.tap.people.vap 14
// Fetch the identities and attack index breakdown of Very Attacked People within the last 30 days
proofpoint.tap.people.vap 30
// Fetch the identities and attack index breakdown of Very Attacked People within the last 90 days
proofpoint.tap.people.vap 90
Usage: proofpoint.tap.people.vap [options] <window>
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--yield : Yield newly created nodes.
--size <size> : Limit the number of requested results to the given size (max 1000). (default: 1000)
--config <config> : The name of the custom configuration to use.
Arguments:
<window> : The number of days to fetch the data for. (choices: 14, 30, 90)
proofpoint.tap.siem.messages.blocked
Fetch the blocked messages from the Proofpoint SIEM.
The --since-last option can be used to set up a cron job that automatically advances
the min-time from a globally stored value. Only a single cron job using --since-last
should be implemented, to ensure that results are contiguous in the view it runs in.
The first time --since-last is used, the --min-time argument defines the starting point;
on later runs the --min-time argument is ignored when --since-last is specified.
Note: The --filter-recipients argument matches on the recipient entries of the email
responses and is applied client-side after the blocked messages have been fetched, so it
does not narrow the request sent to the API. It can be a single address or a list of addresses.
Examples:
// Fetch the blocked messages from the Proofpoint SIEM (using the default -1 hour time window)
proofpoint.tap.siem.messages.blocked
// Fetch the blocked messages from the Proofpoint SIEM for a specific recipient
proofpoint.tap.siem.messages.blocked --filter-recipients "test@example.com"
// Fetch the blocked messages from the Proofpoint SIEM for a list of specific recipients
// using a list variable.
$filter_recipients = (["test@example.com", "test2@example.com"])
proofpoint.tap.siem.messages.blocked --filter-recipients $filter_recipients
// Fetch the blocked messages from the Proofpoint SIEM (starting -24 hours ago)
proofpoint.tap.siem.messages.blocked --min-time "-24hours"
// Fetch the blocked messages from the Proofpoint SIEM (starting 13:42:00 and ending 14:42:00)
proofpoint.tap.siem.messages.blocked --min-time "2025-09-10 13:42:00" --max-time "2025-09-10 14:42:00"
// Create a cron job to fetch the blocked messages from the Proofpoint SIEM every day
cron.add --name proofpoint.tap.siem.messages.blocked --hour 3
{ proofpoint.tap.siem.messages.blocked --since-last }
Usage: proofpoint.tap.siem.messages.blocked [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--yield : Yield newly created nodes.
--filter-recipients <filter_recipients> : Filter the results by recipient email address. Can be a single or multiple email addresses.
--min-time <min_time> : Specify the minimum time to start retrieving results. (default: -1hour)
--max-time <max_time> : Specify the maximum time to stop retrieving results. (default: now)
--since-last : Fetch the results since the last run of the command with --since-last specified.
--no-threat-info : Do not fetch threat information.
--config <config> : The name of the custom configuration to use.
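The following is an added example of the --since-last workflow described above; it is not part of the package documentation. It assumes a configuration named "tap_prod" has already been created with proofpoint.config.add, and the recipient addresses are constructed placeholders. It shows the one-time seeding run, the single recurring job, and a separate ad-hoc query for the recipient filter.

```storm
// Added example (not from the package documentation).
// Assumes a configuration named "tap_prod" exists.

// 1. Seed the high-water mark. On the first --since-last run, --min-time defines
//    the starting point, so this backfills the last 24 hours once.
proofpoint.tap.siem.messages.blocked --config tap_prod --min-time "-24hours" --since-last

// 2. Schedule the single recurring collector (5 minutes past every hour).
//    Later runs ignore --min-time and continue from the globally stored value,
//    so only one --since-last job should exist for the view.
cron.add --name proofpoint.blocked.hourly --hourly 5
{ proofpoint.tap.siem.messages.blocked --config tap_prod --since-last }

// 3. Ad-hoc investigation of a watch list, kept out of the recurring job.
//    Addresses are constructed placeholders. The filter is applied client-side
//    after the fetch, so it is an analyst-facing narrowing, not a smaller API request.
$watchlist = (["ceo@example.com", "cfo@example.com"])
proofpoint.tap.siem.messages.blocked --config tap_prod --min-time "-24hours" --filter-recipients $watchlist --yield
```

The recipient filter is deliberately left out of the --since-last job: because the stored min-time advances on every --since-last run and the filter is applied after the fetch, combining the two in the only recurring job would mean blocked messages for non-matching recipients in that window are never recorded (this follows from the behaviour described above rather than being stated explicitly in the help text).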
proofpoint.tap.threats.get
Enrich data with Proofpoint threat forensics information.
The Forensics endpoint pulls forensic evidence about threats observed in your environment.
The threat ID can be specified with the --threat-id argument, or an inbound risk:alert node.
Examples:
// Fetch threat information for a specific threat ID
proofpoint.tap.threats.get --threat-id 0ff0ee396f7dc349b7348ffa32c3163e79e3301a6fcaabda2b0ae4f847da3066
// Fetch threat information for a specific threat ID and yield the results
proofpoint.tap.threats.get --threat-id 0ff0ee396f7dc349b7348ffa32c3163e79e3301a6fcaabda2b0ae4f847da3066 --yield
Usage: proofpoint.tap.threats.get [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--yield : No help available.
--config <config> : The name of the custom configuration to use.
--threat-id <threat_id> : The ID of the threat to fetch.
--no-forensics : Do not fetch forensics data.
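Because proofpoint.tap.campaigns yields the risk:alert nodes it creates and proofpoint.tap.threats.get accepts risk:alert nodes inbound, the two commands can be chained into one enrichment pipeline. This is an added example, not from the package documentation; it assumes a configuration named "tap_prod" exists.

```storm
// Added example (not from the package documentation).
// Assumes a configuration named "tap_prod" was created with proofpoint.config.add.

// Pull campaigns updated in the last 24 hours (the maximum window for --updated),
// yield the risk:alert nodes created for each campaign's threats, and pass them
// inbound to proofpoint.tap.threats.get, which enriches each alert with forensics.
proofpoint.tap.campaigns --config tap_prod --updated (-1day, now) --yield
| proofpoint.tap.threats.get --config tap_prod --yield
```

Running the chain in a view set up for Proofpoint data keeps the alerts and their forensics together; --yield on the final command returns the enriched risk:alert nodes so they can be inspected or filtered further in the same query.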
Storm Modules
This package does not export any Storm APIs.