Package Documentation

Storm Package: synapse-proofpoint

The following Commands are available from this package. This documentation is generated for version 0.1.0 of the package.

Storm Commands

This package implements the following Storm Commands.

proofpoint.config.add

Add a Synapse-Proofpoint configuration.

The proxy argument can be set to one of the following values:
  true: Use the Cortex configured proxy if set.
  false: Do not use the Cortex configured proxy if set.
  <str>: A proxy URL to use.

Examples:

  // Add a global configuration
  proofpoint.config.add global_config apikey1234

  // Add a configuration for the current user
  proofpoint.config.add my_config apikey5678


Usage: proofpoint.config.add [options] <name> <apikey>

Options:

  --help                      : Display the command usage.
  --ssl-noverify              : Do not perform SSL/TLS verification.
  --proxy <proxy>             : Configure the proxy usage. (default: True)
  --tag-prefix <tag_prefix>   : The tag prefix to use when recording data from Proofpoint. (default: rep.proofpoint)
  --scope <scope>             : Set the scope on the configuration. (default: global, choices: global, self, unscoped)

Arguments:

  <name>                      : A unique name for the configuration.
  <apikey>                    : The API key string.

proofpoint.config.del

Delete a Synapse-Proofpoint configuration.

Examples:

  // Delete the "fooconfig" configuration
  proofpoint.config.del fooconfig


Usage: proofpoint.config.del [options] <name>

Options:

  --help                      : Display the command usage.

Arguments:

  <name>                      : The name of the configuration.

proofpoint.config.list

Display the list of Synapse-Proofpoint configurations you have access to.


Usage: proofpoint.config.list [options]

Options:

  --help                      : Display the command usage.

proofpoint.config.migrate

Migrate options for all Synapse-Proofpoint configurations.

The proxy argument can be set to one of the following values:
  true: Use the Cortex configured proxy if set.
  false: Do not use the Cortex configured proxy if set.
  <str>: A proxy URL to use.

Examples:

  // Migrate the tag prefix for all configurations
  proofpoint.config.migrate --tag-prefix my.tagpref


Usage: proofpoint.config.migrate [options]

Options:

  --help                      : Display the command usage.
  --ssl-verify <ssl_verify>   : Set whether to verify the SSL certificate of the server. (default: None)
  --proxy <proxy>             : Configure the proxy usage. (default: None)
  --tag-prefix <tag_prefix>   : The tag prefix to use when recording data from Proofpoint. (default: None)

proofpoint.config.show

Show the details of a configuration.

Examples:

  // Show the in-use configuration for the current user
  proofpoint.config.show

  // Show a configuration by name
  proofpoint.config.show myconfig


Usage: proofpoint.config.show [options] <name>

Options:

  --help                      : Display the command usage.

Arguments:

  [name]                      : The name of the configuration.

proofpoint.config.update

Update the configuration of a defined Synapse-Proofpoint configuration.

The proxy argument can be set to one of the following values:
  true: Use the Cortex configured proxy if set.
  false: Do not use the Cortex configured proxy if set.
  <str>: A proxy URL to use.

Examples:

  // Set the permission level for user "myuser" to "admin" on the "fooconfig"
  // configuration
  proofpoint.config.update fooconfig --perm user myuser admin

  // Set the permission level for the "all" role to "deny" on the
  // "fooconfig" configuration
  proofpoint.config.update fooconfig --perm role all deny

  // Do not verify the SSL certificate when connecting to "fooconfig"
  proofpoint.config.update fooconfig --ssl-verify (false)

  // Change the name of the "fooconfig" configuration to "barconfig"
  proofpoint.config.update fooconfig --name barconfig


Usage: proofpoint.config.update [options] <config>

Options:

  --help                      : Display the command usage.
  --apikey <apikey>           : The API key string. (default: None)
  --perm <perm>               : Set the permission level for a user or role on this configuration.
                                Arguments to this option are ``scope``, ``name``, ``level``:
                                  <scope>: The scope for the permission, either "user" or "role".
                                  <name>: The user/role name depending on scope.
                                  <level>: The $lib.auth.easyperm.level, or None to remove the permission.
                                 (default: None)
  --ssl-verify <ssl_verify>   : Set whether to verify the SSL certificate of the server. (default: None)
  --proxy <proxy>             : Configure the proxy usage. (default: None)
  --tag-prefix <tag_prefix>   : The tag prefix to use when recording data from Proofpoint. (default: None)
  --name <name>               : Rename the configuration. (default: None)

Arguments:

  <config>                    : The name of the configuration to modify.

proofpoint.tap.campaigns

Fetch a list of active campaign IDs within the given time window.
This will create risk:attack nodes for threats in each campaign.

The --updated option is parsed as an ival type, so single values
and relative times are valid inputs. The default window is the
last hour ('-1hour', 'now'). The maximum interval window is 24 hours.

Examples:
  // Fetch a list of active campaign IDs within the last 24 hours
  proofpoint.tap.campaigns --updated (-1day, now)

  // Fetch a list of active campaign IDs within the last 24 hours, limited to 10 results
  proofpoint.tap.campaigns --updated (-1day, now) --size 10

  // Fetch a list of active campaign IDs within a 2 hour window on a specific day
  proofpoint.tap.campaigns --updated ("2025-05-18 00:00:00", "2025-05-18 02:00:00")


Usage: proofpoint.tap.campaigns [options]

Options:

  --help                      : Display the command usage.
  --debug                     : Show verbose debug output.
  --yield                     : Yield the newly created nodes.
  --size <size>               : Limit the number of requested results to the given size (max 200). (default: 100)
  --config <config>           : The name of the custom configuration to use.
  --updated <updated>         : Specify the time window to limit results. (default: ('-1hour', 'now'))
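
Because the --updated window is capped at 24 hours and --size at 200, covering a longer period means issuing one proofpoint.tap.campaigns call per window. The following Python helper is an added example, not part of the synapse-proofpoint package: it splits a date range into windows of at most 24 hours and builds the matching command lines. The function names, the sample dates and the restriction on configuration names are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

MAX_WINDOW = timedelta(hours=24)  # maximum --updated interval, per the text above
MAX_SIZE = 200                    # maximum --size, per the option help above
TIME_FMT = "%Y-%m-%d %H:%M:%S"    # timestamp format used in the documented example


def campaign_windows(start, end, window=MAX_WINDOW):
    """Split the range start..end into consecutive windows no longer than `window`."""
    if window <= timedelta(0) or window > MAX_WINDOW:
        raise ValueError("window must be positive and at most 24 hours")
    if end <= start:
        raise ValueError("end must be after start")
    windows, cur = [], start
    while cur < end:
        nxt = min(cur + window, end)  # the last window may be shorter
        windows.append((cur, nxt))
        cur = nxt
    return windows


def backfill_commands(start, end, size=100, config=None):
    """Build one proofpoint.tap.campaigns command line per window."""
    if not 1 <= size <= MAX_SIZE:
        raise ValueError(f"size must be between 1 and {MAX_SIZE}")
    # Assumption of this example (not a package rule): keep names to a safe charset.
    if config is not None and not re.fullmatch(r"[A-Za-z0-9_]+", config):
        raise ValueError("config name must be alphanumeric or underscore")
    cmds = []
    for lo, hi in campaign_windows(start, end):
        cmd = (
            "proofpoint.tap.campaigns --updated "
            f'("{lo.strftime(TIME_FMT)}", "{hi.strftime(TIME_FMT)}") --size {size}'
        )
        if config is not None:
            cmd += f" --config {config}"
        cmds.append(cmd)
    return cmds


if __name__ == "__main__":
    # Constructed sample range of 2.5 days, which yields three windows.
    for line in backfill_commands(datetime(2025, 5, 18), datetime(2025, 5, 20, 12), size=200):
        print(line)
```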

proofpoint.tap.campaigns.get

Enrich data with Proofpoint campaign information by ID.
This will create risk:attack nodes for each threat in the campaign.

The campaign ID can be specified with the --campaign-id argument, or an inbound ou:campaign node.

Examples:
  // Fetch campaign information for a specific campaign ID
  proofpoint.tap.campaigns.get --campaign-id 0a9f5348-c955-4e19-895f-f779658ae5c0

  // Fetch campaign information for a specific campaign ID and yield the results
  proofpoint.tap.campaigns.get --campaign-id 0a9f5348-c955-4e19-895f-f779658ae5c0 --yield


Usage: proofpoint.tap.campaigns.get [options]

Options:

  --help                      : Display the command usage.
  --debug                     : Show verbose debug output.
  --yield                     : Yield newly created nodes.
  --config <config>           : The name of the custom configuration to use.
  --campaign-id <campaign_id> : The ID of the campaign to fetch.

proofpoint.tap.threats.get

Enrich data with Proofpoint threat forensics information.

The Forensics endpoint returns forensic evidence about threats observed in
your environment.

The threat ID can be specified with the --threat-id argument, or an inbound risk:attack node.

Examples:
  // Fetch threat information for a specific threat ID
  proofpoint.tap.threats.get --threat-id 0ff0ee396f7dc349b7348ffa32c3163e79e3301a6fcaabda2b0ae4f847da3066

  // Fetch threat information for a specific threat ID and yield the results
  proofpoint.tap.threats.get --threat-id 0ff0ee396f7dc349b7348ffa32c3163e79e3301a6fcaabda2b0ae4f847da3066 --yield


Usage: proofpoint.tap.threats.get [options]

Options:

  --help                      : Display the command usage.
  --debug                     : Show verbose debug output.
  --yield                     : No help available.
  --config <config>           : The name of the custom configuration to use.
  --threat-id <threat_id>     : The ID of the threat to fetch.

Storm Modules

This package does not export any Storm APIs.