User Guide
Synapse-Proofpoint User Guide
Synapse-Proofpoint adds new Storm commands to allow you to query the Proofpoint API using your existing API key.
Getting Started
Check with your Admin to enable permissions and find out if you need a personal API key.
Examples
Adding your personal API key
To add a personal API key:
> proofpoint.config.add myconfig myapikey --scope self --tag-prefix "my.user.proofpoint"
Synapse-Proofpoint config "myconfig" added
List available configurations
To list the available configurations, use the proofpoint.config.list
command:
> proofpoint.config.list
name | scope | owner
===========================|==========|====================================================
myconfig | user | root
To view the tag prefix of a configuration, use the vault.list --name <name>
command where <name>
is synapse-proofpoint:<config name>
:
> vault.list --name synapse-proofpoint:myconfig
Available Vaults
----------------
Vault: a27412b2a2976ac9b11c9469a354d2d0
Name: synapse-proofpoint:myconfig
Type: synapse-proofpoint
Scope: user
Permissions:
Users:
root: admin
Roles: None
Configs:
proxy: true
ssl_verify: true
tag_prefix: my.user.proofpoint
Fetching campaign data
To fetch a list of active campaign IDs within a given time window, use the proofpoint.tap.campaigns
command:
> proofpoint.tap.campaigns --updated ("2025-05-18 00:00:00", "2025-05-19 00:00:00") --size 1 --yield
ou:campaign=d8a677359f998faac6a621615279b41b
.created = 2025/07/31 15:42:41.427
:desc = Emails with characteristics (Examples):
From: "phonycompany.co.jp " <[email protected]>
From: "phonycompany.co.jp " <[email protected]>
:ext:id = 0a9f5348-c955-4e19-895f-f779658ae5c0
:name = company abc phishing | "cogui" | urls | "vevncupnsodm" | japan | 18 - 22 may 2025
:period = ('2025/05/18 00:00:00.000', '2025/05/18 00:00:00.001')
:reporter = ab4e472b1463f912ea91897fa366ec84
:reporter:name = proofpoint
#my.user.proofpoint.ttp.cogui_phishing_kit
#my.user.proofpoint.ttp.geofencing
#my.user.proofpoint.ttp.headers_fencing
To fetch campaign data for a specific campaign, use the proofpoint.tap.campaigns.get
command:
> proofpoint.tap.campaigns.get --campaign-id 0a9f5348-c955-4e19-895f-f779658ae5c0 --yield
ou:campaign=d8a677359f998faac6a621615279b41b
.created = 2025/07/31 15:42:41.427
:desc = Emails with characteristics (Examples):
From: "phonycompany.co.jp " <[email protected]>
From: "phonycompany.co.jp " <[email protected]>
:ext:id = 0a9f5348-c955-4e19-895f-f779658ae5c0
:name = company abc phishing | "cogui" | urls | "vevncupnsodm" | japan | 18 - 22 may 2025
:period = ('2025/05/18 00:00:00.000', '2025/05/18 00:00:00.001')
:reporter = ab4e472b1463f912ea91897fa366ec84
:reporter:name = proofpoint
#my.user.proofpoint.ttp.cogui_phishing_kit
#my.user.proofpoint.ttp.geofencing
#my.user.proofpoint.ttp.headers_fencing
Fetching threat data
To fetch threat data for a specific threat, use the proofpoint.tap.threats.get
command:
> proofpoint.tap.threats.get --threat-id 0ff0ee396f7dc349b7348ffa32c3163e79e3301a6fcaabda2b0ae4f847da3066 --yield
risk:attack=57bd7f22502079d6732318c09ce9990a
.created = 2025/07/31 15:42:41.499
:_proofpoint:severity = 0
:_proofpoint:spread = 1541
:detected = 2025/05/18 16:54:01.000
:ext:id = 0ff0ee396f7dc349b7348ffa32c3163e79e3301a6fcaabda2b0ae4f847da3066
:reporter = ab4e472b1463f912ea91897fa366ec84
:reporter:name = proofpoint
:type = proofpoint.phish.url
#my.user.proofpoint.phish.url
#my.user.proofpoint.ttp.cogui_phishing_kit
#my.user.proofpoint.ttp.compromised_website
#my.user.proofpoint.ttp.geofencing
#my.user.proofpoint.ttp.headers_fencing
Use of meta:source
nodes
Synapse-Proofpoint uses a meta:source
node and -(seen)>
light
weight edges to track nodes observed from the Proofpoint API.
> meta:source=6c1e00b4db994549e58b3bad0b2ec654
meta:source=6c1e00b4db994549e58b3bad0b2ec654
.created = 2025/07/31 15:42:41.416
:name = proofpoint api
:type = synapse.proofpoint
Storm can be used to filter nodes to include/exclude nodes which have been observed by Synapse-Proofpoint. The following example shows how to filter the results of a query to include only results observed by Synapse-Proofpoint:
> #cool.tag.lift +{ <(seen)- meta:source=6c1e00b4db994549e58b3bad0b2ec654 }
Model Extensions
The following extended props are created by the Synapse-Proofpoint powerup:
risk:attack:_proofpoint:severity
int - The Proofpoint severity score, ranges from 0-1000.
risk:attack:_proofpoint:spread
int - The number of Proofpoint customers that also received this threat.