User Guide

Synapse-Proofpoint User Guide

Synapse-Proofpoint adds new Storm commands to allow you to query the Proofpoint API using your existing API key.

Getting Started

Check with your Admin to enable permissions and find out if you need a personal API key.

Examples

Adding your personal API key

To add a personal API key:

> proofpoint.config.add myconfig myapikey --scope self --tag-prefix "my.user.proofpoint"
Synapse-Proofpoint config "myconfig" added

List available configurations

To list the available configurations, use the proofpoint.config.list command:

> proofpoint.config.list
 name                      | scope    | owner
===========================|==========|====================================================
 myconfig                  | user     | root

To view the tag prefix of a configuration, use the vault.list --name <name> command where <name> is synapse-proofpoint:<config name>:

> vault.list --name synapse-proofpoint:myconfig
Available Vaults
----------------
Vault: 272bf44f70e6c08793cb75a7c6c89afc
  Name: synapse-proofpoint:myconfig
  Type: synapse-proofpoint
  Scope: user
  Permissions:
    Users:
      root: admin
    Roles: None
  Configs:
    proxy: true
    ssl_verify: true
    tag_prefix: my.user.proofpoint

Fetching campaign data

To fetch a list of active campaign IDs within a given time window, use the proofpoint.tap.campaigns command:

> proofpoint.tap.campaigns --updated ("2025-05-18 00:00:00", "2025-05-19 00:00:00") --size 1 --yield
ou:campaign=d8a677359f998faac6a621615279b41b
        .created = 2025/08/20 17:11:51.940
        :desc = Emails with characteristics (Examples):
                From: "phonycompany.co.jp  " <[email protected]>
                From: "phonycompany.co.jp  " <[email protected]>
        :ext:id = 0a9f5348-c955-4e19-895f-f779658ae5c0
        :name = company abc phishing | "cogui" | urls | "vevncupnsodm" | japan | 18 - 22 may 2025
        :period = ('2025/05/18 00:00:00.000', '2025/05/18 00:00:00.001')
        :reporter = ab4e472b1463f912ea91897fa366ec84
        :reporter:name = proofpoint
        #my.user.proofpoint.ttp.cogui_phishing_kit
        #my.user.proofpoint.ttp.geofencing
        #my.user.proofpoint.ttp.headers_fencing

To fetch campaign data for a specific campaign, use the proofpoint.tap.campaigns.get command:

> proofpoint.tap.campaigns.get --campaign-id 0a9f5348-c955-4e19-895f-f779658ae5c0 --yield
ou:campaign=d8a677359f998faac6a621615279b41b
        .created = 2025/08/20 17:11:51.940
        :desc = Emails with characteristics (Examples):
                From: "phonycompany.co.jp  " <[email protected]>
                From: "phonycompany.co.jp  " <[email protected]>
        :ext:id = 0a9f5348-c955-4e19-895f-f779658ae5c0
        :name = company abc phishing | "cogui" | urls | "vevncupnsodm" | japan | 18 - 22 may 2025
        :period = ('2025/05/18 00:00:00.000', '2025/05/18 00:00:00.001')
        :reporter = ab4e472b1463f912ea91897fa366ec84
        :reporter:name = proofpoint
        #my.user.proofpoint.ttp.cogui_phishing_kit
        #my.user.proofpoint.ttp.geofencing
        #my.user.proofpoint.ttp.headers_fencing

Fetching threat data

To fetch threat data for a specific threat, use the proofpoint.tap.threats.get command:

> proofpoint.tap.threats.get --threat-id 0ff0ee396f7dc349b7348ffa32c3163e79e3301a6fcaabda2b0ae4f847da3066 --yield
risk:attack=57bd7f22502079d6732318c09ce9990a
        .created = 2025/08/20 17:11:52.042
        :_proofpoint:severity = 0
        :_proofpoint:spread = 1541
        :detected = 2025/05/18 16:54:01.000
        :ext:id = 0ff0ee396f7dc349b7348ffa32c3163e79e3301a6fcaabda2b0ae4f847da3066
        :reporter = ab4e472b1463f912ea91897fa366ec84
        :reporter:name = proofpoint
        :type = proofpoint.phish.url
        #my.user.proofpoint.phish.url
        #my.user.proofpoint.ttp.cogui_phishing_kit
        #my.user.proofpoint.ttp.compromised_website
        #my.user.proofpoint.ttp.geofencing
        #my.user.proofpoint.ttp.headers_fencing

Use of meta:source nodes

Synapse-Proofpoint uses a meta:source node and -(seen)> light weight edges to track nodes observed from the Proofpoint API.

> meta:source=6c1e00b4db994549e58b3bad0b2ec654
meta:source=6c1e00b4db994549e58b3bad0b2ec654
        .created = 2025/08/20 17:11:51.924
        :name = proofpoint api
        :type = synapse.proofpoint

Storm can be used to filter nodes to include/exclude nodes which have been observed by Synapse-Proofpoint. The following example shows how to filter the results of a query to include only results observed by Synapse-Proofpoint:

> #cool.tag.lift +{ <(seen)- meta:source=6c1e00b4db994549e58b3bad0b2ec654 }

Model Extensions

The following extended props are created by the Synapse-Proofpoint powerup:

risk:attack:_proofpoint:severity
    int - The Proofpoint severity score, ranges from 0-1000.

risk:attack:_proofpoint:spread
    int - The number of Proofpoint customers that also received this threat.