Overview

When you add a Proofpoint card to a Flow for the first time, you’ll be prompted to configure the connection. This will enable you to connect your Proofpoint account, save your account information, and reuse the connection for future Proofpoint Flows.

Note: You can create multiple connections and manage them from your Settings page.

To create a new connection from an Event or Action card:

  1. Click New Connection.
  2. Enter a Connection Nickname. This is useful if you plan to create multiple Proofpoint connections to share with your team.
  3. In a separate browser tab, open the TAP dashboard and create a new credential, copying the credential’s Service Principal and Secret values. See Generate TAP Service Credentials.
  4. Paste the credential values into the Service Principal and Secret fields.
  5. Click Create. This saves your connection and returns you to your Flow.

    Events

    • New Permitted Malicious Click

      Start a Flow when there are new events for permitted clicks to malicious URLs.

      This is a polling event that returns at most one hour’s worth of data. Setting the polling interval to an interval greater than one hour will result in no data being returned.

      Unless otherwise mentioned, all fields are text.

      Output

      Links

      • URL: malicious URL that was clicked
      • Classification: threat category of the URL
      • Click Time (date): the time at which the user clicked the URL
      • Threat Time (date): the time at which Proofpoint identified the URL as a threat
      • User Agent: User-Agent header from the clicker’s HTTP request
      • Campaign ID: identifier for the campaign the threat belongs to, if available
      • Click IP: external IP address of the user who clicked the link
      • Sender: email address of sender; user-part is hashed and domain-part in plaintext
      • Recipient: email address of the recipient
      • Sender IP: IP address of the sender
      • ID: UUID of the event
      • GUID: unique identifier of the message in Proofpoint Protection Server (PPS)
      • Threat ID: unique identifier of the threat
      • Threat URL: link to threat entry on TAP dashboard
      • Threat Status: status of the threat
      • Message ID: non-unique message ID extracted from headers of email message

      Context

      • Execution ID: unique identifier associated with the execution of the Flow

    Actions

    • Custom API Action

      Make a custom, authenticated HTTP call to the Proofpoint API.

      NOTE: This action is unlike other Proofpoint cards. Refer to Proofpoint API.

      Required fields are indicated in red.

      Unless otherwise mentioned, all fields are text.

      Options

      • Request Type (drop-down): one of the supported HTTP request methods (sometimes called verbs) in custom API calls:
        • GET retrieves data from a web server based on your parameters. GET requests a representation of the specified resource. If successful, GET will receive a 200 OK response message with the requested content. Refer to additional documentation here.
        • POST sends data to a web server based on your parameters. POST requests include actions like uploading a file. Multiple POSTs may result in a different outcome than a single POST, so you should be cautious about unintentionally sending multiple POSTs. If a POST is successful, you will receive a 200 OK response message. Refer to additional documentation here.
        • PUT sends data to a location in the web server based on your parameters. PUT requests include actions like uploading a file. The difference between PUT and POST is that PUT is idempotent, meaning that the result of a single successful PUT is the same as that of many identical PUTs. If a PUT is successful, you will receive a 2xx success response (usually 201 or 204). Refer to additional documentation here.
        • PATCH applies partial modifications to a resource on a web server based on your parameters. PATCH is not idempotent, meaning that multiple PATCHes could have unintended consequences. If a PATCH is successful, you will receive a 2xx success response (usually 204). Refer to additional documentation here.
        • DELETE deletes the specified resource from the web server based on your parameters (if the resource exists). If a DELETE is successful, you will receive a 200 OK response message. Refer to additional documentation here.

      Input

      Request

      • Relative URL (text): path on the web server you are attempting to interact with. Relative URL means that you don’t specify the protocol or host at the beginning of the URL (such as “https://“); the card prepends the Proofpoint API base URL, so you supply only the part that follows it.

        Example: https://tap-api-v2.proofpoint.com{{input.Request.Relative URL}}
      • Query (object or text): JSON object of query parameters that are appended to the URL

        Example: {"name":"something-urgent"}
      • Headers (object): JSON object that determines the content type of the request. This will usually be a replica of the example below.

        Example: {"Content-type":"application/json"}
      • Body (object): data for your selected HTTP request.

      Output

      Response

      • Status Code (number): success or failure of your HTTP request. Here is a list of all status codes.
      • Headers (object): detailed context for the status code, unrelated to the output body. Response headers are dependent on your selected HTTP request option. Note that not all headers are response headers.
      • Body (object): data returned from your selected HTTP request (for example, the data from a GET request).
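As an added illustration, not code from the original page or from the Okta or Proofpoint connector, the Python below assembles the request this card sends from its four inputs: it prepends the base URL shown in the Relative URL example, encodes the Query object as a query string, merges the Headers object over the JSON default, and attaches the Service Principal and Secret as HTTP Basic credentials. The Basic-auth scheme, the placeholder path and the credential values are assumptions. It also records which request types are safe to resend after a timeout, which is the practical consequence of the idempotency notes in the Request Type list above.

```python
import base64
import json
import urllib.parse
import urllib.request

# Base URL taken from the card's Relative URL example. The credentials are
# placeholders; the real values come from "Generate TAP Service Credentials".
BASE_URL = "https://tap-api-v2.proofpoint.com"
SERVICE_PRINCIPAL = "example-service-principal"  # placeholder
SECRET = "example-secret"                        # placeholder

SUPPORTED_METHODS = {"GET", "POST", "PUT", "PATCH", "DELETE"}
# GET, PUT and DELETE are idempotent; POST and PATCH are not (see Request Type).
IDEMPOTENT_METHODS = {"GET", "PUT", "DELETE"}


def build_custom_api_request(method, relative_url, query=None, headers=None, body=None,
                             service_principal=SERVICE_PRINCIPAL, secret=SECRET):
    """Assemble the authenticated request described by the Custom API Action card.

    Returns a urllib.request.Request that is NOT sent, so each piece can be inspected.
    Assumption: TAP service credentials are presented as HTTP Basic auth with the
    service principal as the username and the secret as the password.
    """
    method = method.upper()
    if method not in SUPPORTED_METHODS:
        raise ValueError(f"unsupported request type: {method}")
    if not relative_url.startswith("/"):
        # A scheme or host in the Relative URL would override the base URL.
        raise ValueError("Relative URL must start with '/' (no scheme or host)")

    url = BASE_URL + relative_url
    if query:
        url += "?" + urllib.parse.urlencode(query)

    # Default to the JSON content type from the card's Headers example.
    req_headers = {"Content-type": "application/json"}
    if headers:
        req_headers.update(headers)
    token = base64.b64encode(f"{service_principal}:{secret}".encode()).decode()
    req_headers["Authorization"] = f"Basic {token}"

    data = None
    if body is not None:
        if method == "GET":
            raise ValueError("GET requests carry no body; use Query instead")
        data = json.dumps(body).encode()

    return urllib.request.Request(url, data=data, headers=req_headers, method=method)


def is_safe_to_retry(method):
    """Only idempotent request types can be resent blindly after a timeout."""
    return method.upper() in IDEMPOTENT_METHODS


if __name__ == "__main__":
    # Placeholder path: the real TAP endpoint paths are not on this page.
    req = build_custom_api_request("GET", "/v2/example/resource", query={"name": "something-urgent"})
    print(req.get_method(), req.full_url)
    print("retry safe:", is_safe_to_retry("GET"), is_safe_to_retry("POST"))
```

The request object is never sent here; pass it to `urllib.request.urlopen` once the placeholder credentials are replaced. Keeping the retry decision tied to the method matters because a Flow that re-runs a failed POST repeats the side effect, while re-running a GET or PUT does not.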
    • Read Compromised User

      Get users which were most attacked during a specified period in their organizations.

      Required fields are indicated in red.

      Unless otherwise mentioned, all fields are text.

      Options

      • Window (dropdown): choose from available time windows

      Output

      • Total VAP Users (number): number of Very Attacked Persons (VAPs)
      • Interval: time interval in ISO 8601 format that the response was calculated for
      • Average Attack Index (number): average attack index value
      • VAP Attack Index Threshold (number): attack index threshold for this interval; users above this threshold are considered to be VAPs

      • Users: an array of User objects

        • Identity (object)
        • GUID: unique Proofpoint identifier
        • Customer User ID: identifier associated with the user that was provided by customer
        • Emails (object): list of email addresses associated with user
        • Name: user’s name
        • Department: user’s department
        • Location: user’s location
        • Title: user’s title
        • VIP (true/false): ‘true’ if user is considered to be a VIP

        • Threat Statistics (object)

        • Attack Index: user’s attack index value for the specified period

        • Families (object): a collection of threat families, with each entry containing the name and threat score for that family
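As an added example, not code from the original page or from the connector, the Python below takes a response shaped like the output above and applies the rule the VAP Attack Index Threshold field states: a user is a VAP when their Attack Index is above the threshold. It returns the VAPs ordered by attack index with their dominant threat family, and separately the VAPs who are also flagged VIP, which is the subset a defender usually escalates first. The sample response is constructed, and the camelCase JSON keys are assumed renderings of the field names listed above.

```python
# Constructed sample, shaped like the Read Compromised User output. The JSON key
# names are assumed camelCase forms of the card's field labels.
SAMPLE_VAP_RESPONSE = {
    "totalVapUsers": 2,
    "interval": "2024-04-01T00:00:00Z/2024-05-01T00:00:00Z",
    "averageAttackIndex": 35,
    "vapAttackIndexThreshold": 100,
    "users": [
        {"identity": {"guid": "g-1", "customerUserId": "u1001", "emails": ["cfo@example.com"],
                      "name": "Dana Finance", "department": "Finance", "location": "HQ",
                      "title": "CFO", "vip": True},
         "threatStatistics": {"attackIndex": 320,
                              "families": [{"name": "Phish", "score": 250},
                                           {"name": "Malware", "score": 70}]}},
        {"identity": {"guid": "g-2", "customerUserId": "u1002", "emails": ["ops@example.com"],
                      "name": "Sam Ops", "department": "IT", "location": "HQ",
                      "title": "Engineer", "vip": False},
         "threatStatistics": {"attackIndex": 140,
                              "families": [{"name": "Malware", "score": 140}]}},
        {"identity": {"guid": "g-3", "customerUserId": "u1003", "emails": ["ceo@example.com"],
                      "name": "Lee Exec", "department": "Exec", "location": "HQ",
                      "title": "CEO", "vip": True},
         "threatStatistics": {"attackIndex": 60,
                              "families": [{"name": "Spam", "score": 60}]}},
    ],
}


def select_vaps(response):
    """Return users whose attack index is strictly above the interval's VAP threshold.

    Each entry carries the email, VIP flag, attack index, how many times the threshold
    it is, and the threat family contributing the highest score.
    """
    threshold = response["vapAttackIndexThreshold"]
    vaps = []
    for user in response.get("users", []):
        stats = user["threatStatistics"]
        if stats["attackIndex"] <= threshold:
            continue  # below or at threshold: not a VAP for this interval
        families = stats.get("families") or []
        top = max(families, key=lambda f: f["score"]) if families else None
        identity = user["identity"]
        emails = identity.get("emails") or ["<no email>"]
        vaps.append({
            "email": emails[0],
            "name": identity.get("name"),
            "vip": bool(identity.get("vip")),
            "attack_index": stats["attackIndex"],
            "times_threshold": round(stats["attackIndex"] / threshold, 2),
            "top_family": top["name"] if top else None,
        })
    vaps.sort(key=lambda v: v["attack_index"], reverse=True)
    return vaps


def vip_vaps(response):
    """VAPs who are also VIPs: the highest-value, most-targeted accounts."""
    return [v for v in select_vaps(response) if v["vip"]]


if __name__ == "__main__":
    for v in select_vaps(SAMPLE_VAP_RESPONSE):
        print(f"{v['email']:20} index={v['attack_index']:4} "
              f"({v['times_threshold']}x threshold) top={v['top_family']} vip={v['vip']}")
```

Note that the CEO in the sample is a VIP but not a VAP for this interval, so a Flow that keys escalation on the VIP flag alone would miss the point of this card; the threshold comparison is what identifies who is actually being targeted.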

    • Read Delivered Malicious Messages

      Fetch events for messages delivered in the specified time period which contained a known threat.

      The events returned for a specified range are based on the time that the event was created, not the time that the event occurred. The time that an event is created is the later of the following:

      • the time that the message was sent
      • the time that the threat referenced by the message was recognized by Proofpoint

      The input fields in this card are dynamically generated based on your instance.

      Required fields are indicated in red.

      Unless otherwise mentioned, all fields are text.

      Options

      • Range Type (dropdown): choose from available ranges

      Input

      timeRange

      • Interval (date): time interval to query in ISO 8601 format. The minimum interval allowed is 30 seconds and the maximum interval is 1 hour.
      • Since Time (date): start time of query in ISO 8601 format. The end of the period is the current API server time rounded to the nearest minute.
      • Since Seconds Ago (number): set start time of query to this many seconds before the current API server time (rounded to the nearest minute)

      Output

      • Query End Time (date): time the period being queried ended
      • Messages (object)
        • Spam Score (number): message’s spam score
        • Phish Score (number): message’s phish score
        • Impostor Score (number): message’s impostor score
        • Malware Score (number): message’s malware score
        • Threats Info Map (array): array of structures containing details of threats found in the message
        • Sender: email address of sender; user-part is hashed and domain-part in plaintext
        • Recipient: email addresses of the recipients
        • Sender IP: IP address of sender
        • Message ID: non-unique Message-ID extracted from headers of the email message
        • Message Time (date): time when message was delivered to user or quarantined
        • Message Size (number): size of message in bytes
        • ID: UUID of the event
        • QID: queue ID of the message in PPS
        • GUID: unique ID of message in PPS
        • From Address: email address extracted from the From: header of the message, excluding friendly name
        • cc Addresses: list of email addresses from the CC: header, excluding friendly names
        • Reply To Addresses: email address from the Reply-To: header, excluding friendly name
        • To Addresses: list of email addresses from the To: header, excluding friendly names
        • Header From: full From: header, including any friendly name
        • Header Reply To: full Reply-To: header (if present), including friendly name
        • Completely Rewritten: rewrite status of message
        • Cluster: name of the PPS cluster that processed the message
        • Subject: subject line of the message
        • Quarantine Folder: name of folder that contains the quarantined message
        • Quarantine Rule: name of rule that quarantined the message
    • Read Permitted Malicious Clicks

      Fetch events for clicks to malicious URLs permitted in the specified time period.

      The events returned for a specified range are based on the time that the event was created, not the time that the event occurred. The time that an event is created is the later of the following:

      • the time that the click occurred
      • the time that the threat referenced by the click was recognized by Proofpoint

      The input fields in this card are dynamically generated based on your instance.

      Required fields are indicated in red.

      Unless otherwise mentioned, all fields are text.

      Options

      • Range Type (dropdown): choose from available ranges

      Input

      timeRange

      • Interval (date): time interval to query in ISO 8601 format. The minimum interval allowed is 30 seconds and the maximum interval is 1 hour.
      • Since Time (date): start time of query in ISO 8601 format. The end of the period is the current API server time rounded to the nearest minute.
      • Since Seconds Ago (number): set start time of query to this many seconds before the current API server time (rounded to the nearest minute)

      Output

      • Query End Time (date): time the period being queried ended
      • Links (list)
        • URL: malicious URL that was clicked
        • Classification: threat category of the URL
        • Click Time (datetime): time at which the user clicked the URL
        • Threat Time (datetime): time at which Proofpoint identified the URL as a threat
        • User Agent: User-Agent header from the clicker’s HTTP request
        • Campaign ID: ID of campaign the threat belongs to, if available
        • Click IP: external IP address of user who clicked the URL
        • Sender: email address of sender; user-part is hashed and domain-part in plaintext
        • Recipient: email addresses of the recipient
        • Sender IP: IP address of the sender
        • ID: UUID of the event
        • GUID: unique Proofpoint Protection Server (PPS) identifier
        • Threat ID: unique identifier of the threat
        • Threat URL: link to threat entry on TAP dashboard
        • Threat Status: status of the threat
        • Message ID: non-unique message ID extracted from headers of the email message
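The following Python is an added example, not code from the original page or from the connector, serving both the New Permitted Malicious Click event above (which returns at most one hour of data per poll) and this Read Permitted Malicious Clicks action. The first function builds the `interval` value for the next poll from the time of the previous one, honouring the 30 second minimum and 1 hour maximum the Input section states and reporting when the window had to be shortened so the caller can back-fill the gap. The second parses a response shaped like the Output section into triage records, using the documented fact that the sender's user-part is hashed (only the domain is meaningful) and comparing Click Time with Threat Time to flag users who clicked before Proofpoint had recognised the URL. The sample response is constructed, and the camelCase JSON keys are assumed renderings of the field names listed above.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

MIN_INTERVAL = timedelta(seconds=30)   # minimum interval stated in the Input section
MAX_INTERVAL = timedelta(hours=1)      # maximum interval; longer windows return nothing

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _iso(dt):
    return dt.strftime(TIME_FMT)


def _parse(ts):
    return datetime.strptime(ts, TIME_FMT).replace(tzinfo=timezone.utc)


def build_time_range(last_poll, now):
    """Return ({"interval": start/end}, truncated) for the next poll.

    The end is `now` rounded down to the minute, matching the API's minute rounding.
    The start is the previous poll time, but never more than one hour before the end;
    `truncated` is True when that cap moved the start, i.e. events between the real
    last poll and the cap are not covered and need a further back-fill call.
    """
    end = now.replace(second=0, microsecond=0)
    earliest = end - MAX_INTERVAL
    start = max(last_poll, earliest)
    if end - start < MIN_INTERVAL:
        raise ValueError("window shorter than 30 seconds; poll again later")
    return {"interval": f"{_iso(start)}/{_iso(end)}"}, last_poll < earliest


# Constructed sample, shaped like the Read Permitted Malicious Clicks output.
SAMPLE_CLICKS_RESPONSE = {
    "queryEndTime": "2024-05-01T10:30:00Z",
    "clicksPermitted": [
        {"url": "http://bad.example/login", "classification": "phish",
         "clickTime": "2024-05-01T10:12:03Z", "threatTime": "2024-05-01T09:55:00Z",
         "userAgent": "Mozilla/5.0", "campaignId": None, "clickIP": "198.51.100.7",
         "sender": "5d41402abc4b2a76b9719d911017c592@attacker.example",
         "recipient": "alice@example.com", "senderIP": "203.0.113.9",
         "id": "evt-1", "GUID": "guid-1", "threatID": "thr-1",
         "threatURL": "https://tap-dashboard.example/threat/thr-1",
         "threatStatus": "active", "messageID": "<m1@attacker.example>"},
        {"url": "http://bad.example/login", "classification": "phish",
         "clickTime": "2024-05-01T09:40:00Z", "threatTime": "2024-05-01T09:55:00Z",
         "userAgent": "Mozilla/5.0", "campaignId": None, "clickIP": "198.51.100.8",
         "sender": "5d41402abc4b2a76b9719d911017c592@attacker.example",
         "recipient": "bob@example.com", "senderIP": "203.0.113.9",
         "id": "evt-2", "GUID": "guid-2", "threatID": "thr-1",
         "threatURL": "https://tap-dashboard.example/threat/thr-1",
         "threatStatus": "active", "messageID": "<m2@attacker.example>"},
        {"url": "http://dropper.example/x", "classification": "malware",
         "clickTime": "2024-05-01T10:20:00Z", "threatTime": "2024-05-01T10:00:00Z",
         "userAgent": "Mozilla/5.0", "campaignId": "camp-9", "clickIP": "198.51.100.9",
         "sender": "098f6bcd4621d373cade4e832627b4f6@other.example",
         "recipient": "carol@example.com", "senderIP": "203.0.113.10",
         "id": "evt-3", "GUID": "guid-3", "threatID": "thr-2",
         "threatURL": "https://tap-dashboard.example/threat/thr-2",
         "threatStatus": "active", "messageID": "<m3@other.example>"},
    ],
}


def parse_permitted_clicks(response):
    """Turn each permitted click into a triage record."""
    records = []
    for raw in response.get("clicksPermitted", []):
        click_time, threat_time = _parse(raw["clickTime"]), _parse(raw["threatTime"])
        records.append({
            "threat_id": raw["threatID"],
            "url": raw["url"],
            "classification": raw["classification"],
            "recipient": raw["recipient"],
            "click_ip": raw["clickIP"],
            # user-part is hashed, so only the sender domain is usable for correlation
            "sender_domain": raw["sender"].rsplit("@", 1)[-1],
            # clicked before Proofpoint identified the URL: no rewrite could have blocked it
            "clicked_before_detection": click_time < threat_time,
        })
    return records


def group_by_threat(records):
    """One work item per threat: which mailboxes clicked it."""
    grouped = defaultdict(lambda: {"url": None, "classification": None, "recipients": []})
    for r in records:
        item = grouped[r["threat_id"]]
        item["url"], item["classification"] = r["url"], r["classification"]
        item["recipients"].append(r["recipient"])
    return dict(grouped)


if __name__ == "__main__":
    params, truncated = build_time_range(_parse("2024-05-01T10:00:00Z"), _parse("2024-05-01T10:30:15Z"))
    print(params, "truncated:", truncated)
    for tid, item in group_by_threat(parse_permitted_clicks(SAMPLE_CLICKS_RESPONSE)).items():
        print(tid, item["classification"], item["url"], item["recipients"])
```

When `truncated` is True the Flow should loop: poll the one-hour window, then call again with the previous window's end as the new start, until it has caught up. Grouping by Threat ID rather than handling clicks one by one keeps one investigation per URL even when several recipients clicked it.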