Integrate Proofpoint Threat Protection with Google SecOps
Integration version: 1.0
This document explains how to integrate Proofpoint Threat Protection with Google Security Operations.
Use cases
In the Google SecOps platform, the Proofpoint Threat Protection integration supports the following use cases:
- Automated phishing mitigation: After a phishing alert is verified, automatically add the malicious sender email addresses and domains to the Proofpoint block list so that similar messages are no longer delivered anywhere in the organization.
- Accelerated incident response: Update block list entries for IP addresses and hostnames during an active investigation so that newly discovered indicators of compromise (IOCs) are stopped at the email gateway as soon as they are known.
- Proactive threat protection: Query and retrieve the existing allow and block list entries so that email security policy stays consistent with current threat intelligence, which reduces the organization's attack surface.
- Simplified policy management: Use playbooks to manage bulk additions to, or removals from, the allow list for trusted senders based on approved business requests.
Before you begin
Before you configure the integration in the Google SecOps platform, verify that you have the following:
- Proofpoint Threat Protection API credentials: A valid client ID and client secret. These are generated in the Proofpoint administrative console. Treat the client secret as a privileged credential: it allows changes to the gateway's allow and block lists.
- Cluster ID: The cluster ID associated with your Proofpoint instance. This ID is required to target the correct allow and block lists.
- Network connectivity: The Google SecOps environment must be able to reach the Proofpoint Threat Protection API root endpoint. If you're using a proxy, have the proxy address and credentials available.
Integration parameters
The Proofpoint Threat Protection integration requires the following parameters:
| Parameter | Description |
|---|---|
| API Root | Required. The base URL of the Proofpoint Threat Protection instance. |
| Client ID | Required. The client ID associated with your Proofpoint Threat Protection API credentials. |
| Client Secret | Required. The client secret associated with your Proofpoint Threat Protection API credentials. |
| Cluster ID | Required. The cluster ID associated with your Proofpoint Threat Protection API instance. |
| Verify SSL | Optional. If selected, the integration validates the SSL certificate when connecting to the Proofpoint Threat Protection server. Enabled by default. Leave it enabled: without certificate validation, an on-path attacker can impersonate the API endpoint and receive the client credentials. |
For instructions about how to configure an integration in Google SecOps, see Configure integrations.
You can make changes at a later stage, if needed. After you configure an integration instance, you can use it in playbooks. For more information about how to configure and support multiple instances, see Supporting multiple instances.
Actions
For more information about actions, see Respond to pending actions from Your Workdesk and Perform a manual action.
Add Entry to Allow List
Use the Add Entry to Allow List action to add an entry to the Proofpoint Threat Protection allow list.
This action doesn't run on Google SecOps entities.
Action inputs
The Add Entry to Allow List action requires the following parameters:
| Parameter | Description |
|---|---|
| Cluster ID | Optional. The cluster ID of the allow list. If no value is provided, the action uses the cluster ID from the integration configuration. |
| Allowlist Item | Required. The JSON object representing the allow list item to add. The default value is: |
Action outputs
The Add Entry to Allow List action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Output messages | Available |
| Script result | Available |
Output messages
The Add Entry to Allow List action can return the following output messages:
| Output message | Message description |
|---|---|
| | The action succeeded. |
| Error ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Add Entry to Allow List action:
| Script result name | Value |
|---|---|
| is_success | true or false |
Add Entry to Block List
Use the Add Entry to Block List action to add an entry to the Proofpoint Threat Protection block list.
This action doesn't run on Google SecOps entities.
Action inputs
The Add Entry to Block List action requires the following parameters:
| Parameter | Description |
|---|---|
| Cluster ID | Optional. The cluster ID of the block list. If no value is provided, the action uses the cluster ID from the integration configuration. |
| Blocklist Item | Required. The JSON object representing the block list item to add. The default value is: |
Action outputs
The Add Entry to Block List action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Output messages | Available |
| Script result | Available |
Output messages
The Add Entry to Block List action can return the following output messages:
| Output message | Message description |
|---|---|
| | The action succeeded. |
| Error ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Add Entry to Block List action:
| Script result name | Value |
|---|---|
| is_success | true or false |
Add IOC to Allow List
Use the Add IOC to Allow List action to add specific IOCs to the Proofpoint Threat Protection allow list.
This action doesn't run on Google SecOps entities.
Action inputs
The Add IOC to Allow List action requires the following parameters:
| Parameter | Description |
|---|---|
| Cluster ID | Optional. The cluster ID of the allow list. If no value is provided, the action uses the cluster ID from the integration configuration. |
| Recipient Email Address | Optional. A comma-separated list of recipient email addresses to add to the allow list. |
| Sender Email Address | Optional. A comma-separated list of sender email addresses to add to the allow list. |
| Sender IP Address | Optional. A comma-separated list of sender IP addresses to add to the allow list. |
| Sender Hostname | Optional. A comma-separated list of sender hostnames to add to the allow list. |
| Sender HELO Domain Name | Optional. A comma-separated list of HELO domain names to add to the allow list. |
| Message Header From (Address Only) | Optional. A comma-separated list of "Message Header From" addresses to add to the allow list. |
| Comment | Optional. A description or justification associated with the allow list entries. |
Action outputs
The Add IOC to Allow List action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Output messages | Available |
| Script result | Available |
Output messages
The Add IOC to Allow List action can return the following output messages:
| Output message | Message description |
|---|---|
| | The action succeeded. |
| Error ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Add IOC to Allow List action:
| Script result name | Value |
|---|---|
| is_success | true or false |
Add IOC to Block List
Use the Add IOC to Block List action to add specific IOCs to the Proofpoint Threat Protection block list.
This action doesn't run on Google SecOps entities.
Action inputs
The Add IOC to Block List action requires the following parameters:
| Parameter | Description |
|---|---|
| Cluster ID | Optional. The cluster ID of the block list. If no value is provided, the action uses the cluster ID from the integration configuration. |
| Recipient Email Address | Optional. A comma-separated list of recipient email addresses to add to the block list. |
| Sender Email Address | Optional. A comma-separated list of sender email addresses to add to the block list. |
| Sender IP Address | Optional. A comma-separated list of sender IP addresses to add to the block list. |
| Sender Hostname | Optional. A comma-separated list of sender hostnames to add to the block list. |
| Sender HELO Domain Name | Optional. A comma-separated list of HELO domain names to add to the block list. |
| Message Header From (Address Only) | Optional. A comma-separated list of "Message Header From" addresses to add to the block list. |
| Comment | Optional. A description or justification associated with the block list entries. |
Action outputs
The Add IOC to Block List action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Output messages | Available |
| Script result | Available |
Output messages
The Add IOC to Block List action can return the following output messages:
| Output message | Message description |
|---|---|
| | The action succeeded. |
| Error ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Add IOC to Block List action:
| Script result name | Value |
|---|---|
| is_success | true or false |
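The Add IOC to Allow List and Add IOC to Block List actions above accept the same comma-separated inputs, and a playbook should check those values before they reach the gateway. The following is an added example of such a pre-check; it is not code from the Google SecOps integration or from Proofpoint. The IOC type names are the parameter names from this page; the syntax rules, the list of internal address ranges and the sample input are this example's own assumptions.

```python
"""Validate the comma-separated IOC inputs of the Add IOC actions before
calling them. Added example, not part of the integration; the validation
rules below are this example's own choices."""
import ipaddress
import re
from typing import Optional

# Parameter names of the Add IOC actions, grouped by the syntax they expect.
EMAIL_TYPES = {"Recipient Email Address", "Sender Email Address",
               "Message Header From (Address Only)"}
HOST_TYPES = {"Sender Hostname", "Sender HELO Domain Name"}
IP_TYPES = {"Sender IP Address"}

# Deliberately simple syntax checks: one local part, one @, a dotted domain.
EMAIL_RE = re.compile(r"^[^@\s,]+@([A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,63}$")
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$")

# Assumed list of ranges that can never be an internet sender seen by the
# gateway; an entry for one of them is a typo or an internal relay address.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def split_csv(raw: str) -> list[str]:
    """Split one action input, trimming whitespace and dropping empty items
    and case-insensitive duplicates while keeping the original order."""
    seen, items = set(), []
    for item in raw.split(","):
        value = item.strip()
        if value and value.lower() not in seen:
            seen.add(value.lower())
            items.append(value)
    return items


def check_value(ioc_type: str, value: str) -> Optional[str]:
    """Return None if value is acceptable for ioc_type, else the reason."""
    if ioc_type in EMAIL_TYPES:
        return None if EMAIL_RE.match(value) else "not an email address"
    if ioc_type in HOST_TYPES:
        return None if HOSTNAME_RE.match(value) else "not a hostname"
    if ioc_type in IP_TYPES:
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return "not an IP address"
        # 'addr in net' is False when the IP versions differ, so mixing
        # v4 and v6 networks in the list is safe.
        if any(addr in net for net in INTERNAL_NETWORKS):
            return "internal or non-routable address"
        return None
    raise ValueError(f"unknown IOC type: {ioc_type!r}")


def validate_iocs(ioc_type: str, raw: str) -> tuple[list[str], dict[str, str]]:
    """Return (accepted values, {rejected value: reason}) for one input."""
    accepted, rejected = [], {}
    for value in split_csv(raw):
        reason = check_value(ioc_type, value)
        if reason is None:
            accepted.append(value)
        else:
            rejected[value] = reason
    return accepted, rejected


def validate_action_inputs(inputs: dict[str, str]):
    """Validate every non-empty IOC input of one Add IOC action call.
    Returns ({type: accepted values}, {type: {rejected value: reason}})."""
    accepted, rejected = {}, {}
    for ioc_type, raw in inputs.items():
        if not raw or not raw.strip():
            continue
        ok, bad = validate_iocs(ioc_type, raw)
        if ok:
            accepted[ioc_type] = ok
        if bad:
            rejected[ioc_type] = bad
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample input, shaped like a playbook would pass it.
    sample = {
        "Sender Email Address": "phish@badmail.example, PHISH@badmail.example, not-an-address",
        "Sender IP Address": "203.0.113.7, 10.0.0.5, 2001:db8::1, 300.1.1.1",
        "Sender Hostname": "mx.badmail.example, -bad-.example",
    }
    ok, bad = validate_action_inputs(sample)
    print("accepted:", ok)
    print("rejected:", bad)
```

Run the check in the playbook step before the action and stop the branch on any rejection instead of silently dropping the value: an analyst who pasted a malformed address meant to block something, and an internal address on a gateway list is never what was intended.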
Get Allow List Entries
Use the Get Allow List Entries action to retrieve existing entries from the Proofpoint Threat Protection allow list.
This action doesn't run on Google SecOps entities.
Action inputs
The Get Allow List Entries action requires the following parameters:
| Parameter | Description |
|---|---|
| Cluster ID | Optional. The cluster ID of the allow list. If no value is provided, the action uses the cluster ID from the integration configuration. |
| IOC Type To Return | Optional. The type of IOCs to return. If All is selected, the action returns all entries. The possible values are All, Recipient Email Address, Sender Email Address, Sender IP Address, Sender Hostname, Sender HELO Domain Name, and Message Header From (Address Only). The default value is All. |
| Max IOCs To Return | Optional. The number of IOCs to return. The maximum value is 1000. The default value is 100. A list with more entries than this limit is not returned in full by a single call, so raise the limit or filter by IOC type when you need to audit the whole list. |
Action outputs
The Get Allow List Entries action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example shows the JSON result output received when using the Get Allow List Entries action:
```json
[
  {
    "attribute": "$from",
    "operator": "equal",
    "value": "test@example.com",
    "comment": ""
  }
]
```
Output messages
The Get Allow List Entries action can return the following output messages:
| Output message | Message description |
|---|---|
| | The action succeeded. |
| Error ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Get Allow List Entries action:
| Script result name | Value |
|---|---|
| is_success | true or false |
Get Block List Entries
Use the Get Block List Entries action to retrieve existing entries from the Proofpoint Threat Protection block list.
This action doesn't run on Google SecOps entities.
Action inputs
The Get Block List Entries action requires the following parameters:
| Parameter | Description |
|---|---|
| Cluster ID | Optional. The cluster ID of the block list. If no value is provided, the action uses the cluster ID from the integration configuration. |
| IOC Type To Return | Optional. The type of IOCs to return. If All is selected, the action returns all entries. The possible values are All, Recipient Email Address, Sender Email Address, Sender IP Address, Sender Hostname, Sender HELO Domain Name, and Message Header From (Address Only). The default value is All. |
| Max IOCs To Return | Optional. The number of IOCs to return. The maximum value is 1000. The default value is 100. A list with more entries than this limit is not returned in full by a single call, so raise the limit or filter by IOC type when you need to audit the whole list. |
Action outputs
The Get Block List Entries action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example shows the JSON result output received when using the Get Block List Entries action:
```json
[
  {
    "attribute": "$from",
    "operator": "equal",
    "value": "test@example.com",
    "comment": ""
  }
]
```
Output messages
The Get Block List Entries action can return the following output messages:
| Output message | Message description |
|---|---|
| | The action succeeded. |
| Error ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Get Block List Entries action:
| Script result name | Value |
|---|---|
| is_success | true or false |
Ping
Use the Ping action to test the connectivity to Proofpoint Threat Protection.
This action doesn't run on Google SecOps entities.
Action inputs
None.
Action outputs
The Ping action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Output messages | Available |
| Script result | Available |
Output messages
The Ping action can return the following output messages:
| Output message | Message description |
|---|---|
| | The action succeeded. |
| Failed to connect to the Proofpoint Threat Protection server! Error is ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Ping action:
| Script result name | Value |
|---|---|
| is_success | true or false |
Remove Entry from Allow List
Use the Remove Entry from Allow List action to remove an entry from the Proofpoint Threat Protection allow list.
This action doesn't run on Google SecOps entities.
Action inputs
The Remove Entry from Allow List action requires the following parameters:
| Parameter | Description |
|---|---|
| Cluster ID | Optional. The cluster ID of the allow list. If no value is provided, the action uses the cluster ID from the integration configuration. |
| IOC Type To Search | Optional. The type of IOCs to search. If All is selected, the action removes every entry whose value matches, regardless of its type. The possible values are All, Recipient Email Address, Sender Email Address, Sender IP Address, Sender Hostname, Sender HELO Domain Name, and Message Header From (Address Only). The default value is All. Because a value such as a domain name can match entries of several types, select a specific type when you intend to remove only one kind of entry. |
| Value | Optional. The value to remove from the allow list. |
| Case Insensitive Search | Required. If selected, the action performs a case-insensitive search and removes all matching entries, so variants of the same value that differ only in case are removed together. |
Action outputs
The Remove Entry from Allow List action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Output messages | Available |
| Script result | Available |
Output messages
The Remove Entry from Allow List action can return the following output messages:
| Output message | Message description |
|---|---|
| | The action succeeded. |
| Error ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Remove Entry from Allow List action:
| Script result name | Value |
|---|---|
| is_success | true or false |
Remove Entry from Block List
Use the Remove Entry from Block List action to remove an entry from the Proofpoint Threat Protection block list.
This action doesn't run on Google SecOps entities.
Action inputs
The Remove Entry from Block List action requires the following parameters:
| Parameter | Description |
|---|---|
| Cluster ID | Optional. The cluster ID of the block list. If no value is provided, the action uses the cluster ID from the integration configuration. |
| IOC Type To Search | Optional. The type of IOCs to search. If All is selected, the action removes every entry whose value matches, regardless of its type. The possible values are All, Recipient Email Address, Sender Email Address, Sender IP Address, Sender Hostname, Sender HELO Domain Name, and Message Header From (Address Only). The default value is All. Because a value such as a domain name can match entries of several types, select a specific type when you intend to remove only one kind of entry. |
| Value | Optional. The value to remove from the block list. |
| Case Insensitive Search | Required. If selected, the action performs a case-insensitive search and removes all matching entries, so variants of the same value that differ only in case are removed together. |
Action outputs
The Remove Entry from Block List action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Output messages | Available |
| Script result | Available |
Output messages
The Remove Entry from Block List action can return the following output messages:
| Output message | Message description |
|---|---|
| | The action succeeded. |
| Error ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Remove Entry from Block List action:
| Script result name | Value |
|---|---|
| is_success | true or false |
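The Get Allow List Entries and Get Block List Entries actions return entries in the JSON shape shown above, and the Remove Entry actions search those same entries by value. The following added example (not code from the Google SecOps integration or from Proofpoint) models both: it applies IOC Type To Return and Max IOCs To Return to a retrieved list, and it shows which entries a Remove Entry call would match for a given Value, IOC Type To Search and Case Insensitive Search setting, so a playbook can preview a removal before running it. Only the "$from" attribute appears on this page; the other attribute names in TYPE_TO_ATTRIBUTE, and the sample entries, are assumptions.

```python
"""Filter allow/block list entries as returned by the Get ... Entries actions
and plan a removal the way the Remove Entry actions search. Added example,
not part of the integration; only "$from" is taken from the page, the other
attribute names below are assumed."""

TYPE_TO_ATTRIBUTE = {
    "Sender Email Address": "$from",                 # from the page's JSON example
    "Sender IP Address": "$ip",                      # assumed
    "Sender Hostname": "$host",                      # assumed
    "Sender HELO Domain Name": "$helo",              # assumed
    "Recipient Email Address": "$rcpt",              # assumed
    "Message Header From (Address Only)": "$hfrom",  # assumed
}
MAX_IOCS_LIMIT = 1000   # documented maximum of Max IOCs To Return
DEFAULT_MAX_IOCS = 100  # documented default


def select_entries(entries, ioc_type="All", max_iocs=DEFAULT_MAX_IOCS):
    """Apply IOC Type To Return and Max IOCs To Return.

    Returns (selected entries, truncated). truncated is True when more
    entries matched than the limit allows, i.e. one call did not show the
    whole list and an audit based on it would be incomplete."""
    limit = max(1, min(int(max_iocs), MAX_IOCS_LIMIT))
    if ioc_type != "All":
        wanted = TYPE_TO_ATTRIBUTE[ioc_type]
        entries = [e for e in entries if e.get("attribute") == wanted]
    return entries[:limit], len(entries) > limit


def entry_matches(entry, value, ioc_type="All", case_insensitive=True):
    """The Remove Entry search rule: optional type filter, then an exact
    value comparison, case-folded when Case Insensitive Search is selected."""
    if ioc_type != "All" and entry.get("attribute") != TYPE_TO_ATTRIBUTE[ioc_type]:
        return False
    left, right = entry.get("value", ""), value
    if case_insensitive:
        left, right = left.casefold(), right.casefold()
    return left == right


def plan_removal(entries, value, ioc_type="All", case_insensitive=True):
    """Split entries into (to remove, to keep) without changing anything,
    so the analyst can see what a Remove Entry call would take out."""
    remove, keep = [], []
    for entry in entries:
        target = remove if entry_matches(entry, value, ioc_type, case_insensitive) else keep
        target.append(entry)
    return remove, keep


# Constructed sample list in the documented entry shape.
SAMPLE_ENTRIES = [
    {"attribute": "$from", "operator": "equal", "value": "test@example.com", "comment": ""},
    {"attribute": "$from", "operator": "equal", "value": "Test@Example.com", "comment": "added twice"},
    {"attribute": "$host", "operator": "equal", "value": "mail.example.com", "comment": ""},
    {"attribute": "$helo", "operator": "equal", "value": "MAIL.example.com", "comment": ""},
    {"attribute": "$ip", "operator": "equal", "value": "203.0.113.7", "comment": "case 1234"},
]

if __name__ == "__main__":
    # With All and a case-insensitive search, one domain name matches both
    # the hostname and the HELO entry; narrowing the type removes only one.
    broad, _ = plan_removal(SAMPLE_ENTRIES, "mail.example.com")
    narrow, _ = plan_removal(SAMPLE_ENTRIES, "mail.example.com", ioc_type="Sender Hostname")
    print(len(broad), "entries would go with IOC Type To Search = All")
    print(len(narrow), "entry would go with IOC Type To Search = Sender Hostname")
    page, truncated = select_entries(SAMPLE_ENTRIES, max_iocs=2)
    print(len(page), "entries shown, truncated =", truncated)
```

The preview matters most on the allow list: removing an entry there is safe, but removing the wrong one on the block list lets a known-bad sender back in, and with IOC Type To Search left at All a single Value can take out entries of several types at once.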