Integrate Proofpoint TAP with Google SecOps
This document explains how to integrate Proofpoint TAP with Google Security Operations (Google SecOps).
Integration version: 11.0
Integration parameters
The Proofpoint TAP integration requires the following parameters:
Parameter | Description |
---|---|
API Root | Required. The API root of the Proofpoint Targeted Attack Protection (TAP) instance. |
Username | Required. The username of the Proofpoint TAP instance. |
Password | Required. The API Key of the Proofpoint TAP instance. |
Verify SSL | Optional. If enabled, the integration verifies the validity of the SSL certificate. |
For instructions about how to configure an integration in Google SecOps, see Configure integrations.
You can make changes at a later stage, if needed. After you configure an integration instance, you can use it in playbooks. For more information about how to configure and support multiple instances, see Supporting multiple instances.
Actions
For more information about actions, see Respond to pending actions from Your Workdesk and Perform a manual action.
DecodeURL
Use the DecodeURL action to decode Proofpoint's encoded URLs.
This action runs on the following Google SecOps entity:
URL
Action inputs
Parameter | Description |
---|---|
Encoded URLs | Optional. A comma-separated list of URLs to decode. |
Create URL Entities | Optional. If selected, the action creates a URL entity from the URL after it has been successfully decoded. The default value is |
Action outputs
The DecodeURL action provides the following outputs.
Entity Enrichment
The DecodeURL action supports the following entity enrichment logic:
Enrichment Field Name | Logic - When to apply |
---|---|
Encoded Urls | A comma-separated list of URLs to decode. |
Create URL Entities | If selected, the action creates a URL entity from the URL after it has been successfully decoded. The default value is |
Script Result
The following table describes the values for the script result output when using the DecodeURL action:
Script Result Name | Value Options | Example |
---|---|---|
decoded_urls | N/A | N/A |
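To check a rewritten link outside a playbook, the decoding that DecodeURL performs can be reproduced offline. The following is an added example, not the integration's own code: it assumes the input is a Proofpoint URL Defense v1, v2 or v3 rewritten link, and the function names and sample links in the comments and tests are constructed.

```python
import base64
import re
from html import unescape
from urllib.parse import unquote

# Assumed input: Proofpoint URL Defense v1, v2 and v3 rewritten links.
_VERSION = re.compile(r"https://urldefense(?:\.proofpoint)?\.com/(v[123])/")
_V3 = re.compile(r"v3/__(?P<url>.+?)__;(?P<b64>.*?)!")
_V3_TOKEN = re.compile(r"\*(\*.)?")  # "*" = one char, "**X" = a run of chars
_RUN_CHARS = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
              "abcdefghijklmnopqrstuvwxyz0123456789-_")
_RUN_LEN = {c: i + 2 for i, c in enumerate(_RUN_CHARS)}  # "A" -> 2, "B" -> 3


def _decode_v3(link):
    m = _V3.search(link)
    if not m:
        raise ValueError("malformed v3 link")
    # Characters removed from the URL travel as unpadded URL-safe base64.
    b64 = m["b64"] + "=" * (-len(m["b64"]) % 4)
    replaced = base64.urlsafe_b64decode(b64).decode("utf-8")
    # Mail gateways may collapse "scheme://" to "scheme:/"; restore it.
    url = re.sub(r"^([a-z0-9+.-]+:/)([^/])", r"\1/\2", m["url"], flags=re.I)
    pos = 0
    def fill(tok):
        nonlocal pos
        n = _RUN_LEN[tok[0][-1]] if tok[1] else 1
        chunk = replaced[pos:pos + n]
        pos += n
        return chunk

    return _V3_TOKEN.sub(fill, unquote(url))


def decode_urldefense(link):
    """Return the original URL; non-rewritten input is returned unchanged."""
    link = link.strip()
    ver = _VERSION.match(link)
    if not ver:
        return link
    if ver[1] == "v3":
        return _decode_v3(link)
    raw = re.search(r"[?&]u=([^&]+)", link)
    if not raw:
        raise ValueError("missing u= parameter")
    target = raw[1]
    if ver[1] == "v2":  # v2 writes "%" as "-" and "/" as "_"
        target = target.translate(str.maketrans("-_", "%/"))
    return unescape(unquote(target))
```

The decoder only transforms strings and never requests the decoded URL, so it can be run on links taken from quarantined messages.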
GetCampaign
Use the GetCampaign action to get campaign information by the campaign ID.
This action runs on all entities.
Action inputs
The GetCampaign action requires the following parameters:
Parameter | Description |
---|---|
Campaign ID | Required. The ID of the campaign to get information about. |
Create Insight | Optional. If selected, the action creates an insight with the campaign information. Selected by default. |
Create Threat Campaign Entity | Optional. If selected, the action creates a threat campaign entity from the campaign information. Selected by default. |
Fetch Forensics Info | Optional. If selected, the action fetches forensics information from the campaign. Selected by default. |
Forensic Evidence Type Filter | Optional. A comma-separated list of evidence types to return when fetching forensic info. Possible values:
|
Max Forensics Evidence To Return | Optional. The amount of evidence to return per campaign. The default value is The maximum value is |
Action outputs
The GetCampaign action provides the following outputs.
Script Result
The following table describes the values for the script result output when using the GetCampaign action:
Script Result Name | Value Options | Example |
---|---|---|
campaign_info | N/A | N/A |
Ping
Use the Ping action to test Proofpoint TAP connectivity.
This action runs on all entities.
Action inputs
The Ping action doesn't require any parameters.
Action outputs
The Ping action provides the following outputs.
Script Result
The following table describes the values for the script result output when using the Ping action:
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |