- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
Palo Alto XSOAR is not able to ingest Proofpoint's TAP (Targeted Attack Protection) or TRAP (Threat Response Auto-Pull) emails. Because of the automation that is being done with TAP and TRAP, these emails do not go through XSOAR for "phishing" analysis. Our "Phishing" emails go right to XSOAR once a user reports it as phishing with the outlook extension. The TAP and TRAP emails go to a separate mailbox "Quarantine" that myself and team do not have visibility/privileges (administrated by another team) we are not able to just add that mailbox to our exchange profile and report the TAP and TRAP emails due to the high powered account that is used for the "Quarantine" mailbox, has the privileges to read ANY mailbox in the organization, and there are privacy/risk concerns.
My question is, how are other customers ingesting their Proofpoint TAP and TRAP auto quarantined emails into XSOAR? is there another way that we can ingest the TAP and TRAP emails?
Customers use the ProofPoint TAP integration to pull events like "Message Blocked" and "Message Delivered". For these types of alerts we get fields like messageTime, subject, fromAddress and toAddress. We can use this to search for the original email using an integration with EWS/O365/Gmail/etc.. Once you have the original EML or MSG file you can trigger a phishing playbook.
Note: Searching for email across multiple users inboxes requires higher privileges. In the case of Exchange it requires delegation and impersonation rights. You can also do it by running a compliance search which requires a different set of privileges.
The easiest method would be to integration directly with the "Quarantine" inbox. You and your team must decide what set of permission is an acceptable risk. Also an additional point failure where your email search can return more that one result. The playbook would then halt while the analyst decides which eml to process.
Other customers use XSOAR to complement ProofPoint by only ingesting "Message Delivered" and "Clicks Permitted" events. Playbooks are then run to notify, scan or quarantine/block user accounts and endpoints.
Apologies for the long answer. I hope this helps.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!