Proofpoint ThreatProtection integration content-pack. #35270
@ahopstetter-sce Thank you for your contribution. Please let me know what you think.
name: cluster_id | ||
required: true | ||
type: 0 | ||
description: Threat Protection APIs are REST APIs that allow our Proofpoint On Demand customers to retrieve, add, update or delete certain PoD configurations. |
description: Threat Protection APIs are REST APIs that allow our Proofpoint On Demand customers to retrieve, add, update or delete certain PoD configurations.
description: Threat Protection APIs are REST APIs that allow Proofpoint On Demand customers to retrieve, add, update or delete certain PoD configurations.
- add | ||
- delete | ||
required: true | ||
description: add or delete. |
description: add or delete.
description: The action to perform.
- $helo | ||
- $rcpt | ||
required: true | ||
description: Supported Attributes for the Organizational Safe List. |
description: Supported Attributes for the Organizational Safe List.
description: Supported attributes for the Organizational Safe List.
Is this for the Safe List or the Block list?
- contain | ||
- not_contain | ||
required: true | ||
description: Supported Operators for the Organizational Safe List. |
description: Supported Operators for the Organizational Safe List.
description: Supported operators for the Organizational Safe List.
Is this for the Safe List or the Block List?
- not_contain | ||
required: true | ||
description: Supported Operators for the Organizational Safe List. | ||
- description: Entry to be added to list. |
Which list? Safe List or Block List?
Please specify.
|
||
Use the key and secret generated from the Admin Portal ([See API Key Management](https://help.proofpoint.com/Admin_Portal/Settings/API_Key_Management)) to generate an authentication token. The token is valid for 1 hour. | ||
|
||
Click the <b>+Create New</b> button to display the <b>Create New Threat Protection API Key</b> dialog box for the cluster. Add a descriptive name for the key. The Cluster ID and Expiration Date for the key display in the dialog box. Keys are valid for one year from the date they are generated. Click <b>Generate Key</b> to create the key and secret. |
Click the <b>+Create New</b> button to display the <b>Create New Threat Protection API Key</b> dialog box for the cluster. Add a descriptive name for the key. The Cluster ID and Expiration Date for the key display in the dialog box. Keys are valid for one year from the date they are generated. Click <b>Generate Key</b> to create the key and secret.
1. Click <b>+Create New</b>. The <b>Create New Threat Protection API Key</b> dialog box for the cluster appears.
2. Add a descriptive name for the key.
3. Click <b>Generate Key</b> to create the key and secret.
4. The <b>Create New Threat Protection API Key</b> dialog box displays the key and secret for the currently-selected cluster. Click the page icon next to each cluster to copy the API key and Secret to the clipboard and store them in a safe place. The Secret will not be visible once you close this dialog box. <b>You will need the key and secret to obtain the authentication token for the API service</b>.
The Cluster ID and Expiration Date for the key display in the dialog box. Keys are valid for one year from the date they are generated.
Use the key and secret generated from the Admin Portal ([See API Key Management](https://help.proofpoint.com/Admin_Portal/Settings/API_Key_Management)) to generate an authentication token. The token is valid for 1 hour. | ||
|
||
Click the <b>+Create New</b> button to display the <b>Create New Threat Protection API Key</b> dialog box for the cluster. Add a descriptive name for the key. The Cluster ID and Expiration Date for the key display in the dialog box. Keys are valid for one year from the date they are generated. Click <b>Generate Key</b> to create the key and secret. | ||
- <b>Note</b>: Threat Protection API will honor the key and secret for a 7-day grace period when it expires to give you a chance to <b>Renew</b> it before permanently expiring it. |
- <b>Note</b>: Threat Protection API will honor the key and secret for a 7-day grace period when it expires to give you a chance to <b>Renew</b> it before permanently expiring it.
- <b>Note</b>: The Threat Protection API will honor the key and secret for a 7-day grace period when it expires to give you a chance to <b>Renew</b> it before permanently expiring it.
--- | ||
View Integration Documentation |
---
View Integration Documentation
- <b>Note</b>: Threat Protection API will honor the key and secret for a 7-day grace period when it expires to give you a chance to <b>Renew</b> it before permanently expiring it. | ||
- The ellipsis menu for each key provides two choices: <b>Renew</b> and <b>Revoke</b>. <b>Renew</b> will extend the key expiration for one more year. <b>Revoke</b> will permanently remove the key and it cannot be restored. | ||
|
||
The <b>Create New Threat Protection API Key</b> dialog box displays the key and secret for the currently-selected cluster. Copy the API key and Secret to the clipboard by clicking the page icon next to each and store these in a safe place. The Secret will not be visible once you close this dialog box. <b>You will need the key and secret to obtain the authentication token for the API service</b>. |
@@ -0,0 +1,3 @@ | |||
# Proofpoint Threat Protection | |||
|
|||
Threat Protection APIs are REST APIs that allow our Proofpoint On Demand customers to retrieve, add, update or delete certain PoD configurations. |
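Review bot: the new README (`@@ -0,0 +1,3 @@`) holds only the heading and the one-line API description; an integration README needs the configuration parameters (cluster_id, the API key and its secret) and a reference for the `proofpoint-tp-*` commands defined in the YAML, so it should be generated from the YAML once the YAML edits are in rather than written by hand.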
Threat Protection APIs are REST APIs that allow our Proofpoint On Demand customers to retrieve, add, update or delete certain PoD configurations.
Threat Protection APIs are REST APIs that allow Proofpoint On Demand customers to retrieve, add, update or delete certain PoD configurations.
@ahopstetter-sce After implementing my comments/edits in the yml file, please regenerate the integration readme.
…bling full client mock code if uvicorn run fails on load.
Hello @thefrieddan1, I've added code to test load up the uvicorn server at module load time ... and upon failure .... the code reverts back to full client pytest.mocking responses. Previously only fastapi module load was tested at module load time, but the updated code actually test loads the binding of tcp port 8000 on the loopback. So that should fly on your test servers! :) Adam
Thanks for your doc updates. I honestly upon review thought the _description.md file needed an almost complete redo. You may want to double check that one. Thanks! :) Adam
…nd_randomizerxd-ProofpointThreatProtection' into xsoar-contrib_ahopstetter-sce_and_randomizerxd-ProofpointThreatProtection
|
||
### Proofpoint Threat Protection Integration Setup | ||
|
||
To setup the Proofpoint Threat Protection API XSOAR integration, a Threat Protection API Key and its associated secret must be configured, along with the associated Proofpoint clusterID. ([See API Key Management](https://help.proofpoint.com/Admin_Portal/Settings/API_Key_Management)) for more information regarding Proofpoint Threat Protection API key generation and management. |
To setup the Proofpoint Threat Protection API XSOAR integration, a Threat Protection API Key and its associated secret must be configured, along with the associated Proofpoint clusterID. ([See API Key Management](https://help.proofpoint.com/Admin_Portal/Settings/API_Key_Management)) for more information regarding Proofpoint Threat Protection API key generation and management.
To set up the Proofpoint Threat Protection API Corrtex XSOAR integration, a Threat Protection API Key and its associated secret must be configured, along with the associated Proofpoint clusterID. ([See API Key Management](https://help.proofpoint.com/Admin_Portal/Settings/API_Key_Management)) for more information regarding Proofpoint Threat Protection API key generation and management.
I'm assuming Corrtex here should be Cortex @ShirleyDenkberg
#### To Create a new Threat Protection API Key | ||
|
||
1. From within the Proofpoint Admin Portal, navigate to the API Key Management section. | ||
2. Click <b>+Create New</b>. The <b>Create New Threat Protection API Key</b> dialog box for the cluster appears. |
2. Click <b>+Create New</b>. The <b>Create New Threat Protection API Key</b> dialog box for the cluster appears.
2. Click **+Create New**. The Create New Threat Protection API Key dialog box for the cluster appears.
2. Click <b>+Create New</b>. The <b>Create New Threat Protection API Key</b> dialog box for the cluster appears. | ||
3. Add a descriptive name for the key. | ||
4. Click <b>Generate Key</b> to create the key and secret. | ||
5. The <b>Create New Threat Protection API Key</b> dialog box displays the key and secret for the currently-selected cluster. Click the page icon next to each cluster to copy the API key and Secret to the clipboard and store them in a safe place. The Secret will not be visible once you close this dialog box. <b>You will need the key and secret to obtain the authentication token for the API service</b>. |
5. The <b>Create New Threat Protection API Key</b> dialog box displays the key and secret for the currently-selected cluster. Click the page icon next to each cluster to copy the API key and Secret to the clipboard and store them in a safe place. The Secret will not be visible once you close this dialog box. <b>You will need the key and secret to obtain the authentication token for the API service</b>.
5. The Create New Threat Protection API Key dialog box displays the key and secret for the currently-selected cluster. Click the page icon next to each cluster to copy the API key and Secret to the clipboard and store them in a safe place. The Secret will not be visible once you close this dialog box. You will need the key and secret to obtain the authentication token for the API service.
|
||
#### To Manage previously generated Threat Protection API Keys | ||
|
||
1. From within the Proofpoint Admin Portal, navigate to the API Key Management section. |
1. From within the Proofpoint Admin Portal, navigate to the API Key Management section.
1. In the Proofpoint Admin Portal, navigate to the API Key Management section.
|
||
To setup the Proofpoint Threat Protection API XSOAR integration, a Threat Protection API Key and its associated secret must be configured, along with the associated Proofpoint clusterID. ([See API Key Management](https://help.proofpoint.com/Admin_Portal/Settings/API_Key_Management)) for more information regarding Proofpoint Threat Protection API key generation and management. | ||
|
||
#### To Create a new Threat Protection API Key |
#### To Create a new Threat Protection API Key
#### To Create a New Threat Protection API Key
4. Click <b>Generate Key</b> to create the key and secret. | ||
5. The <b>Create New Threat Protection API Key</b> dialog box displays the key and secret for the currently-selected cluster. Click the page icon next to each cluster to copy the API key and Secret to the clipboard and store them in a safe place. The Secret will not be visible once you close this dialog box. <b>You will need the key and secret to obtain the authentication token for the API service</b>. | ||
|
||
#### To Manage previously generated Threat Protection API Keys |
#### To Manage previously generated Threat Protection API Keys
#### To Manage Previously Generated Threat Protection API Keys
#### To Manage previously generated Threat Protection API Keys | ||
|
||
1. From within the Proofpoint Admin Portal, navigate to the API Key Management section. | ||
2. For each API key previously generated there is an ellipsis providing two choices of action: <b>Renew</b> and <b>Revoke</b>. |
2. For each API key previously generated there is an ellipsis providing two choices of action: <b>Renew</b> and <b>Revoke</b>.
2. For each API key previously generated there is an ellipsis providing two choices of action: <b>Renew</b> and <b>Revoke</b>. Select the action as needed.
@ahopstetter-sce I reviewed the description file again. See my edits.
These edits have been committed and pushed. @ShirleyDenkberg
…nd_randomizerxd-ProofpointThreatProtection' into xsoar-contrib_ahopstetter-sce_and_randomizerxd-ProofpointThreatProtection
For the Reviewer: Successfully created a pipeline in GitLab with url: https://gitlab.xdr.pan.local/xdr/cortex-content/content/-/pipelines/1165178
For the Reviewer: Trigger build request has been accepted for this contribution PR.
For the Reviewer: Successfully created a pipeline in GitLab with url: https://gitlab.xdr.pan.local/xdr/cortex-content/content/-/pipelines/1181485
Hi @ahopstetter-sce
Thanks again for your contribution.
Here are the comments in accordance with the design doc:
- Separate the command add-or-delete into 2 different commands.
- Rename the get commands to list.
- Add pagination to the list commands.
commands: | ||
- arguments: [] | ||
description: Get all entries in the Organizational Block List. | ||
name: proofpoint-tp-blocklist-get |
proofpoint-tp-blocklist-list
API: GET /api/v1/emailProtection/modules/spam/orgBlockList?clusterId=
description: Get all entries in the Organizational Block List
Args:
ArgumentName: page Type: integer isArray: No Required: No
ArgumentName: page_size Type: integer isArray: No Required: No defaultValue: 50 Notes: number of issues per page.
ArgumentName: limit Type: integer isArray: No Required: No defaultValue: is 25 maximum is 100 the number of items to be present in the response
Context output base path: ProofpointThreatProtection.Blocklist
Outputs: Full API response should be returned as output
required: true | ||
- description: A short comment about the entry (max 150 chars). "comment" is ignored for the "delete" action. | ||
name: comment | ||
description: Add/Delete entry from the Organizational Block List. |
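Review bot: the `comment` argument's description, `"comment" is ignored for the "delete" action`, documents an input that is silently discarded, which is itself a reason not to share one command between add and delete; once they are split, `comment` should exist only on the add command and the clause should be dropped, so neither command advertises an argument it does not use.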
Separate the command add-or-delete into 2 different commands.
description: Standard HTTP response with status code 200. | ||
- arguments: [] | ||
description: Get all entries in the Organizational Safe List. | ||
name: proofpoint-tp-safelist-get |
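Review bot: `description: Standard HTTP response with status code 200.` on the last output of the blocklist add-or-delete command describes the transport rather than the context value, and a bare status code is of little use to a playbook; name the field that is actually written under the context path and describe it, or return the changed entry (attribute, operator, value, comment) so a playbook can verify what was added or removed.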
proofpoint-tp-safelist-list
API: GET /api/v1/emailProtection/modules/spam/orgSafeList?clusterId=
Arguments:
ArgumentName: page, PossibleValues: Integer, IsArray: No, Required: No
ArgumentName: page_size, PossibleValues: Integer, IsArray: No, Required: No, DefaultValue: 50, Note: number of issues per page (optional)
ArgumentName: Integer, PossibleValues: Integer, IsArray: No, Required: No, DefaultValue: default is 25 maximum is 100, Note: the number of items to be present in the response.
Context output base path: ProofpointThreatProtection.Safelist
Outputs: Full API response should be returned as output
- description: A short comment about the entry (max 150 chars). "comment" is ignored for the "delete" action. | ||
name: comment | ||
description: Add/Delete entry from the Organizational Block List. | ||
name: proofpoint-tp-blocklist-add-or-delete-entry |
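Review bot: the `max 150 chars` limit on `comment` is stated only in the description, where nothing enforces it; the command implementation should check the length before sending the POST and fail with a clear message naming the limit, otherwise the user only sees whatever error the server returns for the rejected entry.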
proofpoint-tp-safelist-add-entry
API: POST /api/v1/emailProtection/modules/spam/orgSafeList?clusterId=
Inputs:
ArgumentName: action, PossibleValues: String:add, IsArray: No, Required: Yes, defaultValue: add, Note: (hardcoded not an arg)
ArgumentName: attribute, PossibleValues: String:from, hfrom, ip, host, help, rcpt, IsArray: No, Required: Yes, Note: See Table 1 (page 4)
ArgumentName: operator, PossibleValues: String: equal, not_equal, contain, not_contain, IsArray: No, Required: Yes, Note: See Table 1 (page 4)
ArgumentName: value, PossibleValues: String, IsArray: No, Required: Yes, Note: Entry to be added to list
ArgumentName: comment, PossibleValues: String, IsArray: No, Required: No, Note: A short comment about the entry (max 150 chars).
name: comment | ||
description: Add/Delete entry from the Organizational Block List. | ||
name: proofpoint-tp-blocklist-add-or-delete-entry | ||
outputs: |
proofpoint-tp-blocklist-delete-entry
API: POST /api/v1/emailProtection/modules/spam/orgBlockList?clusterId=
Inputs:
ArgumentName: action, PossibleValues: String:delete, IsArray: No, Required: Yes, defaultValue: delete, Note: (hardcoded not an arg)
ArgumentName: attribute, PossibleValues: String:from, hfrom, ip, host, help, rcpt, IsArray: No, Required: Yes, Note: See Table 2 (page 8)
ArgumentName: operator, PossibleValues: String: equal, not_equal, contain,not_contain, IsArray: No, Required: Yes, defaultValue: add, Note: See Table 2 (page 8)
ArgumentName: value, PossibleValues: String, IsArray: No, Required: Yes, Note: Entry to be added to list
Hi @ahopstetter-sce Thanks
Hi @ahopstetter-sce,
Hey @thefrieddan1 .... sorry for the delayed response ..... yea I will get to work on these modifications for you ASAP ..... I was out for the last couple of weeks with a personal issue that suddenly dominated my world but am over that now .... so in regaining focus I will get these items on my radar and work them to conclusion and get them pushed up as soon as humanly possible! :D Thanks!
Hey @thefrieddan1 .... I have all the requested changes implemented save one .... which is pagination ... are we implementing this in integrations where the underlying API does NOT support .... and only supports fetching the entire list in an API operation .... seems like an utter abuse of resources to implement a lipstick style client side pagination interface only to front end multiple "get all" calls to the API server-side? Is this what xsoar is desiring here?
All requested items have been completed, committed and pushed.
Merged dfb547c into demisto:contrib/ahopstetter-sce_xsoar-contrib_ahopstetter-sce_and_randomizerxd-ProofpointThreatProtection
Thank you for your contribution. Your external PR has been merged and the changes are now included in an internal PR for further review. The internal PR will be merged to the master branch within 3 business days. |
* Proofpoint ThreatProtection integration content-pack. (#35270)
  * Proofpoint ThreatProtection integration content-pack.
  * Updates to pass XSOAR Circle-CI validation checks.
  * Documentation review updates.
  * Added pre-emptive testload of uvicorn server at pytest load time, enabling full client mock code if uvicorn run fails on load.
  * Updates to the description.md.
  * Bugfixes for auth headers.
  * Rename get commands to list, split add/delete commands and fixup human readable returns.
  * Added limit and all_results arguments to list commands.
  * Fixed up the yaml file and updated the tests file to reflect new commands.
  * change url display name
  * add integration to conf.json
  * revert conf.json changes.
  ---------
  Co-authored-by: Danny_Fried <[email protected]>
* update conf.json
* bump docker image.
---------
Co-authored-by: ahopstetter-sce <[email protected]>
Co-authored-by: Danny_Fried <[email protected]>
Description
This is a new XSOAR content-pack contribution containing the XSOAR commands necessary to interact with the Proofpoint ThreatProtection API.