Welcome to my journey of continuous discovery. Enjoy your visit.

Ugli Scripting
  • Home
  • Blog
  • .PY
    • Python 2.7 on Windows
    • Python 2.7 on Ubuntu
    • Python 2.7 IDE Set up
    • Run Python Script via CLI
    • Adding Python Packages
    • Basic REST API
  • .PS1
    • Install AD Module Win 10
    • Connecting to MSO and EOP
    • Storing Script Variables
    • Storing Secure Strings
    • Storing User Credentials
    • Basic REST API
  • Sample Integrations
    • Isolate SEP Clients
    • Force Password Change
    • o365 Account Remediation
    • Threat Response Lists
    • Endpoint Scripts
  • SITQ Lab
    • Lab Resources
    • AD Lab Account Imports
    • DLP Sample

Force Password Change

Solution Summary

Targeted Attack Protection (TAP) provides alerting and tracking of user mailbox threats. TAP supports authenticated API access to alert, campaign and forensic detail.

Proofpoint Threat Response (PTR) Auto-Pull (TRAP) leverages the TAP APIs to manage alerts and provides many options for remediation. In addition to extensive built-in functionality (e.g. TRAP), PTR also provides a REST API.


For this use case we will only be discussing Auto-Pull and the PTR API.

Auto-Pull will be used to move malicious emails from recipients' mailboxes to a quarantine in a secured mailbox. PTR quarantines the original email, any forwarded copies and every copy delivered to distribution list members.


Additional details regarding TRAP installation and configuration can be found in the Threat Response portal, which is accessible directly from the PTR console, or via the link below: https://ptr-docs.proofpoint.com/ptr-guides/ptr-about/.


In addition to Auto-Pull, PTR can be configured to automatically add users to a "List". Members of a list can be retrieved with an authenticated REST API GET request to the PTR server over HTTPS, and removed with a DELETE request. Additional detail regarding the PTR API can be accessed via the PTR portal from a licensed PTR console.


Windows Task Scheduler is used to execute a PowerShell script every n minutes. The script uses a GET request to retrieve all members of the configured list, matches each account against AD users and verifies that the AD user meets the script's requirements. Validated AD users are forced to change their password at next logon. A DELETE request then removes the user from the configured list.


Script logs are written to a configured path on the host running the scheduled task. Updates are also shown in the PTR console.
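To make the decision logic of that loop concrete, here is an added example. It is not the site's ptr-change-password-atlogon.ps1, and it is written in Python rather than PowerShell so the logic can be run offline; in production the `ptr` object would wrap the PTR list GET/DELETE calls and the `directory` object would wrap AD (for instance by running `Set-ADUser -ChangePasswordAtLogon $true`, or setting `pwdLastSet` to 0 over LDAP). Both objects, the sample users and list entries, and the PROTECTED_GROUPS policy are constructed assumptions. The ordering is the point: a member is deleted from the list only after the directory change succeeded, so a transient AD failure leaves the user on the list for the next scheduled run.

```python
"""Remediation loop for a Threat Response "force password change" list.

Added example, not the site's ptr-change-password-atlogon.ps1; written in
Python rather than PowerShell so the decision logic runs offline. The PTR
list and the directory are injected objects: in production 'ptr' wraps the
list GET/DELETE calls and 'directory' wraps AD (e.g. Set-ADUser
-ChangePasswordAtLogon $true, or pwdLastSet=0 over LDAP). Here both are
constructed fakes, and PROTECTED_GROUPS is an assumed local policy.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class AdUser:
    sam: str
    upn: str
    enabled: bool
    groups: List[str] = field(default_factory=list)
    must_change_password: bool = False


# Accounts that must never be auto-remediated: a forced change on a
# break-glass or service account is an easy way to lock yourself out.
PROTECTED_GROUPS = {"Domain Admins", "Service Accounts"}


def validate(user: Optional[AdUser]) -> Optional[str]:
    """Return None if the user may be remediated, else the reason to skip."""
    if user is None:
        return "no matching AD user"
    if not user.enabled:
        return "account disabled"
    if PROTECTED_GROUPS & set(user.groups):
        return "protected group member, needs manual review"
    return None


def remediate(ptr, directory, log: List[str]) -> Dict[str, List[str]]:
    """One scheduled run: validate every list member, force the change,
    then (and only then) drop the member from the list."""
    result: Dict[str, List[str]] = {"changed": [], "skipped": [], "failed": []}
    for member in ptr.get_members():              # {"id": ..., "member": "<email>"}
        email = member["member"].lower()
        user = directory.find_by_upn(email)
        reason = validate(user)
        if reason:
            # Stay on the list so the skip remains visible in the PTR console
            # until an analyst clears it or the entry expires.
            log.append(f"SKIP {email}: {reason}")
            result["skipped"].append(email)
            continue
        try:
            directory.force_password_change(user.sam)
        except Exception as exc:                  # AD unreachable, access denied...
            log.append(f"FAIL {email}: {exc}")
            result["failed"].append(email)
            continue                              # stays on the list, retried next run
        ptr.delete_member(member["id"])           # only after AD confirmed the change
        log.append(f"DONE {email}: ChangePasswordAtLogon set, removed from list")
        result["changed"].append(email)
    return result


class FakeDirectory:
    """Constructed stand-in for the AD lookup and update calls."""
    def __init__(self, users: List[AdUser]):
        self._by_upn = {u.upn.lower(): u for u in users}
        self.unreachable = False

    def find_by_upn(self, upn: str) -> Optional[AdUser]:
        return self._by_upn.get(upn.lower())

    def force_password_change(self, sam: str) -> None:
        if self.unreachable:
            raise ConnectionError("LDAP server is down")
        next(u for u in self._by_upn.values() if u.sam == sam).must_change_password = True


class FakePtrList:
    """Constructed stand-in for the PTR list GET/DELETE endpoints."""
    def __init__(self, members: List[dict]):
        self.members = list(members)

    def get_members(self) -> List[dict]:
        return list(self.members)

    def delete_member(self, member_id: int) -> None:
        self.members = [m for m in self.members if m["id"] != member_id]


def sample() -> Tuple[FakePtrList, FakeDirectory]:
    """Constructed sample data: four list entries, three AD accounts."""
    directory = FakeDirectory([
        AdUser("alice", "alice@example.com", True, ["Domain Users"]),
        AdUser("svc-backup", "svc-backup@example.com", True, ["Service Accounts"]),
        AdUser("carol", "carol@example.com", False),
    ])
    ptr = FakePtrList([
        {"id": 1, "member": "Alice@example.com"},
        {"id": 2, "member": "svc-backup@example.com"},
        {"id": 3, "member": "carol@example.com"},
        {"id": 4, "member": "nobody@example.com"},
    ])
    return ptr, directory


if __name__ == "__main__":
    ptr, directory = sample()
    log: List[str] = []
    print(remediate(ptr, directory, log))
    print("\n".join(log))
```

Running it against the constructed sample forces the change for alice only; the service account, the disabled account and the address with no AD match are logged as skips and left on the list, and if the directory is unreachable the alice entry also stays on the list for the next run rather than being silently dropped.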


Link to the script

ptr-change-password-atlogon.ps1

ugli_PTR_ChangePasswordAtLogon_v1 (pdf)

Threat Response Lists

List Management

Threat Response gives you the ability to automate list management. Lists can be updated with content from any alert source. Members can be added for a length of time between one hour and forever.


Threat Response List types:

  • Host
  • URL
  • User
  • File
  • Allow Lists


Using some simple scripts you can leverage list membership to remediate compromised accounts. This project will introduce retrieving data in JSON format using a REST API.

Learn More

No defense can stop every attack. When something does get through, Proofpoint Threat Response takes the manual labor and guesswork out of incident response to help you resolve threats faster and more efficiently. Get an actionable view of threats, enrich alerts, and automate forensic collection and comparison. For verified threats, quarantine and contain users, hosts, and malicious email attachments—automatically or at the push of a button.

Product Website

Accessing List Members

Using Python 'requests' and JSON

What is a REST API (from Wikipedia)?


Representational State Transfer (REST) is an architectural style that defines a set of constraints to be used for creating web services. Web Services that conform to the REST architectural style, or RESTful web services, provide interoperability between computer systems on the Internet. REST-compliant web services allow the requesting systems to access and manipulate textual representations of web resources by using a uniform and predefined set of stateless operations. Other kinds of web services, such as SOAP web services, expose their own arbitrary sets of operations.[1]


Blah, blah, blah. That is a great definition but too much information.


A REST API provides a standard way to GET (read), POST (create), PUT (update) or DELETE data from or to an application using a URL. For integration work like this, those four verbs are all you need.


Now you know everything a REST API can do. The only pieces you need to worry about are the URL of the application, whether the application requires authentication, and in what format the data is exchanged.


For this section we will be using Proofpoint Threat Response as our sample application and the JSON format. Threat Response does require authentication, so pay attention to the application key sections of the scripts.


There are three iterations of the script with comments.


The Three Scripts:


ptr-get-list-members-basic.py : uses no authentication and shows how to deal with the InsecureRequestWarning that requests raises when certificate verification is turned off (verify=False). Silencing the warning removes the message, not the risk: with verification off anyone on the network path can impersonate the PTR server, so use that only in the lab and trust the CA that issued the PTR certificate in production.

ptr-get-list-members-with-auth.py : adds authentication header to use API keys

ptr-get-list-members.py : allows variables and includes comments

Link to GitHub Repo
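As an added example of what the three scripts build up to (it is not the site's ptr-get-list-members*.py code, and it also covers the GET and DELETE calls the Force Password Change script makes), here is an authenticated list-member fetch and removal with the requests library. The endpoint paths and the "Authorization" header name are assumptions, not taken from the page; confirm them against the API reference in your PTR portal. The FakeSession and the sample JSON payload are constructed so the parsing, error handling and URL building can be run offline without a PTR server.

```python
"""Fetch and remove Proofpoint Threat Response list members with requests.

Added example, not the site's ptr-get-list-members*.py scripts.
Assumed (not taken from the page): the endpoints
    GET    https://<ptr>/api/lists/<list_id>/members.json
    DELETE https://<ptr>/api/lists/<list_id>/members/<member_id>.json
and an "Authorization" header carrying the API key. Confirm both against
the API reference in your PTR portal before use.
"""
import json
from typing import Any, Dict, List, Optional

# Constructed sample payload: a JSON array of list-member objects.
SAMPLE_MEMBERS_JSON = json.dumps([
    {"id": 101, "member": "alice@example.com", "expiration": "2018-06-01T12:00:00Z"},
    {"id": 102, "member": "bob@example.com", "expiration": None},
])


def build_session(api_key: str, ca_bundle: Optional[str] = None):
    """Return a requests.Session carrying the API key and TLS settings.

    Only this function needs the third-party 'requests' package; everything
    below works with any object offering get()/delete() (see FakeSession).
    """
    import requests  # pip install requests

    session = requests.Session()
    session.headers.update({"Authorization": api_key,       # assumed header name
                            "Accept": "application/json"})
    # The "basic" script silences InsecureRequestWarning with verify=False.
    # That disables certificate checking, so anyone on the path can pose as
    # the PTR server and read the API key. Instead give requests the PEM
    # bundle of the CA that issued the PTR certificate.
    if ca_bundle:
        session.verify = ca_bundle
    return session


def member_url(base_url: str, list_id: int, member_id: Optional[int] = None) -> str:
    path = f"{base_url.rstrip('/')}/api/lists/{list_id}/members"
    return f"{path}/{member_id}.json" if member_id is not None else f"{path}.json"


def get_list_members(session, base_url: str, list_id: int) -> List[Dict[str, Any]]:
    resp = session.get(member_url(base_url, list_id), timeout=30)
    resp.raise_for_status()  # 401/403 here: key or header name is wrong
    data = resp.json()
    if not isinstance(data, list):
        raise ValueError(f"expected a JSON array, got {type(data).__name__}")
    return data


def delete_list_member(session, base_url: str, list_id: int, member_id: int) -> bool:
    """Return True if removed, False if the entry was already gone."""
    resp = session.delete(member_url(base_url, list_id, member_id), timeout=30)
    if resp.status_code == 404:  # expired or cleared in the console meanwhile
        return False
    resp.raise_for_status()
    return True


class FakeResponse:
    """Minimal stand-in for requests.Response used by FakeSession."""
    def __init__(self, status_code: int, body: str = "[]"):
        self.status_code, self._body = status_code, body

    def json(self):
        return json.loads(self._body)

    def raise_for_status(self):
        if self.status_code >= 400:
            raise RuntimeError(f"HTTP {self.status_code}")


class FakeSession:
    """Offline stand-in for requests.Session serving the constructed sample."""
    def __init__(self, api_key: Optional[str] = "test-key"):
        self.headers = {"Authorization": api_key} if api_key else {}
        self.deleted: List[int] = []

    def get(self, url, timeout=None):
        if "Authorization" not in self.headers:
            return FakeResponse(401)          # PTR rejects unauthenticated calls
        return FakeResponse(200, SAMPLE_MEMBERS_JSON)

    def delete(self, url, timeout=None):
        member_id = int(url.rsplit("/", 1)[1].split(".")[0])
        if member_id in self.deleted:
            return FakeResponse(404)
        self.deleted.append(member_id)
        return FakeResponse(200)


def demo(session=None, base_url="https://ptr.example.com", list_id=7):
    """Pull the members of one list and remove the first one."""
    session = session or FakeSession()
    members = get_list_members(session, base_url, list_id)
    addresses = [m["member"] for m in members]
    removed = delete_list_member(session, base_url, list_id, members[0]["id"])
    return addresses, removed


if __name__ == "__main__":
    print(demo())  # offline run against the fake
    # Real run: demo(build_session("<api key>", "/etc/ssl/ptr-ca.pem"), "https://ptr.corp.example")
```

The session object is passed in rather than created inside the functions, which is what makes the offline run possible and also keeps the API key out of the request code itself: load it from a protected file or credential store in the caller, never hard-code it in the script that Task Scheduler runs.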

Copyright © 2018 Ugli Scripting - All Rights Reserved.
