Targeted Attack Protection (TAP) provides alerting and tracking of user mailbox threats. TAP supports authenticated API access to alert, campaign and forensic detail.
Proofpoint Threat Response (PTR) Auto-Pull (TRAP) leverages the TAP APIs to manage alerts and provides many options for remediation. In addition to extensive built-in functionality (e.g. TRAP), PTR also provides a REST API.
For this use case we will only be discussing Auto-Pull and the PTR API.
Auto-Pull will be used to move malicious emails from recipients' mailboxes to a quarantine in a secured mailbox. PTR quarantines the original email, any forwarded copies, and every copy delivered to Distribution List members.
Additional details regarding TRAP installation and configuration can be found in the Threat Response portal, which is accessible directly from the PTR console, or via the link below: https://ptr-docs.proofpoint.com/ptr-guides/ptr-about/.
In addition to Auto-Pull, PTR can be configured to automatically add users to a "List". Members of a list can be retrieved with an authenticated HTTPS GET request to the PTR REST API, and removed with an authenticated DELETE request. Additional detail regarding the PTR API can be accessed via the PTR Portal from a licensed PTR Console.
Windows Task Scheduler is used to execute a PowerShell script every n minutes. The script uses a GET request to retrieve all members of the configured list, matches each member against AD users, and verifies that the AD user meets the requirements; the requirement check is the place to exclude service and privileged accounts from an automatic reset. Validated AD users are forced to change their password at next logon, and a DELETE request then removes each user from the configured list.
Script logs are stored in a configured path on the host running the scheduled task. Updates are also shown in the PTR Console.
Link to the script
Threat Response gives you the ability to automate list management. Lists can be updated with content from any alert source. Members can be added for a length of time between 1 hour and forever.
Threat Response List types:
Using some simple scripts you can leverage list membership to remediate compromised accounts. This project introduces retrieving data in JSON format from a REST API.
No defense can stop every attack. When something does get through, Proofpoint Threat Response takes the manual labor and guesswork out of incident response to help you resolve threats faster and more efficiently. Get an actionable view of threats, enrich alerts, and automate forensic collection and comparison. For verified threats, quarantine and contain users, hosts, and malicious email attachments—automatically or at the push of a button.
What is a REST API (from Wikipedia)?
Representational State Transfer (REST) is an architectural style that defines a set of constraints to be used for creating web services. Web Services that conform to the REST architectural style, or RESTful web services, provide interoperability between computer systems on the Internet. REST-compliant web services allow the requesting systems to access and manipulate textual representations of web resources by using a uniform and predefined set of stateless operations. Other kinds of web services, such as SOAP web services, expose their own arbitrary sets of operations.[1]
Blah, blah, blah. That is a great definition but too much information.
A REST API provides a standard way to GET (read), POST (create), PUT (update) or DELETE data at a URL over HTTP. That's it, just those four things.
Now you know everything a REST API can do. The only pieces you need to worry about are the URL of the application, whether the application requires authentication, and the format in which data is exchanged.
For this section we will be using Proofpoint Threat Response as our sample application and JSON as the data format. Threat Response does require authentication, so pay attention to the API key sections of the scripts. Treat the key like a password: keep it out of shared script files and restrict who can read the host the scripts run on.
There are three iterations of the script with comments.
The Three Scripts:
ptr-get-list-members-basic.py : uses no authentication and shows how to resolve the Secure Request Warning
ptr-get-list-members-with-auth.py : adds the authentication header that carries the API key
ptr-get-list-members.py : moves the settings into variables and adds comments
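The following is an added example, not one of the three scripts above or the PowerShell job described earlier. It puts both pieces of this page together in Python: an authenticated GET of the list members and a DELETE of each remediated member (the part the three scripts build up to), and the validate-then-force-reset loop the scheduled task performs. The endpoint paths, the `Authorization` header name and the member JSON shape (`id`, `value`) are assumptions and must be taken from the PTR API guide in the PTR portal; `AD_USERS` is a constructed stand-in for the AD lookup, and `FakePtr` is a constructed local server so the example runs offline. Instead of silencing the insecure-request warning, the client trusts the PTR server's own CA through `cafile`.

```python
import json, ssl, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed endpoint shapes; take the real paths from the PTR API guide in the portal.
MEMBERS_PATH = "/api/lists/{list_id}/members.json"
MEMBER_PATH = "/api/lists/{list_id}/members/{member_id}.json"

class PtrClient:
    # Minimal authenticated GET/DELETE client for the PTR list API.
    def __init__(self, base_url, api_key, cafile=None):
        self.base_url = base_url.rstrip("/")
        self.api_key = api_key
        # Trust the PTR server's CA rather than disabling verification (the usual
        # "fix" for the insecure-request warning on a self-signed certificate).
        self.ctx = (ssl.create_default_context(cafile=cafile)
                    if self.base_url.startswith("https") else None)

    def _call(self, method, path):
        req = urllib.request.Request(self.base_url + path, method=method)
        req.add_header("Authorization", self.api_key)  # header name is an assumption
        req.add_header("Accept", "application/json")
        with urllib.request.urlopen(req, timeout=10, context=self.ctx) as resp:
            body = resp.read()
        return json.loads(body) if body else None

    def get_members(self, list_id):
        return self._call("GET", MEMBERS_PATH.format(list_id=list_id))

    def delete_member(self, list_id, member_id):
        self._call("DELETE", MEMBER_PATH.format(list_id=list_id, member_id=member_id))

# Constructed stand-in for the AD lookup: sAMAccountName -> attributes checked before a reset.
AD_USERS = {
    "alice": {"enabled": True, "privileged": False},
    "svc-backup": {"enabled": True, "privileged": True},  # never auto-reset
    "mallory": {"enabled": False, "privileged": False},   # already disabled
}

def meets_requirements(account):
    user = AD_USERS.get(account)
    return user is not None and user["enabled"] and not user["privileged"]

def remediate(client, list_id, force_reset):
    # Reset and delist validated members; leave the rest listed for an analyst.
    handled, skipped = [], []
    for member in client.get_members(list_id):
        account = member["value"].split("@")[0].lower()  # assumed: value is an address
        if meets_requirements(account):
            force_reset(account)  # real job: set "change password at next logon"
            client.delete_member(list_id, member["id"])
            handled.append(account)
        else:
            skipped.append(account)
    return handled, skipped

class FakePtr(BaseHTTPRequestHandler):
    # Constructed local stand-in for the PTR server so the example runs offline.
    api_key = "test-key"
    members = []

    def _respond(self, code, body=b""):
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        if self.headers.get("Authorization") != self.api_key:
            return self._respond(401)
        self._respond(200, json.dumps(FakePtr.members).encode())

    def do_DELETE(self):
        if self.headers.get("Authorization") != self.api_key:
            return self._respond(401)
        member_id = int(self.path.rsplit("/", 1)[1].split(".")[0])
        FakePtr.members = [m for m in FakePtr.members if m["id"] != member_id]
        self._respond(204)

    def log_message(self, *args):
        pass

def run_demo(api_key="test-key"):
    # One poll cycle against the fake server; returns what happened so it can be checked.
    FakePtr.members = [{"id": 1, "value": "Alice@example.com"},
                       {"id": 2, "value": "svc-backup@example.com"},
                       {"id": 3, "value": "mallory@example.com"}]
    server = HTTPServer(("127.0.0.1", 0), FakePtr)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    resets = []
    try:
        client = PtrClient("http://127.0.0.1:%d" % server.server_address[1], api_key)
        handled, skipped = remediate(client, 7, resets.append)
        result = {"status": "ok", "handled": handled, "skipped": skipped}
    except urllib.error.HTTPError as err:
        result = {"status": "http %d" % err.code, "handled": [], "skipped": []}
    finally:
        server.shutdown()
        server.server_close()
    result["remaining"] = [m["id"] for m in FakePtr.members]
    return result
```

Calling `run_demo()` polls the fake list once: `alice` passes the requirement check, is reset and removed, while the privileged service account and the already-disabled account are skipped and stay on the list for an analyst to look at. Calling `run_demo(api_key="wrong-key")` shows the other failure mode: the first request is rejected with 401 and nothing is changed. Against a real PTR server, replace the fake with `PtrClient("https://ptr.example.com", key, cafile="ptr-ca.pem")` and pass a `force_reset` that performs the AD change.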