Enricher - Proofpoint Email Threat#

Note

This article describes how to configure a particular enrichment source. To see how to configure enrichers in general, see Configure enrichers.

Specifications

Enricher name

Proofpoint Email Threat

Input

Domain, email-subject, hash-md5, ipv4, and uri.

Output

Enriches supported observables and entities with information on email threats. Generates email threat indicators containing observables that represent the ingested data, as well as relationships between the enriched entities and the enrichment data. The output includes, when available, the brand a spoofing message uses to trick users, the message subject line, source IP address, source host name, and source email address, as well as any MD5 file hashes, if the malicious email contains attachments.

API endpoint

https://api.emaildefense.proofpoint.com/v1

Description

The Proofpoint Email Threat enricher uses input data such as email subjects, domain names, hashes, and IP addresses to return information on email threats such as phishing, spoofing, and email malware. The ingested Proofpoint data is stored to the platform as email threat indicators.

Requirements#

Users need an API key for their own configuration. Sign up and subscribe to the service to obtain the required API key credentials to access the API endpoint exposing the service.

Configure the enricher parameters#

  1. Edit the enricher.

  2. From the Observable types drop-down menu, select one or more observable types you want to enrich with data retrieved through the Proofpoint Email Threat enricher.

  3. The API URL field is automatically filled in with the default domain for the endpoint.
    You can add a proxy or set up ports according to your needs.
    Default value: https://api.emaildefense.proofpoint.com/v1.

  4. In the API key field, enter your API key.

  5. In the Likely impact threshold (low) field, enter an integer value between 0 and 100 to assess the maliciousness confidence level of detected email threats.
    This value sets the minimum maliciousness confidence value to flag a potential email threat as somewhat likely to be malicious.
    The lower threshold value needs to be smaller than the highest threshold value.

    • Default value: 60.

  6. In the Likely impact threshold (high) field, enter an integer value between 0 and 100 to assess the maliciousness confidence level of detected email threats.
    This value sets the minimum maliciousness confidence value to flag a potential email threat as very likely to be malicious.
    The higher threshold value needs to be bigger than the lower threshold value.

    • Default value: 90.

  7. To store your changes, click Save; to discard them, click Cancel.