Incoming feed - Proofpoint Email Brand Defense


This procedure describes how to configure incoming feeds for a particular feed data source, transport type, or content type.
For more information about configuring common options shared across all incoming feeds, see Configure incoming feeds general options.



Specifications

Transport type

Proofpoint Email Brand Defense threat API

Content type

Proofpoint Message

Ingested data

Domain names, IP addresses, IDS rules (firewall rules, blocklists), and Snort rules (Suricata-compatible).

Processed data

Indicators and observables focusing on email threats such as phishing, spoofing, email malware, and impostor email/fraudulent messages.

Description

Retrieve and process information on email threats such as phishing, spoofing, and email malware.

Requirements

Users need an API key for their own configuration. Sign up and subscribe to the service to obtain the required API key credentials.

Configure the incoming feed

  1. Create or edit an incoming feed.

  2. From the Transport type drop-down menu, select Proofpoint Email Brand Defense threat API.

  3. From the Content type drop-down menu, select Proofpoint Message.

  4. In the API key field, enter your Proofpoint API key.

  5. The API URL field is automatically filled in with the default domain for the endpoint.
    You can add a proxy or set up ports according to your needs.
    Default value: https://api.emaildefense.proofpoint.com/v1.

  6. In the Likely impact threshold (low) field, enter an integer value used to assess the maliciousness confidence level of processed email threats.
    This value sets the minimum maliciousness confidence value at which a potential email threat is flagged as somewhat likely to be malicious.
    The low threshold value must be smaller than the high threshold value.

    • Enter a value between 0 and 100.

    • Default value: 60.

  7. In the Likely impact threshold (high) field, enter an integer value used to assess the maliciousness confidence level of processed email threats.
    This value sets the minimum maliciousness confidence value at which a potential email threat is flagged as very likely to be malicious.
    The high threshold value must be larger than the low threshold value.

    • Enter a value between 0 and 100.

    • Default value: 90.

  8. Click the Start ingesting from field, and use the drop-down calendar to select an initial date and, where available, an initial time. The feed fetches content from the intelligence provider/data source starting from that date in the past.
    By default, the maximum number of days in the past per query/request is 60.

  9. In the Domain field, enter a domain name to retrieve information on fraudulent email messages sent on behalf of the specified domain.
    Returned data includes, when available, the brand a spoofing message uses to trick users, the message subject line, source IP address, source host name, and source email address, as well as any MD5 file hashes, if the malicious email contains attachments.
    If you do not specify a domain name, the feed retrieves a list of the most relevant threats, based on your Proofpoint Email Fraud Defense subscription and account preferences.
    This list contains the most relevant fraudulent messages reported in the previous 7 days.

  10. To store your changes, click Save; to discard them, click Cancel.

About impact thresholds

  • Ingested observables with a likely impact value lower than the one you set in Likely impact threshold (low) are automatically flagged as Malicious - Low confidence.

  • Ingested observables with a likely impact value higher than the low threshold and lower than the high threshold are automatically flagged as Malicious - Medium confidence.

  • Ingested observables with a likely impact value higher than the one you set in Likely impact threshold (high) are automatically flagged as Malicious - High confidence.

You can use the impact threshold values to automatically filter ingested feed data, and to instrument external systems and devices, such as a SIEM, to execute follow-up actions.
For example, add all email addresses flagged as Malicious - High confidence to a blocklist, or route all ingested Snort rules with a high maliciousness confidence to a Snort instance to trigger rule-driven actions.
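The threshold rules from steps 6 and 7 and the bullets above, together with the blocklist/Snort routing just described, as an added Python example. This is not code from this page, the EclecticIQ platform, or Proofpoint: the `likely_impact` field name, the sample observables, and the routing rules are assumptions and constructed data, chosen only to exercise the three confidence bands and the validation the form enforces (integers from 0 to 100, low strictly below high).

```python
"""Likely-impact classification for Proofpoint Email Brand Defense observables.

Added illustration of the threshold logic this page describes; it is not
EclecticIQ platform code or Proofpoint code. The `likely_impact` field name,
the observable records and the routing rules below are assumptions and
constructed data.
"""

LOW_CONFIDENCE = "Malicious - Low confidence"
MEDIUM_CONFIDENCE = "Malicious - Medium confidence"
HIGH_CONFIDENCE = "Malicious - High confidence"


def validate_thresholds(low: int, high: int) -> None:
    """Enforce the constraints the feed form states: integers 0..100, low < high."""
    for name, value in (("low", low), ("high", high)):
        if isinstance(value, bool) or not isinstance(value, int) or not 0 <= value <= 100:
            raise ValueError(f"{name} threshold must be an integer between 0 and 100, got {value!r}")
    if low >= high:
        raise ValueError(f"low threshold ({low}) must be smaller than high threshold ({high})")


def classify(likely_impact: int, low: int = 60, high: int = 90) -> str:
    """Map a likely-impact score to a maliciousness confidence label.

    Strictly below `low` -> Low, strictly above `high` -> High, everything in
    between -> Medium. The page does not say how a score exactly equal to a
    threshold is treated; treating it as Medium is an assumption made here.
    """
    validate_thresholds(low, high)
    if not 0 <= likely_impact <= 100:
        raise ValueError(f"likely impact must be between 0 and 100, got {likely_impact!r}")
    if likely_impact < low:
        return LOW_CONFIDENCE
    if likely_impact > high:
        return HIGH_CONFIDENCE
    return MEDIUM_CONFIDENCE


# Constructed sample observables standing in for processed feed output.
# Values use reserved example ranges (RFC 5737 / RFC 2606), so nothing here
# refers to a real host; the Snort rule is a harmless placeholder.
SAMPLE_OBSERVABLES = [
    {"type": "email-address", "value": "billing@example.com", "likely_impact": 95},
    {"type": "email-address", "value": "noreply@example.org", "likely_impact": 75},
    {"type": "ipv4", "value": "192.0.2.10", "likely_impact": 72},
    {"type": "domain", "value": "example.net", "likely_impact": 40},
    {"type": "hash-md5", "value": "d41d8cd98f00b204e9800998ecf8427e", "likely_impact": 90},
    {"type": "snort",
     "value": 'alert tcp any any -> any 25 (msg:"constructed example"; sid:1000001; rev:1;)',
     "likely_impact": 93},
]


def route(observables, low: int = 60, high: int = 90) -> dict:
    """Apply the page's two follow-up actions: high-confidence email addresses
    go to a blocklist, high-confidence Snort rules go to a Snort/Suricata
    instance; everything else is returned with its label for analyst review."""
    result = {"blocklist": [], "snort_rules": [], "review": []}
    for obs in observables:
        label = classify(obs["likely_impact"], low, high)
        if label == HIGH_CONFIDENCE and obs["type"] == "email-address":
            result["blocklist"].append(obs["value"])
        elif label == HIGH_CONFIDENCE and obs["type"] == "snort":
            result["snort_rules"].append(obs["value"])
        else:
            result["review"].append((obs["type"], obs["value"], label))
    return result


if __name__ == "__main__":
    routed = route(SAMPLE_OBSERVABLES)
    print("blocklist:", routed["blocklist"])
    print("snort rules forwarded:", len(routed["snort_rules"]))
    for item in routed["review"]:
        print("review:", item)
```

With the default thresholds (60 and 90), `billing@example.com` at 95 lands on the blocklist and the Snort rule at 93 is forwarded, while the MD5 hash at exactly 90 stays Medium under the boundary assumption noted in `classify`. If your platform treats boundary values differently, adjust the two comparisons in `classify` and keep the validation in `validate_thresholds`, which is the part that matters most: a low threshold set equal to or above the high threshold would silently collapse the Medium band.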

See also