I still don’t see how there is a way to handle new PP TAP alerts. The plugin has no triggers.
The closest thing I see is Parse Alert, but that isn’t clear to me yet.
We have had to resort to regex parsing the emails it sends.
Would love to have a trigger, but I don’t know if the api supports this.
1 Like
You would use the Get All Threats action.
Proofpoint not Rapid7 has a restriction that it can only be a search for a 1 hour period of time.
So you would need some logic that gets current time, and searches back 1 hour. Use the Timer Trigger and set it for an hour.
It isn’t ideal, but that is how you can currently do this.
2 Likes
I was in the middle of another issue when I first responded. I wanted to circle back and provide more context.
I don’t personally monitor anything that runs on a timer trigger regularly, but I have seen discussions indicating that it isn’t always precise. Setting it to run exactly every hour may not consistently trigger at the expected intervals.
To mitigate this, you could schedule it to run every 45 minutes while still searching back 1 hour. This should help ensure you capture all relevant data without gaps.
To avoid processing the same incident multiple times, you could utilize a Global Artifact (GA). The most efficient approach will depend on your setup, but the key steps would be:
- Capture the events and store relevant data in the GA.
- Check against the GA before taking action on any event.
For storing threat IDs efficiently, rather than adding each entry as an individual line item (which would require looping through them), you could:
- Use JQ to extract only the Threat IDs from your received object.
- Store them as a comma-separated string for that hour’s data.
- On the next run, retrieve this string, convert it to an array, and use the type converter to perform a difference comparison against new threat IDs.
This approach ensures that you only act on new threat IDs while avoiding unnecessary lookups and improving efficiency.
Whatever route you go, if you get it working I would love to see the finished product. Good luck.