Proofpoint with VMware Carbon Black Cloud

Proofpoint TAP

This is an integration between Proofpoint TAP and VMware Carbon Black Cloud (CBC). Depending on the configuration of Proofpoint TAP, users are able to access attachments while they're being analyzed by Proofpoint. If the attachment is found to be malicious, Proofpoint TRAP can remove the email from all corporate inboxes, however, if the attachment was downloaded prior to the email being deleted, the malicious file could still be present in the environment on end-user machines.

This integration will pull all email deliveries from x minutes ago (configurable, allows time for detonation, default 30) from Proofpoint TAP. For each attachment collected from Proofpoint, Carbon Black Cloud will search for any processes that match the malicious attachments' SHA256 hash value for a preset, custom time frame (up to 2 weeks). The process GUID's are stored in a local database to prevent duplication in searches and minimize API queries. Once the processes have been identified, the script will take action.

Action options consist of:

  • Adding to a CBC Enterprise EDR Watchlist Feed
  • Passing the SHA256, process information, and email information to a webhook
  • Running a script (stops process/deletes file with CBC Live Response by default)
  • Isolating the endpoint
  • Moving the endpoint into a different or updated policy

 

 

How it Works

This is a flow diagram of how the integrations is designed:

Diagram</p>
<p>Description automatically generated with medium confidence

 

Key Benefits

  • Detect and stop advanced email threats
  • Achieve multi-layered threat protection
  • Secure organizations endpoints and data against sophisticated malware and malware-free attacks

 

Requirements

  • Carbon Black Cloud Enterprise EDR
  • Proofpoint TAP
  • Python 3.x

Support

This is an open source, community supported integration posted to our community GitHub repo. Any issues should be submitted as an issue in GitHub, not a support ticket.

Enterprise EDR and Proofpoint Emerging Threats

This integration connects VMware Carbon Black Cloud Enterprise EDR with Proofpoint ET Intelligence Reputation List to provide visibility into the latest threats through a filterable Watchlist in the Carbon Black Cloud console. Using the command line arguments, a category (or feed) of IOCs from Proofpoint ET Intelligence Reputation List is pushed to a Watchlist in the Carbon Black Cloud. This Watchlist can be organized, filtered and alerted on based on severity and IOC type (IP or domain), and includes descriptions and tags for each IOC.

 

Requirements

  • Carbon Black Cloud Enterprise EDR
  • Proofpoint Emerging Threats
  • Python 3.x

Support

This is an open source, community supported integration posted to our community GitHub repo. Any issues should be submitted as an issue in GitHub, not a support ticket.

Summary and Additional Resources

For more information, visit the Github repo for the the integrations below.

 

Additional Resources

For more information about Proofpoint and Carbon Black Cloud, you can explore the following resources or select More on this page for access to downloadable content.

More

Changelog

The following updates were made to this guide:

Date

Description of Changes

2021/12/01

  • Guide was published.

Feedback

Your feedback is valuable.

To comment on this paper, contact VMware Security Business Unit Technical Marketing at SBU_tech_content_feedback@vmware.com .

 

 

Associated Content

From the action bar MORE button.

Filter Tags

VMware Carbon Black Cloud Enterprise EDR Proofpoint Document API and Integration Advanced Integrate