Threat Response - Release Notes
This section presents how Threat Response is being developed over time. For each release, we list major and minor improvements as well as providing descriptions of all features and fixed bugs.
Upgrade Process Recommendations
As with any software upgrade, it is recommended that a full system backup be created in the Appliance Management Console. This backup, as well as an export of the Master Secret, should be downloaded and stored in a secure location.
The following information outlines the process for upgrading:
- to 5.0.0 and beyond from older versions, namely 3.x and 4.x: Upgrade to Threat Response 5.0.0,
- between 5.x versions: Upgrade Threat Response, and
- between older versions: Upgrade Threat Response.
If you encounter any issues (during or after the upgrade process), please open a support ticket here: https://proofpointcommunities.force.com.
Downloading Threat Response
PTR/TRAP 5.6.0 can be deployed on VMware or AWS:
- VMware deployments for PTR/TRAP 5.6.0 require a minimum of VMware ESXi 6.0.
- For AWS deployments, m5a.large is the minimum recommended EC2 instance type.
Note that you must be designated an Authorized Support Contact with Proofpoint to download these images. Please use your Proofpoint CTS credentials to access these downloaded images.
Recovering Proofpoint CTS Credentials
If you do not remember your Proofpoint CTS credentials, open the Reset Password page in the Proofpoint CTS portal and enter the email address you use to log in to the portal; you will then receive an email with further instructions.
- 5.6.0 OVA File (Fresh Installations and Upgrades from 3.x, 4.x) – Download OVA and SHA-256.
- 5.6.0 IMG File (Upgrades from 5.0.0 and above) – Download IMG and SHA-256
- 5.6.0 VHDX File (AWS AMI Installations) – Download VHDX and SHA-256.
5.6.0 - (August 2021)
Summary of 5.6.0 Release
PTR/TRAP 5.6.0 introduces significant enhancements to the processing of messages reported via the Abuse Mailbox Monitor / CLEAR as well as major database performance improvements related to processing and storing alert information.
The enhancements pertaining to alert processing for CLEAR should greatly benefit scenarios where several recipients are included in a single suspicious message reported by an end user. Consequently, an analyst will experience fewer alerts created per incident. This leads to better visibility of abuse message reporters and ultimately, it improves the overall system performance over time.
All customers who use PTR/TRAP for abuse mailbox monitoring with CLEAR are advised to upgrade to this version, thus improving the general stability and performance of PTR/TRAP.
CLEAR Enhancements
New Alert Model for Abuse Mailbox Monitor / CLEAR Source
This release introduces a new alert model for the Abuse Mailbox Monitor / CLEAR alert source whereby a single alert is created for each reporter of an abuse message irrespective of how many recipients there are on the “To” and “CC” lines of the message. This change departs from the previous system behavior where an alert was created for every recipient on the “To” and “CC” lines of a reported message.
The following scenarios illustrate how this change is beneficial to security analysts as well as the system.
Scenario | Previous Behavior | New Behavior – 5.6.0 |
---|---|---|
Identification of the Abuse Reporter | An alert created for every To/CC recipient made it difficult to identify who reported the message. | Only one alert is created. The Target or Recipient field denotes the reporter. |
Alerts for Legitimate Recipients | An alert was created for every To/CC recipient regardless of whether they were internal to the organization or not. | Only one alert is created per abuse reporter. None of the alerts denote an external recipient or email domain. |
Multiple Reports of the Same Abuse Message | Each abuse report created alerts for every To/CC recipient; for example, a message sent to 100 recipients and reported by two users would create 200 alerts. | Each abuse report creates one alert; for example, a message sent to 100 recipients and reported by two users will create two alerts. |
Peer Following of “To” and “CC” Recipients for Quarantine Actions
PTR/TRAP 5.6.0 introduces a new capability to quarantine copies of a message from the mailboxes of recipients on its “To” and “CC” lines as part of manual and automated response actions. This ensures that messages in need of remediation are also removed from those To/CC recipients.
Furthermore, a new checkbox option is visible for the Move Email to Quarantine response to enable Peer Following. Note that the checkbox appears in the automatic match condition response as well as the manual response within an incident.
Default Behavior: Move Email to Quarantine Response with Peer Following
For a manual response action, the new checkbox is enabled by default. Disable it if the message should not be quarantined for “To” and “CC” recipients.
Following an upgrade to 5.6.0, automatic match condition responses are defined as follows:
- Abuse Mailbox Monitor match conditions that include a quarantine response have the Peer Following option enabled by default; this maintains parity with previous behavior for quarantining message copies for “To” and “CC” recipients.
- Other sources, such as TAP and Smart Search, that include a quarantine response do not have the Peer Following option enabled by default; however, it can be enabled.
Database Indexes to Accelerate CLEAR Alert Processing
PTR/TRAP 5.6.0 adds various database indexes to accelerate the alert processing of Abuse Mailbox alerts. This should mitigate the effects of situations where large volumes of alerts overwhelm the alert processing queue and lead to alerts without incidents that cannot be accessed via the UI.
Bug Fixes
Error Exporting Reports to PDF
PTR/TRAP 5.6.0 addresses a bug that prevented a report from being exported to a PDF file, affecting versions 5.4.2, 5.5.0, and 5.5.1.
Abuse Mailbox Polling Failures Due to EWS API Request Failures (No Longer Require Restarts)
PTR/TRAP 5.6.0 handles EWS API request failures more gracefully: if an individual request fails because the EWS API does not respond, polling continues with subsequent alerts. This fix eliminates the need to reboot the system to recover it from a “jammed” state.
Vulnerability Fix Pertaining to Cross-Site Tracing (XST)
PTR/TRAP 5.6.0 addresses vulnerabilities related to Cross-Site Tracing (XST) attacks, which abuse the HTTP TRACE method.
Download Instructions
PTR/TRAP 5.6.0 can be deployed on VMware or AWS:
- VMware deployments for PTR/TRAP 5.6.0 require a minimum of VMware ESXi 6.0.
- For AWS deployments, m5a.large is the minimum recommended EC2 instance type.
Note that you must be designated an Authorized Support Contact with Proofpoint to download these images. Please use your Proofpoint CTS credentials to access these downloaded images.
Recovering Proofpoint CTS Credentials
If you do not remember your Proofpoint CTS credentials, open the Reset Password page in the Proofpoint CTS portal and enter the email address you use to log in to the portal; you will then receive an email with further instructions.
- 5.6.0 OVA File (Fresh Installations and Upgrades from 3.x, 4.x) – Download OVA and SHA-256.
- 5.6.0 IMG File (Upgrades from 5.0.0 and above) – Download IMG and SHA-256
- 5.6.0 VHDX File (AWS AMI Installations) – Download VHDX and SHA-256.
The API documentation for PTR/TRAP 5.6.0 can be found here.
Installation Instructions
Please refer to the PTR Installation Guide or TRAP Installation Guide for instructions concerning the installation of 5.5.0. There are a few changes in the following sections in both guides.
- The virtual machine requirements include a slightly bigger HDD for the base system.
- The required ports for network communication include new entries for clustered deployments.
- The initial configuration wizard consists of a different set of steps as compared to older versions.
Please refer to the PTR AWS Installation Guide for instructions concerning the installation of 5.6.0 on AWS.
Upgrade Instructions from versions older than 5.0.0
The upgrade process from a 3.x or a 4.x version requires a new virtual machine to be set up using the 5.6.0 OVA file. Data must be migrated from the older version of PTR/TRAP to 5.6.0. Refer to the Upgrade Guide for detailed instructions about upgrading an older version of PTR/TRAP to 5.6.0. The FAQ (Frequently Asked Questions) section contains answers to several common queries about the upgrade process.
VMware Deployments - Upgrade Instructions from 5.0.0 and above
Upgrading from PTR/TRAP 5.0.0 and above to 5.6.0 can be completed “in place” (on the appliance) using the IMG file. Refer to the Console Guide for instructions.
Warning
An issue in PTR/TRAP 5.0.0 prevents rolling back to 5.0.0 once the appliance has been upgraded to and is running 5.6.0. Take a VM snapshot before upgrading the appliance from 5.0.0 to 5.6.0.
AWS Deployments - Upgrade Instructions
The upgrade process for AWS deployments requires a new EC2 instance to be set up using the 5.6.0 VHDX file. Data must be migrated from the older version of PTR/TRAP to 5.6.0. Refer to the AMI Installation Guide for detailed instructions on deploying PTR/TRAP 5.6.0 on AWS.
5.5.1 - (May 2021)
Summary of 5.5.1 Release
PTR/TRAP 5.5.1 is a minor release that fixes a few defects affecting customers running version 5.5.0.
Bug Fixes
TAP Source Fails to Connect on Some Deployments
PTR/TRAP 5.5.1 fixes an issue that causes permanent connectivity failure with the TAP alert source for some PTR/TRAP deployments.
Failures to Deliver Email Notifications Based on Team-Assigned Match Conditions
PTR/TRAP 5.5.1 fixes an issue that caused failures to generate an email notification when a team is assigned to an incident, as part of a match condition.
Content Rules Included in Backup without Incident Data
PTR/TRAP 5.5.1 ensures that content rules are included with database backups without incident data.
Download Instructions
PTR/TRAP 5.5.1 can be deployed on VMware or AWS:
- VMware deployments for PTR/TRAP 5.5.1 require a minimum of VMware ESXi 6.0.
- For AWS deployments, m5a.large is the minimum recommended EC2 instance type.
Note that you must be designated an Authorized Support Contact with Proofpoint to download these images. Please use your Proofpoint CTS credentials to access these downloaded images.
Recovering Proofpoint CTS Credentials
If you do not remember your Proofpoint CTS credentials, open the Reset Password page in the Proofpoint CTS portal and enter the email address you use to log in to the portal; you will then receive an email with further instructions.
- 5.5.1 OVA File (Fresh Installations and Upgrades from 3.x, 4.x) – Download OVA and SHA-256.
- 5.5.1 IMG File (Upgrades from 5.0.0 and above) – Download IMG and SHA-256
- 5.5.1 VHDX File (AWS AMI Installations) – Download VHDX and SHA-256.
The API documentation for PTR/TRAP 5.5.1 can be found here.
Installation Instructions
Please refer to the PTR Installation Guide or TRAP Installation Guide for instructions concerning the installation of 5.5.0. There are a few changes in the following sections in both guides.
- The virtual machine requirements include a slightly bigger HDD for the base system.
- The required ports for network communication include new entries for clustered deployments.
- The initial configuration wizard consists of a different set of steps as compared to older versions.
Please refer to the PTR AWS Installation Guide for instructions concerning the installation of 5.5.1 on AWS.
Upgrade Instructions from versions older than 5.0.0
The upgrade process from a 3.x or a 4.x version requires a new virtual machine to be set up using the 5.5.1 OVA file. Data must be migrated from the older version of PTR/TRAP to 5.5.1. Refer to the Upgrade Guide for detailed instructions about upgrading an older version of PTR/TRAP to 5.5.1. The FAQ (Frequently Asked Questions) section contains answers to several common queries about the upgrade process.
VMware Deployments - Upgrade Instructions from 5.0.0 and above
Upgrading from PTR/TRAP 5.0.0 and above to 5.5.1 can be completed “in place” (on the appliance) using the IMG file. Refer to the Console Guide for instructions.
Warning
An issue in PTR/TRAP 5.0.0 prevents rolling back to 5.0.0 once the appliance has been upgraded to and is running 5.5.1. Take a VM snapshot before upgrading the appliance from 5.0.0 to 5.5.1.
AWS Deployments - Upgrade Instructions
The upgrade process for AWS deployments requires a new EC2 instance to be set up using the 5.5.1 VHDX file. Data must be migrated from the older version of PTR/TRAP to 5.5.1. Refer to the AMI Installation Guide for detailed instructions on deploying PTR/TRAP 5.5.1 on AWS.
5.5.0 - (April 2021)
Summary of 5.5.0 Release
PTR/TRAP 5.5.0 introduces a new integration with Proofpoint Smart Search (Proofpoint-hosted Admin Portal Interface only) to simplify threat hunting and responding to incidents based on messages reported to the Abuse Mailbox. Incident responders can find messages based on similar tells with a single click in PTR/TRAP.
PTR/TRAP 5.5.0 also introduces key improvements to the management of match conditions for CLEAR (Abuse Mailbox). These improvements include new features such as creating content sets, duplicating a match condition, and sorting and auditability of match condition “matches.” Furthermore, support for content rules has now been extended to the TAP alert source.
Lastly, this release improves the platform with the ability to automatically transfer new backups to remote locations, email notifications for outage monitoring, and the ability to purge alerts not belonging to incidents.
CLEAR and TRAP Enhancements
BEC / EAC Email Threat Searches and Incident Response
In the context of searching for Business Email Compromise (BEC) and Email Account Compromise (EAC) threats, PTR/TRAP customers that use Proofpoint Protection Server (PoD only) can benefit from a new integration between PTR/TRAP and the PPS Admin Portal. Incident responders can pivot from PTR/TRAP into Smart Search to find similar messages based on a given sender, recipient, or return-path with a single click.
A new View Similar Messages link on the Alerts tab for incidents cross launches users into the new Admin Portal interface for Proofpoint Smart Search and prepopulates the search box with the appropriate search query and a time range (last 7 days).
Any messages deemed worthy of quarantine can then be exported to TRAP with a few clicks as part of incident response. This speeds up the process of threat searching and incident response for messages in a BEC/EAC context where sender, recipient and return-path are important attributes for discovering threat lures.
Note
The ‘View Similar Messages’ links can be toggled on or off under ‘System Settings > Contextual Data Sources > Smart Search Similar Messages’.
Content Rules for TAP Alerts
PTR/TRAP 5.5.0 adds content rule support for match conditions and alert filters on the Proofpoint TAP alert source. Customers who need to separate TRAP operations across email domains, business units, or geographies can now filter out alerts into separate TRAP instances using content rules in alert filters based on the email recipient’s domain. The list of supported fields for writing content rules in the TAP source includes:
- Recipient
- Sender
- Message ID
- Threat URL
- Attachment Hash
- Attachment Name
- Subject (Only available for some TAP alert types)
Content Sets for Related Attribute Values in Content Rules
PTR/TRAP 5.5.0 enables the creation of centralized sets of related content attributes, for use in content rules, across multiple match conditions on the Proofpoint TAP or Abuse Mailbox Monitor alert sources. For instance, content sets may be created with a list of common internal sender email addresses, known vendor domains, executive email lists, or common email subjects and then referenced in multiple content rules to define desired workflows for any of these scenarios.
A key advantage of using content sets is that updates such as adding new entries or removing existing ones only need to be made to the content set. These updates will propagate to individual content rules automatically.
Match Condition Management – UX Improvements
PTR/TRAP 5.5.0 highlights an improved user experience with respect to the management of match conditions.
Better Look and Feel
The alert source side panel has been widened with increased spacing between match conditions, for clarity, readability, and ease of navigation.
Sorting Options
Match conditions can be sorted by
- Name of Match Condition
- Initial Timestamp
- Last Updated Timestamp
- Enabled Status
Note that the list of match conditions is arranged alphabetically by default.
Enabled/Disabled Indicators
The listing also includes a new green/gray indicator. It denotes the enabled/disabled state of a match condition. The colored icons serve as a useful way to examine any disabled match conditions.
Duplicating a Match Condition
Match conditions, including criteria, content rules, and responses, can be duplicated by using the new Duplicate icon button beside each match condition.
Auditing Historical Matches
The number of matched alerts is now clickable and shows the alerts “matched” by this match condition over time.
Note that alerts that have been purged from the system but had previously “matched” will be included in the count; they will not, however, appear in the pop-up list of matches as they no longer exist in the system.
Platform Improvements
Connection Failure Notification
This release introduces a new type of email notification to the product called Connection Failure. Once configured, this notification is designed to alert a recipient to a connectivity outage between PTR/TRAP and any critical external services.
PTR/TRAP 5.5.0 supports monitoring for the following services:
- Exchange and Microsoft 365 mail servers
- G Suite (Google Workspace) mail servers
- LDAP servers
- Proofpoint TAP alert source
- Abuse Mailbox Monitor alert source(s)
- Proofpoint Smart Search – Export to TRAP alert source
- Scripted Poller alert source(s)
A connection failure notification is triggered after 15 consecutive minutes of failure to connect to a specified service. Thereafter, notifications are generated at one-minute intervals throughout the duration of the outage.
Note that in the event of an expected or known outage, this notification can be disabled and reenabled from the Email Notifications section under System Settings.
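The notification cadence described above (silence until a service has failed to connect for 15 consecutive minutes, then one notification per minute until it recovers, with any successful connection resetting the count) is easy to get subtly wrong in a monitor. The following Python sketch is an added illustration, not Proofpoint's code, and assumes one connectivity probe per service per minute; the probe results it runs over are constructed.

```python
"""Outage-notification cadence: stay quiet until a service has failed N
consecutive probes, then emit one notification per failed probe until the
service reconnects. Added illustration; not PTR/TRAP's implementation."""
from dataclasses import dataclass, field

FAILURE_THRESHOLD_MINUTES = 15  # consecutive failed probes before the first notification


@dataclass
class ConnectionMonitor:
    service: str
    threshold: int = FAILURE_THRESHOLD_MINUTES
    consecutive_failures: int = 0
    notifications: list = field(default_factory=list)

    def record_probe(self, minute: int, connected: bool) -> bool:
        """Feed one probe result (one probe per minute is assumed).
        Returns True if a notification is emitted for this minute."""
        if connected:
            # A single successful connection ends the outage and resets the count,
            # so a flapping service never accumulates failures across a recovery.
            self.consecutive_failures = 0
            return False
        self.consecutive_failures += 1
        if self.consecutive_failures >= self.threshold:
            self.notifications.append((minute, self.service, self.consecutive_failures))
            return True
        return False


def notifying_minutes(service: str, probe_results, threshold: int = FAILURE_THRESHOLD_MINUTES):
    """Replay a sequence of per-minute probe results (True = connected) and
    return the minutes (1-based) at which a notification would be sent."""
    monitor = ConnectionMonitor(service, threshold)
    return [
        minute
        for minute, connected in enumerate(probe_results, start=1)
        if monitor.record_probe(minute, connected)
    ]


# Constructed sample: 20 failed minutes, a one-minute recovery, then 16 more failures.
SAMPLE_PROBES = [False] * 20 + [True] + [False] * 16

if __name__ == "__main__":
    print(notifying_minutes("Proofpoint TAP alert source", SAMPLE_PROBES))
```

With the constructed sample, notifications go out at minutes 15 through 20, stop at the recovery in minute 21, and resume only once a fresh run of 15 failures completes at minute 36; a 14-minute blip produces nothing at all.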
Purging Alerts Without Incidents
Manual and Scheduled Incident Purges under System Settings now provide an additional option to include alerts that are not associated with incidents. By checking this option, orphaned or suppressed alerts lying latent in the system will be cleared as a part of the purge operation.
Purging such alerts should speed up alert processing and reduce processing errors or timeouts since these latent, orphaned alerts tend to slow down alert processing and linking significantly.
Note that the deletion of orphaned alerts or incidents is treated as an add-on operation to regular incident purges. Checking this option will not stop alerts/incidents belonging to regular closed incidents from being purged.
SCP Server for System Backups
On the Appliance Management Console on port 8080, PTR/TRAP 5.5.0 provides the option to configure a Secure Copy Protocol (SCP) server as a remote location for backing up a system configuration and incident data. The SCP server must be configured with any requisite access credentials.
Copying a Backup to a configured Remote Location Automatically – AWS S3 Bucket / SCP Server
On the Appliance Management Console on port 8080, PTR/TRAP 5.5.0 provides the option to copy a system backup into either or both of the following automatically:
- A configured AWS S3 bucket
- A configured SCP server
Once the automatic copy is enabled, it works in conjunction with the scheduled purge and backup capability within the product to create new backups and transfer them over to the specified remote location automatically.
Backups Status Page
On the Appliance Management Console on port 8080, PTR/TRAP 5.5.0 adds a new Backups Status page. It provides details on the success or failure status of previous backup operations as well as the status of the associated transfer to an SCP location or an S3 bucket.
Bug Fixes
Occasional Failures to Attach Original Email to Abuse Feedback Template
PTR/TRAP 5.5.0 fixes an issue that caused an occasional failure to attach an original reported message back with the abuse feedback email template to the end user.
Occasional Failures to Deliver Email Notifications Based on Team Assigned Match Conditions
PTR/TRAP 5.5.0 fixes an issue that caused an occasional failure to generate an email notification when a team is assigned to an incident, as part of a match condition.
Removed Alert Linking Based on Schema URLs in the Message
For end-user reported abuse messages, PTR/TRAP 5.5.0 improves alert-linking behavior based on the combination of sender address and URL. Messages are no longer linked on Web schema URLs from w3.org or Microsoft Schema URLs from schemas.microsoft.com.
Security Hardening and Vulnerability Fixes
Further to the CentOS 7.9 version upgrade in PTR/TRAP 5.4.2, PTR/TRAP 5.5.0 adds even more security enhancements with package upgrades for several common system libraries.
Threat Response/TRAP API Enhancements
API to Fetch Investigation Details
PTR/TRAP 5.5.0 provides a new API to fetch the details of an investigation being conducted across multiple incidents. This API requires the specification of the investigation ID and returns all available information about that investigation, including any incident IDs.
Optionally, the API response can include full incident data for each incident linked to the investigation. Additionally, the API response can include full alert data for each of these incidents.
Download Instructions
Customers are advised to install or upgrade to PTR/TRAP 5.5.1 rather than 5.5.0: it provides the same features and fixes a few defects found in 5.5.0. Links for installing version 5.5.1 are below.
- 5.5.1 OVA File (Fresh Installations and Upgrades from 3.x, 4.x) – Download OVA and SHA-256.
- 5.5.1 IMG File (Upgrades from 5.0.0 and above) – Download IMG and SHA-256
- 5.5.1 VHDX File (AWS AMI Installations) – Download VHDX and SHA-256.
The API documentation for PTR/TRAP 5.5.1 can be found here.
Installation Instructions
Please refer to the PTR Installation Guide or TRAP Installation Guide for instructions concerning the installation of 5.5.1. There are a few changes in the following sections in both guides.
- The virtual machine requirements include a slightly bigger HDD for the base system.
- The required ports for network communication include new entries for clustered deployments.
- The initial configuration wizard consists of a different set of steps as compared to older versions.
Please refer to the PTR AWS Installation Guide for instructions concerning the installation of 5.5.1 on AWS.
Upgrade Instructions from versions older than 5.0.0
The upgrade process from a 3.x or a 4.x version requires a new virtual machine to be set up using the 5.5.1 OVA file. Data must be migrated from the older version of PTR/TRAP to 5.5.1. Refer to the Upgrade Guide for detailed instructions about upgrading an older version of PTR/TRAP to 5.5.1. The FAQ (Frequently Asked Questions) section contains answers to several common queries about the upgrade process.
VMware Deployments - Upgrade Instructions from 5.0.0 and above
Upgrading from PTR/TRAP 5.0.0 and above to 5.5.1 can be completed “in place” (on the appliance) using the IMG file. Refer to the Console Guide for instructions.
Warning
An issue in PTR/TRAP 5.0.0 prevents rolling back to 5.0.0 once the appliance has been upgraded to and is running 5.5.1. Take a VM snapshot before upgrading the appliance from 5.0.0 to 5.5.1.
AWS Deployments - Upgrade Instructions
The upgrade process for AWS deployments requires a new EC2 instance to be set up using the 5.5.1 VHDX file. Data must be migrated from the older version of PTR/TRAP to 5.5.1. Refer to the AMI Installation Guide for detailed instructions on deploying PTR/TRAP 5.5.1 on AWS.
5.4.2 - (March 2021)
Summary of 5.4.2 Release
PTR/TRAP 5.4.2 addresses vulnerabilities in some default system libraries/packages in connection with the underlying CentOS operating system (VMware only).
Security Enhancements
Operating System Upgraded to CentOS 7.9
PTR/TRAP 5.4.2 upgrades the underlying operating system platform to CentOS 7.9. This applies to VMware deployments of PTR/TRAP alone. This ensures that many default CentOS libraries are upgraded to versions beyond those with recognized vulnerabilities at this point in time. Notable upgrades include Net-SNMP, OpenEXR, OpenSSL, Pacemaker, Perl, Sudo, Samba, and FreeType.
New Features and Bug Fixes
Proxy Support for Google Workspace (Formerly G Suite) Mail Connections
PTR/TRAP 5.4.2 extends support for connections to Google Workspace environments via a proxy server. This enables emails to be quarantined from Google Workspace mail environments in scenarios where PTR/TRAP has to route Google Workspace API requests through a proxy server.
Inclusion of Puma Logs in System Dumps
Puma logs are now included in system dumps from PTR/TRAP 5.4.2. These logs permit effective troubleshooting by Proofpoint Support teams.
Download Instructions
PTR/TRAP 5.4.2 can be deployed on VMware or AWS:
- VMware deployments for PTR/TRAP 5.4.2 require a minimum of VMware ESXi 6.0.
- For AWS deployments, m5a.large is the minimum recommended EC2 instance type.
Please use your Proofpoint CTS credentials to access the downloaded images.
- 5.4.2 OVA File (Fresh Installations and Upgrades from 3.x, 4.x) – Download OVA and SHA-256.
- 5.4.2 IMG File (Upgrades from 5.0.0 and above) – Download IMG and SHA-256.
- 5.4.2 VHDX File (AWS AMI Installations) – Download VHDX and SHA-256.
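Every image on this page (the OVA, IMG and VHDX files for 5.4.2 and for the later releases listed above) is published alongside a SHA-256 digest, and the digest should be checked before the image is imported into VMware or AWS. The following Python helper is an added example, not Proofpoint's tooling: it streams a large file through SHA-256, accepts either a bare digest or a sha256sum-style `<digest>  <filename>` line, and compares in constant time. The sample file it checks is constructed in a temporary directory.

```python
"""Verify a downloaded appliance image against its published SHA-256 digest.
Added example; not part of the PTR/TRAP product or its documentation."""
import hashlib
import hmac
import os
import tempfile


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash the file in 1 MiB chunks so multi-gigabyte images never sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_published_digest(text: str) -> str:
    """Accept a bare hex digest or a sha256sum-style '<digest>  <filename>' line."""
    tokens = text.split()
    if not tokens:
        raise ValueError("empty digest text")
    token = tokens[0].lower()
    if len(token) != 64 or any(c not in "0123456789abcdef" for c in token):
        raise ValueError(f"not a SHA-256 hex digest: {token!r}")
    return token


def verify_image(image_path: str, published_digest_text: str) -> bool:
    """Return True only if the file's digest equals the published digest."""
    expected = parse_published_digest(published_digest_text)
    actual = sha256_of_file(image_path)
    return hmac.compare_digest(actual, expected)


def demo() -> dict:
    """Constructed sample: a throwaway file stands in for a downloaded image."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "ptr-trap-sample.img")
        with open(image, "wb") as fh:
            fh.write(b"hello")
        # SHA-256 of the five bytes b"hello", in the line format a .sha256 file uses.
        published = (
            "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"
            "  ptr-trap-sample.img\n"
        )
        tampered = "0" * 64  # a digest that does not match the file
        return {
            "digest": sha256_of_file(image),
            "matches_published": verify_image(image, published),
            "matches_tampered": verify_image(image, tampered),
        }


if __name__ == "__main__":
    print(demo())
```

In practice, call `verify_image("<path to downloaded OVA/IMG/VHDX>", open("<path to the downloaded .sha256 file>").read())` and refuse to deploy the image unless it returns True.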
The API documentation for PTR/TRAP 5.4.2 can be found here.
Installation Instructions
Please refer to the PTR Installation Guide or TRAP Installation Guide for instructions concerning the installation of 5.4.2. There are a few changes in the following sections in both guides.
- The virtual machine requirements include a slightly bigger HDD for the base system.
- The required ports for network communication include new entries for clustered deployments.
- The initial configuration wizard consists of a different set of steps as compared to older versions.
Please refer to the PTR AWS Installation Guide for instructions concerning the installation of 5.4.2 on AWS.
Upgrade Instructions from versions older than 5.0.0
The upgrade process from a 3.x or a 4.x version requires a new virtual machine to be set up using the 5.4.2 OVA file. Data must be migrated from the older version of PTR/TRAP to 5.4.2. Refer to the Upgrade Guide for detailed instructions about upgrading an older version of PTR/TRAP to 5.4.2. The FAQ (Frequently Asked Questions) section contains answers to several common queries about the upgrade process.
VMware Deployments - Upgrade Instructions from 5.0.0 and above
Upgrading from PTR/TRAP 5.0.0 and above to 5.4.2 can be completed “in place” (on the appliance) using the IMG file. Refer to the Console Guide for instructions.
Warning
An issue in PTR/TRAP 5.0.0 prevents rolling back to 5.0.0 once the appliance has been upgraded to and is running 5.4.2. Take a VM snapshot before upgrading the appliance from 5.0.0 to 5.4.2.
AWS Deployments - Upgrade Instructions
The upgrade process for AWS deployments requires a new EC2 instance to be set up using the 5.4.2 VHDX file. Data must be migrated from the older version of PTR/TRAP to 5.4.2. Refer to the AMI Installation Guide for detailed instructions on deploying PTR/TRAP 5.4.2 on AWS.
5.4.0 - (December 2020)
Summary of 5.4.0 Release
PTR/TRAP 5.4.0 introduces a new integration with Proofpoint Browser Isolation to simplify the triage of URLs in messages that employees report to the Abuse Mailbox. Analysts can now inspect URLs safely in a sandboxed browsing session with a single click, directly from the PTR/TRAP Alerts page.
In addition, this release simplifies the incident response workflow for abuse mailbox incidents with quick links to the Alerts and Activity pages directly from the incident list page. Also, it offers enrichment from Proofpoint Targeted Attack Protection (TAP) by highlighting Very Attacked People (VAP) who are targeted in an incident, thus providing visibility into threat types represented by TAP alerts.
Lastly, customers who use TAP will also benefit from the direct visibility of TRAP quarantine activity on the TAP Dashboard. PTR/TRAP version 5.3.0 added the capability to communicate information about successful quarantines back to the TAP Dashboard. The presentation of this information is now available with the launch of PTR/TRAP 5.4.0.
Closed Loop Email Analysis & Response (CLEAR)
Using Proofpoint Browser Isolation to Triage URLs
This release enables security teams to triage URLs in messages submitted by employees to the Abuse Mailbox by using the Closed Loop Email Analysis & Response (CLEAR) solution with a single click from the TRAP user interface. The URLs section of the Alerts page has a new column entitled “Open in Proofpoint Browser Isolation.”
Clicking a link in the “Open in Proofpoint Browser Isolation” column opens the webpage in a safe web browsing environment (sandbox) entitled “Proofpoint SaaS Isolation.”
Browsing through Proofpoint Browser Isolation lets an analyst follow a URL exactly as an end user would: the analyst can click links on the webpage and submit forms, identifying potential phishing or spam threats without risk of malware infection, because the isolated session does not allow files to be uploaded to or downloaded from the system.
Customers don’t need to own a license for Proofpoint Browser Isolation to use this feature. Further information about the Proofpoint Browser Isolation product can be obtained by clicking on this link.
Note
The use of Proofpoint Browser Isolation requires that an analyst’s machine be connected to the internet. Further, use of a proxy is supported on condition that there is internet connectivity.
Attaching Feedback to Reported Email and Sending It to End Users
PTR/TRAP 5.4.0 enables security teams to attach an original message, reported by end users, to the email template responses sent to them from TRAP. This is helpful when an email is scored as either Low Risk or Bulk; moreover, it is desirable for end users to be able to retrieve the reported email with ease. This setting can be configured by PTR/TRAP admins when creating/editing an email template here: Abuse Feedback under Email Templates (in System Settings).
Previewing an Email Template’s Content Prior to Sending a Manual Response
This release enables manual “Send email notification” response actions from the incident/alert page to provide a preview of the content of an email template prior to sending it to an end user. This helps to verify that the appropriate email feedback template is being sent to the end user to reinforce their security awareness training.
Quick Links to the Alerts and Activity Pages From the Incident List
PTR/TRAP 5.4.0 adds quick links to the Alerts and Activity pages, directly from the incident list, to reduce the number of clicks required to reach critical information for resolving incidents.
Abuse Incidents List Is a Supported Default Landing Page
The Incident List - Abuse Incidents page is now a supported landing page in the Account Preferences section.
TAP Enhancements
Quarantine Reporting on the TAP Dashboard
Importantly, while this feature is being announced and will be generally available with the launch of PTR/TRAP 5.4.0, the underlying components have been populating data since the launch of PTR/TRAP 5.3.0.
PTR/TRAP can now communicate with the TAP Dashboard to provide customers with visibility into successful and skipped quarantines directly on the TAP Dashboard. Quarantine information is correlated with delivered messages and is presented clearly in order to help security teams capture the value delivered by TRAP, namely the mitigation of delivered threats and reduced exposure to risk.
Customers must be running PTR/TRAP 5.3.0 or above and need to turn on Feedback Reporting (in System Settings) to benefit from this feature.
TAP Threat Type Is Available on the Alerts View
In addition, PTR/TRAP 5.4.0 contributes to the enrichment of TAP alerts by providing details of the type of threat represented by the alert on the Alerts page. The threat type maps to one of the following values:
- Permitted Clicks
- Delivered Attachment Threats
- Unprotected URL Threats
- Delivered URL Threats
- Delivered Impostor Threats
Very Attacked People Enrichment, Badges, and Match Conditions
This release supplements alerts and incidents with information as it relates to VAPs from TAP. VAP recipients who are targeted and identified in incidents are marked with a “badge” on the incidents and alerts pages.
Dedicated match conditions can also be configured for VAP recipients to enforce greater security controls as they represent a potentially higher risk to your organization by virtue of being attacked more.
General Improvements and Notable Tech Upgrades
Expand_Events Query Parameter Extended to the Incident API
PTR/TRAP 5.4.0 extends support for the expand_events query parameter to the Get Incident Details API. Setting this parameter to false can speed up API calls significantly; use it in scenarios where individual alert details are not required in the API response.
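As an added illustration (not Proofpoint's code, and not part of the original release notes), the following Python fetches incident summaries with expand_events=false and requests the expanded event details only for incidents that need them. It assumes the Get Incident Details endpoint is GET /api/incidents/<id>.json, that expand_events accepts the strings true/false, and that the API key is passed in an Authorization header; the hostname, key and JSON responses are constructed placeholders.

```python
"""Two-phase incident fetch: cheap summary pass, then expanded details on demand.

Assumptions (not confirmed by the release notes): the Threat Response REST API
exposes GET /api/incidents/<id>.json, honours an `expand_events` query parameter
with the values "true"/"false", and authenticates with an `Authorization: <key>`
header. Check your appliance's API documentation before relying on these.
"""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Tuple


def incident_url(host: str, incident_id: int, expand_events: bool) -> str:
    """Build the Get Incident Details URL, always passing expand_events explicitly."""
    query = urllib.parse.urlencode({"expand_events": "true" if expand_events else "false"})
    return f"https://{host}/api/incidents/{incident_id}.json?{query}"


def http_get_json(url: str, api_key: str, timeout: float = 30.0) -> Dict:
    """Real HTTP fetch against the appliance (not exercised by the offline demo)."""
    req = urllib.request.Request(
        url, headers={"Authorization": api_key, "Accept": "application/json"}
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def triage(
    host: str,
    api_key: str,
    incident_ids: List[int],
    needs_detail: Callable[[Dict], bool],
    fetch: Callable[[str, str], Dict] = http_get_json,
) -> Tuple[Dict[int, Dict], Dict[int, Dict]]:
    """Fetch every incident without events first (fast), then re-fetch with
    expand_events=true only for incidents the predicate marks as needing events."""
    summaries: Dict[int, Dict] = {}
    expanded: Dict[int, Dict] = {}
    for iid in incident_ids:
        summary = fetch(incident_url(host, iid, expand_events=False), api_key)
        summaries[iid] = summary
        if needs_detail(summary):
            expanded[iid] = fetch(incident_url(host, iid, expand_events=True), api_key)
    return summaries, expanded


# Constructed sample responses keyed by URL; field names are illustrative only.
HOST = "trap.example.invalid"  # placeholder appliance hostname
CONSTRUCTED_RESPONSES = {
    incident_url(HOST, 101, False): {"id": 101, "state": "open"},
    incident_url(HOST, 101, True): {"id": 101, "state": "open",
                                    "events": [{"id": 5001}, {"id": 5002}]},
    incident_url(HOST, 102, False): {"id": 102, "state": "closed"},
}


def demo() -> Dict:
    """Run triage offline against the constructed responses and report what was fetched."""
    calls: List[str] = []

    def fake_fetch(url: str, api_key: str) -> Dict:
        calls.append(url)
        return dict(CONSTRUCTED_RESPONSES[url])

    summaries, expanded = triage(
        HOST, "placeholder-api-key", [101, 102],
        needs_detail=lambda s: s["state"] == "open", fetch=fake_fetch,
    )
    return {
        "calls": len(calls),                     # 3: two summaries + one expansion
        "expanded_ids": sorted(expanded),        # only the open incident
        "event_count": len(expanded[101]["events"]),
        "summary_count": len(summaries),
    }


if __name__ == "__main__":
    print(demo())
```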
Hostname Support for the License Proxy Server
The proxy server field under Licensing on the Appliance Management Console now supports hostnames besides IP addresses.
Improved PTR/TRAP Error-handling
PTR/TRAP 5.4.0 removes points of failure around licensing-related restarts and EWS request failures thereby improving product robustness.
Download Instructions
PTR/TRAP 5.4.0 can be deployed on VMware or AWS. For VMware deployments PTR/TRAP 5.4.0 requires a minimum of VMware ESXi 6.0. For AWS deployments, ‘m5a.large’ is the minimum recommended configuration for EC2 instances. Please use the Proofpoint CTS credentials to access the downloaded images.
- 5.4.0 OVA File (Fresh Installations and Upgrades from 3.x, 4.x) – Download OVA and SHA-256.
- 5.4.0 IMG File (Upgrades from 5.0.0 and above) – Download IMG and SHA-256.
- 5.4.1 VHDX File (AWS AMI Installations) – Download VHDX and SHA-256.
The API documentation for PTR/TRAP 5.4.0 can be found here.
Installation Instructions
Please refer to the PTR Installation Guide or TRAP Installation Guide for instructions concerning the installation of 5.4.0. There are a few changes in the following sections in both guides.
- The virtual machine requirements include a slightly bigger HDD for the base system.
- The required ports for network communication include new entries for clustered deployments.
- The initial configuration wizard consists of a different set of steps as compared to older versions.
Please refer to the PTR AWS Installation Guide for instructions concerning the installation of 5.4.0 on AWS.
Upgrade Instructions from versions older than 5.0.0
The upgrade process from a 3.x or a 4.x version requires a new virtual machine to be set up using the 5.4.0 OVA file. Data must be migrated from the older version of PTR/TRAP to 5.4.0. Refer to the Upgrade Guide for detailed instructions about upgrading an older version of PTR/TRAP to 5.4.0. The FAQ (Frequently Asked Questions) section contains answers to several common queries about the upgrade process.
VMware Deployments - Upgrade Instructions from 5.0.0 and above
Upgrading from PTR/TRAP 5.0.0 and above to 5.4.0 can be completed “in place” (on the appliance) using the IMG file. Refer to the Console Guide for instructions.
Warning
An issue in PTR/TRAP 5.0.0 prevents rolling back to 5.0.0 after the appliance has been upgraded and running 5.4.0. Before upgrading the appliance from 5.0.0 to 5.4.0, it is advisable to take a VM snapshot first.
AWS Deployments - Upgrade Instructions
The upgrade process for AWS deployments requires a new EC2 instance to be set up using the 5.4.0 VHDX file. Data must be migrated from the older version of PTR/TRAP to 5.4.0. Refer to the AMI Installation Guide for detailed instructions on deploying PTR/TRAP 5.4.0 on AWS.
5.3.0 - (September 2020)¶
Summary of 5.3.0 Release
PTR/TRAP 5.3.0 introduces a significantly improved approach to Abuse Mailbox Monitoring workflows by delivering key enhancements on many different fronts, namely the improvement of automation and the simplification of manual triaging workflows. It also brings some technology and security upgrades, and general enhancements that benefit our customers’ overall security posture.
Closed Loop Email Analysis & Response (CLEAR)
Content Rules for Improving Abuse Mailbox Monitoring Automation
PTR/TRAP 5.3.0 enables security teams to add context to the CLEAR automation pipeline by defining message content rules in match conditions for the Abuse Mailbox Monitor alert source. This allows for the automated processing of mass internal emails and known vendor emails as well as the creation of separate workflows for executive submissions among other use cases.
Content rules are defined as criteria based on message content such as email headers, recipients, senders, URLs, attachments, or other attributes of a message. Please refer to the Content Rules Guide for detailed instructions on how to set this up correctly.
Download Original Message for Manual Investigation/Sandbox Submission
PTR/TRAP 5.3.0 allows security teams to download the original message corresponding to an abuse mailbox submission from the alert view on the PTR/TRAP UI. This can be helpful in cases where an advanced analysis of a submitted message is required, such as visual inspection or sandboxing.
Email Notifications for CLEAR Incidents Requiring Manual Review
This release allows email notifications to be configured to trigger on a team assignment or on an incident field update. Such notifications can be used to alert the team whenever an incident receives an ‘unknown’ or ‘suspicious’ abuse disposition, which implies that it requires manual review.
Detailed information on the topic of setting up notifications for ‘Unknown’ and ‘Suspicious’ incidents can be obtained here.
Subject and Sender Values on Incident List for Abuse Incidents
This release adds the Subject and Sender values of the latest alert to the incident list view for abuse mailbox monitor incidents, allowing incidents with known/recognized emails to be triaged, and bulk actions taken, directly from the incident list.
False Negative Reporting for CLEAR Submissions
CLEAR analysis of a message can result in an “unknown” abuse disposition, in which case Proofpoint Threat Intelligence defers the final decision on the message to the customer’s security team. If an analysis, carried out by the security team, reveals a threat in the message, PTR/TRAP 5.3.0 gives a customer the opportunity to report it back to Proofpoint. This allows Proofpoint Threat Research to review such threats and ensure a more appropriate disposition in the future.
For customers who use the Proofpoint Protection Server (PPS) and Targeted Attack Protection (TAP) as their email gateway solution, this process also allows messages, confirmed as malicious/spam by Proofpoint Threat Researchers, to be blocked pre-delivery.
Important Note
Customers must exercise caution and ensure that messages without actual threats are not reported as False Negatives to Proofpoint. Any attempts to do so would be considered detrimental to Proofpoint’s Threat Intelligence and may necessitate Proofpoint to disable this feature going forward.
Reporting the Value of Automation From CLEAR
This release presents a new “abuse dispositions” report to measure the direct automation value received from CLEAR. Essentially, the report sorts any abuse incidents into categories based on the abuse disposition. (There are six abuse dispositions.) Incidents assigned any one of the following abuse dispositions, namely “Malicious,” “Spam,” “Low Risk,” or “Bulk,” are fully automated by TRAP and the sum of the counts (under these buckets) represents the automation value received from CLEAR.
Predesigned Email Templates for Responding to End Users
Lastly, this release introduces six new email templates to be used in conjunction with the six abuse dispositions for the purpose of communicating deployment best practices identified and recommended by Proofpoint. They are located under the Email Templates section (under Email Notifications) on the System Settings screen. Note that the templates each have a “V2” tag alongside their names for easy identification.
General Improvements
Dashboard Loading Enhancements
The PTR/TRAP Dashboard is the landing page of choice for a lot of security teams using PTR/TRAP. PTR/TRAP 5.3.0 substantially improves the loading performance of the dashboard, by, for example, reducing the time range of data loaded onto the view by default. The dashboard now loads only 7 days of data instead of 90 days. Note that 90 days of data can be obtained by using the drop-down menu on the top right-hand side of the dashboard.
Additionally, the dashboard now supports a “manual” refresh mode as well as the pre-existing “auto” refresh behavior. The “manual” refresh mode will be the default selection as most users do not require the screen to be refreshed automatically (at regular [short] intervals). Customers who use the dashboard as a display for monitoring activity can choose to change the refresh mode to “auto” by using the settings on the top right-hand side of the dashboard.
Matched Conditions, Alerts, and Matched Alert Counts
PTR/TRAP 5.3.0 introduces a new subsection under Alerts called Matched Conditions. The subsection has been designed to capture all the match conditions that an alert has triggered, including the timestamps. This makes it easy to track an alert and any match conditions associated with it.
Similarly, match conditions under Alert Sources now display a count for the number of alerts matched. Thus, we can understand match conditions that have proved effective in providing automation value.
This feature is very useful for identifying content rule match conditions that are effective in providing automation value with respect to abuse mailbox monitoring.
Visibility of Licensing Information
PTR/TRAP 5.3.0 provides visibility of the expiry date of valid licenses on the licensing page to ensure that licenses are renewed before they expire.
Use of Appropriate Terminology
PTR/TRAP 5.3.0 introduces changes to its terminology base to reaffirm Proofpoint’s strong support for social equality. The following expressions are being changed permanently:
- Quarantine Whitelist -> Quarantine Skiplist
- Whitelist (under the Lists section) -> Allowlist (under the Lists section)
Technology/Security Upgrades and Key Defect Fixes
Platform Operating System Update to CentOS 7.8
PTR/TRAP 5.3.0 introduces an update to the underlying platform operating system (OS) on which PTR/TRAP runs. Essentially, the platform OS has been upgraded to CentOS version 7.8. This update improves the overall security and reliability of PTR/TRAP.
Progress Indicator for Master Secret Upload
PTR/TRAP 5.3.0 introduces a UI dialog describing the status of a Master Secret upload to the PTR/TRAP management console. This UI dialog ensures that a user is notified when a restart of system services is in progress. Ultimately, this prevents conflict when old backup files are being uploaded.
Team Sync Doesn’t Update LDAP Group Changes in TRAP
PTR/TRAP 5.3.0 resolves the issue that prevents LDAP group changes from being synced to teams in TRAP.
High Availability and LDAP Conflicts
PTR/TRAP 5.3.0 addresses the issue that prevents the configuration of High Availability when LDAP sync is enabled on the product.
Download Instructions
PTR/TRAP 5.3.0 can be deployed on VMware or AWS. For VMware deployments PTR/TRAP 5.3.0 requires a minimum of VMware ESXi 6.0. For AWS deployments, ‘m5a.large’ is the minimum recommended configuration for EC2 instances. Please use the Proofpoint CTS credentials to access the downloaded images.
- 5.3.0 OVA File (Fresh Installations and Upgrades from 3.x, 4.x) – Download OVA and SHA-256.
- 5.3.0 IMG File (Upgrades from 5.0.0 and above) – Download IMG and SHA-256.
- 5.3.0 VHDX File (AWS AMI Installations) – Download VHDX and SHA-256.
The API documentation for PTR/TRAP 5.3.0 can be found here.
Installation Instructions
Please refer to the PTR Installation Guide or TRAP Installation Guide for instructions concerning the installation of 5.3.0. There are a few changes in the following sections in both guides.
- The virtual machine requirements include a slightly bigger HDD for the base system.
- The required ports for network communication include new entries for clustered deployments.
- The initial configuration wizard consists of a different set of steps as compared to older versions.
Please refer to the PTR AWS Installation Guide for instructions concerning the installation of 5.3.0 on AWS.
Upgrade Instructions from versions older than 5.0.0
The upgrade process from a 3.x or a 4.x version requires a new virtual machine to be set up using the 5.3.0 OVA file. Data must be migrated from the older version of PTR/TRAP to 5.3.0. Refer to the Upgrade Guide for detailed instructions about upgrading an older version of PTR/TRAP to 5.3.0. The FAQ (Frequently Asked Questions) section contains answers to several common queries about the upgrade process.
VMware Deployments - Upgrade Instructions from 5.0.0 and above
Upgrading from PTR/TRAP 5.0.0 and above to 5.3.0 can be completed “in place” (on the appliance) using the IMG file. Refer to the Console Guide for instructions.
Warning
An issue in PTR/TRAP 5.0.0 prevents rolling back to 5.0.0 after the appliance has been upgraded and running 5.3.0. Before upgrading the appliance from 5.0.0 to 5.3.0, it is advisable to take a VM snapshot first.
AWS Deployments - Upgrade Instructions
The upgrade process for AWS deployments requires a new EC2 instance to be set up using the 5.3.0 VHDX file. Data must be migrated from the older version of PTR/TRAP to 5.3.0. Refer to the AMI Installation Guide for detailed instructions on deploying PTR/TRAP 5.3.0 on AWS.
5.2.0 - (May 2020)¶
Summary of 5.2.0 Release
Proofpoint Threat Response (PTR) and Threat Response Auto Pull (TRAP) version 5.2.0 delivers several key customer requests, including a new integration with Proofpoint Smart Search that reduces a multi-step message remediation workflow to a single click.
Moreover, version 5.2.0 includes multiple enhancements that strengthen the Proofpoint Targeted Attack Protection (TAP) integration with TRAP/PTR. Also, it accelerates system and UI performance for executing core TRAP/Threat Response workflows.
Lastly, this version provides additional “help” text for messages analyzed by Proofpoint Closed Loop Email Analysis and Response (CLEAR). This text enables messaging as well as security analysts to understand why a specific abuse disposition was assigned to an alert following message analysis.
New/Improved Integrations
Smart Search – Export to TRAP
A large number of PTR/TRAP customers also use Proofpoint Protection Server’s (PPS) cloud-hosted offering, also known as Proofpoint On-Demand (PoD), in their mail environments. Using these products together enables you to find malicious/unwanted messages with PPS and then quarantine them with TRAP. Messages can be queried by similar subject, sender address, URL, domain, etc., and PPS then exports a CSV file of the results; TRAP, in turn, can use those results to target quarantines.
PTR/TRAP 5.2.0 adds a new integration with Proofpoint Smart Search, also known as “Proofpoint Smart Search – Export to TRAP.” It allows you to use PPS Smart Search to “push” the results from a Smart Search query directly into your PTR/TRAP appliance with a single click by using the new Export to TRAP button available within the Smart Search Admin Portal interface.
This integration requires a new alert source called ‘Proofpoint Smart Search - Export to TRAP’ to be configured on your PTR/TRAP 5.2.0 (or above) appliance. Refer to the Export to TRAP Integration Guide for detailed instructions on how to set this up to work correctly.
Increased Lookback Period for TAP Alerts
PTR/TRAP 5.2.0 increases the lookback period for TAP alerts from 1 hour to 12 hours. This means that in the event of a disaster or other meaningful outage, PTR/TRAP can now recover TAP alerts up to 12 hours in the past on restart and will continue to quarantine/remediate based on those alerts configured in your match conditions.
Searching for TAP Dashboard Threat URLs in PTR/TRAP
PTR/TRAP 5.2.0 introduces the capability to search for any URL threat found on the TAP Dashboard within the PTR/TRAP search interface and to return all incidents and alerts pertaining to that URL threat within PTR/TRAP.
PTR/TRAP 5.2.0 also introduces two new columns in the search results for alerts in both the basic and detailed search results view:
- Threat Hostname (the subdomain and domain corresponding to the URL threat)
- Email Recipient (the alert’s target)
CLEAR Enhancements
“Suspiciousness” Classifier
PTR/TRAP 5.2.0 provides reasons for arriving at an abuse disposition value following a CLEAR analysis of a message. This reasoning is displayed on the Threat Description field in the Incident Overview and in a new CLEAR analysis section on the Alert view. It presents specific URLs or attachment names that were found to be malicious in each message where applicable.
Performance Enhancements
Automatic Backups Before Scheduled Purges
PTR/TRAP 5.2.0 allows administrators to schedule backups prior to executing regular purge operations. This enables the automation of regular backups of your database and thus keeps your appliance’s systems “light” to ensure that the UI is fast. Backend performance benefits as well. The setting can be configured by filling in the checkbox when scheduling a new purge.
The data stored in a backup can be restored on any PTR/TRAP appliance with the same (or higher) version as needed. A successful backup operation is a prerequisite to the execution of any incident purges. This ensures that none of your data is ever lost without a copy.
Intelligent Backup Recommendations
Given the capability to configure a scheduled backup and purge operation in PTR/TRAP 5.2.0, the system also provides useful recommendations for scheduling such operations to make sure that system performance is optimal. These notifications will be displayed to both admin and non-admin PTR/TRAP users but can only be acted on by admin users since the recommendations could lead to the deletion of data. Non-admin users can acknowledge these recommendations and inform admin users to act. All notifications can be dismissed temporarily (for 7 days).
General Enhancements
Importing Additional LDAP Object Classes
PTR/TRAP 5.2.0 allows you to import custom LDAP object classes within PTR/TRAP instead of being limited to the object class of “user” only. These can be used as attributes to configure match conditions with Active Directory actions following a CLEAR analysis or as data points for enrichment of alerts with target LDAP information.
Global Support for Azure AD authentication
PTR/TRAP 5.2.0 introduces the ability to configure Azure AD authentication for deployments in countries across the globe with different authentication endpoints. With this change, PTR/TRAP can now work with Azure AD endpoints across deployments globally.
Defect Fixes
Fixes Problems Causing Alert Loss With Scripted Poller Integrations (IMD/CASB)
PTR/TRAP 5.2.0 fixes memory-related issues with scripts running in PTR/TRAP versions 5.0.0-5.1.1.
Download Instructions
PTR/TRAP 5.2.0 can be deployed on VMware or AWS. For VMware deployments PTR/TRAP 5.2.0 requires a minimum of VMware ESXi 6.0. For AWS deployments, ‘m5a.large’ is the minimum recommended configuration for EC2 instances. Please use the Proofpoint CTS credentials to access the downloaded images.
- 5.2.0 OVA File (Fresh Installations and Upgrades from 3.x, 4.x) – Download OVA and SHA-256.
- 5.2.0 IMG File (Upgrades from 5.0.0 and above) – Download IMG and SHA-256.
- 5.2.0 VHDX File (AWS AMI Installations) – Download VHDX and SHA-256.
The API documentation for PTR/TRAP 5.2.0 can be found here.
Installation Instructions
Please refer to the PTR Installation Guide or TRAP Installation Guide for instructions concerning the installation of 5.2.0. There are a few changes in the following sections in both guides.
- The virtual machine requirements include a slightly bigger HDD for the base system.
- The required ports for network communication include new entries for clustered deployments.
- The initial configuration wizard consists of a different set of steps as compared to older versions.
Please refer to the PTR AWS Installation Guide for instructions concerning the installation of 5.2.0 on AWS.
Upgrade Instructions from versions older than 5.0.0
The upgrade process from a 3.x or a 4.x version requires a new virtual machine to be set up using the 5.2.0 OVA file. Data must be migrated from the older version of PTR/TRAP to 5.2.0. Refer to the Upgrade Guide for detailed instructions about upgrading an older version of PTR/TRAP to 5.2.0. The FAQ (Frequently Asked Questions) section contains answers to several common queries about the upgrade process.
VMware Deployments - Upgrade Instructions from 5.0.0 and above
Upgrading from PTR/TRAP 5.0.0 and above to 5.2.0 can be completed “in place” (on the appliance) using the IMG file. Refer to the Console Guide for instructions.
Warning
An issue in PTR/TRAP 5.0.0 prevents rolling back to 5.0.0 after the appliance has been upgraded and running 5.2.0. Before upgrading the appliance from 5.0.0 to 5.2.0, it is advisable to take a VM snapshot first.
AWS Deployments - Upgrade Instructions From 5.1.1
The upgrade process for AWS deployments requires a new EC2 instance to be set up using the 5.2.0 VHDX file. Data must be migrated from the older version of PTR/TRAP to 5.2.0. Refer to the AMI Installation Guide for detailed instructions on deploying PTR/TRAP 5.2.0 on AWS.
5.1.1 - (March 2020)¶
Summary of 5.1.1 Release
Proofpoint Threat Response (PTR) and Threat Response Auto Pull (TRAP) version 5.1.1 delivers fixes for a couple of defects identified in the recently released version 5.1.0.
Inclusion of Threat Type Fields for TAP Alert Source
PTR/TRAP 5.1.1 includes a fix for an issue relating to the Targeted Attack Protection (TAP) alert source. Specifically, when a match condition was created or edited, such actions caused certain fields in the Threat Type to disappear in the user interface. A fix has been implemented such that all fields relevant to the Threat Type are displayed correctly in a match condition.
Fix for Display of Authentication Page in Appliance Management Console
PTR/TRAP 5.1.1 includes a fix for an issue relating to the Authentication page in the Appliance Management Console. Upon loading the page, an error message is no longer displayed.
Download Instructions
The VMware offering for PTR/TRAP 5.1.1 requires a minimum of VMware ESXi 6.0. Please use Proofpoint CTS credentials to access the downloaded images.
- 5.1.1 OVA File (Fresh Installations and Upgrades from 3.x, 4.x) – Download OVA and SHA-256.
- 5.1.1 IMG File (Upgrades from 5.0.0 and above) – Download IMG and SHA-256.
The API documentation for PTR/TRAP 5.1.1 can be found here.
Please refer to the 5.1.0 Release Notes for Installation and Upgrade instructions of PTR/TRAP 5.1.1.
5.1.0 - (March 2020)¶
Summary of 5.1.0 Release
Proofpoint Threat Response (PTR) and Threat Response Auto Pull (TRAP) version 5.1.0 delivers several key benefits and enhancements, spanning Closed Loop Email Analysis and Response (CLEAR), Targeted Attack Protection (TAP) false positives, quarantine reporting, and system maintenance.
Download instructions
Installation of PTR/TRAP 5.1.0 requires a minimum of VMware ESXi 6.0.
Platform - AWS
PTR/TRAP 5.1.0 introduces the option to deploy the application in the Amazon Web Services (AWS) public cloud. For customers who wish to benefit from the many features supported by the product but are averse to setting up any on-premises infrastructure for it, PTR/TRAP can now be deployed as an Amazon Machine Image (AMI) within an AWS Elastic Compute Cloud (EC2) instance. Customers must instantiate their respective PTR/TRAP AMIs within EC2. (This is similar to setting up a Virtual Machine (VM) in their own datacenters.)
This platform offering complements the existing deployment option for PTR/TRAP on VMware. Both platform offerings support the same features for alert ingestion, alert enrichment, incident management, and reports. The key differences with the AMI offering pertain to the underlying platform:
- The underlying operating system is Amazon Linux 2;
- Upgrades to a newer version must be performed by moving data between the old and new instances; and
- High Availability, while it is not offered, can be compensated for by using a variety of tools and features in AWS, such as Termination Protection, Elastic Block Storage (EBS) snapshots, AWS CloudWatch, or other preferred methods.
The AWS Installation Guide contains a detailed set of steps for deploying PTR/TRAP in AWS.
The Console Guide includes some important differences in the platform pertaining to appliance management activities.
CLEAR Enhancements
Improved Categorization of Reported Abuse Messages That Are Spam
PTR/TRAP 5.1.0 introduces a new Spam disposition for reported abuse messages following a reanalysis by Proofpoint Threat Intelligence. This enables new workflows for security teams so that they can differentiate responses to spam messages from those (responses) to malicious messages and thus leverage the benefits of increased automation. Ultimately, security teams can analyze the volume of reported spam messages and drive changes to their email spam engines that reduce or prevent spam traffic from entering their environment over time.
Better Controls for Triggering Match Conditions on Reported Abuse Messages
PTR/TRAP 5.1.0 allows for a more granular control on the “triggering” of match conditions for reported abuse messages. Given the following scenarios, match conditions can now be set up to “trigger”
- when a reported abuse message is received in PTR/TRAP as a new alert,
- after a reported abuse message is reanalyzed by Proofpoint Threat Intelligence, or
- both of the above.
Such granular control enables several use cases based on the updated abuse disposition value, such as
- reassigning an abuse incident based on initial and final disposition values,
- notifying end-users after the message is given a disposition with a specific value, and
- sending incident data, including the abuse disposition, to an external system (SIEM, ticket management, etc.).
Running Additional Responses Following a CLEAR Re-analysis
Building on the ability to run Scripted Responses in 5.0.1, PTR/TRAP 5.1.0 allows the following responses to be run after an abuse message (submitted via CLEAR) has been reanalyzed by Proofpoint:
- Disable a user account in Active Directory.
- Reset a user account password in Active Directory.
- Invalidate a user account password in Active Directory.
- Custom Responses (requires a full Threat Response license).
Note that the responses relating to Active Directory can be leveraged to protect the accounts of special users, namely VIPs/employees in sensitive roles, if there is reason to believe that a message reported by them was dispositioned as malicious and/or if they were victims of a phishing attack.
Running Match Conditions Following a CLEAR Analysis Based on LDAP Attributes
PTR/TRAP 5.1.0 supports the ability to run match conditions based on the values of LDAP attributes associated with an abuse message reporter, when an abuse message (submitted via CLEAR) has been reanalyzed by Proofpoint. This ability enables security teams to “trigger” automated responses based on the abuse reporter’s role, location, etc.
For example:
- Notify the end-user via email in a specific language based on the user’s location.
- Assign the abuse incident to a special team based on the user’s role (executive, payroll employee, etc.).
Support for SENDER Tag in End-User Abuse Feedback Email Templates
The end-user email template for abuse feedback in PTR/TRAP 5.1.0 supports the use of the SENDER tag in addition to the existing tags, namely RECIPIENT, SUBJECT, and RECEIVED DATE. When the email template is used to send out an email notification to the abuse reporter, the SENDER tag is substituted with the email address of the envelope sender (in the original reported abuse message).
Utilization of this tag lets security teams include additional context about the abuse message in the email notification. Moreover, it educates users to exercise caution if they receive future emails from the specified sender.
PTR/TRAP Enhancements
Ability to Automatically Close Incidents Reopened for TAP False Positive Alerts
PTR/TRAP 5.1.0 provides the ability to automatically close an incident that was reopened upon receiving a False Positive (FP) alert from Targeted Attack Protection (TAP). Previously, such reopened incidents could be set up to perform an automatic “undo quarantine” action on any previously quarantined messages. Currently, such incidents can be configured to close automatically, subject to the following conditions:
- The incident was previously closed and was reopened owing to an FP alert.
- All “automatic undo quarantine” actions have been successfully completed.
This allows you to focus only on incidents with FP alerts that require manual action such as those involving failed “undo quarantine” operations.
Improved Counts for Quarantined Messages in Abuse Incidents
PTR/TRAP 5.1.0 has implemented an improved method for displaying the counts of messages that were quarantined in an abuse incident. Previously, message counts for both successful and failed quarantine actions reflected the latest attempt of that action on messages associated with the incident. Currently, these counts reflect the cumulative value of all quarantine attempts (automatic or manual) made during the time in which the incident exists.
System Maintenance Features and Enhancements
Scheduled Purges
PTR/TRAP 5.1.0 introduces the ability to create and manage schedules to purge incidents regularly and automatically. System administrators can set up one or more “purge schedules” which run at specified intervals and act on specific filters, namely Alert Sources and Incident Creation Date Range.
Schedules can be enabled or disabled based upon your preference. At the end of a scheduled run, an email notification can be sent to an administrative user for any follow-up. Moreover, the results of each scheduled run can be viewed under Incident Purges in System Settings. Note that this section contains details of a “purge” operation, including its configuration and results.
Purge Filter for False Positive Incidents
PTR/TRAP 5.1.0 includes a new filter for both scheduled and manual incident purge operations. Essentially, the filter permits system administrators to target incidents whose alerts are only false positives received from TAP (Targeted Attack Protection). Thus system administrators can manage false positive incidents that provide little value to the security team and eliminate any clutter in reports and metrics associated with incident management.
Bulk Action to Purge Incidents
PTR/TRAP 5.1.0 lets system administrators “trigger” an incident purge as a bulk action from the Incident List. The bulk action can be executed on any filtered list of closed incidents. For example, a system administrator can filter incidents that are assigned to a non-existent analyst or associated with the value of a specific incident field (Severity, Classification, Attack Vector, etc.) and perform a purge operation on these incidents.
This feature can only be used by system administrators (belonging to the “Admins” team). Further, the bulk action can only be triggered when selected incidents are in the “closed” state.
Download Instructions
Please refer to the 5.1.1 Release Notes for instructions to download PTR/TRAP 5.1.1, instead of version 5.1.0.
Installation Instructions
Please refer to the PTR Installation Guide or TRAP Installation Guide for instructions concerning the installation of 5.1.0. There are a few changes in the following sections in both guides.
- The virtual machine requirements include a slightly bigger HDD for the base system.
- The required ports for network communication include new entries for clustered deployments.
- The initial configuration wizard consists of a different set of steps as compared to older versions.
Please refer to the PTR AWS Installation Guide for instructions concerning the installation of 5.1.0 on AWS.
Upgrade Instructions from versions older than 5.0.0
The upgrade process from a 3.x or a 4.x version requires a new virtual machine to be set up using the 5.1.0 OVA file. Data must be migrated from the older version of PTR/TRAP to 5.1.0. Refer to the Upgrade Guide for detailed instructions about upgrading an older version of PTR/TRAP to 5.1.0. The FAQ (Frequently Asked Questions) section contains answers to several common queries about the upgrade process.
Upgrade Instructions from 5.0.0 and above
Upgrading from PTR/TRAP 5.0.0 and above to 5.1.0 can be completed “in place” (on the appliance) using the IMG file. Refer to the Console Guide for instructions.
Warning
An issue in PTR/TRAP 5.0.0 prevents rolling back to 5.0.0 after the appliance has been upgraded and running 5.1.0. Before upgrading the appliance from 5.0.0 to 5.1.0, it is advisable to take a VM snapshot first.
5.0.2 - (February 2020)¶
Summary of 5.0.2 Release
Proofpoint Threat Response (PTR) and Threat Response Auto Pull (TRAP) version 5.0.2 delivers fixes to defects affecting version 5.0.0 and 5.0.1.
Download instructions
Installation of PTR/TRAP 5.0.2 requires a minimum of VMware ESXi 6.0.
Defect Fixes
PTR/TRAP Fails to Connect to Azure AD/Modern Auth via Proxy
PTR/TRAP 5.0.2 contains a fix for an issue wherein a proxy connection to Office-365 via Azure AD and Modern Auth did not work. The fix ensures that proxy connections to Office-365 are handled correctly.
LDAP Authorization Over SSL not Working on the PTR Appliance Management Console
PTR/TRAP 5.0.2 contains a fix for an issue that prevented LDAP authorization from working over SSL in the Appliance Management Console for versions 5.0.0 and 5.0.1.
Ability to Configure Network from Appliance Management Console
PTR/TRAP 5.0.2 contains a few fixes that allow Network Addresses to be configured from the Appliance Management Console and the ability to switch between DHCP and Static for primary interface.
Download Instructions
PTR/TRAP 5.0.2 requires a minimum of VMware ESXi 6.0. Please use the Proofpoint CTS credentials to access the downloaded images.
- 5.0.2 OVA File (Fresh Installations and Upgrades from 3.x, 4.x) – Download OVA.
- 5.0.2 IMG File (Upgrades from 5.0.0/5.0.1) – Download IMG.
The API documentation for PTR/TRAP 5.0.2 can be found here.
Installation Instructions
Please refer to the PTR Installation Guide or TRAP Installation Guide for instructions concerning the installation of 5.0.2. There are a few changes in the following sections in both guides.
- The virtual machine requirements include a slightly bigger HDD for the base system.
- The required ports for network communication include new entries for clustered deployments.
- The initial configuration wizard consists of a different set of steps as compared to older versions.
Upgrade Instructions from Versions Older than 5.0.0
The upgrade process from a 3.x or a 4.x version requires a new virtual machine to be set up using the 5.0.2 OVA file. Data must be migrated from the older version of PTR/TRAP to 5.0.2. Refer to the Upgrade Guide for detailed instructions about upgrading an older version of PTR/TRAP to 5.0.2. The FAQ (Frequently Asked Questions) section contains answers to several common queries about the upgrade process.
Upgrade Instructions from 5.0.0/5.0.1
Upgrading from PTR/TRAP 5.0.0/5.0.1 to 5.0.2 can be completed “in place” (on the appliance) using the IMG file. Refer to the Console Guide for instructions.
Warning
An issue in PTR/TRAP 5.0.0 prevents rolling back to 5.0.0 after the appliance has been upgraded and running 5.0.2. Before upgrading the appliance from 5.0.0 to 5.0.2, it is advisable to take a VM snapshot first.
5.0.1 - (December 2019)¶
Summary of 5.0.1 Release
Proofpoint Threat Response (PTR) and Threat Response Auto Pull (TRAP) version 5.0.1 delivers fixes to defects affecting version 5.0.0 and enhancements in Closed Loop Email Analysis and Response (CLEAR).
Download instructions
Installation of PTR/TRAP 5.0.1 requires a minimum of VMware ESXi 6.0.
Enhancements
Running Scripted Responses Following a CLEAR Rescore
PTR 5.0.1 supports the ability to run a scripted response when an abuse message (submitted via CLEAR) has been reanalyzed by Proofpoint, thus enabling a host of customized workflows (with a PTR-licensed appliance).
CLEAR-ID Displayed Under Incident Activity for Easier Follow-Up With Proofpoint
After the reanalysis of a reported abuse message, PTR/TRAP 5.0.1 displays a CLEAR-ID associated with such a reanalysis. The ID can be found on the Incident Activity page. Note that if a customer reports a false negative (FN) or false positive (FP) to Proofpoint based on the abuse disposition from the CLEAR reanalysis, they should include the CLEAR-ID. This enables the support team to act on the request promptly.
TAP Connectivity Errors Displayed Under Source Errors
In the event of a connectivity error between the Proofpoint TAP source and PTR/TRAP 5.0.1, the problem is highlighted in Source Errors alongside the username.
Defect Fixes
PTR/TRAP Installation Failures With Hypervisors Running Over Certain CPU Types
PTR/TRAP 5.0.1 fixes a problem related to 5.0.0 concerning the inaccessibility of the UI after installation because of a compatibility issue with certain CPU models on servers running VMware ESX.
PTR/TRAP Installation Failures With IP Address Conflicts for Docker Interfaces
PTR/TRAP 5.0.1 fixes a problem related to 5.0.0 concerning the inaccessibility of the UI after installation because of a network address conflict with interfaces running Docker used internally on the appliance. If the network address range used by Docker overlaps with any others in the PTR/TRAP VM’s environment, certain internal services do not remain functional. In PTR/TRAP 5.0.1, the Initial Configuration Wizard allows you to define the IP subnets to be used by these Docker services, thus preventing any conflict.
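The conflict described above is easy to check for before running the Initial Configuration Wizard. The following is an added example, not code from the release notes or from Proofpoint: it takes the subnets the appliance can already reach (its own interface, the corporate address block, routes to mail servers) and reports which candidate Docker subnets overlap them. `172.17.0.0/16` is Docker's real default bridge network; the environment subnets and the alternative candidates are constructed sample values.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Docker's default bridge network (a real Docker default). Everything else
# below is a constructed example environment, not a value from the page.
DOCKER_DEFAULT_BRIDGE = "172.17.0.0/16"


def find_subnet_conflicts(candidate_subnets: Iterable[str],
                          environment_subnets: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (candidate, environment) pairs whose address ranges overlap.

    strict=False lets a host address with a prefix length (e.g. "10.0.5.20/24"),
    copied straight from an interface listing, be reduced to its network.
    """
    env = [ipaddress.ip_network(e, strict=False) for e in environment_subnets]
    conflicts: List[Tuple[str, str]] = []
    for c in candidate_subnets:
        cand = ipaddress.ip_network(c, strict=False)
        for e in env:
            # overlaps() is only defined between networks of the same IP version
            if cand.version == e.version and cand.overlaps(e):
                conflicts.append((str(cand), str(e)))
    return conflicts


def choose_docker_subnet(preferred: Iterable[str],
                         environment_subnets: Iterable[str]) -> str:
    """Pick the first candidate that collides with nothing the appliance can
    already reach; raise if every candidate collides."""
    for c in preferred:
        if not find_subnet_conflicts([c], environment_subnets):
            return str(ipaddress.ip_network(c, strict=False))
    raise ValueError("every candidate Docker subnet overlaps the environment")


if __name__ == "__main__":
    # Constructed environment: the appliance's own interface, the corporate
    # RFC 1918 block, and the subnet of an Exchange server.
    environment = ["10.0.5.20/24", "172.16.0.0/12", "192.168.10.0/24"]
    print(find_subnet_conflicts([DOCKER_DEFAULT_BRIDGE], environment))
    print(choose_docker_subnet(
        [DOCKER_DEFAULT_BRIDGE, "192.168.10.0/24", "192.168.200.0/24"], environment))
```

Run it with the subnets of your own environment in place of the constructed ones; a candidate that comes back clean is a safe value to enter in the wizard.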
Initial Configuration Wizard Enforces a Minimum Length for Password
The Initial Configuration Wizard in PTR/TRAP 5.0.1 requires a minimum length of seven characters with respect to the system administrator password, thus resolving the issue of appliance inaccessibility due to an empty password.
CLEAR: Quarantines Work With Multiple Exchange Servers/Domains
PTR/TRAP 5.0.1 includes a fix involving abuse messages that could not be quarantined if the reporting end-user mailboxes resided on Exchange servers or domains different from those hosting the abuse mailbox.
CLEAR: Handling of Messages With Invalid Characters in Message-ID
Abuse messages forwarded to PTR/TRAP by PhishAlarm Analyzer sometimes contained invalid characters (spaces) and/or missing delimiters in the Message-ID, thus preventing PTR/TRAP from finding the original message. PTR/TRAP 5.0.1 handles these cases competently by ensuring that an original message can be located using the Message-ID.
CLEAR: Handling a Large Number of Abuse Messages With Large Attachments
When several hundred abuse messages with large attachments are reported simultaneously (into an abuse mailbox), PTR/TRAP 5.0.1 processes them more efficiently and creates alerts and incidents.
Download Instructions
PTR/TRAP 5.0.1 requires a minimum of VMware ESXi 6.0. Please use the Proofpoint CTS credentials to access the downloaded images.
- 5.0.1 OVA File (Fresh Installations and Upgrades from 3.x, 4.x) – Download OVA.
- 5.0.1 IMG File (Upgrades from 5.0.0) – Download IMG.
The API documentation for PTR/TRAP 5.0.1 can be found here.
Installation Instructions
Please refer to the PTR Installation Guide or TRAP Installation Guide for instructions concerning the installation of 5.0.1. There are a few changes in the following sections in both guides.
- The virtual machine requirements include a slightly bigger HDD for the base system.
- The required ports for network communication include new entries for clustered deployments.
- The initial configuration wizard consists of a different set of steps as compared to older versions.
Upgrade Instructions from 3.x and 4.x
The upgrade process from a 3.x or a 4.x version requires a new virtual machine to be set up using the 5.0.1 OVA file. Data must be migrated from the older version of PTR/TRAP to 5.0.1. Refer to the Upgrade Guide for detailed instructions about upgrading an older version of PTR/TRAP to 5.0.1. The FAQ (Frequently Asked Questions) section contains answers to several common queries about the upgrade process.
Upgrade Instructions from 5.0.0
Upgrading from PTR/TRAP 5.0.0 to 5.0.1 can be completed “in place” (on the appliance) using the IMG file. Refer to the Console Guide for instructions.
Warning
An issue in PTR/TRAP 5.0.0 prevents rolling back to 5.0.0 after the appliance has been upgraded and running 5.0.1. Before upgrading the appliance from 5.0.0 to 5.0.1, it is advisable to take a VM snapshot first.
5.0.0 - (October 2019)¶
Summary of 5.0.0 Release
Proofpoint Threat Response (PTR) and Threat Response Auto Pull (TRAP) 5.0.0 is a major release with a new platform which offers many enhancements. This release strengthens system integrity relating to appliance management, Closed Loop Email Analysis and Response (CLEAR), and Incident Management (via UI and APIs) by delivering performance, reliability, and usability improvements across these areas of the product.
Download instructions
Installation of PTR/TRAP 5.0.0 requires a minimum of VMware ESXi 6.0.
Platform
The underlying Linux platform in PTR/TRAP 5.0.0 has been updated to a new version, namely CentOS 7, and includes the kernel and many system libraries. This version increases the stability, security, reliability, and performance of the appliance and enables Proofpoint to better support future enhancements to the platform.
New Appliance Management Console
The updated platform in PTR/TRAP 5.0.0 includes a new Appliance Management Console for monitoring and managing the system. The console offers several system management operations that are commonly used and lays the groundwork for future enhancements. It is accessible to PTR/TRAP Admin users via web browser and by visiting the appliance at https://appliance_host_or_ip:8080. Refer to the New Console Guide for additional details about the user interface.
Simplified System Shell
PTR/TRAP 5.0.0 employs a simplified system shell for SSH-based access. The shell requires a few basic commands to be configured in order to diagnose networking and offers a way to switch to the system-level shell. It also eliminates the need for a temporary shell license in order to enable easier access to the system, if necessary.
CLEAR Features and Enhancements
Better Classification of Reported Abuse Messages
To drive higher automation value with CLEAR, PTR/TRAP 5.0.0 incorporates changes in the CLEAR reanalysis engine that create fewer abuse messages classified with an “Unknown” disposition.
Messages previously classified with the “Unknown” disposition that have been analyzed by Proofpoint Threat Intelligence as part of the CLEAR workflow are now evaluated by the Threat Operation Center’s (TOC’s) rulesets, which are actively curated by Proofpoint Threat Researchers and updated regularly. After applying these rules, several messages are reclassified with “Suspicious,” “Bulk,” or “Low-Risk” dispositions and returned to PTR/TRAP for automatic response handling. This leads to a significant reduction in messages with an “Unknown” disposition that would otherwise require manual analysis by a Security Operations Center (SOC) team member.
Re-Attempting Quarantines and Undo-Quarantines With Increasing Back-Offs
PTR/TRAP 5.0.0 includes enhancements for carrying out quarantine and undo-quarantine operations on email messages as well as completing them more reliably.
These operations are known to fail at times, owing to connectivity issues or aggressive throttling by mail servers, namely Exchange, O365, and Gmail. Given such intermittent issues, PTR/TRAP 5.0.0 includes the ability to attempt a quarantine or an undo-quarantine several times on every message until the operation succeeds. The number of attempts is configurable as a global value under System Settings → Quarantine Settings. When an attempt results in failure, PTR/TRAP 5.0.0 backs off for a limited time before its next attempt. This interval increases over subsequent attempts since the mail server remains unavailable and is likely to continue causing failures. The intervals are set to the following values with a random jitter between 1,600 and 2,400 milliseconds:
Retries | Back-off Intervals |
---|---|
1 | 2s |
2 | 4s |
3 | 6s |
4 | 10s |
5 | 4m |
6 | 6m |
7 | 20m |
8 | 33m |
9 | 53m |
10 | 1hr |
Note
Any subsequent attempts beyond 10 are spaced one hour apart.
Consequently, automatic and manual quarantine as well as undo-quarantine operations triggered in PTR/TRAP 5.0.0 can expect much higher rates of success when confronted with throttling. Ultimately, this translates into a reduced burden on the SOC analyst team in terms of monitoring and time wasted on follow-up measures.
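The schedule in the table above is straightforward to reproduce, and seeing it as code makes the behaviour under sustained throttling concrete. The following is an added example written for these notes, not Proofpoint's implementation: it encodes the tabled intervals, the one-hour spacing beyond ten retries, and the 1,600 to 2,400 ms jitter, and drives a constructed stand-in for a throttling mail server. One assumption is mine: the page does not say whether the jitter is added to the interval or replaces part of it, so here it is added on top. The `sleep` and `jitter_ms` parameters exist only so the schedule can be exercised without waiting.

```python
import random
import time
from typing import Callable, Dict, List, Optional

# Back-off intervals from the release notes (retry number -> seconds).
BACKOFF_SECONDS: Dict[int, int] = {
    1: 2, 2: 4, 3: 6, 4: 10,
    5: 4 * 60, 6: 6 * 60, 7: 20 * 60, 8: 33 * 60, 9: 53 * 60, 10: 60 * 60,
}
BEYOND_TABLE_SECONDS = 60 * 60      # attempts beyond 10 are spaced one hour apart
JITTER_MIN_MS, JITTER_MAX_MS = 1600, 2400


def backoff_delay(retry: int, jitter_ms: Optional[int] = None) -> float:
    """Seconds to wait before retry number `retry` (1-based).

    Assumption (not stated on the page): the jitter is added on top of the
    tabled interval. `jitter_ms` can be pinned for deterministic tests.
    """
    if retry < 1:
        raise ValueError("retry must be >= 1")
    base = BACKOFF_SECONDS.get(retry, BEYOND_TABLE_SECONDS)
    if jitter_ms is None:
        jitter_ms = random.randint(JITTER_MIN_MS, JITTER_MAX_MS)
    return base + jitter_ms / 1000.0


def run_with_retries(operation: Callable[[], bool], max_attempts: int,
                     sleep: Callable[[float], None] = time.sleep,
                     jitter_ms: Optional[int] = None) -> Dict[str, object]:
    """Call `operation` until it returns True or `max_attempts` (the global
    value under Quarantine Settings) is exhausted, sleeping the scheduled
    back-off between attempts. Returns a record the caller can log on."""
    if max_attempts < 1:
        raise ValueError("max_attempts must be >= 1")
    delays: List[float] = []
    for attempt_no in range(1, max_attempts + 1):
        if operation():
            return {"succeeded": True, "attempts": attempt_no, "delays": delays}
        if attempt_no == max_attempts:
            break
        # attempt_no failures so far, so the next try is retry number attempt_no
        delay = backoff_delay(attempt_no, jitter_ms)
        delays.append(delay)
        sleep(delay)
    return {"succeeded": False, "attempts": max_attempts, "delays": delays}


class ThrottledMailServer:
    """Constructed stand-in for a mail server that rejects the first
    `failures_before_success` quarantine calls, as throttling would."""

    def __init__(self, failures_before_success: int) -> None:
        self.remaining_failures = failures_before_success
        self.calls = 0

    def quarantine(self) -> bool:
        self.calls += 1
        if self.remaining_failures > 0:
            self.remaining_failures -= 1
            return False
        return True


if __name__ == "__main__":
    server = ThrottledMailServer(failures_before_success=2)
    # sleep replaced with a no-op so the demonstration finishes immediately
    result = run_with_retries(server.quarantine, max_attempts=5, sleep=lambda s: None)
    print(result)
```

The `delays` list in the returned record is what an operator would want in the Incident Activity trail: it shows how long a message sat between attempts, which is the number to compare against a mail server's published throttling window.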
Prioritized Email Headers for Easier Manual Inspection
SOC analysts continue to encounter incidents in email messages that require manual inspection before a response is confirmed. The “X-headers” associated with an email message often contain important information for analysts to understand about the context of a message, and thus classify a message correctly.
PTR/TRAP 5.0.0 provides a way to define a set of headers under System Settings → Prioritized Email Headers. These headers, when displayed in the Alerts tab of an incident associated with an email message, appear at the top of the list and are emphasized. This enables an analyst to prioritize them and to expedite the review process.
Further, PTR/TRAP 5.0.0 improves on the visual presentation of the email X-headers by displaying them clearly with options to view and download the headers in plain-text format.
Automatic Updates to Incident Severity Based on CLEAR Abuse Dispositions
As part of the CLEAR workflow for handling abuse messages, PTR/TRAP automatically sets the Incident Severity field based on the Abuse Disposition provided after a CLEAR reanalysis of a reported message.
Abuse Disposition | Incident Severity |
---|---|
Malicious | Critical |
Suspicious | High |
Bulk | Informational |
Low-Risk | Informational |
Messages with an “Unknown” abuse disposition do not change the incident severity in any way. The incident severity is also not downgraded to a less severe value.
Ultimately, SOC analysts can use incident severity to determine the extent of a threat across abuse message incidents and to prioritize the threat for further action.
Quarantine and Undo-Quarantine Email Notifications for Manual Operations
PTR/TRAP 5.0.0 provides a SOC analyst with the option to send end user email notifications during manual responses involving a quarantine or an undo-quarantine action carried out at the incident level or as a bulk action. These manual responses now include the selection of an appropriate email template that is used to notify the end users of a quarantine or an undo-quarantine action.
Undo-Quarantine Email Notifications for TAP False Positives
The Proofpoint Targeted Attack Protection (TAP) source in PTR/TRAP 5.0.0 can be set up to use an email notification template to inform any affected end users that a TAP false-positive alert resulted in an automatic undo-quarantine action.
Recipients of Quarantine Email Notifications Displayed Under Incident Activity
The Incident Activity section in PTR/TRAP 5.0.0 has been improved to show a list of end users who were notified via email of any quarantine or undo-quarantine actions carried out on their messages (in their mailboxes). This list of users is displayed at the end of the chain of messages that were subject to a quarantine or an undo-quarantine as a collapsible field.
Ability to Remove Proofpoint Threat Response Prefix in Email Templates
Email Templates for “Quarantine,” “Undo-Quarantine,” and “Abuse Feedback” in PTR/TRAP include the following title in the “Subject” field: Proofpoint Threat Response. In PTR/TRAP 5.0.0, this title is displayed in the editable “Subject” field of the email template. Importantly, removing this title removes it from any email notifications sent using these templates.
Incident Management Features and Enhancements
Basic and Detailed Modes for Global Search
Global Search in PTR/TRAP 5.0.0 includes two new modes of search, thus allowing the user to choose between faster search performance and more information.
The Basic mode of search runs at a much faster rate for queries and returns fewer columns. Note that it excludes the Campaign and the Infection Confidence columns.
The Detailed mode of search includes all columns and has also been implemented to run slightly faster than searches on earlier versions of PTR/TRAP. A SOC analyst can switch between these modes by employing User Preferences.
Filter on Timestamps
PTR/TRAP 5.0.0 includes the ability to specify both date and time with filters on the Created Within and Closed Within fields. This is especially useful for dealing with a considerable number of daily incidents.
Filter on Quarantine Successes or Failures
PTR/TRAP 5.0.0 includes a new filter for incidents involving email messages that are associated with quarantine activity. This filter can be set up to search for incidents with a certain number of Successful Quarantines and/or a certain number of Failed Quarantines. This is useful when looking for incidents requiring manual examination for quarantine or undo-quarantine operations.
Purge Manually Created Incidents
Incident Purges in PTR/TRAP 5.0.0 includes a new option whereby manually created incidents that are not associated with any alerts or alert sources can also be purged. This option is available when selecting Alert Sources for those incidents to be purged and by choosing Include Incidents With No Alerts.
Threat Response/TRAP API Enhancements
The API documentation for PTR/TRAP 5.0.0 can be found at API Docs. Refer to the documentation for details concerning these APIs.
API to Update Incident Description
PTR/TRAP 5.0.0 provides a new API to add or to update the Incident Description field for a given incident. The value specified in the API can be overwritten or appended to the existing description of the incident.
API to Close an Incident
PTR/TRAP 5.0.0 provides a new API to close a given incident. The comment to be appended to the closure of the incident can be specified as a parameter to the API.
Enhancements to Get Incident Details API
The Get Incident Details API has been enhanced to include the following fields of an incident:
- Incident Comment Objects
- Username (who made the comment)
- Comment Value
- Comment Timestamp (when it was added)
- Closure Timestamp for a Closed Incident
- Closure Comments for a Closed Incident
In order to enable faster responses for incidents with a considerable number of events, the API supports a new query parameter called expand_events. If it is set to false, the API response contains an array of event IDs instead of full event details. The user can follow up with calls to the Alert API for specific event IDs in this array to obtain details about those events.
Additionally, note that in this case, the response does not include the false_positive_count key for an incident.
General Features and Enhancements
Invalidate Password for User Accounts in Active Directory
PTR/TRAP 5.0.0 supports a new type of response that can invalidate passwords for one or more Microsoft Active Directory (AD) user accounts that were associated with an alert.
This can be useful in cases where an alert indicates that a user’s account was possibly compromised and a severe action, such as disabling the user account, could lead to collateral damage, e.g., loss of files or resources associated with the user’s organizational structure and privileges. Instead, this response can be used to set the user account’s AD password to an inaccessible, random value, thus locking the user’s account and preventing any further damage.
As soon as this response has been executed, affected end users must contact their IT administrator to set their account passwords to a known value once their accounts have been sanitized.
Enable/Disable an LDAP Server
PTR/TRAP 5.0.0 provides a flag to enable or disable LDAP syncs with a configured LDAP server under System Settings → LDAP servers. This is useful when dealing with a considerable number of LDAP servers whereby servers can be selectively disabled during maintenance downtimes or as part of configuration changes.
Query Custom LDAP Attributes for User Enrichment
PTR/TRAP 5.0.0 allows a system administrator to specify one or more custom LDAP attributes that can be used to query a user by their email address on an LDAP server. These custom attributes can be configured, under System Settings → LDAP servers, in addition to specifying the standard list of attributes that PTR/TRAP uses to query the user’s email address.
Ability to Enter Multiple Internal Email Domains
For deployments that deal with a considerable number of whitelisted email address domains to be quarantined, PTR/TRAP 5.0.0 enables a system administrator to set up several domains using a comma-separated list of domain values, under System Settings → Internal Email Domains.
Consolidated SOC Email Notifications for Large CSV Uploads
SOC email notifications that relate to Incident Changes and deal with conditions associated with Incident Updates, are used to notify the SOC analyst team about new alerts in an incident when the New Alert flag is enabled. This flag is used when uploading large CSV files containing several hundred rows, such as a Smart Search CSV Upload and a Proofpoint CSV Upload. In such cases, the SOC team receives a notification for every row in the CSV file.
PTR/TRAP 5.0.0 includes an option to consolidate the indefinite quantity of email notifications into a single email, which is sent after the alerts from the CSV file have been processed. The setting can also be programmed to not send any emails. Note that the Link Alerts option must be turned on. The option to specify this setting is available when editing the Smart Search CSV or Proofpoint CSV alert source.
Download and Upgrade Instructions
Download instructions
PTR/TRAP 5.0.0 requires a minimum of VMware ESXi 6.0. Please use Proofpoint CTS credentials to access OVA or IMG files.
Threat Response 5.0.0 – OVA File (Fresh Installations and Upgrades): Click here to download
Note
An IMG file cannot be used for upgrading from previous versions and hence is not available for this release. Please refer to the Upgrade Instructions below for details about upgrading to PTR/TRAP 5.0.0.
Installation Instructions
Please refer to the PTR Installation Guide or TRAP Installation Guide for instructions on installing 5.0.0. There are a few changes in the following sections on both guides.
- The virtual machine requirements include a slightly bigger HDD for the base system.
- The required ports for network communication include a few new entries for Clustering, if you plan to set up PTR/TRAP as a clustered deployment.
- The initial configuration wizard consists of fewer steps than its predecessor (used to set up older versions).
Upgrade Instructions
Since PTR/TRAP 5.0.0 provides an overhauled platform, the upgrade process differs from that of previous versions. A new virtual machine must be set up using the 5.0.0 OVA file, and data must be migrated from the older version of PTR/TRAP to the new one.
Please refer to the Upgrade Guide for detailed instructions on how to upgrade an older version of PTR/TRAP to 5.0.0. The section entitled FAQ (Frequently Asked Questions) contains answers to several common queries about the upgrade process.
Upgrades from PTR/TRAP 5.0.0 to future releases will be conducted “in place” on the new appliance (as was done for earlier upgrades).
4.6.1 - (June 2019)¶
Summary of 4.6.1 Release
Proofpoint Threat Response (PTR) and Threat Response Auto Pull (TRAP) 4.6.1 deliver fixes to critical defects affecting 4.6.0. Customers running PTR/TRAP 4.6.0 are strongly advised to upgrade to 4.6.1.
Download instructions
Installation of PTR/TRAP 4.6.1 requires a minimum of VMware ESXi 6.0.
Defect Fixes
CLEAR re-analysis submissions with PhishAlarm are not reflected in PTR/TRAP
In PTR/TRAP 4.6.0, abuse messages reported with the PhishAlarm button and submitted for re-analysis by PhishAlarm Analyzer were not being tracked inside a PTR/TRAP incident. As a result, the incident did not reflect the updated abuse disposition after re-analysis and may not have triggered appropriate responses.
PTR/TRAP 4.6.1 fixes this issue by correctly tracking messages submitted for re-analysis by PhishAlarm Analyzer and sets any updated abuse disposition that will be used to trigger appropriate responses.
Notably, abuse messages reported via manual forwards are unaffected by this issue.
Improved times for upgrades
PTR/TRAP 4.6.1 contains a fix for an issue where upgrades to 4.6.0 in some cases took several hours to complete, because of a slow-running database migration task. The task has now been sped up significantly via performance improvements made with this fix.
Note
In cases with a large number of abuse mailbox incidents, the upgrade can still take a few hours to complete. The extended time is specific to this upgrade path (upgrading to 4.6.1), owing to database schema changes made to reduce data size and optimize queries around abuse messages and TAP alerts.
During this time, the console may keep showing system messages such as “checktime reached, running e2fsck is recommended.”, but these can be safely ignored.
Proxy usage in Azure AD/Modern Auth configuration
PTR/TRAP 4.6.1 contains a fix for an issue wherein a proxy connection to Office-365 via Azure AD and Modern Auth did not work. The fix ensures that proxy connections to Office-365 are handled correctly.
Download and Upgrade Instructions
Download instructions
PTR/TRAP 4.6.1 requires a minimum of VMware ESXi 6.0. Please use Proofpoint CTS credentials to access OVA or IMG files.
Threat Response 4.6.1– OVA File (Fresh Installs only):
Proofpoint_Threat_Response_Installer-4.6.1.ova
Threat Response 4.6.1 – IMG File (Upgrades only):
Proofpoint_Threat_Reponse_Update-4.6.1.img
The API docs for PTR/TRAP 4.6.1 can be found at API Docs.
4.6.0 - (June 2019)¶
Summary of 4.6.0 Release
Proofpoint Threat Response (PTR) and Threat Response Auto Pull (TRAP) 4.6.0 deliver several features and enhancements for abuse mailbox handling, Closed Loop Email Analysis and Response (CLEAR), incident management and overall user experience.
Download instructions
Installation of PTR/TRAP 4.6.0 requires a minimum of VMware ESXi 6.0.
CLEAR Enhancements
Better automated processing of Low-Risk abuse messages
PTR/TRAP 4.6.0 improves on the disposition delivered for abuse messages that were analyzed by Proofpoint Threat Intelligence via PhishAlarm Analyzer.
In PTR/TRAP 4.5.0, the Unknown abuse disposition was applied to incidents in two cases: when messages were deemed clean and when messages had a minor cause of concern but not enough to be labeled Malicious or Suspicious or Bulk. PTR/TRAP 4.6.0 introduces a new abuse disposition value called Low-Risk. This is applied to incidents whose abuse messages are deemed as clean by Proofpoint Threat Intelligence, thus reducing the number of delivered Unknown dispositions.
Incidents with Low-Risk disposition can be set up for automatic closure by enabling a pre-defined match condition in PTR/TRAP 4.6.0. The match condition is named Close Incidents for Low Risk Email.
Customers can continue to use the Known-Good abuse disposition when manually analyzing abuse message incidents, for delivering a clean verdict and executing appropriate response actions thereafter.
Abuse Feedback Email Notifications
PTR/TRAP 4.6.0 provides a new type of response called Send Email Notification that notifies reporters of abuse messages after a message has been analyzed automatically or manually. This response can be used to provide effective feedback to an abuse message reporter based on how the message was classified.
Using this response, the system can notify an abuse reporter when a message is automatically classified as Bulk or Low-Risk, and when a message is manually classified as Known-Good by a SOC analyst.
These email notifications can be set up as templates in System Settings. On upgrading from an older version to 4.6.0, the system will be set up with default templates for acknowledgment of bulk emails and clean emails.
TRAP Features and Enhancements
Automatic Undo Quarantines for TAP False Positive Alerts
PTR/TRAP 4.6.0 now includes the ability to ingest False Positive (FP) alerts from Targeted Attack Protection (TAP) and automatically restore emails that were previously quarantined by these alerts. This feature effectively addresses situations where TAP FPs previously required laborious manual undo-quarantine actions across incidents. The ability to automatically undo-quarantine can be enabled in the TAP source settings; this setting will be turned on by default after an upgrade to 4.6.0 from an older version. For querying the presence of TAP FPs, the Incident List can now be filtered on FP alerts received from TAP.
The Incident Details API has also been enhanced with information about false positives. The API response includes the following event-level fields:
- falsePositive – an event-level Boolean field set for FP alerts/events
- falsePositiveReceivedAt – an event-level timestamp field denoting when the FP alert was received
- false_positive_count – an incident-level field indicating the total FPs received for an incident
Reset Password for User Accounts in Active Directory
PTR/TRAP 4.6.0 supports a new type of response that can reset passwords for one or more Microsoft AD user accounts that were associated with an alert. This can be useful in cases where an alert indicates that a user account was associated with suspicious activity and a change of credentials would prevent further account compromise. After execution of this response, affected users will be forced to change their AD password during their next attempt to log in.
With the availability of multiple Active Directory responses, PTR/TRAP 4.6.0 includes a new team-level permission called Active Directory Responses. This permission enables SOC team members to configure and manually execute the responses for disabling a user account or forcing a password reset.
Filter internal email domains for quarantine
PTR/TRAP 4.6.0 includes the ability to list internal email domains for use during the quarantine action. These domains can be configured under System Settings - Internal Email Domains and the use of this list can be activated under System Settings - Quarantine Settings. Activating the list of internal email domains will ensure that only mailboxes whose addresses belong to one of these domains are quarantined; mailboxes from any other domains will be excluded from quarantine and appear as skipped in the Incident Activity screen.
This ensures a cleaner quarantine experience without unnecessary failures corresponding to external domains. It improves the efficiency of a SOC analyst by focusing their time/attention towards genuine quarantine failures.
General Features and Enhancements
Progress Indicator on UI for CSV upload Sources
PTR/TRAP 4.6.0 features a detailed progress indicator for files uploaded into the Proofpoint Smart Search and Proofpoint CSV data sources. This enables PTR users to effectively track the progress of alert ingestions for large CSV files.
Improvements to accessing quarantine activity and actions
PTR/TRAP 4.6.0 includes a new Quarantines tab in Incident Activity that lists quarantine and undo quarantine actions for that incident. This tab can be reached with a single click from the Incident List by clicking on the View link next to the Quarantine label for an incident.
Customizable headers for emails added/removed from quarantine
When PTR/TRAP 4.6.0 is used in impersonation mode, the templated messages displayed as headers for quarantined emails can now be customized. These headers can be setup for each configured Exchange Server under System Settings, using plain text or HTML markup.
Bulk Action to set Incident-level fields
PTR/TRAP 4.6.0 includes a new bulk action called Set Field to set incident-level fields – Incident Severity, Abuse Disposition, Classification and Attack Vector. This action can also be applied to custom or user-defined incident fields, if they are enabled for use.
HTML and Plain-text Email Templates
All template types defined under System Settings - Email Templates now support both HTML and plain-text content types.
Defect Fixes
Date Picker widget in Reports
PTR/TRAP 4.6.0 contains a fix for the date picker widget used in several reports. The widget allows a user to pick a date correctly and renders the report after the complete date has been input.
Support for TLS v1.2 ciphers in LDAP
In PTR/TRAP 4.6.0, LDAP configurations created inside the Appliance Management Console support TLS v1.2 ciphers for communicating with configured LDAP servers.
Download and Upgrade Instructions
Download instructions
PTR/TRAP 4.6.0 requires a minimum of VMware ESXi 6.0. Please use Proofpoint CTS credentials to access OVA or IMG files.
NOTE: PTR/TRAP 4.6.1 contains fixes for critical defects in 4.6.0. The download links below have been updated to point to PTR/TRAP 4.6.1.
Threat Response 4.6.0 – OVA File (Fresh Installs only):
Proofpoint_Threat_Response_Installer-4.6.1.ova
Threat Response 4.6.0 – IMG File (Upgrades only):
Proofpoint_Threat_Reponse_Update-4.6.1.img
The API docs for PTR/TRAP 4.6.0 can be found at API Docs.
4.5.0 - (March 2019)¶
Summary of 4.5.0 Release
Proofpoint Threat Response (PTR) and Threat Response Auto Pull (TRAP) 4.5.0 deliver several new features that advance the capabilities of the Closed Loop Email Analysis and Response (CLEAR) solution, enhance abuse mailbox monitoring and improve on the ability for customized responses to incidents.
Download instructions
Installation of PTR/TRAP 4.5.0 requires a minimum of VMware ESXi 6.0.
TRAP Features
PhishAlarm Analyzer integration with Proofpoint threat intelligence
PTR/TRAP 4.5.0 enables enrichment and external analysis of email alerts that in turn provide multiple benefits:
- Upgrade the capabilities of PhishAlarm Analyzer by adding Proofpoint’s threat intelligence for employee-reported abuse messages.
- Enable the submission of suspicious messages to Proofpoint.
PTR/TRAP 4.5.0 includes a new type of response action that submits reported email alerts for further analysis and re-scoring as enabled by PhishAlarm Analyzer (PAA). The capability to submit alerts for such analysis can be setup as an automated response or requested manually. PTR/TRAP updates the abuse disposition of the related incident based on the results of this analysis and maintains a history of changes to this field.
After being analyzed, these alerts can be resubmitted for an evaluation of match conditions using the updated abuse disposition so that an appropriate response action can be executed.
On upgrading from an older version to 4.5.0, the abuse mailbox source will have a pre-configured match condition that is enabled and re-submits emails to PhishAlarm Analyzer.
Disable User Accounts in Active Directory
PTR/TRAP 4.5.0 supports a new type of response that can disable one or more Microsoft Active Directory user accounts that were impacted by an alert. This can be useful in cases where an alert provides evidence that the user account may be under imminent danger and must be disabled before it can result in further damage. After the execution of this response, the Active Directory administrator would be required to re-enable the disabled user accounts.
Email Notifications for Quarantine and Undo Quarantine
PTR/TRAP 4.5.0 provides the ability to notify the recipient(s) of an email message which has been quarantined or removed from quarantine. These email notifications can be set up with plain-text templates in System Settings and can be customized depending on the match condition(s) that trigger the response. The emails can be additionally delivered to other email addresses including SMTP-supported distribution lists.
On upgrading from an older version to 4.5.0, the system will be setup with two default email templates for quarantine and undo quarantine actions.
Threat Response Features
Scripted Responses in Python
PTR/TRAP 4.5.0 supports Python scripts that can be run as responses to match conditions. These response scripts can be set up with support for both Auth Profiles and Variable Files. This response framework provides a powerful, flexible way for administrators to set up orchestration workflows that integrate with external systems exposing Python APIs, e.g. helpdesk ticketing systems or other third-party services.
General Features
Private Teams, Incidents and Investigations
Teams can be designated as private and assigned with private incidents and private investigations. These incidents and investigations are listed in reports and are accessible only to members of the assigned private teams. Even members who belong to the Admins or Script-Admins teams will not have access to these private incidents and investigations; but they can add themselves to a private team, if necessary.
Public incidents and investigations are listed in the reports and accessible for any team member.
Filter Incidents by Closed Date Range
The Incidents List report now includes the ability to filter closed incidents using a range of dates. This filter is visible only on the Closed tab.
TAXII & STIX 2.0 Support
PTR/TRAP 4.5.0 supports the addition of TAXII Servers that support TAXII v2.0 in addition to the older TAXII v1.x. This also includes support for STIX v2.0 wherein data is exchanged using JSON format. During the addition of a TAXII server under System Settings, the user can choose to specify the version of TAXII and optionally specify multiple media types.
Download and Upgrade Instructions
Download instructions
PTR/TRAP 4.5.0 requires a minimum of VMware ESXi 6.0. Please use Proofpoint CTS credentials to access OVA or IMG files.
Threat Response 4.5.0 – OVA File (Fresh Installs only):
Proofpoint_Threat_Response_Installer-4.5.0.ova
Threat Response 4.5.0 – IMG File (Upgrades only):
Proofpoint_Threat_Reponse_Update-4.5.0.img
The API docs for PTR/TRAP 4.5.0 can be found at API Docs.
4.4.0 - (January 2019)¶
Summary of 4.4.0 Release
Proofpoint Threat Response (PTR) 4.4.0 specifically addresses customer-reported issues and general bug fixes, including security vulnerabilities and performance improvements.
Enhancements and Improvements
Improvement: Abuse Mailbox Alerts Linking
- “Abuse Mailbox” alerts now link automatically when at least two of the following fields match: Sender, Subject, and URLs from the message body.
Bug Fixes
- Multiple PRI Headers Are Displayed in Remote Rails Syslogs – The issue concerning multiple message-header fields with the same field name, as displayed in remote rails syslog messages, has been corrected.
- Auto-Quarantine Response Is Attempted Even When Invalid CSV File Is Imported – While PTR allows a random CSV file to be uploaded and processed to create alerts, it no longer allows a quarantine to be attempted when there is a “match condition” present and when neither Message-ID nor “recipient” Email-ID exist.
- LDAP Attribute telephoneNumber Is Not Displayed on the User Interface – Previously, the LDAP attribute telephoneNumber was fetched from LDAP but was not shown on the UI. All the attributes for a user in the Active Directory are now displayed along with telephoneNumber.
- Containers and the “Exited/Stopped” State – Containers with a state of “Exited/Stopped” are cleaned up via the /var partition.
- ETL: Add UI and Fix Up Backend Cleaner to Include Failed Script Runs – A UI option has been added to configure the number of failed runs to retain per event source. A daily “cleanup” task now runs and clears out the input and output of the oldest script runs up to the configured limit. In summary, failed script runs, as well as any successful runs, are cleaned up daily.
- Unable to Quarantine a DL Using Modern Authentication on Office 365 – We resolved an issue where quarantining a DL using Modern Authentication on Office 365 results in failure. Note that if Modern Authentication is used, the account which belongs to a “quarantine mailbox” must have sufficient permissions to expand DL.
- LDAP Team Sync Fails if One of the Sync-Enabled Teams Has Invalid LDAP Details – We resolved an issue where an LDAP team sync failed when the list included invalid LDAP groups.
Download instructions
Use your Proofpoint CTS credentials to access download images.
NOTE: Starting in Threat Response v3.2.0, the minimum specification of the virtual appliance has been updated. Please review the Virtual Machine requirements section for updated minimum specifications.
Threat Response 4.4.0 – OVA File (Fresh Installs only):
Proofpoint_Threat_Response_Installer-4.4.0.ova
Threat Response 4.4.0 – IMG File (Upgrades only):
Proofpoint_Threat_Reponse_Update-4.4.0.img
4.3.0 - (November 2018)¶
Summary of 4.3.0 Release
Threat Response 4.3.0 is a minor release that adds enhancements to the Abuse Mailbox Monitoring functionality.
Enhancements and Improvements
Improvement: PPS Email Header and Setting the Abuse Alert Severity
- Severity of an alert is now directly derived from PPS.
Feature: Setting the Abuse Disposition
- Whenever an abuse alert creates or links to an “incident,” the message is quarantined and the abuse disposition changes to “malicious.”
Feature: Allowing Auto-Close Incident Upon Successful Quarantine for the Abuse Mailbox
- The auto-close “incident” capability has been extended to include the abuse “mailbox” case.
Improvement: Allowing Quarantine Response Based on Abuse Disposition
- The auto-quarantine “response” is triggered if an abuse “message” is deemed malicious by its abuse disposition.
Improvement: The Close Incident Response Condition
- New response action “Close incident” can be used on any source even when quarantine action is not involved.
Download instructions
Use your Proofpoint CTS credentials to access download images.
NOTE: Starting in Threat Response v3.2.0, the minimum specification of the virtual appliance has been updated. Please review the Virtual Machine requirements section for updated minimum specifications.
Threat Response 4.3.0 – OVA File (Fresh Installs only):
Proofpoint_Threat_Response_Installer-4.3.0.ova
Threat Response 4.3.0 – IMG File (Upgrades only):
Proofpoint_Threat_Reponse_Update-4.3.0.img
4.2.1 - (October 2018)¶
Summary of 4.2.1 Release
Threat Response 4.2.1 is a release with bugfixes and some minor enhancements.
Enhancements and Improvements
The following bugs have been resolved:
- “Bulk Action” response dialogue box would delay for extended periods of time when multiple incidents were selected.
- High Volume Automatic Quarantine Responses were failing to process due to event receiver timeout when identifying if event correlations were needed.
- Custom Responses would cause the Threat Response UI to hang in a “Processing” state when the system itself had experienced an internal error.
- Abuse Mailbox Monitor would occasionally report the abuse mailbox address as the reporter instead of the targeted user.
- Resolved issue with latency in navigating across multiple incidents
Download instructions
Use your Proofpoint CTS credentials to access download images.
NOTE: Starting in Threat Response v3.2.0, the minimum specification of the virtual appliance has been updated. Please review the Virtual Machine requirements section for updated minimum specifications.
Threat Response 4.2.1 – OVA File (Fresh Installs only):
Proofpoint_Threat_Response_Installer-4.2.1.ova
Threat Response 4.2.1 – IMG File (Upgrades only):
Proofpoint_Threat_Reponse_Update-4.2.1.img
4.2.0 - (September 2018)¶
Summary of 4.2.0 Release
Threat Response 4.2.0 is a minor release that adds enhancements to the Abuse Mailbox Monitoring functionality. It adds support for Modern Auth for Office 365 and extends the email notifications feature.
TRAP Abuse Mailbox Enhancements
End-user Feedback
- Email notifications can be configured to be sent to the reporter (for an Abuse Mailbox incident) when a Threat Response administrator has determined the reported email is malicious and has quarantined the email. This is a way to encourage and positively acknowledge the reporter’s situational awareness in reporting a phishing email and improving the security posture of the organization.
Improved incident views for better prioritization of Abuse incidents
- The Incident List Filter has added controls for filtering incidents based on their enrichments to known threats:
  - Host Reputation source:
    - Emerging Threats
    - Proofpoint (URIBL)
    - Webroot
  - Campaign Name
  - Campaign ID
TRAP actions and Abuse Mailbox incident correlation
- A new option to “Close email-related incidents” has been added to the “Move email to quarantine” response action. If enabled, a successful quarantine of an email from an alert will result in any other alerts referencing the same recipient/message ID pairing being closed automatically. This is useful to help close user-reported incidents from the Abuse Mailbox where Threat Response has already quarantined the message based on a TAP alert.
Enhanced severity settings for Abuse incidents where the source of the reported email is Wombat PhishAlarm Analyzer
- Incidents will be assigned the following severities in Threat Response based on PhishAlarm Analyzer’s confidence in the email being a Phish:
- Unlikely a phish: Informational
- Suspicious: Minor
- Likely a phish: Major
Support for Match Conditions to automate response actions
- The following response types are available:
  - Move email to quarantine
  - Quarantine related emails
  - Close incident after successful quarantine
  - Custom Response
  - Set Incident Team
  - Set incident field
Platform Features & Enhancements
Modern Auth for Office 365
- Customers using Office 365 for email quarantine now have the option of specifying Azure AD (“Modern Auth”) for authentication for the API calls into O365 and Exchange
Email Notifications for Stale Incidents
- A new email notification type has been added to allow for automated notifications when an incident hasn’t been updated in a configurable period of time
Incident Classification Filter for Email Notifications
- Customers can now define email notifications that include a filter for Incident Classification. Any classifications defined in Custom Fields can be used in the notification definition
Ability to Configure Email Notifications for Certain Teams Only
- Customers now can exclude the recipients for whom they don’t want to trigger notifications using a newly provided “Exclude recipients” field
Download instructions
Use your Proofpoint CTS credentials to access download images.
NOTE: Starting in Threat Response v3.2.0, the minimum specification of the virtual appliance has been updated. Please review the Virtual Machine requirements section for updated minimum specifications.
Threat Response 4.2.0 – OVA File (Fresh Installs only):
Proofpoint_Threat_Response_Installer-4.2.0.ova
Threat Response 4.2.0 – IMG File (Upgrades only):
Proofpoint_Threat_Reponse_Update-4.2.0.img
4.1.0 - (August 2018)¶
Summary of 4.1.0 Release
Threat Response 4.1.0 is a minor release that brings support for IBM Domino into the main code line. It also improves upon the platform’s bulk action capabilities, and provides additional bugfixes.
Platform Features & Enhancements
IBM Domino Integration
- As of 4.1.0 support for IBM Domino has been integrated into the main code line. Customers running IBM Domino can upgrade to this version and then follow the regular update path in the future.
Threat Response Auto-Pull (TRAP) Enhancements
Quarantine Summary Dashboard
- The “Successful Quarantines by Mail Provider” chart has been modified to show “Successful Quarantines by Mail Server”. The mail server’s name, rather than type, will now be displayed.
Incident and Investigation Enhancements
Incident List Improvements
- A new Bulk Response item has been added to perform the “Bulk Quarantine” action across multiple incidents at once from the Incident List View
Additional Features & Enhancements
- Added additional fields to the search index:
- Campaign ID
- Actor ID
- Malware ID
- Exploit Kit ID
- Changed the method used to reboot when Threat Response has been setup as a cluster. Upon clicking “reboot” user will now be redirected to the “Cluster Status” page where they will be able to choose which node(s) to reboot.
Bugfixes
The following issues have been resolved:
- Corrected username discrepancy in syslog entries for LOGIN events
- User-created custom fields can again be added as “Incident Close Requirements”.
- Corrected an issue affecting IBM Notes integration whereby copies of received emails were not getting quarantined.
- Corrected an issue that would sometimes cause all incidents not to display upon scrolling down after sorting incidents in the incident list page
Download instructions
Use your Proofpoint CTS credentials to access download images.
NOTE: Starting in Threat Response v3.2.0, the minimum specification of the virtual appliance has been updated. Please review the Virtual Machine requirements section for updated minimum specifications.
Threat Response 4.1.0 – OVA File (Fresh Installs only):
Proofpoint_Threat_Response_Installer-4.1.0.ova
Threat Response 4.1.0 – IMG File (Upgrades only):
Proofpoint_Threat_Reponse_Update-4.1.0.img
4.0.0 - (July 2018)¶
Summary of 4.0.0 Release
Threat Response 4.0.0 adds significant features and capabilities to Threat Response and TRAP, API enhancements, and additional bugfixes.
Platform Features & Enhancements
Extensibility to PTR Platform via Python Scripting
- Custom integrations using Alert ETL ingestion through Python Scripting. This allows for custom Extract-Transform-Load (ETL) operations to be performed by consuming events from arbitrary sources and transforming them into PTR native events for ingestion purposes.
- Scripted Poller Source: Allows for an ETL script to be set to query a custom source at set intervals to import alert data.
- Scripted Listener Source: Allows for an ETL script to be triggered by an outside source sending alert data into Threat Response.
- This feature also adds script management functionality to debug scripts in test mode before promoting them to production.
LDAP Authentication Improvements
- Group Membership Sync: User Access can now be granted based upon their AD/LDAP group membership for non-administrators.
Syslog Enhancements
- Syslog has been improved to now include Threat Response’s Audit log. Previously only system events were available via syslog. This change introduces new incident-specific events to syslog as seen below. As before, syslog can still be sent via UDP to remote destination.
- Incident Activity Type is now included in the structured data section of the syslog:
- state_change
- comment
- attachment
- response
- auto_response
- undo_quarantine
- event_linked
- collection_started
- collection_finished
- incident_field_changed
- team_changed
- investigation_link_changed
- summary_changed
- target_host_changed
- attacker_host_changed
- target_user_changed
- attacker_user_changed
- event_reviewed
- list_members_added
- list_members_removed
- Example text of new incident syslog output:
  [PTRAuditData username="admin" event="MODIFY" identity="Incident(1327)"][incident_data incident_id="1327" updated_at="2018-05-30T10:41:08.079Z" old_assignee="Unassigned" new_assignee="admin" old_status="open" new_status="open" summary="Deadpool"][custom_fields classification="Impostor" severity="Informational" attack_vector="Web"] admin MODIFY Incident(1327) notification_sent=no description=
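The parser below is an added example, not Proofpoint code, showing how a SIEM-side collector can split the structured-data part of the incident syslog line shown above into its three SD-elements and report which incident fields actually changed. The sample line is the one from the release note; the parser assumes that every SD-element has the form `[name key="value" ...]` and that values contain no embedded double quotes, which holds for the sample but is an assumption about the general format.

```python
"""Added example (not Proofpoint code): parse the structured data of the
incident audit syslog line and list the field changes it records.

Assumption: SD-elements look like [name key="value" ...], appear
contiguously at the start of the message, and values contain no '"'.
"""
import re

# Sample line copied from the release note.
SAMPLE_LINE = (
    '[PTRAuditData username="admin" event="MODIFY" identity="Incident(1327)"]'
    '[incident_data incident_id="1327" updated_at="2018-05-30T10:41:08.079Z" '
    'old_assignee="Unassigned" new_assignee="admin" old_status="open" '
    'new_status="open" summary="Deadpool"]'
    '[custom_fields classification="Impostor" severity="Informational" '
    'attack_vector="Web"] admin MODIFY Incident(1327) notification_sent=no description='
)

_SD_ELEMENT = re.compile(r'\[(\w+)((?:\s+\w+="[^"]*")*)\]')
_SD_PARAM = re.compile(r'(\w+)="([^"]*)"')


def parse_structured_data(line):
    """Return ({sd_id: {param: value}}, free_text_message)."""
    elements = {}
    end = 0
    for m in _SD_ELEMENT.finditer(line):
        if m.start() != end:
            # Structured data must be contiguous at the front; anything after a
            # gap belongs to the free-text message, even if it contains brackets.
            break
        elements[m.group(1)] = dict(_SD_PARAM.findall(m.group(2)))
        end = m.end()
    return elements, line[end:].strip()


def field_changes(line):
    """List (field, old, new) for every old_*/new_* pair whose value changed.

    The sample records an assignee change (Unassigned -> admin) while the
    status stayed "open", so only the assignee is reported.
    """
    sd, _ = parse_structured_data(line)
    data = sd.get("incident_data", {})
    changes = []
    for key, old in data.items():
        if key.startswith("old_"):
            field = key[len("old_"):]
            new = data.get("new_" + field)
            if new is not None and new != old:
                changes.append((field, old, new))
    return changes


if __name__ == "__main__":
    sd, msg = parse_structured_data(SAMPLE_LINE)
    print(sd["PTRAuditData"]["username"], "->", msg)
    print(field_changes(SAMPLE_LINE))
```

Keying on `old_*`/`new_*` pairs rather than on specific names means the same function keeps working for the other activity types listed above (state_change, team_changed, and so on) as long as they follow the same naming convention, which is an assumption worth verifying against your own syslog feed.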
Threat Response Auto-Pull (TRAP) Enhancements
Abuse Mailbox Improvements
- Integration with Wombat: Abuse Mailbox Monitor now supports messages reported by Wombat’s PhishAlarm plugin directly into a configured Abuse Mailbox. This integration needs PhishAlarm plugin as well as PhishAlarm Analyzer to be present in addition to Threat Response. Please note that at this point reporting via Exchange (Thick Client Plugin) and O365 (Web Client Plugin) are supported.
Quarantine Summary Dashboard
- A new Quarantine Summary has been added to the Dashboard overview to provide additional quarantine details.
- Quarantine results (successes and failures)
- Recent Attempts
- Server Health
- Top Recipients
- Quarantines by mail environment (Exchange, Gmail)
Incident and Investigation Enhancements
Incident List Improvements
- A new Bulk Response item has been added to perform the “Undo Quarantine” action across multiple incidents at once from the Incident List View
- Incident List View now includes a summary of successful and failed quarantine status on the Incident summary.
Proofpoint Threat Response API Enhancements
Threat Response’s Incidents API now includes the following updates:
- Custom response JSON changes:
- Added custom fields
- Now able to distinguish from Target/Attacker/CNC IP addresses
- Incident API Changes:
- Added fields for Email Read, Quarantine Undone, and Quarantine Details.
- Improved “Incident Retrieval” API query to include “updated_before” and “updated_after” fields for detecting changes in Incidents.
Additional Features & Enhancements
- Tanium query can now be performed by hostname instead of requiring the entire FQDN.
- Quarantine from Exchange Online Archive (EOA)
- Ability to bypass proxy settings when connecting to on-premises Exchange servers
- Increased the size of Incident Investigation description dialogue box
- Clicking “Test” no longer resets the password field when connecting services.
Bugfixes
The following issues have been resolved:
- When clicking on related incidents for a given hostname, results now correctly search based upon that hostname instead of the incident ID
- Resolved an issue that caused timeout errors after 5 minutes when using the match condition field “Suppress Incident Creation”
- User last login time now correctly displays after login. Previously would only show after user logged out and back in again.
- Fixed a bug that caused the incorrect results to be displayed when entering custom day: dates for the Email Quarantine Report
- Fixed a bug that caused Full Access service accounts in Office365 to occasionally fail to quarantine from “recoverable items”
- Fixed a bug that caused the Abuse Mailbox Monitor to incorrectly display target/attacker information when abuse message was submitted as an attachment.
- Improved memory allocation to reduce “Out of Memory” issues that could cause certain backend services to fail.
Download instructions
Use your Proofpoint CTS credentials to access download images.
NOTE: Starting in Threat Response v3.2.0, the minimum specification of the virtual appliance has been updated. Please review the Virtual Machine requirements section for updated minimum specifications.
Threat Response 4.0.0 – OVA File (Fresh Installs only):
Proofpoint_Threat_Response_Installer-4.0.0.ova
Threat Response 4.0.0 – IMG File (Upgrades only):
Proofpoint_Threat_Reponse_Update-4.0.0.img
3.6.0 - (June 2018)¶
Summary of 3.6.0 Release
Threat Response 3.6.0 adds support for email quarantine in IBM Domino environments.
Only customers running IBM Domino should upgrade to this version.
Threat Response Auto Pull (TRAP) Enhancements
The following improvements have been made to the Threat Response Auto Pull (TRAP) capabilities:
IBM Domino Support
This release adds support for integration with IBM Domino mail servers to enable email quarantine capability. Threat Response provides the ability to manually or automatically remove malicious emails from a user’s mailbox.
Feature set:
Supported
- Basic auto and manual quarantine
- Undo quarantine
- Distribution list expansion
Not Supported
- Forward following
- Search & Quarantine (when message-ID is missing in TAP alert)
- Abuse mailbox
Distribution List Expansion
Threat Response only supports expansion for members of distribution lists that have SMTP addresses
Download instructions
Installation files are available upon request.
NOTE: Starting in Threat Response v3.2.0, the minimum specification of the virtual appliance has been updated. Please review the Virtual Machine requirements section for updated minimum specifications.
3.5.1 - (April 2018)¶
Summary of 3.5.1 Release
Threat Response 3.5.1 improves upon the platform’s TRAP capabilities and includes quality-of-life improvements, additional bugfixes, and security patches.
Threat Response Auto Pull (TRAP) Enhancements
The following improvements have been made to the Threat Response Auto Pull (TRAP) capabilities:
- Undo Quarantine now more accurately represents that the quarantine will be undone for all messages pulled within the response action.
- Resolved UI issue that caused the Quarantine in Progress icon to stay spinning after the action had completed.
- Abuse Mailbox Monitor now displays both the URL Defense rewritten and decoded links
- Abuse Mailbox Monitor now correctly evaluates a decoded URL’s reputation against all available threat enrichment sources.
Additional Enhancements and Improvements
The following bugs have been resolved:
- Users were allowed to assign an incident to a disabled user during manual incident creation
- When multiple LDAP servers were configured, if one had an invalid search base Threat Response would not attempt to query any other available servers.
Security and Vulnerability Patches
- Various httpd vulnerabilities that could allow for “click-jacking” have been resolved for Chrome and Firefox
- XSS httpd vulnerability resolved for Chrome
- Spectre Variant 1 patched
- Spectre Variant 2 patched
Download instructions
Use your Proofpoint CTS credentials to access download images.
NOTE: Starting in Threat Response v3.2.0, the minimum specification of the virtual appliance has been updated. Please review the Virtual Machine requirements section for updated minimum specifications.
Threat Response 3.5.1 – OVA File (Fresh Installs only):
Proofpoint_Threat_Response_Installer-3.5.1.ova
Threat Response 3.5.1 – IMG File (Upgrades only):
Proofpoint_Threat_Reponse_Update-3.5.1.img
3.5.0 - (March 2018)¶
Summary of 3.5.0 Release
Threat Response 3.5.0 provides additional features and capabilities as well as continues streamlining the platform’s performance and efficiency.
IOC Collection Enhancements
Support for Carbon Black EDR as IOC collector
This release adds support for Carbon Black Endpoint Detection & Response (EDR) Platform for IOC (Indicator Of Compromise) collection as an alternative to the native Proofpoint Threat Response PC Data Collection agent.
Supported Carbon Black Versions
Threat Response supports Carbon Black server versions 5.x and 6.x for performing IOC collection.
IOC Items collected
Using the Carbon Black server APIs, Threat Response collects the following IOC data:
- File system changes
- Network activity
- Processes
- Registry changes
Infection Analysis
Threat Response uses the IOCs collected from Carbon Black to identify any IOCs that match forensics event data resulting in an IOC Confidence score
Updated SMB version for native Threat Response IOC collection agent
Starting in v3.5, Threat Response now supports SMBv2 as the default protocol for distributing the IOC collection agent from the appliance to endpoints. Optionally, Threat Response can be configured to use SMBv1 if SMBv2 is not available.
Also starting with v3.5, the Threat Response IOC collection agent uses TLSv1.2 as the default for communicating between the agent and the Threat Response server with the ability to fallback to TLSv1 or TLSv1.1 (as a configurable option).
These optional fallback mechanisms allow Proofpoint to continue to provide support for those customers using Windows Server 2003, XP, and older devices. Note that Windows XP only supports SMB v1 and TLS v1.0.
Threat Response Auto Pull (TRAP) Enhancements
The following improvements have been made to the Threat Response Auto Pull (TRAP) capabilities:
Abuse Mailbox Support
Threat Response Auto Pull (TRAP) now includes a new feature for managing Abuse Mailboxes. This allows security analysts to use Threat Response to monitor an abuse mailbox to quickly understand the context around user reported potentially malicious emails. Abuse mailboxes on MS Exchange, Office 365 and Gmail are supported.
- Support for multiple mailboxes and folders: Each mailbox and folder combination can be configured as an independent “Abuse Mailbox” Source.
- Automatic Enrichment: For any messages that are found in an abuse mailbox, PTR will automatically create an incident or link to an existing incident (linked via the message-ID of the original message), and enrich with Proofpoint’s email threat intelligence including information such as campaign, URL and file hash reputation.
- Email Quarantine: For any messages that were deemed to be malicious by the security Analyst (as forward-delivered to the abuse mailbox), the user can choose to manually quarantine that message.
Email address Quarantine Whitelist
This release includes the ability to whitelist specific mailboxes to exempt them from any email quarantine actions. This is especially needed in the case of forwards, where specific email addresses must be kept out of the quarantine action.
- Before initiating an email quarantine, TRAP will first check the target email address against the whitelist to make sure that there are no matches prior to processing any quarantine logic.
- For Whitelisting purposes, DLs (Distribution Lists) and Google Groups are both just treated as email addresses. So if the Whitelisting matching logic finds the email associated with the DL or group, we will exempt that list from quarantining actions.
- All abuse mailbox entries are automatically (internally) treated as whitelisted mailboxes to ensure that messages forwarded to an abuse mailbox are not automatically quarantined and thus removed from the abuse mailbox.
Advanced Gmail TRAP features
Support for Gmail via TRAP was introduced in Threat Response v3.4. Beginning with the v3.5 release, multiple advanced features are included that provide parity with email quarantine for Exchange and O365 environments.
Newly introduced features for Gmail include the following:
- Forward Following: Allows recursive following of emails that were forwarded versions of the original email, in order to quarantine all mails in the forwarded chain containing the latent threats.
- Missing Message-ID: When the Message-ID is missing from the alert, search for matching emails using attributes of the original message.
- DL Expansion for Google Groups: Expand any recipients that map to Google Groups to create a list of all actual recipients for email quarantine actions.
Support for quarantining from recoverable items
Starting in v3.5, email quarantine actions also look for messages that have been moved to a user’s Dumpster / Recoverable Items folder.
Warning
Threat Response has a limitation at this time quarantining from the Recoverable Items folder on Office 365 if Full Mailbox Access permissions are being used by the service account.
Incident and Investigation Enhancements
Incident Enhancements - Explicit Linking Logic for JSON events
With this release, JSON events can be explicitly linked to an Incident based on a field in the JSON event. Events submitted to Threat Response can now optionally include a field in the JSON event that indicates which field the Alert should be linked by. Providing this field bypasses the normal Incident linking logic and instead links exclusively based on the supplied field.
The JSON event can include one of the following fields as the field to link on:
- “target_ip_address”
- “target_hostname”
- “target_machine_name”
- “target_user”
- “target_mac_address”
- “attacker_ip_address”
- “attacker_hostname”
- “attacker_machine_name”
- “attacker_user”
- “attacker_mac_address”
- “email_recipient”
- “email_sender”
- “email_subject”
- “message_id”
- “threat_filename”
- “threat_filehash”
CSV upload Source
Threat Response v3.5 introduces a new Event Source that can be used to initiate a quarantine action for the Message-ID and recipient pairs supplied in an uploaded CSV file. The expected format is for the first entry of each row to contain the Message-ID and the second entry to contain the recipient. This source helps achieve manual quarantine against all types of mail servers (Exchange, O365 and Gmail).
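How the CSV upload source and the quarantine whitelist described above fit together, as an added example that is not part of these release notes or of the Threat Response code base: it parses rows in the documented shape (first column Message-ID, second column recipient), normalizes Message-IDs to the angle-bracket form used in mail headers, drops duplicate pairs, and exempts whitelisted addresses before any quarantine logic runs, with abuse mailboxes treated as implicitly whitelisted and distribution-list or Google Group addresses matched as plain addresses. The class and function names, the sample rows and the whitelist entries are constructed for this example; the product's own upload handling is not shown on this page.

```python
"""Added example (not Proofpoint code): CSV quarantine source plus whitelist check."""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass, field


@dataclass
class QuarantineWhitelist:
    """Addresses exempt from quarantine actions.

    entries: explicitly whitelisted addresses (a DL or Google Group is just an address here).
    abuse_mailboxes: every abuse mailbox source is implicitly whitelisted so that
    forwarded reports are never pulled out of the abuse mailbox itself.
    """
    entries: set[str] = field(default_factory=set)
    abuse_mailboxes: set[str] = field(default_factory=set)

    def is_exempt(self, address: str) -> bool:
        addr = address.strip().lower()
        exempt = {e.lower() for e in self.entries} | {a.lower() for a in self.abuse_mailboxes}
        return addr in exempt


def normalize_message_id(raw: str) -> str:
    """Return the Message-ID in the angle-bracket form used by RFC 5322 headers."""
    mid = raw.strip()
    if not mid:
        raise ValueError("empty Message-ID")
    if not mid.startswith("<"):
        mid = "<" + mid
    if not mid.endswith(">"):
        mid = mid + ">"
    return mid


def parse_csv_source(text: str) -> list[tuple[str, str]]:
    """Parse upload rows: column 1 = Message-ID, column 2 = recipient.

    Blank rows are skipped; rows missing either value are rejected rather than
    silently dropped, so a malformed upload cannot quarantine the wrong thing.
    """
    pairs: list[tuple[str, str]] = []
    for row_no, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or all(not cell.strip() for cell in row):
            continue
        if len(row) < 2 or not row[0].strip() or not row[1].strip():
            raise ValueError(f"row {row_no}: expected Message-ID and recipient")
        pairs.append((normalize_message_id(row[0]), row[1].strip().lower()))
    return pairs


def plan_quarantine(text: str, whitelist: QuarantineWhitelist):
    """Decide, per Message-ID/recipient pair, whether quarantine logic may run.

    Returns (to_quarantine, skipped); each skipped entry carries its reason.
    """
    to_quarantine: list[tuple[str, str]] = []
    skipped: list[tuple[str, str, str]] = []
    seen: set[tuple[str, str]] = set()
    for mid, rcpt in parse_csv_source(text):
        if (mid, rcpt) in seen:
            skipped.append((mid, rcpt, "duplicate pair"))
            continue
        seen.add((mid, rcpt))
        # The whitelist is consulted before any quarantine logic is touched.
        if whitelist.is_exempt(rcpt):
            skipped.append((mid, rcpt, "whitelisted"))
            continue
        to_quarantine.append((mid, rcpt))
    return to_quarantine, skipped


# Constructed sample upload: one row lacks brackets, one targets the abuse
# mailbox, one is a duplicate, one targets a whitelisted distribution list.
SAMPLE_CSV = """<abc123@mail.example.com>,alice@example.com
def456@mail.example.com,Bob@example.com
<abc123@mail.example.com>,abuse@example.com
<abc123@mail.example.com>,alice@example.com
<ghi789@mail.example.com>,sales-dl@example.com
"""

SAMPLE_WHITELIST = QuarantineWhitelist(
    entries={"sales-dl@example.com"},
    abuse_mailboxes={"abuse@example.com"},
)

if __name__ == "__main__":
    run, held = plan_quarantine(SAMPLE_CSV, SAMPLE_WHITELIST)
    for mid, rcpt in run:
        print("quarantine", mid, rcpt)
    for mid, rcpt, why in held:
        print("skip      ", mid, rcpt, why)
```

Rejecting malformed rows outright, rather than skipping them, is the deliberate choice here: a quarantine source that silently drops rows leaves the analyst believing a message was pulled when it was not.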
Platform Enhancements and Improvements
Multiple Team Membership
Starting with this release, Threat Response users can be configured to belong to more than one team. The privileges of a user who is a member of multiple teams are the union of the permissions available from each of the teams the user is a member of.
Additional actions added to audit history log
We now log additional actions in the audit history. Following is a list of the additional actions that were added to the audit log:
- Audit records for Investigation Activities (linking/unlinking incidents, adding comments, adding attachments).
- Audit records for Incident Activities (Severity changed, Team changed, added comment, added attachment, incident field changed, target/attacker host/user changed).
- Audit records for Incident (Description changed, Assignee changed).
- Added the username of the account that initiated manual PC Data Collection to the audit records.
Additional Enhancements and Improvements
The following improvements are included in this release.
Customer provided VirusTotal API Keys
Starting in v3.5 Threat Response administrators can optionally supply their own VirusTotal (VT) API key. This allows customers to use their own API key for VT queries.
Download instructions
Use your Proofpoint CTS credentials to access download images.
NOTE: Starting in Threat Response v3.2.0, the minimum specification of the virtual appliance has been updated. Please review the Virtual Machine requirements section for updated minimum specifications.
Threat Response 3.5.0 – OVA File (Fresh Installs only):
Proofpoint_Threat_Response_Installer-3.5.0.ova
Threat Response 3.5.0 – IMG File (Upgrades only):
Proofpoint_Threat_Reponse_Update-3.5.0.img
3.4.2 - (January 2018)¶
Summary of 3.4.2 Release
Threat Response 3.4.2 is a maintenance release that provides security updates for the Spectre and Meltdown vulnerabilities. For more information about Meltdown and Spectre, please refer to https://www.kb.cert.org/vuls/id/584653.
Platform Performance Enhancements
Platform improvements and bug fixes have been made in the following areas:
- Rogue Data Cache Load, CVE-2017-5754 (Meltdown, Variant 3). For more detailed information please refer to: https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5754
- Bounds Check Bypass, CVE-2017-5753 (Spectre, Variant 1). For more detailed information please refer to: https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5753
Download instructions
Use your Proofpoint CTS credentials to access download images.
NOTE: Starting in Threat Response v3.2.0, the minimum specification of the virtual appliance has been updated. Please review the Virtual Machine requirements section for updated minimum specification.
Threat Response 3.4.2 – OVA File (Fresh Installs only):
Proofpoint_Threat_Response_Installer-3.4.2.ova
Threat Response 3.4.2 – IMG File (Upgrades only):
Proofpoint_Threat_Reponse_Update-3.4.2.img
3.4.1 - (December 2017)¶
Summary of 3.4.1 Release
Threat Response 3.4.1 is a maintenance release that provides internal process streamlining to increase the platform’s performance and efficiency.
Platform Performance Enhancements
Platform improvements and bug fixes have been made in the following areas:
Re-Open Incident Confirmation Dialog:
When a user clicks to “re-open” an incident, a dialog box now prompts the user for confirmation prior to re-opening the incident.
Display Long Email Addresses:
Email addresses over a specific length were displayed shortened with an ellipsis so that they would fit certain areas (for example, “Target Information” and “Attacker Information” in the “Incident Overview”). The full email address is now shown, with line wrapping as needed.
FireEye EX Alerts Missing MessageID in Brackets:
Some FireEye EX alerts do not include opening and closing brackets (<>) around the messageID, which resulted in failed quarantine attempts for those alerts. The platform now accepts alerts without the messageID enclosed in brackets and adds the brackets when attempting quarantines.
FireEye 8.x Limiting Post URL Size to 65 Characters:
Starting with FireEye 8.x the length of the POST URL for HTTP notifications is limited to 65 characters. The POST URL has been shortened to fall within the 65 character limit.
Email Notifications when Team or Assignee is Updated:
Email notifications are now generated when a Team or Assignee is updated.
Impersonation Quarantine Issue:
In some instances, performing an email quarantine action using impersonation resulted in the email being forwarded to the quarantine mailbox but not removed from the recipient’s mailbox. This issue has been resolved.
Distribution List Quarantine Inconsistent:
In some cases, when multiple Exchange servers were configured, including a mix of O365 and on-premise Exchange, quarantines for Distribution List members worked inconsistently. This issue has been resolved.
Download instructions
Use your Proofpoint CTS credentials to access download images.
NOTE: Starting in Threat Response v3.2.0, the minimum specification of the virtual appliance has been updated. Please review the Virtual Machine requirements section for updated minimum specification.
Threat Response 3.4.1 – OVA File (Fresh Installs only):
Proofpoint_Threat_Response_Installer-3.4.1.ova
Threat Response 3.4.1 – IMG File (Upgrades only):
Proofpoint_Threat_Reponse_Update-3.4.1.img
3.4.0 - (November 2017)¶
Summary of 3.4.0 Release
Threat Response 3.4.0 is a significant release that provides additional features and capabilities as well as continuing to streamline the platform’s performance and efficiency.
1. Incident and Investigations
2. Threat Response Auto Pull (TRAP) Enhancements
3. Additional Enhancements and Improvements
4. Download Instructions
Investigation Enhancements
Investigations are groups of Incidents that share something in common and have a common set of investigation workflow activities that need to be performed. This release includes multiple improvements to streamline the complete Investigation lifecycle.
New Bulk Action for Investigation Linking:
There is a new Bulk Action called “Link Investigation” that can be used anywhere Bulk Actions are available to add the selected Incidents to an Investigation.
Bulk Actions are now Available for Search Results:
Users can select some, or all, of the Incidents that have been included in the search results and perform any available Bulk Action to the selected Incidents.
Custom Fields for Investigations:
Any Custom Fields that have been defined will now show up in both Incidents and Investigations. If a Custom Field is changed at the Investigation level users will have the option to have that change cascaded to all linked Incidents. Closing an Investigation will also require that any mandatory Custom Fields be set prior to closing.
Close Investigation & Linked Incidents:
There is now an option to close all linked Incidents when an Investigation is closed. If any of the linked Incidents have mandatory fields that have not been set the user will get a message that the Investigation can’t be closed until the mandatory fields are set. Closing comments will be included in both the Investigation and all linked Incidents (if the user chose to close linked Incidents).
Aggregate Incident Activity History in Investigation:
When viewing an Investigation there is now an option to see the Activity History including Comments and Attachments from all linked Incidents.
Incident Management Workflow Improvements
The following improvements to Incident Management workflows have been introduced:
TAP Dashboard Link for TAP Alerts:
For Proofpoint TAP Alerts the Incident Summary and Alert Details pages now display a link that will take the user directly to the TAP Dashboard page for that threat.
SmartSearch Match Conditions:
The SmartSearch Alert Source no longer requires including an asterisk “*” in the category section of a Match Condition.
Support for Custom Fields in Splunk and JSON Alert Sources:
Alerts received from Splunk 2.0 or JSON alert sources that include Custom Fields will set the Incident Custom Fields to the value provided in the Alert, but only if the Custom Field does not currently have a value set. If there is a value already set in the Incident the value provided in the Alert will be ignored.
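The explicit linking rule described in the 3.5.0 notes above and the custom-field merge rule described here, as an added example that is neither Proofpoint's code nor its actual linking implementation: an event that carries a link field is linked only by that field (and rejected if the field is not one of the listed linkable fields or has no value), an event without one falls back to a simplified stand-in for the normal linking logic, and custom fields from the alert populate only incident fields that are still empty. The key name `link_by`, the `IncidentStore` class, the stand-in default logic (matching on target hostname, assumed because the page does not describe the real logic) and the sample events are assumptions made for this example.

```python
"""Added example (not Proofpoint code): explicit alert linking and custom-field merge."""
from __future__ import annotations

from dataclasses import dataclass, field

# The fields the 3.5.0 notes list as valid explicit link keys.
LINKABLE_FIELDS = frozenset({
    "target_ip_address", "target_hostname", "target_machine_name",
    "target_user", "target_mac_address",
    "attacker_ip_address", "attacker_hostname", "attacker_machine_name",
    "attacker_user", "attacker_mac_address",
    "email_recipient", "email_sender", "email_subject", "message_id",
    "threat_filename", "threat_filehash",
})

# Assumed key name for "which field to link by"; the real key is not on this page.
LINK_BY_KEY = "link_by"


@dataclass
class Incident:
    incident_id: int
    alerts: list[dict] = field(default_factory=list)
    custom_fields: dict[str, str] = field(default_factory=dict)


def merge_custom_fields(incident: Incident, alert_fields: dict[str, str]) -> list[str]:
    """Set only custom fields that are still empty; return the names that were set."""
    applied: list[str] = []
    for name, value in alert_fields.items():
        if incident.custom_fields.get(name, "") == "":
            incident.custom_fields[name] = value
            applied.append(name)
    return applied


class IncidentStore:
    def __init__(self) -> None:
        self.incidents: list[Incident] = []
        self._next_id = 1

    def _find_by_field(self, name: str, value) -> Incident | None:
        for inc in self.incidents:
            if any(alert.get(name) == value for alert in inc.alerts):
                return inc
        return None

    def _default_link(self, event: dict) -> Incident | None:
        # Stand-in for the normal linking logic (assumed: match on target hostname).
        host = event.get("target_hostname")
        return self._find_by_field("target_hostname", host) if host else None

    def ingest(self, event: dict) -> tuple[Incident, str]:
        """Link the event to an incident and report why; create one if nothing matches."""
        link_by = event.get(LINK_BY_KEY)
        if link_by is not None:
            if link_by not in LINKABLE_FIELDS:
                raise ValueError(f"{link_by!r} is not a linkable field")
            if event.get(link_by) in (None, ""):
                raise ValueError(f"event has no value for link field {link_by!r}")
            # Explicit linking bypasses the default logic entirely.
            incident = self._find_by_field(link_by, event[link_by])
            reason = f"explicit link on {link_by}"
        else:
            incident = self._default_link(event)
            reason = "default linking logic"
        if incident is None:
            incident = Incident(self._next_id)
            self._next_id += 1
            self.incidents.append(incident)
            reason = "new incident"
        incident.alerts.append(event)
        merge_custom_fields(incident, event.get("custom_fields", {}))
        return incident, reason


# Constructed sample events (documentation-range IPs, made-up hostnames).
SAMPLE_EVENTS = [
    {"target_hostname": "ws-01", "attacker_ip_address": "203.0.113.5",
     "custom_fields": {"ticket": "T-1"}},
    {"target_hostname": "ws-01", "attacker_ip_address": "198.51.100.9"},
    {LINK_BY_KEY: "attacker_ip_address", "attacker_ip_address": "203.0.113.5",
     "target_hostname": "ws-02", "custom_fields": {"ticket": "T-9", "owner": "ops"}},
    {LINK_BY_KEY: "attacker_ip_address", "attacker_ip_address": "192.0.2.77",
     "target_hostname": "ws-01"},
]


def run_sample() -> list[tuple[int, str]]:
    """Ingest the sample events in order and return (incident id, link reason) per event."""
    store = IncidentStore()
    return [(inc.incident_id, why) for inc, why in (store.ingest(e) for e in SAMPLE_EVENTS)]
```

The last sample event is the instructive one: its target hostname would have linked it to incident 1 under the default logic, but because it asks to be linked by attacker IP and no incident carries that IP, a new incident is opened instead.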
Threat Response Auto Pull (TRAP) Enhancements
Support for Email Quarantining in Google G-Suite:
Threat Response Auto Pull (TRAP) now supports quarantining messages that were delivered to a G-Suite mailbox. The following capabilities are available:
Quarantine Original Recipient:
Using either Match Conditions or through a manual user action, the original email recipient email can be quarantined.
Undo Quarantine Action:
For any messages that were quarantined in a G-Suite mailbox the ‘Undo Quarantine’ action is available in the Incident Activities screen. This will result in the message being returned to the original recipient’s mailbox.
Status Flag:
The Read/Unread status flag is used to indicate whether the message was read or not.
Quarantine Action Already Taken:
If an automated quarantine attempt has already taken place for a message ID and recipient pair no further automated quarantine action will be attempted after the first quarantine attempt.
Email Notifications:
An email notification can be configured to be sent when an email quarantine action has been completed. This notification will include details on the action such as start and end times, incident number, message recipient and whether the quarantine action succeeded or failed.
Incident API Includes Quarantine Actions:
The Incident API responses now include details on email quarantine actions, such as start and end times, alert source, messageID, message recipient and whether the quarantine action succeeded or failed.
Auto Close:
Match Conditions can now be configured to automatically close an Incident if all quarantine attempts were successful.
Concurrent Attempts Settings:
There is a new configuration section called “Quarantine Settings”. On this page admins can configure the maximum number of concurrent quarantine actions to perform. The default value is “20”.
Email Quarantine Report:
The Email Quarantine Report will now include the reason for a failed quarantine attempt. This information is shown when clicking on the blue ‘Failed’ status under Quarantine Status.
Additional Enhancements and Improvements
The following improvements are included in this release.
Time Zones:
Users can now configure their preferred time zone in their user profile settings. Changing this value will convert all displayed timestamps to the specified time zone.
Device and Alert Source Configuration Control:
Only users that are members of the Admin team can perform Create, Update and Delete actions for Alert Sources and Devices configurations.
Support for Negation in Match Conditions for LDAP Attributes:
Match Conditions can now be configured with ‘does not equal’ for LDAP attribute matching. In this case the Match Condition will trigger when the user identified in the Alert does not belong to the identified LDAP group.
Severity Labels:
Administrators can configure an alternate Severity label to be displayed throughout the UI and API responses.
IoC Process Collection:
The IoC collector now shows the SHA256 hash for the Process that has been identified.
Download instructions
Use your Proofpoint CTS credentials to access download images.
NOTE: Starting in Threat Response v3.2.0, the minimum specification of the virtual appliance has been updated. Please review the Virtual Machine requirements section for updated minimum specification.
Threat Response 3.4.0 – OVA File (Fresh Installs only):
Proofpoint_Threat_Response_Installer-3.4.0.ova
Threat Response 3.4.0 – IMG File (Upgrades only):
Proofpoint_Threat_Reponse_Update-3.4.0.img
3.3.1 - (September 2017)¶
Summary of 3.3.1 Release
Threat Response 3.3.1 is a maintenance release that provides internal process streamlining to increase the platform’s performance and efficiency.
1. Platform Performance Enhancements
2. Download Instructions
3. Logging
Platform Performance Enhancements
Email Quarantine Process: The method for iterating through a target mailbox was streamlined to enable faster searching and reporting.
Exchange Result Reporting: The status message from EWS being displayed was refined to better reflect the result.
Logging: Instrumentation was added to the platform to increase information collection for support and troubleshooting.
Download instructions
Use your Proofpoint CTS credentials to access download images.
Starting in Threat Response v3.2.0, the minimum specification of the virtual appliance has been updated. Please review the Virtual Machine requirements section for updated minimum specification.
- Threat Response 3.3.1 – OVA File (Fresh Installs only): Proofpoint_Threat_Response_Installer-3.3.1.ova
- Threat Response 3.3.1 – IMG File (Upgrades only): Proofpoint_Threat_Reponse_Update-3.3.1.img
3.3.0 - (August 2017)¶
Summary of 3.3.0 Release
Threat Response 3.3.0 provides performance enhancements as well as significant product improvements and enhancements across the following product areas:
1. Workflows and Incident Management
2. Integrations
3. Reporting
4. Platform Performance
New Features and Updates
Email Quarantine (TRAP) Workflow Improvements: The following improvements to the Threat Response Auto Pull (TRAP) workflow have been introduced:
- Retry Attempts: Increased quarantine retry attempts.
- Retry Time Delay: Implemented a new back-off algorithm to increase the time between retry attempts.
Incident Management Workflow Improvements: The following improvements to Incident Management workflows have been introduced:
- “Unassigned” Incident Filter: A quick filter was added to the Incident List page to enable viewing of “Unassigned” incidents.
- Splunk/JSON Alert Custom Field Mapping: Alert data received via the Splunk 2.0 or JSON alert source that contains custom fields matching the custom incident fields configured in system settings will be matched and displayed at the incident level. Values are only updated if the custom field value is empty.
Integration Additions and Enhancements:
- Palo Alto Networks Improvements and Expansions: The following improvements and expansions to the Palo Alto Networks integrations have been introduced:
  - Panorama Support: Support for Panorama has been adopted through the current version 8.0.2. This includes support as both an alert source and a device member.
  - External Dynamic Lists Support – Host/IP Lists: The dynamic list URL for host/IP lists hosted by Threat Response has been updated to support the new requirements for external dynamic lists.
  - External Dynamic List Support – URL Lists: Threat Response URL lists that have been published now include a URL under “Show published URL…” that can be leveraged by external dynamic lists.
  - AutoFocus and MineMeld TAXII Integration: AutoFocus can provide intelligence data to Threat Response through MineMeld. MineMeld is used to create a TAXII output node that Threat Response can subscribe to.
- Splunk Integration Expansion: The following updates were made to the Threat Response integration ecosystem:
  - Custom JSON Response Enhancement: The custom JSON response can now be configured to authenticate to Splunk’s HTTP Event Collector (HEC). When used within a match condition, this response will include an overview of the alert and related incident data.
Reporting Enhancements: The following reporting enhancements have been introduced:
- Export to CSV: All reports listed under ‘Reports’ can now be exported in comma-separated values (CSV) format.
Platform Performance Enhancements:
Page load times have been improved in the following areas:
- Reports: Multiple reports have been improved to reduce the page load time.
- Incident Alerts: The Alerts view in Incidents was adjusted to provide faster load times.
- Incident Identity: In incidents where a user might be associated with a large number of incidents, the load times have been improved.
- Incident Overview: The Incident Overview page was enhanced to improve the loading time.
- Incident Hosts: The Hosts page was modified to improve load times.
- Threat Intel: Some Threat Intel pages have been enhanced to improve load times.
DOWNLOAD LINKS
Download instructions
Use your Proofpoint CTS credentials to access download images.
Starting with Threat Response v3.2.0, the minimum specification of the virtual appliance has been updated. Please review the Virtual Machine requirements section for updated minimum specification.
- Threat Response 3.3.0 – OVA File (Fresh Installs only): Proofpoint_Threat_Response_Installer-3.3.0.ova
- Threat Response 3.3.0 – IMG File (Upgrades only): Proofpoint_Threat_Reponse_Update-3.3.0.img
3.2.2 - (June 2017)¶
Summary of 3.2.2 release
Threat Response 3.2.2 is a patch release that delivers a fix for an upgrade issue.
Updates
Issue(s) Fixed:
- TC-16793: Quarantine not working in hybrid env with office 365 and on-prem exchange
- TC-16792: Quarantining not working for non primary SMTP email address (SMTP alias)
- TC-16778, TC-16795: Search & quarantine should work with hashed sender email address
- TC-16764: Redis cannot downgrade from PTR 3.2 to an earlier version
- TC-16839: Splunk alert dropped
- TC-16835: Duplicate incidents in Incident Overview > Related Incidents table
- TC-16838: Search does not search text in Incident Description
DOWNLOAD LINKS
Download instructions
Use your Proofpoint CTS credentials to access download images.
Starting with Threat Response v3.2.0, the minimum specification of the virtual appliance has been updated. Please review the Virtual Machine requirements section for updated minimum specification.
- Threat Response 3.2.2 – OVA File (Fresh Installs only): Proofpoint_Threat_Response_Installer-3.2.2.ova
- Threat Response 3.2.2 – IMG File (Upgrades only): Proofpoint_Threat_Reponse_Update-3.2.2.img
3.2.1 - (June 2017)¶
Summary of 3.2.1 release
Threat Response 3.2.1 is a patch release that delivers a fix for an upgrade issue.
Updates
Issue(s) Fixed:
- Upgrade Error: In some cases where an organization has modified the value list for standard incident fields such as “classification” and “attack vector”, the upgrade process fails.
DOWNLOAD LINKS
Download instructions
Use your Proofpoint CTS credentials to access download images.
Starting with Threat Response v3.2.0, the minimum specification of the virtual appliance has been updated. Please review the Virtual Machine requirements section for updated minimum specification.
- Threat Response 3.2.1 – OVA File (Fresh Installs only): Proofpoint_Threat_Response_Installer-3.2.1.ova
- Threat Response 3.2.1 – IMG File (Upgrades only): Proofpoint_Threat_Reponse_Update-3.2.1.img
3.2.0 - (May 2017)¶
Summary of 3.2.0 release
The Threat Response 3.2.0 release delivers significant product improvements across major product areas and functions:
1. We have added new features to the Email Quarantine (TRAP) playbook such as support for Distribution Lists, Proofpoint Smart Search integration, Undo Quarantine, and more.
2. We have made multiple improvements to the Incident Management workflows, including selectable endpoint IOC Collection & custom script execution, automatic setting of incident field values using Match Conditions, improvements to incident link logic, and more.
3. To support even larger deployments, we have made updates to the virtual appliance platform to improve the scalability and performance of the solution. This includes the move from a 32-bit to a 64-bit appliance to enable processes to scale by consuming more memory where needed.
4. As with every release, we are growing our integration ecosystem by integrating with NAC vendors such as ForeScout, Bradford, Cisco, and more. This release includes minor API improvements as well.
NEW FEATURES
Email Quarantine (TRAP) Features
We have added the following features and improvements to the email quarantine playbook (TRAP) to support additional use cases:
- Support for Exchange Distribution Lists: If an email threat is delivered to a Distribution List (DL), Threat Response will automatically expand the DL (including DLs embedded inside a top level DL), extract member email addresses, search each mailbox and quarantine the malicious message across all those mailboxes.
- Smart Search Integration: Threat Response has added a new alert source to manually import the results from Proofpoint Smart Search using a CSV export that includes one or more messages that need to be quarantined. Threat Response reads the CSV file, imports each message delivered to an individual as an alert and then, based on the Match Conditions configured on this alert source, automates actions such as email quarantine. Note: Smart Search results don’t have a classification for the type of email threat. As a result, Threat Response sets the category field to “UNKNOWN”. In order to make Match Conditions for this alert source work, you will need to set the category field in Match Conditions to “*”.
- Undo Email Quarantine: We have added support for undoing the email quarantine action performed manually or automatically by Threat Response system. This feature enables the security teams to handle False Positive alerts from TAP, FireEye EX or custom JSON alert. Note: In this release, a user can perform undo quarantine action only once.
- Exchange Message Read Status: When quarantining an email from Exchange, Threat Response checks the “IsRead” flag for a given email on Exchange Server and records it as part of the quarantine action summary on Incident Activity page. This flag can have following states: a) Read, b) Not Read, c) Unknown (in the case of Exchange errors).
- Proofpoint TAP Alert Source Improvements: We have made multiple improvements to the Proofpoint Targeted Attack Protection (TAP) alert source:
  - Support for imposter (BEC) alerts
  - Updated mapping of TAP alert data
  - Alert severity: Permitted Click alerts –> Critical, Delivered Attachment threat –> High/Major, Delivered URL threat (unprotected) –> High/Major, Delivered URL threat (re-written) –> Informational, Delivered Imposter email –> High/Major
  - Sender IP: The Sender IP in the SIEM API alert is now mapped to the Attacker IP address
  - Forensics: Only indicators labeled as malicious in TAP Forensics are imported into Threat Response, and they are assigned a new role called “forensics” (note: host/URL roles as of 3.1.x are Target, Attacker, and C&C)
  - Support for collecting Unprotected (not re-written) URL threats delivered to user mailboxes
  - Support for quarantining an email when the message_id field is not provided by the TAP SIEM API in certain cases. When the message_id field is missing in the alert, Threat Response automatically switches to search mode, where it tries to identify the corresponding malicious message using the recipient email address and the delivered URL threat. Note: This feature works only in the case of URL threats.
- Email Quarantine Summary Report: This release delivers a new report that summarizes the email quarantine action performed by Threat Response across all incidents.
Incident Workflow Improvements
We have made improvements to Incident Management workflows. We have delivered the following capabilities:
- Endpoint IOC Collection: When performing endpoint IOC collection using Threat Response IOC Collector, analysts can now pick and choose from a list of predefined collection types (processes, network connections, etc.), or custom scripts.
- Match Condition Improvements: Users can leverage Match Conditions per alert source to automatically set incident fields (standard and custom) when certain conditions are met.
- Incident Link Logic: Two major changes were made in this area:
- Admin can select additional criteria for linking incoming alerts - a) Link resolvable hostnames only, b) Link by target data in raw alert (Splunk Only)
- Reason for linking alerts to an existing incident is now shown in the Incident Details > Alerts page
- Review Alerts Before Closing Incidents: Since Threat Response can group multiple alerts into an existing incident, an analyst can sometimes miss a new alert that was linked to an incident they have already investigated and accidentally close that incident without reviewing the new alert. Starting with this release, SOC Managers can require their analysts to review all alerts before closing an incident by acknowledging each alert linked to it. Once this optional feature is enabled, Threat Response will prevent the analyst from closing an incident with two or more linked alerts if at least one alert has not been acknowledged.
- Search Improvements: Users can now search across standard and custom alert field values across all incidents.
- Incident Filter Improvements: Incident Summary field is now available as incident filtering criteria.
Performance Improvements
We have made improvements in the Threat Response virtual appliance platform to enhance scalability and performance. We have delivered the following capabilities:
- The Threat Response appliance is now a 64-bit appliance to support deployments that need a large memory footprint. Note: The minimum specification of the virtual appliance has been updated. Please review the Virtual Machine requirements section for more details.
- Incident List and Incident Details page UI load time has been reduced by 2-3x.
- Threat Intel List (3rd party STIX/TAXII data) page UI load time has been reduced by 2-3x.
Integrations
The following updates were made to the Threat Response integration ecosystem:
- Support for synchronizing hosts to an AD Security Group for computer accounts.
- Support for top 10 leading NAC vendor offerings such as Forescout, Cisco ISE, Bradford Networks, Aruba and more.
- Minor update to JSON alert source to support upload of custom icon (max size: 512 x 512 px)
DOWNLOAD LINKS
Download instructions
Use your Proofpoint CTS credentials to access download images.
Starting with Threat Response v3.2.0, the minimum specification of the virtual appliance has been updated. Please review the Virtual Machine requirements section for updated minimum specification.
- Threat Response 3.2.0 – OVA File (Fresh Installs only): Proofpoint_Threat_Response_Installer-3.2.0.ova
- Threat Response 3.2.0 – IMG File (Upgrades only): Proofpoint_Threat_Reponse_Update-3.2.0.img
3.1.1 - (February 2017)¶
Summary of 3.1.1 release
Threat Response 3.1.1 is a patch release that delivers integration with the new Threat Response Online Documentation Portal. The portal is located at https://ptr-docs.proofpoint.com.
We have migrated all existing Threat Response collateral to the online documentation portal. The portal can be accessed through a web browser (Chrome, Safari, and Firefox are supported), and also supports all modern mobile devices, such as the Apple iPad and iPhone.
To access the Threat Response Documentation portal:
- Log in to Threat Response
- Click on the ? at the top of the Threat Response menu
- You will be seamlessly redirected to the Threat Response documentation portal
The Threat Response online documentation portal offers a wide range of collateral and functionality, including but not limited to:
- Installation, Administration, and User guides
- Integrations summary and detailed integration guides
- Detailed API documentation with curl and Python examples, as well as sample PowerShell scripts
- Historical release notes with all the product updates
- Search functionality by keywords and major topics
- TRAP collateral
DOWNLOAD LINKS
Download instructions
Use your Proofpoint CTS credentials to access download images.
- Threat Response 3.1.1 – OVA File (Fresh Installs only):
- Threat Response 3.1.1 – IMG File (Upgrades only):
3.1.0 - (January 2017)¶
Summary of 3.1.0 release
The Threat Response 3.1.0 release delivers significant product improvements across major product areas and functions:
1. Threat Response 3.1.0 offers various custom workflow capabilities, so that users and admins can customize Threat Response to their needs, thereby enabling more complex and data-rich workflows. This is achieved through features such as teams, investigations, custom field support, and email notifications.
2. We have expanded the JSON Alert Source to support additional arrays, objects, and fields, and have also updated the existing version of the Splunk alert source.
3. Today Threat Response provides a rich integration ecosystem out of the box. In this release, we have added support for over 10 new integrations, including Carbon Black, OneLogin, Okta, RSA SecurID, Duo Security and more.
4. Expanded our endpoint IOC collection capabilities through custom PowerShell scripts, where users can upload their own scripts to Threat Response and collect additional IOCs such as the list of installed drivers or the list of start-up programs.
NEW FEATURES
Investigations
Investigations allow analysts to group related incidents together as an investigation. For example, if there is a malware outbreak within the enterprise, analysts can group related incidents together, since the root cause of the outbreak can be the same. Therefore, an investigation is a new top-level Threat Response concept that represents a group of incidents that are related in some way.
JSON Alert Source Improvements
We have updated and extended our JSON Alert source so that it is easier to integrate Threat Response with 3rd party alert sources and process more contextual data from those alert sources. We have delivered the following capabilities:
- Support for over 30 attributes across different object types. See the JSON alert source documentation for more details.
- Introduced two new objects within the alert JSON schema:
- Detector object: Lets users define context around the source of alerts. For example, if a firewall sent an alert to a SIEM which then sent an alert into Threat Response, you can now clearly identify the system that detected the threat and specify its IP address, vendor, event_category, or the action it took.
- Custom fields object: Lets users define arbitrary key:value pairs of type “string” to provide additional metadata for the alert that is not currently defined within the Threat Response JSON alert schema.
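As an added illustration (not code from Proofpoint or from the Threat Response JSON alert schema), the validator below shows the kind of pre-flight check an integration team can run on an outgoing alert: the detector object carries the fields named above, and every custom field value must be a string. The key names `detector`, `custom_fields`, `ip_address`, `vendor`, `event_category` and `action` are assumptions for this example; take the real names from the JSON alert source documentation.

```python
import ipaddress
import json

# Assumed key names for this example, not Threat Response's published schema.
DETECTOR_KEYS = {"ip_address", "vendor", "event_category", "action"}


def validate_alert(alert):
    """Return a list of problems found in a parsed alert dict (empty list = OK)."""
    problems = []

    detector = alert.get("detector")
    if detector is not None:
        if not isinstance(detector, dict):
            problems.append("detector must be an object")
        else:
            for key, value in detector.items():
                if key not in DETECTOR_KEYS:
                    problems.append(f"detector: unknown key {key!r}")
                    continue
                if not isinstance(value, str) or not value:
                    problems.append(f"detector.{key}: must be a non-empty string")
                    continue
                if key == "ip_address":
                    try:
                        ipaddress.ip_address(value)  # accepts IPv4 or IPv6
                    except ValueError:
                        problems.append(f"detector.ip_address: {value!r} is not a valid IP address")

    custom = alert.get("custom_fields")
    if custom is not None:
        if not isinstance(custom, dict):
            problems.append("custom_fields must be an object")
        else:
            for key, value in custom.items():
                if not key:
                    problems.append("custom_fields: keys must be non-empty strings")
                if not isinstance(value, str):
                    # custom field values are strings only; numbers, lists, etc. are rejected
                    problems.append(
                        f"custom_fields.{key}: value must be a string, got {type(value).__name__}"
                    )
    return problems


def check_alert_json(raw):
    """Parse raw JSON text and validate it; raise ValueError if it is not a JSON object."""
    try:
        alert = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"invalid JSON: {exc}") from exc
    if not isinstance(alert, dict):
        raise ValueError("top-level alert must be a JSON object")
    return validate_alert(alert)


# Constructed samples: a firewall alert relayed through a SIEM, where the detector
# describes the firewall (the system that actually observed the threat).
SAMPLE_GOOD = json.dumps({
    "detector": {"ip_address": "10.0.0.5", "vendor": "ExampleFW",
                 "event_category": "malware", "action": "blocked"},
    "custom_fields": {"siem_rule": "fw-malware-001", "ticket": "INC-1234"},
})
SAMPLE_BAD = json.dumps({
    "detector": {"ip_address": "not-an-ip", "vendor": "ExampleFW", "color": "red"},
    "custom_fields": {"retry_count": 3, "note": "ok"},
})

if __name__ == "__main__":
    print("good:", check_alert_json(SAMPLE_GOOD))  # []
    print("bad:", check_alert_json(SAMPLE_BAD))    # three problems listed
```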
Splunk Enterprise 2.0 Alert Source
In this release, we have added an updated Splunk alert source, Splunk Enterprise 2.0, which supports all available JSON alert fields and offers richer integration between Splunk and Threat Response. The previous Splunk integration supported only 5-6 alert attributes at the time of ingestion. The Splunk Enterprise 2.0 alert source now supports over 30 attributes, including custom fields.
Introducing team-based queues
Starting with Threat Response 3.1.0, users can create teams and assign users to them. This mirrors closely the existing workflows of the Security Operations Center, where each customer has multiple teams, such as Tier-1, Tier-2, and Tier-3 analysts. Threat Response provides the following major functionality for working with teams:
- Create teams and assign users to them
- Choose the default team for incidents that are not assigned to a specific team
- The incident list includes a new view called “My team queue”, from which an IR analyst can pick new incidents from their team’s queue.
- SOC Managers and admins can set the team automatically using a match condition
- New report that shows incidents by team (new, open, closed)
- Individually or as part of bulk action assign an incident or list of incidents to a team
- Filter incidents by team (from incident list page)
Team-based permissions
Threat Response 3.1.0 provides the capability to set team-based permissions and enforce them for users operating Threat Response. For example, Tier-3 team analysts can isolate hosts using Carbon Black, while Tier-1 analysts cannot perform this action.
Flexible email notifications
As part of Threat Response 3.1.0 we have expanded the capabilities for email-based notifications. Users have the flexibility to choose which notifications they want to receive, who to send the notifications to, and what information to include in the notifications.
Carbon Black “Host Isolation”
Threat Response 3.1.0 now offers integration with the Carbon Black endpoint detection and response product. As part of this release, customers can integrate with Carbon Black and isolate hosts when responding to incidents.
Extended IOC Collection from Endpoints using Custom PowerShell scripts
Threat Response 3.1.0 allows users to upload one or more custom PowerShell scripts and run them to perform certain actions or collect data from Windows endpoints. Each PowerShell script is executed by the Threat Response IOC Collection each time an endpoint IOC Collection is performed. The results of execution will also be captured and displayed by Threat Response.
Updates to Standard & Custom Incident Fields
Threat Response 3.1.0 enhances the security workflow capabilities and delivers the following enhancements to incident fields:
- Standard fields now include: Attack Vector, Classification, and Severity.
- Values for standard fields can be adjusted. For example, users can specify what values they want to define for the Classification field.
- Ordering of values for standard fields or custom fields can be adjusted as well.
- Customers can adjust and add custom fields in order to meet the desired use cases. Out of the box we provide the following custom fields: Confirmation, Detection Source, Impact, and Workflow stage.
Required Incident Fields
Threat Response 3.1.0 enables admins to select one or more standard or custom incident fields and mark them as required fields. Once configured, Threat Response will prevent analysts from closing the incident until the required fields are set with appropriate values. For example, as a SOC Manager, you may want all analysts to set the incident classification and attack vector fields before closing incidents so that your weekly reports are accurate.
Manual Incident Improvements
Threat Response allows users to create incidents manually and also edit the fields for that incident. In 3.1.0 we have expanded the number of fields that can be set or updated manually during or post incident creation.
Incident Activity Notifications
Threat Response now provides a Facebook-like activity notification for each incident owner to notify them of changes that were made to their incidents. These changes include the following activities:
- New alerts were added to an incident
- An endpoint IOC collection for a given incident finished
- Incident analyst and team assignments are updated
- Incident attributes are updated (such as severity, classification, attack vector, etc.)
- A response action was taken for the incident
We have introduced a new “inbox” icon in the top menu bar of the Threat Response UI, so that it is easier to notice and identify how many notifications are awaiting in the queue.
User profile and preferences
This feature lets Threat Response users/analysts set their personal preferences for the following configuration settings:
- Default landing page (dashboard, incident list, CTI list): when the user logs in, they are redirected to the preconfigured page
- Configurable session timeout window: sets the period of user inactivity after which Threat Response logs the user out
Updated PC data collection configuration settings
PC data collection settings have been updated, so that users can adjust PC data collection parameters in the System Settings:
- Enable or disable cross-incident malware correlation
- Enable/disable automatic PC data collection for all incidents
- Set the incident severity threshold for which automatic PC data collection will be triggered
New report: Incident Age by Severity
For Threat Response 3.1 we have introduced a new report, Incident Age by Severity. For that report we group incidents into buckets that represent the time since creation (0-2d, 3-7d, 8-15d, 16-30d, 30 d+), and then within each bucket we show incidents by severity.
New report: Incident by Team
For Threat Response 3.1 we have introduced a new report, Incidents by Team, which shows the incident count by team membership. This new report provides immediate visibility into the load on each team.
Updated report: Incident by Assignment
For Threat Response 3.1 we have introduced a new report, Incidents by Assignment. That report shows the incident count by assignment (the user to whom the incident is assigned). At the top of that chart we always show the “Unassigned” bucket (the count of all incidents that are unassigned).
Additional Integrations
In this release, we are adding support for the following integrations:
- Identity Management and Web SSO
- Okta
- OneLogin
- Ping Identity
- Centrify
- Microsoft Azure SSO
- Multi-Factor Authentication
- Duo Security
- RSA SecureID
- SafeNet
- Symantec 2FA
Please refer to the integration summary page to learn more about each integration.
Threat Response Integrations summary
BUG FIXES
Threat Response 3.1.0 delivers multiple bug fixes. The list below represents some of the major items:
- TC-15360: Test settings deletes password after validating, requiring user to enter it again.
- TC-15258: Nomenclature of Objects added in JSON alert source is not consistent with previous objects
- TC-15676: Incident Attacker geolocation map is not showing the “dot/marker” for location.
- TC-13011: LDAP status displays error state even though server connection is restored and testing LDAP server shows that server is verified
DOWNLOAD LINKS
Download instructions
Use your Proofpoint CTS credentials to access download images.
- Threat Response 3.1.0 – OVA File (Fresh Installs only):
- Threat Response 3.1.0 – IMG File (Upgrades only):
3.0.5 - (December 2016)¶
Summary of 3.0.5 release
Proofpoint Threat Response 3.0.5 (“Threat Response”) is a patch release delivering multiple improvements.
ENHANCEMENTS
- Dirty COW Linux Kernel CVE-2016-5195 Security Vulnerability: On October 19, 2016, a privilege escalation vulnerability in the Linux kernel was disclosed. The bug is nicknamed Dirty COW because the underlying issue was a race condition in the way the kernel handles copy-on-write (COW). Dirty COW has existed for a long time, at least since 2007 with kernel version 2.6.22, so the vast majority of servers are at risk. More information about this vulnerability is available here: CVE-2016-5195. The Threat Response 3.0.5 release includes updates to the Virtual Appliance Linux kernel so that the appliance software is not vulnerable to CVE-2016-5195.
- TAP Integration Enhancement - URL Threats Checkbox: Starting with the 3.0.5 release, Threat Response provides the flexibility to collect delivered message alerts for URL threats in addition to alerts for permitted clicks and delivered attachment threats.
- NOTE: After the upgrade, you will continue to receive alerts for permitted clicks and delivered attachment threats. However, you will need to enable the checkbox for collecting delivered URL threats by going to Main Navigation Menu > Sources > Proofpoint TAP settings.
- Configurable search refresh interval: Threat Response administrators can choose the frequency of search index updates (5 min to 2 hours). It is recommended that the interval be set to 10 min (the default) or longer.
- Performance improvements.
BUG FIXES
This release delivers the following bug fixes:
- Performance improvements.
- Alerts sent to Threat Response were timing out in some cases
3.0.3 - (November 2016)¶
Summary
Proofpoint Threat Response 3.0.3 (“Threat Response”) is a patch release delivering multiple bug fixes and some minor improvements.
ENHANCEMENTS
The following enhancements have been made in this release:
- Tanium Support: We now support Tanium version 6.5.
- Primary & Secondary User Targets: Starting with this release, users identified as part of the alert itself (e.g. the message recipient) are called the “primary user(s)”, while users inferred from user-to-IP mapping are called the “secondary user(s)”. The Identity page within the incident details now shows primary and secondary users separately from each other. Also, primary and secondary users are available as alert Match Condition options when configuring a response action to add user(s) to a user list.
BUG FIXES
This release delivers the following bug fixes:
- Single Email quarantine action is tracked in Incident Activity even though there are multiple Emails quarantined
- Viewing or assigning an incident with a lot of alerts (1000 or more) takes more than a minute and in some cases leads to a UI freeze.
- Test servlet sets the wrong “accept” header when testing PAC file retrieval
- User role filtering is broken for Match Conditions
- An error page is observed in the threat intel page when the user applies multiple filters, one of which has an empty value
3.0.2 - (October 2016)¶
Summary of 3.0.2 release
Proofpoint Threat Response 3.0.2 (“Threat Response”) is a patch release delivering multiple bug fixes and some minor improvements.
ENHANCEMENTS
The following enhancements have been made in this release:
- Threat Response now supports Web Proxy PAC configuration.
- Audit log live filtering performance has been improved.
BUG FIXES
This release delivers the following bug fixes:
- Not able to poll local Soltra TAXII server over SSL. Local and self-signed certs are not supported by Threat Response TAXII client.
- PC Data collection activity is timing out while finding correlations
- Appliance becomes unresponsive after downloading attachment from an incident
- No validation message is displayed upon adding invalid quarantine mailbox
- Campaign count in incident list is not matching with the count in incident overview
- Successful message quarantine count showing in Incident Activity does not count forwarded messages correctly.
- Manual PC data collection fails on new version of Tanium (esp. Tanium 6.5 and 7.0)
- Automatic PC data collection is not triggered due to timeout
- PC Data collection is timing out while finding correlations
- Threat Response 2.5.6 to 3.0.0 upgrade failed
- 500 Internal Server error shown while accessing Alerts tab in few incidents
- User is unable to add alert source with source location details
- Previously viewed external threat intelligence observable is missing in the UI upon clicking on another observable.
- Threat Response email quarantine feature was not quarantining sent messages from deleted folder.
- Windows binaries (e.g. DC agent) are signed using deprecated SHA1 hash
- Device mapping details are not recorded in audit logs
- Query Tanium is not enabled when set target is changed to internal IP
- Tanium query start time and end time are identical during and after queries
3.0.1 - (September 2016)¶
Summary of 3.0.1 release
Proofpoint Threat Response 3.0.1 (“Threat Response”) is a patch release delivering multiple bug fixes and some minor improvements.
FEATURE ENHANCEMENTS
Exchange Quarantine Enhancement
The following enhancements have been made to the email quarantine feature:
- Threat Response will automatically identify all mailboxes that received the malicious messages from the initial recipient of the malicious message (email forwarded internally or users added to a replied message) and quarantine the malicious message across all those mailboxes. The details of this quarantine activity are tracked in the Incident Activity page.
- Threat Response now supports “Application Impersonation” role besides the existing Full Access permissions in Exchange.
TAP SIEM API v2.0
Threat Response 3.0.1 supports Proofpoint TAP SIEM API v2.0. In order to integrate TAP alerts with Threat Response, you will need to generate the API keys and configure them in Threat Response by navigating to Sources > Proofpoint TAP alert source. You need to provide the following values:
- Service principal
- Secret
PC Data Enhancements
The PC Data Collection feature has received the following improvements:
- When running a collection manually, you can test if the host is reachable by clicking the “Test” button.
- If the target host has not been set, Threat Response UI provides a link to configure it.
- Start Collection pop-up now supports entering a different host name or IP besides the targeted host in the incident.
- The Host Information section is now part of the respective collection details.
BUG FIXES
Threat Response 3.0.1 delivers the following bug fixes:
- User information of a manual incident is not recorded in user incident volume report
- Incident overview page does not show the right Username of email recipient
- Error page is displayed upon performing global search using MD5 hash
- Comment added while quarantining an email is not tracked in incident activity page
- Security alerts count at the header is not matching the actual alerts count
- PC Data collection hangs while collecting General Host Info.
- “Connection Pending” status is always displayed upon re-adding a Splunk source
3.0.0 - (August 2016)¶
Summary of 3.0.0 release
Proofpoint Threat Response 3.0.0 (“Threat Response”) is a major release delivering new features and multiple product improvements.
NEW FEATURES
Threat Intelligence Management
Threat Response provides methods to import third-party threat intelligence feeds to enable the following use cases:
- Enrich incidents, alerts, and PC data collection with threat intelligence data. (All matches are clearly highlighted in the UI.)
- Proactively block malicious IPs, hosts, domains, URLs, and file hashes received in a threat intelligence feed by pushing them to supported devices, such as firewalls and Web security solutions.
- Manage collected threat intelligence. Security analysts can take action on one or more observables by enabling/disabling observables, changing confidence, adding observables, and adding a comment.
Threat Response supports the following methods for importing threat intelligence from external sources:
- Automated: Threat Response can automatically import threat intelligence feeds for any source that supports STIX and TAXII, e.g. Soltra Edge and HailaTaxii.com.
- Manual: Security analysts can import one or more (bulk) observables (CybOX) using the following methods:
- Import a STIX file.
- Copy/paste one or more observables in the Threat Response UI.
In this release, Threat Response supports the following types of observables:
- IP Address
- Domain
- Host
- URL
- MD5
- SHA256
Proofpoint Threat Graph
With this release, Threat Response provides integrated threat intelligence from Proofpoint:
- Proofpoint Email Campaign Intelligence: Threat Response will now display Proofpoint campaign details for linked IOCs (IP, Host, Domain, URL, file hash) reported in security alerts and PC data collections. Security analysts can take action from the UI by:
- Reading campaign write-ups which include the following details:
- Campaign Description
- Active Timeframes
- Actors
- Malware Families
- Exploit Kits
- Launching into Proofpoint Targeted Attack Protection (TAP) 2.0 dashboard to gain context of the campaign.
- Emerging Threats Intelligence (“ET”): We have improved this integration in this release. Indicators (IP/Host/Domain) that are on the ET Rep List are automatically highlighted with links to launch into the ET Intel Portal for more details on the malicious entity, including up to five years of history.
Note
Threat Response will enrich indicators in an incident with Proofpoint email campaigns and/or ET Intelligence even if you are not a licensed user of the Proofpoint TAP or ET Intelligence products. However, in order to launch the ET Intel or Proofpoint Targeted Attack Protection (TAP) UI in context from the Threat Response UI, you need a valid license for them.
Dashboards & Reports
Threat Response delivers the following new dashboards and reports:
- Dashboards
- Incident Summary: The Incident Summary dashboard provides a quick overview of all the incidents in Threat Response, including widgets such as “Incidents by Status,” “Incidents by Assignee,” and “Incident Timeline.”
- Threat Summary: The Threat Summary dashboard provides a quick overview of all the active threats linked to incidents and collected third-party threat intelligence.
- System Status: The System Status dashboard summarizes the overall health of the Threat Response appliance, including configured alert sources, devices, and DC agents.
- Reports
- Top 10 Campaigns
- Top 10 Malware Families
- Threat Intel – Volume
- Threat Intel – Summary
- Matched Indicator Types
Incident Workflow Improvements
Numerous enhancements have been made to the incident management workflow:
- Filtered Views: Apply a set of filters to quickly locate incidents in the system.
- Bulk Actions: Bulk-execute actions, such as assignment, commenting, and closing.
- New PC Data: User accounts (local and domain) and DNS cache data have been added to the collection.
- Attachments: Attach files (25 MB max) to incidents.
- Enhanced Response Controls: Responses can now be executed from any page in an incident.
Custom Event Source
The JSON Event source used to send custom events to Threat Response has been extended to support the following new fields:
- Attacker Port
- Target Port
- Result (the resulting action by the detection system—e.g. drop packet, reset connection)
User Experience and UI Improvements
We want users to have a great experience using Threat Response. To that end, the design of the following pages, among others, has been significantly improved:
- Incident List page
- Incident > Alerts page
- Incident > PC Data page
- Incident > Hosts page
- Incident > Detail dialogues
- Tanium query page
- Search
- System Settings
Integrations
The following integrations have been added to this release:
- Soltra Edge: Threat Response supports a STIX/TAXII-based collection of third-party intelligence feeds from Soltra Edge. Soltra Edge is used by industry ISACs, such as FS-ISAC and NH-ISAC.
- Palo Alto Panorama: Threat Response now leverages Palo Alto Panorama to publish lists of IPs, domains, hosts, and URLs to Palo Alto NG-Firewalls devices by using device groups defined in Panorama.
- CyberArk: Threat Response can block or limit access of privileged users to sensitive servers and hosts using CyberArk Enterprise Vault.
- Imperva: Threat Response can block or limit access of users to sensitive databases, web applications, and files by integrating with Imperva SecureSphere.
- Tanium: All collections performed via Tanium are now saved in Threat Response.