Proofpoint Forensics & Threat Response
Overview
Proofpoint Forensics provides deep investigation capabilities for email-borne threats. When a threat is detected after delivery, Proofpoint Threat Response Auto-Pull (TRAP) can automatically or manually remediate messages that have already reached user mailboxes. This skill covers evidence collection, message investigation, search and destroy operations, and incident response workflows.
TRAP integrates with Microsoft 365 and Google Workspace to move or delete messages from user mailboxes after delivery, closing the gap between detection and remediation.
Key Concepts
Remediation Actions
| Action | Description | Reversible |
|---|---|---|
auto-pull | Automatic removal of delivered threats | Yes (within retention) |
search-and-destroy | Manual search and removal across mailboxes | Yes (within retention) |
move-to-junk | Move message to user's junk folder | Yes |
soft-delete | Delete message (recoverable from deleted items) | Yes |
hard-delete | Permanently delete message | No |
quarantine | Move to admin quarantine | Yes |
Evidence Types
| Type | Description | Contents |
|---|---|---|
screenshot | Screenshot of threat page/attachment | PNG image of rendered content |
pcap | Network capture from sandbox | Full packet capture during detonation |
sample | Malware sample | Original malicious file |
headers | Email headers | Full RFC 822 headers |
urls | Extracted URLs | All URLs found in the message |
attachments | Attachment metadata | File names, hashes, sizes |
sandbox_report | Sandbox detonation report | Behavioral analysis results |
Investigation Status
| Status | Description |
|---|---|
pending | Investigation initiated, awaiting results |
in_progress | Analysis is actively running |
completed | Investigation finished with results |
failed | Investigation could not be completed |
remediated | Threat has been remediated |
Auto-Pull Modes
| Mode | Description |
|---|---|
automatic | Messages pulled immediately upon threat reclassification |
confirmation | Admin must confirm before pull (notification sent) |
disabled | Auto-pull is off; manual search-and-destroy only |
Field Reference
Forensic Report Fields
| Field | Type | Description |
|---|---|---|
id | string | Unique forensic report identifier |
GUID | string | Message GUID (links to TAP events) |
scope | string | online (cloud analysis) or sandbox (detonation) |
type | string | Type of forensic evidence |
name | string | Display name for the evidence |
threatTime | datetime | When the threat was classified |
engineResults | object[] | Results from analysis engines |
platforms | object[] | Platforms where evidence was collected |
Engine Result Fields
| Field | Type | Description |
|---|---|---|
engine | string | Analysis engine name |
verdict | string | malicious, suspicious, benign |
score | int | Confidence score (0-100) |
details | string | Detailed analysis findings |
iocs | object[] | IOCs extracted by this engine |
Search-and-Destroy Fields
| Field | Type | Description |
|---|---|---|
operationId | string | Unique operation identifier |
status | string | pending, in_progress, completed, failed |
criteria | object | Search criteria used |
matchCount | int | Number of messages matched |
remediatedCount | int | Number of messages remediated |
failedCount | int | Number of messages that failed remediation |
startTime | datetime | When the operation started |
endTime | datetime | When the operation completed |
initiatedBy | string | Who started the operation |
Message Trace Fields
| Field | Type | Description |
|---|---|---|
GUID | string | Message GUID |
messageId | string | RFC 822 Message-ID header |
sender | string | Envelope sender |
recipients | string[] | All recipients |
subject | string | Message subject |
receivedTime | datetime | When Proofpoint received the message |
deliveryTime | datetime | When delivered to mailbox |
disposition | string | Final message disposition |
policyActions | string[] | Policy actions applied |
routingPath | string[] | Mail routing hops |
MCP Tools
| Tool | Description | Key Parameters |
|---|---|---|
proofpoint_forensics_get_report | Get forensic report for a threat | threatId, GUID |
proofpoint_forensics_get_evidence | Download evidence artifacts | reportId, evidenceType |
proofpoint_forensics_search_destroy | Initiate search and destroy | sender, subject, messageId, action |
proofpoint_forensics_get_operation | Check status of a search-and-destroy | operationId |
proofpoint_forensics_list_operations | List recent operations | status, startDate, endDate |
proofpoint_forensics_message_trace | Trace a message through the system | GUID, messageId, sender, recipient |
proofpoint_forensics_auto_pull_status | Check auto-pull configuration | - |
proofpoint_forensics_get_sandbox_report | Get sandbox detonation report | threatId |
Common Workflows
Investigate a Delivered Threat
- From a TAP delivered-message event, get the
GUIDandthreatID - Call
proofpoint_forensics_get_reportto get the full forensic analysis - Review sandbox results and extracted IOCs
- Call
proofpoint_forensics_get_evidencefor screenshots and pcaps - Determine impact: how many users received the message?
- If remediation is needed, proceed with search-and-destroy
Search and Destroy Operation
- Identify the message to remediate (by sender, subject, or messageId)
- Call
proofpoint_forensics_search_destroywith criteria andaction=soft-delete - Note the
operationIdfrom the response - Call
proofpoint_forensics_get_operationto monitor progress - Verify
remediatedCountmatches expected scope - Document the operation for incident records
Post-Incident Evidence Collection
- Call
proofpoint_forensics_get_reportfor the threat - Download all evidence types: screenshots, pcaps, samples
- Call
proofpoint_forensics_get_sandbox_reportfor behavioral analysis - Extract IOCs from the forensic report
- Cross-reference IOCs with threat intelligence
- Package evidence for incident report
Message Trace Investigation
- User reports a suspicious message they received
- Call
proofpoint_forensics_message_tracewith sender and recipient - Review the routing path and policy actions applied
- Check if TAP flagged the message and what disposition was applied
- If the message was delivered and is malicious, initiate search-and-destroy
- If the message was blocked, confirm with the user
Auto-Pull Verification
- Call
proofpoint_forensics_auto_pull_statusto check configuration - Verify auto-pull is enabled for the organization
- Review the auto-pull mode (automatic vs. confirmation)
- Check recent auto-pull operations for success rate
- Adjust configuration if messages are not being pulled as expected
Error Handling
Common API Errors
| Code | Message | Resolution |
|---|---|---|
| 400 | Invalid search criteria | At least one search criterion is required |
| 400 | Invalid action | Use soft-delete, hard-delete, move-to-junk, or quarantine |
| 401 | Authentication failed | Verify service principal and secret |
| 403 | TRAP access not enabled | Ensure your license includes Threat Response |
| 403 | Insufficient permissions for hard-delete | Hard-delete requires elevated admin permissions |
| 404 | Forensic report not found | Report may not be available for all threats |
| 404 | Operation not found | Verify the operation ID |
| 409 | O |