From the proofpoint plugin (category: Guides)

Proofpoint Forensics and threat response for email-borne threats: auto-pull, search-and-destroy, message trace, evidence collection, and post-delivery remediation workflows.

Install: npx claudepluginhub wyre-technology/msp-claude-plugins --plugin proofpoint

Trigger: by the user, by Claude, or both. Slash command: /proofpoint:forensics

The summary Claude sees in its skill listing (used to decide when to auto-load this skill):
Proofpoint Forensics provides deep investigation capabilities for email-borne threats. When a threat is detected after delivery, Proofpoint Threat Response Auto-Pull (TRAP) can automatically or manually remediate messages that have already reached user mailboxes. This skill covers evidence collection, message investigation, search and destroy operations, and incident response workflows.
TRAP integrates with Microsoft 365 and Google Workspace to move or delete messages from user mailboxes after delivery, closing the gap between detection and remediation.

Remediation actions:

| Action | Description | Reversible |
|---|---|---|
| auto-pull | Automatic removal of delivered threats | Yes (within retention) |
| search-and-destroy | Manual search and removal across mailboxes | Yes (within retention) |
| move-to-junk | Move message to user's junk folder | Yes |
| soft-delete | Delete message (recoverable from deleted items) | Yes |
| hard-delete | Permanently delete message | No |
| quarantine | Move to admin quarantine | Yes |

Evidence types:

| Type | Description | Contents |
|---|---|---|
| screenshot | Screenshot of threat page/attachment | PNG image of rendered content |
| pcap | Network capture from sandbox | Full packet capture during detonation |
| sample | Malware sample | Original malicious file |
| headers | Email headers | Full RFC 822 headers |
| urls | Extracted URLs | All URLs found in the message |
| attachments | Attachment metadata | File names, hashes, sizes |
| sandbox_report | Sandbox detonation report | Behavioral analysis results |

Investigation statuses:

| Status | Description |
|---|---|
| pending | Investigation initiated, awaiting results |
| in_progress | Analysis is actively running |
| completed | Investigation finished with results |
| failed | Investigation could not be completed |
| remediated | Threat has been remediated |

Auto-pull modes:

| Mode | Description |
|---|---|
| automatic | Messages pulled immediately upon threat reclassification |
| confirmation | Admin must confirm before pull (notification sent) |
| disabled | Auto-pull is off; manual search-and-destroy only |

Forensic report fields:

| Field | Type | Description |
|---|---|---|
| id | string | Unique forensic report identifier |
| GUID | string | Message GUID (links to TAP events) |
| scope | string | online (cloud analysis) or sandbox (detonation) |
| type | string | Type of forensic evidence |
| name | string | Display name for the evidence |
| threatTime | datetime | When the threat was classified |
| engineResults | object[] | Results from analysis engines |
| platforms | object[] | Platforms where evidence was collected |

Engine result fields (each entry of engineResults):

| Field | Type | Description |
|---|---|---|
| engine | string | Analysis engine name |
| verdict | string | malicious, suspicious, benign |
| score | int | Confidence score (0-100) |
| details | string | Detailed analysis findings |
| iocs | object[] | IOCs extracted by this engine |

Search-and-destroy operation fields:

| Field | Type | Description |
|---|---|---|
| operationId | string | Unique operation identifier |
| status | string | pending, in_progress, completed, failed |
| criteria | object | Search criteria used |
| matchCount | int | Number of messages matched |
| remediatedCount | int | Number of messages remediated |
| failedCount | int | Number of messages that failed remediation |
| startTime | datetime | When the operation started |
| endTime | datetime | When the operation completed |
| initiatedBy | string | Who started the operation |

Message trace fields:

| Field | Type | Description |
|---|---|---|
| GUID | string | Message GUID |
| messageId | string | RFC 822 Message-ID header |
| sender | string | Envelope sender |
| recipients | string[] | All recipients |
| subject | string | Message subject |
| receivedTime | datetime | When Proofpoint received the message |
| deliveryTime | datetime | When delivered to mailbox |
| disposition | string | Final message disposition |
| policyActions | string[] | Policy actions applied |
| routingPath | string[] | Mail routing hops |

Tools:

| Tool | Description | Key Parameters |
|---|---|---|
| proofpoint_forensics_get_report | Get forensic report for a threat | threatId, GUID |
| proofpoint_forensics_get_evidence | Download evidence artifacts | reportId, evidenceType |
| proofpoint_forensics_search_destroy | Initiate search and destroy | sender, subject, messageId, action |
| proofpoint_forensics_get_operation | Check status of a search-and-destroy | operationId |
| proofpoint_forensics_list_operations | List recent operations | status, startDate, endDate |
| proofpoint_forensics_message_trace | Trace a message through the system | GUID, messageId, sender, recipient |
| proofpoint_forensics_auto_pull_status | Check auto-pull configuration | - |
| proofpoint_forensics_get_sandbox_report | Get sandbox detonation report | threatId |

Workflows:

Investigate a delivered threat:
1. Obtain the message GUID and threatId.
2. Call proofpoint_forensics_get_report to get the full forensic analysis.
3. Call proofpoint_forensics_get_evidence for screenshots and pcaps.

Search and destroy:
1. Call proofpoint_forensics_search_destroy with criteria and action=soft-delete.
2. Take the operationId from the response.
3. Poll proofpoint_forensics_get_operation to monitor progress.
4. Verify that remediatedCount matches the expected scope.

Sandbox analysis:
1. Call proofpoint_forensics_get_report for the threat.
2. Call proofpoint_forensics_get_sandbox_report for behavioral analysis.

Message trace: call proofpoint_forensics_message_trace with sender and recipient.

Auto-pull: call proofpoint_forensics_auto_pull_status to check configuration.

Error codes:

| Code | Message | Resolution |
|---|---|---|
| 400 | Invalid search criteria | At least one search criterion is required |
| 400 | Invalid action | Use soft-delete, hard-delete, move-to-junk, or quarantine |
| 401 | Authentication failed | Verify service principal and secret |
| 403 | TRAP access not enabled | Ensure your license includes Threat Response |
| 403 | Insufficient permissions for hard-delete | Hard-delete requires elevated admin permissions |
| 404 | Forensic report not found | Report may not be available for all threats |
| 404 | Operation not found | Verify the operation ID |
| 409 | Operation already in progress | Wait for the current operation to complete |
| 429 | Rate limit exceeded | Implement backoff for search-and-destroy operations |

Remediation failure reasons:

| Failure Reason | Resolution |
|---|---|
| Mailbox not accessible | Check Microsoft 365/Google Workspace integration credentials |
| Message already deleted | User may have deleted the message manually |
| Permission denied | Service account needs impersonation rights |
| Mailbox on hold | Legal hold prevents deletion; use move-to-junk instead |
| Timeout | Large-scope operations may timeout; use narrower criteria |
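The script below is an added example, not this plugin's or Proofpoint's own code. It drives the search-and-destroy workflow from the Workflows section end to end and handles the error codes and failure reasons tabled above: it validates criteria locally (the 400 case), refuses hard-delete unless the caller acknowledges it is irreversible, backs off on 429 and 409, polls the operationId until a terminal status, checks that remediatedCount plus failedCount accounts for matchCount, and re-runs with move-to-junk for mailboxes that a legal hold kept from being cleaned. It runs offline against a constructed in-memory stand-in client (FakeTrapClient); the `client.call(tool, **params)` interface, the TrapError code/message shape and the per-mailbox `failures` list are assumptions.

```python
"""Search-and-destroy orchestration for this page's workflow, error codes and
failure reasons (added example; not the plugin's or Proofpoint's own code).
The client.call(tool, **params) interface, the TrapError code/message shape and
the per-mailbox failures list are assumptions; FakeTrapClient is constructed."""
import time

DELETING = {"soft-delete", "hard-delete", "quarantine"}  # blocked by a legal hold
TERMINAL = {"completed", "failed"}


class TrapError(Exception):
    def __init__(self, code, message):
        super().__init__(f"{code}: {message}")
        self.code = code


class FakeTrapClient:
    """Constructed stand-in: three mailboxes hold the message, one under legal hold;
    the first search_destroy call is rate limited; operations finish on the 2nd poll."""

    def __init__(self):
        self.mailboxes = {"alice@example.test": {"state": "inbox", "hold": False},
                          "bob@example.test": {"state": "inbox", "hold": True},
                          "carol@example.test": {"state": "inbox", "hold": False}}
        self._rate_limit_left, self._ops, self.calls = 1, {}, []

    def call(self, tool, **params):
        self.calls.append((tool, params))
        if tool == "proofpoint_forensics_search_destroy":
            if self._rate_limit_left:
                self._rate_limit_left -= 1
                raise TrapError(429, "Rate limit exceeded")
            matched = [m for m, s in self.mailboxes.items() if s["state"] == "inbox"]
            op_id = f"op-{len(self._ops) + 1}"
            self._ops[op_id] = {"operationId": op_id, "status": "pending", "polls": 0,
                                "action": params["action"], "matched": matched,
                                "matchCount": len(matched), "remediatedCount": 0,
                                "failedCount": 0, "failures": []}
            return {"operationId": op_id}
        if tool == "proofpoint_forensics_get_operation":
            op = self._ops.get(params.get("operationId"))
            if op is None:
                raise TrapError(404, "Operation not found")
            op["polls"] += 1
            if op["polls"] >= 2 and op["status"] != "completed":
                op["status"] = "completed"
                for m in op["matched"]:  # apply the action exactly once per mailbox
                    if op["action"] in DELETING and self.mailboxes[m]["hold"]:
                        op["failedCount"] += 1
                        op["failures"].append({"mailbox": m, "reason": "Mailbox on hold"})
                    else:
                        self.mailboxes[m]["state"] = "junk" if op["action"] == "move-to-junk" else "removed"
                        op["remediatedCount"] += 1
            elif op["status"] == "pending":
                op["status"] = "in_progress"
            return {k: v for k, v in op.items() if k not in ("polls", "matched", "action")}
        raise TrapError(404, f"Unknown tool {tool}")


def _call_with_backoff(client, tool, sleep, base_delay, attempts=5, **params):
    """Retry 429 (rate limit) and 409 (operation in progress) with exponential backoff."""
    for attempt in range(attempts):
        try:
            return client.call(tool, **params)
        except TrapError as e:
            if e.code not in (409, 429) or attempt == attempts - 1:
                raise
            sleep(base_delay * 2 ** attempt)


def run_search_and_destroy(client, criteria, action="soft-delete", *, confirm_irreversible=False,
                           sleep=time.sleep, base_delay=0.5, max_polls=60):
    """Initiate, poll to a terminal status, check that the counts add up, and fall
    back to move-to-junk for mailboxes where a legal hold blocked deletion."""
    if not any(criteria.get(k) for k in ("sender", "subject", "messageId")):
        raise ValueError("at least one search criterion is required")  # would be a 400
    if action == "hard-delete" and not confirm_irreversible:
        raise ValueError("hard-delete is not reversible; pass confirm_irreversible=True")
    op_id = _call_with_backoff(client, "proofpoint_forensics_search_destroy", sleep,
                               base_delay, **criteria, action=action)["operationId"]
    for _ in range(max_polls):
        op = _call_with_backoff(client, "proofpoint_forensics_get_operation", sleep,
                                base_delay, operationId=op_id)
        if op["status"] in TERMINAL:
            break
        sleep(base_delay)
    else:
        raise TimeoutError(f"{op_id} not finished after {max_polls} polls")
    accounted = op["remediatedCount"] + op["failedCount"] == op["matchCount"]
    result = {"primary": op, "fallback": None, "complete": accounted and op["failedCount"] == 0}
    held = [f for f in op.get("failures", []) if f.get("reason") == "Mailbox on hold"]
    if held and action != "move-to-junk":  # documented resolution: use move-to-junk instead
        fallback = run_search_and_destroy(client, criteria, "move-to-junk", sleep=sleep,
                                          base_delay=base_delay, max_polls=max_polls)
        result["fallback"] = fallback["primary"]
        result["complete"] = accounted and fallback["complete"]
    return result
```

Calling `run_search_and_destroy(FakeTrapClient(), {"sender": "phisher@example.test"}, sleep=lambda s: None)` shows the shape: the primary soft-delete operation reports 3 matched, 2 remediated, 1 failed on the held mailbox, and the fallback move-to-junk run cleans that last copy. The injectable `sleep` is what makes the backoff and polling testable without waiting; keep it when you swap in a real client.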