Proofpoint TAP

Proofpoint Targeted Attack Protection (TAP) is a cloud service that analyzes and blocks threats arriving through email. You can send Proofpoint TAP logs to SIEM (InsightIDR) through the Proofpoint SIEM API. SIEM (InsightIDR) captures click and message events from Proofpoint TAP.

SIEM (InsightIDR) only generates alerts for message events when the value of the impostorScore, phishScore, or malwareScore field is greater than 60. SIEM (InsightIDR) does not generate alerts for spam messages, even if the spamScore field is greater than 60. SIEM (InsightIDR) also does not generate alerts for messagesBlocked events, as no user action is required for a message that Proofpoint has already blocked.
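The alert rule above, applied to a Proofpoint TAP SIEM API response, as an added example (this is not InsightIDR's own code). The response shape assumed here is the one the TAP `/v2/siem/all` endpoint returns: a JSON object with clicksPermitted, clicksBlocked, messagesDelivered and messagesBlocked arrays; the events in SAMPLE_RESPONSE are constructed for this example and the thresholds are taken from the text.

```python
"""Apply the page's alert rule to a Proofpoint TAP SIEM API response.

Added example, not InsightIDR code. Assumes the TAP SIEM API response
layout (four event arrays); the sample events are constructed here.
"""
import json
from typing import Optional

ALERT_THRESHOLD = 60
# Only these three scores can raise an alert; spamScore is deliberately ignored.
ALERT_SCORES = ("impostorScore", "phishScore", "malwareScore")

# Constructed sample response modelled on the TAP SIEM API (not real traffic).
SAMPLE_RESPONSE = json.dumps({
    "queryEndTime": "2024-01-01T01:00:00Z",
    "clicksPermitted": [
        {"messageID": "m1", "classification": "MALWARE",
         "recipient": "jsmith@myorg.example.com", "url": "http://example.invalid/"}
    ],
    "clicksBlocked": [],
    "messagesDelivered": [
        {"messageID": "m2", "subject": "Invoice", "impostorScore": 0,
         "phishScore": 85, "malwareScore": 0, "spamScore": 10},
        {"messageID": "m3", "subject": "Newsletter", "impostorScore": 0,
         "phishScore": 5, "malwareScore": 0, "spamScore": 99},
    ],
    "messagesBlocked": [
        {"messageID": "m4", "subject": "Blocked", "impostorScore": 0,
         "phishScore": 0, "malwareScore": 100, "spamScore": 4},
    ],
})


def should_alert(message: dict) -> Optional[str]:
    """Return the first score field strictly greater than 60, or None.

    A score of exactly 60 does not alert; a spamScore of any value does not.
    """
    for field in ALERT_SCORES:
        if message.get(field, 0) > ALERT_THRESHOLD:
            return field
    return None


def triage(raw_response: str) -> dict:
    """Classify one API response into alerts and per-type ingestion counts.

    Only messagesDelivered events are eligible for alerts; messagesBlocked
    events are ingested for search but never alerted on, matching the page.
    Click events are counted as ingested; the page states no threshold for them.
    """
    data = json.loads(raw_response)
    alerts = []
    for msg in data.get("messagesDelivered", []):
        field = should_alert(msg)
        if field is not None:
            alerts.append({"messageID": msg["messageID"],
                           "trigger": field, "score": msg[field]})
    ingested = {
        name: len(data.get(name, []))
        for name in ("clicksPermitted", "clicksBlocked",
                     "messagesDelivered", "messagesBlocked")
    }
    return {"alerts": alerts, "ingested": ingested}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_RESPONSE), indent=2))
```

Running the block on the constructed response yields one alert (m2, phishScore 85): m3 is ignored despite a spamScore of 99, and m4 is ignored because it is a blocked message even though its malwareScore is 100.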

To learn more about Proofpoint TAP, visit their API documentation at: https://help.proofpoint.com/Threat_Insight_Dashboard/API_Documentation/SIEM_API

⚠️

Proofpoint TAP Query Limits

Due to Proofpoint TAP API restrictions, the collector will only attempt to retrieve logs created within the past 7 days. The collector will then make multiple requests to collect historical data until it’s caught up, gathering up to 1 hour of log data at a time.

The event types that SIEM (InsightIDR) can parse from this event source are:

  • Web Proxy events
  • Third Party Alerts

There are two ways to send data from your Proofpoint TAP account to SIEM (InsightIDR): event collection through the Cloud, or through an on-premises Rapid7 Collector.

ℹ️

Cloud event sources are being phased in from December 2023

SIEM (InsightIDR) is adding cloud event collection capabilities to a select number of supported event sources, and this one is included. This is a phased release, so if your environment does not yet display the Run on Cloud option, please be patient; your environment will update shortly.

To set up the Proofpoint TAP event source, complete these steps:

  1. Read the requirements and complete any prerequisite steps.
  2. Configure Proofpoint TAP to send data to SIEM (InsightIDR).
  3. Configure SIEM (InsightIDR) to receive data from the event source.
  4. Verify the configuration works.

Requirements

For collector-based configurations, ensure that your collector can access tap-api-v2.proofpoint.com by configuring any necessary firewall or web proxy rules.

Configure Proofpoint TAP to send data to SIEM (InsightIDR)

To send Proofpoint TAP logs to SIEM (InsightIDR), you must set up a credential in your Proofpoint TAP dashboard.

SIEM (InsightIDR) collects data from Proofpoint TAP by making an API call to https://tap-api-v2.proofpoint.com/v2/siem/all?format=json&interval=PT1H/<DATE_PLACEHOLDER>.

To authenticate with the Proofpoint API, SIEM (InsightIDR) uses a Principal ID and Secret Key that you can create by setting up a credential in your TAP dashboard.
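How the collector's windowed polling fits together, as an added example (not Rapid7's collector code): it builds the one-hour `PT1H/<start>` intervals needed to catch up from the last checkpoint, clamps the oldest start to the 7-day limit from the query-limits note above, and forms the request against the endpoint shown on this page. Authenticating with HTTP Basic auth using the Service Principal as username and the Secret as password is an assumption about the TAP API made here, not something the page states; the credential values are placeholders.

```python
"""Walk the Proofpoint TAP SIEM API in one-hour windows, at most 7 days back.

Added example, not Rapid7's collector. Assumes the /v2/siem/all endpoint
from this page and Basic auth with principal:secret (an assumption).
"""
import base64
from datetime import datetime, timedelta, timezone
import urllib.request

TAP_ENDPOINT = "https://tap-api-v2.proofpoint.com/v2/siem/all"
MAX_LOOKBACK = timedelta(days=7)   # TAP will not serve events older than this
WINDOW = timedelta(hours=1)        # the collector gathers one hour per request


def iso_z(ts: datetime) -> str:
    """Render a datetime as the UTC ISO-8601 form used in the interval (…Z)."""
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def catch_up_windows(last_checkpoint: datetime, now: datetime) -> list:
    """Return the interval values needed to catch up from a checkpoint to now.

    Each value is PT1H/<start>, a one-hour window beginning at <start>.
    A checkpoint older than 7 days is clamped to now - 7 days, since the API
    refuses older data. A trailing partial hour is not requested yet, so a
    window is only fetched once it has fully elapsed.
    """
    start = max(last_checkpoint, now - MAX_LOOKBACK)
    windows = []
    while start + WINDOW <= now:
        windows.append(f"PT1H/{iso_z(start)}")
        start += WINDOW
    return windows


def build_request(principal: str, secret: str, interval: str) -> urllib.request.Request:
    """Build the GET for one window; credentials go in a Basic auth header."""
    url = f"{TAP_ENDPOINT}?format=json&interval={interval}"
    token = base64.b64encode(f"{principal}:{secret}".encode()).decode()
    return urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})


if __name__ == "__main__":
    # Placeholder credentials: substitute the values recorded from the TAP dashboard.
    principal, secret = "<SERVICE_PRINCIPAL>", "<SECRET>"
    now = datetime.now(timezone.utc)
    for interval in catch_up_windows(now - timedelta(days=10), now):
        req = build_request(principal, secret, interval)
        print(req.full_url)   # send with urllib.request.urlopen(req) when credentials are real
```

Persist the start of the last successfully fetched window as the checkpoint; on the next run `catch_up_windows` resumes from it, and a checkpoint more than 7 days old silently loses the gap, which is the behaviour the query-limits note describes.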

To create a credential in Proofpoint TAP:

  1. Log in to your Proofpoint TAP dashboard.
  2. Click the Settings tab.
  3. On the left side of the screen, click Connected Applications. The Service credentials section will open.
  4. In the Name section, select Create New Credential.
  5. Type the name <xyz.corp> and click the Generate button.
  6. In the Generated Service Credential pop-up, the Service Principal and Secret values are shown. Record these values to enter later in SIEM (InsightIDR).

Configure SIEM (InsightIDR) to receive data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in SIEM (InsightIDR).

Task 1: Select Proofpoint TAP

  1. From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for Proofpoint Targeted Attack Protection in the event sources search bar.
    • In the Product Type filter, select Cloud Service.
  3. Select the Proofpoint Targeted Attack Protection event source tile.

Task 2: Set up your collection method

There are two methods of collecting data from Proofpoint TAP: through a cloud connection or through a collector.

ℹ️

New credentials are required for cloud event sources

You cannot reuse existing on-premises credentials to create a cloud connection with this event source. You must create new credentials.

Use the Cloud Connection method

  1. In the Add Event Source panel, select Run On Cloud.
  2. Name the event source. This will be the name of the log that contains the event data in Log Search. If you do not name the event source, the log name will default to Proofpoint TAP.
  3. Optionally, select the option to send unparsed data.
  4. Select your Account Attribution preference:
    • Use short name attribution: The system first attempts to attribute data by email address, for example, jsmith@myorg.example.com. If the first attempt is unsuccessful, attribution is attempted by short name, for example, jsmith. If the short name is unsuccessful, attribution is attempted by a user’s first and last name, for example, John Smith.
    • Use fully qualified domain name attribution: The system first attempts to attribute data by email address, for example, jsmith@myorg.example.com. If the first attempt is unsuccessful, attribution is attempted by a user’s first and last name, for example, John Smith. This option is best if your environment has collisions with short names.
  5. Optionally, in a multi-domain environment, use the dropdown menu to select your main Active Directory domain. See Deploy in Multi-domain Environments and Advanced Event Source Settings.
  6. Select an attribution source.
  7. Click Add a New Connection.
  8. In the Create a Cloud Connection screen, enter a name for the new connection.
  9. In the Secret field, add a new credential:
    1. Name your credential.
    2. Describe your credential.
    3. Select the credential type.
    4. Enter the Proofpoint TAP Secret you obtained in Configure Proofpoint TAP to send data to SIEM (InsightIDR).
    5. Specify the product access for this credential.
  10. In the Service Principal field, add a new credential:
    1. Name your credential.
    2. Describe your credential.
    3. Select the credential type.
    4. Enter the Proofpoint TAP Service Principal you obtained in Configure Proofpoint TAP to send data to SIEM (InsightIDR).
    5. Specify the product access for this credential.
  11. Click Save Connection.
  12. Click Save.

Use the Collector method

  1. In the Add Event Source panel, select Run On Collector.
  2. Name the event source. This will be the name of the log that contains the event data in Log Search. If you do not name the event source, the log name will default to Proofpoint TAP.
  3. Optionally, select the option to send unparsed data.
  4. Select your Account Attribution preference:
    • Use short name attribution: The system first attempts to attribute data by email address, for example, jsmith@myorg.example.com. If the first attempt is unsuccessful, attribution is attempted by short name, for example, jsmith. If the short name is unsuccessful, attribution is attempted by a user’s first and last name, for example, John Smith.
    • Use fully qualified domain name attribution: The system first attempts to attribute data by email address, for example, jsmith@myorg.example.com. If the first attempt is unsuccessful, attribution is attempted by a user’s first and last name, for example, John Smith. This option is best if your environment has collisions with short names.
  5. Optionally, in a multi-domain environment, use the dropdown menu to select your main Active Directory domain. See Deploy in Multi-domain Environments and Advanced Event Source Settings.
  6. Select an attribution source.
  7. Select your Proofpoint TAP credentials or, optionally, create a new credential. For new credentials enter the Service Principal and Secret values that you generated earlier.
  8. Click Save.

Test the configuration

The event types that SIEM (InsightIDR) parses from this event source are:

  • Web Proxy
  • Third Party Alert

To test that event data is flowing into SIEM (InsightIDR):

  1. View the raw logs.
    • From the Data Collection Management page, click the Event Sources tab.
    • Find the event source you created and click View raw log. If the Raw Logs modal displays raw log entries, logs are successfully flowing to SIEM (InsightIDR).
  2. Use Log Search to find the log entries. After approximately seven minutes, you can verify that log entries are appearing in Log Search.
    • From the left menu, go to Log Search.
    • In the Log Search filter, search for the new event source you created.
    • Select the log sets and the log names under each log set.
    • Set the time range to Last 10 minutes and click Run.

The Results table displays all log entries that flowed into SIEM (InsightIDR) in the last 10 minutes. The keys and values that are displayed are helpful when you want to build a query and search your logs.

Sample logs

In Log Search, the log that is generated uses the name of your event source by default. The log appears under the Web Proxy and Third Party Alert log sets.

To help you visualize the event logs that this event source generates, here are some sample logs:

Click event (ClicksPermitted):

{ "campaignId": "46e01b8a-c899-404d-bcd9-189bb393d1a7", "classification": "MALWARE", "clickIP": "192.0.2.1", "clickTime": "2016-06-24T19:17:44.000Z", "messageID": "8c6cfedd-3050-4d65-8c09-c5f65c38da81", "recipient": "bruce.wayne@pharmtech.zz", "sender": "9facbf452def2d7efc5b5c48cdb837fa@badguy.zz", "senderIP": "192.0.2.255", "threatID": "61f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50", "threatTime": "2020-03-01T12:17:46.000Z", "threatURL": "https://threatinsight.proofpoint.com/#/73aa0499-dfc8-75eb-1de8-a471b24a2e75/threat/u/61f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50", "url": "http://badguy.zz/", "userAgent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0", "eventTypeString": "ClicksPermitted" }

Message event (MessagesBlocked):

{ "GUID": "c26dbea0-80d5-463b-b93c-4e8b708219ce", "QID": "r2FNwRHF004109", "ccAddresses": ["bruce.wayne@university-of-education.zz"], "clusterId": "pharmtech_hosted", "completelyRewritten": "true", "fromAddress": "badguy@evil.zz", "headerCC": "\"Bruce Wayne\" <bruce.wayne@university-of-education.zz>", "headerFrom": "\"A. Badguy\" <badguy@evil.zz>", "headerReplyTo": null, "headerTo": "\"Clark Kent\" <clark.kent@pharmtech.zz>; \"Diana Prince\" <diana.prince@pharmtech.zz>", "impostorScore": 0, "malwareScore": 100, "messageID": "20160624211145.62086.mail@evil.zz", "xmailer": "Spambot v2.5", "messageParts": [{ "contentType": "text/plain", "disposition": "inline", "filename": "text.txt", "md5": "008c5926ca861023c1d2a36653fd88e2", "oContentType": "text/plain", "sandboxStatus": "unsupported", "sha256": "85738f8f9a7f1b04b5329c590ebcb9e425925c6d0984089c43a022de4f19c281" }, { "contentType": "application/pdf", "disposition": "attached", "filename": "Invoice for Pharmtech.pdf", "md5": "5873c7d37608e0d49bcaa6f32b6c731f", "oContentType": "application/pdf", "sandboxStatus": "threat", "sha256": "2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca" }], "messageTime": "2020-03-01T12:59:38.000Z", "modulesRun": ["pdr", "sandbox", "spam", "urldefense"], "phishScore": 46, "policyRoutes": ["default_inbound", "executives"], "quarantineFolder": "Attachment Defense", "quarantineRule": "module.sandbox.threat", "recipient": ["clark.kent@pharmtech.zz", "diana.prince@pharmtech.zz"], "replyToAddress": null, "sender": "e99d7ed5580193f36a51f597bc2c0210@evil.zz", "senderIP": "192.0.2.255", "spamScore": 4, "subject": "Please find a totally safe invoice attached.", "threatsInfoMap": [{ "campaignId": "46e01b8a-c899-404d-bcd9-189bb393d1a7", "classification": "MALWARE", "threat": "2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca", "threatId": "2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca", "threatStatus": "active", "threatTime": "2016-06-24T21:18:38.000Z", "threatType": "ATTACHMENT", "threatUrl": "https://threatinsight.proofpoint.com/#/73aa0499-dfc8-75eb-1de8-a471b24a2e75/threat/u/2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca" }, { "campaignId": "46e01b8a-c899-404d-bcd9-189bb393d1a7", "classification": "MALWARE", "threat": "badsite.zz", "threatId": "3ba97fc852c66a7ba761450edfdfb9f4ffab74715b591294f78b5e37a76481aa", "threatTime": "2016-06-24T21:18:07.000Z", "threatType": "URL", "threatUrl": "https://threatinsight.proofpoint.com/#/73aa0499-dfc8-75eb-1de8-a471b24a2e75/threat/u/3ba97fc852c66a7ba761450edfdfb9f4ffab74715b591294f78b5e37a76481aa" }], "toAddresses": ["clark.kent@pharmtech.zz", "diana.prince@pharmtech.zz"], "eventTypeString": "MessagesBlocked" }