Proofpoint TAP

Proofpoint Targeted Attack Protection (TAP) is a cloud service that analyzes and blocks threats arriving through email. You can send its SIEM logs to InsightIDR through the Proofpoint TAP SIEM API. InsightIDR captures both click events and message events from Proofpoint TAP.

InsightIDR only generates alerts for message events when the value of the impostorScore, phishScore, or malwareScore field is greater than 60. InsightIDR does not generate alerts for spam messages, even if the spamScore field is greater than 60. InsightIDR also does not generate alerts for messagesBlocked events, because Proofpoint already blocked the message and no user action is required.

To learn more about Proofpoint TAP, see the Proofpoint TAP SIEM API documentation: https://help.proofpoint.com/Threat_Insight_Dashboard/API_Documentation/SIEM_API

Proofpoint TAP Query Limits

Due to Proofpoint TAP API restrictions, the collector only attempts to retrieve logs created within the past 7 days. It then issues repeated requests, each covering up to 1 hour of log data, until it has caught up on that historical data.

To set up Proofpoint TAP, you’ll need to:

  1. Review Before You Begin and note any requirements.
  2. Configure Proofpoint TAP to send data to your collector.
  3. Set up the Proofpoint TAP event source in InsightIDR.
  4. Verify the configuration works.

Before you begin

Before you can send Proofpoint TAP logs to InsightIDR, you must ensure that your collector can access tap-api-v2.proofpoint.com by configuring any necessary firewall or web proxy rules.

Configure Proofpoint TAP to send data to your collector

To send Proofpoint TAP logs to InsightIDR, you must set up a credential in your Proofpoint TAP dashboard. InsightIDR collects data from Proofpoint TAP by making an API call to https://tap-api-v2.proofpoint.com/v2/siem/all?format=json&interval=PT1H/<DATE_PLACEHOLDER>. To authenticate with the Proofpoint API, InsightIDR uses a Principal ID and Secret Key that you can create by setting up a credential in your TAP dashboard.
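The following added example (not Rapid7's or Proofpoint's own code) shows the two behaviours described above in working form: the hourly `PT1H/<end>` interval parameters a 7-day backfill of the `/v2/siem/all` endpoint implies, and the message-event alert rule stated under the introduction (impostorScore, phishScore or malwareScore above 60; spamScore ignored; MessagesBlocked never alerts). It assumes the ISO 8601 `<duration>/<end>` reading of the interval (the hour ending at `<end>`), and the event type name `MessagesDelivered` and the sample events are constructed for illustration.

```python
"""Added example (not Rapid7's or Proofpoint's own code): hourly backfill URLs
for the TAP SIEM API and InsightIDR's stated message-event alert rule, applied
to constructed sample events shaped like the page's example logs."""
from datetime import datetime, timedelta

API = "https://tap-api-v2.proofpoint.com/v2/siem/all?format=json&interval="
ALERT_SCORES = ("impostorScore", "phishScore", "malwareScore")  # spamScore is excluded
THRESHOLD = 60  # only a score strictly greater than 60 alerts

def backfill_urls(now_iso, lookback_days=7):
    """Return URLs for one-hour windows covering the past `lookback_days`, oldest
    first. Assumes ISO 8601 <duration>/<end>: PT1H/<end> is the hour ending at
    <end>. `now_iso` is an ISO 8601 UTC timestamp such as 2020-03-01T12:30:00+00:00."""
    end = datetime.fromisoformat(now_iso).replace(minute=0, second=0, microsecond=0)
    start = end - timedelta(days=lookback_days)
    urls, t = [], start + timedelta(hours=1)
    while t <= end:
        urls.append(f"{API}PT1H/{t:%Y-%m-%dT%H:%M:%SZ}")
        t += timedelta(hours=1)
    return urls

def should_alert(event):
    """InsightIDR's rule as stated on the page for a message event: alert when
    impostorScore, phishScore or malwareScore exceeds 60; spamScore alone never
    alerts; MessagesBlocked events never alert (no user action is required)."""
    if event.get("eventTypeString") == "MessagesBlocked":
        return False
    return any(event.get(key, 0) > THRESHOLD for key in ALERT_SCORES)

# Constructed sample events; "MessagesDelivered" is an assumed event type name.
SAMPLE_EVENTS = [
    {"eventTypeString": "MessagesBlocked", "malwareScore": 100, "phishScore": 46, "spamScore": 4},
    {"eventTypeString": "MessagesDelivered", "malwareScore": 0, "phishScore": 75, "spamScore": 10},
    {"eventTypeString": "MessagesDelivered", "malwareScore": 0, "phishScore": 5, "spamScore": 95},
    {"eventTypeString": "MessagesDelivered", "malwareScore": 60, "impostorScore": 60},
]

def alerting_indices(events=SAMPLE_EVENTS):
    """Indices of the events InsightIDR would alert on under the page's rule."""
    return [i for i, e in enumerate(events) if should_alert(e)]

if __name__ == "__main__":
    for url in backfill_urls("2020-03-01T12:30:00+00:00")[:3]:
        print(url)
    print("alerting events:", alerting_indices())  # only the delivered phish (index 1)
```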

To create a credential in Proofpoint TAP:

  1. Log in to your Proofpoint TAP dashboard.
  2. Click the Settings tab.
  3. On the left side of the screen, click Connected Applications. The Service credentials section will open.
  4. In the Name section, select Create New Credential.
  5. Type the name <xyz.corp> and click the Generate button.
  6. In the Generated Service Credential pop-up, the Service Principal and Secret values are shown. Take note of these values for later configuration in InsightIDR.

Set Up Proofpoint TAP in InsightIDR

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.

To configure the new event source in InsightIDR:

  1. From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for Proofpoint Targeted Attack Protection in the event sources search bar.
    • In the Product Type filter, select Cloud Service.
  3. Select the Proofpoint Targeted Attack Protection event source tile.
  4. Select your collector and Proofpoint Targeted Attack Protection from the event source dropdown.
  5. Enter the name of your event source.
  6. Optionally choose to send unparsed logs, if you are sending additional events beyond alerts.
  7. Select an attribution source.
  8. Select your Proofpoint TAP credentials or optionally create a new credential. For new credentials enter the Service Principal and Secret values that you generated earlier.
  9. Click Save.

Attribution source options

Proofpoint TAP product logs can contain information about hosts and accounts. When setting up Proofpoint TAP as an event source, you can choose one of the following attribution options:

  1. Use IDR engine if possible; if not, use event log

By selecting this option, the InsightIDR attribution engine will perform attribution using the source address present in the log lines. If it's unable to resolve assets or accounts using the source address, it will use the assets or accounts present in the log lines, if any.

  2. Use event log if possible; if not, use IDR engine

By selecting this option, attribution will be done using the assets and accounts present in the log lines. If no assets or accounts are present in the log lines, the InsightIDR attribution engine will perform attribution using the source address present in the log lines.

  3. Use IDR engine only

By selecting this option, the InsightIDR attribution engine will perform the attribution using the source address present in the log lines, ignoring any assets and accounts present in the log lines.

  4. Use event log only

By selecting this option, attribution will be done using the assets and accounts present in the log lines, ignoring the source address.

Verify the configuration

From the left menu, click Log Search to view your raw logs to ensure events are being forwarded to the Collector. Select the applicable Log Sets and the Log Names within them. The Log Name will be the event source name or “Proofpoint TAP” if you did not name the event source. Proofpoint TAP logs flow into these Log Sets:

  • Web Proxy
  • Third Party Alert

Please note that logs take at least 7 minutes to appear in Log Search after you set up the event source.

Example input logs:

```json
{
  "campaignId": "46e01b8a-c899-404d-bcd9-189bb393d1a7",
  "classification": "MALWARE",
  "clickIP": "192.0.2.1",
  "clickTime": "2016-06-24T19:17:44.000Z",
  "messageID": "8c6cfedd-3050-4d65-8c09-c5f65c38da81",
  "recipient": "bruce.wayne@pharmtech.zz",
  "sender": "9facbf452def2d7efc5b5c48cdb837fa@badguy.zz",
  "senderIP": "192.0.2.255",
  "threatID": "61f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50",
  "threatTime": "2020-03-01T12:17:46.000Z",
  "threatURL": "https://threatinsight.proofpoint.com/#/73aa0499-dfc8-75eb-1de8-a471b24a2e75/threat/u/61f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50",
  "url": "http://badguy.zz/",
  "userAgent": "Mozilla/5.0(WindowsNT6.1;WOW64;rv:27.0)Gecko/20100101Firefox/27.0",
  "eventTypeString": "ClicksPermitted"
}
```
```json
{
  "GUID": "c26dbea0-80d5-463b-b93c-4e8b708219ce",
  "QID": "r2FNwRHF004109",
  "ccAddresses": ["bruce.wayne@university-of-education.zz"],
  "clusterId": "pharmtech_hosted",
  "completelyRewritten": "true",
  "fromAddress": "badguy@evil.zz",
  "headerCC": "\"Bruce Wayne\" <bruce.wayne@university-of-education.zz>",
  "headerFrom": "\"A. Badguy\" <badguy@evil.zz>",
  "headerReplyTo": null,
  "headerTo": "\"Clark Kent\" <clark.kent@pharmtech.zz>; \"Diana Prince\" <diana.prince@pharmtech.zz>",
  "impostorScore": 0,
  "malwareScore": 100,
  "messageID": "20160624211145.62086.mail@evil.zz",
  "xmailer": "Spambot v2.5",
  "messageParts": [
    {
      "contentType": "text/plain",
      "disposition": "inline",
      "filename": "text.txt",
      "md5": "008c5926ca861023c1d2a36653fd88e2",
      "oContentType": "text/plain",
      "sandboxStatus": "unsupported",
      "sha256": "85738f8f9a7f1b04b5329c590ebcb9e425925c6d0984089c43a022de4f19c281"
    },
    {
      "contentType": "application/pdf",
      "disposition": "attached",
      "filename": "Invoice for Pharmtech.pdf",
      "md5": "5873c7d37608e0d49bcaa6f32b6c731f",
      "oContentType": "application/pdf",
      "sandboxStatus": "threat",
      "sha256": "2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca"
    }
  ],
  "messageTime": "2020-03-01T12:59:38.000Z",
  "modulesRun": ["pdr", "sandbox", "spam", "urldefense"],
  "phishScore": 46,
  "policyRoutes": ["default_inbound", "executives"],
  "quarantineFolder": "Attachment Defense",
  "quarantineRule": "module.sandbox.threat",
  "recipient": ["clark.kent@pharmtech.zz", "diana.prince@pharmtech.zz"],
  "replyToAddress": null,
  "sender": "e99d7ed5580193f36a51f597bc2c0210@evil.zz",
  "senderIP": "192.0.2.255",
  "spamScore": 4,
  "subject": "Please find a totally safe invoice attached.",
  "threatsInfoMap": [
    {
      "campaignId": "46e01b8a-c899-404d-bcd9-189bb393d1a7",
      "classification": "MALWARE",
      "threat": "2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca",
      "threatId": "2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca",
      "threatStatus": "active",
      "threatTime": "2016-06-24T21:18:38.000Z",
      "threatType": "ATTACHMENT",
      "threatUrl": "https://threatinsight.proofpoint.com/#/73aa0499-dfc8-75eb-1de8-a471b24a2e75/threat/u/2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca"
    },
    {
      "campaignId": "46e01b8a-c899-404d-bcd9-189bb393d1a7",
      "classification": "MALWARE",
      "threat": "badsite.zz",
      "threatId": "3ba97fc852c66a7ba761450edfdfb9f4ffab74715b591294f78b5e37a76481aa",
      "threatTime": "2016-06-24T21:18:07.000Z",
      "threatType": "URL",
      "threatUrl": "https://threatinsight.proofpoint.com/#/73aa0499-dfc8-75eb-1de8-a471b24a2e75/threat/u/3ba97fc852c66a7ba761450edfdfb9f4ffab74715b591294f78b5e37a76481aa"
    }
  ],
  "toAddresses": ["clark.kent@pharmtech.zz", "diana.prince@pharmtech.zz"],
  "eventTypeString": "MessagesBlocked"
}
```