Proofpoint TAP

Proofpoint Targeted Attack Prevention (TAP) is a cloud security service that analyzes and blocks threats arriving through email and exposes its event data through a SIEM API. You can send those SIEM logs to InsightIDR through the Proofpoint API. InsightIDR captures click and message events from Proofpoint TAP.

For message events, InsightIDR only generates alerts when the value of the impostorScore, phishScore, or malwareScore field is greater than 60. InsightIDR does not generate alerts for spam messages even if the spamScore field is greater than 60.
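The alerting rule above, applied to sample events shaped like the example logs further down this page (an added example, not Rapid7's or Proofpoint's code; the event dicts are constructed):

```python
# Added example (not Rapid7's or Proofpoint's code): applies the message-event alerting
# rule described above. Field names follow the example logs on this page.
ALERT_SCORE_FIELDS = ("impostorScore", "phishScore", "malwareScore")  # spamScore never alerts
ALERT_THRESHOLD = 60  # a score must be strictly greater than this


def is_message_event(event):
    """Message events carry the score fields; click events do not."""
    return event.get("eventTypeString", "").startswith("Messages")


def triggering_scores(event):
    """Return {field: score} for every alert-relevant score above the threshold.
    An empty dict means the event would not raise an alert. spamScore is
    deliberately ignored, and a score of exactly 60 does not trigger."""
    if not is_message_event(event):
        return {}
    return {f: event[f] for f in ALERT_SCORE_FIELDS
            if isinstance(event.get(f), (int, float)) and event[f] > ALERT_THRESHOLD}


def should_alert(event):
    return bool(triggering_scores(event))


# Constructed sample events: one that alerts on malware, one that is only spam,
# one sitting exactly on the threshold, and one click event with no scores.
SAMPLE_EVENTS = [
    {"eventTypeString": "MessagesBlocked", "messageID": "a@evil.zz",
     "impostorScore": 0, "malwareScore": 100, "phishScore": 46, "spamScore": 4},
    {"eventTypeString": "MessagesBlocked", "messageID": "b@evil.zz",
     "impostorScore": 0, "malwareScore": 0, "phishScore": 0, "spamScore": 95},
    {"eventTypeString": "MessagesBlocked", "messageID": "c@evil.zz",
     "impostorScore": 60, "malwareScore": 12, "phishScore": 60, "spamScore": 0},
    {"eventTypeString": "ClicksPermitted", "messageID": "d@evil.zz", "url": "http://badguy.zz/"},
]


def summarize(events):
    """Map messageID -> sorted list of the fields that triggered, for alerting events only."""
    return {e["messageID"]: sorted(triggering_scores(e)) for e in events if should_alert(e)}


if __name__ == "__main__":
    for mid, fields in summarize(SAMPLE_EVENTS).items():
        print(f"alert {mid}: {', '.join(fields)}")
```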

To learn more about Proofpoint TAP, see their API: https://help.proofpoint.com/Threat_Insight_Dashboard/API_Documentation/SIEM_API

Proofpoint TAP Query Limits

Due to Proofpoint TAP API restrictions, the collector will only attempt to retrieve logs created within the past 7 days. The collector will then make multiple requests to collect historical data until it’s caught up, gathering up to 1 hour of log data at a time.

To set up Proofpoint TAP, you’ll need to:

  1. Review Before You Begin and note any requirements.
  2. Configure Proofpoint TAP to send data to your collector.
  3. Set up the Proofpoint TAP event source in InsightIDR.
  4. Verify the configuration works.

Before you begin

Before you can send Proofpoint TAP logs to InsightIDR, you must ensure that your collector can access tap-api-v2.proofpoint.com by configuring any necessary firewall or web proxy rules.

Configure Proofpoint TAP to send data to your collector

To send Proofpoint TAP logs to InsightIDR, you must set up a credential in your Proofpoint TAP dashboard. InsightIDR collects data from Proofpoint TAP by making an API call to https://tap-api-v2.proofpoint.com/v2/siem/all?format=json&interval=PT1H/<DATE_PLACEHOLDER>. To authenticate with the Proofpoint API, InsightIDR uses the Principal ID and Secret Key that the credential provides.
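How a collector can plan the hourly calls to the URL above while honouring the 7-day lookback and 1-hour-per-request limits described under Proofpoint TAP Query Limits (an added example, not Rapid7's or Proofpoint's code). It assumes the principal and secret are sent as HTTP Basic credentials and that only complete hours are requested; the clock value is constructed.

```python
# Added example (not Rapid7's or Proofpoint's code): builds the hourly SIEM API requests
# described on this page. Assumption: principal/secret are sent as HTTP Basic credentials.
import base64
from datetime import datetime, timedelta, timezone

API_BASE = "https://tap-api-v2.proofpoint.com/v2/siem/all"
LOOKBACK = timedelta(days=7)   # the API only serves the past 7 days
WINDOW = timedelta(hours=1)    # at most 1 hour of data per request


def poll_windows(last_checkpoint, now):
    """Yield (start, end) pairs, one hour each, from the later of the last checkpoint
    and now-7d up to the last complete hour before `now`. Starts are aligned to :00,
    so a mid-hour checkpoint re-fetches part of an hour rather than leaving a gap."""
    start = now - LOOKBACK
    if last_checkpoint is not None and last_checkpoint > start:
        start = last_checkpoint
    start = start.replace(minute=0, second=0, microsecond=0)
    while start + WINDOW <= now:
        yield start, start + WINDOW
        start += WINDOW


def request_url(start):
    # interval=PT1H/<start>: a 1-hour ISO 8601 duration anchored at <start>
    return f"{API_BASE}?format=json&interval=PT1H/{start.strftime('%Y-%m-%dT%H:%M:%SZ')}"


def auth_header(principal, secret):
    token = base64.b64encode(f"{principal}:{secret}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def plan_requests(last_checkpoint, now):
    """All request URLs needed to catch up from the checkpoint to the current hour."""
    return [request_url(s) for s, _ in poll_windows(last_checkpoint, now)]


if __name__ == "__main__":
    now = datetime(2020, 3, 1, 13, 30, tzinfo=timezone.utc)  # constructed clock value
    for url in plan_requests(None, now)[:3]:
        print(url)
```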

To create a credential in Proofpoint TAP:

  1. Log in to your Proofpoint TAP dashboard.
  2. Click the Settings tab.
  3. On the left side of the screen, click Connected Applications. The Service credentials section will open.
  4. In the Name section, select Create New Credential.
  5. Type the name <xyz.corp> and click the Generate button.
  6. In the Generated Service Credential pop-up, the Service Principal and Secret values are shown. Take note of these values for later configuration in InsightIDR.

Set Up Proofpoint TAP in InsightIDR

  1. From the left menu, go to Data Collection.
  2. When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
  3. From the Security Data section, click the Cloud Service icon. The Add Event Source panel appears.
  4. Choose your collector and event source. You can also name your event source if you want.
  5. If you are sending additional events beyond alerts, select the unfiltered logs checkbox.
  6. Enter the Service Principal and Secret values that you generated when setting up a credential in your TAP dashboard.
  7. Click Save.

Verify the configuration

From the left menu, click Log Search to view your raw logs to ensure events are being forwarded to the Collector. Select the applicable Log Sets and the Log Names within them. The Log Name will be the event source name or “Proofpoint TAP” if you did not name the event source. Proofpoint TAP logs flow into these Log Sets:

  • Web Proxy
  • Third Party Alert

Logs take a minimum of 7 minutes to appear in Log Search

Please note that logs take at least 7 minutes to appear in Log Search after you set up the event source.

Example input logs:

json
{
  "campaignId": "46e01b8a-c899-404d-bcd9-189bb393d1a7",
  "classification": "MALWARE",
  "clickIP": "192.0.2.1",
  "clickTime": "2016-06-24T19:17:44.000Z",
  "messageID": "8c6cfedd-3050-4d65-8c09-c5f65c38da81",
  "recipient": "bruce.wayne@pharmtech.zz",
  "sender": "9facbf452def2d7efc5b5c48cdb837fa@badguy.zz",
  "senderIP": "192.0.2.255",
  "threatID": "61f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50",
  "threatTime": "2020-03-01T12:17:46.000Z",
  "threatURL": "https://threatinsight.proofpoint.com/#/73aa0499-dfc8-75eb-1de8-a471b24a2e75/threat/u/61f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50",
  "url": "http://badguy.zz/",
  "userAgent": "Mozilla/5.0(WindowsNT6.1;WOW64;rv:27.0)Gecko/20100101Firefox/27.0",
  "eventTypeString": "ClicksPermitted"
}

json
{
  "GUID": "c26dbea0-80d5-463b-b93c-4e8b708219ce",
  "QID": "r2FNwRHF004109",
  "ccAddresses": ["bruce.wayne@university-of-education.zz"],
  "clusterId": "pharmtech_hosted",
  "completelyRewritten": "true",
  "fromAddress": "badguy@evil.zz",
  "headerCC": "\"Bruce Wayne\" <bruce.wayne@university-of-education.zz>",
  "headerFrom": "\"A. Badguy\" <badguy@evil.zz>",
  "headerReplyTo": null,
  "headerTo": "\"Clark Kent\" <clark.kent@pharmtech.zz>; \"Diana Prince\" <diana.prince@pharmtech.zz>",
  "impostorScore": 0,
  "malwareScore": 100,
  "messageID": "20160624211145.62086.mail@evil.zz",
  "xmailer": "Spambot v2.5",
  "messageParts": [
    {
      "contentType": "text/plain",
      "disposition": "inline",
      "filename": "text.txt",
      "md5": "008c5926ca861023c1d2a36653fd88e2",
      "oContentType": "text/plain",
      "sandboxStatus": "unsupported",
      "sha256": "85738f8f9a7f1b04b5329c590ebcb9e425925c6d0984089c43a022de4f19c281"
    },
    {
      "contentType": "application/pdf",
      "disposition": "attached",
      "filename": "Invoice for Pharmtech.pdf",
      "md5": "5873c7d37608e0d49bcaa6f32b6c731f",
      "oContentType": "application/pdf",
      "sandboxStatus": "threat",
      "sha256": "2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca"
    }
  ],
  "messageTime": "2020-03-01T12:59:38.000Z",
  "modulesRun": ["pdr", "sandbox", "spam", "urldefense"],
  "phishScore": 46,
  "policyRoutes": ["default_inbound", "executives"],
  "quarantineFolder": "Attachment Defense",
  "quarantineRule": "module.sandbox.threat",
  "recipient": ["clark.kent@pharmtech.zz", "diana.prince@pharmtech.zz"],
  "replyToAddress": null,
  "sender": "e99d7ed5580193f36a51f597bc2c0210@evil.zz",
  "senderIP": "192.0.2.255",
  "spamScore": 4,
  "subject": "Please find a totally safe invoice attached.",
  "threatsInfoMap": [
    {
      "campaignId": "46e01b8a-c899-404d-bcd9-189bb393d1a7",
      "classification": "MALWARE",
      "threat": "2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca",
      "threatId": "2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca",
      "threatStatus": "active",
      "threatTime": "2016-06-24T21:18:38.000Z",
      "threatType": "ATTACHMENT",
      "threatUrl": "https://threatinsight.proofpoint.com/#/73aa0499-dfc8-75eb-1de8-a471b24a2e75/threat/u/2fab740f143fc1aa4c1cd0146d334c5593b1428f6d062b2c406e5efe8abe95ca"
    },
    {
      "campaignId": "46e01b8a-c899-404d-bcd9-189bb393d1a7",
      "classification": "MALWARE",
      "threat": "badsite.zz",
      "threatId": "3ba97fc852c66a7ba761450edfdfb9f4ffab74715b591294f78b5e37a76481aa",
      "threatTime": "2016-06-24T21:18:07.000Z",
      "threatType": "URL",
      "threatUrl": "https://threatinsight.proofpoint.com/#/73aa0499-dfc8-75eb-1de8-a471b24a2e75/threat/u/3ba97fc852c66a7ba761450edfdfb9f4ffab74715b591294f78b5e37a76481aa"
    }
  ],
  "toAddresses": ["clark.kent@pharmtech.zz", "diana.prince@pharmtech.zz"],
  "eventTypeString": "MessagesBlocked"
}