Proofpoint On Demand

Proofpoint on Demand (PoD) is a cloud-based email security platform that protects organizations from advanced threats, phishing attacks, malware, and compliance violations through comprehensive email filtering and threat intelligence.

This document provides comprehensive, step-by-step instructions for configuring the Observo AI WebSocket Source to ingest real-time log data from Proofpoint on Demand (PoD) Logging Service, enabling continuous security monitoring, advanced threat detection, compliance reporting, and unified visibility into email security events across the organization.

Prerequisites

Before configuring the Proofpoint on Demand (PoD) WebSocket source in Observo AI, ensure the following requirements are met so that data ingestion works without interruption:

  • WebSocket Server Configuration:

    • Identify the WebSocket URI endpoint where the source will connect.

    • Ensure the WebSocket server is configured to accept connections from Observo AI.

    • Verify the WebSocket server supports the required protocol.

  • Authentication:

    • Prepare authentication credentials as required by the WebSocket server:

      • Bearer Token: Obtain a JWT (JSON Web Token) or OAuth2 bearer token from the service provider.

    • For Proofpoint PoD Logging:

      • Obtain the bearer token from Proofpoint. The token is uniquely generated for your customer cluster.

      • Note your Cluster ID (displayed in the upper-right corner of the Proofpoint management interface); it is needed when requesting the bearer token from Proofpoint.

  • Network and Connectivity:

    • Ensure Observo AI can establish outbound connections to the Proofpoint on Demand (PoD) endpoint.

    • Check for firewall rules, proxy settings, or network policies that may affect connectivity.

    • Verify DNS resolution for the WebSocket server hostname.

Prerequisite               | Description                                      | Notes
WebSocket URI              | Server endpoint for establishing connections     | Must include protocol and full path
Authentication Credentials | Bearer token or basic authentication credentials | For Proofpoint: obtain the bearer token using your Cluster ID
Network Connectivity       | Outbound access to WebSocket server              | Check firewall rules, DNS resolution, and network policies

Integration

The Integration section outlines the configurations for the WebSocket source. To configure the Proofpoint on Demand logs source in Observo AI, follow these steps to set up and test the data flow:

  1. Log in to Observo AI:

    • Navigate to the Sources tab.

    • Click the Add Source button and select Create New.

    • Choose WebSocket from the list of available sources to begin configuration.

  2. General Settings:

    • Name: A unique identifier for the source, such as proofpoint-on-Demand-Logs-1.

    • Description (Optional): Provide a description for the source.

    • WebSocket URI: The WebSocket server endpoint to connect to.

      Example

      wss://logstream.proofpoint.com/v1/stream?cid=<CLUSTER_ID>&type=m

  3. Authentication:

    • Authentication Strategy: Select the Bearer Token Authentication method required by Proofpoint.

      Options

      Basic Authentication

      Bearer Token Authentication

    • Bearer Token: Authentication token (OAuth2, JWT, etc.). Only used when strategy is set to bearer. (Masked field)

  4. Connection Settings (Optional):

    • Initial Message: Optional message to send upon connection, such as subscription commands.

    • Initial Message Timeout (seconds): Timeout while waiting for reply to initial message. Default: 2

    • Connection Timeout (seconds): Timeout while establishing the WebSocket connection. Default: 30

    • Ping Interval (seconds): Interval between sending keepalive pings. If not set, pings are not sent automatically.

    • Ping Timeout (seconds): Time to wait for pong response before reconnecting. Only used if Ping Interval is set.

    • Custom Ping Message: Application-level ping message. If not set, standard WebSocket ping frames are used.

  5. Decoding:

    • Decoding Codec: The codec for decoding incoming events. Default: Raw Bytes

      Options

      Raw Bytes

      JSON

      GELF

      Syslog (RFC 3164 or RFC 5424)

      Native JSON

    • Framing Method: The method for framing messages. Default: Raw Bytes (not delimited)

      Options

      Raw Bytes (not delimited)

      Newline Delimited

      Character Delimited

      Length Delimited (32-bit prefix)

      Octet Counting

    • Character Delimiter: The delimiter character when using character-delimited framing.

  6. TLS Configuration (Required for Proofpoint on Demand):

    • Enable TLS: Toggle to Enable. Required for the Proofpoint on Demand (PoD) protocol.

    • CA Certificate File: Absolute path to an additional CA certificate file in DER or PEM (X.509) format.

    • Client Certificate File: Absolute path to a client certificate file for mutual TLS authentication in DER, PEM (X.509), or PKCS#12 format.

    • Client Private Key File: Absolute path to the private key file in DER or PEM (PKCS#8) format.

    • Private Key Password: Passphrase to unlock the encrypted key file, if applicable. (Masked field)

    • Verify Server Certificate: Toggle to enable verification of the server's certificate. If enabled, certificates must not be expired and must be issued by a trusted issuer.

    • Verify Server Hostname: Toggle to enable verification that the server hostname matches the certificate.

    • Server Name (SNI): Server name for Server Name Indication, typically auto-detected from URI.

  7. Parser Config:

    • Enable Source Log Parser: Toggle to enable parser configuration.

    • Recommended for Proofpoint: Enable the JSON Parser to properly parse JSON-formatted log events from Proofpoint.

    • Source Log Parser: Select parser from dropdown (e.g., JSON Parser).

      • Parser Configuration Options:

        • Bypass Transform: Toggle to bypass transformation.

        • Add Filter Conditions: Toggle to add filtering conditions.

        • Parser-Specific Settings (for JSON Parser):

          • Enabled: Toggle to enable the parser.

          • Fields to Parse:

            • Field Name: The JSON field to parse (e.g. message).

            • New Field Name: Optional new name for the parsed field.

            • Keep Old Field: Toggle to retain the original field.

            • Explode Array Events: Toggle to create separate events for array elements.

  8. Save and Test Configuration:

    • Click Save to store the configuration settings in Observo AI.

    • Monitor the source connection status and verify log ingestion by checking the Analytics tab in the Observo AI pipeline for event counts and data throughput from Proofpoint.

Notes:

  • Bearer Token: The JWT token is uniquely generated by Proofpoint for the customer cluster and must be kept confidential. Tokens should be rotated periodically according to security policies.

  • Cluster ID: The Cluster ID is used when obtaining the bearer token from Proofpoint but is not configured separately in the WebSocket source, as the token already contains the cluster identity.

  • TLS Configuration: TLS must be enabled for the Proofpoint on Demand protocol. Keep certificate verification enabled for production-grade security to prevent man-in-the-middle attacks.

  • Connection Management: Ping interval and timeout settings ensure the WebSocket connection remains active and automatically reconnects if the connection becomes stale.

  • JSON Parser: Enabling the JSON Parser in Parser Config is recommended for Proofpoint as it sends JSON-formatted log events. This ensures proper parsing and field extraction from the log data.

  • Network Requirements: Verify DNS resolution for the Proofpoint endpoint.

  • Authentication: The bearer token format follows JWT standards. Ensure system time is synchronized for proper token validation.

  • Troubleshooting: If connection issues occur, verify the WebSocket URI, bearer token validity, and TLS settings. Check Observo AI logs for authentication errors or connection failures, as per the Troubleshooting section.

  • Resources: Refer to Observo AI documentation and Proofpoint PoD Log API documentation for additional guidance on configuration and API usage.
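The notes on the bearer token, TLS and troubleshooting above translate into a few checks that can be run before saving the source. The block below is an added example written for this page, not Observo AI's or Proofpoint's code. It reads the exp claim of the JWT against the local clock with a skew window (the server checks exp against its own clock, which is why system time matters), checks that the URI has the documented shape (wss scheme, cid present and not still a placeholder), and builds a TLS context from the step 6 settings so that the effect of turning verification off is visible. The HS256 token is minted locally only so the example runs offline; the real token comes from Proofpoint and the client never verifies its signature. Python's ssl module accepts PEM files only, so the DER and PKCS#12 formats the source supports are not covered here.

```python
import base64
import hashlib
import hmac
import json
import ssl
import time
from typing import Optional
from urllib.parse import parse_qs, urlsplit

DEFAULT_SKEW_SECONDS = 300  # tolerance for clock drift between this host and the server


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_demo_token(claims: dict, secret: bytes) -> str:
    """Constructed HS256 JWT, used only so this example runs offline.
    Proofpoint issues the real token; the client never mints one."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def jwt_claims(token: str) -> dict:
    """Read the claims without verifying the signature: the client only holds the
    token, the server verifies it. Enough to see exp/iat when an auth error occurs."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization")
    return json.loads(_b64url_decode(parts[1]))


def token_status(token: str, now: Optional[float] = None,
                 skew: int = DEFAULT_SKEW_SECONDS) -> str:
    """Classify the token against the local clock: valid, near-expiry, expired, no-exp.
    "near-expiry" flags the case where a lagging local clock makes a token look
    valid here while the server already rejects it."""
    now = time.time() if now is None else now
    exp = jwt_claims(token).get("exp")
    if exp is None:
        return "no-exp"
    if now >= exp:
        return "expired"
    if now + skew >= exp:
        return "near-expiry"
    return "valid"


def check_uri(uri: str) -> list[str]:
    """Checks derived from the documented URI shape: wss (TLS required) and a cid."""
    problems = []
    u = urlsplit(uri)
    if u.scheme != "wss":
        problems.append(f"scheme is {u.scheme!r}; Proofpoint PoD requires wss (TLS)")
    if not u.hostname:
        problems.append("missing hostname")
    cid = parse_qs(u.query).get("cid", [""])[0]
    if not cid or cid.startswith("<"):
        problems.append("cid query parameter missing or still a placeholder")
    return problems


def build_tls_context(verify_server_certificate: bool = True,
                      verify_server_hostname: bool = True,
                      ca_certificate_file: Optional[str] = None,
                      client_certificate_file: Optional[str] = None,
                      client_private_key_file: Optional[str] = None,
                      private_key_password: Optional[str] = None) -> ssl.SSLContext:
    """Mirror the step 6 toggles onto an SSLContext (PEM files only in this module)."""
    ctx = ssl.create_default_context()
    if ca_certificate_file:
        ctx.load_verify_locations(cafile=ca_certificate_file)
    if client_certificate_file:
        ctx.load_cert_chain(client_certificate_file, keyfile=client_private_key_file,
                            password=private_key_password)
    # Order matters: hostname checking cannot stay on while verify_mode is CERT_NONE.
    if not verify_server_certificate:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    elif not verify_server_hostname:
        ctx.check_hostname = False
    return ctx


def tls_warnings(ctx: ssl.SSLContext) -> list[str]:
    """Name the exposure each disabled toggle creates, for a pre-save review."""
    warnings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        warnings.append("server certificate verification disabled: exposed to MITM")
    if not ctx.check_hostname:
        warnings.append("hostname verification disabled: any trusted-CA certificate is accepted")
    return warnings
```

Run token_status on the token you are about to paste into the masked Bearer Token field: "expired" or "near-expiry" explains an "Authentication failed" error before any connection attempt, and "no-exp" means the token has no lifetime claim at all. A clean result from check_uri and an empty list from tls_warnings are the state you want before clicking Save.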

Troubleshooting

  • Common Error Messages:

    • "Connection refused": The WebSocket server is not reachable or not listening. Verify the Proofpoint on Demand (PoD) endpoint and check network connectivity.

    • "Authentication failed": The bearer token is invalid or expired. Verify token validity.

    • "TLS handshake failed": TLS configuration issue. Verify TLS is enabled and certificates are valid.

    • "Connection timeout": The connection attempt exceeded the configured timeout. Check network latency and adjust timeout settings if needed.

    • "Ping timeout": The server did not respond to keepalive pings within Ping Timeout. The source closes the connection and reconnects automatically.

  • Monitor Logs and Data:

    • Monitor the Analytics tab in the targeted Observo AI pipeline for data volume and throughput.

    • Review Observo AI logs for errors, warnings, or reconnection attempts related to the WebSocket source.

Issue                    | Possible Cause                        | Resolution
Data not ingested        | Connection not established            | Verify WebSocket URI and network connectivity
Authentication errors    | Invalid or expired bearer token       | Check token validity and authentication strategy settings
Connection failures      | Network or firewall blocking access   | Test connectivity and check firewall/proxy rules
"Connection refused"     | Server unreachable or incorrect URI   | Verify URI format and server availability
"Authentication failed"  | Invalid credentials or expired token  | Verify bearer token
"TLS handshake failed"   | TLS not enabled or certificate issue  | Enable TLS and verify certificate configuration
"Connection timeout"     | Network latency or incorrect timeout  | Check network conditions and adjust timeout settings
Message parsing errors   | Incorrect codec selected              | Verify decoding codec matches data format (e.g. JSON)

Resources

For additional guidance and detailed information, refer to the following resources:
