Proofpoint SIEM

The Proofpoint SIEM API Collector is pull-based: it sends HTTP requests to the Proofpoint SIEM API endpoint at a configured interval and retrieves the security events that Proofpoint's Targeted Attack Protection (TAP) platform recorded since the previous request, including delivered and blocked email threats, malicious URLs, and user clicks on them.

Purpose

The Proofpoint SIEM API Collector lets Observo AI actively retrieve security event data from Proofpoint's SIEM API endpoint by polling at configured intervals. It pulls the four TAP event types (messages delivered, messages blocked, clicks permitted, and clicks blocked) in JSON format into Observo AI for security analysis and monitoring. Because the feed carries both the threats that reached users and the clicks users made on them, it supports near real-time threat detection, security analytics, and incident response without an agent or a push integration on the Proofpoint side.

Prerequisites

Before configuring the Proofpoint SIEM API Collector in Observo AI, ensure the following requirements are met to facilitate seamless data ingestion:

  • Proofpoint TAP Subscription:

    • An active Proofpoint Targeted Attack Protection (TAP) subscription with SIEM API access enabled.

    • Access to the Proofpoint SIEM API v2 endpoint: https://tap-api-v2.proofpoint.com/v2/siem/all

  • Authentication:

    • API credentials: Obtain a Proofpoint TAP service principal and secret from your Proofpoint administrator or through the Proofpoint portal.

    • The credentials must have read permissions for the SIEM API endpoint and access to all event types (messages and clicks).

    • Authentication is HTTP Basic Authentication (the service principal is the username, the secret is the password), configured through the Authentication section in Observo AI.

  • API Limitations:

    • Each request to the Proofpoint SIEM API returns at most the last 3600 seconds (1 hour) of events; a request whose start time is older than that fails.

    • The initial checkpoint (SINCE_TIME) must therefore be set to a timestamp less than 1 hour before the first run.

    • The API does not provide historical data older than 1 hour, so any collector outage longer than the window leaves a gap that cannot be backfilled.

  • Network and Connectivity:

    • Ensure Observo AI can communicate with tap-api-v2.proofpoint.com over HTTPS (port 443).

    • Check for proxy settings, firewall rules, or network policies that may affect connectivity to the Proofpoint API endpoint.

| Prerequisite | Description | Notes |
| --- | --- | --- |
| Proofpoint TAP Subscription | Active TAP subscription with SIEM API access | Contact Proofpoint administrator to enable SIEM API access |
| Authentication | Proofpoint SIEM API credentials (service principal and secret, sent as HTTP Basic Auth) | Credentials must have read permissions for all SIEM event types |
| API Time Window | Data available for last 1 hour only | Set SINCE_TIME to less than 3600 seconds ago; no historical data available |
| Network | HTTPS connectivity to tap-api-v2.proofpoint.com | Check VPC endpoints, proxies, and firewalls for port 443 access |

Integration

The Integration section outlines the configurations for the Proofpoint SIEM API Collector source. To configure the Proofpoint SIEM API Collector as a source in Observo AI, follow these steps to set up and test the data flow:

  1. Log in to Observo AI:

    • Navigate to the Sources tab.

    • Click the Add Source button and select Create New.

    • Choose Proofpoint SIEM API Collector from the list of available sources to begin configuration.

  2. General Settings:

    • Name: A unique identifier for the source, such as proofpoint-siem-collector.

    • Description (Optional): Provide a description for the source, such as "Proofpoint TAP security events ingestion".

    • Config: Configuration parameters for the Proofpoint SIEM API.

      | Key (Default) | Value (Default) | Description |
      | --- | --- | --- |
      | PROOFPOINT_URL | https://tap-api-v2.proofpoint.com/v2/siem/all | The Proofpoint SIEM API endpoint URL |

    • Checkpoints: Values that seed the script on its first run and maintain state between executions. The collector automatically updates them after each successful run.

      | Key (Default) | Value (Default) | Description |
      | --- | --- | --- |
      | SINCE_TIME | 2025-10-01T00:00:00Z | Starting point for data collection in ISO 8601 format. Must be less than 3600 seconds (1 hour) ago. |

      The default value is only a placeholder: replace it with a timestamp less than an hour old when you create the source. If it is left stale, the first request fails and the collector advances the checkpoint to the current time (see Error Handling), so no events older than that moment are collected.

    • Time in seconds to pause between script executions: 300 seconds (5 minutes)

      • Recommended value for near real-time threat detection while respecting API rate limits. Keep it well below 3600 seconds: the pause plus any retry delays must stay inside the one-hour API window, or events are lost.

  3. Authentication:

    • Authentication Strategy: Basic Authentication.

    • Principal: The Proofpoint TAP service principal, sent as the Basic Auth username.

    • Secret: The secret issued with that principal, sent as the Basic Auth password. Obtain both from your Proofpoint administrator or through the Proofpoint portal, and store the secret only in this field, not in the Config table.

Data Types Collected

The Proofpoint SIEM API Collector ingests four primary security event types from Proofpoint TAP:

Messages Delivered

Email messages containing a known threat that were nevertheless delivered to recipients' inboxes (for example, because the threat was identified after delivery), including:

  • Message metadata (sender, recipient, subject, message ID)

  • Threat classification details and scores

  • Delivery timestamps

  • URL and attachment analysis results

Messages Blocked

Email messages that were blocked before delivery due to identified threats:

  • Threat type, category, and severity level

  • Sender and intended recipient information

  • Quarantine details and location

  • Block reason, timestamp, and threat intelligence

Clicks Permitted

User clicks on threat URLs that were permitted rather than rewritten or blocked (for example, clicked before the URL was condemned, or allowed by policy). Because the user reached the page, these are usually the first events to triage:

  • URL details and classification

  • User identification and campaign information

  • Click timestamp and threat score

  • Sender and message context

Clicks Blocked

User clicks on malicious or suspicious URLs that were blocked:

  • Malicious URL information and threat category

  • User details and threat intelligence

  • Block timestamp and threat score

  • Sender and message context
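The four arrays above arrive in a single JSON response per poll, keyed messagesDelivered, messagesBlocked, clicksPermitted and clicksBlocked, plus a queryEndTime for the window the server actually served. The following is an added example (not Observo AI's collector code) of the "enrich with event type, emit individual logs" step: it flattens a constructed sample response into one record per event, expands each message's threatsInfoMap so every threat gets its own record, and then joins delivered messages to clicks on threatID to surface the case that matters most for incident response, a threat that reached an inbox and was then clicked. The sample values are invented; only the field names follow the TAP SIEM API JSON format.

```python
"""Normalize a Proofpoint TAP /v2/siem/all JSON response into one flat record
per event, tagged with its event type, and flag threats that were delivered
and then clicked. Added example, not Observo AI's collector code."""
import json
from typing import Dict, List, Tuple

# Constructed sample response (not captured from a tenant). Field names follow
# the TAP SIEM API JSON format; every value is made up.
SAMPLE_RESPONSE = json.dumps({
    "queryEndTime": "2025-10-01T12:00:00Z",
    "messagesDelivered": [{
        "GUID": "msg-1", "messageID": "<abc@example.net>",
        "sender": "attacker@example.net", "recipient": ["alice@example.com"],
        "subject": "Invoice attached", "messageTime": "2025-10-01T11:58:00Z",
        "spamScore": 0, "phishScore": 95, "malwareScore": 0,
        "threatsInfoMap": [{"threat": "http://bad.example/login", "threatType": "url",
                            "classification": "phish", "threatStatus": "active",
                            "threatID": "t-1"}],
    }],
    "messagesBlocked": [{
        "GUID": "msg-2", "messageID": "<def@example.net>",
        "sender": "malware@example.net", "recipient": ["bob@example.com"],
        "subject": "Payroll.xlsm", "messageTime": "2025-10-01T11:59:00Z",
        "spamScore": 0, "phishScore": 0, "malwareScore": 100,
        "threatsInfoMap": [{"threat": "0123abcd", "threatType": "attachment",
                            "classification": "malware", "threatStatus": "active",
                            "threatID": "t-2"}],
    }],
    "clicksPermitted": [{
        "GUID": "click-1", "url": "https://promo.example.org/offer",
        "classification": "spam", "clickTime": "2025-10-01T11:50:00Z",
        "recipient": "alice@example.com", "sender": "promo@example.org",
        "clickIP": "203.0.113.5", "threatID": "t-3",
    }],
    "clicksBlocked": [{
        "GUID": "click-2", "url": "http://bad.example/login",
        "classification": "phish", "clickTime": "2025-10-01T11:59:30Z",
        "recipient": "alice@example.com", "sender": "attacker@example.net",
        "clickIP": "203.0.113.7", "threatID": "t-1",
    }],
})

# Response array -> event_type label attached to each emitted record.
EVENT_ARRAYS = {
    "messagesDelivered": "message_delivered",
    "messagesBlocked": "message_blocked",
    "clicksPermitted": "click_permitted",
    "clicksBlocked": "click_blocked",
}


def normalize(raw: str) -> Tuple[str, List[Dict]]:
    """Return (queryEndTime, events). Message records carry a threatsInfoMap
    list; they are expanded into one record per threat with threat_* keys so
    downstream filters can match on a single classification or threatID."""
    body = json.loads(raw)
    events: List[Dict] = []
    for array_key, event_type in EVENT_ARRAYS.items():
        for item in body.get(array_key) or []:
            base = {k: v for k, v in item.items() if k != "threatsInfoMap"}
            base["event_type"] = event_type
            for threat in item.get("threatsInfoMap") or [None]:
                record = dict(base)
                if threat:
                    record.update({f"threat_{k}": v for k, v in threat.items()})
                events.append(record)
    return body["queryEndTime"], events


def delivered_then_clicked(events: List[Dict]) -> List[Tuple[str, str, str]]:
    """Threats that reached an inbox and were later clicked (blocked or not):
    the records to triage first. Joins on threatID, which TAP shares between
    the message and click records for the same threat."""
    delivered = {e["threat_threatID"] for e in events
                 if e["event_type"] == "message_delivered" and "threat_threatID" in e}
    return sorted((e["recipient"], e["threatID"], e["url"]) for e in events
                  if e["event_type"] in ("click_permitted", "click_blocked")
                  and e.get("threatID") in delivered)
```

Expanding threatsInfoMap is the design choice worth noting: a single delivered message can carry several threats with different classifications, and a flat record per threat is what a detection rule or a pipeline filter can match on. The join in delivered_then_clicked uses threatID because TAP tags the message and the later click with the same identifier, so the correlation needs no fuzzy matching on URL or recipient.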

Error Handling

The Proofpoint SIEM API Collector implements comprehensive error handling for various scenarios:

HTTP Status Codes

| Status Code | Error Type | Collector Response | Recovery Action |
| --- | --- | --- | --- |
| 200 | Success | Processes all events, enriches each with its event type, emits individual logs, updates the checkpoint to the query end time returned in the response | Automatic - continues normal operation |
| 400 | Bad Request | Updates checkpoint to current UTC time, emits error log with details | Automatic - prevents the collector from getting stuck on a rejected window; events between the old checkpoint and now are not retrieved |
| 401 | Unauthorized | Emits error log indicating authentication failure; checkpoint is not advanced | Manual - update the Principal and Secret in the Authentication section with valid credentials |
| 429 | Rate Limit Exceeded | Emits rate limit warning, leverages built-in retry mechanism | Automatic - retries after backoff period |
| 500 | Server Error | Once the automatic retries are exhausted, advances checkpoint to current UTC time and emits error log to avoid infinite loops | Automatic - continues collection on next interval; events in the skipped window are not retrieved |
| Other | Unknown Error | Emits detailed error log with status code, response body, and request timestamp | Manual - review logs and investigate issue |

Automatic Retry Mechanism

  • Enabled via retry = true parameter in the fetch call

  • Implements exponential backoff for transient failures

  • Automatically retries failed requests for status codes 429 and 500

Checkpoint Management

  • Uses get_chkpt("SINCE_TIME") to retrieve the last successful collection timestamp

  • Uses set_chkpt("SINCE_TIME", value) to update the checkpoint after a successful collection

  • Prevents data loss during collector restarts or failures, as long as the restart happens within the one-hour API window

  • Avoids duplicate collection by seeding the next SINCE_TIME with the query end time the API returned rather than with the local clock
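The status-code table, the retry mechanism and the checkpoint rules above together define one poll cycle. The block below is an added example of that cycle written as a stand-alone Python function; it is not the Observo AI collector script and does not use get_chkpt/set_chkpt. It builds the Basic Auth header from a principal and secret, clamps SINCE_TIME into the one-hour window (clamping, with a logged warning, is this example's choice for a stale checkpoint; the page's collector instead lets the request fail and advances the checkpoint on 400), retries 429 and 500 with exponential backoff, and applies the table's checkpoint policy to the final status. The HTTP client is injectable: http_fetch talks to the real endpoint, while scripted_fetch is a constructed stand-in so the cycle runs offline.

```python
"""One poll cycle against the Proofpoint TAP SIEM API: Basic Auth, sinceTime
clamped to the one-hour window, status-code policy and checkpoint update.
Added example; the HTTP client is injectable so the cycle can run offline."""
import base64
import json
import time
import urllib.error
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional, Tuple

API_URL = "https://tap-api-v2.proofpoint.com/v2/siem/all"
MAX_WINDOW = timedelta(seconds=3600)   # the API only serves the last hour
ISO = "%Y-%m-%dT%H:%M:%SZ"
EVENT_ARRAYS = ("messagesDelivered", "messagesBlocked", "clicksPermitted", "clicksBlocked")


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, ISO).replace(tzinfo=timezone.utc)


def fmt_ts(d: datetime) -> str:
    return d.strftime(ISO)


def basic_auth_header(principal: str, secret: str) -> str:
    """TAP authenticates with HTTP Basic: service principal as user, secret as password."""
    return "Basic " + base64.b64encode(f"{principal}:{secret}".encode()).decode()


def clamp_since(checkpoint: str, now: datetime) -> Tuple[str, bool]:
    """Pull sinceTime forward if the checkpoint is older than one hour (the seed
    value, or a long outage). The API would reject it; clamping keeps the
    collector alive, but events between the checkpoint and now-1h are lost,
    so the caller must log it. Clamping is this example's choice, not Observo's."""
    since = parse_ts(checkpoint)
    earliest = now - MAX_WINDOW
    if since < earliest:
        return fmt_ts(earliest), True
    return checkpoint, False


def http_fetch(url: str, params: dict, headers: dict) -> Tuple[int, str]:
    """Real client (urllib); returns (status, body) instead of raising."""
    req = urllib.request.Request(url + "?" + urllib.parse.urlencode(params), headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")


def collect(checkpoint: str, principal: str, secret: str,
            fetch: Callable[[str, dict, dict], Tuple[int, str]] = http_fetch,
            now: Optional[datetime] = None, max_retries: int = 3,
            sleep: Callable[[float], None] = time.sleep) -> dict:
    """Run one poll. Returns the new checkpoint, the event count and a log list."""
    now = now or datetime.now(timezone.utc)
    since, clamped = clamp_since(checkpoint, now)
    params = {"sinceTime": since, "format": "json"}
    headers = {"Authorization": basic_auth_header(principal, secret)}
    log = []
    if clamped:
        log.append(f"warning: checkpoint {checkpoint} older than 1h; events before {since} were never fetched")
    attempt = 0
    while True:
        status, body = fetch(API_URL, params, headers)
        if status in (429, 500) and attempt < max_retries:
            delay = 2 ** attempt            # exponential backoff: 1s, 2s, 4s
            log.append(f"{status} on attempt {attempt + 1}; retrying in {delay}s")
            sleep(delay)
            attempt += 1
            continue
        break
    if status == 200:
        data = json.loads(body)
        count = sum(len(data.get(k) or []) for k in EVENT_ARRAYS)
        # queryEndTime is the server's end of the window: the safe next sinceTime.
        return {"checkpoint": data["queryEndTime"], "events": count, "log": log}
    if status in (400, 500):
        # Advance past the bad window so the collector cannot loop on it forever;
        # the skipped interval must be investigated from the log.
        log.append(f"{status}: {body[:200]!r}; checkpoint advanced to {fmt_ts(now)}")
        return {"checkpoint": fmt_ts(now), "events": 0, "log": log}
    if status == 401:
        log.append("401: authentication failed; fix Principal/Secret, checkpoint unchanged")
    else:
        log.append(f"{status}: {body[:200]!r}; checkpoint unchanged")
    return {"checkpoint": checkpoint, "events": 0, "log": log}


def scripted_fetch(responses):
    """Constructed stand-in for http_fetch: returns one scripted (status, body) per call."""
    queue = list(responses)

    def fetch(url, params, headers):
        return queue.pop(0)
    return fetch
```

Two points a practitioner should take from this. First, the checkpoint is advanced from the response's queryEndTime on success, never from the local clock, so clock skew between the collector and the API cannot open a gap or cause overlap. Second, advancing the checkpoint to now on a persistent 400 or 500 is a liveness-over-completeness trade: the collector recovers by itself, but the window it skipped is gone after an hour, which is why those log lines need to be alerted on rather than merely stored.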

Monitoring Recommendations

  • Monitor rate limit warnings (429 status code) and lengthen the collection interval if they recur

  • Review error logs regularly to identify patterns or persistent issues, and alert on every 400 and 500 log line, since each one marks a window the collector skipped

  • Track checkpoint progression; alert if SINCE_TIME lags the current time by more than the poll interval plus the retry budget, because a lag approaching 3600 seconds means events are about to fall outside the API window
