Collect data from Proofpoint TAP

Where the vendor is Proofpoint TAP, it's product is SIEM API. For SIEM API, right now we have the following product types/endpoints:

Inside each of those endpoints we have the YAML file to configure.

See below for All endpoints.

Overview

Proofpoint TAP SIEM API allows integration with SIEM solutions by giving administrators the ability to periodically download detailed information about several types of TAP events in a SIEM-compatible, vendor-neutral format. Currently, the following event types are exposed:

Blocked or permitted clicks to threats recognized by URL Defense
Blocked or delivered messages that contain threats recognized by URL Defense or Attachment Defense

We have those different endpoints that will return an object with a key, that will contain an array of objects. In each of those specific templates we should define that key name. If we use the /siem/all endpoint we will get all the options included, each of those, with it's own array.

Configuration

Parameters

No parameters needed

Secrets

These secrets will correspond to the username and password fields in the authentication phase.

Username (Value: pp_sp) ${secrets.pp_sp}
Password (Value: pp_secret) ${secrets.pp_secret}

To add a Secret, open the Secret fields and click New secret:

Give the secret a Name.
Turn off the Expiration date option.
Click Add new value and paste the secret corresponding to the value.
Click Save.

Learn more about secrets in Onum in this article.

You can now select the secret you just created in the corresponding fields.

After entering the required secrets, you can choose to manually enter the fields, or simply paste the desired YAML.

Configure as YAML

withTemporalWindow: true
temporalWindow:
  duration: 5m
  offset: 5m
  tz: UTC
  format: RFC3339
withAuthentication: true
authentication:
  type: basic
  basic:
    username: "${secrets.pp_sp}"
    password: "${secrets.pp_secret}"
withEnumerationPhase: false
collectionPhase:
  paginationType: none
  request:
    method: GET
    url: https://tap-api-v2.proofpoint.com/v2/siem/all
    headers:
      - name: Accept
        value: text/plain
    queryParams:
      - name: format
        value: json
      - name: interval
        value: ${temporalWindow.from}/${temporalWindow.to}
  output:
    select: ".clicksBlocked"
    filter: "."
    map: "."
    outputMode: element
retry:
  statusCodes: [429, 500, 502, 503, 504]
  type: fixed 
  fixed:
    interval:  5m

Manually Configure

Temporal Window

Toggle ON to add a temporal window for events. This repeatedly shifts the time window over which data is collected.

Duration - 5 minutes (5m) as default, adjust based on your needs.
Offset - 5m
Format - RFC3339

Authentication Phase

Toggle ON to configure the authentication parameters

Type* - basic
Username* - ${secrets.pp_sp}
Password* - ${secrets.pp_secret}

Retry

Retry type - Fixed
Interval - 5m

Enumeration Phase

OFF

Collection Phase

Pagination Type* - none
Request
- Method* - GET
- URL* - https://tap-api-v2.proofpoint.com/v2/siem/all
- Headers
  - Name - interval
  - Format - ${temporalWindow.from}/${temporalWindow.to}
  - Name - format
  - Value - json
Output
- Select - .clicksBlocked
- Map - .
- Filter - .
- Output Mode - element

PreviousCollect data from Prisma Cloud NextClicks blocked

Last updated 1 month ago

Was this helpful?

hashtagOverview

hashtagConfiguration

hashtagParameters

hashtagSecrets

hashtagConfigure as YAML

hashtagManually Configure

hashtagTemporal Window

hashtagAuthentication Phase

hashtagRetry

hashtagEnumeration Phase

hashtagCollection Phase