# Collect data from Proofpoint TAP

Where the vendor is **Proofpoint TAP,** it's product is **SIEM API.** For SIEM API, right now we have the following product types/endpoints:

* [Clicks blocked](/the-workspace/listeners/listener-integrations/pull-data-from-http-endpoints/collect-data-from-proofpoint-tap/clicks-blocked.md)
* [Clicks permitted](/the-workspace/listeners/listener-integrations/pull-data-from-http-endpoints/collect-data-from-proofpoint-tap/clicks-permitted.md)
* [Messages blocked](/the-workspace/listeners/listener-integrations/pull-data-from-http-endpoints/collect-data-from-proofpoint-tap/messages-blocked.md)
* [Messages delivered](/the-workspace/listeners/listener-integrations/pull-data-from-http-endpoints/collect-data-from-proofpoint-tap/messages-delivered.md)

Inside each of those endpoints we have the YAML file to configure.

See below for **All** endpoints.

## Overview

Proofpoint TAP SIEM API allows integration with SIEM solutions by giving administrators the ability to periodically download detailed information about several types of TAP events in a SIEM-compatible, vendor-neutral format. Currently, the following event types are exposed:

* Blocked or permitted clicks to threats recognized by URL Defense
* Blocked or delivered messages that contain threats recognized by URL Defense or Attachment Defense

We have those different endpoints that will return an object with a key, that will contain an array of objects. In each of those specific templates we should define that key name. If we use the `/siem/all` endpoint we will get all the options included, each of those, with it's own array.

## Configuration

### Parameters

No parameters needed

### Secrets

These secrets will correspond to the username and password fields in the authentication phase.

* **Username** (Value: `pp_sp`) `${secrets.pp_sp}`
* **Password** (Value: `pp_secret) ${secrets.pp_secret}`

To add a Secret, open the **Secret** fields and click **New secret**:

* Give the secret a **Name**.
* Turn off the **Expiration date** option.
* Click **Add new value** and paste the secret corresponding to the value.
* Click **Save**.

{% hint style="info" %}
Learn more about secrets in Onum in [this article](/administration/global-settings/organization-settings/secrets-management.md).
{% endhint %}

You can now select the secret you just created in the corresponding fields.

After entering the required secrets, you can choose to manually enter the fields, or simply paste the desired YAML.

### Configure as YAML

```yaml
withTemporalWindow: true
temporalWindow:
  duration: 5m
  offset: 5m
  tz: UTC
  format: RFC3339
withAuthentication: true
authentication:
  type: basic
  basic:
    username: "${secrets.pp_sp}"
    password: "${secrets.pp_secret}"
withEnumerationPhase: false
collectionPhase:
  paginationType: none
  request:
    method: GET
    url: https://tap-api-v2.proofpoint.com/v2/siem/all
    headers:
      - name: Accept
        value: text/plain
    queryParams:
      - name: format
        value: json
      - name: interval
        value: ${temporalWindow.from}/${temporalWindow.to}
  output:
    select: ".clicksBlocked"
    filter: "."
    map: "."
    outputMode: element
retry:
  statusCodes: [429, 500, 502, 503, 504]
  type: fixed 
  fixed:
    interval:  5m
```

### **Manually Configure**

#### **Temporal Window**

Toggle **ON** to add a temporal window for events. This repeatedly shifts the time window over which data is collected.

* **Duration -** 5 minutes (`5m`) as default, adjust based on your needs.
* **Offset -** `5m`
* **Format** - `RFC3339`

#### **Authentication Phase**

Toggle **ON** to configure the authentication parameters

* **Type**<mark style="color:red;">**\***</mark>**&#x20;-** `basic`
* **Username**<mark style="color:red;">**\***</mark>**&#x20;-** `${secrets.pp_sp}`
* **Password**<mark style="color:red;">**\***</mark>**&#x20;-** `${secrets.pp_secret}`

#### **Retry**

* **Retry type -** `Fixed`
* **Interval** **-** `5m`

#### **Enumeration Phase**

**OFF**

#### **Collection Phase**

* **Pagination Type**<mark style="color:red;">**\***</mark>**&#x20;-** `none`
* &#x20;**Request**&#x20;
  * **Method**<mark style="color:red;">**\***</mark>**&#x20;-** `GET`
  * **URL**<mark style="color:red;">**\***</mark>**&#x20;-** `https://tap-api-v2.proofpoint.com/v2/siem/all`&#x20;
  * **Headers**&#x20;
    * **Name -** `interval`
    * **Format** - `${temporalWindow.from}/${temporalWindow.to}`
    * **Name** - `format`
    * **Value -** `json`
* **Output**&#x20;
  * **Select -** `.clicksBlocked`
  * **Map -** `.`
  * **Filter -** `.`
  * **Output Mode** - `element`<br>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.onum.com/the-workspace/listeners/listener-integrations/pull-data-from-http-endpoints/collect-data-from-proofpoint-tap.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.