# Proofpoint Logs

## Overview

Panther has the ability to fetch Proofpoint logs by querying the [Proofpoint SIEM API](https://help.proofpoint.com/Threat_Insight_Dashboard/API_Documentation/SIEM_API).

## How to onboard Proofpoint logs to Panther

To onboard Proofpoint logs, you will generate Proofpoint API credentials, then create a Proofpoint source in Panther.

### Step 1: Create API credentials in Proofpoint

1. Log in to Proofpoint.
2. Navigate to **Settings.**
3. Click **New Token**, and generate a token.
   * Save the **Token Service Principal** and **Token Secret** you generate in a secure location, as you will need them in the next step.

### Step 2: Create a Proofpoint source in Panther

1. In the left-side navigation bar of your Panther Console, click **Configure** > **Log Sources.**
2. Click **Create New.**
3. Search for “Proofpoint,” then click its tile.
4. In the slide-out panel, click **Start Setup**.
5. Enter a descriptive **Name** for the source, e.g., "My Proofpoint logs."
6. Click **Setup**.
7. On the **Set Credentials** page, enter values for the following fields:
   * **Proofpoint Domain**: Enter the domain name of your Proofpoint instance, e.g., `https://tap-api-v2.proofpoint.com`.
   * **Token Service Principal**: Enter the value you generated in Proofpoint in Step 1.
   * **Token Secret**: Enter the value you generated in Proofpoint in Step 1.
8. Click **Setup**. You will be directed to a success screen:

   <figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-e55cedf82c6a6adc66ec5c14ebdcb164c3b1dcca%2FScreenshot%202023-08-03%20at%204.33.30%20PM.png?alt=media" alt="The success screen reads, &#x22;Everything looks good! Panther will now automatically pull &#x26; process logs from your account&#x22;" width="281"><figcaption></figcaption></figure>

   * You can optionally enable one or more [Detection Packs](https://docs.panther.com/detections/panther-managed/packs).
   * The **Trigger an alert when no events are processed** setting defaults to **YES**. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.

     <figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-c48119abd559990173004bde99ff4907fdd2ded2%2FScreenshot%202023-08-03%20at%204.26.54%20PM.png?alt=media" alt="The &#x22;Trigger an alert when no events are processed&#x22; toggle is set to YES. The &#x22;How long should Panther wait before it sends you an alert that no events have been processed&#x22; setting is set to 1 Day" width="320"><figcaption></figcaption></figure>

## Supported log types

### Proofpoint.Event

Proofpoint.Event logs represent activity within a Proofpoint instance. For more information, see [Proofpoint's documentation](https://help.proofpoint.com/Threat_Insight_Dashboard/API_Documentation/SIEM_API).

```yaml
schema: Proofpoint.Event
description: Event logs pulled from Proofpoint's API
referenceURL: https://help.proofpoint.com/Threat_Insight_Dashboard/API_Documentation/SIEM_API
fields:
  - name: messageTime
    description: The timestamp of the log.
    isEventTime: true
    timeFormats:
      - rfc3339
    type: timestamp
  - name: messageParts
    description: JSON structure containing parts of the message.
    type: json
  - name: fromAddress
    description: Array of email addresses from which the message was sent.
    type: array
    element:
      type: string
      indicator: email
  - name: toAddresses
    description: Array of email addresses to which the message was sent.
    type: array
    element:
      type: string
      indicator: email
  - name: recipient
    description: Array of email addresses to which the message was sent.
    type: array
    element:
      type: string
      indicator: email
  - name: threatsInfoMap
    description: Array of objects containing threat information.
    type: array
    element:
      type: object
      fields:
        - name: threatUrl
          description: URL associated with the threat.
          type: string
          indicator: url
        - name: threatID
          description: Unique identifier for the threat.
          type: string
        - name: threatStatus
          description: Status of the threat.
          type: string
        - name: classification
          description: Classification type of the threat.
          type: string
        - name: threatTime
          description: Timestamp of the threat.
          type: string
          indicator:
            - timestamp
        - name: threat
          description: Details of the threat.
          type: string
        - name: campaignID
          description: Identifier for the associated campaign.
          type: string
        - name: threatType
          description: Type of threat.
          type: string
  - name: completelyRewritten
    description: Indicates whether the message was completely rewritten or not.
    type: boolean
  - name: id
    description: Unique identifier for the event.
    type: string
  - name: QID
    description: Queue identifier for the message.
    type: string
  - name: GUID
    description: Globally unique identifier for the event.
    type: string
  - name: sender
    description: Email address of the sender.
    type: string
    indicator:
      - email
  - name: senderIP
    description: IP address of the sender.
    type: string
    indicator:
      - ip
  - name: messageID
    description: Unique identifier for the message.
    type: string
  - name: spamScore
    description: Score indicating the likelihood the message is spam.
    type: int
  - name: phishScore
    description: Score indicating the likelihood the message is a phishing attempt.
    type: int
  - name: impostorScore
    description: Score indicating the likelihood the sender is an impostor.
    type: int
  - name: malwareScore
    description: Score indicating the likelihood the message contains malware.
    type: int
  - name: cluster
    description: Cluster information related to the event.
    type: string
  - name: subject
    description: Subject line of the email.
    type: string
  - name: quarantineFolder
    description: Folder where the message is quarantined.
    type: string
  - name: quarantineRule
    description: Rule applied for quarantining the message.
    type: string
  - name: policyRoutes
    description: JSON structure containing policy routing information.
    type: json
  - name: modulesRun
    description: JSON structure containing information on the modules run for processing the message.
    type: json
  - name: messageSize
    description: Size of the message in bytes.
    type: int
  - name: headerFrom
    description: Email address in the 'From' header.
    type: string
    indicator: email
  - name: headerReplyTo
    description: Email address in the 'Reply-To' header.
    type: string
    indicator: email
  - name: ccAddresses
    description: Array of email addresses in the 'CC' field.
    type: array
    element:
      type: string
      indicator: email
  - name: replyToAddress
    description: Array of email addresses in the 'Reply-To' field.
    type: array
    element:
      type: string
      indicator: email
  - name: xmailer
    description: Information about the email client or server that sent the message.
    type: string
```
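The schema above is what Panther detections see once Proofpoint events are flowing. The following is an added example of a Panther-style Python rule over `Proofpoint.Event` records; it is not Panther's or Proofpoint's own code. It assumes the convention that a `rule(event)` function returns a boolean and `title`, `severity` and `dedup` functions shape the alert, that Proofpoint scores range from 0 to 100, and that a delivered message has no `quarantineFolder` set; the score thresholds and the sample events are constructed for illustration.

```python
"""Added example: a Panther-style detection over Proofpoint.Event records.

Not Panther's or Proofpoint's own code. Field names follow the Proofpoint.Event
schema on this page; thresholds and sample events are constructed.
"""
from typing import Any, Dict, List

# Constructed thresholds (assumption: Proofpoint scores are 0-100).
PHISH_THRESHOLD = 80
MALWARE_THRESHOLD = 80


def active_threats(event: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return the threatsInfoMap entries whose threatStatus is still 'active'."""
    return [
        threat
        for threat in (event.get("threatsInfoMap") or [])
        if str(threat.get("threatStatus", "")).lower() == "active"
    ]


def was_delivered(event: Dict[str, Any]) -> bool:
    """Assumption: a message that reached a mailbox has no quarantineFolder set."""
    return not event.get("quarantineFolder")


def rule(event: Dict[str, Any]) -> bool:
    """Alert on a delivered message that carries an active threat or scores high
    for phishing or malware. Quarantined messages are already contained, so they
    do not fire; the interesting case is the one Proofpoint let through."""
    if not was_delivered(event):
        return False
    if active_threats(event):
        return True
    phish = event.get("phishScore") or 0
    malware = event.get("malwareScore") or 0
    return phish >= PHISH_THRESHOLD or malware >= MALWARE_THRESHOLD


def severity(event: Dict[str, Any]) -> str:
    """Active threat intel on the message outranks a score-only match."""
    return "HIGH" if active_threats(event) else "MEDIUM"


def title(event: Dict[str, Any]) -> str:
    recipients = ", ".join(event.get("recipient") or []) or "unknown recipient"
    return (
        f"Proofpoint: suspicious message from {event.get('sender', 'unknown')} "
        f"delivered to {recipients} (subject: {event.get('subject', '')!r})"
    )


def dedup(event: Dict[str, Any]) -> str:
    """Group alerts per message so one mail with several threats yields one alert."""
    return event.get("GUID") or event.get("messageID") or "unknown"


def alert_context(event: Dict[str, Any]) -> Dict[str, Any]:
    """Hand the responder the indicators they need to triage without the raw event."""
    return {
        "senderIP": event.get("senderIP"),
        "headerFrom": event.get("headerFrom"),
        "headerReplyTo": event.get("headerReplyTo"),
        "threatUrls": [t.get("threatUrl") for t in active_threats(event)],
        "scores": {
            "phish": event.get("phishScore"),
            "malware": event.get("malwareScore"),
            "impostor": event.get("impostorScore"),
            "spam": event.get("spamScore"),
        },
    }


# Constructed sample events (not real Proofpoint data).
SAMPLE_DELIVERED_THREAT = {
    "GUID": "guid-example-1", "messageID": "<msg1@example.test>",
    "sender": "billing@example.test", "recipient": ["alice@corp.test"],
    "subject": "Invoice overdue", "phishScore": 40, "malwareScore": 0,
    "quarantineFolder": "",
    "threatsInfoMap": [{"threatUrl": "http://example.test/login",
                        "threatStatus": "active", "threatType": "url"}],
}
SAMPLE_DELIVERED_HIGH_SCORE = {
    "GUID": "guid-example-2", "sender": "hr@example.test",
    "recipient": ["bob@corp.test"], "subject": "Payroll update",
    "phishScore": 92, "malwareScore": 5, "threatsInfoMap": [],
}
SAMPLE_QUARANTINED = {
    "GUID": "guid-example-3", "sender": "x@example.test",
    "recipient": ["carol@corp.test"], "phishScore": 99,
    "quarantineFolder": "Phish", "threatsInfoMap": [],
}
SAMPLE_CLEAN = {
    "GUID": "guid-example-4", "sender": "peer@partner.test",
    "recipient": ["dave@corp.test"], "phishScore": 3, "malwareScore": 0,
}
```

The rule deliberately ignores quarantined mail: the schema's `quarantineFolder` and `quarantineRule` fields tell you Proofpoint already acted, so alerting there only duplicates Proofpoint's own decision, whereas a delivered message with an active threat is the case that needs a responder.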
