Panther supports pulling logs directly from Proofpoint
Overview
Proofpoint log ingestion is in open beta starting with Panther version 1.108, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.
Panther has the ability to fetch Proofpoint logs by querying the Proofpoint SIEM API.
How to onboard Proofpoint logs to Panther
To onboard Proofpoint logs, you will generate Proofpoint API credentials, then create a Proofpoint source in Panther.
Step 1: Create API credentials in Proofpoint
Log in to Proofpoint.
Navigate to Settings.
Click New Token, and generate a token.
Save the Token Service Principal and Token Secret yougenerate in a secure location, as you will need them in the next step.
Step 2: Create a Proofpoint source in Panther
In the left-side navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for “Proofpoint,” then click its tile.
In the slide-out panel, click Start Setup.
Enter a descriptive Name for the source, e.g., "My Proofpoint logs."
Click Setup.
On the Set Credentials page, enter values for the following fields:
Proofpoint Domain: Enter the domain name of your Proofpoint instance, e.g., https://tap-api-v2.proofpoint.com.
Token Service Principal: Enter the value you generated in Proofpoint in Step 1.
Token Secret: Enter the value you generated in Proofpoint in Step 1.
Click Setup. You will be directed to a success screen:
The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.
Supported log types
Proofpoint.Event
Proofpoint.Event logs represent activity within a Proofpoint instance. For more information, see Proofpoint's documentation.
schema:Proofpoint.Eventdescription:Event logs pulled from Proofpoint's APIreferenceURL:https://help.proofpoint.com/Threat_Insight_Dashboard/API_Documentation/SIEM_APIfields: - name:messageTimedescription:The timestamp of the log.isEventTime:truetimeFormats: - rfc3339type:timestamp - name:messagePartsdescription:JSON structure containing parts of the message.type:json - name:fromAddressdescription:Array of email addresses from which the message was sent.type:arrayelement:type:stringindicator:email - name:toAddressesdescription:Array of email addresses to which the message was sent.type:arrayelement:type:stringindicator:email - name:recipientdescription:Array of email addresses to which the message was sent.type:arrayelement:type:stringindicator:email - name:threatsInfoMapdescription:Array of objects containing threat information.type:arrayelement:type:objectfields: - name:threatUrldescription:URL associated with the threat.type:stringindicator:url - name:threatIDdescription:Unique identifier for the threat.type:string - name:threatStatusdescription:Status of the threat.type:string - name:classificationdescription:Classification type of the threat.type:string - name:threatTimedescription:Timestamp of the threat.type:stringindicator: - timestamp - name:threatdescription:Details of the threat.type:string - name:campaignIDdescription:Identifier for the associated campaign.type:string - name:threatTypedescription:Type of threat.type:string - name:completelyRewrittendescription:Indicates whether the message was completely rewritten or not.type:boolean - name:iddescription:Unique identifier for the event.type:string - name:QIDdescription:Queue identifier for the message.type:string - name:GUIDdescription:Globally unique identifier for the event.type:string - name:senderdescription:Email address of the sender.type:stringindicator: - email - name:senderIPdescription:IP address of the sender.type:stringindicator: - ip - name:messageIDdescription:Unique identifier for the message.type:string - name:spamScoredescription:Score indicating the likelihood the message is spam.type:int - name:phishScoredescription:Score indicating the likelihood the message is a phishing attempt.type:int - name:impostorScoredescription:Score indicating the likelihood the sender is an impostor.type:int - name:malwareScoredescription:Score indicating the likelihood the message contains malware.type:int - name:clusterdescription:Cluster information related to the event.type:string - name:subjectdescription:Subject line of the email.type:string - name:quarantineFolderdescription:Folder where the message is quarantined.type:string - name:quarantineRuledescription:Rule applied for quarantining the message.type:string - name:policyRoutesdescription:JSON structure containing policy routing information.type:json - name:modulesRundescription:JSON structure containing information on the modules run for processing the message.type:json - name:messageSizedescription:Size of the message in bytes.type:int - name:headerFromdescription:Email address in the 'From' header.type:stringindicator:email - name:headerReplyTodescription:Email address in the 'Reply-To' header.type:stringindicator:email - name:ccAddressesdescription:Array of email addresses in the 'CC' field.type:arrayelement:type:stringindicator:email - name:replyToAddressdescription:Array of email addresses in the 'Reply-To' field.type:arrayelement:type:stringindicator:email - name:xmailerdescription:Information about the email client or server that sent the message.type:string
