# Proofpoint Logs

## Overview

Panther has the ability to fetch Proofpoint logs by querying the [Proofpoint SIEM API](https://help.proofpoint.com/Threat_Insight_Dashboard/API_Documentation/SIEM_API).

## How to onboard Proofpoint logs to Panther

To onboard Proofpoint logs, you will generate Proofpoint API credentials, then create a Proofpoint source in Panther.

### Step 1: Create API credentials in Proofpoint

1. Log in to Proofpoint.
2. Navigate to **Settings.**
3. Click **New Token**, and generate a token.
   * Save the **Token Service Principal** and **Token Secret** you generate in a secure location, as you will need them in the next step.

### Step 2: Create a Proofpoint source in Panther

1. In the left-side navigation bar of your Panther Console, click **Configure** > **Log Sources.**
2. Click **Create New.**
3. Search for “Proofpoint,” then click its tile.
4. In the slide-out panel, click **Start Setup**.
5. Enter a descriptive **Name** for the source, e.g., "My Proofpoint logs."
6. Click **Setup**.
7. On the **Set Credentials** page, enter values for the following fields:
   * **Proofpoint Domain**: Enter the domain name of your Proofpoint instance, e.g., `https://tap-api-v2.proofpoint.com`.
   * **Token Service Principal**: Enter the value you generated in Proofpoint in Step 1.
   * **Token Secret**: Enter the value you generated in Proofpoint in Step 1.
8. Click **Setup**. You will be directed to a success screen:

   <figure><img src="/files/lJCvylZLzgzxBKPB2fyE" alt="The success screen reads, &#x22;Everything looks good! Panther will now automatically pull &#x26; process logs from your account&#x22;" width="281"><figcaption></figcaption></figure>

   * You can optionally enable one or more [Detection Packs](https://docs.panther.com/detections/panther-managed/packs).
   * The **Trigger an alert when no events are processed** setting defaults to **YES**. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.

     <figure><img src="/files/Qjs5L2RqoxDEnhUcjTYh" alt="The &#x22;Trigger an alert when no events are processed&#x22; toggle is set to YES. The &#x22;How long should Panther wait before it sends you an alert that no events have been processed&#x22; setting is set to 1 Day" width="320"><figcaption></figcaption></figure>
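Before pasting the Token Service Principal and Token Secret into Panther, it is worth confirming that they actually work against the SIEM API, since a typo only shows up later as a "no events processed" alert. The script below is an added example (not Panther's or Proofpoint's code): it builds the same authenticated request Panther will make, assuming the SIEM API's HTTP Basic authentication (service principal as the user name, secret as the password) and the `/v2/siem/all` endpoint with `format` and `sinceSeconds` parameters, as documented in the linked Proofpoint SIEM API reference. The `fetch` callable is injectable so the check can be exercised offline against a constructed response.

```python
"""Pre-flight check of Proofpoint SIEM API credentials before onboarding them in Panther.

Added example, not code from Panther or Proofpoint. Assumptions (from the SIEM API
docs linked on this page): HTTP Basic auth with principal:secret, endpoint
/v2/siem/all, query parameters format=json and sinceSeconds (capped at 3600).
"""
import base64
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# Constructed sample response in the shape of /v2/siem/all (not real Proofpoint data).
SAMPLE_RESPONSE = json.dumps({
    "queryEndTime": "2024-01-01T01:00:00Z",
    "clicksPermitted": [],
    "clicksBlocked": [{"GUID": "example-guid-1"}],
    "messagesDelivered": [{"GUID": "example-guid-2"}, {"GUID": "example-guid-3"}],
    "messagesBlocked": [],
}).encode()

EVENT_BUCKETS = ("clicksPermitted", "clicksBlocked", "messagesDelivered", "messagesBlocked")


def build_siem_request(domain: str, principal: str, secret: str,
                       since_seconds: int = 3600) -> urllib.request.Request:
    """Build GET <domain>/v2/siem/all with an HTTP Basic Authorization header."""
    if not domain.startswith("https://"):
        raise ValueError("Proofpoint domain must be an https URL")
    if not 0 < since_seconds <= 3600:
        raise ValueError("sinceSeconds must be between 1 and 3600 (one hour window)")
    url = f"{domain.rstrip('/')}/v2/siem/all?format=json&sinceSeconds={since_seconds}"
    token = base64.b64encode(f"{principal}:{secret}".encode()).decode()
    return urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})


def summarize_siem_response(body: bytes) -> Dict[str, int]:
    """Count events per bucket so a successful check shows whether data is flowing."""
    data = json.loads(body)
    return {bucket: len(data.get(bucket, [])) for bucket in EVENT_BUCKETS}


def _http_fetch(req: urllib.request.Request) -> Tuple[int, bytes]:
    """Default transport: perform the request and return (status, body)."""
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def verify_credentials(domain: str, principal: str, secret: str,
                       fetch: Optional[Callable[[urllib.request.Request], Tuple[int, bytes]]] = None
                       ) -> Tuple[bool, str, Dict[str, int]]:
    """Return (ok, message, per-bucket counts). A 401 means the principal/secret pair is wrong."""
    fetch = fetch or _http_fetch
    status, body = fetch(build_siem_request(domain, principal, secret))
    if status == 401:
        return False, "authentication failed: check Token Service Principal and Token Secret", {}
    if status != 200:
        return False, f"unexpected HTTP status {status}", {}
    counts = summarize_siem_response(body)
    return True, "credentials accepted", counts


if __name__ == "__main__":
    # Offline demonstration using the constructed response; swap in real values and
    # drop the fetch argument to hit the live API.
    ok, msg, counts = verify_credentials(
        "https://tap-api-v2.proofpoint.com", "PRINCIPAL_PLACEHOLDER", "SECRET_PLACEHOLDER",
        fetch=lambda req: (200, SAMPLE_RESPONSE))
    print(ok, msg, counts)
```

Run it once with the real principal and secret (and no `fetch` argument) before filling in the Set Credentials page; a `401` points at the credentials, while a `200` with all counts at zero is still a valid pair and simply means no events in the last hour.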

## Supported log types

### Proofpoint.Event

Proofpoint.Event logs represent activity within a Proofpoint instance. For more information, see [Proofpoint's documentation](https://help.proofpoint.com/Threat_Insight_Dashboard/API_Documentation/SIEM_API).

```yaml
schema: Proofpoint.Event
description: Event logs pulled from Proofpoint's API
referenceURL: https://help.proofpoint.com/Threat_Insight_Dashboard/API_Documentation/SIEM_API
fields:
  - name: messageTime
    description: The timestamp of the log.
    isEventTime: true
    timeFormats:
      - rfc3339
    type: timestamp
  - name: messageParts
    description: JSON structure containing parts of the message.
    type: json
  - name: fromAddress
    description: Array of email addresses from which the message was sent.
    type: array
    element:
      type: string
      indicator: email
  - name: toAddresses
    description: Array of email addresses to which the message was sent.
    type: array
    element:
      type: string
      indicator: email
  - name: recipient
    description: Array of email addresses to which the message was sent.
    type: array
    element:
      type: string
      indicator: email
  - name: threatsInfoMap
    description: Array of objects containing threat information.
    type: array
    element:
      type: object
      fields:
        - name: threatUrl
          description: URL associated with the threat.
          type: string
          indicator: url
        - name: threatID
          description: Unique identifier for the threat.
          type: string
        - name: threatStatus
          description: Status of the threat.
          type: string
        - name: classification
          description: Classification type of the threat.
          type: string
        - name: threatTime
          description: Timestamp of the threat.
          type: string
          indicator:
            - timestamp
        - name: threat
          description: Details of the threat.
          type: string
        - name: campaignID
          description: Identifier for the associated campaign.
          type: string
        - name: threatType
          description: Type of threat.
          type: string
  - name: completelyRewritten
    description: Indicates whether the message was completely rewritten or not.
    type: boolean
  - name: id
    description: Unique identifier for the event.
    type: string
  - name: QID
    description: Queue identifier for the message.
    type: string
  - name: GUID
    description: Globally unique identifier for the event.
    type: string
  - name: sender
    description: Email address of the sender.
    type: string
    indicator:
      - email
  - name: senderIP
    description: IP address of the sender.
    type: string
    indicator:
      - ip
  - name: messageID
    description: Unique identifier for the message.
    type: string
  - name: spamScore
    description: Score indicating the likelihood the message is spam.
    type: int
  - name: phishScore
    description: Score indicating the likelihood the message is a phishing attempt.
    type: int
  - name: impostorScore
    description: Score indicating the likelihood the sender is an impostor.
    type: int
  - name: malwareScore
    description: Score indicating the likelihood the message contains malware.
    type: int
  - name: cluster
    description: Cluster information related to the event.
    type: string
  - name: subject
    description: Subject line of the email.
    type: string
  - name: quarantineFolder
    description: Folder where the message is quarantined.
    type: string
  - name: quarantineRule
    description: Rule applied for quarantining the message.
    type: string
  - name: policyRoutes
    description: JSON structure containing policy routing information.
    type: json
  - name: modulesRun
    description: JSON structure containing information on the modules run for processing the message.
    type: json
  - name: messageSize
    description: Size of the message in bytes.
    type: int
  - name: headerFrom
    description: Email address in the 'From' header.
    type: string
    indicator: email
  - name: headerReplyTo
    description: Email address in the 'Reply-To' header.
    type: string
    indicator: email
  - name: ccAddresses
    description: Array of email addresses in the 'CC' field.
    type: array
    element:
      type: string
      indicator: email
  - name: replyToAddress
    description: Array of email addresses in the 'Reply-To' field.
    type: array
    element:
      type: string
      indicator: email
  - name: xmailer
    description: Information about the email client or server that sent the message.
    type: string
```
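Once Proofpoint.Event data is flowing, the fields above are what a detection reads. The rule below is an added example written in Panther's Python rule shape (`rule`, `title`, `dedup`, `severity` functions receiving an event that supports `.get()`); it is not a Panther-managed rule. It alerts when `threatsInfoMap` carries a threat whose `threatStatus` is `active` and whose `classification` is phish or malware, or when `phishScore` is at or above a threshold. The `active` status string, the classification names and the score threshold of 90 are assumptions for this example and should be tuned to what your tenant actually emits.

```python
"""Detection over Proofpoint.Event fields, in Panther's Python rule shape.

Added example, not a Panther-managed rule. Assumptions: threatStatus value
"active", classification values "phish"/"malware", phishScore threshold 90.
"""
from typing import Any, Dict, List

PHISH_SCORE_THRESHOLD = 90                       # assumed; tune per environment
SUSPICIOUS_CLASSIFICATIONS = {"phish", "malware"}  # assumed classification strings


def active_threats(event: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return threatsInfoMap entries that are still active and of a suspicious class."""
    threats = event.get("threatsInfoMap") or []
    return [
        t for t in threats
        if t.get("threatStatus") == "active"
        and (t.get("classification") or "").lower() in SUSPICIOUS_CLASSIFICATIONS
    ]


def rule(event: Dict[str, Any]) -> bool:
    """Fire on an active phish/malware threat or a high phish score."""
    if active_threats(event):
        return True
    return (event.get("phishScore") or 0) >= PHISH_SCORE_THRESHOLD


def title(event: Dict[str, Any]) -> str:
    """Alert title using sender, recipient and subject from the event."""
    recipients = ", ".join(event.get("recipient") or []) or "<unknown>"
    sender = event.get("sender") or "<unknown>"
    subject = event.get("subject") or "<no subject>"
    return f"Proofpoint: threat in message from {sender} to {recipients} ({subject})"


def dedup(event: Dict[str, Any]) -> str:
    """Group alerts per message rather than per event line."""
    return event.get("GUID") or event.get("messageID") or "proofpoint-event"


def severity(event: Dict[str, Any]) -> str:
    """Malware outranks phish; score-only hits stay MEDIUM."""
    if any((t.get("classification") or "").lower() == "malware" for t in active_threats(event)):
        return "HIGH"
    return "MEDIUM"


# Constructed sample events (not real Proofpoint data) for local testing.
SAMPLE_ACTIVE_PHISH = {
    "GUID": "example-guid-1",
    "sender": "attacker@example.invalid",
    "recipient": ["user@example.invalid"],
    "subject": "Invoice attached",
    "phishScore": 40,
    "threatsInfoMap": [
        {"threatStatus": "active", "classification": "phish",
         "threatUrl": "https://example.invalid/login", "threatID": "t-1"}
    ],
}
SAMPLE_HIGH_SCORE_ONLY = {
    "GUID": "example-guid-2",
    "sender": "other@example.invalid",
    "recipient": ["user@example.invalid"],
    "phishScore": 95,
    "threatsInfoMap": [{"threatStatus": "cleared", "classification": "phish"}],
}
SAMPLE_BENIGN = {
    "GUID": "example-guid-3",
    "sender": "colleague@example.invalid",
    "recipient": ["user@example.invalid"],
    "phishScore": 5,
    "threatsInfoMap": [],
}

if __name__ == "__main__":
    for ev in (SAMPLE_ACTIVE_PHISH, SAMPLE_HIGH_SCORE_ONLY, SAMPLE_BENIGN):
        print(dedup(ev), rule(ev), severity(ev) if rule(ev) else "-")
```

Because a single message can produce several Proofpoint.Event lines, keying `dedup` on `GUID` keeps one alert per message; the cleared-threat sample shows why `threatStatus` must be checked rather than the mere presence of an entry in `threatsInfoMap`.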
