Panther has the ability to fetch Proofpoint logs by querying the .
How to onboard Proofpoint logs to Panther
To onboard Proofpoint logs, you will generate Proofpoint API credentials, then create a Proofpoint source in Panther.
Step 1: Create API credentials in Proofpoint
Log in to Proofpoint.
Navigate to Settings.
Click New Token, and generate a token.
Save the Token Service Principal and Token Secret yougenerate in a secure location, as you will need them in the next step.
Step 2: Create a Proofpoint source in Panther
In the left-side navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for “Proofpoint,” then click its tile.
In the slide-out panel, click Start Setup.
Enter a descriptive Name for the source, e.g., "My Proofpoint logs."
Click Setup.
On the Set Credentials page, enter values for the following fields:
Proofpoint Domain: Enter the domain name of your Proofpoint instance, e.g., https://tap-api-v2.proofpoint.com.
Token Service Principal: Enter the value you generated in Proofpoint in Step 1.
Token Secret: Enter the value you generated in Proofpoint in Step 1.
Click Setup. You will be directed to a success screen:
You can optionally enable one or more .
The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.
Supported log types
Proofpoint.Event
schema: Proofpoint.Event
description: Event logs pulled from Proofpoint's API
referenceURL: https://help.proofpoint.com/Threat_Insight_Dashboard/API_Documentation/SIEM_API
fields:
- name: messageTime
description: The timestamp of the log.
isEventTime: true
timeFormats:
- rfc3339
type: timestamp
- name: messageParts
description: JSON structure containing parts of the message.
type: json
- name: fromAddress
description: Array of email addresses from which the message was sent.
type: array
element:
type: string
indicator: email
- name: toAddresses
description: Array of email addresses to which the message was sent.
type: array
element:
type: string
indicator: email
- name: recipient
description: Array of email addresses to which the message was sent.
type: array
element:
type: string
indicator: email
- name: threatsInfoMap
description: Array of objects containing threat information.
type: array
element:
type: object
fields:
- name: threatUrl
description: URL associated with the threat.
type: string
indicator: url
- name: threatID
description: Unique identifier for the threat.
type: string
- name: threatStatus
description: Status of the threat.
type: string
- name: classification
description: Classification type of the threat.
type: string
- name: threatTime
description: Timestamp of the threat.
type: string
indicator:
- timestamp
- name: threat
description: Details of the threat.
type: string
- name: campaignID
description: Identifier for the associated campaign.
type: string
- name: threatType
description: Type of threat.
type: string
- name: completelyRewritten
description: Indicates whether the message was completely rewritten or not.
type: boolean
- name: id
description: Unique identifier for the event.
type: string
- name: QID
description: Queue identifier for the message.
type: string
- name: GUID
description: Globally unique identifier for the event.
type: string
- name: sender
description: Email address of the sender.
type: string
indicator:
- email
- name: senderIP
description: IP address of the sender.
type: string
indicator:
- ip
- name: messageID
description: Unique identifier for the message.
type: string
- name: spamScore
description: Score indicating the likelihood the message is spam.
type: int
- name: phishScore
description: Score indicating the likelihood the message is a phishing attempt.
type: int
- name: impostorScore
description: Score indicating the likelihood the sender is an impostor.
type: int
- name: malwareScore
description: Score indicating the likelihood the message contains malware.
type: int
- name: cluster
description: Cluster information related to the event.
type: string
- name: subject
description: Subject line of the email.
type: string
- name: quarantineFolder
description: Folder where the message is quarantined.
type: string
- name: quarantineRule
description: Rule applied for quarantining the message.
type: string
- name: policyRoutes
description: JSON structure containing policy routing information.
type: json
- name: modulesRun
description: JSON structure containing information on the modules run for processing the message.
type: json
- name: messageSize
description: Size of the message in bytes.
type: int
- name: headerFrom
description: Email address in the 'From' header.
type: string
indicator: email
- name: headerReplyTo
description: Email address in the 'Reply-To' header.
type: string
indicator: email
- name: ccAddresses
description: Array of email addresses in the 'CC' field.
type: array
element:
type: string
indicator: email
- name: replyToAddress
description: Array of email addresses in the 'Reply-To' field.
type: array
element:
type: string
indicator: email
- name: xmailer
description: Information about the email client or server that sent the message.
type: string
Proofpoint.Event logs represent activity within a Proofpoint instance. For more information, see .
