Proofpoint Logs

Panther supports pulling logs directly from Proofpoint

Overview

Panther has the ability to fetch Proofpoint logs by querying the Proofpoint SIEM API.

How to onboard Proofpoint logs to Panther

To onboard Proofpoint logs, you will generate Proofpoint API credentials, then create a Proofpoint source in Panther.

Step 1: Create API credentials in Proofpoint

Log in to Proofpoint.
Navigate to Settings.
Click New Token, and generate a token.
- Save the Token Service Principal and Token Secret you generate in a secure location, as you will need them in the next step.

Step 2: Create a Proofpoint source in Panther

In the left-side navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for “Proofpoint,” then click its tile.
In the slide-out panel, click Start Setup.
Enter a descriptive Name for the source, e.g., "My Proofpoint logs."
Click Setup.
On the Set Credentials page, enter values for the following fields:
- Proofpoint Domain: Enter the domain name of your Proofpoint instance, e.g., https://tap-api-v2.proofpoint.com.
- Token Service Principal: Enter the value you generated in Proofpoint in Step 1.
- Token Secret: Enter the value you generated in Proofpoint in Step 1.
Click Setup. You will be directed to a success screen:\
- You can optionally enable one or more Detection Packs.
- The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.\

Supported log types

Proofpoint.Event

Proofpoint.Event logs represent activity within a Proofpoint instance. For more information, see Proofpoint's documentation.

schema: Proofpoint.Event
description: Event logs pulled from Proofpoint's API
referenceURL: https://help.proofpoint.com/Threat_Insight_Dashboard/API_Documentation/SIEM_API
fields:
  - name: messageTime
    description: The timestamp of the log.
    isEventTime: true
    timeFormats:
      - rfc3339
    type: timestamp
  - name: messageParts
    description: JSON structure containing parts of the message.
    type: json
  - name: fromAddress
    description: Array of email addresses from which the message was sent.
    type: array
    element:
      type: string
      indicator: email
  - name: toAddresses
    description: Array of email addresses to which the message was sent.
    type: array
    element:
      type: string
      indicator: email
  - name: recipient
    description: Array of email addresses to which the message was sent.
    type: array
    element:
      type: string
      indicator: email
  - name: threatsInfoMap
    description: Array of objects containing threat information.
    type: array
    element:
      type: object
      fields:
        - name: threatUrl
          description: URL associated with the threat.
          type: string
          indicator: url
        - name: threatID
          description: Unique identifier for the threat.
          type: string
        - name: threatStatus
          description: Status of the threat.
          type: string
        - name: classification
          description: Classification type of the threat.
          type: string
        - name: threatTime
          description: Timestamp of the threat.
          type: string
          indicator:
            - timestamp
        - name: threat
          description: Details of the threat.
          type: string
        - name: campaignID
          description: Identifier for the associated campaign.
          type: string
        - name: threatType
          description: Type of threat.
          type: string
  - name: completelyRewritten
    description: Indicates whether the message was completely rewritten or not.
    type: boolean
  - name: id
    description: Unique identifier for the event.
    type: string
  - name: QID
    description: Queue identifier for the message.
    type: string
  - name: GUID
    description: Globally unique identifier for the event.
    type: string
  - name: sender
    description: Email address of the sender.
    type: string
    indicator:
      - email
  - name: senderIP
    description: IP address of the sender.
    type: string
    indicator:
      - ip
  - name: messageID
    description: Unique identifier for the message.
    type: string
  - name: spamScore
    description: Score indicating the likelihood the message is spam.
    type: int
  - name: phishScore
    description: Score indicating the likelihood the message is a phishing attempt.
    type: int
  - name: impostorScore
    description: Score indicating the likelihood the sender is an impostor.
    type: int
  - name: malwareScore
    description: Score indicating the likelihood the message contains malware.
    type: int
  - name: cluster
    description: Cluster information related to the event.
    type: string
  - name: subject
    description: Subject line of the email.
    type: string
  - name: quarantineFolder
    description: Folder where the message is quarantined.
    type: string
  - name: quarantineRule
    description: Rule applied for quarantining the message.
    type: string
  - name: policyRoutes
    description: JSON structure containing policy routing information.
    type: json
  - name: modulesRun
    description: JSON structure containing information on the modules run for processing the message.
    type: json
  - name: messageSize
    description: Size of the message in bytes.
    type: int
  - name: headerFrom
    description: Email address in the 'From' header.
    type: string
    indicator: email
  - name: headerReplyTo
    description: Email address in the 'Reply-To' header.
    type: string
    indicator: email
  - name: ccAddresses
    description: Array of email addresses in the 'CC' field.
    type: array
    element:
      type: string
      indicator: email
  - name: replyToAddress
    description: Array of email addresses in the 'Reply-To' field.
    type: array
    element:
      type: string
      indicator: email
  - name: xmailer
    description: Information about the email client or server that sent the message.
    type: string

PreviousPanther Audit Log Actions NextPush Security Logs

Last updated 11 months ago

Was this helpful?

schema: Proofpoint.Event description: Event logs pulled from Proofpoint's API referenceURL: https://help.proofpoint.com/Threat_Insight_Dashboard/API_Documentation/SIEM_API fields: - name: messageTime description: The timestamp of the log. isEventTime: true timeFormats: - rfc3339 type: timestamp - name: messageParts description: JSON structure containing parts of the message. type: json - name: fromAddress description: Array of email addresses from which the message was sent. type: array element: type: string indicator: email - name: toAddresses description: Array of email addresses to which the message was sent. type: array element: type: string indicator: email - name: recipient description: Array of email addresses to which the message was sent. type: array element: type: string indicator: email - name: threatsInfoMap description: Array of objects containing threat information. type: array element: type: object fields: - name: threatUrl description: URL associated with the threat. type: string indicator: url - name: threatID description: Unique identifier for the threat. type: string - name: threatStatus description: Status of the threat. type: string - name: classification description: Classification type of the threat. type: string - name: threatTime description: Timestamp of the threat. type: string indicator: - timestamp - name: threat description: Details of the threat. type: string - name: campaignID description: Identifier for the associated campaign. type: string - name: threatType description: Type of threat. type: string - name: completelyRewritten description: Indicates whether the message was completely rewritten or not. type: boolean - name: id description: Unique identifier for the event. type: string - name: QID description: Queue identifier for the message. type: string - name: GUID description: Globally unique identifier for the event. type: string - name: sender description: Email address of the sender. type: string indicator: - email - name: senderIP description: IP address of the sender. type: string indicator: - ip - name: messageID description: Unique identifier for the message. type: string - name: spamScore description: Score indicating the likelihood the message is spam. type: int - name: phishScore description: Score indicating the likelihood the message is a phishing attempt. type: int - name: impostorScore description: Score indicating the likelihood the sender is an impostor. type: int - name: malwareScore description: Score indicating the likelihood the message contains malware. type: int - name: cluster description: Cluster information related to the event. type: string - name: subject description: Subject line of the email. type: string - name: quarantineFolder description: Folder where the message is quarantined. type: string - name: quarantineRule description: Rule applied for quarantining the message. type: string - name: policyRoutes description: JSON structure containing policy routing information. type: json - name: modulesRun description: JSON structure containing information on the modules run for processing the message. type: json - name: messageSize description: Size of the message in bytes. type: int - name: headerFrom description: Email address in the 'From' header. type: string indicator: email - name: headerReplyTo description: Email address in the 'Reply-To' header. type: string indicator: email - name: ccAddresses description: Array of email addresses in the 'CC' field. type: array element: type: string indicator: email - name: replyToAddress description: Array of email addresses in the 'Reply-To' field. type: array element: type: string indicator: email - name: xmailer description: Information about the email client or server that sent the message. type: string