Proofpoint Targeted Attack Protection (TAP) Integration Guide

The following instructions are for configuring Proofpoint Targeted Attack Protection (TAP) to facilitate log ingestion into Secureworks® Taegis™ XDR.

Proofpoint Requirements

An active Proofpoint TAP account with privileges to create service credentials is required to integrate with XDR.

Note

Not all Proofpoint subscriptions include TAP.

Data Provided from Integration

Normalized Data | Out-of-the-Box Detections | Vendor-Specific Detections
Proofpoint: HTTP, Email | |

Note

XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.

Generate Proofpoint TAP Service Credentials

  1. Follow the instructions in the Proofpoint documentation, Generate TAP Service Credentials.

  2. Note the Service Principal and Secret for the next steps.

Add Integration in XDR

  1. From the Taegis Menu, select Integrations → Cloud APIs.

  2. Select Add an Integration from the top of the page.

    Add an Integration

  3. From the Optimized tab, select Proofpoint.

    Creating a new Proofpoint Integration

  4. Enter the following fields (the Service Principal and Secret are the values noted when you generated the TAP service credentials):

    • Service Principal
    • Secret
    • Name — This serves as a unique name for your integration; it can include any valid values up to 100 characters.
  5. Select Done. The Cloud API Integrations page is displayed with the successfully added Proofpoint integration.

Once the above steps are completed, Proofpoint integration details are available on the Cloud APIs page. From the Taegis Menu, select Integrations → Cloud APIs.

Advanced Search using the Query Language

Proofpoint Advanced Search

Example Query Language Searches

To search for Proofpoint email events from the last 24 hours:

FROM email WHERE sensor_type = 'ProofPoint' AND EARLIEST=-24h

To search for Proofpoint email events classified as phishing attempts:

FROM email WHERE sensor_type = 'ProofPoint' AND threats.classification = 'phish'

To search for Proofpoint email events that were NOT blocked:

FROM email WHERE sensor_type = 'ProofPoint' AND status != 'blocked'
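As an added example that is not part of the original guide, the three filters above can be combined into one triage query that surfaces messages Proofpoint classified as phishing but did not block in the last 24 hours; these are the events most worth reviewing first, and a query of this shape is also a natural basis for the Custom Alert Rules mentioned earlier. The field names and values are the ones used in the examples above; the sort and limit clauses are assumptions about the query language and can be dropped if they are not accepted.

```text
FROM email
WHERE sensor_type = 'ProofPoint'
  AND threats.classification = 'phish'
  AND status != 'blocked'
  AND EARLIEST=-24h
```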

Event Details

Proofpoint Event Details

Data Normalized by XDR

Proofpoint Normalized Data

Alert Details

Proofpoint Alert Details