🌙
 

Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Proofpoint Targeted Attack Protection (TAP) Integration Guide

cloud integrations proofpoint


The following instructions are for configuring Proofpoint Targeted Attack Protection (TAP) to facilitate log ingestion into Secureworks® Taegis™ XDR.

Proofpoint Requirements

An active Proofpoint TAP account with privileges to create service credentials is required to integrate with Secureworks® Taegis™ XDR.

Note

Not all Proofpoint subscriptions include TAP.

Data Provided from Integration

  Antivirus Auth CloudAudit DHCP DNS Email Encrypt HTTP Management Netflow NIDS Thirdparty
Proofpoint             D        

Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections

Note

Taegis™ XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.

Generate Proofpoint TAP Service Credentials

  1. Follow the instructions in the Proofpoint documentation, Generate TAP Service Credentials.

  2. Note the Service Principal and Secret for the next steps.

Add Integration in Secureworks® Taegis™ XDR

  1. From the Secureworks® Taegis™ XDR left-hand side navigation, select Integrations → Cloud APIs → Add API Integration.
  2. Choose Set up Proofpoint.

Creating a new Proofpoint integration

Creating a new Proofpoint integration

  1. Enter the following fields — Obtained in the first step:

    • Service Principal
    • Secret
    • Name — This serves as a unique name for your integration; it can include any valid values up to 100 characters.
  2. Select Done. The Cloud API Integrations page is displayed with the successfully added Proofpoint integration.

Once the above steps are completed, Proofpoint integration details are available on the Cloud APIs page. From the Secureworks® Taegis™ XDR left-hand side navigation, select Integrations → Cloud APIs.

Advanced Search using the Query Language

Proofpoint Advanced Search

Proofpoint Advanced Search

Example Query Language Searches

To search for Proofpoint email events from the last 24 hours:

FROM email WHERE sensor_type = 'ProofPoint' and EARLIEST=-24h

To search for Proofpoint email events classified as phishing attempts:

FROM email WHERE sensor_type = 'ProofPoint' AND threats.classification = 'phish'

To search for Proofpoint email events that were NOT blocked:

FROM email WHERE sensor_type = 'ProofPoint' AND status != 'blocked'

Event Details

Proofpoint Event Details

Proofpoint Event Details

Data Normalized by Taegis™ XDR

Proofpoint Normalized Data

Proofpoint Normalized Data

Alert Details

Proofpoint Alert Details

Proofpoint Alert Details

 

On this page: