Ingest Logs from Proofpoint Targeted Attack Protection

Ingest logs from Proofpoint Targeted Attack Protection (TAP).
Ingesting logs from Proofpoint Targeted Attack Protection requires a Cortex XDR Pro per TB license.
To receive logs from Proofpoint Targeted Attack Protection (TAP), you must first configure TAP service credentials in the TAP dashboard, and then the Collection Integrations settings in Cortex XDR based on your Proofpoint TAP configuration. After you set up data collection, Cortex XDR begins receiving new logs and data from the source.
When Cortex XDR begins receiving logs, the app creates a new dataset (proofpoint_tap_raw) that you can use to initiate XQL Search queries. For example queries, refer to the in-app XQL Library.
Configure the Proofpoint TAP collection in Cortex XDR.
  1. Generate TAP Service Credentials in Proofpoint TAP.
    TAP service credentials can be generated in the TAP Dashboard, where you will receive a Proofpoint Service Principal for authentication and Proofpoint API Secret for authentication. Record these credentials as you will need to provide them when configuring the Proofpoint Targeted Attack Protection data collector in Cortex XDR. For more information on generating TAP service credentials, see Generate TAP Service Credentials.
  2. Configure the Proofpoint TAP collection in Cortex XDR.
    1. Select Settings → Configurations → Data Collection → Collection Integrations.
    2. In the Proofpoint Targeted Attack Protection configuration, click the here link to begin a new configuration.
    3. Set these parameters.
      • Name—Specify a descriptive name for your log collection configuration.
      • Proofpoint Endpoint—All Proofpoint endpoints are available on the tap-api-v2.proofpoint.com host. You can leave the default configuration or specify another host.
      • Service Principal—Specify the Proofpoint Service Principal for authentication. TAP service credentials can be generated in the TAP Dashboard as explained in Generate TAP Service Credentials in Proofpoint TAP.
      • API Secret—Specify the Proofpoint API Secret for authentication. TAP service credentials can be generated in the TAP Dashboard as explained in Generate TAP Service Credentials in Proofpoint TAP.
    4. Click Test to validate access, and then click Enable.
      Once events start to come in, a green check mark appears underneath the Proofpoint Targeted Attack Protection configuration with the amount of data received.
  3. (Optional) Manage your Proofpoint Targeted Attack Protection data collector.
    After you enable the Proofpoint Targeted Attack Protection data collector, you can make additional changes as needed.
    You can perform any of the following.
    • Edit the Proofpoint Targeted Attack Protection data collector settings.
    • Disable the Proofpoint Targeted Attack Protection data collector.
    • Delete the Proofpoint Targeted Attack Protection data collector.
