Skip to main content

Proofpoint

Proofpoint is a comprehensive cybersecurity platform that provides threat detection, email security, and security analytics solutions. The Proofpoint connector enables you to access Proofpoint API endpoints to retrieve security alerts, threat intelligence, email security data, and other security-related information. This connector is particularly useful for applications that need to extract security alerts, analyze threat data, integrate security information with SIEM systems, or build security analytics and reporting solutions.

Proofpoint icon

Power end-to-end data operations for your Proofpoint API with Nexla. Our bi-directional Proofpoint connector is purpose-built for Proofpoint, making it simple to ingest data, sync it across systems, and deliver it anywhere — all with no coding required. Nexla turns API-sourced data into ready-to-use, reusable data products and makes it easy to send data to Proofpoint or any other destination. With comprehensive monitoring, lineage tracking, and access controls, Nexla keeps your Proofpoint workflows fast, secure, and fully governed.

Features

Type: API

SourceDestination

  • Seamless API Integration: Connect to any endpoint as source or destination without coding, with automatic data product creation
  • Visual Composition & Chaining: Build complex integrations using visual templates, chain API calls, and compose workflows with data validation and filtering
  • API Proxy: Expose curated slices of your data securely with a secure and customizable API proxy that validates and transforms data on the fly
  • Request optimization with intelligent batching, retry, and caching to minimize API calls and costs

Prerequisites

Before creating a Proofpoint credential, you'll need to obtain authentication credentials (username and password or API key) from your Proofpoint account. Proofpoint provides API credentials for programmatic access to their security platform through the Proofpoint admin console.

To obtain Proofpoint API credentials:

  1. Log in to your Proofpoint admin console. The URL depends on your Proofpoint deployment type:

    • Proofpoint Essentials: https://us1.proofpointessentials.com or your region-specific URL
    • Proofpoint TAP (Threat Analysis Platform): Your organization's Proofpoint TAP URL
    • Proofpoint CASB: Your organization's Proofpoint CASB URL
  2. Navigate to Settings > API or Administration > API Access section in the admin console.

  3. In the API settings, locate the API key management area. Proofpoint uses username/password or API key authentication depending on your deployment type.

  4. If you're using Proofpoint Essentials, you'll typically use your admin username and password for Basic Authentication.

  5. If you're using Proofpoint TAP or other Proofpoint services, you may need to generate API credentials or use service account credentials.

  6. Copy the Username (or API Key) and Password immediately. Store them securely, as you'll need them to authenticate API requests.

Proofpoint authentication methods vary by deployment type. Proofpoint Essentials typically uses Basic Authentication with username and password. Proofpoint TAP and other services may use different authentication methods. Ensure you have the correct credentials for your specific Proofpoint deployment type.

For detailed information about Proofpoint API authentication and credential management, refer to the Proofpoint SIEM API Documentation.

Authenticate

Credentials required

A standard authentication method that requires sending encoded username and password credentials along with the requests for Proofpoint

FieldRequiredSecretDescription
Username Or API KeyYesNoYour username or personal API Key for Proofpoint
PasswordYesYesYour password for Proofpoint

Create a credential in Nexla

  1. After selecting the data source/destination type, click the Add Credential tile to open the Add New Credential overlay.

New Credential Overlay – Proofpoint

ProofpointCred.png
  1. Enter a name for the credential in the Credential Name field and a short, meaningful description in the Credential Description field.

  2. In the Username Or API Key field, enter your Proofpoint username or API key. This is used for Basic Authentication to access the Proofpoint API.

  3. In the Password field, enter your Proofpoint password. This is used for Basic Authentication along with the username.

    The password is sensitive information and should be kept secure. If you've lost your password, you'll need to reset it in your Proofpoint admin console. For Proofpoint Essentials, use your admin account credentials. For other Proofpoint services, use the appropriate service account or API credentials.

  4. Click the Save button at the bottom of the overlay. The newly added credential will now appear in a tile on the Authenticate screen during data source/destination creation.

Use as a data source

To create a new data flow, navigate to the Integrate section, and click the New Data Flow button. Select the Proofpoint connector tile, then select the credential that will be used to connect to the Proofpoint API, and click Next; or, create a new Proofpoint credential for use in this flow.

Endpoint templates

Nexla provides pre-built templates that can be used to rapidly configure data sources to ingest data from common Proofpoint API endpoints. Select the endpoint from which this source will fetch data from the Endpoint pulldown menu. Available endpoint templates are listed in the expandable boxes below.

Get Messages Delivered

This endpoint retrieves delivered message events via Proofpoint's SIEM API. Use this endpoint when you need to extract email delivery data, analyze message events, or integrate email security data with SIEM systems.

  • Enter the TAP base URL in the TAP Base URL field. This is the base URL for your Proofpoint TAP (Threat Analysis Platform) instance, typically in the format https://tap-api.proofpoint.com or your organization's TAP URL.
  • Optionally, specify the response format in the Format field. Common formats include json or jsonp. The default is typically json.
  • Optionally, specify the time range in seconds in the Since Seconds field. This retrieves messages delivered within the specified number of seconds from the current time. For example, 3600 for the last hour, 86400 for the last 24 hours.

The Get Messages Delivered endpoint uses GET requests to retrieve delivered message events from the Proofpoint SIEM API. The endpoint returns email delivery data including message metadata, threat information, and delivery status. For more information about the Get Messages Delivered endpoint, refer to the Proofpoint SIEM API Documentation.

Get Alerts

This endpoint retrieves open alerts using Proofpoint's CASB API. Use this endpoint when you need to extract security alerts, analyze threat incidents, or integrate alert data with security systems.

  • Enter the CASB base URL in the CASB Base URL field. This is the base URL for your Proofpoint CASB (Cloud Access Security Broker) instance, typically in the format https://api.proofpoint.com or your organization's CASB URL.
  • Optionally, specify the maximum number of alerts to return in the Limit field. The default value varies by endpoint. You can adjust this value based on your needs and API rate limits.

The Get Alerts endpoint uses GET requests to retrieve open security alerts from the Proofpoint CASB API. The endpoint returns alert data including threat information, incident details, and alert status. For more information about the Get Alerts endpoint, refer to the Proofpoint CASB API Documentation.

List Blocklist Entries

This endpoint lists sender blocklist entries via Proofpoint's TRAP API. Use this endpoint when you need to extract blocklist information, analyze blocked senders, or integrate blocklist data with email security systems.

  • Enter the TRAP base URL in the TRAP Base URL field. This is the base URL for your Proofpoint TRAP (Threat Response Auto-Pull) instance, typically in the format https://api.proofpoint.com or your organization's TRAP URL.
  • Optionally, specify the page number for pagination in the Page field. The default value is typically 1.
  • Optionally, specify the page size in the Size field. The default value varies by endpoint. You can adjust this value based on your needs.

The List Blocklist Entries endpoint uses GET requests to retrieve blocklist entries from the Proofpoint TRAP API. The endpoint returns blocklist data including sender information and blocklist configuration. For more information about the List Blocklist Entries endpoint, refer to the Proofpoint API Documentation.

Get Domain Intelligence

This endpoint retrieves domain threat intelligence via Proofpoint's ETI API. Use this endpoint when you need to extract threat intelligence data, analyze domain reputation, or integrate threat intelligence with security systems.

  • Enter the ETI base URL in the ETI Base URL field. This is the base URL for your Proofpoint ETI (Emerging Threats Intelligence) instance, typically in the format https://api.proofpoint.com or your organization's ETI URL.
  • Enter the domain name to query in the Example Domain Name field. This is the domain for which you want to retrieve threat intelligence information.

The Get Domain Intelligence endpoint uses GET requests to retrieve threat intelligence data from the Proofpoint ETI API. The endpoint returns domain reputation data, threat indicators, and intelligence information. For more information about the Get Domain Intelligence endpoint, refer to the Proofpoint ETI API documentation.

Once the selected endpoint template has been configured, click the Test button to the right of the endpoint selection menu to retrieve a sample of the data that will be fetched. Sample data will be displayed in the Endpoint Test Result panel on the right, allowing you to verify that the source is configured correctly before saving.

Manual configuration

Proofpoint data sources can also be manually configured to ingest data from any valid Proofpoint API endpoint, including endpoints not covered by the pre-built templates, chained API calls, or custom request parameters. Select the Advanced tab at the top of the configuration screen, and follow the instructions in Connect to Any API to configure the API method, endpoint URL, date/time and lookup macros, path to data, metadata, and request headers.

Proofpoint API endpoint URLs vary by deployment type: Proofpoint Essentials (https://us1.proofpointessentials.com/api/v1/{resource}), Proofpoint TAP (https://tap-api.proofpoint.com/v2/{resource}), Proofpoint CASB (https://api.proofpoint.com/v1/{resource}), and Proofpoint ETI (https://api.proofpoint.com/v1/{resource}). For the response data path, use $.messagesDelivered[*] to extract arrays of messages, $.alerts[*] to extract arrays of alerts, or $ for the entire response. Additional request headers are rarely needed since the Authorization header for Basic Authentication (username/password) is automatically included from your credential. For complete information about Proofpoint API endpoints, refer to the Proofpoint SIEM API Documentation.

Once all of the relevant settings have been configured, click the Create button in the upper right corner of the screen to save and create the new Proofpoint data source. Nexla will now begin ingesting data from the configured endpoint and will organize any data that it finds into one or more Nexsets.