
Proofpoint Data Source

The Proofpoint connector enables you to access Proofpoint API endpoints to retrieve security alerts, threat intelligence, email security data, and other security-related information. This connector is particularly useful for applications that need to extract security alerts, analyze threat data, integrate security information with SIEM systems, or build security analytics and reporting solutions. Follow the instructions below to create a new data flow that ingests data from a Proofpoint source in Nexla.

Create a New Data Flow

  1. To create a new data flow, navigate to the Integrate section, and click the New Data Flow button. Then, select the desired flow type from the list, and click the Create button.

  2. Select the Proofpoint connector tile from the list of available connectors. Then, select the credential that will be used to connect to the Proofpoint API, and click Next; or, create a new Proofpoint credential for use in this flow.

  3. In Nexla, Proofpoint data sources can be created using pre-built endpoint templates, which expedite source setup for common Proofpoint API endpoints. Each template is designed specifically for the corresponding Proofpoint API endpoint, making source configuration easy and efficient.
    • To configure this source using a template, follow the instructions in Configure Using a Template.

    Proofpoint sources can also be configured manually, allowing you to ingest data from Proofpoint API endpoints not included in the pre-built templates or apply further customizations to exactly suit your needs.
    • To configure this source manually, follow the instructions in Configure Manually.

Configure Using a Template

Nexla provides pre-built templates that can be used to rapidly configure data sources to ingest data from common Proofpoint API endpoints. Each template is designed specifically for the corresponding Proofpoint API endpoint, making data source setup easy and efficient.

Endpoint Settings

  • Select the endpoint from which this source will fetch data from the Endpoint pulldown menu. Available endpoint templates are listed in the expandable boxes below. Click on an endpoint to see more information about it and how to configure your data source for this endpoint.

    Get Messages Delivered

    This endpoint retrieves delivered message events via Proofpoint's SIEM API. Use this endpoint when you need to extract email delivery data, analyze message events, or integrate email security data with SIEM systems.

    • Enter the TAP base URL in the TAP Base URL field. This is the base URL for your Proofpoint TAP (Threat Analysis Platform) instance, typically in the format https://tap-api.proofpoint.com or your organization's TAP URL.
    • Optionally, specify the response format in the Format field. Common formats include json or jsonp. The default is typically json.
    • Optionally, specify the time range in seconds in the Since Seconds field. This retrieves messages delivered within the specified number of seconds from the current time. For example, 3600 for the last hour, 86400 for the last 24 hours.

    The Get Messages Delivered endpoint uses GET requests to retrieve delivered message events from the Proofpoint SIEM API. The endpoint returns email delivery data including message metadata, threat information, and delivery status. For more information about the Get Messages Delivered endpoint, refer to the Proofpoint SIEM API Documentation.

    Get Alerts

    This endpoint retrieves open alerts using Proofpoint's CASB API. Use this endpoint when you need to extract security alerts, analyze threat incidents, or integrate alert data with security systems.

    • Enter the CASB base URL in the CASB Base URL field. This is the base URL for your Proofpoint CASB (Cloud Access Security Broker) instance, typically in the format https://api.proofpoint.com or your organization's CASB URL.
    • Optionally, specify the maximum number of alerts to return in the Limit field. The default value varies by endpoint. You can adjust this value based on your needs and API rate limits.

    The Get Alerts endpoint uses GET requests to retrieve open security alerts from the Proofpoint CASB API. The endpoint returns alert data including threat information, incident details, and alert status. For more information about the Get Alerts endpoint, refer to the Proofpoint CASB API Documentation.

    List Blocklist Entries

    This endpoint lists sender blocklist entries via Proofpoint's TRAP API. Use this endpoint when you need to extract blocklist information, analyze blocked senders, or integrate blocklist data with email security systems.

    • Enter the TRAP base URL in the TRAP Base URL field. This is the base URL for your Proofpoint TRAP (Threat Response Auto-Pull) instance, typically in the format https://api.proofpoint.com or your organization's TRAP URL.
    • Optionally, specify the page number for pagination in the Page field. The default value is typically 1.
    • Optionally, specify the page size in the Size field. The default value varies by endpoint. You can adjust this value based on your needs.

    The List Blocklist Entries endpoint uses GET requests to retrieve blocklist entries from the Proofpoint TRAP API. The endpoint returns blocklist data including sender information and blocklist configuration. For more information about the List Blocklist Entries endpoint, refer to the Proofpoint API Documentation.

    Get Domain Intelligence

    This endpoint retrieves domain threat intelligence via Proofpoint's ETI API. Use this endpoint when you need to extract threat intelligence data, analyze domain reputation, or integrate threat intelligence with security systems.

    • Enter the ETI base URL in the ETI Base URL field. This is the base URL for your Proofpoint ETI (Emerging Threats Intelligence) instance, typically in the format https://api.proofpoint.com or your organization's ETI URL.
    • Enter the domain name to query in the Example Domain Name field. This is the domain for which you want to retrieve threat intelligence information.

    The Get Domain Intelligence endpoint uses GET requests to retrieve threat intelligence data from the Proofpoint ETI API. The endpoint returns domain reputation data, threat indicators, and intelligence information. For more information about the Get Domain Intelligence endpoint, refer to the Proofpoint ETI API documentation.

Endpoint Testing

Once the selected endpoint template has been configured, Nexla can retrieve a sample of the data that will be fetched according to the current settings. This allows users to verify that the source is configured correctly before saving.

  • To test the current endpoint configuration, click the Test button to the right of the endpoint selection menu. Sample data will be fetched & displayed in the Endpoint Test Result panel on the right.

  • If the sample data is not as expected, review the selected endpoint and associated settings, and make any necessary adjustments. Then, click the Test button again, and check the sample data to ensure that the correct information is displayed.

Configure Manually

Proofpoint data sources can be manually configured to ingest data from any valid Proofpoint API endpoint. Manual configuration provides maximum flexibility for accessing endpoints not covered by pre-built templates or when you need custom API configurations.

With manual configuration, you can also create more complex Proofpoint sources, such as sources that use chained API calls to fetch data from multiple endpoints or sources that require custom authentication headers or request parameters.

API Method

  1. To manually configure this source, select the Advanced tab at the top of the configuration screen.

  2. Select the API method that will be used for calls to the Proofpoint API from the Method pulldown menu. The most common methods are:

    • GET: For retrieving data from the API (most Proofpoint endpoints use GET)

API Endpoint URL

  1. Enter the URL of the Proofpoint API endpoint from which this source will fetch data in the Set API URL field. This should be the complete URL including the protocol (https://) and any required path parameters. Proofpoint API endpoints vary by service:
    • Proofpoint Essentials: https://us1.proofpointessentials.com/api/v1/{resource}
    • Proofpoint TAP: https://tap-api.proofpoint.com/v2/{resource}
    • Proofpoint CASB: https://api.proofpoint.com/v1/{resource}
    • Proofpoint ETI: https://api.proofpoint.com/v1/{resource}

Ensure the API endpoint URL is correct and accessible with your current credentials. You can test the endpoint using the Test button after configuring the URL. The endpoint URL depends on your Proofpoint deployment type (Essentials, TAP, CASB, or ETI). The Proofpoint API requires Basic Authentication with a username and password.

Path to Data

Optional

If only a subset of the data that will be returned by the API endpoint is needed, you can designate the part(s) of the response that should be included in the Nexset(s) produced from this source by specifying the path to the relevant data within the response. This is particularly useful when API responses contain metadata, pagination information, or other data that you don't need for your analysis.

For example, when a request call is used to fetch alerts or messages, the API will typically return data along with metadata. By entering the path to the relevant data, you can configure Nexla to extract the specific records you need.

Path to Data is essential when API responses have nested structures. Without specifying the correct path, Nexla might not be able to properly parse and organize your data into usable records. For Proofpoint API responses, common paths include $ for the entire response, $.messagesDelivered[*] for arrays of messages, or $.alerts[*] for arrays of alerts.

  • To specify which data should be treated as relevant in responses from this source, enter the path to the relevant data in the Set Path to Data in Response field.

    • For responses in JSON format, enter the JSON path that points to the object or array that should be treated as relevant data. JSON paths use dot notation (e.g., $.messagesDelivered to access the messages array).
    Path to Data Example:

    If the API response is in JSON format and includes a messagesDelivered array that contains the message data, the path to the data would be entered as $.messagesDelivered[*].
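
    What each of the paths above selects, shown as an added example (not Nexla's code): a small evaluator for the dot-notation and [*] subset of JSON path, run over a constructed response. The function names and all sample field values are assumptions made for illustration.

```python
import json

# Constructed sample shaped like a SIEM API reply: one metadata field plus
# an array of records. All values are made up for illustration.
SAMPLE_RESPONSE = json.loads("""
{
  "queryEndTime": "2024-01-01T12:00:00Z",
  "messagesDelivered": [
    {"GUID": "constructed-guid-1", "sender": "a@example.com", "subject": "Invoice"},
    {"GUID": "constructed-guid-2", "sender": "b@example.com", "subject": "Reset"}
  ]
}
""")


def tokenize(path):
    """Split '$.messagesDelivered[*]' into ['messagesDelivered', '*']."""
    if not path.startswith("$"):
        raise ValueError("path must start with $")
    tokens = []
    for part in path[1:].split("."):
        if not part:
            continue
        if part.endswith("[*]"):
            name = part[:-3]
            if name:
                tokens.append(name)
            tokens.append("*")
        else:
            tokens.append(part)
    return tokens


def select(document, path):
    """Return the list of nodes the path selects (dot notation and [*] only)."""
    nodes = [document]
    for token in tokenize(path):
        selected = []
        for node in nodes:
            if token == "*":
                if isinstance(node, list):
                    selected.extend(node)       # one node per array element
                elif isinstance(node, dict):
                    selected.extend(node.values())
            elif isinstance(node, dict) and token in node:
                selected.append(node[token])
        nodes = selected                         # missing keys select nothing
    return nodes
```

    With this sample, $ yields a single record that still carries queryEndTime, $.messagesDelivered[*] yields one record per message, and $.alerts[*] (the path for a different endpoint) yields no records at all.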

Autogenerate Path Suggestions

Nexla can also autogenerate data path suggestions based on the response from the API endpoint. These suggested paths can be used as-is or modified to exactly suit your needs.

  • To use this feature, click the Test button next to the Set API URL field to fetch a sample response from the API endpoint. Suggested data paths generated based on the content & format of the response will be displayed in the Suggestions box below the Set Path to Data in Response field.

  • Click on a suggestion to automatically populate the Set Path to Data in Response field with the corresponding path. The populated path can be modified directly within the field if further customization is needed.

Request Headers

Optional
  • If Nexla should include any additional request headers in API calls to this source, enter the headers & corresponding values as comma-separated pairs in the Request Headers field (e.g., header1:value1,header2:value2). Additional headers are often required for API versioning, content type specifications, or custom authentication requirements.

    You do not need to include any headers already present in the credentials. Common headers like Authorization, Content-Type, and Accept are typically handled automatically by Nexla based on your credential configuration. For Proofpoint, the Authorization header with Basic Authentication is automatically included from your credential.
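
    The HTTP request these settings describe, as an added sketch (not Nexla's or Proofpoint's code): it parses the header1:value1,header2:value2 field format, keeps the credential's Authorization header from being overridden, and builds a Basic Authentication GET request without sending it. The function names are hypothetical, and the query parameter names format and sinceSeconds are assumed to correspond to the template's Format and Since Seconds fields.

```python
import base64
from urllib.parse import urlencode

# Headers supplied by the credential; the Request Headers field must not
# override them (assumption based on the note above).
CREDENTIAL_HEADERS = {"authorization"}


def parse_request_headers(field):
    """Parse 'header1:value1,header2:value2' into a dict, rejecting unsafe input."""
    headers = {}
    for pair in filter(None, (p.strip() for p in field.split(","))):
        name, sep, value = pair.partition(":")
        name, value = name.strip(), value.strip()
        if not sep or not name:
            raise ValueError(f"not a name:value pair: {pair!r}")
        if any(c in name + value for c in "\r\n"):
            raise ValueError("CR/LF is not allowed in a header")
        if name.lower() in CREDENTIAL_HEADERS:
            raise ValueError(f"{name} is supplied by the credential")
        headers[name] = value
    return headers


def build_request(base_url, resource, username, password, params, extra_headers=""):
    """Return (url, headers) for a GET request using Basic Authentication."""
    if not base_url.startswith("https://"):
        # Basic credentials are only base64-encoded, so require TLS.
        raise ValueError("Basic Authentication must only be sent over https")
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    headers = parse_request_headers(extra_headers)
    headers["Authorization"] = f"Basic {token}"
    url = f"{base_url.rstrip('/')}/{resource.lstrip('/')}?{urlencode(params)}"
    return url, headers


if __name__ == "__main__":
    # Placeholder credentials; the resource path is an assumed example.
    url, headers = build_request(
        "https://tap-api.proofpoint.com", "v2/siem/messages/delivered",
        "user", "pass", {"format": "json", "sinceSeconds": 3600},
        "Accept:application/json",
    )
    print(url)
    print(sorted(headers))  # header names only, never the secret
```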

Endpoint Testing

After configuring all settings for the selected endpoint, Nexla can retrieve a sample of the data that will be fetched according to the current configuration. This allows users to verify that the source is configured correctly before saving.

  • To test the current endpoint configuration, click the Test button to the right of the endpoint selection menu. Sample data will be fetched & displayed in the Endpoint Test Result panel on the right.

  • If the sample data is not as expected, review the selected endpoint and associated settings, and make any necessary adjustments. Then, click the Test button again, and check the sample data to ensure that the correct information is displayed.

Save & Activate the Source

  1. Once all of the relevant steps in the above sections have been completed, click the Create button in the upper right corner of the screen to save and create the new Proofpoint data source. Nexla will now begin ingesting data from the configured endpoint and will organize any data that it finds into one or more Nexsets.