External Systems Configuration Guide

Proofpoint


What is Discovered and Monitored

Protocol                 API
Information Discovered   Alert
Metrics Collected        Event logs
Used For                 Security Monitoring

Event Types

In ADMIN > Device Support > Event Types, search for "Proofpoint-" to see the event types associated with this device. In FortiSIEM 6.2.0, there are 2 event types defined.

Rules

There are no specific rules available for Proofpoint.

Reports

There are no specific reports available for Proofpoint. You can view all Proofpoint events by taking the following steps.

  1. From the ANALYTICS page, click in the Edit Filters and Time Range field.
  2. Under Filter, select Event Attribute.
  3. In the Attribute field, select/enter "Event Type".
  4. In the Operator field, select "CONTAIN".
  5. In the Value field, enter "Proofpoint".
  6. (Optional) Click Save to save the search parameters for future related searches.
  7. Click Apply & Run.

Configuration

API

FortiSIEM pulls events from Proofpoint through the Proofpoint SIEM API. In the Proofpoint portal, create an API service principal and secret; FortiSIEM authenticates to the API with that Principal and Secret. The API itself is documented by Proofpoint. The secret grants read access to your tenant's alert data, so keep it only in the FortiSIEM credential store and rotate it in both places if it is ever exposed.

Setup in FortiSIEM

Complete these steps in the FortiSIEM UI:

  1. Go to the ADMIN > Setup > Credentials tab.
  2. In Step 1: Enter Credentials, click New to create a new credential.
    1. Follow the instructions in “Setting Credentials“ in the User's Guide to create a new credential.
    2. Enter these settings in the Access Method Definition dialog box:

      Setting          Description
      Name             Enter a name for the credential.
      Device Type      Proofpoint
      Access Protocol  Proofpoint SIEM API
      Pull Interval    5 minutes
      Principal        The access key (service principal) for your Proofpoint instance.
      Secret           The secret for your Proofpoint instance.
      Confirm Secret   Enter the same secret again for verification.
      Organization     Choose the Organization the instance belongs to.
      Description      Description of the instance.
  3. In Step 2: Enter IP Range to Credential Associations, click New to create a new mapping.
    1. Enter a host name, an IP, or an IP range in the IP/Host Name field.
    2. Select the name of your credential from the Credentials drop-down list.
    3. Click Save.
  4. Click the Test drop-down list and select Test Connectivity to test the connection to Proofpoint.
  5. To see the jobs associated with Proofpoint, select ADMIN > Setup > Pull Events.
  6. To see the received events select ANALYTICS, then enter "Proofpoint" in the search box.


Sample Log

2018-09-29 17:56:00 [FSM-PROOFPOINT] [1] [clicksPermitted]:{"campaignId":"46e01b8a-c899-404d-bcd9-189bb393d1a7","classification":"MALWARE","clickIP":"192.0.2.1","clickTime":"2016-06-24T19:17:44.000Z","messageID":"8c6cfedd-3050-4d65-8c09-c5f65c38da81","recipient":"bruce.wayne@pharmtech.zz","sender":"9facbf452def2d7efc5b5c48cdb837fa@badguy.zz","senderIP":"192.0.2.255","threatID":"61f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50","threatTime":"2016-06-24T19:17:46.000Z","threatURL":"https://threatinsight.proofpoint.com/#/73aa0499-dfc8-75eb-1de8-a471b24a2e75/threat/u/61f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50","url":"http://badguy.zz/","userAgent":"Mozilla/5.0(WindowsNT6.1;WOW64;rv:27.0)Gecko/20100101Firefox/27.0"}
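Because FortiSIEM ships no Proofpoint-specific rules or reports, the analyst is left to decide what in these events matters. The following script is an added example, not FortiSIEM's parser or Proofpoint's code: it splits a line in the format of the sample log above (timestamp, [FSM-PROOFPOINT], sequence number, event category, JSON body) into its header and JSON fields, rejects malformed lines, and applies an assumed triage rule that a permitted click on a MALWARE or PHISH URL is the case needing a human. The second sample line (a clicksBlocked event) is constructed here to show the contrast; the severity labels and the required-field list are the example's own choices, and the URL is defanged before it is reported so the output cannot be clicked.

```python
import json
import re
from dataclasses import dataclass
from typing import Optional

# Header layout taken from the sample log on this page:
#   <YYYY-MM-DD HH:MM:SS> [FSM-PROOFPOINT] [<seq>] [<category>]:<json body>
_LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"\[FSM-PROOFPOINT\] \[(?P<seq>\d+)\] \[(?P<category>\w+)\]:(?P<body>\{.*\})\s*$"
)

# Fields the triage rule below depends on (an assumption of this example).
_REQUIRED = ("classification", "recipient", "url")

# Constructed input: line 1 is the page's sample log, line 2 is made up here
# to show a blocked click with a different classification.
SAMPLE_LINES = [
    '2018-09-29 17:56:00 [FSM-PROOFPOINT] [1] [clicksPermitted]:{"campaignId":"46e01b8a-c899-404d-bcd9-189bb393d1a7","classification":"MALWARE","clickIP":"192.0.2.1","clickTime":"2016-06-24T19:17:44.000Z","messageID":"8c6cfedd-3050-4d65-8c09-c5f65c38da81","recipient":"bruce.wayne@pharmtech.zz","sender":"9facbf452def2d7efc5b5c48cdb837fa@badguy.zz","senderIP":"192.0.2.255","threatID":"61f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50","threatTime":"2016-06-24T19:17:46.000Z","threatURL":"https://threatinsight.proofpoint.com/#/73aa0499-dfc8-75eb-1de8-a471b24a2e75/threat/u/61f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50","url":"http://badguy.zz/","userAgent":"Mozilla/5.0(WindowsNT6.1;WOW64;rv:27.0)Gecko/20100101Firefox/27.0"}',
    '2018-09-29 17:56:01 [FSM-PROOFPOINT] [2] [clicksBlocked]:{"classification":"PHISH","clickIP":"192.0.2.7","clickTime":"2018-09-29T17:50:00.000Z","recipient":"alfred@pharmtech.zz","sender":"promo@example.zz","senderIP":"192.0.2.9","threatID":"0000","threatTime":"2018-09-29T17:49:00.000Z","url":"http://example.zz/","userAgent":"curl/7.0"}',
]


@dataclass
class ProofpointEvent:
    timestamp: str
    seq: int
    category: str   # e.g. clicksPermitted, clicksBlocked
    fields: dict


def parse_line(line: str) -> Optional[ProofpointEvent]:
    """Parse one FSM-PROOFPOINT line; return None if the header or JSON is malformed."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    try:
        body = json.loads(m.group("body"))
    except json.JSONDecodeError:
        return None
    if not isinstance(body, dict) or any(k not in body for k in _REQUIRED):
        return None
    return ProofpointEvent(m.group("ts"), int(m.group("seq")), m.group("category"), body)


def defang(url: str) -> str:
    """Make a threat URL safe to paste into a ticket or chat (no live link)."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def triage(ev: ProofpointEvent) -> dict:
    """Assumed severity rule (not FortiSIEM's): a permitted click on a MALWARE or
    PHISH URL needs a human; any other permitted click is medium; blocked is info."""
    cls = ev.fields.get("classification", "").upper()
    if ev.category == "clicksPermitted" and cls in {"MALWARE", "PHISH"}:
        severity = "high"
    elif ev.category == "clicksPermitted":
        severity = "medium"
    else:
        severity = "info"
    return {
        "severity": severity,
        "seq": ev.seq,
        "recipient": ev.fields["recipient"],
        "url": defang(ev.fields["url"]),
        "classification": cls,
    }


def triage_lines(lines):
    """Parse and triage a batch; malformed lines are counted rather than silently dropped."""
    results, rejected = [], 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            rejected += 1
            continue
        results.append(triage(ev))
    return results, rejected


if __name__ == "__main__":
    found, bad = triage_lines(SAMPLE_LINES)
    for r in found:
        print(r)
    print(f"{len(found)} events triaged, {bad} rejected")
```

The counting of rejected lines is deliberate: a parser that silently skips what it cannot read hides a format change on the feed, which in practice shows up as a quiet drop in event volume rather than an error.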
