External Systems Configuration Guide

Proofpoint

 

What is Discovered and Monitored

Protocol   Information Discovered   Metrics Collected   Used For
API                                 Alert event logs    Security Monitoring

Event Types

In ADMIN > Device Support > Event Types, search for "Proofpoint-" to see the event types associated with this device. In FortiSIEM 6.2.0, there are 2 event types defined.

Rules

There are no specific rules available for Proofpoint.

Reports

There are no specific reports available for Proofpoint. You can view all Proofpoint events by taking the following steps.

  1. From the ANALYTICS page, click in the Edit Filters and Time Range field.
  2. Under Filter, select Event Attribute.
  3. In the Attribute field, select/enter "Event Type".
  4. In the Operator field, select "CONTAIN".
  5. In the Value field, enter "Proofpoint".
  6. (Optional) Click Save to save the search parameters for future related searches.
  7. Click Apply & Run.

Configuration

API

FortiSIEM pulls events from Proofpoint through the Proofpoint SIEM API. In the Proofpoint portal, generate the API Principal (access key) and Secret and keep them available; they are entered as the FortiSIEM credential in the steps below. FortiSIEM uses the Proofpoint SIEM API as described in Proofpoint's API documentation.

Setup in FortiSIEM

Complete these steps in the FortiSIEM UI:

  1. Go to the ADMIN > Setup > Credentials tab.
  2. In Step 1: Enter Credentials, click New to create a new credential.
    1. Follow the instructions in “Setting Credentials“ in the User's Guide to create a new credential.
    2. Enter these settings in the Access Method Definition dialog box:

      Setting            Description
      Name               Enter a name for the credential.
      Device Type        Proofpoint Proofpoint
      Access Protocol    Proofpoint SIEM API
      Pull Interval      5 minutes
      Principal          The access key (API principal) for your Proofpoint instance.
      Secret             The secret for your Proofpoint instance. Treat it like a password: it grants read access to every threat event in the tenant.
      Confirm Secret     Enter the same secret again for verification.
      Organization       Choose the Organization the instance belongs to.
      Description        Description of the instance.
  3. In Step 2: Enter IP Range to Credential Associations, click New to create a new mapping.
    1. Enter a host name, an IP, or an IP range in the IP/Host Name field.
    2. Select the name of your credential from the Credentials drop-down list.
    3. Click Save.
  4. Click the Test drop-down list and select Test Connectivity to test the connection to Proofpoint.
  5. To see the jobs associated with Proofpoint, select ADMIN > Setup > Pull Events.
  6. To see the received events select ANALYTICS, then enter "Proofpoint" in the search box.
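When Test Connectivity fails it helps to reproduce the pull outside FortiSIEM with the same Principal and Secret. The script below is an added example, not FortiSIEM or Proofpoint code: it builds the SIEM API request the way the credential above implies (HTTP Basic auth with Principal as user name and Secret as password, a JSON pull over the last five minutes to match the Pull Interval) and turns the two most common failures into readable messages. The base URL, endpoint names, the sinceSeconds parameter and the one-hour window limit are taken from Proofpoint's SIEM API documentation and should be checked against its current version; the PP_PRINCIPAL and PP_SECRET environment variable names are this example's own.

```python
"""Reproduce the Proofpoint SIEM API pull that the FortiSIEM credential performs.

Added example, not FortiSIEM or Proofpoint code. Base URL, endpoints,
sinceSeconds and the one-hour window limit follow Proofpoint's SIEM API
documentation; verify them against the current version before relying on them.
"""
import base64
import json
import os
import urllib.error
import urllib.parse
import urllib.request

SIEM_BASE = "https://tap-api-v2.proofpoint.com/v2/siem"
ENDPOINTS = {"all", "clicks/blocked", "clicks/permitted",
             "messages/blocked", "messages/delivered", "issues"}
MAX_WINDOW_SECONDS = 3600      # the API rejects windows longer than one hour
DEFAULT_WINDOW_SECONDS = 300   # matches the 5-minute Pull Interval in the credential


def basic_auth_header(principal: str, secret: str) -> str:
    """HTTP Basic auth: the Principal is the user name, the Secret the password."""
    token = base64.b64encode(f"{principal}:{secret}".encode()).decode()
    return f"Basic {token}"


def build_siem_request(principal, secret, since_seconds=DEFAULT_WINDOW_SECONDS, endpoint="all"):
    """Return (url, headers) for a pull covering the last `since_seconds` seconds.
    Validates locally what the API would otherwise reject with an opaque HTTP 400."""
    if endpoint not in ENDPOINTS:
        raise ValueError(f"unknown SIEM endpoint {endpoint!r}")
    if not 1 <= since_seconds <= MAX_WINDOW_SECONDS:
        raise ValueError(f"sinceSeconds must be 1..{MAX_WINDOW_SECONDS}, got {since_seconds}")
    query = urllib.parse.urlencode({"format": "json", "sinceSeconds": since_seconds})
    headers = {
        "Authorization": basic_auth_header(principal, secret),
        "Accept": "application/json",
    }
    return f"{SIEM_BASE}/{endpoint}?{query}", headers


def fetch_events(principal, secret, since_seconds=DEFAULT_WINDOW_SECONDS, endpoint="all"):
    """Perform the pull; map the two failures seen most often to clear messages."""
    url, headers = build_siem_request(principal, secret, since_seconds, endpoint)
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        if exc.code == 401:
            raise RuntimeError("Proofpoint rejected the Principal/Secret (HTTP 401); "
                               "re-check the credential generated in the portal") from exc
        if exc.code == 400:
            raise RuntimeError("Proofpoint rejected the request parameters (HTTP 400); "
                               "the time window is probably outside the retained range") from exc
        raise


if __name__ == "__main__":
    # Assumed variable names for this example. Read the credential from the
    # environment rather than hard-coding it: the Secret grants read access to
    # every threat event in the tenant.
    principal = os.environ.get("PP_PRINCIPAL")
    secret = os.environ.get("PP_SECRET")
    if not (principal and secret):
        raise SystemExit("set PP_PRINCIPAL and PP_SECRET (from the Proofpoint portal) first")
    data = fetch_events(principal, secret)
    # The /all endpoint groups events by category in one JSON object.
    for category in ("clicksPermitted", "clicksBlocked", "messagesDelivered", "messagesBlocked"):
        print(f"{category}: {len(data.get(category, []))} events")
```

A 401 here means the credential itself is wrong and no FortiSIEM setting will fix it; a 400 usually means the requested window is older than the API retains, which is also why a collector outage longer than the retention period loses events that a later pull cannot recover.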

 

Sample Log

2018-09-29 17:56:00 [FSM-PROOFPOINT] [1] [clicksPermitted]:{"campaignId":"46e01b8a-c899-404d-bcd9-189bb393d1a7","classification":"MALWARE","clickIP":"192.0.2.1","clickTime":"2016-06-24T19:17:44.000Z","messageID":"8c6cfedd-3050-4d65-8c09-c5f65c38da81","recipient":"bruce.wayne@pharmtech.zz","sender":"9facbf452def2d7efc5b5c48cdb837fa@badguy.zz","senderIP":"192.0.2.255","threatID":"61f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50","threatTime":"2016-06-24T19:17:46.000Z","threatURL":"https://threatinsight.proofpoint.com/#/73aa0499-dfc8-75eb-1de8-a471b24a2e75/threat/u/61f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50","url":"http://badguy.zz/","userAgent":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0"}
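The sample line is the FortiSIEM wrapper (timestamp, [FSM-PROOFPOINT], a sequence number and the Proofpoint event category) followed by the raw JSON object from the SIEM API. Because the guide ships no Proofpoint rules, the most useful thing to do with such lines is the triage FortiSIEM does not do for you: a clicksPermitted event classified MALWARE or PHISH means a user actually reached the malicious URL, so the clickIP host needs endpoint triage, whereas a clicksBlocked event is informational. The code below is an added example, not FortiSIEM or Proofpoint code. It parses the wrapper, handles both click events (classification at top level, as in the sample) and message events (classification per threat in threatsInfoMap, recipient as a list, per the SIEM API message schema), and applies those severity choices, which are this example's own. The first sample line is the one from the guide; the other lines are constructed for the example.

```python
"""Parse FortiSIEM's [FSM-PROOFPOINT] log wrapper and triage the embedded
Proofpoint SIEM event. Added example, not FortiSIEM or Proofpoint code."""
import json
import re
from dataclasses import dataclass

# Wrapper as seen in the Sample Log:
#   <timestamp> [FSM-PROOFPOINT] [<seq>] [<event category>]:<JSON object>
WRAPPER_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"\[FSM-PROOFPOINT\] \[(?P<seq>\d+)\] \[(?P<category>\w+)\]:(?P<body>\{.*\})$"
)
ALERT_CLASSES = {"MALWARE", "PHISH"}   # classifications this example treats as actionable

# First line is the guide's sample; the rest are constructed for this example.
SAMPLE_LINES = [
    '2018-09-29 17:56:00 [FSM-PROOFPOINT] [1] [clicksPermitted]:{"campaignId":"46e01b8a-c899-404d-bcd9-189bb393d1a7","classification":"MALWARE","clickIP":"192.0.2.1","clickTime":"2016-06-24T19:17:44.000Z","messageID":"8c6cfedd-3050-4d65-8c09-c5f65c38da81","recipient":"bruce.wayne@pharmtech.zz","sender":"9facbf452def2d7efc5b5c48cdb837fa@badguy.zz","senderIP":"192.0.2.255","threatID":"61f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50","threatTime":"2016-06-24T19:17:46.000Z","threatURL":"https://threatinsight.proofpoint.com/#/73aa0499-dfc8-75eb-1de8-a471b24a2e75/threat/u/61f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50","url":"http://badguy.zz/","userAgent":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0"}',
    '2018-09-29 17:56:01 [FSM-PROOFPOINT] [2] [clicksBlocked]:{"classification":"phish","clickIP":"192.0.2.7","recipient":"carol@pharmtech.zz","url":"http://badguy.zz/login","threatID":"constructed-threat-1"}',
    'not a proofpoint line at all',
    '2018-09-29 17:56:02 [FSM-PROOFPOINT] [3] [messagesDelivered]:{"messageID":"constructed-msg-1","recipient":["alice@pharmtech.zz"],"sender":"acct@badguy.zz","subject":"Invoice","threatsInfoMap":[{"classification":"malware","threat":"http://badguy.zz/inv.exe","threatStatus":"active"}]}',
]


@dataclass
class ProofpointEvent:
    received_at: str
    category: str   # clicksPermitted, clicksBlocked, messagesDelivered, messagesBlocked
    fields: dict


def parse_line(line: str) -> ProofpointEvent:
    """Split the FortiSIEM wrapper from the JSON body; raise on anything else."""
    m = WRAPPER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an FSM-PROOFPOINT line: {line[:60]!r}")
    return ProofpointEvent(m["ts"], m["category"], json.loads(m["body"]))


def classifications(ev: ProofpointEvent) -> set:
    """Click events carry one top-level classification; message events carry
    one per threat in threatsInfoMap. Normalise case, since both forms appear."""
    if "classification" in ev.fields:
        return {str(ev.fields["classification"]).upper()}
    return {str(t.get("classification", "")).upper()
            for t in ev.fields.get("threatsInfoMap", [])}


def recipients(ev: ProofpointEvent) -> str:
    rcpt = ev.fields.get("recipient", "")
    return ", ".join(rcpt) if isinstance(rcpt, list) else str(rcpt)


def triage(ev: ProofpointEvent):
    """Return (severity, reason) or None. Severity choices are this example's own."""
    bad = classifications(ev) & ALERT_CLASSES
    if not bad:
        return None
    label = "/".join(sorted(bad))
    if ev.category == "clicksPermitted":
        return ("high", f"{recipients(ev)} reached {label} URL {ev.fields.get('url')} "
                        f"from {ev.fields.get('clickIP')}; triage that host")
    if ev.category == "messagesDelivered":
        return ("high", f"{label} message delivered to {recipients(ev)}; confirm it was pulled back")
    if ev.category == "clicksBlocked":
        return ("low", f"blocked {label} click on {ev.fields.get('url')} by {recipients(ev)}")
    return None


def triage_lines(lines):
    """Run triage over raw log lines, skipping lines that are not Proofpoint events."""
    alerts = []
    for line in lines:
        try:
            ev = parse_line(line)
        except ValueError:
            continue
        result = triage(ev)
        if result:
            alerts.append({"category": ev.category, "severity": result[0],
                           "reason": result[1], "threatID": ev.fields.get("threatID")})
    return alerts


if __name__ == "__main__":
    for alert in triage_lines(SAMPLE_LINES):
        print(f"[{alert['severity']}] {alert['category']}: {alert['reason']}")
```

The same logic maps directly onto a FortiSIEM rule once you know which parsed attributes the two Proofpoint event types expose (check ADMIN > Device Support > Event Types): the condition is the event type plus classification, and clickIP is the attribute to pivot on when you look for the host that followed the link.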
