Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • External Systems Configuration Guide

    Home FortiSIEM 6.7.2 External Systems Configuration Guide
    6.7.2
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.7
    7.1.6
    7.1.5
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.7.9
    6.7.8
    6.7.7
    6.7.6
    6.7.5
    6.7.4
    6.7.3
    6.7.2
    6.7.1
    6.7.0
    6.6.5
    6.6.4
    6.6.3
    6.6.2
    6.6.1
    6.6.0
    6.5.3
    6.5.2
    6.5.1
    6.5.0
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.1
    6.2.0
    6.1.2
    6.1.1
    6.1.0
    5.4.0
    5.3.3
    5.3.2
    5.3.1
    5.3.0
    5.0.0

    Proofpoint

    Proofpoint

    What is Discovered and Monitored

    Protocol Information Discovered Metrics Collected Used For
    API Alert Event logs Security Monitoring

    Event Types

    In ADMIN > Device Support > Event Types, search for "Proofpoint-" to see the event types associated with this device. In FortiSIEM 6.2.0, there are 2 event types defined.

    Rules

    There are no specific rules available for Proofpoint.

    Reports

    There are no specific reports available for Proofpoint. You can view all Proofpoint events by taking the following steps.

    1. From the ANALYTICS page, click in the Edit Filters and Time Range field.
    2. Under Filter, select Event Attribute.
    3. In the Attribute field, select/enter "Event Type".
    4. In the Operator field, select "CONTAIN".
    5. In the Value field, enter "Proofpoint".
    6. (Optional) Click Save to save the search parameters for future related searches.
    7. Click Apply & Run.

    Configuration

    API

    FortiSIEM processes events from Proofpoint via the ProofPoint API. Configure in and obtain from the Proofpoint Portal the Principal and Secret from the API. FortiSIEM uses the ProofPoint API defined here.

    Setup in FortiSIEM

    Complete these steps in the FortiSIEM UI:

    1. Go to the ADMIN > Setup > Credentials tab.
    2. In Step 1: Enter Credentials, click New to create a new credential.
      1. Follow the instructions in “Setting Credentials“ in the User's Guide to create a new credential.
      2. Enter these settings in the Access Method Definition dialog box:

        SettingsDescription
        NameEnter a name for the credential.
        Device TypeProofpoint Proofpoint
        Access ProtocolProofpoint SIEM API
        Pull Interval5 minutes
        PrincipalThe access key for your Proofpoint instance.
        Secret The secret for Proofpoint instance.

        Confirm Secret

        Input the same secret as above for verification.

        Organization

        Choose the Organization the instance belongs to.

        DescriptionDescription about the instance.
    3. In Step 2: Enter IP Range to Credential Associations, click New to create a new mapping.
      1. Enter a host name, an IP, or an IP range in the IP/Host Name field. For this configuration, it should be "tap-api-v2.proofpoint.com".
      2. Select the name of your credential from the Credentials drop-down list.
      3. Click Save.
    4. Click the Test drop-down list and select Test Connectivity to test the connection to Proofpoint.
    5. To see the jobs associated with Proofpoint, select ADMIN > Setup > Pull Events.
    6. To see the received events select ANALYTICS, then enter "Proofpoint" in the search box.

    Sample Log

    <! [CDATA[2018-09-29 17:56:00 [FSM-PROOFPOINT] [1] [clicksPermitted]:{"campaignId":"46e01b8a-c899-404d-bcd9-189bb393d1a7","classification":"MALWARE","clickIP":"192.0.2.1","clickTime":"2016-06-24T19:17:44.000Z","messageID":"8c6cfedd-3050-4d65-8c09-c5f65c38da81","recipient":"example.user@example.zz","sender":"9facbf452def2d7efc5b5c48cdb837fa@example.zz","senderIP":"192.0.2.255","threatID":"61f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50","threatTime":"2016-06-24T19:17:46.000Z","threatURL":"https://threatinsight.proofpoint.com/#/73aa0499-dfc8-75eb-1de8-a471b24a2e75/threat/u/61f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50","url":"http://example.zz/","userAgent":"Mozilla/5.0(WindowsNT6.1;WOW64;rv:27.0)Gecko/20100101Firefox/27.0"}]
    Previous
    Next

    Proofpoint

    Proofpoint

    What is Discovered and Monitored

    Protocol Information Discovered Metrics Collected Used For
    API Alert Event logs Security Monitoring

    Event Types

    In ADMIN > Device Support > Event Types, search for "Proofpoint-" to see the event types associated with this device. In FortiSIEM 6.2.0, there are 2 event types defined.

    Rules

    There are no specific rules available for Proofpoint.

    Reports

    There are no specific reports available for Proofpoint. You can view all Proofpoint events by taking the following steps.

    1. From the ANALYTICS page, click in the Edit Filters and Time Range field.
    2. Under Filter, select Event Attribute.
    3. In the Attribute field, select/enter "Event Type".
    4. In the Operator field, select "CONTAIN".
    5. In the Value field, enter "Proofpoint".
    6. (Optional) Click Save to save the search parameters for future related searches.
    7. Click Apply & Run.

    Configuration

    API

    FortiSIEM processes events from Proofpoint via the ProofPoint API. Configure in and obtain from the Proofpoint Portal the Principal and Secret from the API. FortiSIEM uses the ProofPoint API defined here.

    Setup in FortiSIEM

    Complete these steps in the FortiSIEM UI:

    1. Go to the ADMIN > Setup > Credentials tab.
    2. In Step 1: Enter Credentials, click New to create a new credential.
      1. Follow the instructions in “Setting Credentials“ in the User's Guide to create a new credential.
      2. Enter these settings in the Access Method Definition dialog box:

        SettingsDescription
        NameEnter a name for the credential.
        Device TypeProofpoint Proofpoint
        Access ProtocolProofpoint SIEM API
        Pull Interval5 minutes
        PrincipalThe access key for your Proofpoint instance.
        Secret The secret for Proofpoint instance.

        Confirm Secret

        Input the same secret as above for verification.

        Organization

        Choose the Organization the instance belongs to.

        DescriptionDescription about the instance.
    3. In Step 2: Enter IP Range to Credential Associations, click New to create a new mapping.
      1. Enter a host name, an IP, or an IP range in the IP/Host Name field. For this configuration, it should be "tap-api-v2.proofpoint.com".
      2. Select the name of your credential from the Credentials drop-down list.
      3. Click Save.
    4. Click the Test drop-down list and select Test Connectivity to test the connection to Proofpoint.
    5. To see the jobs associated with Proofpoint, select ADMIN > Setup > Pull Events.
    6. To see the received events select ANALYTICS, then enter "Proofpoint" in the search box.

    Sample Log

    <! [CDATA[2018-09-29 17:56:00 [FSM-PROOFPOINT] [1] [clicksPermitted]:{"campaignId":"46e01b8a-c899-404d-bcd9-189bb393d1a7","classification":"MALWARE","clickIP":"192.0.2.1","clickTime":"2016-06-24T19:17:44.000Z","messageID":"8c6cfedd-3050-4d65-8c09-c5f65c38da81","recipient":"example.user@example.zz","sender":"9facbf452def2d7efc5b5c48cdb837fa@example.zz","senderIP":"192.0.2.255","threatID":"61f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50","threatTime":"2016-06-24T19:17:46.000Z","threatURL":"https://threatinsight.proofpoint.com/#/73aa0499-dfc8-75eb-1de8-a471b24a2e75/threat/u/61f7622167144dba5e3ae4480eeee78b23d66f7dfed970cfc3d086cc0dabdf50","url":"http://example.zz/","userAgent":"Mozilla/5.0(WindowsNT6.1;WOW64;rv:27.0)Gecko/20100101Firefox/27.0"}]
    Previous
    Next