{ "name": "proofpoint_tap", "title": "Proofpoint TAP", "version": "1.30.0", "release": "ga", "description": "Collect logs from Proofpoint TAP with Elastic Agent.", "type": "integration", "download": "/epr/proofpoint_tap/proofpoint_tap-1.30.0.zip", "path": "/package/proofpoint_tap/1.30.0", "icons": [ { "src": "/img/proofpoint_tap-logo.svg", "path": "/package/proofpoint_tap/1.30.0/img/proofpoint_tap-logo.svg", "title": "Proofpoint TAP logo", "size": "32x32", "type": "image/svg+xml" } ], "conditions": { "kibana": { "version": "^8.19.4 || ~9.0.7 || ^9.1.4" } }, "owner": { "type": "elastic", "github": "elastic/security-service-integrations" }, "categories": [ "security", "email_security" ], "signature_path": "/epr/proofpoint_tap/proofpoint_tap-1.30.0.zip.sig", "format_version": "3.3.2", "readme": "/package/proofpoint_tap/1.30.0/docs/README.md", "license": "basic", "screenshots": [ { "src": "/img/proofpoint_tap-screenshot.png", "path": "/package/proofpoint_tap/1.30.0/img/proofpoint_tap-screenshot.png", "title": "Proofpoint TAP blocked clicks dashboard screenshot", "size": "600x600", "type": "image/png" } ], "assets": [ "/package/proofpoint_tap/1.30.0/LICENSE.txt", "/package/proofpoint_tap/1.30.0/changelog.yml", "/package/proofpoint_tap/1.30.0/manifest.yml", "/package/proofpoint_tap/1.30.0/validation.yml", "/package/proofpoint_tap/1.30.0/docs/README.md", "/package/proofpoint_tap/1.30.0/img/proofpoint_tap-logo.svg", "/package/proofpoint_tap/1.30.0/img/proofpoint_tap-screenshot.png", "/package/proofpoint_tap/1.30.0/kibana/tags.yml", "/package/proofpoint_tap/1.30.0/data_stream/clicks_blocked/manifest.yml", "/package/proofpoint_tap/1.30.0/data_stream/clicks_blocked/sample_event.json", "/package/proofpoint_tap/1.30.0/data_stream/clicks_permitted/manifest.yml", "/package/proofpoint_tap/1.30.0/data_stream/clicks_permitted/sample_event.json", "/package/proofpoint_tap/1.30.0/data_stream/message_blocked/manifest.yml", "/package/proofpoint_tap/1.30.0/data_stream/message_blocked/sample_event.json", "/package/proofpoint_tap/1.30.0/data_stream/message_delivered/manifest.yml", "/package/proofpoint_tap/1.30.0/data_stream/message_delivered/sample_event.json", "/package/proofpoint_tap/1.30.0/kibana/dashboard/proofpoint_tap-3ad578f0-b5a6-11ec-a9d0-e94ed15a14b9.json", "/package/proofpoint_tap/1.30.0/kibana/dashboard/proofpoint_tap-770903b0-b5aa-11ec-a9d0-e94ed15a14b9.json", "/package/proofpoint_tap/1.30.0/kibana/dashboard/proofpoint_tap-9899aae0-b5ad-11ec-a9d0-e94ed15a14b9.json", "/package/proofpoint_tap/1.30.0/kibana/dashboard/proofpoint_tap-ee5bc100-b5c8-11ec-a9d0-e94ed15a14b9.json", "/package/proofpoint_tap/1.30.0/kibana/search/proofpoint_tap-00dd5660-af9b-11ec-bf43-c372803d141d.json", "/package/proofpoint_tap/1.30.0/kibana/search/proofpoint_tap-717803c0-b130-11ec-8e58-3fc548a48fe4.json", "/package/proofpoint_tap/1.30.0/data_stream/clicks_blocked/fields/agent.yml", "/package/proofpoint_tap/1.30.0/data_stream/clicks_blocked/fields/base-fields.yml", "/package/proofpoint_tap/1.30.0/data_stream/clicks_blocked/fields/fields.yml", "/package/proofpoint_tap/1.30.0/data_stream/clicks_permitted/fields/agent.yml", "/package/proofpoint_tap/1.30.0/data_stream/clicks_permitted/fields/base-fields.yml", "/package/proofpoint_tap/1.30.0/data_stream/clicks_permitted/fields/fields.yml", "/package/proofpoint_tap/1.30.0/data_stream/message_blocked/fields/agent.yml", "/package/proofpoint_tap/1.30.0/data_stream/message_blocked/fields/base-fields.yml", "/package/proofpoint_tap/1.30.0/data_stream/message_blocked/fields/fields.yml", "/package/proofpoint_tap/1.30.0/data_stream/message_delivered/fields/agent.yml", "/package/proofpoint_tap/1.30.0/data_stream/message_delivered/fields/base-fields.yml", "/package/proofpoint_tap/1.30.0/data_stream/message_delivered/fields/fields.yml", "/package/proofpoint_tap/1.30.0/data_stream/clicks_blocked/agent/stream/httpjson.yml.hbs", "/package/proofpoint_tap/1.30.0/data_stream/clicks_blocked/elasticsearch/ingest_pipeline/default.yml", "/package/proofpoint_tap/1.30.0/data_stream/clicks_permitted/agent/stream/httpjson.yml.hbs", "/package/proofpoint_tap/1.30.0/data_stream/clicks_permitted/elasticsearch/ingest_pipeline/default.yml", "/package/proofpoint_tap/1.30.0/data_stream/message_blocked/agent/stream/httpjson.yml.hbs", "/package/proofpoint_tap/1.30.0/data_stream/message_blocked/elasticsearch/ingest_pipeline/default.yml", "/package/proofpoint_tap/1.30.0/data_stream/message_delivered/agent/stream/httpjson.yml.hbs", "/package/proofpoint_tap/1.30.0/data_stream/message_delivered/elasticsearch/ingest_pipeline/default.yml" ], "policy_templates": [ { "name": "Proofpoint TAP", "title": "Proofpoint_TAP logs", "description": "Collect proofpoint_tap logs.", "inputs": [ { "type": "httpjson", "vars": [ { "name": "url", "type": "text", "title": "URL", "description": "Proofpoint TAP URL. Find URL in the console dashboard at the beginning of the web address. The URL should not include any trailing slash. For example, `https://tap-api-v2.proofpoint.com`.", "multi": false, "required": true, "show_user": false }, { "name": "enable_request_tracer", "type": "bool", "title": "Enable request tracing", "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_tracer_filename) for details.", "multi": false, "required": false, "show_user": false }, { "name": "principal", "type": "text", "title": "Principal", "description": "Principal for the Basic Authentication.", "multi": false, "required": true, "show_user": false }, { "name": "secret", "type": "password", "title": "Secret Key", "description": "Secret Key for the Basic Authentication.", "multi": false, "required": true, "show_user": false }, { "name": "proxy_url", "type": "text", "title": "Proxy URL", "description": "URL to proxy connections in the form of http\\[s\\]://:@:. Please ensure your username and password are in URL encoded format.", "multi": false, "required": false, "show_user": false }, { "name": "ssl", "type": "yaml", "title": "SSL Configuration", "description": "SSL configuration options. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config) for details.", "multi": false, "required": false, "show_user": false, "default": "#certificate_authorities:\n# - |\n# -----BEGIN CERTIFICATE-----\n# MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF\n# ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2\n# MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB\n# BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n\n# fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl\n# 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t\n# /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP\n# PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41\n# CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O\n# BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux\n# 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D\n# 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw\n# 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA\n# H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu\n# 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0\n# yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk\n# sxSmbIUfc2SGJGCJD4I=\n# -----END CERTIFICATE-----\n" } ], "title": "Collect Proofpoint TAP logs via API", "description": "Collecting Proofpoint TAP logs via API." } ], "multiple": true, "deployment_modes": { "default": { "enabled": true }, "agentless": { "enabled": true } } } ], "data_streams": [ { "type": "logs", "dataset": "proofpoint_tap.clicks_blocked", "title": "Clicks Blocked", "release": "ga", "ingest_pipeline": "default", "streams": [ { "input": "httpjson", "vars": [ { "name": "interval", "type": "text", "title": "Interval", "description": "Interval to fetch data from Proofpoint TAP API. The Proofpoint API applies a rolling 24 hour request limit to users of the API. The clicks blocked, messages delivered and messages blocked endpoints allow a pooled 1800 requests over a 24 hour period. After that requests will be throttled. See details [here](https://help.proofpoint.com/Threat_Insight_Dashboard/API_Documentation/SIEM_API#Throttle_Limits). To avoid throttling, assuming all data streams are being ingested, the interval should be at least 2m30s. NOTE: Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": true, "default": "1h" }, { "name": "initial_interval", "type": "text", "title": "Initial Interval", "description": "How far back to pull the tap data from the Proofpoint TAP API (The initial interval should be a maximum of 7 days). NOTE: Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": true, "default": "24h" }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "proofpoint_tap-clicks_blocked" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n", "multi": false, "required": false, "show_user": false } ], "template_path": "httpjson.yml.hbs", "title": "Proofpoint_TAP Clicks Blocked logs", "description": "Collect Proofpoint TAP Clicks Blocked logs via API.", "enabled": true, "ingestion_method": "API" } ], "package": "proofpoint_tap", "path": "clicks_blocked" }, { "type": "logs", "dataset": "proofpoint_tap.clicks_permitted", "title": "Clicks Permitted", "release": "ga", "ingest_pipeline": "default", "streams": [ { "input": "httpjson", "vars": [ { "name": "interval", "type": "text", "title": "Interval", "description": "Interval to fetch data from Proofpoint TAP API. The Proofpoint API applies a rolling 24 hour request limit to users of the API. The clicks permitted endpoint allows 1800 requests over a 24 hour period. After that requests will be throttled. See details [here](https://help.proofpoint.com/Threat_Insight_Dashboard/API_Documentation/SIEM_API#Throttle_Limits). To avoid throttling, the interval should be at least 1m. NOTE: Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": true, "default": "1h" }, { "name": "initial_interval", "type": "text", "title": "Initial Interval", "description": "How far back to pull the tap data from the Proofpoint TAP API (The initial interval should be a maximum of 7 days). NOTE: Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": true, "default": "24h" }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "proofpoint_tap-clicks_permitted" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n", "multi": false, "required": false, "show_user": false } ], "template_path": "httpjson.yml.hbs", "title": "Proofpoint_TAP Clicks Permitted logs", "description": "Collect Proofpoint TAP Clicks Permitted logs via API.", "enabled": true, "ingestion_method": "API" } ], "package": "proofpoint_tap", "path": "clicks_permitted" }, { "type": "logs", "dataset": "proofpoint_tap.message_blocked", "title": "Message Blocked", "release": "ga", "ingest_pipeline": "default", "streams": [ { "input": "httpjson", "vars": [ { "name": "interval", "type": "text", "title": "Interval", "description": "Interval to fetch data from Proofpoint TAP API. The Proofpoint API applies a rolling 24 hour request limit to users of the API. The clicks blocked, messages delivered and messages blocked endpoints allow a pooled 1800 requests over a 24 hour period. After that requests will be throttled. See details [here](https://help.proofpoint.com/Threat_Insight_Dashboard/API_Documentation/SIEM_API#Throttle_Limits). To avoid throttling, assuming all data streams are being ingested, the interval should be at least 2m30s. NOTE: Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": true, "default": "1h" }, { "name": "initial_interval", "type": "text", "title": "Initial Interval", "description": "How far back to pull the tap data from the Proofpoint TAP API (The initial interval should be a maximum of 7 days). NOTE: Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": true, "default": "24h" }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "proofpoint_tap-message_blocked" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n", "multi": false, "required": false, "show_user": false } ], "template_path": "httpjson.yml.hbs", "title": "Proofpoint_TAP Message Blocked logs", "description": "Collect Proofpoint TAP Message Blocked logs via API.", "enabled": true, "ingestion_method": "API" } ], "package": "proofpoint_tap", "path": "message_blocked" }, { "type": "logs", "dataset": "proofpoint_tap.message_delivered", "title": "Message Delivered", "release": "ga", "ingest_pipeline": "default", "streams": [ { "input": "httpjson", "vars": [ { "name": "interval", "type": "text", "title": "Interval", "description": "Interval to fetch data from Proofpoint TAP API. The Proofpoint API applies a rolling 24 hour request limit to users of the API. The clicks blocked, messages delivered and messages blocked endpoints allow a pooled 1800 requests over a 24 hour period. After that requests will be throttled. See details [here](https://help.proofpoint.com/Threat_Insight_Dashboard/API_Documentation/SIEM_API#Throttle_Limits). To avoid throttling, assuming all data streams are being ingested, the interval should be at least 2m30s. NOTE: Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": true, "default": "1h" }, { "name": "initial_interval", "type": "text", "title": "Initial Interval", "description": "How far back to pull the tap data from the Proofpoint TAP API (The initial interval should be a maximum of 7 days). NOTE: Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": true, "default": "24h" }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "proofpoint_tap-message_delivered" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n", "multi": false, "required": false, "show_user": false } ], "template_path": "httpjson.yml.hbs", "title": "Proofpoint_TAP Message Delivered logs", "description": "Collect Proofpoint TAP Message Delivered logs via API.", "enabled": true, "ingestion_method": "API" } ], "package": "proofpoint_tap", "path": "message_delivered" } ] }