Proofpoint Email Security Integration
Overview
Proofpoint provides advanced email security with threat protection, URL defense, and targeted attack protection. KYRA MDR collects Proofpoint threat data via the SIEM API for email threat detection and incident response.
Prerequisites
- A KYRA MDR Collector installed and running
- Proofpoint protection tenant with administrative access
- SIEM API credentials (service principal and secret)
- Proofpoint TAP (Targeted Attack Protection) license
Configuration
Configure Proofpoint SIEM API integration:
- Contact Proofpoint support to enable SIEM API access
- Obtain the Service Principal and Secret
- Configure the KYRA MDR collector:
```yaml
sources:
  - type: proofpoint
    api_url: https://tap-api-v2.proofpoint.com
    service_principal: <service-principal>
    secret: <secret>
    poll_interval: 300s
```
- Restart the collector service
Collected Log Types
| Log Type | Description | Security Use |
|---|---|---|
| Messages Delivered | Emails delivered to users | Threat monitoring |
| Messages Blocked | Emails blocked by policies | Email security effectiveness |
| Clicks Permitted | URL clicks allowed | User risk assessment |
| Clicks Blocked | Malicious URL clicks blocked | Phishing protection |
| TAP Alerts | Targeted attack detections | Advanced threat detection |
| Impostor | Business email compromise detections | BEC prevention |
Troubleshooting
No API data: SIEM API access must be explicitly enabled by Proofpoint support.
Missing TAP alerts: TAP alerts require a Targeted Attack Protection license.
Data granularity: The SIEM API provides data in time-based batches. Set the poll interval to 300 seconds.
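As an added example (not part of this guide or of the KYRA collector), the script below builds the authenticated SIEM API request for one 300-second poll window and sorts a returned batch into the log types listed above, flagging delivered messages that still carry an active threat. The endpoint path, query parameters and response field names are assumed from the public TAP SIEM API reference and should be checked against the current one; the batch at the bottom is constructed sample data.

```python
"""Poll one Proofpoint TAP SIEM API batch and classify its events by log type."""
import base64
import urllib.parse
import urllib.request

API_URL = "https://tap-api-v2.proofpoint.com"
POLL_INTERVAL_SECONDS = 300  # matches poll_interval: 300s in the collector config


def build_request(api_url, service_principal, secret, since_seconds=POLL_INTERVAL_SECONDS):
    """Build the GET for /v2/siem/all (assumed endpoint) covering the last poll window."""
    params = urllib.parse.urlencode({"format": "json", "sinceSeconds": since_seconds})
    req = urllib.request.Request(f"{api_url}/v2/siem/all?{params}")
    # The SIEM API uses HTTP Basic auth with the service principal as the user name.
    token = base64.b64encode(f"{service_principal}:{secret}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    return req


# Response arrays (assumed names) mapped to the log types in the table above.
LOG_TYPES = {
    "messagesDelivered": "Messages Delivered",
    "messagesBlocked": "Messages Blocked",
    "clicksPermitted": "Clicks Permitted",
    "clicksBlocked": "Clicks Blocked",
}


def summarize_batch(batch):
    """Count events per log type; list delivered messages whose threat is still active."""
    counts = {name: len(batch.get(key, [])) for key, name in LOG_TYPES.items()}
    active = []
    for msg in batch.get("messagesDelivered", []):
        for threat in msg.get("threatsInfoMap", []):
            if threat.get("threatStatus") == "active":
                active.append((msg.get("recipient"), threat.get("classification")))
    return counts, active


# Constructed sample batch, not real Proofpoint data.
SAMPLE_BATCH = {
    "queryEndTime": "2024-01-01T00:05:00Z",
    "messagesDelivered": [
        {"recipient": ["user@example.com"],
         "threatsInfoMap": [{"classification": "phish", "threatStatus": "active"}]},
        {"recipient": ["other@example.com"],
         "threatsInfoMap": [{"classification": "spam", "threatStatus": "cleared"}]},
    ],
    "messagesBlocked": [{"recipient": ["x@example.com"], "threatsInfoMap": []}],
    "clicksPermitted": [],
    "clicksBlocked": [{"recipient": "user@example.com", "classification": "malware"}],
}
```

A delivered message with an active threat is the case worth alerting on: the mail reached the mailbox and Proofpoint has not yet cleared it.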
Contact kyra@seekerslab.com for support.