Proofpoint TAP (using Azure Functions) connector for Microsoft Sentinel

The Proofpoint Targeted Attack Protection (TAP) connector provides the capability to ingest Proofpoint TAP logs and events into Microsoft Sentinel. The connector provides visibility into Message and Click events in Microsoft Sentinel, so that you can view dashboards, create custom alerts, and improve monitoring and investigation capabilities.

Connector attributes

Connector attribute            Description
Log Analytics table(s)         ProofPointTAPClicksPermitted_CL
                               ProofPointTAPClicksBlocked_CL
                               ProofPointTAPMessagesDelivered_CL
                               ProofPointTAPMessagesBlocked_CL
Data collection rules support  Not currently supported
Supported by                   Microsoft Corporation

Query samples

Malware click events permitted

ProofPointTAPClicksPermitted_CL
| where classification_s == "malware"
| take 10

Phishing click events blocked

ProofPointTAPClicksBlocked_CL
| where classification_s == "phish"
| take 10

Malware message events delivered

ProofPointTAPMessagesDelivered_CL
| mv-expand todynamic(threatsInfoMap_s)
| extend classification = tostring(threatsInfoMap_s.classification)
| where classification == "malware"
| take 10

Phishing message events blocked

ProofPointTAPMessagesBlocked_CL
| mv-expand todynamic(threatsInfoMap_s)
| extend classification = tostring(threatsInfoMap_s.classification)
| where classification == "phish"
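The samples above can be combined into a single view of the TAP threats that actually reached users (messages delivered with a threat, plus clicks that were permitted). The following query is an added example, not taken from the connector page or from Microsoft's solution content; it assumes that threatsInfoMap_s carries the TAP SIEM API's threatType and threatStatus sub-fields and that TimeGenerated is the ingestion time.

```kusto
// Added example (not part of the connector page): one rollup of the Proofpoint
// TAP events that reached users, i.e. messages delivered with a threat plus
// clicks that were permitted, per classification over the last 24 hours.
// Assumptions: TimeGenerated is the ingestion timestamp (standard on Sentinel
// tables); threatType and threatStatus are sub-fields of the TAP SIEM API's
// threatsInfoMap object and are assumed to be present inside threatsInfoMap_s.
let lookback = 24h;
// Delivered messages: threatsInfoMap_s is a JSON array with one entry per
// threat, so expand it before reading the per-threat fields.
let deliveredThreats = ProofPointTAPMessagesDelivered_CL
    | where TimeGenerated > ago(lookback)
    | mv-expand todynamic(threatsInfoMap_s)
    | extend classification = tostring(threatsInfoMap_s.classification),
             threatType     = tostring(threatsInfoMap_s.threatType),
             threatStatus   = tostring(threatsInfoMap_s.threatStatus)
    // Keep only threats Proofpoint still considers active (not cleared or
    // marked as a false positive).
    | where threatStatus == "active"
    | extend Source = "MessageDelivered";
// Permitted clicks: classification is a top-level column on this table.
// threatType is set here to a constructed label, since every click is a URL.
let permittedClicks = ProofPointTAPClicksPermitted_CL
    | where TimeGenerated > ago(lookback)
    | extend classification = tostring(classification_s),
             threatType     = "url",
             Source         = "ClickPermitted";
union deliveredThreats, permittedClicks
| where classification in ("malware", "phish")
| summarize Events = count(), LastSeen = max(TimeGenerated)
    by Source, classification, threatType
| order by Events desc
```

A non-zero count under ClickPermitted or MessageDelivered is the population a scheduled analytics rule would alert on; the blocked tables are omitted deliberately because those events never reached a user.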

Prerequisites

To integrate with Proofpoint TAP (using Azure Functions), make sure you have:

Vendor installation instructions

Note

This connector uses Azure Functions to connect to Proofpoint TAP to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the Azure Functions pricing page for details.

(Optional Step) Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. Follow these instructions to use Azure Key Vault with an Azure Function App.

STEP 1 - Configuration steps for the Proofpoint TAP API

  1. Log into the Proofpoint TAP console
  2. Navigate to Connect Applications and select Service Principal
  3. Create a Service Principal (API Authorization Key)

STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function

IMPORTANT: Before deploying the Proofpoint TAP connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Proofpoint TAP API Authorization Key(s), readily available.

Next steps

For more information, go to the related solution in the Azure Marketplace.