topic Re: How to pull logs into Splunk from Proofpoint via APIs or any other methods from a Proofpoint Cloud instance? in Getting Data In

How to pull logs into Splunk from Proofpoint via APIs or any other methods from a Proofpoint Cloud instance?

daniel_augustyn — Tue, 24 May 2016 21:58:45 GMT

Has anyone done Splunk and Proofpoint Cloud instance integration? I am looking for help to pull the logs from Proofpoint via APIs or any other methods from the Proofpoint cloud instance.

Re: How to pull logs into Splunk from Proofpoint via APIs or any other methods from a Proofpoint Cloud instance?

daniel_augustyn — Fri, 24 Jun 2016 22:53:12 GMT

Was anyone able to figure this out yet?

Re: How to pull logs into Splunk from Proofpoint via APIs or any other methods from a Proofpoint Cloud instance?

ChrisBell04 — Sun, 26 Jun 2016 17:03:17 GMT

Proofpoint POD has an additional license "remote syslog forwarding" one can purchase to send logs from the cloud to onprem via TLS syslog stream. Then their TA https://splunkbase.splunk.com/app/3080/ can be utilized.

Re: How to pull logs into Splunk from Proofpoint via APIs or any other methods from a Proofpoint Cloud instance?

daniel_augustyn — Wed, 29 Jun 2016 23:18:53 GMT

I finally got a call from them and that's exactly what they said.

Re: How to pull logs into Splunk from Proofpoint via APIs or any other methods from a Proofpoint Cloud instance?

bthommes — Fri, 18 Nov 2016 23:05:53 GMT

Alternatively, if you're only looking for the threat data from their Targeted Attack Protection service, there's the following APIs:
https://help.proofpoint.com/Threat_Insight_Dashboard/API_Documentation/SIEM_API
https://help.proofpoint.com/Threat_Insight_Dashboard/API_Documentation/Campaign_API
https://help.proofpoint.com/Threat_Insight_Dashboard/API_Documentation/Forensics_API

Re: How to pull logs into Splunk from Proofpoint via APIs or any other methods from a Proofpoint Cloud instance?

ChrisBell04 — Fri, 18 Nov 2016 23:22:29 GMT

After finally getting the infra set up to receive the TLS encrypted syslogs.... ran into some serious issues with their TA_PPS app. Support engaged. Waiting on response for what's next or a new release.

Re: How to pull logs into Splunk from Proofpoint via APIs or any other methods from a Proofpoint Cloud instance?

awurster — Mon, 28 Nov 2016 22:50:31 GMT

literally the worst.. can't believe it's not API driven.

Re: How to pull logs into Splunk from Proofpoint via APIs or any other methods from a Proofpoint Cloud instance?

ChrisBell04 — Tue, 29 Nov 2016 00:55:00 GMT

Those APIs are handy, but wont provide the granular details for every message/filter/rules/policy routes/sender/host/message IDs/etc which are not originally identified as a threat. IMO, only the "filter" and "MTA" syslog streams have this detailed level of info. This also gets around Proofpoint POD ~7 min smart search indexing delay, as splunk is near real time 🙂

The Proofpoint case is progressing. They're meeting with Splunk engineers this week to enhanced their TA_PPS app.

Re: How to pull logs into Splunk from Proofpoint via APIs or any other methods from a Proofpoint Cloud instance?

awurster — Tue, 29 Nov 2016 01:09:16 GMT

will believe it when i see it. API being handy is debatable, since it only shows blocked stuff. and it's pretty limited in how you can query it versus other services i've worked with.

we no longer use TAs natively in splunk, so we write all our ingestion in lambda first. i'll post my code here when done.

Re: How to pull logs into Splunk from Proofpoint via APIs or any other methods from a Proofpoint Cloud instance?

JimGat_SSI — Tue, 29 Nov 2016 22:30:10 GMT

how did you overcome requirement for PFS in the tls cipher? Did you use an intermediary syslog server? or adjust the splunk TCP ssl input encryption cipher?

Re: How to pull logs into Splunk from Proofpoint via APIs or any other methods from a Proofpoint Cloud instance?

ChrisBell04 — Tue, 29 Nov 2016 22:42:32 GMT

Logs flow to an intermediate RedHat server running rsyslog (which this version only supports up to TLS 1.1, but still can receive the logs from POD). Splunk UF picks up the syslog files and forwards onto the indexers.

Re: How to pull logs into Splunk from Proofpoint via APIs or any other methods from a Proofpoint Cloud instance?

MattSmith129 — Thu, 20 Jul 2017 14:22:06 GMT

As identified, Secure syslog is supported and following guidance from Splunk we utilized a intermediary syslog server with syslog-ng before forwarding to a Splunk Indexer.

The TA is not needed, fairly straight forward to construct your own parser for the MTA log information. Have not used the APIs yet for the threat information, but will be valuable to have alongside the raw MTA information.

Re: How to pull logs into Splunk from Proofpoint via APIs or any other methods from a Proofpoint Cloud instance?

amalkapuram — Mon, 14 Aug 2017 20:42:03 GMT

Hi @awurster! Did you get a chance to work on this?

Re: How to pull logs into Splunk from Proofpoint via APIs or any other methods from a Proofpoint Cloud instance?

awurster — Tue, 15 Aug 2017 21:11:42 GMT

I will try and post it soon, but yes it's working currently. I'd prefer however to rewrite it for docker and clean it up a bit before publishing.

Here's the snippet which is mostly working code. Haven't really cleaned / tested it much, so YMMV.

https://bitbucket.org/snippets/asecurityteam/xLpqgr

Re: How to pull logs into Splunk from Proofpoint via APIs or any other methods from a Proofpoint Cloud instance?

eckolp2003 — Mon, 09 Oct 2017 21:33:21 GMT

Hello folks,

Proofpoint now has a beta app that will allow you report on and visualze your Proofpoint Protection Server and TAP data! Check out the new app here:

https://splunkbase.splunk.com/app/3727/#/details

Be sure to follow the instructions listed in the details to get all the needed TA's etc that the app needs to work correctly.

Re: How to pull logs into Splunk from Proofpoint via APIs or any other methods from a Proofpoint Cloud instance?

ayelala — Thu, 14 Jun 2018 03:24:47 GMT

Hi folks,

I'm new splunk! can you please describe the various steps involved to send Proofpoint logs to splunk via syslog

Re: How to pull logs into Splunk from Proofpoint via APIs or any other methods from a Proofpoint Cloud instance?

eckolp2003 — Wed, 29 Aug 2018 17:06:33 GMT

Point taken. We are moving to an API driven TA and app for our next release. Look for the beta to come our around .Conf18

Re: How to pull logs into Splunk from Proofpoint via APIs or any other methods from a Proofpoint Cloud instance?

eckolp2003 — Wed, 29 Aug 2018 17:08:40 GMT

If you ingest the filter logs from your Protection server with remote syslog, you can see every action taken on all messages.

You are correct that the TAP data is a more limited set and includes 4 eventTypes: messagesBlocked messagesDelivered clicksPermitted clicksBlocked

Thanks

Re: How to pull logs into Splunk from Proofpoint via APIs or any other methods from a Proofpoint Cloud instance?

eckolp2003 — Wed, 29 Aug 2018 17:08:52 GMT

Please follow this guide:

https://splunkbase.splunk.com/app/3727/#/details

Re: How to pull logs into Splunk from Proofpoint via APIs or any other methods from a Proofpoint Cloud instance?

santoshneelam — Mon, 31 May 2021 07:45:15 GMT

Hi Chris,

Can u assist with the steps (troubleshooting efforts) you have taken to integrate the proofpoint cloud logs