Proofpoint On-Demand¶
Proofpoint On-Demand provides email protection from spam, malware, and non-malware threats which can be monitored to detect initial access.
Cyderes supports the ingestion of Proofpoint events using their On-Demand Log API.
Chronicle Data Types¶
- PROOFPOINT_ON_DEMAND
Caveats / Known Limitations¶
-
A Proofpoint Add-on license is required to enable the On-Demand Streaming API.
-
Proofpoint On-Demand Log API does not allow use of the same token for more than one session at the same time. If there is a need to open more than one simultaneous connection to receive the same type of data, additional token(s) must be requested.
-
When the connection between the client and the service is dropped and restored within one hour, the data will be sent from the moment of time when the previous session had dropped, so there is no need to perform any additional action from the client side.
-
In the case where the client was connected to the PoD Log service and disconnected for more than one hour, after a new session is established, the client will start receiving the accumulated data starting from the last one hour of the new session.
Requirements¶
- Proofpoint E-mail Protection version >= 8.10
- Proofpoint On-Demand streaming API must be enabled (additional license required)
Configuration¶
- a customer support ticket must be opened with Proofpoint to enable the streaming API
Gather Information¶
- Proofpoint customer cluster identifier
- Proofpoint API token