Monitor and investigate Proofpoint Targeted Attack Protection (TAP) email threat activity in Coralogix. This managed integration ingests delivered and blocked messages, plus permitted and blocked URL clicks, from the Proofpoint TAP SIEM API — so you can alert on, dashboard, and correlate them with your other security logs.

## What you need

- A Proofpoint TAP tenant with SIEM API access.
- A Coralogix account with permission to create managed integrations.

## Mint a Service Principal and Secret in Proofpoint

1. Log in to the **Proofpoint Threat Insight Dashboard (TID)**.
1. Navigate to **Settings > Connected Applications**.
1. Click **Create New Credential**.
1. Copy the **Service Principal** identifier and the **Service Secret** value.

**Note:** The Service Secret is shown only once at creation time. Copy it immediately and store it securely. If you lose it, you must mint a new Service Principal.

## Create the integration in Coralogix

1. In the Coralogix UI, go to **Integrations**.
1. Select **Proofpoint** from the list.
1. Click **Add New**.
1. Enter configuration parameters according to your requirements:
   - **Integration Name** - A descriptive name for the integration. Defaults to `Proofpoint`.
   - **Application Name** - The application name the integration will be used with.
   - **Subsystem Name** - The subsystem name the integration will be used with. Defaults to `Proofpoint`.
   - **Event Type** - One or more Proofpoint event categories to ingest. Defaults to `All events`. Options:
     - `All events` - Everything: messages delivered and blocked, clicks permitted and blocked. Mutually exclusive with all other options.
     - `Issues (delivered messages + permitted clicks)` - The threats that "got through". Mutually exclusive with `Delivered messages` and `Permitted clicks`.
     - `Delivered messages` - Messages delivered to users with known threats.
     - `Blocked messages` - Messages blocked by Proofpoint with known threats.
     - `Permitted clicks` - Clicks on URLs that were later identified as threats.
     - `Blocked clicks` - Clicks on URLs already known to be threats.
   - **Threat Status** - Multi-select; default `[Active, Cleared, False Positive]`. Selects which Proofpoint threat statuses to ingest. At least one must be selected:
     - `Active` - Active threats Proofpoint is tracking.
     - `Cleared` - Threats Proofpoint previously identified that are no longer active.
     - `False Positive` - Items initially flagged but later determined not to be threats.
   - **Service Principal** - Paste the Service Principal identifier from Proofpoint TID.
   - **Service Secret** - Paste the Service Secret from Proofpoint TID. The field is masked.
1. Click **Save**.

The integration is validated against Proofpoint with a single test API call and appears in the integrations list with `Active` status.

## Event timestamps reflect Proofpoint SIEM ingestion time, not the original event time

Logs land in Coralogix at Proofpoint's SIEM ingestion time, not at the original message-send or click time.

Proofpoint's SIEM produces events when it ingests them into the SIEM index, which may happen **days after** the original message was sent or the click occurred. In particular, when Proofpoint retroactively flags a URL as malicious (for example, an email delivered Monday whose URL becomes a known threat Thursday), the event appears in Coralogix on **Thursday**, with the log `timestamp` reflecting Thursday's ingestion time.

The original event times are preserved in the log body for correlation:

- `messageTime` - when the message was delivered or quarantined.
- `clickTime` - when the user clicked the URL.
- `threatsInfoMap[].threatTime` - when Proofpoint identified the threat.

Use the log `timestamp` for "alert on what's new" queries. Use the body fields for correlating retroactive detections back to the original action times.
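As an added example (not code from the Coralogix or Proofpoint documentation), the following Python separates the three times described above on one constructed delivered-message record: the ingestion `timestamp`, `messageTime`, and each `threatsInfoMap[].threatTime`. Field names other than those three are assumptions for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample of one Coralogix log record for a delivered message.
# `timestamp` is Proofpoint's SIEM ingestion time; `messageTime` and
# `threatsInfoMap[].threatTime` keep the original times. All other field
# names here are assumed for illustration, not taken from the page.
SAMPLE_RECORD = json.loads("""
{
  "timestamp": "2024-05-16T09:12:44.000Z",
  "messageTime": "2024-05-13T08:01:10.000Z",
  "recipient": ["user@example.com"],
  "threatsInfoMap": [
    {"threatID": "example-threat-1", "classification": "phish",
     "threatStatus": "active", "threatTime": "2024-05-16T09:10:02.000Z"},
    {"threatID": "example-threat-2", "classification": "spam",
     "threatStatus": "cleared", "threatTime": "2024-05-13T08:01:05.000Z"}
  ]
}
""")


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into a timezone-aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def retroactive_threats(record: dict) -> list:
    """Return threats identified after delivery, with the exposure window in hours.

    A threat whose threatTime is later than messageTime was unknown when the
    message reached the mailbox, so the recipient was exposed for that window.
    Threats known at delivery time (threatTime <= messageTime) are skipped.
    """
    delivered = parse_ts(record["messageTime"])
    ingested = parse_ts(record["timestamp"])
    found = []
    for threat in record.get("threatsInfoMap", []):
        identified = parse_ts(threat["threatTime"])
        if identified > delivered:
            found.append({
                "threatID": threat["threatID"],
                "threatStatus": threat["threatStatus"],
                "exposure_hours": round((identified - delivered).total_seconds() / 3600, 1),
                # Delay between Proofpoint identifying the threat and the SIEM record existing
                "ingest_delay_minutes": round((ingested - identified).total_seconds() / 60, 1),
            })
    return found
```

Running this against the sample shows why `timestamp` alone would misplace the event on Thursday: the delivered message sat in the mailbox for roughly 73 hours before the `phish` verdict existed.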

## Troubleshooting

### `401 Unauthorized` - credentials rejected

- **Symptom**: the integration moves to `Failed` or `Degraded` state with a message like "Proofpoint rejected Service Principal/Secret: ...".
- **Fix**: re-mint the Service Principal and Secret in Proofpoint TID, then update the credentials in the Coralogix integration.

### `403 Forbidden` - insufficient API permissions

- **Symptom**: the integration moves to `Failed` state with "Service Principal lacks SIEM API access: ...".
- **Fix**: in Proofpoint TID, grant SIEM API access to the Service Principal.

### `429 Too Many Requests` - rate limit exhausted

- **Symptom**: the integration enters extended back-off and events lag behind real-time.
- **Cause**: Proofpoint's SIEM API rate limit is **1800 requests per rolling 24 hours per endpoint group, per credential**. Multiple integrations against the same TAP tenant using the same Service Principal share this budget.
- **Fix**: reduce the number of concurrent integrations on this Service Principal, or wait until the rolling 24-hour budget refreshes.

## Reference

- [Proofpoint TAP SIEM API documentation](https://help.proofpoint.com/Threat_Insight_Dashboard/API_Documentation/SIEM_API)
