Versions Compared

Version Old Version 2 New Version 3
Changes made by

Juan Tomás Alonso Nieto (Deactivated)

Juan Tomás Alonso Nieto (Deactivated)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Table of Contents
minLevel2
maxLevel2
typeflat

...

Data source

Description

API endpoint

Collector service name

Devo table

Available from release

Blocked clicks

Fetch events for clicks to malicious URLs blocked in the specified time period

/v2/siem/clicks/blocked

clicksBlocked

mail.proofpoint.tapsiem_v2.clicksblocked

v2.1.1

Permitted clicks

Fetch events for clicks to malicious URLs permitted in the specified time period

/v2/siem/clicks/permitted

clicksPermitted

mail.proofpoint.tapsiem_v2.clickspermitted

v2.1.1

Blocked messages

Fetch events for messages blocked in the specified time period that contained a known threat.

/v2/siem/messages/blocked

messagesBlocked

mail.proofpoint.tapsiem_v2.messagesblocked

v2.1.1

Delivered message

Fetch events for messages delivered in the specified time period which contained a known threat.

/v2/siem/messages/delivered

messagesDelivered

mail.proofpoint.tapsiem_v2.messagesdelivered

v2.1.1

...

Rw ui tabs macro
Rw tab
titleOn-premise collector

This data collector can be run in any machine that has the Docker service available because it should be executed as a docker container. The following sections explain how to prepare all the required setup for having the data collector running.

Structure

The following directory structure should be created for being used when running the collector:

Code Block
<any_directory>
└── devo-collectors/
    └── <product_name>/
        ├── certs/
        │   ├── chain.crt
        │   ├── <your_domain>.key
        │   └── <your_domain>.crt
        ├── state/
        └── config/ 
            └── config.yaml
Note

Replace <product_name> with the proper value.

Devo credentials

In Devo, go to Administration → Credentials → X.509 Certificates, download the Certificate, Private key and Chain CA and save them in <product_name>/certs/. Learn more about security credentials in Devo here.

image-20240108-081455.png
Note

Replace <product_name> with the proper value.

Editing the config.yaml file

Code Block
globals:
  debug: false
  id: not_used
  name: proofpoint_tap_collector
  persistence:
    type: filesystem
    config:
      directory_name: state

outputs:
  devo_1:
    type: devo_platform
    config:
      address: <your-ingestion-endpoint>
      port: 443
      type: SSL
      chain: chain.crt
      cert: <your_domain>.crt
      key: <your_domain>.key
inputs:
  proofpoint_tap:
    id: <short_unique_id>
    enabled: true
    credentials:
      username: <username_value>
      password: <password_value>
    services:
       clicksBlocked:
         start_time_in_utc_format: <start_time_in_utc_format>
         request_period_in_seconds: <request_period_in_seconds>
       clicksPermitted:
         start_time_in_utc_format: <start_time_in_utc_format>
         request_period_in_seconds: <request_period_in_seconds>
       messagesBlocked:
         start_time_in_utc_format: <start_time_in_utc_format> 
         request_period_in_seconds: <request_period_in_seconds>
       messagesDelivered:
         start_time_in_utc_format: <start_time_in_utc_format>
         request_period_in_seconds: <request_period_in_seconds>
Info

All defined service entities will be executed by the collector. If you do not want to run any of them, just remove the entity from the services object.

Replace the placeholders with your required values following the description table below:

Parameter

Data type

Type

Value range / Format

Details

<short_unique_id>

int

Mandatory

Minimum Lenght 5

Use this param to give a unique id to this input service.

Note

This parameter is used to build the persistence address, do not use the same value for multiple collectors. It could cause a collision.

<input_status>

bool

Mandatory

false / true

Use this param to enable or disable the given input logic when running the collector. If the value is true, the input will be run. If the value is false, it will be ignored.

<username_value>

str

Mandatory

Minimum Length 1

Provide the value of username used for authentication

<password_value>

str

Mandatory

Minimum Length 1

Provide the value of password used for authentication

<start_time_in_utc_format>

str

Mandatory

Minimum Length 1

%Y-%m-%dT%H:%M:%SZ

This configuration allows you to set a custom date as the beginning of the period to download. This allows the events but it can’t be more than 7 days in the past.

<override_tag_value>

str

Optional

A devo tag

This parameter allows to define a custom devo tag.

Download the Docker image

The collector should be deployed as a Docker container. Download the Docker image of the collector as a .tgz file by clicking the link in the following table:

Collector Docker image

SHA-256 hash

collector-proofpoint_tap_if-docker-image-2.12.10

5e276b2a1bf4257949975b0b8cc07663fcb71aa89f2eb96f49c46efec92cf06524ce4dd537882b68a395571eca3b0018fd2e6de6f2d432400c08b4228e5788e2

Use the following command to add the Docker image to the system:

Code Block
gunzip -c <image_file>-<version>.tgz | docker load
Note

Once the Docker image is imported, it will show the real name of the Docker image (including version info). Replace <image_file> and <version> with a proper value.

The Docker image can be deployed on the following services:

Docker

Execute the following command on the root directory <any_directory>/devo-collectors/<product_name>/

Code Block
docker run 
--name collector-<product_name> 
--volume $PWD/certs:/devo-collector/certs 
--volume $PWD/config:/devo-collector/config 
--volume $PWD/state:/devo-collector/state 
--env CONFIG_FILE=config.yaml 
--rm 
--interactive 
--tty 
<image_name>:<version>
Note

Replace <product_name>, <image_name> and <version> with the proper values.

Docker Compose

The following Docker Compose file can be used to execute the Docker container. It must be created in the <any_directory>/devo-collectors/<product_name>/ directory.

Code Block
version: '3'
services:
  collector-<product_name>:
    image: <image_name>:${IMAGE_VERSION:-latest}
    container_name: collector-<product_name>
    volumes:
      - ./certs:/devo-collector/certs
      - ./config:/devo-collector/config
      - ./credentials:/devo-collector/credentials
      - ./state:/devo-collector/state
    environment:
      - CONFIG_FILE=${CONFIG_FILE:-config.yaml}

To run the container using docker-compose, execute the following command from the <any_directory>/devo-collectors/<product_name>/ directory:

Code Block
IMAGE_VERSION=<version> docker-compose up -d
Note

Replace <product_name>, <image_name> and <version> with the proper values.

Rw tab
titleCloud collector

We use a piece of software called Collector Server to host and manage all our available collectors. If you want us to host this collector for you, get in touch with us and we will guide you through the configuration.

...

Release

Released on

Release type

Details

Recommendations

v2.2.0

Status
colourRed
titleBUG
Status
colourPurple
titleIMPROVEMENTS

Bug

  • Fixed the issue where the collector is unable to fetch data after a certain time period

Improvements

  • Upgraded the DCSDK docker base image version to 1.1.0

Recommended version

v2.1.1

Status
colourPurple
titleFIRST RELEASE

Released the first version of the Proofpoint TAP collector.

Recommended version