I'm trying to integrate the ProofPoint TAP API into NetWitness using the instructions located here - Proofpoint Targeted Attack Protection Event Source Configuration
I don't think it's properly working. I keep getting errors when attempting to test the connection.
One thing that makes me think it's not working correctly is that the configuration asks for a username and password; however, ProofPoint TAP uses API credentials with a service principal and a secret. Now, this could translate to username and password within NetWitness, but the documentation doesn't appear to do that.
I've confirmed that the URL for the API endpoint is correct; well, the base URL of https://tap-api-v2.proofpoint.com/v2/siem that the configuration defaults to returns an error. I'm not sure if I'm supposed to be specifying an endpoint that is documented here, SIEM API - Proofpoint, Inc.
Has anyone got this to work?
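
A connectivity check that can be run outside NetWitness to separate credential problems from URL problems; this is an added example, not part of the original post or the NetWitness documentation. It relies on the Proofpoint SIEM API using HTTP Basic authentication with the service principal as the username and the secret as the password, and on a named endpoint such as `all` with a time window following the base URL; the environment variable names `TAP_PRINCIPAL` and `TAP_SECRET` are assumptions.

```python
import base64
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

# Base URL quoted in the post; a request needs an endpoint appended to it.
BASE_URL = "https://tap-api-v2.proofpoint.com/v2/siem"
ENDPOINTS = {"all", "issues", "clicks/blocked", "clicks/permitted",
             "messages/blocked", "messages/delivered"}


def build_request(principal, secret, endpoint="all", since_seconds=3600):
    """Build a SIEM API request with the principal/secret as Basic auth."""
    if endpoint not in ENDPOINTS:
        raise ValueError(f"unknown SIEM endpoint: {endpoint!r}")
    query = urllib.parse.urlencode(
        {"format": "json", "sinceSeconds": since_seconds})
    # Service principal takes the username slot, secret the password slot.
    token = base64.b64encode(f"{principal}:{secret}".encode()).decode()
    req = urllib.request.Request(f"{BASE_URL}/{endpoint}?{query}")
    req.add_header("Authorization", f"Basic {token}")
    return req


def probe(req, timeout=15):
    """Send the request and return the HTTP status code, even on 4xx/5xx."""
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    # Credentials come from the environment so they stay out of shell history.
    principal = os.environ.get("TAP_PRINCIPAL")
    secret = os.environ.get("TAP_SECRET")
    if not principal or not secret:
        sys.exit("set TAP_PRINCIPAL and TAP_SECRET before running")
    print(probe(build_request(principal, secret)))
```

A 401 from this check points at the principal and secret, while a 200 or 204 means the credentials and endpoint path are accepted and the remaining problem is on the collector side.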