AnsweredAssumed Answered

ProofPoint Targeted Attack Protection (TAP) Integration

Question asked by Jeremy Kerwin on Jul 19, 2020
Latest reply on Jul 29, 2020 by Jeremy Kerwin

Like • Show 0 Likes0
Comment • 5

I'm trying to integrate the ProofPoint TAP API into NetWitness using the instructions located here - Proofpoint Targeted Attack Protection Event Source Configuration

I don't think it's properly working. I keep getting errors when attempting to test the connection.

One thing that makes me think it's not working correctly is that in the configuration it asks for a username and password, however ProofPoint TAP uses API credentials with a service principal and a secret. Now this could translate to username and password within NetWitness but the documentation doesn't appear to do that.

I've confirmed that the URL for the API endpoint is correct, well the base url of https://tap-api-v2.proofpoint.com/v2/siem that the configuration defaults to returns an error. I'm not sure if I'm supposed to be specifying an endpoint that is documented here, SIEM API - Proofpoint, Inc.

Has anyone got this to work?

No one else has this question

Outcomes

Aaron Martin

Jul 20, 2020 7:20 AM

Your observations are correct. We are using different nomenclature for the same thing. If you don't supply anything for the URL, as it were, it should default to what you really need.

What I have found when working with this integration is if you had just deployed it from Live, you need to restart the log collector you deployed it to. If it still doesn't work, I'd recommend you open a case with RSA Support at that point and provide us the /var/log/messages from the collector, if possible.

Actions

Jeremy Kerwin @ Aaron Martin on Jul 20, 2020 7:25 AM

Great, thanks for that, that was one thing I didn't do was restart the log collector. I'll give that a shot.

Actions

Jeremy Kerwin @ Aaron Martin on Jul 26, 2020 9:25 PM

I've tried to get it to work, restarted the log collector, it doesn't appear to work.

Whenever i test the connection I get the following error. I've set the debug to verbose but don't see where anything is being logged. I don't see anything in /var/log/messages

Test connection failed:Got error while making API call. Status Code: 404

Actions

Aaron Martin

@ Jeremy Kerwin on Jul 27, 2020 7:52 AM

404 would indicate bad authentication on whatever web server you are hitting. Based on my reading of the script, we are ultimately running something similar to the following so if you understand curl well enough, you can use something like this to test. If this doesn't seem to be your problem, then I must suggest you open a case with RSA Support/Proofpoint. Whoever seems at fault here.

curl "https://tap-api-v2.proofpoint.com/v2/siem/all?format=json&interval=PT30M/2016-05-01T12:30:00Z" --user "$PRINCIPAL:$SECRET"

Actions

Jeremy Kerwin @ Aaron Martin on Jul 29, 2020 7:07 AM

executing the curl command from the command line works as expected. yes I configured the plugin to use a proxy

curl -x X.X.X.X:8080 --user "$PRINCIPAL:$SECRET" "https://tap-api-v2.proofpoint.com/v2/siem/all?format=json&interval=PT30M/2020-07-29T03:00:00Z"

{"queryEndTime" : "2020-07-29T03:00:00Z", "clicksPermitted" : [], "clicksBlocked" : [], "messagesDelivered" : [], "messagesBlocked" : [{"spamScore":100,"phishScore":100,"threatsInfoMap":..............................

Actions

5 Replies

Aaron Martin Jul 20, 2020 7:20 AM
Mark Correct
Correct Answer
Your observations are correct. We are using different nomenclature for the same thing. If you don't supply anything for the URL, as it were, it should default to what you really need.

What I have found when working with this integration is if you had just deployed it from Live, you need to restart the log collector you deployed it to. If it still doesn't work, I'd recommend you open a case with RSA Support at that point and provide us the /var/log/messages from the collector, if possible.
Like • Show 0 Likes0
Actions
- Jeremy Kerwin @ Aaron Martin on Jul 20, 2020 7:25 AM
  Mark Correct
  Correct Answer
  Great, thanks for that, that was one thing I didn't do was restart the log collector. I'll give that a shot.
  Like • Show 0 Likes0
  Actions
- Jeremy Kerwin @ Aaron Martin on Jul 26, 2020 9:25 PM
  Mark Correct
  Correct Answer
  I've tried to get it to work, restarted the log collector, it doesn't appear to work.
  Whenever i test the connection I get the following error. I've set the debug to verbose but don't see where anything is being logged. I don't see anything in /var/log/messages
  
  Test connection failed:Got error while making API call. Status Code: 404
  Like • Show 0 Likes0
  Actions
  - Aaron Martin @ Jeremy Kerwin on Jul 27, 2020 7:52 AM
    Mark Correct
    Correct Answer
    404 would indicate bad authentication on whatever web server you are hitting. Based on my reading of the script, we are ultimately running something similar to the following so if you understand curl well enough, you can use something like this to test. If this doesn't seem to be your problem, then I must suggest you open a case with RSA Support/Proofpoint. Whoever seems at fault here.
    
    curl "https://tap-api-v2.proofpoint.com/v2/siem/all?format=json&interval=PT30M/2016-05-01T12:30:00Z" --user "$PRINCIPAL:$SECRET"
    Like • Show 0 Likes0
    Actions
    - Jeremy Kerwin @ Aaron Martin on Jul 29, 2020 7:07 AM
      Mark Correct
      Correct Answer
      executing the curl command from the command line works as expected. yes I configured the plugin to use a proxy
      
      curl -x X.X.X.X:8080 --user "$PRINCIPAL:$SECRET" "https://tap-api-v2.proofpoint.com/v2/siem/all?format=json&interval=PT30M/2020-07-29T03:00:00Z"
      
      {"queryEndTime" : "2020-07-29T03:00:00Z", "clicksPermitted" : [], "clicksBlocked" : [], "messagesDelivered" : [], "messagesBlocked" : [{"spamScore":100,"phishScore":100,"threatsInfoMap":..............................
      Like • Show 0 Likes0
      Actions

ProofPoint Targeted Attack Protection (TAP) Integration

Outcomes

Related Content

Recommended Content