I'm trying to integrate the ProofPoint TAP API into NetWitness using the instructions located here - Proofpoint Targeted Attack Protection Event Source Configuration
I don't think it's properly working. I keep getting errors when attempting to test the connection.
One thing that makes me think it's not working correctly is that the configuration asks for a username and password; however, ProofPoint TAP uses API credentials with a service principal and a secret. Now, this could translate to username and password within NetWitness, but the documentation doesn't appear to do that.
I've confirmed that the URL for the API endpoint is correct; well, the base URL of https://tap-api-v2.proofpoint.com/v2/siem that the configuration defaults to returns an error. I'm not sure if I'm supposed to be specifying an endpoint that is documented here: SIEM API - Proofpoint, Inc.
Has anyone got this to work?
Your observations are correct. We are using different nomenclature for the same thing. If you don't supply anything for the URL, as it were, it should default to what you really need.
What I have found when working with this integration is if you had just deployed it from Live, you need to restart the log collector you deployed it to. If it still doesn't work, I'd recommend you open a case with RSA Support at that point and provide us the /var/log/messages from the collector, if possible.