Initialize the Proofpoint Beat

This section provides the process to set up the Proofpoint Beat to fetch Proofpoint TAP logs.

Prerequisites

Initialize the Beat via the Web Console (Recommended)

  1. Ensure that the Open Collector Connection to the SIEM (WebUI) setup has been completed.

  2. Ensure that the System Monitor Agent to which you intend to send these logs has been Configured for JSON Parsing.

Use either the Enable JSON Parsing on System Monitor Agents or the Enable JSON Parsing for an Existing System Monitor Agent sections at the above link to configure the System Monitor Agent for JSON Parsing.

  1. Follow the steps outlined in Add a Beat in the Web Console to create the Beat via the Web UI.

Initialize the Beat via Command Line (Legacy)

  1. To start the Beat, run the following command:

    ./lrctl proofpointbeat start
    
  2. Use the Up and Down Arrow keys to select New proofpointbeat instance from the list, and then press Enter.

  3. Enter the unique identifier for this proofpointbeat instance, and then press Enter.

  4. Using the arrow keys, choose one of the event types to configure this beat instance, and then press Enter.

    Tag parsing (except beatname and device_type) is not supported for the clicks_permitted endpoint. However, if you are initializing this instance for clicks permitted events, the logs generated will be classified under the MPE subrule as Proofpoint : Click Threat Allowed.

  5. Enter the Proofpoint service principal as the Username, and then press Enter.

  6.  Enter Proofpoint service secret as the Password, and then press Enter.

  7.  Enter the hostname or IP address of the System Monitor Agent that has been Configured for JSON Parsing, and then press Enter.

Use either the Enable JSON Parsing on System Monitor Agents or the Enable JSON Parsing for an Existing System Monitor Agent sections at the above link to configure the System Monitor Agent for JSON Parsing.

  1. Enter the port on which the System Monitor Agent is configured to listen for JSON data (the default is 5044), and then press Enter.
    The proofpointbeat service started message appears.

  2. Check the status of the service to confirm that it’s running:

    ./lrctl proofpointbeat status
    
  3. (Optional) Edit the proofpointbeat configuration to update the values set above if needed. Ensure that you have all the needed information for each step available as you will need to re-enter it:

    ./lrctl proofpointbeat config edit
    

Default Config Values for the Proofpoint Beat

S.No

Field Name

Default Value

1

heartbeatinterval

60s

2

heartbeatdisabled

false

3

period

180s

Currently, the period is set to 180s by default to support the Proofpoint TAP API's request limit. The Proofpoint TAP API request limit for clicks_permitted is 1800/24 hours. For other events, the cumulative request limit is 1800/24 hours. If you are setting up the beat instance with the "clicks_permitted" event type, then you can edit the period value up to 30 seconds for faster MPS.

To edit the period value:

  1. Export the Beat config file using this command –

    Bash
    ./lrctl proofpointbeat config export -f <fullyqualifiedbeatname> --outfile proofpointbeat.yml
    
  2. Edit the period value and re-save the file.

  3. Re-import the config file

    Bash
    cat proofpointbeat.yml | ./lrctl proofpointbeat config import
    
  4. Restart the beat to load the new changes.

4

throttling_interval

3600

This is the time period to make another API call in case of a failed request due to the 429 error to avoid throttling. This value is displayed in seconds, and should always be greater than 0.

Since the log collection will only be resume on next day once exhausted, the throttling time is set to 1 hour to reduce unnecessary requests.

5

http_timeout

120s

The amount of time, in seconds, before an HTTP Connection timeout. This value should not be less than or equal to zero.

6

number_of_back_days

7

Number of back days for which logs are to be fetched. This value varies based on the log source.

7

username

User-provided

For Proofpoint, this is the service principal obtained in the Proofpoint portal.

8

password

User-provided

For Proofpoint, this is the service secret obtained in the Proofpoint portal.

9

event_type

User-provided

There are 4 types of proofpoint TAP events that is supported in the beat

  • Clicks_permitted

  • Clicks_blocked

  • Messages_blocked

  • Messages_Delivered

User can configure one beat instance in any one of the event type listed above.