Initialize the Proofpoint Beat

This section provides the process to set up the Proofpoint Beat to fetch Proofpoint TAP logs.

Prerequisites

• Open Collector is installed. If you have not already installed it, follow the instructions in the Open Collector Installation and User Guide, and then return to this topic.
• The Proofpoint service Principal & Secret is active. For more information, see Threat Response - Integration with TAP.

• The following port is open:

  Direction	Port	Protocol	Source
  Outbound	443	HTTPS	proofpointbeat

Initialize the Beat

1. To confirm the Open Collector is running, run the following command:

   CODE

   ./lrctl status

   If the Open Collector is not running correctly, see Troubleshoot the Open Collector in the Open Collector Installation and User Guide.
   You should see the open_collector and metrics versions.
   

   

2. To start the Beat, run the following command:

   CODE

   ./lrctl proofpointbeat start

   

3. Using the arrow keys, select New proofpointbeat instance.
   

   

4. Enter the unique beat identifier for this beat instance, and then press Enter.
   

   

5. Using the arrow keys, choose one of the event types to configure this beat instance, and then press Enter.

   

   Tag parsing (except beatname and device_type) is not supported for the clicks_permitted endpoint. However, if you are initializing this instance for clicks permitted events, the logs generated will be classified under the MPE subrule as Proofpoint : Click Threat Allowed.

   

6. Enter the Proofpoint service principal, obtained from the Proofpoint portal, as the Username, and then press Enter.
   

   

7.  Enter Proofpoint service secret, obtained from the Proofpoint portal, as the Password, and then press Enter.
   

   

8.  The proofpointbeat service started message appears.
   

   

9. To check the status of the service, run the following command:

   CODE

   ./lrctl proofpointbeat status

Default Config Values for the Proofpoint Beat

S.No	Field Name	Default Value
1	heartbeatinterval	60s
2	heartbeatdisabled	false
3	period	180s Currently, the period is set to 180s by default to support the Proofpoint TAP API's request limit. The Proofpoint TAP API request limit for clicks_permitted is 1800/24 hours. For other events, the cumulative request limit is 1800/24 hours. If you are setting up the beat instance with the "clicks_permitted" event type, then you can edit the period value up to 30 seconds for faster MPS. To edit the period value: Export the Beat config file using this command – BASH ./lrctl proofpointbeat config export -f <fullyqualifiedbeatname> --outfile proofpointbeat.yml Edit the period value and re-save the file. Re-import the config file BASH cat proofpointbeat.yml | ./lrctl proofpointbeat config import Restart the beat to load the new changes.
4	throttling_interval	3600 This is the time period to make another API call in case of a failed request due to the 429 error to avoid throttling. This value is displayed in seconds, and should always be greater than 0. Since the log collection will only be resume on next day once exhausted, the throttling time is set to 1 hour to reduce unnecessary requests.
5	http_timeout	120s The amount of time, in seconds, before an HTTP Connection timeout. This value should not be less than or equal to zero.
6	number_of_back_days	7 Number of back days for which logs are to be fetched. This value varies based on the log source.
7	username	User-provided For Proofpoint, this is the service principal obtained in the Proofpoint portal.
8	password	User-provided For Proofpoint, this is the service secret obtained in the Proofpoint portal.
9	event_type	User-provided There are 4 types of proofpoint TAP events that is supported in the beat Clicks_permitted Clicks_blocked Messages_blocked Messages_Delivered User can configure one beat instance in any one of the event type listed above.