Copyright (c) 2010-2019 by Proofpoint, Inc. All Rights Reserved.
Proofpoint, Proofpoint on Demand, Proofpoint Protection Server and the Proofpoint logos are trademarks or registered trademarks of Proofpoint, Inc.
|About||Proofpoint On Demand Email Security Add-on|
|App||Proofpoint On Demand Email Security App|
|Vendor Product||Proofpoint On Demand 8.0 and above|
|Has index-time operations||True|
|Create an index||False|
|Splunk Enterprise versions||6.5, 6.6, 7.0, 7.1, 7.2|
|Requires Splunk Restart||Yes|
In a single server deployment, single instance of Splunk Enterprise functions as data collection node, indexer and search head. In such deployment, install Proofpoint On Demand Email Security Add-on and Proofpoint TAP SIEM Modular Input. After that, install Proofpoint On Demand Email Security App.
In a distributed deployment, typically a combination of forwarders are deployed for data collection, separate indexer nodes for data ingestion and search heads for data visualization are deployed. We recommend installing our TA's on both Forwarder and Search heads and the App on the search head.
|Component||Heavy Forwarder||Indexer||Search head|
|Proofpoint On Demand Email Security Add-on||Install||No (Note)||Install|
|Proofpoint TAP SIEM Modular Input 1.0.1 available (TA)||Install||No (Note)||Install|
|Proofpoint On Demand Email Security App||No||No||Install|
Note: When there is no forwarder, you will have to install the Add-on on Indexer.
Contact Proofpoint support to enable PoD Log API capability. This requires Remote syslog license on your deployment.
Make sure you have the Cluster ID and API Key before you start configuring the Add-on. The cluster ID can be found top right corner of your Proofpoint on Demand admin console and it looks like customername_hosted. The API key is a long series of 200+ alpha numeric characters. Optionally you can check if the API key is valid using a curl command. Here is an example:
curl -i --no-buffer -k -v -H "Connection: Upgrade" -H "Upgrade: websocket" -H "Host: logstream.proofpoint.com:443" -H "Authorization: Bearer <APIKEY>" -H "Sec-WebSocket-Key: SGVsbG8sIHdvcmxkIQ==" -H "Sec-WebSocket-Version: 13" "https://logstream.proofpoint.com:443/v1/stream?cid=<cluster-id>&type=message"
There are two steps to configure the Proofpoint On Demand Email Security Add-on. First, configure an account profile that would be used to connect to Proofpoint Log service. Second, configure mail and message inputs that would use the configured account profile to download logs and tokenize them. Here are the detailed steps:
Now that the account profile is created, next let's create input types.
The Proofpoint On Demand logs are collected by the source type pps_maillog and pps_messagelog. In the search box you can verify the logs by searching for sourcetype="pps_maillog" and sourcetype="pps_messagelog". Note, if the sourcetypes are not created, that means there were no logs downloaded after the inputs were created.
Updates in 2.0.0 release
1. Support for Splunk 8 with compatibility for both Python 2 and 3.
2. Minor changes to TLS dashboard.
3. Proofpoint Icon updated according to recent branding changes.
4. CIM mapping changes
As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.