2020-07-19 09:01 PM
I'm trying to integrate the ProofPoint TAP API into NetWitness using the instructions located here - Proofpoint Targeted Attack Protection Event Source Configuration
I don't think it's properly working. I keep getting errors when attempting to test the connection.
One thing that makes me think it's not working correctly is that in the configuration it asks for a username and password, however ProofPoint TAP uses API credentials with a service principal and a secret. Now this could translate to username and password within NetWitness, but the documentation doesn't appear to do that.
I've confirmed that the URL for the API endpoint is correct; well, the base URL of https://tap-api-v2.proofpoint.com/v2/siem that the configuration defaults to returns an error. I'm not sure if I'm supposed to be specifying an endpoint that is documented here, SIEM API - Proofpoint, Inc.
Has anyone got this to work?
2020-07-20 07:20 AM
Your observations are correct. We are using different nomenclature for the same thing. If you don't supply anything for the URL, as it were, it should default to what you really need.
What I have found when working with this integration is if you had just deployed it from Live, you need to restart the log collector you deployed it to. If it still doesn't work, I'd recommend you open a case with RSA Support at that point and provide us the /var/log/messages from the collector, if possible.
2020-07-20 07:25 AM
Great, thanks for that. One thing I didn't do was restart the log collector. I'll give that a shot.
2020-07-26 09:25 PM
I've tried to get it to work and restarted the log collector, but it doesn't appear to work.
Whenever I test the connection I get the following error. I've set the debug to verbose but don't see where anything is being logged. I don't see anything in /var/log/messages.
Test connection failed:Got error while making API call. Status Code: 404
2020-07-27 07:52 AM
404 would indicate bad authentication on whatever web server you are hitting. Based on my reading of the script, we are ultimately running something similar to the following, so if you understand curl well enough, you can use something like this to test. If this doesn't seem to be your problem, then I must suggest you open a case with RSA Support/Proofpoint, whoever seems at fault here.
curl "https://tap-api-v2.proofpoint.com/v2/siem/all?format=json&interval=PT30M/2016-05-01T12:30:00Z" --user "$PRINCIPAL:$SECRET"
2020-07-29 07:07 AM
Executing the curl command from the command line works as expected. Yes, I configured the plugin to use a proxy.
curl -x X.X.X.X:8080 --user "$PRINCIPAL:$SECRET" "https://tap-api-v2.proofpoint.com/v2/siem/all?format=json&interval=PT30M/2020-07-29T03:00:00Z"
{"queryEndTime" : "2020-07-29T03:00:00Z", "clicksPermitted" : [], "clicksBlocked" : [], "messagesDelivered" : [], "messagesBlocked" : [{"spamScore":100,"phishScore":100,"threatsInfoMap":..............................
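Added example, not from the thread and not RSA's or Proofpoint's code: the curl test above done in Python (basic auth with the service principal as user and the secret as password, optional proxy), plus a small parser for the JSON reply so the per-category counts and attached threats can be checked instead of eyeballed. The function names, the SAMPLE reply, and the assumption that threatsInfoMap entries carry threatType and classification are this example's own.

```python
import base64
import json
import urllib.error
import urllib.request
from typing import Optional

TAP_BASE = "https://tap-api-v2.proofpoint.com/v2/siem"  # base URL alone returns an error
CATEGORIES = ("clicksPermitted", "clicksBlocked", "messagesDelivered", "messagesBlocked")

def build_url(end_iso: str, window_minutes: int = 30, endpoint: str = "all") -> str:
    """Build /v2/siem/<endpoint>; interval is ISO 8601 'duration/end' in UTC,
    e.g. PT30M/2020-07-29T03:00:00Z as in the curl command above."""
    return f"{TAP_BASE}/{endpoint}?format=json&interval=PT{window_minutes}M/{end_iso}"

def fetch(url: str, principal: str, secret: str, proxy: Optional[str] = None) -> dict:
    """GET with HTTP basic auth (service principal as user, secret as password),
    optionally via an HTTP proxy: the equivalent of `curl -x proxy --user p:s url`."""
    handlers = [urllib.request.ProxyHandler({"https": proxy})] if proxy else []
    opener = urllib.request.build_opener(*handlers)
    token = base64.b64encode(f"{principal}:{secret}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    try:
        with opener.open(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:
        # Keep status and body: a 401 (bad credentials) and a 404 (bad path) look
        # the same in a bare "API call failed" message but need different fixes.
        raise RuntimeError(f"TAP API HTTP {e.code}: {e.read()[:200]!r}") from e

def summarize(payload: dict) -> dict:
    """Count events per category and list threats attached to delivered/blocked mail."""
    summary = {cat: len(payload.get(cat, [])) for cat in CATEGORIES}
    summary["queryEndTime"] = payload.get("queryEndTime")
    summary["threats"] = [
        (cat, t.get("threatType"), t.get("classification"), msg.get("phishScore"))
        for cat in ("messagesDelivered", "messagesBlocked")
        for msg in payload.get(cat, [])
        for t in msg.get("threatsInfoMap", [])  # assumed field names, see lead-in
    ]
    return summary

# Constructed sample reply in the shape quoted in the thread (not real TAP data).
SAMPLE = {
    "queryEndTime": "2020-07-29T03:00:00Z",
    "clicksPermitted": [], "clicksBlocked": [], "messagesDelivered": [],
    "messagesBlocked": [{"spamScore": 100, "phishScore": 100,
                         "threatsInfoMap": [{"threatType": "url", "classification": "phish"}]}],
}
```

For a live check, call `summarize(fetch(build_url("2020-07-29T03:00:00Z"), principal, secret, proxy="http://X.X.X.X:8080"))` with your own window end time; the RuntimeError text then shows the exact status the collector is hitting.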