Skip to main content

Overview

The Proofpoint integration (INT-012) ingests email-security threat events (malicious messages and clicks) from Proofpoint Targeted Attack Protection (TAP) into CaseBender and turns them into alerts (and optionally cases).
Recommended: enable Automatic polling. CaseBender pulls new threat events directly from the Proofpoint TAP SIEM API on a schedule — no inbound endpoint is required. See Automatic polling.
Polling uses the Proofpoint TAP SIEM API, authenticated with a service principal + secret (HTTP Basic).

Capabilities

Prerequisites

1

Create SIEM API credentials

In the Proofpoint TAP dashboard, go to Settings → Connected Applications and create a Service Principal. Copy the principal and secret.
2

Network egress

The CaseBender poller must reach https://tap-api-v2.proofpoint.com.

Configure the integration in CaseBender

1

Open the integration catalog

Go to Settings → Integrations → Create, then choose Proofpoint from the Email Security category.
2

Enter API credentials

3

Enable automatic polling (recommended)

4

Configure auto-case creation

1

Scheduled pull

On each interval, CaseBender requests all threat events since the last cursor. The SIEM API serves at most the last 12 hours in one-hour windows, so CaseBender clamps the request window accordingly and uses the API’s queryEndTime as the next cursor.
2

Deduplication

Events are deduplicated by threatID/messageID, so overlapping polling windows never create duplicates.
3

Normalization

Each event is normalized into a CaseBender alert with sender/recipient/URL observables and classification tags.
Because the SIEM API only serves the last 12 hours, keep polling enabled continuously and set a short interval (≤ 5 minutes). If the poller is offline for more than 12 hours, events older than that window cannot be retrieved retroactively.

Security considerations

  • Secret handling — the service principal secret is stored in the integration settings; rotate on your organization’s schedule.
  • Network — restrict egress to https://tap-api-v2.proofpoint.com.

Troubleshooting

Confirm the service principal + secret are valid and that TAP recorded threat activity in the last hour. Keep the interval at/below 5 minutes.Make sure all CaseBender services are running — with Docker, docker compose ps should show the worker and misp-processor services Up.
The service principal or secret is incorrect, or the connected application was removed in the TAP dashboard.