Overview
The Proofpoint integration (INT-012) ingests email-security threat events (malicious messages and clicks) from Proofpoint Targeted Attack Protection (TAP) into CaseBender and turns them into alerts (and optionally cases).Polling uses the Proofpoint TAP SIEM API, authenticated with a service
principal + secret (HTTP Basic).
Capabilities
Prerequisites
1
Create SIEM API credentials
In the Proofpoint TAP dashboard, go to Settings → Connected Applications and create a
Service Principal. Copy the principal and secret.
2
Network egress
The CaseBender poller must reach
https://tap-api-v2.proofpoint.com.Configure the integration in CaseBender
1
Open the integration catalog
Go to Settings → Integrations → Create, then choose Proofpoint from the
Email Security category.
2
Enter API credentials
3
Enable automatic polling (recommended)
4
Configure auto-case creation
Inbound (automatic polling, recommended)
1
Scheduled pull
On each interval, CaseBender requests all threat events since the last cursor. The SIEM API
serves at most the last 12 hours in one-hour windows, so CaseBender clamps the request
window accordingly and uses the API’s
queryEndTime as the next cursor.2
Deduplication
Events are deduplicated by
threatID/messageID, so overlapping polling windows never
create duplicates.3
Normalization
Each event is normalized into a CaseBender alert with sender/recipient/URL observables and
classification tags.
Security considerations
- Secret handling — the service principal secret is stored in the integration settings; rotate on your organization’s schedule.
- Network — restrict egress to
https://tap-api-v2.proofpoint.com.
Troubleshooting
Polling is enabled but no events appear
Polling is enabled but no events appear
Confirm the service principal + secret are valid and that TAP recorded threat activity in the
last hour. Keep the interval at/below 5 minutes.Make sure all CaseBender services are running — with Docker,
docker compose ps should
show the worker and misp-processor services Up.