> ## Documentation Index
> Fetch the complete documentation index at: https://docs.casebender.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Proofpoint TAP

> Ingest Proofpoint Targeted Attack Protection threat events into CaseBender by automatic polling (pull) using the SIEM API.

## Overview

The Proofpoint integration (**INT-012**) ingests email-security threat events (malicious
messages and clicks) from Proofpoint Targeted Attack Protection (TAP) into CaseBender and turns
them into alerts (and optionally cases).

<Tip>
  **Recommended: enable Automatic polling.** CaseBender pulls new threat events
  directly from the Proofpoint TAP SIEM API on a schedule — no inbound endpoint
  is required. See [Automatic polling](#inbound-automatic-polling-recommended).
</Tip>

<Note>
  Polling uses the **Proofpoint TAP SIEM API**, authenticated with a **service
  principal + secret** (HTTP Basic).
</Note>

## Capabilities

| Capability                | Direction | Description                                                                   |
| ------------------------- | --------- | ----------------------------------------------------------------------------- |
| **Threat polling (pull)** | Inbound   | CaseBender polls the TAP SIEM API on a schedule and ingests new threat events |
| Message + click events    | Inbound   | Blocked/delivered messages and blocked/permitted clicks are ingested          |
| Observable extraction     | Inbound   | Senders, recipients, URLs, and threat indicators                              |
| Classification tagging    | Inbound   | Threat type and classification become tags                                    |

## Prerequisites

<Steps>
  <Step title="Create SIEM API credentials">
    In the Proofpoint TAP dashboard, go to **Settings → Connected Applications** and create a
    **Service Principal**. Copy the **principal** and **secret**.
  </Step>

  <Step title="Network egress">
    The CaseBender poller must reach `https://tap-api-v2.proofpoint.com`.
  </Step>
</Steps>

## Configure the integration in CaseBender

<Steps>
  <Step title="Open the integration catalog">
    Go to **Settings → Integrations → Create**, then choose **Proofpoint** from the
    **Email Security** category.
  </Step>

  <Step title="Enter API credentials">
    | Field              | Description                                     |
    | ------------------ | ----------------------------------------------- |
    | Service Principal  | TAP SIEM API service principal                  |
    | Secret             | TAP SIEM API secret                             |
    | API URL (optional) | Defaults to `https://tap-api-v2.proofpoint.com` |
  </Step>

  <Step title="Enable automatic polling (recommended)">
    | Option                   | Effect                                               |
    | ------------------------ | ---------------------------------------------------- |
    | `pollingEnabled`         | Turn on scheduled pulling of threat events           |
    | `pollingIntervalMinutes` | How often to poll (default `5`; keep at/below 5)     |
    | `pollMaxItemsPerRun`     | Safety cap on items ingested per run (default `500`) |
  </Step>

  <Step title="Configure auto-case creation">
    | Option               | Effect                                                                 |
    | -------------------- | ---------------------------------------------------------------------- |
    | `autoCreateCases`    | Promote each threat event to a **Case** (deduped by threat/message ID) |
    | `minSeverityForCase` | Only auto-create cases at/above this severity                          |
  </Step>
</Steps>

## Inbound (automatic polling, recommended)

<Steps>
  <Step title="Scheduled pull">
    On each interval, CaseBender requests all threat events since the last cursor. The SIEM API
    serves at most the **last 12 hours** in **one-hour windows**, so CaseBender clamps the request
    window accordingly and uses the API's `queryEndTime` as the next cursor.
  </Step>

  <Step title="Deduplication">
    Events are **deduplicated by `threatID`/`messageID`**, so overlapping polling windows never
    create duplicates.
  </Step>

  <Step title="Normalization">
    Each event is normalized into a CaseBender alert with sender/recipient/URL observables and
    classification tags.
  </Step>
</Steps>

<Warning>
  Because the SIEM API only serves the last 12 hours, keep polling enabled continuously and set a
  short interval (≤ 5 minutes). If the poller is offline for more than 12 hours, events older than
  that window cannot be retrieved retroactively.
</Warning>

## Security considerations

* **Secret handling** — the service principal secret is stored in the integration settings;
  rotate on your organization's schedule.
* **Network** — restrict egress to `https://tap-api-v2.proofpoint.com`.

## Troubleshooting

<AccordionGroup>
  <Accordion title="Polling is enabled but no events appear">
    Confirm the service principal + secret are valid and that TAP recorded threat activity in the
    last hour. Keep the interval at/below 5 minutes.

    **Make sure all CaseBender services are running** — with Docker, `docker compose ps` should
    show the `worker` and `misp-processor` services `Up`.
  </Accordion>

  <Accordion title="401 Unauthorized">
    The service principal or secret is incorrect, or the connected application was removed in the
    TAP dashboard.
  </Accordion>
</AccordionGroup>

## Related documentation

* [Integrations overview](./introduction.mdx)
* [Proofpoint TAP SIEM API](https://help.proofpoint.com/Threat_Insight_Dashboard/API_Documentation/SIEM_API)
