Proofpoint Email Security Add-On for Splunk
Overview
Details
By normalizing filtering data produced by PPS to CIM-compliant Email data model, Splunk users can perform search, report or other operations they have built using the Email data model against PPS filtering data without further customizations, which eliminates the need to understand PPS filtering data format.
Copyright (c) 2010-2017 by Proofpoint, Inc. All Rights Reserved.
Proofpoint, Proofpoint Protection Server and the Proofpoint logos are trademarks or registered trademarks of Proofpoint, Inc.
Proofpoint Email Security Add-On For Splunk
| About | Proofpoint Email Security Add-On for Splunk |
| Developer | Proofpoint, Inc. |
| App Version | 1.0.9 |
| App Build | 8 |
| App | Proofpoint Email Security App for Splunk |
| Technology Add-on (TA) | Proofpoint TAP SIEM Modular Input |
| Folder Name | TA_pps |
| Vendor Products | Proofpoint Enterprise Protection 8.0 and above |
| Proofpoint On Demand 8.0 and above | |
| Has index-time operations | True |
| Create an index | False |
| Implements summarization | False |
| Splunk Enterprise versions | 8.1, 8.0, 7.3, 7.2, 7.1, 7.0 |
| CIM | 4.8+ |
| Platforms | Platform Independent |
Installation and Configuration
Pre-requisites
- Splunk Enterprise (8.x or 7.x).
- Splunk Common Integration Model technology add-on 4.8 or above.
-
Proofpoint Email Security App For Splunk 1.0.3 available on Splunkbase
-
Proofpoint Email Security Add-On for Splunk 1.0.9 available on Splunkbase
Proofpoint Products (One or more)
- Proofpoint Enterprise Protection 8.0 and above
- Proofpoint On Demand 8.0 and above
- Target Attack Protection API access with API Service account and secret key
Product Configuration
- Hardware and Virtual Appliance deployments: Requires syslog configuration ( Logs and Reports > Log Settings)
- Proofpoint on Demand (PoD): Requires Remote Syslog Forwarding license. Please refer this document on how to configure remote syslog: https://proofpointcommunities.force.com/community/s/article/Remote-Syslog-Forwarding
Deployment
Single Server Deployment:
In a single server deployment, single instance of Splunk Enterprise functions as data collection node, indexer and search head. In such deployment, install the add-ons Proofpoint Email Security Add-On and Proofpoint TAP SIEM Modular Input. After that, install Proofpoint Email Security App For Splunk.
Distributed Deployment
In a distributed deployment, typically a combination of forwarders are deployed for data collection, separate indexer nodes for data injection and search heads for data visualization are deployed. We recommend installing our TA's on both Forwarder and Search heads and the App on the search head.
| Component | Heavy Forwarder | Indexer | Search head |
| Proofpoint Email Security Add-On for Splunk (TA) | Install | No (Note) | Install |
| Proofpoint TAP SIEM Modular Input 1.0.1 available (TA) | Install | No (Note) | Install |
| Proofpoint Email Security App For Splunk (App) | No | No | Install |
Note: When there is no forwarder, you will have to install TA on Indexer.
Splunk Configuration
Add UDP/TCP input to listen on the port for PPS logs and specify "pps_log" as sourcetype. You can do this from Splunk Admin Console.
- Go to "Settings" -> "Data Inputs"
- Click on "Add new" action for TCP or UDP input
- Enter port and click on "Next"
- In "Select sourcetype" search and select "pps_log" sourcetype if it already exists or create a new sourcetype as "pps_log" and Custom category. Click on "Review".
- Review config and submit to create a data source.
- Check data summary and sourcetypes tab to make sure the logs are being accepted for the pps_log sourcetype.
Proofpoint Email Protection Configuration
On the Proofpoint Email Protection admin console, enable syslog to forward to your Splunk instance
- Login to PPS as an admin user and navigate to “Logs and Reports > Log Settings”. Proofpoint on Demand customers please note that this feature requires a separate Remote Syslog license.
- Input syslog protocol, host and port numbers
- Enable Filter and Mail logs
- Click “Save Changes”
Verification
PPS filter and mail logs are collected by the source type "pps_log" and are mapped to sourcetypes pps_filter_log and pps_mail_log. In the search box you can verify the logs by search for "sourcetype="pps_filter_log" and "sourcetype="pps_mail_log"
Release Notes
Version 1.0.9
Updated Proofpoint Logo.
Version 1.0.8
This add-on is designed to work with Proofpoint Email Security App for Splunk (TA).
Update “Email” as category for pps_log and pps_mail_log sourcetype.
Extracts host field in props.conf for pps_filter_log sourcetype.
Version 1.0.7
Version 1.0.7
This add-on is designed to work with Proofpoint Email Security App for Splunk (TA).
* Can extract both filter and mail (mta) logs
Version 1.0.6
- Added field extractions for av, firewall, dkim, dmarc and spf
- Fixed regex for file_name field extraction to handle quoted value
- Changed regex for message_session_id field to extract from every line, if exists
Version 1.0.5
- Fixed regex for file_name field extraction to handle quoted value
- Changed regex for message_session_id field to extract from every line, if exists
Version 1.0.4
Updated app icon to new logo.
Version 1.0.3
- Updated app icon to new logo.
- Removed empty files under default directory.
Version 1.0.2
Fix regular expression for recipient and src_user fields.
Version 1.0.1
Version 1.0.1
- Added SHOULD_LINEMERGE=false property for source type pps_filter_log in default/props.conf.
- Added comment on a workaround of log data not being indexed issue for TRANSFORMS-set property in default/props.conf.
Version 1.0.0
Copyright (c) 2010-2016 by Proofpoint, Inc. All Rights Reserved.
Proofpoint, Proofpoint Protection Server and the Proofpoint logos are trademarks or registered trademarks of Proofpoint, Inc.
Proofpoint Protection Server - Technology Add-on for Splunk
Introduction
Customers interested in integrating Proofpoint Protection Server (PPS) logs with Splunk can utilize this custom-built add-on. This technology add-on focuses on normalizing the filter logs based on the Splunk Common Information Model (CIM) for email.
Splunk CIM Email Data Model
By normalizing filtering data produced by PPS to CIM-compliant Email data model, Splunk users can perform search, report or other operations they have built using the Email data model against PPS filtering data without further customizations, which eliminates the need to understand PPS filtering data format.
Pre-requisites
- Splunk Enterprise (tested with version 6.3).
- Splunk Common Integration Model technology add-on (refer below on how to install the CIM).
- Pro