Copyright (c) 2010-2017 by Proofpoint, Inc. All Rights Reserved.
Proofpoint, Proofpoint Protection Server and the Proofpoint logos are trademarks or registered trademarks of Proofpoint, Inc.
About | Proofpoint Email Security Add-On for Splunk |
Developer | Proofpoint, Inc. |
App Version | 1.0.9 |
App Build | 8 |
App | Proofpoint Email Security App for Splunk |
Technology Add-on (TA) | Proofpoint TAP SIEM Modular Input |
Folder Name | TA_pps |
Vendor Products | Proofpoint Enterprise Protection 8.0 and above; Proofpoint On Demand 8.0 and above |
Has index-time operations | True |
Create an index | False |
Implements summarization | False |
Splunk Enterprise versions | 8.1, 8.0, 7.3, 7.2, 7.1, 7.0 |
CIM | 4.8+ |
Platforms | Platform Independent |
Proofpoint Email Security App For Splunk 1.0.3 available on Splunkbase
Proofpoint Email Security Add-On for Splunk 1.0.9 available on Splunkbase
In a single-server deployment, one instance of Splunk Enterprise acts as the data collection node, the indexer and the search head. In that case, install the two add-ons (Proofpoint Email Security Add-On for Splunk and Proofpoint TAP SIEM Modular Input) first, then install Proofpoint Email Security App For Splunk on the same instance.
In a distributed deployment, forwarders are typically used for data collection, separate indexer nodes for ingestion and indexing, and search heads for searching and visualization. We recommend installing the TAs on both the forwarders and the search heads, and the App on the search heads only.
Component | Heavy Forwarder | Indexer | Search head |
Proofpoint Email Security Add-On for Splunk (TA) | Install | No (see note) | Install |
Proofpoint TAP SIEM Modular Input 1.0.1 (TA) | Install | No (see note) | Install |
Proofpoint Email Security App For Splunk (App) | No | No | Install |
Note: when there is no heavy forwarder, install the TAs on the indexer instead. The add-on performs index-time operations (the sourcetype mapping described below), so it must be present on whichever tier parses the incoming data.
Add a UDP or TCP input that listens on the port PPS will send its logs to, and set the sourcetype to "pps_log". You can do this from Splunk Web (Settings > Data inputs) or in inputs.conf. Prefer TCP over UDP where PPS allows it: UDP syslog is unauthenticated and is silently dropped under load, so restrict the input to the PPS hosts' addresses in either case.
On the Proofpoint Protection Server admin console, enable syslog forwarding of the filter and mail logs to the Splunk host and port configured above.
PPS filter and mail logs arrive under the "pps_log" sourcetype and are rewritten at index time by the add-on to the sourcetypes pps_filter_log and pps_mail_log. To verify that data is flowing and being split correctly, run sourcetype="pps_filter_log" and sourcetype="pps_mail_log" in the search bar; events still showing sourcetype="pps_log" indicate the TA is not installed on the parsing tier.
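The following inputs.conf stanza is an added example of the listener described above, written for this page and not shipped with the add-on. The port (1514) and the source network (10.0.0.0/8) are assumptions; use the port you configured on the PPS side and the addresses of your PPS hosts. The sourcetype name pps_log is the one the add-on expects.

```ini
# inputs.conf on the heavy forwarder (or the indexer, if there is no forwarder)
# that receives PPS syslog. Added example, not part of the add-on.
# Port 1514 and the 10.0.0.0/8 range are assumptions for illustration.

# Weak setting: a UDP listener accepts unauthenticated datagrams from any
# host and loses events under load. Shown disabled for comparison only.
[udp://1514]
sourcetype = pps_log
disabled = 1

# Preferred setting: TCP, restricted to the PPS hosts, with the host field
# taken from the connecting IP. Network ACL rules are evaluated in order,
# first match wins, so "10.0.0.0/8, !*" allows the PPS range and denies
# everything else. The add-on's index-time rules rewrite pps_log into
# pps_filter_log / pps_mail_log once the TA is installed on this node.
[tcp://1514]
sourcetype = pps_log
connection_host = ip
acceptFrom = 10.0.0.0/8, !*
disabled = 0
```

Restart Splunk (or reload the inputs) after editing the file. If PPS can send syslog over TLS, use a [tcp-ssl://1514] stanza together with an [SSL] stanza that points at the server certificate, so the log stream is both authenticated and encrypted in transit; that configuration is not shown here.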
Updated the Proofpoint logo.
This add-on (TA) is designed to work with Proofpoint Email Security App for Splunk.
Set "Email" as the category for the pps_log and pps_mail_log sourcetypes.
Extract the host field in props.conf for the pps_filter_log sourcetype.
Version 1.0.7
This add-on (TA) is designed to work with Proofpoint Email Security App for Splunk.
* Can extract both filter and mail (MTA) logs
Updated the app icon to the new logo.
Fixed the regular expression for the recipient and src_user fields.
Version 1.0.1
Proofpoint Protection Server - Technology Add-on for Splunk
Introduction
Customers who want to bring Proofpoint Protection Server (PPS) logs into Splunk can use this add-on. It focuses on normalizing the PPS filter logs to the Splunk Common Information Model (CIM) Email data model.
Splunk CIM Email Data Model
By normalizing the filtering data produced by PPS to the CIM-compliant Email data model (for example, populating fields such as recipient and src_user), Splunk users can run the searches, reports and other content they have already built on the Email data model against PPS filtering data without further customization, which removes the need to understand the PPS filtering data format.
Pre-requisites