Sending Proofpoint TAP logs to Azure Sentinel
Published Jul 22 2019 07:27 AM

More than 90% of targeted attacks start with email—and these threats are always evolving. Proofpoint Targeted Attack Protection (TAP) helps you stay ahead of attackers with an approach that detects, analyzes and blocks advanced threats before they reach your inbox. This covers ransomware and other advanced email threats delivered through malicious attachments and URLs, as well as zero-day threats, polymorphic malware, weaponized documents and phishing attacks.


Azure Sentinel provides a practical way to connect your data sources. It comes with several connectors for Microsoft solutions available out of the box. There are three major ways to ingest data into Azure Sentinel:

  • Microsoft sources
  • 3rd party sources 
  • Custom logs

Many security technologies provide a set of APIs through which events can be retrieved. The figure below shows a high-level architecture for ingesting data from any set of APIs into Azure Sentinel. The APIs are consumed by a custom Logic Apps connector, which supports both push and pull implementations, and the retrieved data is written to Azure Log Analytics. Azure Sentinel is built on top of Azure Log Analytics, so data imported into Azure Log Analytics is available to Azure Sentinel.



Figure 1:  High Level Process to ingest data into Azure Sentinel via custom API connector


In a previous blog post we demonstrated how to send REST API data to Azure Sentinel. In this article we walk through the process of ingesting Proofpoint TAP logs using a custom Logic Apps workflow that retrieves the REST API data. The same article can serve as a step-by-step guide to ingesting logs from any data source that exposes a set of APIs.


Please refer to Proofpoint’s API Documentation, which details the available API endpoints.

Step 1: Retrieve REST API data


The first step is to retrieve REST API data from Proofpoint’s TAP service. Currently, the following event types are exposed:

  • Blocked or permitted clicks to threats recognized by URL Defense
  • Blocked or delivered messages that contain threats recognized by URL Defense or Attachment Defense

Step 2: Build a Custom Logic App Data Collector


Once you have the Logic Apps designer open, the first step is to add a Recurrence trigger; in my case the logic app runs every hour.


[Screenshot: Recurrence trigger set to run every hour]

Note: The recurrence interval you specify must match the sinceSeconds parameter of the GET request (3600 seconds for an hourly run); otherwise events are missed or fetched twice.


Next, we will add a new step and select the HTTP block. In the method field, select GET to request data from Proofpoint.


[Screenshot: HTTP action with method GET]


Note: Proofpoint requires Basic Authentication with an API key.

By specifying “Blocked” you fetch events for clicks on malicious URLs that were blocked in the specified time period. You can fetch other events through the additional endpoints listed in the Proofpoint TAP API Documentation.


To send the data to the Azure Sentinel workspace we first need to parse the data. To achieve this, we leverage a Parse JSON building block:


[Screenshot: Parse JSON action]

Note: A query may return a field as null, or as a number (float) where the auto-generated schema expects an integer. Adjust the auto-generated schema so that each such field lists every type the query could return; this is safer and avoids Parse JSON errors.


If you select a different endpoint, you will also need to change which element of the parsed JSON you pass to Azure Log Analytics.


At this point we are ready to send the logs to the Azure Sentinel workspace. To send the data, add the Azure Log Analytics Data Collector action and specify the connection name, Workspace ID and Workspace Key of the workspace you want to send the data to.


[Screenshot: Azure Log Analytics Data Collector connection settings]

Once you have specified those details, use the output of the Parse JSON action as the input and specify a Custom Log Name, i.e. ProofPointData, as shown below:


[Screenshot: Custom Log Name set on the Send Data action]
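The three Logic App steps above (the GET request whose sinceSeconds matches the recurrence, the Parse JSON type fix-up, and the Data Collector Send Data step) as one added Python script that builds the same requests; this is example code written for this post, not the Logic App's own implementation. The TAP SIEM endpoint path and the Data Collector API SharedKey signing scheme are taken from the two vendors' public API documentation rather than from this page, and the credentials and the sample response are constructed placeholders.

```python
import base64, hashlib, hmac, json

# Constructed placeholder credentials; real values come from the TAP service principal and the
# Log Analytics workspace settings (Workspace ID and primary key).
TAP_PRINCIPAL, TAP_SECRET = "tap-service-principal", "tap-secret"
WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
WORKSPACE_KEY = base64.b64encode(b"constructed-workspace-key").decode()
RECURRENCE_SECONDS = 3600    # the Logic App recurrence; sinceSeconds must cover exactly this window
LOG_TYPE = "ProofPointData"  # Log Analytics stores the records in the table ProofPointData_CL
TAP_BASE = "https://tap-api-v2.proofpoint.com/v2/siem"
NUMERIC_FIELDS = ("phishScore", "spamScore", "malwareScore")

def tap_request(endpoint="messages/blocked", since_seconds=RECURRENCE_SECONDS):
    # URL and headers of the GET step: Basic auth with the TAP principal and secret
    url = f"{TAP_BASE}/{endpoint}?format=json&sinceSeconds={since_seconds}"
    token = base64.b64encode(f"{TAP_PRINCIPAL}:{TAP_SECRET}".encode()).decode()
    return url, {"Authorization": f"Basic {token}"}

def normalize(event):
    # TAP may return a score as null or as a float; coerce to int so every record fits one
    # schema (the Parse JSON pitfall) and phishScore_d is populated for each record
    out = dict(event)
    for field in NUMERIC_FIELDS:
        value = out.get(field)
        out[field] = 0 if value is None else int(value)
    return out

def extract(tap_response, key="messagesBlocked"):
    # the element of the parsed JSON that is pushed to Log Analytics; [] if absent or null
    return [normalize(e) for e in tap_response.get(key) or []]

def la_authorization(content_length, rfc1123_date):
    # Data Collector API SharedKey scheme: HMAC-SHA256 over the canonical string, keyed with
    # the base64-decoded workspace key, with the digest base64-encoded
    to_sign = f"POST\n{content_length}\napplication/json\nx-ms-date:{rfc1123_date}\n/api/logs"
    digest = hmac.new(base64.b64decode(WORKSPACE_KEY), to_sign.encode(), hashlib.sha256).digest()
    return f"SharedKey {WORKSPACE_ID}:{base64.b64encode(digest).decode()}"

def la_request(records, rfc1123_date):
    # URL, headers and body of the Send Data step; rfc1123_date is the current UTC time
    body = json.dumps(records).encode()
    url = f"https://{WORKSPACE_ID}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    headers = {"Content-Type": "application/json", "Log-Type": LOG_TYPE, "x-ms-date": rfc1123_date,
               "Authorization": la_authorization(len(body), rfc1123_date)}
    return url, headers, body

# Constructed sample in the shape of a messages/blocked response, with the null and float cases
SAMPLE_RESPONSE = {"queryEndTime": "2019-07-22T08:00:00Z", "messagesBlocked": [
    {"fromAddress": "sender1@example.test", "phishScore": 95.0, "spamScore": None, "malwareScore": 0},
    {"fromAddress": "sender2@example.test", "phishScore": None, "spamScore": 12, "malwareScore": 3.0}]}
```

Point extract() at the key of whichever endpoint you chose (clicksBlocked for clicks/blocked) and POST the returned url, headers and body with any HTTP client.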

Step 3: See the data in Log Analytics/Azure Sentinel


Azure Sentinel is built on top of Log Analytics; hence, the data is available in both portals (the Log Analytics workspace blade and Azure Sentinel). After the logic app runs, the data can be found in the Azure Sentinel workspace under the Custom Logs schema.

To get to the custom log data, first click on the Logs tab under General.


[Screenshot: Custom Logs schema showing ProofPointData_CL]


Note: Custom log view of ProofPointData_CL. Log Analytics appends “_CL” to the name provided in the “Send Data” action above; every custom log you ingest carries this suffix.


Now that the data is visible in Azure Sentinel, we can build analytics rules and hunting queries over it, or correlate it with any other data source.


In the sample hunting query below, we look for the top 10 phishing sources:

ProofPointData_CL
| where phishScore_d > 80
| summarize cnt=count() by fromAddress_s
| top 10 by cnt



[Screenshot: hunting query results]

Wrapping up

In this blog post I’ve shown how seamlessly Proofpoint TAP REST API data can be retrieved with a custom logic app. The same process can be used for any other vendor that exposes its data through APIs, for easy integration into Azure Log Analytics and Azure Sentinel.


Reviewers:

@Andrew Harris (AZURE SEC) 

@Nicholas DiCola (SECURITY JEDI) 

@Ofer Shezaf

@Tiander Turpijn 

@Yuri Diogenes 




Last update: Jul 29 2019 08:32 AM