Proofpoint CASB
This pack includes parsing and modeling rules for Proofpoint CASB logs sent via HTTP Event Collector.
Supported Timestamp Formats:
Timestamp is extracted from the occurredAt field with the following format - yyyy-mm-ddTHH:MM:SS.SSSZ
Collect Events from Proofpoint CASB (XSIAM)
On XSIAM side:
- Navigate to Settings -> Data Sources -> Add Data Source.
- From the Type dropdown list, select Custom Integrations.
- Click Custom - HTTP based Collector.
- Click Connect.
- Set the following values:
  - Name as Proofpoint CASB
  - Compression as uncompressed
  - Log Format as JSON
  - Vendor as proofpoint
  - Product as casb
- Creating a new HTTP Log Collector will allow you to generate a unique token. Save it since it will be used later.
- Click the 3 dots next to the newly created instance and copy the API Url. It will also be used later.
On Proofpoint CASB side:
Link to Proofpoint webhook docs
Guidelines:
- Navigate to Integrations > Notification Policies. Click New Notification.
- Select For Rules > Create.
- Name the new policy as "Forward events to XSIAM".
- Click Add in the Webhooks area.
- From the dropdown, select Generic Template.
- In the URL field paste the API Url from the last section.
- In the Method field select POST.
- In the Headers field do the following:
a. Click Add Row.
b. Add the value Authorization to the Name field of the first row.
c. In the Value field paste the unique token you created in the last section.
d. Add the value Content-Type to the Name field of the second row.
e. In the Value field add the value application/json.
- In the Data section use the given default format.
- Click Save.
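To check the collector settings before relying on the Proofpoint policy, the following added example (not part of the pack or of Proofpoint's tooling) builds the same POST the webhook steps above describe and validates the occurredAt format first. The URL, token and sample event are placeholders constructed for illustration, and the function names are hypothetical.

```python
import json
import urllib.request
from datetime import datetime, timezone

# occurredAt format stated on this page: yyyy-mm-ddTHH:MM:SS.SSSZ
OCCURRED_AT_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"


def parse_occurred_at(value):
    """Parse occurredAt strictly; raise ValueError on any other shape."""
    # %f accepts 1-6 digits, so enforce exactly three (SSS) before parsing.
    frac = value.rsplit(".", 1)[-1]
    if len(frac) != 4 or not frac.endswith("Z"):
        raise ValueError(f"occurredAt is not yyyy-mm-ddTHH:MM:SS.SSSZ: {value!r}")
    # Assumption: the trailing Z denotes UTC, as in ISO 8601.
    return datetime.strptime(value, OCCURRED_AT_FORMAT).replace(tzinfo=timezone.utc)


def build_test_request(api_url, token, event):
    """Build, without sending, the POST that the webhook steps configure."""
    parse_occurred_at(event["occurredAt"])  # fail early on a bad timestamp
    # Added check, not from the page: keep the token off plaintext HTTP.
    if not api_url.lower().startswith("https://"):
        raise ValueError("collector URL must use https://")
    return urllib.request.Request(
        api_url,
        data=json.dumps(event).encode("utf-8"),
        method="POST",
        headers={"Authorization": token, "Content-Type": "application/json"},
    )


def send(request, timeout=10):
    """Send the request and return the HTTP status code (needs network)."""
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return response.status


if __name__ == "__main__":
    # Constructed sample event; only occurredAt is a field named on this page.
    sample = {"occurredAt": "2024-03-05T14:22:31.482Z", "note": "constructed test event"}
    req = build_test_request(
        "https://collector.example.invalid/placeholder-path",  # placeholder URL
        "PLACEHOLDER_TOKEN",  # placeholder for the token saved earlier
        sample,
    )
    print(req.get_method(), req.full_url, sorted(req.headers))
```

Pass the returned request to `send()` with the real API Url and token to post one test event, then confirm it appears in the dataset with the expected timestamp.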