Skip to main content

Proofpoint Protection Server

Download With Dependencies

Proofpoint email security appliance.

Proofpoint Protection Server (PPS)

This pack provides a Cortex XSOAR integration for Proofpoint Protection Server.
Additionally, it supports Syslog-based log ingestion from Proofpoint Protection Server and includes parsing and modeling rules (XDM mapping) for Cortex XSIAM.

Configuration on Proofpoint Server Side

  1. Log in to the Proofpoint Protection Server interface.
  2. Click Logs and Reports.
  3. Click Log Settings.
  4. Go to the Remote Log Options panel.
  5. From Syslog Protocol Select TCP or UDP.
  6. In Syslog Host, type the IP address or Hostname of your Broker VM.
  7. In Syslog Port, type 514 or any other preferred port.
  8. Enable the Syslog Filter Enable by clicking On.
  9. In the Facility list select the local1 value.
  10. In the Level list select the Information value.
  11. Enable Syslog MTA Enable by clicking On.
  12. In the Facility list select the mail value.
  13. In the Level list select the Information value.
  14. Click the Save Changes.

To review the Proofpoint Protection Server Syslog forwarding docs, click here.

Collect Events from Proofpoint Protection Server

In order to use the collector, use the Broker VM option.

Broker VM

To create or configure the Broker VM, use the information described here.

You can configure the specific vendor and product for this instance.

  1. Navigate to Settings > Configuration > Data Broker > Broker VMs.

  2. Go to the apps tab and add the Syslog app. If it already exists, click the Syslog app and then click Configure.

  3. Click Add New.

  4. When configuring the Syslog Collector, set the following values (not relevant for CEF and LEEF formats)

    Parameter: : Value :
    Protocol Set the Syslog Protocol defined on Proofpoint PS side (TCP or UDP)
    Port Enter the Syslog Port that Cortex XSIAM Broker VM should listen on for receiving forwarded events from Proofpoint PS
    Vendor Enter proofpoint
    Product Enter ps

Proofpoint Protection Server (PPS)

This pack provides a Cortex integration for Proofpoint Protection Server.
Additionally, it supports Syslog-based log ingestion from Proofpoint Protection Server and includes parsing and modeling rules (XDM mapping) for Cortex XSIAM.

Configuration on Proofpoint Server Side

  1. Log in to the Proofpoint Protection Server interface.
  2. Click Logs and Reports.
  3. Click Log Settings.
  4. Go to the Remote Log Options panel.
  5. From Syslog Protocol Select TCP or UDP.
  6. In Syslog Host, type the IP address or Hostname of your Broker VM.
  7. In Syslog Port, type 514 or any other preferred port.
  8. Enable the Syslog Filter Enable by clicking On.
  9. In the Facility list select the local1 value.
  10. In the Level list select the Information value.
  11. Enable Syslog MTA Enable by clicking On.
  12. In the Facility list select the mail value.
  13. In the Level list select the Information value.
  14. Click the Save Changes.

To review the Proofpoint Protection Server Syslog forwarding docs, click here.

Collect Events from Proofpoint Protection Server

In order to use the collector, use the Broker VM option.

Broker VM

To create or configure the Broker VM, use the information described here.

You can configure the specific vendor and product for this instance.

  1. Navigate to Settings > Configuration > Data Broker > Broker VMs.

  2. Go to the apps tab and add the Syslog app. If it already exists, click the Syslog app and then click Configure.

  3. Click Add New.

  4. When configuring the Syslog Collector, set the following values (not relevant for CEF and LEEF formats)

    Parameter: : Value :
    Protocol Set the Syslog Protocol defined on Proofpoint PS side (TCP or UDP)
    Port Enter the Syslog Port that Cortex XSIAM Broker VM should listen on for receiving forwarded events from Proofpoint PS
    Vendor Enter proofpoint
    Product Enter ps

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

CertificationRead more
Supported ByCortex
CreatedJuly 22, 2020
Last ReleaseAugust 20, 2025
WORKS WITH THE FOLLOWING INTEGRATIONS:
DISCLAIMER
Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise.