Pfptcommunity
Proofpoint API Code Snippets
Install / Use
/learn @pfptcommunity/PfptcommunityREADME
Proofpoint Data Rocks
The content and samples on this page are created by the pfptcommunity and not created, validated or supported by Proofpoint Inc. Official Proofpoint, out of box (partner) integrations can be found on the Proofpoint Technology Partners page.
Please ★ Star on the top of this page if you like this page! Did you create something cool, we are looking for your help, to extend this page with some cool samples. Please contact us at pfptcommunity@gmail.com if you want to join the pfptcommunity.
<br>- Introduction to REST APIs
- Targeted Attack Protection (TAP)
- Nexus People Risk Explorer (NPRE)
- Spreadsheet or BI Tools - Most Popular
- Code snippets
- Threat Response Auto-Pull (TRAP)
- Protection On Demand (POD)
- Isolation
- Essentials
- Security Awareness Training (PSAT)
- Cloud Access Security Broker (CASB)
- Meta Networks (META)
- Insider Threat Management (ITM)
- Emerging Threats Intelligence (ETI)
Introduction to REST APIs
Representational State Transfer (REST) Application Programming Interface (API) is a way for applications to seamlessly share data via HTTPS. An API is a building block of code that is used to send data requests from one application to another and deliver data responses back. It’s the messenger who takes a request to the system and returns a response from it. The building block contains endpoints, headers, parameters, and fields. Therefore, you can use the Proofpoint Results API endpoints to request raw data from the platform for use in your Business Intelligence (BI) analysis tools.
A familiar example often used to explain APIs involves ordering food at a restaurant. In this scenario, the waiter is the API. You give him your food request, he takes your food request to the kitchen, the kitchen staff prepares the food, and the waiter returns the food to you. You made a request of the kitchen for food and used the waiter to deliver the request and receive a response (that being the food). So, back to the Proofpoint Results API and how it works. If a customer wants certain data results (the food) from the platform (the kitchen) to use in their business analysis tool, they can use the API (the waiter) to deliver the data request and receive the data response (the food).
What is consuming a REST API? Similarly, the act of consuming or using a REST API means to eat it all up. In context, it means to eat it, swallow it, and digest it — leaving any others in the pile exposed.
JSON stands for JavaScript Object Notation and it is a completely language-independent text format that is mainly used to transmit data between a server and client. The structure of a JSON object is derived from JavaScript object notation syntax, meaning that data is organised in key/value pairs separated by commas, with the whole of the object being wrapped by curly braces and arrays being wrapped by square brackets, like so:
"identity": {
"name": "Winston Wolf",
"email": [
"thewolf@fixaprob.com",
"mr.wolf@fixaprob.com",
"w.wolf@jmail.com"
],
"department": "Operations",
"location": "Amsterdam",
"title": "Problem solver"
}
// * JSON Object Structure Sample
REST implements multiple 'methods' for different types of http request, the following are most popular: - GET: Get resource from the server. - POST: Create resource to the server. You can read more about 4 Most Used REST API Authentication Methods.
Proofpoint provides some lovely REST APIs that can be used to gather information. Below code snippets and reference will help you getting started.
<br>Use cases
To shift to data-driven security decision making start with the right data. You can think of many, many, many use cases to integrate the cool proofpoint data with other security/risk domains. The Proofpoint data (VAPS) is gold for Security and risk management (SRM) leaders.
Risk Dashboards with BI tools
Many SRM leaders are creating their own organization specific risk metrics and monitor these with their own dashboarding tools. Key risk indicators from multiple domains (data silos) can be consolidated into a single pane of glass. We have created several Power BI and Excel examples on howto consume proofpoint data directly/natively into BI tools. Below image is an example of NPRE data that is directly pulled into Power BI. This example can be easily adjusted or extended to include other risk indicators for your organization. See the NPRE or TAP section on this page for more details.
<img src="https://raw.githubusercontent.com/pfptcommunity/pfptcommunity/main/usecase_bi.jpg" width=60% height=60%> <br> Key players BI and their REST API supportMicrosoft Power BI - howto Build connector
Tableau (Salesforce) - howto Build connector
Google Data Studio - howto Build connector
<br>Blending data from multiple sources
Some organizations do not (want to) sync all user data to Azure AD and/or Proofpoint TAP. As a result the TAP Dashboard only shows email addresses. On-prem BI Tooling is very good in collecting data from multiple sources, correlate the data and present it in a friendly way. With these tools, one can collect data from both Proofpoint TAP and Active Directory on-prem and present this in a single pane of glass.
<img src="https://raw.githubusercontent.com/pfptcommunity/pfptcommunity/main/usecase_adsync.jpg" width=55% height=55%> <br>Identity Governance and other IAM
Identity governance is about making sure each person has exactly the access they need to do their jobs without causing risk to the organization. The Proofpoint Very Attacked Person (VAP) data can be easily integrated into your IGA solution to enhance the IGA dataset for decision making. IGA calculates risk scores for users based on authorizations/access. It makes a lot of sense to enrich the data with VAP data. See:
IGA vendors: Atos (Evidian), Brainwave, Broadcom (CA), Clear Skye, Forgerock, Hitachi ID, IBM, Micro Focus, Okta, Omada, One Identity (Quest), Sailpoint, SAP, Saviyint, SecZetta.
<img src="https://raw.githubusercontent.com/pfptcommunity/pfptcommunity/main/usecase_iga.jpg" width=70% height=70%> <br>SIEM / UBA / UEBA
Push events to Security Information and Event Management (SIEM) or User / Entity Behavior Analytics (UBA/UEBA) Risk scores are calculated for each user in UB tools.
Other
Many, many other use cases exist; from network infrastructure, endpoint. CrowdStrike, Okta, Palo Alto Networks, Amazon Web Services, Splunk, IBM, ZScaler, Imperva, CyberArk, Deciso, Sailpoint, VMware Carbon Black. See Proofpoint Technology Partners page.
<br>TAP API
The Threat Insight Dashboard (Targeted Attack Protection) provides several different API endpoints for integration with other products in your security ecosystem.
Official Documentation - Threat Insight Dashboard
<br>Spreadsheet or BI tools consuming TAP API data
Several BI and spreadsheet tools, like Microsoft Power BI and/or Excel or Google's toolset can directly fetch JSON data from an REST endpoint. See the Microsoft doc for more information. Below you can see and download a sample Excel sheet that fetches data from the People endpoint(s).
| Action | Description | | ------------- | ------------- | | MS Excel : YouTube Howto Video | Watch getting started with the tap_api_people.xlsx sample sheet | | MS Excel : YouTube Troubleshoot Video | Watch troubleshoot authorizations and understand the tap_api_people.xlsx sample sheet | | MS Excel : Download the Spreadsheet | Download the tap_api.xlsx sheet | | MS Power BI : YouTube Video | Short video tap_api_people.xlsx sample Power BI file | | MS Power BI : Download the Power BI file | Download the tap_api.pbix sheet | | [MS Power BI : Screenshot](https://github.com/pfptcommunity/pfpt
