# Proofpoint

SureCloud connects to Proofpoint Email Protection to retrieve threat detection statistics, DLP policy configuration, quarantine activity, and email security rule status. This allows SureCloud to verify that inbound and outbound email security controls are active — confirming that threat protection, spam filtering, and data loss prevention policies are configured and generating results.

## Authentication and setup

Proofpoint Email Protection (cloud) authenticates API requests using a Service Principal with a Secret. SureCloud uses credentials generated within the Proofpoint admin portal.

{% stepper %}
{% step %}

### Create a Service Principal in Proofpoint

Log in to the Proofpoint admin portal at [adminv8.proofpoint.com](https://adminv8.proofpoint.com/). Navigate to **Settings → Connected Applications** and click **Add**. Give it a name such as `SureCloud CCM`. Note the generated **Principal** and **Secret** — the secret is only displayed once.
{% endstep %}

{% step %}

### Enter the credentials in SureCloud

Navigate to **SureCloud → Integrations → Proofpoint → Connect**. Enter the Service Principal and Secret. Click **Save** and then **Test Connection**.
{% endstep %}
{% endstepper %}

{% hint style="warning" %}
Store the Service Principal secret securely. SureCloud encrypts it at rest, but treat it as a sensitive credential. Rotate it every 90 days in **Proofpoint → Settings → Connected Applications** and update it in **SureCloud → Integrations → Proofpoint → Edit Connection**.
{% endhint %}

## Endpoints

| API Call                          | Use Case                                                                     |
| --------------------------------- | ---------------------------------------------------------------------------- |
| `GET /v2/siem/all`                | Retrieve all security events (clicks, messages) for threat activity evidence |
| `GET /v2/siem/clicks/blocked`     | Retrieve blocked URL click events for phishing protection evidence           |
| `GET /v2/siem/messages/blocked`   | Retrieve blocked inbound message events for threat protection evidence       |
| `GET /v2/siem/messages/delivered` | Retrieve delivered messages with threat classifications for DLP monitoring   |
| `GET /v2/threat/summary`          | Retrieve threat detection summary statistics for dashboard evidence          |
| `GET /v2/people/top-attackers`    | Retrieve most-targeted users for risk prioritisation evidence                |

## Pagination

`GET /v2/siem/all` and related SIEM endpoints use time-window based retrieval rather than cursor pagination. SureCloud queries events within a defined time interval using `interval` (ISO 8601 duration) or `sinceSeconds` parameters. For large event volumes, SureCloud breaks collection into smaller time windows.

```json
GET /v2/siem/messages/blocked?format=json&sinceSeconds=3600
```

## Required permissions

SureCloud requires a Proofpoint Service Principal with access to:

* SIEM API (threat event data)
* People API (VAP and attack target data)
* Threat API (summary statistics)

Standard Service Principals created in the Proofpoint Connected Applications settings have access to these APIs by default.

## Polling frequency

| Data Type                                        | Interval       |
| ------------------------------------------------ | -------------- |
| Threat events (clicks blocked, messages blocked) | Every 4 hours  |
| Threat detection summary statistics              | Every 24 hours |
| Most-attacked users                              | Every 24 hours |

## Troubleshooting

<details>

<summary>Connection test returns 401 Unauthorized</summary>

The Service Principal or Secret is incorrect, or the secret has been regenerated in Proofpoint. Navigate to **Proofpoint → Settings → Connected Applications**, confirm the application exists, and regenerate the secret. Update both the principal and secret in **SureCloud → Integrations → Proofpoint → Edit Connection**.

</details>

<details>

<summary>SIEM event data returns empty for recent time windows</summary>

Proofpoint's SIEM API has a minimum delay before events are available — typically up to 30 minutes after detection. If querying events from the last few minutes, the response may be empty. SureCloud accounts for this delay in its polling window. If events are consistently missing beyond this window, confirm the Proofpoint account has SIEM API access enabled.

</details>

<details>

<summary>Only some message types are returned</summary>

Proofpoint's SIEM endpoints are split by message type (blocked, delivered, clicks). SureCloud queries each endpoint separately. If a specific message type is missing, confirm that event type is enabled in your Proofpoint account's Connected Applications API access settings.

</details>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://surecloud.gitbook.io/surecloud-docs/integrations/ccm-and-evidence-collection-integrations/proofpoint.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.