topic Integrating Proofpoint TAP into XSIAM in Cortex XSIAM Discussions https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/integrating-proofpoint-tap-into-xsiam/m-p/596990#M73 <P>Hi,</P> <P>&nbsp;</P> <P>I would like some guidance on which data source I should use when integrating Proofpoint TAP into XSIAM.</P> <P>&nbsp;</P> <P>In the content pack "Proofpoint TAP" on the marketplace,</P> <P>&nbsp;</P> <P>There is a data source named "Proofpoint TAP".&nbsp; This data source has the ability to fetch alerts, and it ingests into the "proofpoint_tap_v2_generic_alert_raw" data set. However it does not come with an associative data modeling rule.&nbsp; It does come with a correlation rule "Proofpoint TAP v2 Alerts (automatically generated)"</P> <P>This method appears to have come from installing the <A href="https://cortex.marketplace.pan.dev/marketplace/details/ProofpointTAP/" target="_self">Proofpoint TAP content pack</A> on the marketplace</P> <P>&nbsp;</P> <P>There is another data source named "Proofpoint Targeted Attack Protection" which can also fetch alerts, and it ingests into the "proofpoint_tap_raw" data set. It does come with a data modeling rule "[MODEL: dataset=proofpoint_tap_raw, content_id="ProofpointTAP"]"&nbsp; but it does not come with an associative correlation rule.</P> <P>This method appears to be installed available by default&nbsp;&nbsp;<A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Administrator-Guide/Ingest-Logs-from-Proofpoint-Targeted-Attack-Protection" target="_self">XSIAM documentation</A></P> <P>&nbsp;</P> <P>Both of these are stated to be supported by Palo Alto XSIAM.&nbsp; Why the difference here?&nbsp; Which one should be used?&nbsp; Should both be used, but in different ways?&nbsp; Why doesn't one come with a data modeling rule and why doesn't the other come with a basic correlation rule?&nbsp; Is the documentation out of date.&nbsp; Should the customer be redirected in the documentation to use the one in the&nbsp;"Proofpoint TAP" content pack?</P> <P>&nbsp;</P> Thu, 05 Sep 2024 15:33:44 GMT amcdonal363 2024-09-05T15:33:44Z Integrating Proofpoint TAP into XSIAM https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/integrating-proofpoint-tap-into-xsiam/m-p/596990#M73 <P>Hi,</P> <P>&nbsp;</P> <P>I would like some guidance on which data source I should use when integrating Proofpoint TAP into XSIAM.</P> <P>&nbsp;</P> <P>In the content pack "Proofpoint TAP" on the marketplace,</P> <P>&nbsp;</P> <P>There is a data source named "Proofpoint TAP".&nbsp; This data source has the ability to fetch alerts, and it ingests into the "proofpoint_tap_v2_generic_alert_raw" data set. However it does not come with an associative data modeling rule.&nbsp; It does come with a correlation rule "Proofpoint TAP v2 Alerts (automatically generated)"</P> <P>This method appears to have come from installing the <A href="https://cortex.marketplace.pan.dev/marketplace/details/ProofpointTAP/" target="_self">Proofpoint TAP content pack</A> on the marketplace</P> <P>&nbsp;</P> <P>There is another data source named "Proofpoint Targeted Attack Protection" which can also fetch alerts, and it ingests into the "proofpoint_tap_raw" data set. It does come with a data modeling rule "[MODEL: dataset=proofpoint_tap_raw, content_id="ProofpointTAP"]"&nbsp; but it does not come with an associative correlation rule.</P> <P>This method appears to be installed available by default&nbsp;&nbsp;<A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Administrator-Guide/Ingest-Logs-from-Proofpoint-Targeted-Attack-Protection" target="_self">XSIAM documentation</A></P> <P>&nbsp;</P> <P>Both of these are stated to be supported by Palo Alto XSIAM.&nbsp; Why the difference here?&nbsp; Which one should be used?&nbsp; Should both be used, but in different ways?&nbsp; Why doesn't one come with a data modeling rule and why doesn't the other come with a basic correlation rule?&nbsp; Is the documentation out of date.&nbsp; Should the customer be redirected in the documentation to use the one in the&nbsp;"Proofpoint TAP" content pack?</P> <P>&nbsp;</P> Thu, 05 Sep 2024 15:33:44 GMT https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/integrating-proofpoint-tap-into-xsiam/m-p/596990#M73 amcdonal363 2024-09-05T15:33:44Z