The Proofpoint Targeted Attack Protection (TAP) for MDR integration allows us to apply our detection strategy to your Proofpoint TAP alerts, and pull them into the Workbench queue for investigation and remediation.
Prerequisites
- You must have the Organization Admin role in Workbench to set up this integration.
- You must have permissions to create new service credentials in the TAP Dashboard.
Quick Links
Setup includes the following steps (select any step for detailed instructions):
- Create the TAP Service Credentials for Expel
- Add Proofpoint TAP as a Security Device in Workbench
- (Optional) Set Up Auto Email Deletion
Step 1: Create the TAP Service Credentials for Expel
You must create a new service credential set for Expel so that we can access your Proofpoint TAP alerts.
- Log in to the TAP Dashboard.
- Navigate to Settings > Connected Applications.
- Select Create New Credential.
- Enter a name for the credential set, then select Generate.
- Copy the Service Principal and Secret values, and save them to a safe place for use in the next section (these values are shown only once and cannot be retrieved later).
- Select Done.
Step 2: Add Proofpoint TAP for MDR as a Security Device in Workbench
Now that you have granted access to Expel, you can configure the integration in Workbench.
- Log in to Workbench.
- In the side menu, navigate to Organization Settings > Security Devices.
- Select Add Security Device.
- In the search box, type “Proofpoint” and then select the Proofpoint TAP for MDR integration.
- Complete the fields as follows:
- Name - enter a name that helps you identify this integration, such as “CompanyName TAP MDR”; this name displays in Workbench under the Name column and is a text string that you can filter on.
- Location - enter the location of your integration, for example “cloud”; this is also a text string that you can filter on, so we recommend being consistent with location naming across your Expel integrations.
- Proofpoint TAP service principal - enter the Service Principal value you saved in Step 1.
- Proofpoint TAP secret - enter the Secret value you saved in Step 1.
- Select Save.
- Your device should be created successfully within a few seconds. A few reminders:
- After your connection is healthy, it will take some time for your device to begin polling and receiving data.
- To check on the status, select the downward arrow for your device in the first column and choose View details. You can then scroll to the Connection section to see if your device is fully connected.
- Polling will happen first; data will be received after that. You must refresh the page to see updates.
- If your device does not begin polling within 15 minutes, and does not begin receiving data within 30 minutes, contact our support team for help.
- To check if alerts are coming through, navigate to Dashboards > Alert Analysis. Scroll to the device you want to check and select the Expel Alerts tab to reveal more alert information. It can take 36 to 72 hours for alerts to appear after setup, as we tune your device.
Step 3: (Optional) Set Up Auto Email Deletion
The first two steps of this guide enable Expel to ingest the Proofpoint TAP alerts and investigate any malicious activity. This optional customer configuration lets us use our detection strategy to immediately delete any email that Proofpoint TAP identifies as malicious (referenced in Proofpoint TAP as a "Delivered Message" event) as soon as we ingest its associated alert.
This means those emails are assumed to be correctly flagged as malicious by Proofpoint TAP and are deleted for every email user without a SOC investigation. We instead focus all of our SOC efforts on the other types of Proofpoint TAP alerts. However, the Proofpoint TAP alert that references the deleted email remains available to our SOC analysts and can be correlated with other suspicious activity where needed.
Note
You must have Microsoft 365 or Google Workspace as your email provider to use this feature.
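The triage rule described above (Delivered Message events are auto-remediated when the option is on, every other TAP event type goes to the SOC queue, and the alert record is kept either way) as an added Python illustration. This is not Expel's or Proofpoint's code; the sample payload is constructed, and its shape and field names (messagesDelivered, messagesBlocked, clicksPermitted, clicksBlocked, GUID, recipient, threatsInfoMap) are assumptions modelled on the TAP SIEM JSON output rather than anything stated on this page. The boolean parameter stands in for the org.preference.email.auto_remediate_delivered configuration value.

```python
from dataclasses import dataclass

# Constructed sample of a TAP alert batch. The event-type keys and field names
# are assumptions modelled on the TAP SIEM API; they are not from this page.
SAMPLE_TAP_RESPONSE = {
    "messagesDelivered": [
        {"GUID": "msg-0001", "recipient": ["alice@example.com"],
         "subject": "Invoice attached",
         "threatsInfoMap": [{"classification": "malware", "threatStatus": "active"}]},
    ],
    "messagesBlocked": [
        {"GUID": "msg-0002", "recipient": ["bob@example.com"],
         "subject": "Password reset",
         "threatsInfoMap": [{"classification": "phish", "threatStatus": "active"}]},
    ],
    "clicksPermitted": [
        # Click events carry a single recipient string rather than a list.
        {"GUID": "msg-0003", "recipient": "carol@example.com",
         "url": "http://example.invalid/login", "classification": "phish"},
    ],
    "clicksBlocked": [],
}

AUTO_DELETE = "auto_delete"      # handled by the Remove Malicious Email action
INVESTIGATE = "investigate"      # lands in the Workbench queue for the SOC


@dataclass(frozen=True)
class TriageDecision:
    guid: str
    event_type: str
    action: str
    recipients: tuple


def _recipients(event):
    """Normalise the recipient field, which may be a list or a single string."""
    rcpt = event.get("recipient", [])
    return (rcpt,) if isinstance(rcpt, str) else tuple(rcpt)


def triage(response, auto_remediate_delivered):
    """Apply the Step 3 rule to every event in a TAP batch.

    auto_remediate_delivered mirrors the Workbench configuration value
    org.preference.email.auto_remediate_delivered. Only Delivered Message
    events are eligible for automatic deletion; blocked messages and click
    events always go to the SOC. Every event yields a decision, so the alert
    record is retained even when the email itself is removed.
    """
    decisions = []
    for event_type, events in response.items():
        for event in events:
            if event_type == "messagesDelivered" and auto_remediate_delivered:
                action = AUTO_DELETE
            else:
                action = INVESTIGATE
            decisions.append(TriageDecision(event["GUID"], event_type,
                                            action, _recipients(event)))
    return decisions


def summarize(decisions):
    """Count decisions per action, e.g. {'auto_delete': 1, 'investigate': 2}."""
    counts = {}
    for d in decisions:
        counts[d.action] = counts.get(d.action, 0) + 1
    return counts


if __name__ == "__main__":
    for d in triage(SAMPLE_TAP_RESPONSE, auto_remediate_delivered=True):
        print(f"{d.guid} {d.event_type:<17} {d.action:<12} {', '.join(d.recipients)}")
    print(summarize(triage(SAMPLE_TAP_RESPONSE, auto_remediate_delivered=True)))
```

With the option enabled only msg-0001 is marked for deletion; with it disabled every event, including the delivered one, is left for SOC investigation, which is the behaviour of Steps 1 and 2 alone.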
- Set up appropriate permissions within your email provider by selecting one of the links below for instructions. If you have already enabled the Remove Malicious Email auto remediation in support of a different integration, you can skip this step (because you will have already set this part up).
- Microsoft 365: Follow only the Step 1 section of this guide, then return to this page and continue to step 2.
- Google Workspace: Follow only the Step 1 and Step 2 sections of this guide, then return to this page and continue to step 2.
- Still in Workbench, navigate to Organization Settings > My Organizations.
- Select the Configuration tab.
- In Configuration Values, locate and enable the action.
- In the search field, enter "email" to begin your search.
- Locate the Auto-Remediate Suspicious Delivered Email Alerts configuration value (org.preference.email.auto_remediate_delivered).
- Select the checkbox to enable it.
- Select Save.