What Living Security needs
Scopes: Access to SIEM API (
/v2/siem/all) and People API (/v2/people/vap)
Required role: Administrator access to manage Connected Applications in Threat Insight Dashboard
Prerequisites
- You must have administrator access to the Proofpoint Threat Insight Dashboard to manage Connected Applications.
- TAP credentials are separate from Proofpoint SAT credentials — credentials from Security Awareness Training will not work here.
Part A — In Proofpoint TAP
Your Proofpoint TAP administrator completes these steps.1
Navigate to Connected Applications
- Sign in to your Proofpoint Threat Insight Dashboard.
- Click Settings in the top navigation.
- Select Connected Applications.
If you do not see Connected Applications under Settings, your account may lack administrator access. Contact your Proofpoint administrator to obtain access or have credentials created on your behalf.
2
Create a new Connected Application
- Click Create New Credential (or Add Application).
- Enter a descriptive name (e.g.,
Living Security Platform). - Save the application.
3
Copy the Service Principal and Secret
After creating the application, the dashboard displays the Service Principal and Secret.Copy both values immediately and store them securely.
4
Identify your regional API host
Select the host that matches your Proofpoint TAP environment:
Enter the host only — no
https:// prefix and no trailing slash.Part B — In the Living Security Platform
The program owner completes this step, or the system admin if using delegated setup.1
Living Security syncs two data streams from Proofpoint TAP:
- SIEM Events — Blocked and delivered email threats, plus URL clicks from
/v2/siem/all. Updated hourly. - Very Attacked People (VAP) — Employees most targeted by email threats over 30 days, from
/v2/people/vap. Updated daily.
Troubleshooting
403 Forbidden
403 Forbidden
The credential lacks access to the SIEM API or People API. Review the Connected Application’s access in the Threat Insight Dashboard or contact your Proofpoint administrator.
Missing click events
Missing click events
clicksBlocked and clicksPermitted events require URL Defense (link rewriting) to be enabled in your TAP policy. If URL Defense is not enabled, these event types will be empty.Missing messagesDelivered events
Missing messagesDelivered events
The
messagesDelivered event type is only populated when Proofpoint retro-classifies a previously-delivered message as a threat. This event type may be empty if no retro-classifications have occurred.
