Skip to main content

What Living Security needs

Scopes: Access to SIEM API (/v2/siem/all) and People API (/v2/people/vap) Required role: Administrator access to manage Connected Applications in Threat Insight Dashboard

Prerequisites

  • You must have administrator access to the Proofpoint Threat Insight Dashboard to manage Connected Applications.
  • TAP credentials are separate from Proofpoint SAT credentials — credentials from Security Awareness Training will not work here.

Part A — In Proofpoint TAP

Your Proofpoint TAP administrator completes these steps.
1

Navigate to Connected Applications

  1. Sign in to your Proofpoint Threat Insight Dashboard.
  2. Click Settings in the top navigation.
  3. Select Connected Applications.
If you do not see Connected Applications under Settings, your account may lack administrator access. Contact your Proofpoint administrator to obtain access or have credentials created on your behalf.
2

Create a new Connected Application

  1. Click Create New Credential (or Add Application).
  2. Enter a descriptive name (e.g., Living Security Platform).
  3. Save the application.
3

Copy the Service Principal and Secret

After creating the application, the dashboard displays the Service Principal and Secret.Copy both values immediately and store them securely.
The Secret may only be displayed once at creation time. If you navigate away without copying it, you must create a new credential.
4

Identify your regional API host

Select the host that matches your Proofpoint TAP environment:Enter the host only — no https:// prefix and no trailing slash.

Part B — In the Living Security Platform

The program owner completes this step, or the system admin if using delegated setup.
1
You are now connected to Proofpoint TAP.
Living Security syncs two data streams from Proofpoint TAP:
  • SIEM Events — Blocked and delivered email threats, plus URL clicks from /v2/siem/all. Updated hourly.
  • Very Attacked People (VAP) — Employees most targeted by email threats over 30 days, from /v2/people/vap. Updated daily.

Troubleshooting

The credentials are invalid. Verify that:
  1. Service Principal and Secret are correct
  2. Credentials have not been deleted or rotated in the Threat Insight Dashboard
The credential lacks access to the SIEM API or People API. Review the Connected Application’s access in the Threat Insight Dashboard or contact your Proofpoint administrator.
clicksBlocked and clicksPermitted events require URL Defense (link rewriting) to be enabled in your TAP policy. If URL Defense is not enabled, these event types will be empty.
The messagesDelivered event type is only populated when Proofpoint retro-classifies a previously-delivered message as a threat. This event type may be empty if no retro-classifications have occurred.