> ## Documentation Index
> Fetch the complete documentation index at: https://docs.livingsecurity.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Proofpoint TAP

> Connect Proofpoint Targeted Attack Protection to import email threat and phishing data.

export const ConnectInPlatform = ({tile, children}) => <Step title="Enter the credentials in the Living Security Platform">
    <p>
      Completed by whoever holds Living Security access — the program owner, or the system
      admin if they've been invited (delegated setup).
    </p>
    <ol>
      <li>
        Go to <strong>Settings → Integrations → Catalog</strong>, find the{' '}
        <strong>{tile}</strong> tile, click <strong>Connect</strong>.
      </li>
      <li>
        Fill in the fields below, then click <strong>Connect</strong>.
      </li>
    </ol>
    {children}
  </Step>;

export const SystemAdminBanner = ({system, recommendDelegated}) => <Note>
    <p>
      <strong>This guide is for your {system} administrator.</strong> It covers creating API
      credentials inside {system}, which requires admin access to {system} — not to the
      Living Security Platform.
    </p>
    <p>
      If you're the Living Security <strong>program owner</strong> and don't administer {system},
      send this page to whoever does. They complete Part A and hand the credentials back to you
      (or enter them directly if you've invited them into the platform).
      {recommendDelegated && <>
          {' '}Because setup produces sensitive key material, we recommend the{' '}
          <strong>delegated setup</strong> path so the secret is never sent back to you.
        </>}
    </p>
  </Note>;

<SystemAdminBanner system="Proofpoint TAP" recommendDelegated={true} />

## What Living Security needs

| Credential            | Description                                                           |
| --------------------- | --------------------------------------------------------------------- |
| **Service Principal** | A TAP-specific credential generated from the Threat Insight Dashboard |
| **Secret**            | The secret paired with the Service Principal                          |
| **Regional API host** | The hostname for your Proofpoint TAP environment                      |

**Scopes:** Access to SIEM API (`/v2/siem/all`) and People API (`/v2/people/vap`)

**Required role:** Administrator access to manage Connected Applications in Threat Insight Dashboard

### Prerequisites

* You must have administrator access to the Proofpoint Threat Insight Dashboard to manage Connected Applications.
* TAP credentials are **separate from Proofpoint SAT credentials** — credentials from Security Awareness Training will not work here.

***

## Part A — In Proofpoint TAP

*Your Proofpoint TAP administrator completes these steps.*

<Steps>
  <Step title="Navigate to Connected Applications">
    1. Sign in to your [Proofpoint Threat Insight Dashboard](https://threatinsight.proofpoint.com/).
    2. Click **Settings** in the top navigation.
    3. Select **Connected Applications**.

    <Note>
      If you do not see **Connected Applications** under Settings, your account may lack administrator access. Contact your Proofpoint administrator to obtain access or have credentials created on your behalf.
    </Note>
  </Step>

  <Step title="Create a new Connected Application">
    1. Click **Create New Credential** (or **Add Application**).
    2. Enter a descriptive name (e.g., `Living Security Platform`).
    3. Save the application.
  </Step>

  <Step title="Copy the Service Principal and Secret">
    After creating the application, the dashboard displays the **Service Principal** and **Secret**.

    **Copy both values immediately** and store them securely.

    <Warning>
      The **Secret** may only be displayed once at creation time. If you navigate away without copying it, you must create a new credential.
    </Warning>
  </Step>

  <Step title="Identify your regional API host">
    Select the host that matches your Proofpoint TAP environment:

    | Region | API host                       |
    | ------ | ------------------------------ |
    | US     | `tap-api-v2.proofpoint.com`    |
    | EU     | `tap-api-v2.eu.proofpoint.com` |

    Enter the **host only** — no `https://` prefix and no trailing slash.
  </Step>
</Steps>

***

## Part B — In the Living Security Platform

*The program owner completes this step, or the system admin if using delegated setup.*

<Steps>
  <ConnectInPlatform tile="Proofpoint TAP">
    | Field                 | Value                                                                  |
    | --------------------- | ---------------------------------------------------------------------- |
    | **Username**          | The Service Principal from Part A, Step 3                              |
    | **Password**          | The Secret from Part A, Step 3                                         |
    | **Regional API host** | The host from Part A, Step 4 (US default: `tap-api-v2.proofpoint.com`) |

    <img src="https://mintcdn.com/livingsecurity/oVkrOMkYmNevekTI/integrations/images/proofpoint-tap/connect-dialog.png?fit=max&auto=format&n=oVkrOMkYmNevekTI&q=85&s=8f14316db95383b003d38a6142b3734e" alt="Living Security connect dialog for Proofpoint TAP" style={{maxWidth: "450px"}} width="576" height="684" data-path="integrations/images/proofpoint-tap/connect-dialog.png" />
  </ConnectInPlatform>
</Steps>

You are now connected to Proofpoint TAP.

<Note>
  Living Security syncs two data streams from Proofpoint TAP:

  * **SIEM Events** — Blocked and delivered email threats, plus URL clicks from `/v2/siem/all`. Updated hourly.
  * **Very Attacked People (VAP)** — Employees most targeted by email threats over 30 days, from `/v2/people/vap`. Updated daily.
</Note>

***

## Troubleshooting

<AccordionGroup>
  <Accordion title="401 Unauthorized">
    The credentials are invalid. Verify that:

    1. Service Principal and Secret are correct
    2. Credentials have not been deleted or rotated in the Threat Insight Dashboard
  </Accordion>

  <Accordion title="403 Forbidden">
    The credential lacks access to the SIEM API or People API. Review the Connected Application's access in the Threat Insight Dashboard or contact your Proofpoint administrator.
  </Accordion>

  <Accordion title="Missing click events">
    `clicksBlocked` and `clicksPermitted` events require **URL Defense** (link rewriting) to be enabled in your TAP policy. If URL Defense is not enabled, these event types will be empty.
  </Accordion>

  <Accordion title="Missing messagesDelivered events">
    The `messagesDelivered` event type is only populated when Proofpoint retro-classifies a previously-delivered message as a threat. This event type may be empty if no retro-classifications have occurred.
  </Accordion>
</AccordionGroup>
