﻿---
title: Proofpoint 365 Total Protection Integration for Elastic
description: The Proofpoint 365 Total Protection integration for Elastic collects detailed email security and delivery logs via a REST API. It provides security teams...
url: https://docs-v3-preview.elastic.dev/elastic/integration-docs/tree/main/reference/proofpoint_365totalprotection
products:
  - Elastic integrations
applies_to:
  - Serverless Observability projects: Generally available
  - Serverless Security projects: Generally available
  - Elastic Stack: Generally available since 9.2
---

# Proofpoint 365 Total Protection Integration for Elastic
|                                                                                                                               |                                                                |
|-------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------|
| **Version**                                                                                                                   | 0.1.0 <applies-to>: Beta</applies-to> ([View all](#changelog)) |
| **Subscription level** [What's this?](https://www.elastic.co/subscriptions)                                                   | Basic                                                          |
| **Developed by** [What's this?](https://docs-v3-preview.elastic.dev/elastic/integration-docs/tree/main/reference/developed-by) | Partner                                                        |
| **Ingestion method(s)**                                                                                                       | API                                                            |
| **Minimum Kibana version(s)**                                                                                                 | 9.2.0                                                          |

<admonition title="The Proofpoint 365 Total Protection integration v0.1.0 is in beta">
  To use beta integrations, go to the **Integrations** page in Kibana, scroll down, and toggle on the _Display beta integrations_ option.
</admonition>


## Overview

The Proofpoint 365 Total Protection integration for Elastic collects detailed email security and delivery logs via a REST API. It provides security teams with centralized visibility into email traffic, threat activity, and message disposition directly in Elastic.
This integration enables teams to detect, investigate, and respond to email-based threats while supporting compliance, auditing, and operational monitoring use cases.

### Key capabilities

With this integration, security teams can:
- Monitor spam, malware, phishing, and advanced email threats
- Track message delivery outcomes, including failures and SMTP errors
- Analyze email traffic volume and patterns over time
- Investigate email-related security incidents in Elastic SIEM
- Maintain detailed audit logs for regulatory and compliance requirements


### Compatibility

This integration is compatible with:
- Proofpoint 365 Total Protection


### How it works

This integration uses the Proofpoint REST API (`/api/v0/emails/_search/`) to fetch email log data.

Elastic Agent polls the API at a configurable interval (default: 5 minutes) and ingests structured email metadata, including sender, recipient, subject, classification, delivery status, and security verdicts.
To ensure data integrity, events are automatically deduplicated using the unique message ID, preventing duplicate ingestion when polling overlapping time ranges.
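
The following sketch is an added example, not the integration's own code. It shows why deduplicating on the message ID makes overlapping poll windows safe: a record that becomes visible late is picked up by the next overlapping poll, and records fetched twice collapse into one document. The field names, the late-visibility model, and the SHA-256 ID derivation are assumptions.

```python
import hashlib
from datetime import datetime, timedelta, timezone

T0 = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)

def _ev(message_id, ts_min, visible_min):
    # Constructed record. "ts" is the message time; "visible_at" is when the
    # log source starts returning it (assumed model of a late-written entry).
    return {"message_id": message_id,
            "ts": T0 + timedelta(minutes=ts_min),
            "visible_at": T0 + timedelta(minutes=visible_min)}

# Constructed sample log, not real Proofpoint output.
SAMPLE = [
    _ev("<a1@example.test>", 1, 1),
    _ev("<b2@example.test>", 4, 4),
    _ev("<c3@example.test>", 4.5, 6),  # written after the 12:05 poll
    _ev("<d4@example.test>", 8, 8),
]

def doc_id(event):
    # Deterministic document ID from the message ID (SHA-256 is an assumption).
    return hashlib.sha256(event["message_id"].encode("utf-8")).hexdigest()

def poll(source, now, lookback):
    # Return events inside [now - lookback, now) that are visible at poll time.
    start = now - lookback
    return [e for e in source
            if start <= e["ts"] < now and e["visible_at"] <= now]

def run(source, interval, lookback, cycles):
    # Poll every `interval`; indexing by doc_id makes a re-fetch an overwrite.
    index, fetched = {}, 0
    for n in range(1, cycles + 1):
        for event in poll(source, T0 + n * interval, lookback):
            fetched += 1
            index[doc_id(event)] = event
    return index, fetched

if __name__ == "__main__":
    five, ten = timedelta(minutes=5), timedelta(minutes=10)
    for label, lookback in (("no overlap", five), ("5 min overlap", ten)):
        index, fetched = run(SAMPLE, five, lookback, cycles=2)
        print(f"{label}: fetched={fetched} stored={len(index)}")
```

Without overlap the late record is never stored; with a 5-minute overlap it is, and the two records fetched twice still produce a single document each.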

## Collected data

The email data stream includes detailed records across the following categories:

### Email metadata

- Message ID, subject, timestamp
- Sender, recipient, owner
- Message size and attachment details


### Security information

- Classification (clean, spam, malware, phishing)
- Threat detection reasons
- URL rewriting status
- Encryption type


### Delivery information

- Delivery status and gateway verdict
- Source and destination IP addresses and hostnames
- SMTP status codes and dialog details


### Supported use cases

- **Email security monitoring**: Real-time visibility into spam, malware, and phishing activity
- **Threat hunting**: Identify suspicious patterns and correlate email threats with other security signals
- **Incident response**: Investigate email-based attacks using Elastic SIEM workflows
- **Operational visibility**: Monitor mail flow, gateway health, and delivery issues
- **Compliance and audit**: Retain searchable email logs to meet regulatory requirements


## Prerequisites

To use this integration, you need:
- An active **Proofpoint 365 Total Protection subscription** with API access enabled
- An **API token** generated in the Control Panel
  - Log in to
  - Navigate to My Settings → API token
  - Create a new API token
- A **domain name or email address** to monitor


## Deployment

This integration uses an agent-based deployment model.
1. Install Elastic Agent on a supported host
2. In Kibana, navigate to Fleet → Integrations
3. Search for Proofpoint 365 Total Protection and click Add
4. Configure the integration:
   - API key
   - Domain or email address
   - Polling interval (default: 5 minutes)
5. Save the configuration and assign it to an Agent policy

Data ingestion begins automatically after deployment.

### Validation

After deployment, confirm the integration is working correctly:
- Verify the Elastic Agent status is Healthy in Fleet
- Open Discover in Kibana and select the appropriate data view
- Search for `logs-proofpoint_365totalprotection.email-*`
- Confirm that new email events appear with recent timestamps


## Troubleshooting


### No data appearing

- Verify that email activity exists during the selected time range
- Confirm the configured domain or email address is correct
- Ensure the API token has sufficient permissions


### High API usage or rate limiting

- Increase the polling interval to 10 or 15 minutes
- Verify API rate limits with Proofpoint 365 Total Protection support
- Consider splitting high-volume domains across multiple integrations


## Screenshots

This integration includes one or more Kibana dashboards that visualize the data collected by the integration. The screenshots below illustrate how the ingested data is displayed.
<carousel>
  ![Proofpoint 365 Total Protection screenshot](https://epr.elastic.co/package/proofpoint_365totalprotection/0.1.0/img/proofpoint_365totalprotection-screenshot.png)
</carousel>


## Changelog

<dropdown title="Changelog">
  | Version   | Details                                                                                                                                                                     | Minimum Kibana version |
  |-----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------|
  | **0.1.0** | **Enhancement** ([View pull request](https://github.com/elastic/integrations/pull/17212)) Initial public release of Proofpoint 365 Total Protection integration for Elastic. | 9.2.0                  |
</dropdown>