Proofpoint Targeted Attack Protection (TAP)
Overview
Proofpoint TAP is the core threat detection engine in the Proofpoint email security stack. It analyzes email messages, URLs, and attachments in real time using sandboxing, behavioral analysis, and threat intelligence. The TAP SIEM API provides programmatic access to all threat events, click activity, and message disposition data.
TAP identifies three primary threat vectors:
- URL threats - Malicious links in email bodies
- Attachment threats - Malicious files attached to messages
- Message-level threats - Threats classified at the message level (e.g., BEC, impostor)
Key Concepts
Threat Classifications
| Classification | Description | Typical Action |
|---|
malware | Known or sandboxed malware payload | Block and quarantine |
phish | Credential harvesting or phishing | Block and quarantine |
spam | Unsolicited bulk email | Quarantine or tag |
impostor | Business Email Compromise (BEC) | Quarantine or warn |
Threat Dispositions
| Disposition | Description |
|---|
allowed | Message was delivered to the recipient |
blocked | Message was blocked before delivery |
quarantined | Message was placed in quarantine |
Click Verdicts
| Verdict | Description |
|---|
permitted | Click was allowed (URL was clean at time of click) |
blocked | Click was blocked (URL was malicious at time of click) |
Time Windows
TAP SIEM API supports relative and absolute time windows:
| Parameter | Format | Example | Max Window |
|---|
sinceSeconds | Integer (seconds) | 3600 (1 hour) | 86400 (24 hours) |
sinceTime | ISO 8601 | 2024-02-15T00:00:00Z | 24 hours from now |
interval | ISO 8601 duration | PT1H (1 hour) | 1 hour |
Important: The maximum lookback window is 24 hours. For historical data beyond 24 hours, use the forensics or campaign APIs instead.
Field Reference
Message Event Fields
| Field | Type | Description |
|---|
GUID | string | Unique message identifier |
QID | string | Queue ID from the mail server |
sender | string | Envelope sender address |
recipient | string[] | List of recipient addresses |
subject | string | Message subject line |
messageTime | datetime | When the message was processed |
threatsInfoMap | object[] | Array of threat details |
malwareScore | int | 0-100 malware confidence score |
phishScore | int | 0-100 phishing confidence score |
spamScore | int | 0-100 spam confidence score |
impostorScore | int | 0-100 impostor/BEC confidence score |
cluster | string | Proofpoint cluster that processed the message |
messageParts | object[] | Breakdown of message MIME parts |
completelyRewritten | boolean | Whether all URLs were rewritten by URL Defense |
policyRoutes | string[] | Policy rules that matched |
Threat Info Map Fields
| Field | Type | Description |
|---|
threat | string | The threat indicator (URL, hash, etc.) |
threatID | string | Unique threat identifier |
threatStatus | string | active, cleared, falsePositive |
threatTime | datetime | When the threat was first identified |
threatType | string | url, attachment, messageText |
classification | string | malware, phish, spam, impostor |
threatUrl | string | URL to threat detail in TAP dashboard |
Click Event Fields
| Field | Type | Description |
|---|
campaignId | string | Associated campaign identifier |
clickIP | string | IP address of the clicker |
clickTime | datetime | When the click occurred |
GUID | string | Message GUID containing the URL |
recipient | string | Who clicked |
sender | string | Who sent the message |
threatID | string | Threat identifier for the URL |
threatTime | datetime | When URL was classified as threat |
threatURL | string | The malicious URL that was clicked |
url | string | The original URL before rewrite |
userAgent | string | Browser user agent of the clicker |
classification | string | malware, phish |
MCP Tools
| Tool | Description | Key Parameters |
|---|
proofpoint_tap_get_all_events | Retrieve all TAP events (messages + clicks) | sinceSeconds, sinceTime, threatType, threatStatus |
proofpoint_tap_get_messages_blocked | Get messages blocked by TAP | sinceSeconds, sinceTime |
proofpoint_tap_get_messages_delivered | Get messages delivered despite threats | sinceSeconds, sinceTime |
proofpoint_tap_get_clicks_permitted | Get clicks that were permitted | sinceSeconds, sinceTime |
proofpoint_tap_get_clicks_blocked | Get clicks that were blocked | sinceSeconds, sinceTime |
proofpoint_tap_get_top_clickers | Get users who click most on threats | window (14, 30, 90 days) |
Common Workflows
Check Recent Threats (Last Hour)
- Call
proofpoint_tap_get_all_events with sinceSeconds=3600
- Separate results into messages blocked, messages delivered, clicks permitted, clicks blocked
- Prioritize any delivered threats or permitted clicks for immediate investigation
- Group threats by classification (malware, phish, impostor)
Investigate a Specific Time Window
- Call
proofpoint_tap_get_messages_blocked with sinceTime set to start of window
- Call
proofpoint_tap_get_messages_delivered with same time window
- Cross-reference delivered messages against click data
- Identify any users who received and clicked on threats
Monitor for Business Email Compromise
- Call
proofpoint_tap_get_messages_delivered with sinceSeconds=3600
- Filter for
impostorScore > 50 in results
- Check if any impostor messages were delivered without quarantine
- Alert on high-confidence impostor messages that reached users
Daily Threat Summary
- Call
proofpoint_tap_get_all_events with sinceSeconds=86400
- Aggregate by classification: malware, phish, spam, impostor counts
- Identify top targeted recipients
- List any permitted clicks with threat details
- Generate summary report with trend comparison
Click Investigation
- Call
proofpoint_tap_get_clicks_permitted with relevant time window
- For each permitted click, note the
recipient, threatURL, and clickTime
- Cross-reference
campaignId to find related threats
- Check if the user's credentials may be compromised
- Initiate password reset if phishing click was to a credential harvester
Error Handling
Common API Errors
| Code | Message | Resolution |
|---|
| 400 | Invalid time range | Ensure sinceSeconds <= 86400 or sinceTime is within 24 hours |
| 400 | Invalid threatType | Use url, attachment, or messageText |
| 401 | Authentication failed | Verify service principal and secret |
| 403 | Insufficient permissions | Ensure TAP API access is enabled for your service principal |
| 404 | No data available | No events in the specified time window |
| 429 | Rate limit exceeded | Implement backoff; TAP API allows ~1000 requests/hour |
Empty Results
If no events are returned:
- The time window may be too narrow - expand to full 24 hours
- The organization may not have had any threat events in the window
- Check that the service principal has access to the correct organization
Best Practices
- Poll regularly - Set up periodic polling (every 5-15 minutes) for near-real-time threat awareness
- Focus on delivered threats - Blocked threats are handled; delivered threats need human review
- Track permitted clicks - These indicate users who interacted with threats and may need remediation
- Correlate with campaigns - Use
campaignId to connect individual events to broader threat campaigns
- **Monito