Splunk® Intelligence Management (Legacy)

User Guide

Set up an enclave inbox with ProofPoint

This page explains how to use Splunk Intelligence Management's Enclave Inbox feature to ingest emails, enrich suspicious observables with additional intelligence, and then pull that intelligence into your workflow tools. This example uses ProofPoint as the third-party workflow tool.

An enclave is limited to a single enclave email inbox.

Prerequisites

Verify you meet the following requirements before proceeding:

  • You must be a ProofPoint licensed user
  • You must have permissions to configure forwarding rules in ProofPoint
  • You must be a Splunk Intelligence Management company administrator to set up an enclave email inbox.

Configure Splunk Intelligence Management

After you have retrieved your Proofpoint API key, follow these steps:

  1. Log in to the Splunk Intelligence Management Web App.
  2. Select User Settings > Settings.
  3. Click Enclave inbox on the Settings menu.
  4. Click the + sign to start the configuration.
  5. Follow the configuration instructions in this document: Enclave Inbox.
  6. In the Sender Emails field, specify tap-notifications@proofpoint.com and press Enter to add it to the list.
  7. Click Send to complete the configuration.

After the set-up is complete, reports from Proofpoint TAP will be submitted into the specified enclave, usually within 15 minutes of a successful configuration.

FAQ

What Indicators are supported when emails are forwarded from Proofpoint?

You can find the whole list here.

How can I set up Proofpoint TAP to forward phishig emails to a Splunk Intelligence Management enclave?

This video explains how to set up Proofpoint to forward phishing emails using the Enclave Inbox. See video how to set up Proofpoint to forward phishing emails using the Enclave Inbox

How do I configure Proofpoint to unwind the encoding URL so it becomes extractable in Splunk Intelligence Management?

Navigate to the Email Protection tab in the Proofpoint configuration panel and configure the rewrite settings. This is explained in further detail in the configuration video: Configure Proofpoint to unwind the encoding URL.

Splunk Intelligence Management does not decode URLs submitted to the Splunk Intelligence Management platform from third party tools that have been encoded. Users who would like to leverage Splunk Intelligence Management's platform capabilities for phishing triage and indicator correlation will need to have their URLs decoded before submitting them to Splunk Intelligence Management. Please reach out the vendor's support team for help on decoding URL's so it can be useful in Splunk Intelligence Management.

Last modified on 21 April, 2022
Set up an enclave inbox to email incident and alert information directly to your enclaves   Add, edit, and remove users from Splunk Intelligence Management

This documentation applies to the following versions of Splunk® Intelligence Management (Legacy): current


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters