Plugins 〉Proofpoint Tap
Proofpoint Tap
Proofpoint TAP Data Source Plugin for Grafana
Description
The Proofpoint TAP DataSource Plugin is a Grafana backend datasource plugin that enables on-demand querying and visualization of Proofpoint Targeted Attack Protection (TAP) SIEM events inside Grafana panels.
Proofpoint TAP is a security solution that helps organizations identify, prevent, and respond to sophisticated email-based attacks targeting users. It uses an advanced email security platform to analyze email traffic and provide visibility into potential threats across all email communications.
Features
- Query and visualize Proofpoint TAP SIEM events directly within Grafana
- Support for multiple event categories: Clicks Permitted, Clicks Blocked, Messages Delivered, and Messages Blocked
- Automatic time-range chunking to comply with Proofpoint API constraints
- Built-in retry logic with exponential backoff for transient failures
- Three pre-built dashboards for immediate insight into email threat data
Compatibility
| Component | Version / Detail |
|---|---|
| Grafana | >= 12.3.0 |
| Proofpoint SIEM API | v2 |
| Authentication | Basic Auth (Service Principal + Secret) |
Visuals
Configuration Editor
Query Editor
Installation
Requirements
- Grafana >= 12.3.0
- A Proofpoint TAP account with API access
- A Service Principal and Secret for authentication
Obtaining Service Credentials
- Login to the Proofpoint TAP dashboard.
- Navigate to Settings > Connected Applications.
- Click Create New Credential.
- Name the new credential set and click Generate.
- Copy the Service Principal and Secret.
Install the Plugin
Install the plugin from the Grafana Plugin Catalog or using the Grafana CLI:
grafana cli plugins install crestdata-proofpointtap-datasource
After installation, restart the Grafana server for the plugin to be loaded.
Configure the Data Source
- In Grafana, navigate to Connections > Data Sources > Add data source.
- Search for Proofpoint Tap and select it.
- Fill in the required configuration fields:
| Name | Type | Required | Description |
|---|---|---|---|
| Service Principal | String | Yes | The Service Principal of the Proofpoint TAP account |
| Secret | Secure String | Yes | The Secret of the Proofpoint TAP account |
- Click Save & Test. The health check will validate your credentials against the Proofpoint API.
Usage
Query Editor
Once the data source is configured, you can create panels using the query editor with the following parameters:
| Parameter | Type | Options | Default | Description |
|---|---|---|---|---|
| Event Types | Dropdown | Clicks Permitted, Clicks Blocked, Messages Delivered, Messages Blocked, All | All | Select the event type to query |
| Threat Status | Dropdown | All, Active, Cleared, FalsePositive | All | Filter events by threat status |
| Threat Type | Dropdown | All, URL, Attachment, MessageText | All | Filter by threat type (for All, Messages Delivered, Messages Blocked) |
| Columns | Multi-select | Depends on event type | Depends on event type | Which fields to return in the DataFrame |
Time Range Handling
The Proofpoint SIEM API enforces:
- Max lookback: 7 days
- Max fetch window: 1 hour per request
The plugin handles this automatically:
(to - from) <= 1 hour→ single API call(to - from) > 1 hour→ split into 1-hour chunks, sequential execution, responses mergedfromolder than 7 days → clear error returned
Error Handling and Retry Strategy
Retries are performed only for transient failures:
- HTTP 429 (rate limited)
- HTTP 5xx responses (500–599)
- Network/connection-level errors
- Errors while reading the response body
Max retry attempts: 3, with exponential backoff (base delay: 3 seconds).
Non-retryable: HTTP 4xx errors (e.g., 401, 403) are returned immediately.
Pre-built Dashboards
The plugin ships three pre-built dashboards. All share these common default settings:
| Setting | Value |
|---|---|
| Default time range | Last 1 hour (now-1h to now) |
| Auto-refresh | Disabled |
| Datasource selection | Template variable (dropdown for selecting the instance) |
1. Proofpoint TAP Overview — High-level summary of all TAP events, including total event count, threat classification and status breakdowns, and top senders.
2. Proofpoint TAP Messages Analysis — Detailed analysis of delivered and blocked email messages, including threat type and status distributions, and average threat scores.
3. Proofpoint TAP Clicks Analysis — Detailed analysis of permitted and blocked URL click events, with breakdowns by classification and threat status.
Limitations and Recommendations
Time range limitations:
- Max lookback: 7 days
- Max interval per request: 1 hour (larger ranges are split into 1-hour chunks)
Recommended Grafana time ranges:
| Use Case | Recommended Range | Auto-refresh |
|---|---|---|
| Live monitoring | Last 1 hour | ON |
| Short investigations | Last 6 hours (up to 12h if low panel count) | ON with caution |
| Historical investigations | > 12 hours up to 7 days | OFF |
Refresh intervals: Due to chunking, total requests scale with panels × chunks × refresh frequency. Prefer Refresh = Off for time ranges > 6 hours or multi-panel dashboards. If auto-refresh is required, use a minimum interval of 1 minute with a time range ≤ 1 hour and a low number of Proofpoint panels.
API rate limits: Each endpoint is limited to 1800 requests per 24 hours.
Support
For issues, questions, or feature requests, please open an issue in this repository.
Roadmap
See the open issues for a list of proposed features and known issues.
Contributing
Contributions are welcome! See the repository README for development setup instructions.
Authors and Acknowledgment
Developed by Crestdata.
License
This plugin is distributed under the LICENSE.
References
Grafana Cloud Free
- Free tier: Limited to 3 users
- Paid plans: $55 / user / month above included usage
- Access to all Enterprise Plugins
- Fully managed service (not available to self-manage)
Self-hosted Grafana Enterprise
- Access to all Enterprise plugins
- All Grafana Enterprise features
- Self-manage on your own infrastructure
Grafana Cloud Free
- Free tier: Limited to 3 users
- Paid plans: $55 / user / month above included usage
- Access to all Enterprise Plugins
- Fully managed service (not available to self-manage)
Self-hosted Grafana Enterprise
- Access to all Enterprise plugins
- All Grafana Enterprise features
- Self-manage on your own infrastructure
Grafana Cloud Free
- Free tier: Limited to 3 users
- Paid plans: $55 / user / month above included usage
- Access to all Enterprise Plugins
- Fully managed service (not available to self-manage)
Self-hosted Grafana Enterprise
- Access to all Enterprise plugins
- All Grafana Enterprise features
- Self-manage on your own infrastructure
Grafana Cloud Free
- Free tier: Limited to 3 users
- Paid plans: $55 / user / month above included usage
- Access to all Enterprise Plugins
- Fully managed service (not available to self-manage)
Self-hosted Grafana Enterprise
- Access to all Enterprise plugins
- All Grafana Enterprise features
- Self-manage on your own infrastructure
Grafana Cloud Free
- Free tier: Limited to 3 users
- Paid plans: $55 / user / month above included usage
- Access to all Enterprise Plugins
- Fully managed service (not available to self-manage)
Self-hosted Grafana Enterprise
- Access to all Enterprise plugins
- All Grafana Enterprise features
- Self-manage on your own infrastructure
Install on Grafana Cloud
Plugins can be installed directly from within your Grafana instance or automated using the Cloud API or Terraform.
Learn more about plugin installationMarketplace plugins
This is a paid plugin developed by a marketplace partner. To purchase an entitlement, sign in first, then fill out the contact form.
Get this plugin
This is a paid for plugin developed by a marketplace partner. To purchase entitlement please fill out the contact us form.
What to expect:
- Grafana Labs will reach out to discuss your needs
- Payment will be taken by Grafana Labs
- Once purchased the plugin will be available for you to install (cloud) or a signed version will be provided (on-premise)
Thank you! We will be in touch.
For more information, visit the docs on plugin installation.
Installing on a local Grafana:
For local instances, plugins are installed and updated via a simple CLI command. Plugins are not updated automatically, however you will be notified when updates are available right within your Grafana.
1. Install the Data Source
Use the grafana-cli tool to install Proofpoint Tap from the commandline:
grafana-cli plugins install The plugin will be installed into your grafana plugins directory; the default is /var/lib/grafana/plugins. More information on the cli tool.
Alternatively, you can manually download the .zip file for your architecture below and unpack it into your grafana plugins directory.
Alternatively, you can manually download the .zip file and unpack it into your grafana plugins directory.
2. Configure the Data Source
Accessed from the Grafana main menu, newly installed data sources can be added immediately within the Data Sources section.
Next, click the Add data source button in the upper right. The data source will be available for selection in the Type select box.
To see a list of installed data sources, click the Plugins item in the main menu. Both core data sources and installed data sources will appear.
Changelog
1.0.6
- Added public link for the license link in plugin.json and README.
1.0.5
- Updated the license link in README.
- Added filterQuery support.
1.0.4
- Added public link for screenshots present in Readme.
1.0.3
- Aligned the version across plugin.json, CHANGELOG, and the release tag
1.0.2
- Updated EULA in license
- Updated Dashboards to reference the existing panels
1.0.1
- Updated backend logger
- Updated TLS verification logic
1.0.0
Initial release.
