Connect your Proofpoint On Demand Email Security (POD) solution to Azure Sentinel

Important

The Proofpoint On Demand Email Security connector is currently in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

This article explains how to connect your Proofpoint On Demand Email Security appliance to Azure Sentinel. The POD data connector lets you connect your POD logs to Azure Sentinel so that you can view the data in workbooks, use it to create custom alerts, and incorporate it into investigations. The integration between Proofpoint On Demand Email Security and Azure Sentinel uses the Proofpoint WebSocket API.

Note

Data will be stored in the geographic location of the workspace on which you are running Azure Sentinel.

Prerequisites

Configure and connect Proofpoint On Demand Email Security

Proofpoint On Demand Email Security can integrate and export logs directly to Azure Sentinel.

  1. In the Azure Sentinel navigation menu, select Data connectors.

  2. From the Data connectors gallery, select Proofpoint On Demand Email Security (Preview) and then Open connector page.

  3. Follow the steps described in the Configuration section of the connector page.

Find your data

After a successful connection is established, the data appears in Logs, under Custom Logs, in the following tables:

  • ProofpointPOD_message_CL
  • ProofpointPOD_maillog_CL

See the Next steps tab in the connector page for some useful sample queries.

Validate connectivity

It may take up to 60 minutes until your logs start to appear in Log Analytics.
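One way to check that events are actually arriving, as an added example that is not part of this article or the connector page: run the following query in Logs. It relies only on the two custom tables named above and on the TimeGenerated column that every Log Analytics table carries; it reports, per table, how many events were ingested in the last 24 hours and how many minutes have passed since the most recent one, so an empty result or a growing MinutesSinceLast value points to a stalled connection.

```kusto
// Per-table ingestion summary for the Proofpoint POD connector.
// Uses only the table names from this article and the standard TimeGenerated column.
union withsource=TableName ProofpointPOD_message_CL, ProofpointPOD_maillog_CL
| where TimeGenerated > ago(24h)
| summarize
    Events = count(),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by TableName
| extend MinutesSinceLast = datetime_diff('minute', now(), LastSeen)
| order by TableName asc
```

If both tables are missing from the result after the 60-minute window, re-check the configuration steps on the connector page before investigating the Proofpoint side.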

Next steps

In this document, you learned how to connect Proofpoint On Demand Email Security to Azure Sentinel. To learn more about Azure Sentinel, see the following articles: