Proofpoint Threat Protection Integration
Proofpoint Threat Protection is an email security gateway that analyzes and classifies email to protect against various kinds of email-borne threats including malware, BEC, and more. In Cisco XDR, Proofpoint provides information about detected security threats for correlation and analysis.
- In the Cisco XDR navigation menu, choose Administration > Integrations.
- On the Integrations page, click the Third-Party tab and navigate to the Proofpoint Threat Protection integration.
- Click the plus sign (+) in the lower-right corner of the card. The Proofpoint Threat Protection integration page is displayed.
- Expand the Integration Guide area and follow the instructions on how to add the Proofpoint Threat Protection integration in Cisco XDR.
Incidents are groups of correlated events generated using data ingested from your integrated products. Correlating events that could be part of a larger threat into an incident reduces the time typically required to investigate individual security alerts or detections. For more information about the Cisco XDR Incidents feature, see Incidents.
When you enable the Proofpoint Threat Protection integration, Cisco XDR ingests detected security threats from Proofpoint for incident correlation.
To view incidents with Proofpoint Threat Protection data:
- In the Cisco XDR navigation menu, choose Incidents.
- Look for Proofpoint in the Source column to find incidents generated with Proofpoint Threat Protection data.
- Select an incident and open the Incident Detail page.
- Click on the Detection page to see events from Proofpoint and other sources.
To verify that Cisco XDR is receiving Proofpoint Threat Protection data when no incidents are present, go to the Investigate > Detection findings page and filter the table by Proofpoint Threat Protection using the Source drop-down list. For more information, see the Detection Findings help topic.
You can perform the following task after you integrate Proofpoint Threat Protection with Cisco XDR:
- Detection findings: View the security events generated by Proofpoint Threat Protection to validate the data that is ingested by Cisco XDR for incident generation. For details, see Detection Findings.