Data Export
Data export lets you securely replicate your data outside Proofpoint. This includes metadata such as activity data, alerts and events. Once it is exported, you can manipulate the data to perform analysis and correlations.
Data can be replicated to a customer-owned AWS S3 bucket or Azure, and can then be pulled into other analytic tools such as SIEMs and data lakes. You specify which data you want to export.
To enable raw data export from the platform to external storage, you must onboard external storage from Integrations > Integrations Settings (see Integration Settings).
Assigning Signals
- From Proofpoint Data Security & Posture, select the Administration app. Select Integrations > Data Export. Signals are displayed by region.
  Only those options that are licensed according to your company's entitlements will be displayed. (See Understanding Entitlements.)
  By default, all signals/sources display as Disabled until you make the assignment. Until you assign the signals and sources, data export is not enabled.
- To assign a signal, click ... next to the relevant region and click Edit. The Assign Signals panel displays.
- From the dropdown, select the storage area defined in the Integration Settings. (You can select one storage area for each signal type for each region.)
- Click Save.
Exported Data Prefixes
Export data is written at the storage root level with the following path (base path is not configurable).
You can use the prefixes to help you when locating data.
tenants/{{data-kind}}/tenant={{platform-tenant-id}}/year={{year}}/month={{month}}/day={{day}}/hour={{hour}}/FILE-NAME.gz
where:
{{data-kind}} for each product is:
- oitactivity = endpoint data events
- casb = CASB data events
- meta = meta networks data events
- incidents = incidents across all channels/products
- platform = audit data across all channels/products (contains web console user activity data as well)
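The following Python sketch is an added example, not Proofpoint code. It parses object keys against the path layout above, selects the keys for one tenant, a set of data kinds and a time window before pulling them into a SIEM, and flags keys that are off-layout or belong to another tenant. It assumes the partition hours are UTC and that numeric fields may or may not be zero-padded; the tenant IDs, file names and the function names parse_key and select_keys are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Data kinds listed on this page.
DATA_KINDS = {"oitactivity", "casb", "meta", "incidents", "platform"}

# Export path layout from this page. Assumption: numeric fields may or may
# not be zero-padded, so both forms are accepted.
KEY_RE = re.compile(
    r"^tenants/(?P<kind>[^/]+)/tenant=(?P<tenant>[^/]+)"
    r"/year=(?P<year>\d{4})/month=(?P<month>\d{1,2})"
    r"/day=(?P<day>\d{1,2})/hour=(?P<hour>\d{1,2})/(?P<file>[^/]+\.gz)$"
)

def parse_key(key):
    """Return (kind, tenant, hour_start, file), or None if the key is off-layout."""
    m = KEY_RE.match(key)
    if not m or m["kind"] not in DATA_KINDS:
        return None
    try:  # Assumption: partition timestamps are UTC.
        ts = datetime(int(m["year"]), int(m["month"]), int(m["day"]),
                      int(m["hour"]), tzinfo=timezone.utc)
    except ValueError:  # e.g. month=13 or hour=24
        return None
    return m["kind"], m["tenant"], ts, m["file"]

def select_keys(keys, tenant, kinds, start, end):
    """Return (wanted, rejected); rejected = off-layout or other-tenant keys."""
    wanted, rejected = [], []
    for key in keys:
        parsed = parse_key(key)
        if parsed is None or parsed[1] != tenant:
            rejected.append(key)  # worth reviewing: not expected in this bucket
        elif parsed[0] in kinds and start <= parsed[2] < end:
            wanted.append((parsed[2], key))
    return [k for _, k in sorted(wanted)], rejected

# Constructed sample keys (tenant IDs and file names are made up).
T = "tenants/{}/tenant={}/year=2024/month={}/day=14/hour={}/{}.gz"
SAMPLE_KEYS = [
    T.format("platform", "example-tenant-0001", "05", "10", "part-0002"),
    T.format("incidents", "example-tenant-0001", "05", "09", "part-0001"),
    T.format("casb", "example-tenant-0001", "05", "10", "part-0003"),
    T.format("incidents", "other-tenant-9999", "05", "09", "part-0004"),
    T.format("incidents", "example-tenant-0001", "13", "09", "part-0005"),
    T.format("unknown", "example-tenant-0001", "05", "09", "part-0006"),
    T.format("incidents", "example-tenant-0001", "05", "12", "part-0007"),
]
```

Feed select_keys the key listing from your own storage account; the rejected list is a useful signal that something other than the export is writing under the tenants/ prefix.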