Setting up an Enclave Inbox with Proofpoint

Updated 1 year ago by TruSTAR

This page explains how to use TruSTAR's Enclave Inbox feature to ingest emails, enrich suspicious observables with additional intelligence, and then pull that intelligence into your workflow tools. This example uses ProofPoint as the third-party workflow tool.

An Enclave is limited to a single Enclave Email Inbox.



  • Proofpoint licensed user
  • Permissions to configure forwarding rules.


  • You must be a Company Administrator to set up the Enclave Email Inbox feature.

Configuring TruSTAR

After you have retrieved your Proofpoint API key, follow these steps:

  1. Log in to the TruSTAR Web App.
  2. Click navigate to User Settings on the Navigation Bar, then choose Settings from the dropdown menu.
  3. Click Enclave inbox on the Settings menu.
  4. Click the + sign on the far right vertical menu to start the configuration.
  5. Follow the configuration instructions in this document: Enclave Inbox.
  6. In the Sender Emails field, specify and press Enter to add it to the list.
  7. Click Send to complete the configuration.

After the set-up is complete, reports from Proofpoint TAP will be submitted into the specified enclave, usually within 15 minutes of a successful configuration.


What Indicators are supported when emails are forwarded from Proofpoint? 

You can find the whole list here.

How can I set up Proofpoint TAP to forward phishing emails to a TruSTAR Enclave?

This video explains how to set up Proofpoint to forward phishing emails using the Enclave Inbox:

How do I configure Proofpoint to unwind the encoding URL so it becomes extractable in TruSTAR?

Navigate to the Email Protection tab in the Proofpoint configuration panel (see screenshot) and configure the rewrite settings. This is explained in further detail at the 2:10 mark in the configuration video:

TruSTAR does not decode URLs submitted to the TruSTAR platform from third party tools that have been encoded. Users who would like to leverage TruSTARs platform capabilities for phishing triage and indicator correlation will need to have their URLs decoded before submitting them to TruSTAR. Please reach out the vendor's support team for help on decoding URL's so it can be useful in TruSTAR

Please reach out to for any additional questions.

How Did We Do?