Skip to content

Proofpoint DLP

Proofpoint DLP

About

Proofpoint adds both threat and behavior telemetry to content to determine intent and risk. Combining these into a modern timeline view helps you understand if the user that triggered the DLP alert is compromised, malicious or negligent.

Product Details

Vendor URL: Proofpoint DLP

Product Type: DLP

Product Tier: Tier II

Integration Method: webhook

Integration URL: generic-webhook - Cyderes Documentation

Requirements

Parser Details

Log Format: Syslog

Expected Normalization Rate: 100%

Data Label: PROOFPOINT_DLP

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field UDM Field
activity.primaryCategory additional.fields
sessionId additional.fields
contextId additional.fields
Proofpoint (static) metadata.vendor_name
DLP (static) metadata.product_name
activity.trigger metadata.product_event_type
id metadata.product_log_id
agent.version principal.asset.software.version
agent.kind principal.asset.software.name
agent.id principal.asset.software.description
user.directory.title principal.user.title
resources.1._derivatives.direction.source.path principal.file.full_path
resources.1.hashes.0.value principal.file.sha256
process.id principal.process.product_specific_process_id
process.executable.path principal.process.file.full_path
process.executable.name principal.process.file.names
process.pid principal.process.pid
process.ppid principal.process.parent_pid
user.username principal.user.userid
user.fullname principal.user.user_display_name
user.email principal.user.email_addresses
user.id principal.user.product_object_id
resources.name principal.file.name
resources.1.contentType principal.resource.resource_subtype
process.application.name principal.application
endpoint.hostname principal.asset.hostname
endpoint.hostname principal.hostname
endpoint.location.ip principal.asset.ip
endpoint.location.ip principal.ip
endpoint.net.interfaces.ip principal.asset.ip
endpoint.net.interfaces.ip principal.ip
endpoint.location.geo.coordinates.lat principal.asset.location.region_latitude
endpoint.location.geo.coordinates.lon principal.asset.location.region_longitude
endpoint.location.geo.address.country.name principal.asset.location.country_or_region
endpoint.location.geo.address.area1.code principal.asset.location.cit
endpoint.os.kind principal.asset.platform_software.platform
endpoint.os.version principal.asset.platform_software.platform_version
incident.severity security_result.severity
incident.name security_result.category
incident.name security_result.summary
incident.description security_result.description
activity.categories security_result.category_detail
incident.status security_result.about.investigation.status
resources.path about.file.full_path
resources.name about.file.names
devices.0.usb.vendor.name target.asset.hardware.manufacturer
devices.0.usb.serial target.asset.hardware.serial_number
devices.0.usb.product.name target.asset.hardware.model
devices.0.protocol target.resource.resource_subtype
resources.0.port target.port
site.path target.file.full_pat
site.url target.url
resources.0.host target.hostname
user.groups.id about.group.product_object_id
user.groups.name about.group.group_display_name

Product Event Types

Event UDM Event Classification
all others GENERIC_EVENT

Log Sample

"{\"test\":{\"id\":\"094ed23a-2f44-5722-a9a3-fca4f491aaa2:24b5dbb1-0828-4635-a73f-3ae2ea2a9aa8:1706695301652\",\"activity\":{\"trigger\":\"it:fs:file:open\",\"categories\":[\"it:ui:app:interaction\",\"it:web:browse\",\"it:web:file:upload\"],\"signals\":[{\"kind\":\"it:signal:dlp\"},{\"kind\":\"it:signal:itm\"}],\"policies\":[{\"id\":\"99e76879-190c-4556-96da-873b73939172\"},{\"id\":\"ca1e290b-e1f8-41e1-8AA3-febaeb50767f\"},{\"id\":\"51bd012e-5b7c-49cf-ba23-91dd290bc786\"}],\"clumps\":{\"primary\":{\"id\":\"c2f02196-9f36-4aea-9611-6e710de8a1ca\",\"item\":{\"designations\":[\"it:activity:clump:item:first\"]}}},\"primaryCategory\":\"it:web:file:upload\"},\"contextId\":\"094edaaa-2f44-5777-a9a3-fca4f4914b32:6y811uqzbro:1706695301366\",\"sessionId\":\"61272aaa-1caf-4462-a4ce-f32db96190ed\",\"process\":{\"id\":\"asdffsda1_10872_638422912910507132\",\"isRoot\":false,\"sid\":0,\"pid\":10872,\"ppid\":12564,\"uid\":0,\"gid\":0,\"euid\":0,\"egid\":0,\"executable\":{\"name\":\"msedge.exe\",\"path\":\"C:\\Program Files (x86)\\Microsoft\\Edge\\Applicationms\\edge.exe\"},\"application\":{\"name\":\"msedge\",\"description\":\"Microsoft Edge\",\"vendor\":\"Microsoft Corporation\"}},\"ui\":{\"windows\":[{\"id\":\"651e9f57-6bb4-418a-81ef-9656f4afa297\",\"title\":\"Client\",\"focused\":true,\"handle\":\"461998\",\"process\":{\"id\":\"L1HF1570AAA_10872_638422912910507132\"}}],\"layout\":{\"id\":\"rmujp8a6j1g\",\"w\":0,\"h\":0,\"displays\":[{\"id\":\"265981\",\"name\":\"Display name not available\",\"w\":1920,\"h\":1080,\"x\":0,\"y\":0},{\"id\":\"1981151\",\"name\":\"DELL Machine\",\"w\":1600,\"h\":900,\"x\":0,\"y\":0},{\"id\":\"224795\",\"name\":\"O1306H-R\",\"w\":1920,\"h\":1080,\"x\":0,\"y\":0}]}},\"resources\":[{\"id\":\"a5810c11-c94e-45ff-ad87-9120e6fc9caaa\",\"kind\":\"web\",\"target\":true,\"port\":443,\"scheme\":\"https\",\"url\":\"https://hostname2.com/sites/reports/SitePages/Client.aspx\",\"host\":\"hostname2.com\",\"classification\":{}},{\"id\":\"657fe513-c944-4bae-a845-95df0e7c6aaa\",\"kind\":\"file\",\"target\":false,\"path\":\"c:\\files\\path\",\"size\":1358885,\"contentType\":\"application/pdf\",\"name\":\"filename.pdf\",\"extension\":\"pdf\",\"classification\":{},\"_derivatives\":{\"direction\":{\"source\":{\"path\":\"c:\\files\\path\",\"name\":\"filename.pdf\"}}}}],\"site\":{\"url\":\"https://hostname2.com/sites/reports/SitePages/Client.aspx\",\"host\":\"hostname2.com\",\"scheme\":\"https\",\"port\":443,\"path\":\"/sites/reports/SitePages/Client.aspx\",\"resource\":{\"id\":\"a5810c8d-c94e-45ff-ad87-9120e6fc9c68\",\"kind\":\"web\",\"index\":0}},\"feed\":{\"id\":\"b5723e8a-62d3-4676-9323-c96035233AAA\",\"tenant\":11111111112,\"kind\":\"agent:saas\",\"region\":\"US-central-1\",\"realm\":\"aa-all\",\"instance\":\"094ed23a-2f44-5722-a9a3-fca4f491aaa2\",\"connection\":{\"source\":{\"ip\":\"10.0.0.165\",\"geo\":{\"coordinates\":{\"lat\":39.099,\"lon\":-94.57},\"address\":{\"country\":{\"code\":\"US\",\"name\":\"United States\"},\"area1\":{\"code\":\"Kansas City\"}}}}},\"data\":{\"source\":{\"kind\":\"endpoint:agent\"},\"realm\":{\"id\":\"pfpt:data:ap-northeast-1:endpoint:agent:b5729e8a-62d3-4676-9323-c960352332c7\"}},\"details\":{\"tenant\":{\"alias\":\"aliasllc\"}},\"vendor\":\"proofpoint\",\"product\":\"endpoint\",\"channel\":\"channel:endpoint\"},\"sver\":\"2.0\",\"organization\":{\"customer\":{\"id\":\"36740853-aaaa-bbbb-a834-90fa9351af99\",\"alias\":\"aliaslllc\",\"name\":\"name LLC\",\"details\":{\"verticals\":[]}},\"tenant\":{\"pfpt\":{\"oit\":{\"id\":1086733333}},\"id\":\"oit:tenant:1086733333\",\"kind\":\"oit\"},\"instances\":[{\"kind\":\"oit\",\"id\":\"oit:tenant:1086733333\"}]},\"_sys\":{\"processing\":{\"modules\":[],\"rule\":{\"artifacts\":[{\"engine\":\"it:artifact:engine:activity:platform:detection:default\",\"id\":\"activity-2087726148\",\"iver\":144,\"realmId\":\"pfpt:data:fallback:endpoint:agent:fallback\"},{\"engine\":\"it:artifact:engine:activity:platform:detection:default\",\"id\":\"activity-1086733333\",\"iver\":89,\"realmId\":\"pfpt:data:fallback:endpoint:agent:fallback\"}]}}},\"ttl\":1714471301,\"retention\":7776000,\"esUrl\":\"https://hostname3.com\",\"createdBy\":{\"principal\":{\"id\":\"b5729e8a-62d3-4676-9323-c960352332c7\"}},\"sortKey\":\"094ed23a-2f44-5722-a9a3-fca4f491aaa2:24b5dbb1-0828-4635-a73f-3ae2ea2a9aa8:1706695301652\",\"partitionKey\":\"094ed23a-2f44-5722-a9a3-fca4f491aaa2:6y811uqzbro:1706695301366\",\"context\":{\"partitionKey\":\"61272f5f-1caf-4462-a4ce-f32db96190ed\",\"sortKey\":\"094ed23a-2f44-5722-a9a3-fca4f491aaa2:6y811uqzbro:1706695301366\",\"contextId\":\"094ed23a-2f44-5722-a9a3-fca4f491aaa2:6y811uqzbro:1706695301366\",\"sessionId\":\"61272f5f-1caf-4462-a4ce-f32db96190ed\",\"ingestedAt\":\"2024-01-31T10:01:41.366Z\",\"createdAt\":\"2024-01-31T10:01:41.267736Z\"},\"endpoint\":{\"id\":\"hostname1\",\"name\":\"hostname1\",\"hostname\":\"hostname1\",\"fqdn\":\"hostname1.domain.com\",\"os\":{\"kind\":\"WINDOWS\",\"name\":\"Microsoft Windows 10 Enterprise\",\"version\":\"Microsoft Windows 10.0.19045\",\"multiuser\":1},\"net\":{\"interfaces\":[{\"ip\":\"10.0.0.97\"}]},\"location\":{\"ip\":\"10.0.0.165\",\"geo\":{\"coordinates\":{\"lat\":39.099,\"lon\":-94.57},\"address\":{\"country\":{\"code\":\"US\",\"name\":\"United States\"},\"area1\":{\"code\":\"Kansas City\"}}}},\"directory\":{\"domain\":\"US\"},\"alias\":\"hostname1\"},\"session\":{\"id\":\"61272f5f-1caf-4462-a4ce-f32db96190ed\"},\"user\":{\"id\":\"S-1-5-21-1043211745-1394158158-1232828436-402AAA\",\"uid\":0,\"gid\":0,\"username\":\"jdoe\",\"netbiosDomain\":\"US\",\"fullname\":\"Doe, John\",\"email\":\"johndoe@domain.com\",\"groups\":[{\"id\":\"S-1-5-23-000\",\"name\":\"BUILTIN\\Users\"}],\"directory\":{\"ou\":\"OU=Users,OU=staff\",\"title\":\"Staff\",\"domain\":\"DOMAIN\"},\"name\":\"jdoe\",\"displayName\":\"Doe, John\",\"aliases\":[{\"id\":\"S-1-5-21-1043211745-1394158158-1232828436-402AAA\",\"name\":\"Doe, John\"},{\"id\":\"S-1-5-21-1043211745-1394158158-1232828436-402AAA\",\"name\":\"johndoe@domain.com\"},{\"id\":\"S-1-5-21-1043211745-1394158158-1232828436-402AAA\",\"name\":\"jdoe\"}]},\"agent\":{\"id\":\"094ed23a-2f44-5722-a9a3-fca4f491aaa2\",\"kind\":\"agent:saas\",\"pid\":11448,\"version\":\"3.1.1.3\"},\"event\":{\"trace\":{\"context\":{\"transactionId\":\"e7e7d539-4e31-419e-b9f7-59eee6922aa5\",\"correlationId\":\"e7e7d539-4e31-419e-b9f7-59eee6922aa5\"}},\"kind\":\"it:agent:activity:event\",\"id\":\"24b5dbb1-0828-4635-a73f-3ae2ea2a9aa8\",\"timezone\":{\"offset\":540},\"clock\":{\"offset\":0},\"observed\":{\"offline\":false},\"sequence\":{\"id\":0},\"observedAt\":\"2024-01-31T10:01:32.3408741Z\",\"inspectedAt\":\"2024-01-31T10:01:32.3408741Z\",\"ingestedAt\":\"2024-01-31T10:01:41.652Z\",\"expiresAt\":\"2024-04-30T10:01:41.000Z\",\"occurredAt\":\"2024-01-31T10:01:32.3408741Z\",\"time\":{\"local\":{\"date\":\"2024-01-31T19:01:32.340Z\",\"year\":2024,\"month\":1,\"day\":31,\"hour\":19,\"min\":1,\"sec\":32,\"dayOfYear\":31,\"dayOfWeek\":3},\"utc\":{\"secondOfDay\":36092}}},\"entity\":{\"kind\":\"endpoint:user:session\",\"vendor\":\"microsoft\",\"provider\":\"microsoft\",\"suite\":\"windows\",\"name\":\"windows\"},\"components\":[{\"id\":\"094ed23a-2f44-5722-a9a3-fca4f491aaa2\",\"kind\":\"agent:saas\",\"version\":\"3.1.1.3\",\"policies\":[{\"id\":\"99e76879-190c-4556-96da-873b73939172:\"},{\"id\":\"ca1e290b-e1f8-41e1-8AA3-febaeb50767f:\"},{\"id\":\"51bd012e-5b7c-49cf-ba23-91dd290bc786:\"}]}],\"rver\":\"activity-event-2.0-1.814\",\"fqid\":\"TUFERSBZT1UgTE9PSyEgIA==\",\"tags\":[],\"indicators\":[{\"kind\":\"it:platform:predicate\",\"tags\":[],\"id\":\"222cde0e-067d-4cc0-bf4e-0ce85a6296AA:1\",\"alias\":\"7c501bc8-4b98-483c-ba1a-bb93bbc43763\",\"name\":\"[Rule] Exfiltrating any file to the web by uploading\",\"risk\":{},\"result\":{\"value\":\"true\"},\"matches\":[{\"op\":\"$ref\",\"result\":{\"value\":\"true\"},\"params\":[{\"value\":\"8932ccb7-f2b2-481f-a2e1-01fd35beedab:4\"}]}]},{\"kind\":\"it:platform:rule\",\"tags\":[\"222cde0e-067d-4cc0-bf4e-0ce85a6296AA\",\"fee0b59e-fb9b-4e79-aaa6-1b92595547ed\"],\"id\":\"864bfca3-58ec-4b7f-b4f8-286dca144c1b:1\",\"alias\":\"d03144d5-58bb-4e92-b228-a7f018f029cf\",\"name\":\"Exfiltrating any file to the web by uploading\",\"description\":\"Detects when a user exfiltrates any file type (tracked or non-tracked) in any size to the web by uploading it.\",\"result\":{\"value\":\"true\"},\"matches\":[{\"op\":\"$ref\",\"result\":{\"value\":\"true\"},\"params\":[{\"value\":\"222cde0e-067d-4cc0-bf4e-0ce85a6296AA:1\"}]},{\"op\":\"$exists\",\"result\":{\"value\":\"true\"},\"object\":{\"name\":\"activity.clumps.primary.item.designations\",\"kind\":\"field:value\"}},{\"op\":\"$stringEquals\",\"result\":{\"value\":\"true\"},\"object\":{\"name\":\"activity.clumps.primary.item.designations\",\"kind\":\"field:value\"},\"params\":[{\"value\":\"it:activity:clump:item:first\"}]},{\"op\":\"$ref\",\"result\":{\"value\":\"true\"},\"params\":[{\"value\":\"222cde0e-067d-4cc0-bf4e-0ce85a6296AA:1\"}]}]},{\"kind\":\"it:platform:predicate\",\"tags\":[\"222cde0e-067d-4cc0-bf4e-0ce85a6296AA\",\"fee0b59e-fb9b-4e79-aaa6-1b92595547ed\"],\"id\":\"8932ccb7-f2b2-481f-a2e1-01fd35beedab:4\",\"alias\":\"it-library-threat-exfiltrating-any-file-to-the-web-by-uploading\",\"name\":\"Exfiltrating any file to the web by uploading\",\"risk\":{\"level\":\"pfpt:risk:600:high\"},\"result\":{\"value\":\"true\"},\"matches\":[{\"op\":\"$stringEquals\",\"result\":{\"value\":\"true\"},\"object\":{\"name\":\"activity.primaryCategory\",\"kind\":\"field:value\"},\"params\":[{\"value\":\"it:web:file:upload\"}]}]}],\"incident\":{\"reasons\":[{\"kind\":\"it:platform:rule\",\"tags\":[\"222cde0e-067d-4cc0-bf4e-0ce85a6296AA\",\"fee0b59e-fb9b-4e79-aaa6-1b92595547ed\"],\"id\":\"864bfca3-58ec-4b7f-b4f8-286dca144c1b\",\"iver\":1,\"alias\":\"d03144d5-58bb-4e92-b228-a7f018f029cf\",\"name\":\"Exfiltrating any file to the web by uploading\",\"description\":\"Detects when a user exfiltrates any file type (tracked or non-tracked) in any size to the web by uploading it.\",\"severity\":\"incident:severity:600:high\",\"indicators\":[{\"index\":1}]}],\"name\":\"Exfiltrating any file to the web by uploading\",\"description\":\"Detects when a user exfiltrates any file type (tracked or non-tracked) in any size to the web by uploading it.\",\"severity\":\"incident:severity:600:high\",\"id\":\"094ed23a-2f44-5722-a9a3-fca4f491aaa2:24b5dbb1-0828-4635-a73f-3ae2ea2a9aa8:1706695301652\",\"kind\":\"it:platform:incident\",\"status\":\"incident:status:new\"},\"processing\":{\"actions\":[{\"kind\":\"it:rule:action:kind:platform:detection:activity:notify\",\"reasons\":[{\"details\":{\"parameters\":{\"targets\":[{\"id\":\"6108b1bc-543c-42ec-959e-4ca5d11f4236\"}]}},\"id\":\"864bfca3-58ec-4b7f-b4f8-286dca144c1b:1\",\"indicators\":[{\"index\":1}]}]}]}}}"

Sample Parsing

about.file.full_path = "c:\files\path"
about.file.names = "filename.pdf"
about.group.group_display_name = "BUILTIN\Users"
about.group.product_object_id = "S-1-5-23-000"
additional.fields["primaryCategory"] = "it:web:file:upload"
metadata.event_timestamp.seconds = 1706727622
metadata.event_type = "GENERIC_EVENT"
metadata.product_event_type = "it:fs:file:open"
metadata.product_log_id = "094ed23a-2f44-5722-a9a3-fca4f491aaa2:24b5dbb1-0828-4635-a73f-3ae2ea2a9aa8:1706695301652"
metadata.product_name = "DLP"
metadata.vendor_name = "Proofpoint"
principal.application = "msedge"
principal.asset.hostname = "hostname1"
principal.asset.ip = "10.0.0.165"
principal.asset.ip = "10.0.0.97"
principal.asset.location.city = "Kansas City"
principal.asset.location.country_or_region = "United States"
principal.asset.location.region_latitude = 39.099000
principal.asset.location.region_longitude = -94.57000
principal.asset.platform_software.platform = "WINDOWS"
principal.asset.platform_software.platform_version = "Microsoft Windows 10.0.19045"
principal.file.full_path = "c:\files\path"
principal.file.names = "filename1.pdf"
principal.process.file.full_path = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
principal.process.file.names = "msedge.exe"
principal.process.parent_pid = "12564"
principal.process.pid = "10872"
principal.process.product_specific_process_id = "PROOFPOINT_DLP:094ed23a-2f44-5722-a9a3-fca4f491aaa2"
principal.resource.resource_subtype = "application/pdf"
principal.user.email_addresses = "johndoe@domain.com"
principal.user.product_object_id = "S-1-5-21-1043211745-1394158158-1232828436-402AAA"
principal.user.user_display_name = "Doe, John"
principal.user.userid = "jdoe"
security_result.about.investigation.status = "NEW"
security_result.category_details = "it:ui:app:interaction"
security_result.category_details = "it:web:browse"
security_result.category_details = "it:web:file:upload"
security_result.category = "DATA_EXFILTRATION"
security_result.description = "Detects when a user exfiltrates any file type (tracked or non-tracked) in any size to the web by uploading it."
security_result.severity = "HIGH"
security_result.summary = "Exfiltrating any file to the web by uploading"
target.file.full_path = "/sites/reports/SitePages/Client.aspx"
target.hostname = "hostname2.com"
target.port = 443
target.url = "https://hostname2.com/sites/reports/SitePages/Client.aspx"