Proofpoint DLP
About
Proofpoint adds both threat and behavior telemetry to content to determine intent and risk. Combining these into a modern timeline view helps you understand whether the user who triggered the DLP alert is compromised, malicious, or negligent.
Product Details
Vendor URL: Proofpoint DLP
Product Type: DLP
Product Tier: Tier II
Integration Method: webhook
Integration URL: generic-webhook - Cyderes Documentation
Requirements
Parser Details
Log Format: Syslog
Expected Normalization Rate: 100%
Data Label: PROOFPOINT_DLP
UDM Fields (all UDM fields populated by the parser):
Log File Field | UDM Field |
---|---|
activity.primaryCategory | additional.fields |
sessionId | additional.fields |
contextId | additional.fields |
Proofpoint (static) | metadata.vendor_name |
DLP (static) | metadata.product_name |
activity.trigger | metadata.product_event_type |
id | metadata.product_log_id |
agent.version | principal.asset.software.version |
agent.kind | principal.asset.software.name |
agent.id | principal.asset.software.description |
user.directory.title | principal.user.title |
resources.1._derivatives.direction.source.path | principal.file.full_path |
resources.1.hashes.0.value | principal.file.sha256 |
process.id | principal.process.product_specific_process_id |
process.executable.path | principal.process.file.full_path |
process.executable.name | principal.process.file.names |
process.pid | principal.process.pid |
process.ppid | principal.process.parent_pid |
user.username | principal.user.userid |
user.fullname | principal.user.user_display_name |
user.email | principal.user.email_addresses |
user.id | principal.user.product_object_id |
resources.name | principal.file.name |
resources.1.contentType | principal.resource.resource_subtype |
process.application.name | principal.application |
endpoint.hostname | principal.asset.hostname |
endpoint.hostname | principal.hostname |
endpoint.location.ip | principal.asset.ip |
endpoint.location.ip | principal.ip |
endpoint.net.interfaces.ip | principal.asset.ip |
endpoint.net.interfaces.ip | principal.ip |
endpoint.location.geo.coordinates.lat | principal.asset.location.region_latitude |
endpoint.location.geo.coordinates.lon | principal.asset.location.region_longitude |
endpoint.location.geo.address.country.name | principal.asset.location.country_or_region |
endpoint.location.geo.address.area1.code | principal.asset.location.city |
endpoint.os.kind | principal.asset.platform_software.platform |
endpoint.os.version | principal.asset.platform_software.platform_version |
incident.severity | security_result.severity |
incident.name | security_result.category |
incident.name | security_result.summary |
incident.description | security_result.description |
activity.categories | security_result.category_details |
incident.status | security_result.about.investigation.status |
resources.path | about.file.full_path |
resources.name | about.file.names |
devices.0.usb.vendor.name | target.asset.hardware.manufacturer |
devices.0.usb.serial | target.asset.hardware.serial_number |
devices.0.usb.product.name | target.asset.hardware.model |
devices.0.protocol | target.resource.resource_subtype |
resources.0.port | target.port |
site.path | target.file.full_path |
site.url | target.url |
resources.0.host | target.hostname |
user.groups.id | about.group.product_object_id |
user.groups.name | about.group.group_display_name |
Product Event Types
Event | UDM Event Classification |
---|---|
all others | GENERIC_EVENT |
Log Sample
"{\"test\":{\"id\":\"094ed23a-2f44-5722-a9a3-fca4f491aaa2:24b5dbb1-0828-4635-a73f-3ae2ea2a9aa8:1706695301652\",\"activity\":{\"trigger\":\"it:fs:file:open\",\"categories\":[\"it:ui:app:interaction\",\"it:web:browse\",\"it:web:file:upload\"],\"signals\":[{\"kind\":\"it:signal:dlp\"},{\"kind\":\"it:signal:itm\"}],\"policies\":[{\"id\":\"99e76879-190c-4556-96da-873b73939172\"},{\"id\":\"ca1e290b-e1f8-41e1-8AA3-febaeb50767f\"},{\"id\":\"51bd012e-5b7c-49cf-ba23-91dd290bc786\"}],\"clumps\":{\"primary\":{\"id\":\"c2f02196-9f36-4aea-9611-6e710de8a1ca\",\"item\":{\"designations\":[\"it:activity:clump:item:first\"]}}},\"primaryCategory\":\"it:web:file:upload\"},\"contextId\":\"094edaaa-2f44-5777-a9a3-fca4f4914b32:6y811uqzbro:1706695301366\",\"sessionId\":\"61272aaa-1caf-4462-a4ce-f32db96190ed\",\"process\":{\"id\":\"asdffsda1_10872_638422912910507132\",\"isRoot\":false,\"sid\":0,\"pid\":10872,\"ppid\":12564,\"uid\":0,\"gid\":0,\"euid\":0,\"egid\":0,\"executable\":{\"name\":\"msedge.exe\",\"path\":\"C:\\Program Files (x86)\\Microsoft\\Edge\\Applicationms\\edge.exe\"},\"application\":{\"name\":\"msedge\",\"description\":\"Microsoft Edge\",\"vendor\":\"Microsoft Corporation\"}},\"ui\":{\"windows\":[{\"id\":\"651e9f57-6bb4-418a-81ef-9656f4afa297\",\"title\":\"Client\",\"focused\":true,\"handle\":\"461998\",\"process\":{\"id\":\"L1HF1570AAA_10872_638422912910507132\"}}],\"layout\":{\"id\":\"rmujp8a6j1g\",\"w\":0,\"h\":0,\"displays\":[{\"id\":\"265981\",\"name\":\"Display name not available\",\"w\":1920,\"h\":1080,\"x\":0,\"y\":0},{\"id\":\"1981151\",\"name\":\"DELL 
Machine\",\"w\":1600,\"h\":900,\"x\":0,\"y\":0},{\"id\":\"224795\",\"name\":\"O1306H-R\",\"w\":1920,\"h\":1080,\"x\":0,\"y\":0}]}},\"resources\":[{\"id\":\"a5810c11-c94e-45ff-ad87-9120e6fc9caaa\",\"kind\":\"web\",\"target\":true,\"port\":443,\"scheme\":\"https\",\"url\":\"https://hostname2.com/sites/reports/SitePages/Client.aspx\",\"host\":\"hostname2.com\",\"classification\":{}},{\"id\":\"657fe513-c944-4bae-a845-95df0e7c6aaa\",\"kind\":\"file\",\"target\":false,\"path\":\"c:\\files\\path\",\"size\":1358885,\"contentType\":\"application/pdf\",\"name\":\"filename.pdf\",\"extension\":\"pdf\",\"classification\":{},\"_derivatives\":{\"direction\":{\"source\":{\"path\":\"c:\\files\\path\",\"name\":\"filename.pdf\"}}}}],\"site\":{\"url\":\"https://hostname2.com/sites/reports/SitePages/Client.aspx\",\"host\":\"hostname2.com\",\"scheme\":\"https\",\"port\":443,\"path\":\"/sites/reports/SitePages/Client.aspx\",\"resource\":{\"id\":\"a5810c8d-c94e-45ff-ad87-9120e6fc9c68\",\"kind\":\"web\",\"index\":0}},\"feed\":{\"id\":\"b5723e8a-62d3-4676-9323-c96035233AAA\",\"tenant\":11111111112,\"kind\":\"agent:saas\",\"region\":\"US-central-1\",\"realm\":\"aa-all\",\"instance\":\"094ed23a-2f44-5722-a9a3-fca4f491aaa2\",\"connection\":{\"source\":{\"ip\":\"10.0.0.165\",\"geo\":{\"coordinates\":{\"lat\":39.099,\"lon\":-94.57},\"address\":{\"country\":{\"code\":\"US\",\"name\":\"United States\"},\"area1\":{\"code\":\"Kansas City\"}}}}},\"data\":{\"source\":{\"kind\":\"endpoint:agent\"},\"realm\":{\"id\":\"pfpt:data:ap-northeast-1:endpoint:agent:b5729e8a-62d3-4676-9323-c960352332c7\"}},\"details\":{\"tenant\":{\"alias\":\"aliasllc\"}},\"vendor\":\"proofpoint\",\"product\":\"endpoint\",\"channel\":\"channel:endpoint\"},\"sver\":\"2.0\",\"organization\":{\"customer\":{\"id\":\"36740853-aaaa-bbbb-a834-90fa9351af99\",\"alias\":\"aliaslllc\",\"name\":\"name 
LLC\",\"details\":{\"verticals\":[]}},\"tenant\":{\"pfpt\":{\"oit\":{\"id\":1086733333}},\"id\":\"oit:tenant:1086733333\",\"kind\":\"oit\"},\"instances\":[{\"kind\":\"oit\",\"id\":\"oit:tenant:1086733333\"}]},\"_sys\":{\"processing\":{\"modules\":[],\"rule\":{\"artifacts\":[{\"engine\":\"it:artifact:engine:activity:platform:detection:default\",\"id\":\"activity-2087726148\",\"iver\":144,\"realmId\":\"pfpt:data:fallback:endpoint:agent:fallback\"},{\"engine\":\"it:artifact:engine:activity:platform:detection:default\",\"id\":\"activity-1086733333\",\"iver\":89,\"realmId\":\"pfpt:data:fallback:endpoint:agent:fallback\"}]}}},\"ttl\":1714471301,\"retention\":7776000,\"esUrl\":\"https://hostname3.com\",\"createdBy\":{\"principal\":{\"id\":\"b5729e8a-62d3-4676-9323-c960352332c7\"}},\"sortKey\":\"094ed23a-2f44-5722-a9a3-fca4f491aaa2:24b5dbb1-0828-4635-a73f-3ae2ea2a9aa8:1706695301652\",\"partitionKey\":\"094ed23a-2f44-5722-a9a3-fca4f491aaa2:6y811uqzbro:1706695301366\",\"context\":{\"partitionKey\":\"61272f5f-1caf-4462-a4ce-f32db96190ed\",\"sortKey\":\"094ed23a-2f44-5722-a9a3-fca4f491aaa2:6y811uqzbro:1706695301366\",\"contextId\":\"094ed23a-2f44-5722-a9a3-fca4f491aaa2:6y811uqzbro:1706695301366\",\"sessionId\":\"61272f5f-1caf-4462-a4ce-f32db96190ed\",\"ingestedAt\":\"2024-01-31T10:01:41.366Z\",\"createdAt\":\"2024-01-31T10:01:41.267736Z\"},\"endpoint\":{\"id\":\"hostname1\",\"name\":\"hostname1\",\"hostname\":\"hostname1\",\"fqdn\":\"hostname1.domain.com\",\"os\":{\"kind\":\"WINDOWS\",\"name\":\"Microsoft Windows 10 Enterprise\",\"version\":\"Microsoft Windows 10.0.19045\",\"multiuser\":1},\"net\":{\"interfaces\":[{\"ip\":\"10.0.0.97\"}]},\"location\":{\"ip\":\"10.0.0.165\",\"geo\":{\"coordinates\":{\"lat\":39.099,\"lon\":-94.57},\"address\":{\"country\":{\"code\":\"US\",\"name\":\"United States\"},\"area1\":{\"code\":\"Kansas 
City\"}}}},\"directory\":{\"domain\":\"US\"},\"alias\":\"hostname1\"},\"session\":{\"id\":\"61272f5f-1caf-4462-a4ce-f32db96190ed\"},\"user\":{\"id\":\"S-1-5-21-1043211745-1394158158-1232828436-402AAA\",\"uid\":0,\"gid\":0,\"username\":\"jdoe\",\"netbiosDomain\":\"US\",\"fullname\":\"Doe, John\",\"email\":\"johndoe@domain.com\",\"groups\":[{\"id\":\"S-1-5-23-000\",\"name\":\"BUILTIN\\Users\"}],\"directory\":{\"ou\":\"OU=Users,OU=staff\",\"title\":\"Staff\",\"domain\":\"DOMAIN\"},\"name\":\"jdoe\",\"displayName\":\"Doe, John\",\"aliases\":[{\"id\":\"S-1-5-21-1043211745-1394158158-1232828436-402AAA\",\"name\":\"Doe, John\"},{\"id\":\"S-1-5-21-1043211745-1394158158-1232828436-402AAA\",\"name\":\"johndoe@domain.com\"},{\"id\":\"S-1-5-21-1043211745-1394158158-1232828436-402AAA\",\"name\":\"jdoe\"}]},\"agent\":{\"id\":\"094ed23a-2f44-5722-a9a3-fca4f491aaa2\",\"kind\":\"agent:saas\",\"pid\":11448,\"version\":\"3.1.1.3\"},\"event\":{\"trace\":{\"context\":{\"transactionId\":\"e7e7d539-4e31-419e-b9f7-59eee6922aa5\",\"correlationId\":\"e7e7d539-4e31-419e-b9f7-59eee6922aa5\"}},\"kind\":\"it:agent:activity:event\",\"id\":\"24b5dbb1-0828-4635-a73f-3ae2ea2a9aa8\",\"timezone\":{\"offset\":540},\"clock\":{\"offset\":0},\"observed\":{\"offline\":false},\"sequence\":{\"id\":0},\"observedAt\":\"2024-01-31T10:01:32.3408741Z\",\"inspectedAt\":\"2024-01-31T10:01:32.3408741Z\",\"ingestedAt\":\"2024-01-31T10:01:41.652Z\",\"expiresAt\":\"2024-04-30T10:01:41.000Z\",\"occurredAt\":\"2024-01-31T10:01:32.3408741Z\",\"time\":{\"local\":{\"date\":\"2024-01-31T19:01:32.340Z\",\"year\":2024,\"month\":1,\"day\":31,\"hour\":19,\"min\":1,\"sec\":32,\"dayOfYear\":31,\"dayOfWeek\":3},\"utc\":{\"secondOfDay\":36092}}},\"entity\":{\"kind\":\"endpoint:user:session\",\"vendor\":\"microsoft\",\"provider\":\"microsoft\",\"suite\":\"windows\",\"name\":\"windows\"},\"components\":[{\"id\":\"094ed23a-2f44-5722-a9a3-fca4f491aaa2\",\"kind\":\"agent:saas\",\"version\":\"3.1.1.3\",\"policies\":[{\"id\":\"99e76879-190
c-4556-96da-873b73939172:\"},{\"id\":\"ca1e290b-e1f8-41e1-8AA3-febaeb50767f:\"},{\"id\":\"51bd012e-5b7c-49cf-ba23-91dd290bc786:\"}]}],\"rver\":\"activity-event-2.0-1.814\",\"fqid\":\"TUFERSBZT1UgTE9PSyEgIA==\",\"tags\":[],\"indicators\":[{\"kind\":\"it:platform:predicate\",\"tags\":[],\"id\":\"222cde0e-067d-4cc0-bf4e-0ce85a6296AA:1\",\"alias\":\"7c501bc8-4b98-483c-ba1a-bb93bbc43763\",\"name\":\"[Rule] Exfiltrating any file to the web by uploading\",\"risk\":{},\"result\":{\"value\":\"true\"},\"matches\":[{\"op\":\"$ref\",\"result\":{\"value\":\"true\"},\"params\":[{\"value\":\"8932ccb7-f2b2-481f-a2e1-01fd35beedab:4\"}]}]},{\"kind\":\"it:platform:rule\",\"tags\":[\"222cde0e-067d-4cc0-bf4e-0ce85a6296AA\",\"fee0b59e-fb9b-4e79-aaa6-1b92595547ed\"],\"id\":\"864bfca3-58ec-4b7f-b4f8-286dca144c1b:1\",\"alias\":\"d03144d5-58bb-4e92-b228-a7f018f029cf\",\"name\":\"Exfiltrating any file to the web by uploading\",\"description\":\"Detects when a user exfiltrates any file type (tracked or non-tracked) in any size to the web by uploading it.\",\"result\":{\"value\":\"true\"},\"matches\":[{\"op\":\"$ref\",\"result\":{\"value\":\"true\"},\"params\":[{\"value\":\"222cde0e-067d-4cc0-bf4e-0ce85a6296AA:1\"}]},{\"op\":\"$exists\",\"result\":{\"value\":\"true\"},\"object\":{\"name\":\"activity.clumps.primary.item.designations\",\"kind\":\"field:value\"}},{\"op\":\"$stringEquals\",\"result\":{\"value\":\"true\"},\"object\":{\"name\":\"activity.clumps.primary.item.designations\",\"kind\":\"field:value\"},\"params\":[{\"value\":\"it:activity:clump:item:first\"}]},{\"op\":\"$ref\",\"result\":{\"value\":\"true\"},\"params\":[{\"value\":\"222cde0e-067d-4cc0-bf4e-0ce85a6296AA:1\"}]}]},{\"kind\":\"it:platform:predicate\",\"tags\":[\"222cde0e-067d-4cc0-bf4e-0ce85a6296AA\",\"fee0b59e-fb9b-4e79-aaa6-1b92595547ed\"],\"id\":\"8932ccb7-f2b2-481f-a2e1-01fd35beedab:4\",\"alias\":\"it-library-threat-exfiltrating-any-file-to-the-web-by-uploading\",\"name\":\"Exfiltrating any file to the web by 
uploading\",\"risk\":{\"level\":\"pfpt:risk:600:high\"},\"result\":{\"value\":\"true\"},\"matches\":[{\"op\":\"$stringEquals\",\"result\":{\"value\":\"true\"},\"object\":{\"name\":\"activity.primaryCategory\",\"kind\":\"field:value\"},\"params\":[{\"value\":\"it:web:file:upload\"}]}]}],\"incident\":{\"reasons\":[{\"kind\":\"it:platform:rule\",\"tags\":[\"222cde0e-067d-4cc0-bf4e-0ce85a6296AA\",\"fee0b59e-fb9b-4e79-aaa6-1b92595547ed\"],\"id\":\"864bfca3-58ec-4b7f-b4f8-286dca144c1b\",\"iver\":1,\"alias\":\"d03144d5-58bb-4e92-b228-a7f018f029cf\",\"name\":\"Exfiltrating any file to the web by uploading\",\"description\":\"Detects when a user exfiltrates any file type (tracked or non-tracked) in any size to the web by uploading it.\",\"severity\":\"incident:severity:600:high\",\"indicators\":[{\"index\":1}]}],\"name\":\"Exfiltrating any file to the web by uploading\",\"description\":\"Detects when a user exfiltrates any file type (tracked or non-tracked) in any size to the web by uploading it.\",\"severity\":\"incident:severity:600:high\",\"id\":\"094ed23a-2f44-5722-a9a3-fca4f491aaa2:24b5dbb1-0828-4635-a73f-3ae2ea2a9aa8:1706695301652\",\"kind\":\"it:platform:incident\",\"status\":\"incident:status:new\"},\"processing\":{\"actions\":[{\"kind\":\"it:rule:action:kind:platform:detection:activity:notify\",\"reasons\":[{\"details\":{\"parameters\":{\"targets\":[{\"id\":\"6108b1bc-543c-42ec-959e-4ca5d11f4236\"}]}},\"id\":\"864bfca3-58ec-4b7f-b4f8-286dca144c1b:1\",\"indicators\":[{\"index\":1}]}]}]}}}"
Sample Parsing
about.file.full_path = "c:\files\path"
about.file.names = "filename.pdf"
about.group.group_display_name = "BUILTIN\Users"
about.group.product_object_id = "S-1-5-23-000"
additional.fields["primaryCategory"] = "it:web:file:upload"
metadata.event_timestamp.seconds = 1706727622
metadata.event_type = "GENERIC_EVENT"
metadata.product_event_type = "it:fs:file:open"
metadata.product_log_id = "094ed23a-2f44-5722-a9a3-fca4f491aaa2:24b5dbb1-0828-4635-a73f-3ae2ea2a9aa8:1706695301652"
metadata.product_name = "DLP"
metadata.vendor_name = "Proofpoint"
principal.application = "msedge"
principal.asset.hostname = "hostname1"
principal.asset.ip = "10.0.0.165"
principal.asset.ip = "10.0.0.97"
principal.asset.location.city = "Kansas City"
principal.asset.location.country_or_region = "United States"
principal.asset.location.region_latitude = 39.099000
principal.asset.location.region_longitude = -94.57000
principal.asset.platform_software.platform = "WINDOWS"
principal.asset.platform_software.platform_version = "Microsoft Windows 10.0.19045"
principal.file.full_path = "c:\files\path"
principal.file.names = "filename1.pdf"
principal.process.file.full_path = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
principal.process.file.names = "msedge.exe"
principal.process.parent_pid = "12564"
principal.process.pid = "10872"
principal.process.product_specific_process_id = "PROOFPOINT_DLP:094ed23a-2f44-5722-a9a3-fca4f491aaa2"
principal.resource.resource_subtype = "application/pdf"
principal.user.email_addresses = "johndoe@domain.com"
principal.user.product_object_id = "S-1-5-21-1043211745-1394158158-1232828436-402AAA"
principal.user.user_display_name = "Doe, John"
principal.user.userid = "jdoe"
security_result.about.investigation.status = "NEW"
security_result.category_details = "it:ui:app:interaction"
security_result.category_details = "it:web:browse"
security_result.category_details = "it:web:file:upload"
security_result.category = "DATA_EXFILTRATION"
security_result.description = "Detects when a user exfiltrates any file type (tracked or non-tracked) in any size to the web by uploading it."
security_result.severity = "HIGH"
security_result.summary = "Exfiltrating any file to the web by uploading"
target.file.full_path = "/sites/reports/SitePages/Client.aspx"
target.hostname = "hostname2.com"
target.port = 443
target.url = "https://hostname2.com/sites/reports/SitePages/Client.aspx"