Proofpoint Identity Threat Platform

About
The Proofpoint Identity Threat Defense (ITD) platform provides end-to-end protection against identity threats. It includes the component products Proofpoint Shadow and Proofpoint Spotlight, and combines discovery and remediation of identity vulnerabilities with agentless, deception-based detection and forensics, so you can discover, prioritize and remediate vulnerable identities and detect and respond to active threats.
Product Details
Vendor URL: Proofpoint
Product Type: ITDR
Product Tier: Tier II
Integration Method: API
Log Guide: Threats API
Parser Details
Log Format: JSON
Expected Normalization Rate: 100%
Data Label: PROOFPOINT_IDENTITY_THREAT_PLATFORM
UDM Fields (all UDM fields the parser populates; a log field that appears in more than one row is written to each listed UDM field):
| Log File Field | UDM Field |
|---|---|
| component | principal.resource.name |
| deceptiveHostname | target.asset.hostname |
| deceptiveHostname | security_result.detection_fields |
| destinationTrapIP | target.ip |
| destinationTrapIP | target.asset.ip |
| destinationTrapIP | security_result.detection_fields |
| deviceReceiptTime | metadata.event_timestamp |
| event | metadata.product_event_type |
| eventCount | additional.fields |
| eventId | additional.fields |
| eventType | metadata.product_event_type |
| findings | security_result.detection_fields |
| hasForensics | security_result.detection_fields |
| headerCategory | metadata.description |
| healthCheckName | target.resource.name |
| id | metadata.product_log_id |
| impact | security_result.summary |
| incidentId | security_result.threat_id |
| incidentUrl | security_result.url_back_to_product |
| instanceName | target.resource.attribute.labels |
| issue | security_result.description |
| lastConfigurationCheckStatus | security_result.action_details |
| lastSeenUser | principal.user.userid |
| logonUser | principal.user.userid |
| outcome | security_result.action_details |
| processName | target.process.file.full_path |
| serviceType | network.application_protocol |
| settingsLink | security_result.url_back_to_product |
| sourceAddress | principal.ip |
| sourceHostname | principal.hostname |
| sourceIp | principal.ip |
| tenantName | observer.resource.name |
| user | target.user.userid |
| userAgent | network.http.user_agent |
Product Event Types
| Event | UDM Event Classification |
|---|---|
| ACCESS | NETWORK_CONNECTION |
| LOGIN | USER_LOGIN |
Log Sample
{"id":"8116e2ea-158a-4363-b3e9-cab2f9fad0c6","headerCategory":"ITD:audit","event":"Login","tenantName":"examplecorp-saas","user":"john.doe@examplecorp.com","eventDetails":"","sourceAddress":"10.85.52.219","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/10.0.0.0 Safari/537.36","deviceReceiptTime":1744661754866,"outcome":"success"}
Sample Parsing
extracted.fields["deviceReceiptTime"] = "1.744661754866e+12"
metadata.description = "ITD:audit"
metadata.event_type = "USER_LOGIN"
metadata.log_type = "PROOFPOINT_IDENTITY_THREAT_PLATFORM"
metadata.product_event_type = "Login"
metadata.product_log_id = "8116e2ea-158a-4363-b3e9-cab2f9fad0c6"
metadata.product_name = "Identity Threat Platform"
metadata.vendor_name = "Proofpoint"
network.http.user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/10.0.0.0 Safari/537.36"
observer.resource.name = "examplecorp-saas"
principal.ip = "10.85.52.219"
security_result.action_details = "success"
security_result.action = "ALLOW"
target.administrative_domain = "examplecorp.com"
target.user.userid = "john.doe@examplecorp.com"
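The following is an added example, not the vendor's Threats API client nor the SIEM's own parser: a Python normalizer that transcribes the UDM field table and the Product Event Types table above and runs them over the page's log sample, reproducing the Sample Parsing output. It also shows two details a practitioner should check when writing or validating this mapping: deviceReceiptTime is epoch milliseconds (13 digits) and may already have been rendered as a float string such as "1.744661754866e+12" by the time the parser sees it, so the conversion goes through float before truncating; and the event table lists LOGIN and ACCESS in upper case while the sample carries "Login", so classification must be case-insensitive. The function names, the second (ACCESS) sample event and the failure-to-BLOCK mapping are this example's own assumptions; the page only shows the success case.

```python
"""Constructed example: normalize Proofpoint ITD Threats API events to the UDM
field paths documented on this page. Not the vendor's or the SIEM's parser."""
import json
from datetime import datetime, timezone

# Log field -> UDM field(s), transcribed from the mapping table on this page.
FIELD_MAP = {
    "component": ["principal.resource.name"],
    "deceptiveHostname": ["target.asset.hostname", "security_result.detection_fields"],
    "destinationTrapIP": ["target.ip", "target.asset.ip", "security_result.detection_fields"],
    "event": ["metadata.product_event_type"],
    "eventCount": ["additional.fields"],
    "eventId": ["additional.fields"],
    "eventType": ["metadata.product_event_type"],
    "findings": ["security_result.detection_fields"],
    "hasForensics": ["security_result.detection_fields"],
    "headerCategory": ["metadata.description"],
    "healthCheckName": ["target.resource.name"],
    "id": ["metadata.product_log_id"],
    "impact": ["security_result.summary"],
    "incidentId": ["security_result.threat_id"],
    "incidentUrl": ["security_result.url_back_to_product"],
    "instanceName": ["target.resource.attribute.labels"],
    "issue": ["security_result.description"],
    "lastConfigurationCheckStatus": ["security_result.action_details"],
    "lastSeenUser": ["principal.user.userid"],
    "logonUser": ["principal.user.userid"],
    "outcome": ["security_result.action_details"],
    "processName": ["target.process.file.full_path"],
    "serviceType": ["network.application_protocol"],
    "settingsLink": ["security_result.url_back_to_product"],
    "sourceAddress": ["principal.ip"],
    "sourceHostname": ["principal.hostname"],
    "sourceIp": ["principal.ip"],
    "tenantName": ["observer.resource.name"],
    "user": ["target.user.userid"],
    "userAgent": ["network.http.user_agent"],
}
# Product Event Types table; matched case-insensitively ("Login" in the sample).
EVENT_TYPES = {"ACCESS": "NETWORK_CONNECTION", "LOGIN": "USER_LOGIN"}
# UDM fields that hold key/value labels, and ones that are repeated in UDM.
LABEL_FIELDS = {"additional.fields", "security_result.detection_fields",
                "target.resource.attribute.labels"}
REPEATED_FIELDS = {"principal.ip", "target.ip", "target.asset.ip"}


def _text(value) -> str:
    # JSON booleans should land as "true"/"false", not Python's "True".
    return json.dumps(value) if isinstance(value, bool) else str(value)


def to_udm_timestamp(receipt_time) -> str:
    """deviceReceiptTime is epoch milliseconds; accept int, float or a float
    string like "1.744661754866e+12" (how it appears in extracted.fields)."""
    ms = int(float(receipt_time))
    dt = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S") + f".{ms % 1000:03d}Z"


def normalize(raw: str) -> dict:
    """Map one Threats API event (JSON text) to flat UDM field paths."""
    event = json.loads(raw)
    udm = {"metadata.log_type": "PROOFPOINT_IDENTITY_THREAT_PLATFORM",
           "metadata.vendor_name": "Proofpoint",
           "metadata.product_name": "Identity Threat Platform"}
    for key, value in event.items():
        if value in ("", None):  # e.g. eventDetails: "" in the sample
            continue
        if key == "deviceReceiptTime":
            udm["metadata.event_timestamp"] = to_udm_timestamp(value)
            continue
        for field in FIELD_MAP.get(key, []):  # unmapped keys are dropped
            if field in LABEL_FIELDS:
                udm.setdefault(field, []).append({"key": key, "value": _text(value)})
            elif field in REPEATED_FIELDS:
                if value not in udm.setdefault(field, []):
                    udm[field].append(value)
            else:
                udm[field] = _text(value)
    # Derived fields shown in the page's Sample Parsing output.
    product_event = event.get("event") or event.get("eventType") or ""
    udm["metadata.event_type"] = EVENT_TYPES.get(product_event.upper(), "GENERIC_EVENT")
    outcome = str(event.get("outcome", "")).lower()
    if outcome == "success":
        udm["security_result.action"] = "ALLOW"
    elif outcome == "failure":  # assumption: the page only shows the success case
        udm["security_result.action"] = "BLOCK"
    user = event.get("user", "")
    if "@" in user:
        udm["target.administrative_domain"] = user.rsplit("@", 1)[1]
    return udm


# SAMPLE_LOGIN is the log sample from this page; SAMPLE_ACCESS is constructed here
# to exercise the deception fields and the ACCESS classification.
SAMPLE_LOGIN = ('{"id":"8116e2ea-158a-4363-b3e9-cab2f9fad0c6","headerCategory":"ITD:audit",'
                '"event":"Login","tenantName":"examplecorp-saas","user":"john.doe@examplecorp.com",'
                '"eventDetails":"","sourceAddress":"10.85.52.219","userAgent":"Mozilla/5.0",'
                '"deviceReceiptTime":1744661754866,"outcome":"success"}')
SAMPLE_ACCESS = json.dumps({"id": "c0ffee00-0000-4000-8000-000000000001", "eventType": "Access",
                            "sourceIp": "10.0.0.5", "sourceHostname": "ws-042", "logonUser": "jdoe",
                            "deceptiveHostname": "fileserver-decoy", "destinationTrapIP": "10.0.0.250",
                            "incidentId": "1001", "hasForensics": True,
                            "deviceReceiptTime": "1.744661754866e+12"})

if __name__ == "__main__":
    for sample in (SAMPLE_LOGIN, SAMPLE_ACCESS):
        print(json.dumps(normalize(sample), indent=2))
```

Because principal.ip, target.ip and target.asset.ip are repeated fields in UDM, the normalizer keeps them as lists even when, as in the sample, only one address is present; the Sample Parsing output above prints the single value.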