Proofpoint Tap¶
About¶
Proofpoint Email Protection is the industry-leading email gateway, which can be deployed as a cloud service or on premises. It catches both known and unknown threats that others miss. Powered by NexusAI, our advanced machine learning technology, Email Protection accurately classifies various types of email. And it detects and blocks threats that don’t involve malicious payload, such as impostor email—also known as business email compromise (BEC)—using our Advanced BEC Defense. You can also automatically tag suspicious email to help raise user awareness. And you can track down any email in seconds. Plus, our granular email filtering controls spam, bulk graymail and other unwanted email.
Product Details¶
Vendor URL: Proofpoint Tap
Product Type: Email Gateway
Product Tier: Tier I
Integration Method: Custom
Integration URL: Proofpoint Tap - Cyderes Documentation
Log Guide: Sample Logs by Log Type
Parser Details¶
Log Format: JSON
Expected Normalization Rate: Near 100%
Data Label: PROOFPOINT_MAIL
Parsing technique: MultiEventOutput
UDM Fields (list of all UDM fields leveraged in the Parser):
Log File Field | UDM Field |
---|---|
_clickip | additional.fields |
_clicktime | additional.fields |
_toaddress | network.email.to |
additional_fieldname | additional.fields |
attackindex | security_result.rule_labels |
campaignid | security_result.rule_labels |
classification | security_result.description |
clickip | additional.fields |
clicksBlocked | metadata.product_event_type |
clicksPermitted | metadata.product_event_type |
clicksPermitted,clicksBlocked | metadata.product_event_type |
clicksPermitted,clicksBlocked.0.classification | security_result.category_details |
clicksPermitted,clicksBlocked.0.clickIP | principal.ip |
clicksPermitted,clicksBlocked.0.GUID,guid | metadata.product_log_id |
clicksPermitted,clicksBlocked.0.messageID | network.email.mail_id |
clicksPermitted,clicksBlocked.0.recipient | network.email.to |
clicksPermitted,clicksBlocked.0.sender | about.email |
clicksPermitted,clicksBlocked.0.sender | network.email.from |
clicksPermitted,clicksBlocked.0.senderIP | target.ip |
clicksPermitted,clicksBlocked.0.threatStatus | security_result.threat_status |
clicksPermitted,clicksBlocked.0.threatURL | metadata.url_back_to_product |
clicksPermitted,clicksBlocked.0.threatURL | security_result.url_back_to_product |
clicksPermitted,clicksBlocked.0.url | security_result.about.url |
clicksPermitted,clicksBlocked.0.url | target.url |
clicksPermitted,clicksBlocked.0.userAgent | network.http.user_agent |
clicktime | additional.fields |
completelyRewritten | security_result.detection_fields |
completelyrewritten | security_result.rule_labels |
connection.host | principal.hostname |
connection.ip | principal.ip |
cs1 | network.email.mail_id |
cs2 | network.email.subject |
cs3 | network.email.from |
cs6 | network.email.subject |
customerUserId | target.user.employee_id |
department | target.user.department |
dest_category | security_result.category_details |
duser | network.email.to |
emails | target.user.email_addresses |
envelope.rcpts.0 | network.email.to |
event | metadata.description |
eventname | metadata.description |
file_hash | src.file.md5 |
file_name | src.file.names |
filter.qid | security_result.detection_fields.value |
GUID | metadata.product_log_id |
guid | metadata.product_log_id |
headerFrom | network.email.bounce_address |
host | principal.hostname |
id | metadata.product_deployment_id |
id | metadata.product_log_id |
imposterscore | security_result.detection_fields |
location | target.user.office_address.state |
malwarescore | security_result.detection_fields |
message_id | network.email.mail_id |
messageParts_contentType | src.file.mime_type |
messageParts_sha256 | src.file.sha256 |
messagepartsdisposition | additional.fields |
messagepartssandboxstatus | additional.fields |
messagesBlocked | metadata.product_event_type |
messagesDelivered | metadata.product_event_type |
messagesDelivered,messagesBlocked | metadata.product_event_type |
messagesDelivered,messagesBlocked.0.GUID,guid | metadata.product_log_id |
messagesDelivered,messagesBlocked.headerFrom | principal.investigation.comments |
messagesDelivered,messagesBlocked.headerTo | target.investigation.comments |
messagesDelivered,messagesBlocked.messageID | about.investigation.comments |
messagesDelivered,messagesBlocked.messageID | network.email.mail_id |
messagesDelivered,messagesBlocked.messageParts.contentType | about.file.mime_type |
messagesDelivered,messagesBlocked.messageParts.filename | about.file.full_path |
messagesDelivered,messagesBlocked.messageParts.md5 | about.file.md5 |
messagesDelivered,messagesBlocked.messageParts.sha256 | security_result.about.file.sha256 |
messagesDelivered,messagesBlocked.sender | network.email.from |
messagesDelivered,messagesBlocked.senderIP | principal.ip |
messagesDelivered,messagesBlocked.subject | network.email.subject |
messagesDelivered,messagesBlocked.threatsInfoMap.classification | security_result.category_details |
messagesDelivered,messagesBlocked.threatsInfoMap.threat | security_result.threat_id |
messagesDelivered,messagesBlocked.threatsInfoMap.threatStatus | security_result.threat_status |
messagesDelivered,messagesBlocked.threatsInfoMap.threatType | security_result.threat_name |
messagesDelivered,messagesBlocked.threatsInfoMap.threatUrl | security_result.url_back_to_product |
messagesDelivered,messagesBlocked.toAddresses | network.email.to |
modulesRun | security_result.rule_name |
msg.header.message-id.0 | network.email.mail_id |
msg.header.reply_to.0 | network.email.reply_to |
msg.header.subject.0 | network.email.subject |
msg.parsedAddresses.cc.0 | network.email.cc |
msg.parsedAddresses.from.0 | network.email.from |
msg.parsedAddresses.to.0 | network.email.to |
msgParts.urls | about.url |
orig_dest | target.user.userid |
orig_recipient | network.email.to |
orig_src | principal.user.userid |
phishscore | security_result.detection_fields |
policyroutes | security_result.detection_fields |
qid | additional.fields |
quarantinefolder | security_result.detection_fields |
quarantinerule | security_result.detection_fields |
quid_label | security_result.detection_fields |
Record.clickIP | principal.ip |
Record.guid | metadata.product_log_id |
Record.GUID | metadata.product_log_id |
Record.headerFrom | principal.investigation.comments |
Record.headerTo | target.investigation.comments |
Record.messageID | network.email.mail_id |
Record.recipient | network.email.to |
Record.sender | network.email.from |
Record.sender | principal.user.userid |
Record.senderIP | principal.ip |
Record.senderIP | target.ip |
Record.subject | network.email.subject |
Record.threatURL | metadata.url_back_to_product |
Record.threatURL | security_result.url_back_to_product |
Record.url | security_result.about.url |
Record.url | target.url |
Record.userAgent | network.http.user_agent |
replyto | security_result.detection_fields |
return_addr | network.email.reply_to |
return_addr | security_result.detection_fields |
sender | network.email.from |
sha256 | security_result.about.file.sha256 |
shost | principal.hostname |
size | src.file.size |
sm.qid | security_result.detection_fields.value |
sm.relay | intermediary.hostname |
sm.relay | intermediary.ip |
sm.stat | security_result.detection_fields.value |
sm.to.0 | network.email.to |
spamscore | security_result.detection_fields |
src | principal.ip |
stat_label | security_result.detection_fields |
subject | network.email.subject |
suser | network.email.from |
threat | metadata.product_log_id |
threat | security_result.threat_id |
threatID | metadata.product_log_id |
threatID | security_result.threat_id |
threatsInfoMap_campaignID | security_result.about.namespace |
threatsInfoMap_threatID | security_result.threat_id |
threatsInfoMap_threatType | security_result.threat_name |
threatsInfoMap_threatUrl | metadata.url_back_to_product |
threatstatisticsfamiliesname | security_result.rule_labels |
threatstatisticsfamiliesscore | security_result.rule_labels |
threatType | security_result.threat_name |
threatURL | metadata.url_back_to_product |
threatUrl | security_result.url_back_to_product |
title | target.user.title |
tls.cipher | network.tls.cipher |
tls.version | network.tls.version |
url | target.url |
user | target.user.userid |
userAgent | network.http.user_agent |
vip | security_result.rule_labels |
xmailer | security_result.detection_fields |
Product Event Types¶
Event | UDM Event Classification | Security Category | alerting enabled |
---|---|---|---|
clicksBlocked | NETWORK_CONNECTION | ||
clicksPermitted | NETWORK_CONNECTION | ||
completelyRewritten = true | |||
malware | SOFTWARE_MALICIOUS | ||
messagesBlocked,messagesDelivered | EMAIL_TRANSACTION | ||
messagesDelivered, completelyRewritten = false | TRUE | ||
phish | MAIL_PHISHING | ||
spam | MAIL_SPAM |
Log Sample¶
{"clicksPermitted":[{"url":"url","classification":"phish","clickTime":"2021-08-26T17:38:34.000Z","threatTime":"2021-08-26T21:01:34.000Z","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/90.0.4430.212 Safari/537.36","campaignId":"","id":"id","clickIP":"10.1.1.1","sender":"email","recipient":"email","senderIP":"10.1.1.1","GUID":"guid","threatID":"threatid","threatURL":"url","threatStatus":"active","messageID":"\u003cd2fe962858a329@acme.com\u003e"}],"queryEndTime":"2021-08-26T21:21:00Z"}
Sample Parsing¶
metadata.product_log_id = "logid"
metadata.event_timestamp = "2021-08-26T17:38:34Z"
metadata.event_type = "NETWORK_HTTP"
metadata.vendor_name = "ProofPoint"
metadata.product_name = "TAP"
metadata.product_event_type = "clicksPermitted"
metadata.ingested_timestamp = "2021-08-26T21:22:03.994241Z"
principal.ip = "10.1.1.1"
target.url = "url"
about.ip = "10.10.147.161"
about.email = "email"
security_result.about.ip = "10.1.1.1"
security_result.about.url = "url"
security_result.description = "phish"
security_result.category = "MAIL_PHISHING"
security_result.category_details = "phish"
security_result.action = "ALLOW"
security_result.url_back_to_product = "url"
network.email.from = "email"
network.email.to = "email"
network.email.mail_id = "msgid"
network.http.user_agent = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/90.0.4430.212 Safari/537.36"
Parser Alerting¶
Alerting criteria is listed in the Product Event Types table above.