Skip to content

Proofpoint Tap

Proofpoint Tap

About

Proofpoint Email Protection is the industry-leading email gateway, which can be deployed as a cloud service or on premises. It catches both known and unknown threats that others miss. Powered by NexusAI, our advanced machine learning technology, Email Protection accurately classifies various types of email. And it detects and blocks threats that don’t involve malicious payload, such as impostor email—also known as business email compromise (BEC)—using our Advanced BEC Defense. You can also automatically tag suspicious email to help raise user awareness. And you can track down any email in seconds. Plus, our granular email filtering controls spam, bulk graymail and other unwanted email.

Product Details

Vendor URL: Proofpoint Tap

Product Type: Email Gateway

Product Tier: Tier I

Integration Method: Custom

Integration URL: Proofpoint Tap - Cyderes Documentation

Log Guide: Sample Logs by Log Type

Parser Details

Log Format: JSON

Expected Normalization Rate: Near 100%

Data Label: PROOFPOINT_MAIL

Parsing technique: MultiEventOutput

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field UDM Field
_clickip additional.fields
_clicktime additional.fields
_toaddress network.email.to
additional_fieldname additional.fields
attackindex security_result.rule_labels
campaignid security_result.rule_labels
classification security_result.description
clickip additional.fields
clicksBlocked metadata.product_event_type
clicksPermitted metadata.product_event_type
clicksPermitted,clicksBlocked metadata.product_event_type
clicksPermitted,clicksBlocked.0.classification security_result.category_details
clicksPermitted,clicksBlocked.0.clickIP principal.ip
clicksPermitted,clicksBlocked.0.GUID,guid metadata.product_log_id
clicksPermitted,clicksBlocked.0.messageID network.email.mail_id
clicksPermitted,clicksBlocked.0.recipient network.email.to
clicksPermitted,clicksBlocked.0.sender about.email
clicksPermitted,clicksBlocked.0.sender network.email.from
clicksPermitted,clicksBlocked.0.senderIP target.ip
clicksPermitted,clicksBlocked.0.threatStatus security_result.threat_status
clicksPermitted,clicksBlocked.0.threatURL metadata.url_back_to_product
clicksPermitted,clicksBlocked.0.threatURL security_result.url_back_to_product
clicksPermitted,clicksBlocked.0.url security_result.about.url
clicksPermitted,clicksBlocked.0.url target.url
clicksPermitted,clicksBlocked.0.userAgent network.http.user_agent
clicktime additional.fields
completelyRewritten security_result.detection_fields
completelyrewritten security_result.rule_labels
connection.host principal.hostname
connection.ip principal.ip
cs1 network.email.mail_id
cs2 network.email.subject
cs3 network.email.from
cs6 network.email.subject
customerUserId target.user.employee_id
department target.user.department
dest_category security_result.category_details
duser network.email.to
emails target.user.email_addresses
envelope.rcpts.0 network.email.to
event metadata.description
eventname metadata.description
file_hash src.file.md5
file_name src.file.names
filter.qid security_result.detection_fields.value
GUID metadata.product_log_id
guid metadata.product_log_id
headerFrom network.email.bounce_address
host principal.hostname
id metadata.product_deployment_id
id metadata.product_log_id
imposterscore security_result.detection_fields
location target.user.office_address.state
malwarescore security_result.detection_fields
message_id network.email.mail_id
messageParts_contentType src.file.mime_type
messageParts_sha256 src.file.sha256
messagepartsdisposition additional.fields
messagepartssandboxstatus additional.fields
messagesBlocked metadata.product_event_type
messagesDelivered metadata.product_event_type
messagesDelivered,messagesBlocked metadata.product_event_type
messagesDelivered,messagesBlocked.0.GUID,guid metadata.product_log_id
messagesDelivered,messagesBlocked.headerFrom principal.investigation.comments
messagesDelivered,messagesBlocked.headerTo target.investigation.comments
messagesDelivered,messagesBlocked.messageID about.investigation.comments
messagesDelivered,messagesBlocked.messageID network.email.mail_id
messagesDelivered,messagesBlocked.messageParts.contentType about.file.mime_type
messagesDelivered,messagesBlocked.messageParts.filename about.file.full_path
messagesDelivered,messagesBlocked.messageParts.md5 about.file.md5
messagesDelivered,messagesBlocked.messageParts.sha256 security_result.about.file.sha256
messagesDelivered,messagesBlocked.sender network.email.from
messagesDelivered,messagesBlocked.senderIP principal.ip
messagesDelivered,messagesBlocked.subject network.email.subject
messagesDelivered,messagesBlocked.threatsInfoMap.classification security_result.category_details
messagesDelivered,messagesBlocked.threatsInfoMap.threat security_result.threat_id
messagesDelivered,messagesBlocked.threatsInfoMap.threatStatus security_result.threat_status
messagesDelivered,messagesBlocked.threatsInfoMap.threatType security_result.threat_name
messagesDelivered,messagesBlocked.threatsInfoMap.threatUrl security_result.url_back_to_product
messagesDelivered,messagesBlocked.toAddresses network.email.to
modulesRun security_result.rule_name
msg.header.message-id.0 network.email.mail_id
msg.header.reply_to.0 network.email.reply_to
msg.header.subject.0 network.email.subject
msg.parsedAddresses.cc.0 network.email.cc
msg.parsedAddresses.from.0 network.email.from
msg.parsedAddresses.to.0 network.email.to
msgParts.urls about.url
orig_dest target.user.userid
orig_recipient network.email.to
orig_src principal.user.userid
phishscore security_result.detection_fields
policyroutes security_result.detection_fields
qid additional.fields
quarantinefolder security_result.detection_fields
quarantinerule security_result.detection_fields
quid_label security_result.detection_fields
Record.clickIP principal.ip
Record.guid metadata.product_log_id
Record.GUID metadata.product_log_id
Record.headerFrom principal.investigation.comments
Record.headerTo target.investigation.comments
Record.messageID network.email.mail_id
Record.recipient network.email.to
Record.sender network.email.from
Record.sender principal.user.userid
Record.senderIP principal.ip
Record.senderIP target.ip
Record.subject network.email.subject
Record.threatURL metadata.url_back_to_product
Record.threatURL security_result.url_back_to_product
Record.url security_result.about.url
Record.url target.url
Record.userAgent network.http.user_agent
replyto security_result.detection_fields
return_addr network.email.reply_to
return_addr security_result.detection_fields
sender network.email.from
sha256 security_result.about.file.sha256
shost principal.hostname
size src.file.size
sm.qid security_result.detection_fields.value
sm.relay intermediary.hostname
sm.relay intermediary.ip
sm.stat security_result.detection_fields.value
sm.to.0 network.email.to
spamscore security_result.detection_fields
src principal.ip
stat_label security_result.detection_fields
subject network.email.subject
suser network.email.from
threat metadata.product_log_id
threat security_result.threat_id
threatID metadata.product_log_id
threatID security_result.threat_id
threatsInfoMap_campaignID security_result.about.namespace
threatsInfoMap_threatID security_result.threat_id
threatsInfoMap_threatType security_result.threat_name
threatsInfoMap_threatUrl metadata.url_back_to_product
threatstatisticsfamiliesname security_result.rule_labels
threatstatisticsfamiliesscore security_result.rule_labels
threatType security_result.threat_name
threatURL metadata.url_back_to_product
threatUrl security_result.url_back_to_product
title target.user.title
tls.cipher network.tls.cipher
tls.version network.tls.version
url target.url
user target.user.userid
userAgent network.http.user_agent
vip security_result.rule_labels
xmailer security_result.detection_fields

Product Event Types

Event UDM Event Classification Security Category alerting enabled
clicksBlocked NETWORK_CONNECTION
clicksPermitted NETWORK_CONNECTION
completelyRewritten = true
malware SOFTWARE_MALICIOUS
messagesBlocked,messagesDelivered EMAIL_TRANSACTION
messagesDelivered, completelyRewritten = false TRUE
phish MAIL_PHISHING
spam MAIL_SPAM

Log Sample

{"clicksPermitted":[{"url":"url","classification":"phish","clickTime":"2021-08-26T17:38:34.000Z","threatTime":"2021-08-26T21:01:34.000Z","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/90.0.4430.212 Safari/537.36","campaignId":"","id":"id","clickIP":"10.1.1.1","sender":"email","recipient":"email","senderIP":"10.1.1.1","GUID":"guid","threatID":"threatid","threatURL":"url","threatStatus":"active","messageID":"\u003cd2fe962858a329@acme.com\u003e"}],"queryEndTime":"2021-08-26T21:21:00Z"}

Sample Parsing

metadata.product_log_id = "logid"
metadata.event_timestamp = "2021-08-26T17:38:34Z"
metadata.event_type = "NETWORK_HTTP"
metadata.vendor_name = "ProofPoint"
metadata.product_name = "TAP"
metadata.product_event_type = "clicksPermitted"
metadata.ingested_timestamp = "2021-08-26T21:22:03.994241Z"
principal.ip = "10.1.1.1"
target.url = "url"
about.ip = "10.10.147.161"
about.email = "email"
security_result.about.ip = "10.1.1.1"
security_result.about.url = "url"
security_result.description = "phish"
security_result.category = "MAIL_PHISHING"
security_result.category_details = "phish"
security_result.action = "ALLOW"
security_result.url_back_to_product = "url"
network.email.from = "email"
network.email.to = "email"
network.email.mail_id = "msgid"
network.http.user_agent = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/90.0.4430.212 Safari/537.36"

Parser Alerting

Alerting criteria is listed in the Product Event Types table above.

Rules

Coming Soon