
Proofpoint Tap

About

Proofpoint Email Protection is the industry-leading email gateway, which can be deployed as a cloud service or on premises. It catches both known and unknown threats that others miss. Powered by NexusAI, our advanced machine learning technology, Email Protection accurately classifies various types of email. And it detects and blocks threats that don’t involve malicious payload, such as impostor email—also known as business email compromise (BEC)—using our Advanced BEC Defense. You can also automatically tag suspicious email to help raise user awareness. And you can track down any email in seconds. Plus, our granular email filtering controls spam, bulk graymail and other unwanted email.

Product Details

Vendor URL: Proofpoint Tap

Product Type: Email Gateway

Product Tier: Tier I

Integration Method: Custom

Integration URL: Proofpoint Tap - Cyderes Documentation

Log Guide: Sample Logs by Log Type

Parser Details

Log Format: JSON

Expected Normalization Rate: Near 100%

Data Label: PROOFPOINT_MAIL

UDM Fields (list of all UDM fields leveraged in the Parser):

| Log File Field | UDM Field |
|---|---|
| clicksPermitted,clicksBlocked | metadata.product_event_type |
| clicksPermitted,clicksBlocked.0.classification | security_result.category_details |
| clicksPermitted,clicksBlocked.0.clickIP | principal.ip |
| clicksPermitted,clicksBlocked.0.GUID,guid | metadata.product_log_id |
| clicksPermitted,clicksBlocked.0.messageID | network.email.mail_id |
| clicksPermitted,clicksBlocked.0.recipient | network.email.to |
| clicksPermitted,clicksBlocked.0.sender | about.email |
| clicksPermitted,clicksBlocked.0.sender | network.email.from |
| clicksPermitted,clicksBlocked.0.senderIP | target.ip |
| clicksPermitted,clicksBlocked.0.threatStatus | security_result.threat_status |
| clicksPermitted,clicksBlocked.0.threatURL | metadata.url_back_to_product |
| clicksPermitted,clicksBlocked.0.threatURL | security_result.url_back_to_product |
| clicksPermitted,clicksBlocked.0.url | security_result.about.url |
| clicksPermitted,clicksBlocked.0.url | target.url |
| clicksPermitted,clicksBlocked.0.userAgent | network.http.user_agent |
| completelyRewritten | security_result.detection_fields |
| connection.host | principal.hostname |
| connection.ip | principal.ip |
| envelope.rcpts.0 | network.email.to |
| filter.qid | security_result.detection_fields.value |
| guid | metadata.product_log_id |
| id | metadata.product_log_id |
| messagesDelivered,messagesBlocked | metadata.product_event_type |
| messagesDelivered,messagesBlocked.0.GUID,guid | metadata.product_log_id |
| messagesDelivered,messagesBlocked.headerFrom | principal.investigation.comments |
| messagesDelivered,messagesBlocked.headerTo | target.investigation.comments |
| messagesDelivered,messagesBlocked.messageID | about.investigation.comments |
| messagesDelivered,messagesBlocked.messageID | network.email.mail_id |
| messagesDelivered,messagesBlocked.messageParts.contentType | about.file.mime_type |
| messagesDelivered,messagesBlocked.messageParts.filename | about.file.full_path |
| messagesDelivered,messagesBlocked.messageParts.md5 | about.file.md5 |
| messagesDelivered,messagesBlocked.messageParts.sha256 | security_result.about.file.sha256 |
| messagesDelivered,messagesBlocked.sender | network.email.from |
| messagesDelivered,messagesBlocked.senderIP | principal.ip |
| messagesDelivered,messagesBlocked.subject | network.email.subject |
| messagesDelivered,messagesBlocked.threatsInfoMap.classification | security_result.category_details |
| messagesDelivered,messagesBlocked.threatsInfoMap.threat | security_result.threat_id |
| messagesDelivered,messagesBlocked.threatsInfoMap.threatStatus | security_result.threat_status |
| messagesDelivered,messagesBlocked.threatsInfoMap.threatType | security_result.threat_name |
| messagesDelivered,messagesBlocked.threatsInfoMap.threatUrl | security_result.url_back_to_product |
| messagesDelivered,messagesBlocked.toAddresses | network.email.to |
| msg.header.message-id.0 | network.email.mail_id |
| msg.header.reply_to.0 | network.email.reply_to |
| msg.header.subject.0 | network.email.subject |
| msg.parsedAddresses.cc.0 | network.email.cc |
| msg.parsedAddresses.from.0 | network.email.from |
| msg.parsedAddresses.to.0 | network.email.to |
| msgParts.urls | about.url |
| sm.qid | security_result.detection_fields.value |
| sm.relay | intermediary.hostname |
| sm.relay | intermediary.ip |
| sm.stat | security_result.detection_fields.value |
| sm.to.0 | network.email.to |
| tls.cipher | network.tls.cipher |
| tls.version | network.tls.version |

Product Event Types

| Event | UDM Event Classification | Security Category | Alerting Enabled |
|---|---|---|---|
| clicksBlocked | NETWORK_CONNECTION | | |
| clicksPermitted | NETWORK_CONNECTION | | |
| completelyRewritten = true | | | |
| malware | | SOFTWARE_MALICIOUS | |
| messagesBlocked,messagesDelivered | EMAIL_TRANSACTION | | |
| messagesDelivered, completelyRewritten = false | | | TRUE |
| phish | | MAIL_PHISHING | |
| spam | | MAIL_SPAM | |

Log Sample

{"clicksPermitted":[{"url":"url","classification":"phish","clickTime":"2021-08-26T17:38:34.000Z","threatTime":"2021-08-26T21:01:34.000Z","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/90.0.4430.212 Safari/537.36","campaignId":"","id":"id","clickIP":"10.1.1.1","sender":"email","recipient":"email","senderIP":"10.1.1.1","GUID":"guid","threatID":"threatid","threatURL":"url","threatStatus":"active","messageID":"\u003cd2fe962858a329@acme.com\u003e"}],"queryEndTime":"2021-08-26T21:21:00Z"}

Sample Parsing

metadata.product_log_id = "logid"
metadata.event_timestamp = "2021-08-26T17:38:34Z"
metadata.event_type = "NETWORK_HTTP"
metadata.vendor_name = "ProofPoint"
metadata.product_name = "TAP"
metadata.product_event_type = "clicksPermitted"
metadata.ingested_timestamp = "2021-08-26T21:22:03.994241Z"
principal.ip = "10.1.1.1"
target.url = "url"
about.ip = "10.10.147.161"
about.email = "email"
security_result.about.ip = "10.1.1.1"
security_result.about.url = "url"
security_result.category = "MAIL_PHISHING"
security_result.category_details = "phish"
security_result.action = "ALLOW"
security_result.url_back_to_product = "url"
network.email.from = "email"
network.email.to = "email"
network.email.mail_id = "msgid"
network.http.user_agent = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/90.0.4430.212 Safari/537.36"

Parser Alerting

Alerting criteria are listed in the Product Event Types table above.
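The following Python is an added worked example, not the Cyderes parser or any Proofpoint code. It applies the UDM Fields table, the Product Event Types table and the alerting criterion above to the Log Sample from this page plus one constructed messagesDelivered response, producing flattened UDM key/value pairs like those under Sample Parsing. Assumptions not stated on the page: clicksBlocked and messagesBlocked are given security_result.action "BLOCK" (the page only shows "ALLOW" for clicksPermitted); messageParts, threatsInfoMap and toAddresses are treated as lists and only the first part/threat is mapped; the event type for clicks follows the table (NETWORK_CONNECTION) rather than the NETWORK_HTTP shown in Sample Parsing; and all values in the constructed sample are placeholders.

```python
import json

# Mappings taken from the Product Event Types table on this page.
EVENT_TYPE = {
    "clicksPermitted": "NETWORK_CONNECTION", "clicksBlocked": "NETWORK_CONNECTION",
    "messagesDelivered": "EMAIL_TRANSACTION", "messagesBlocked": "EMAIL_TRANSACTION",
}
CATEGORY = {"phish": "MAIL_PHISHING", "spam": "MAIL_SPAM", "malware": "SOFTWARE_MALICIOUS"}
# Assumption: blocked events -> BLOCK; the page only shows ALLOW for clicksPermitted.
ACTION = {"clicksPermitted": "ALLOW", "clicksBlocked": "BLOCK",
          "messagesDelivered": "ALLOW", "messagesBlocked": "BLOCK"}


def _click_to_udm(kind, ev):
    """Map one clicksPermitted/clicksBlocked record per the UDM Fields table."""
    return {
        "metadata.event_type": EVENT_TYPE[kind],
        "metadata.product_event_type": kind,
        "metadata.product_log_id": ev.get("GUID") or ev.get("guid"),
        "metadata.event_timestamp": ev.get("clickTime"),
        "metadata.url_back_to_product": ev.get("threatURL"),
        "principal.ip": ev.get("clickIP"),
        "target.ip": ev.get("senderIP"),
        "target.url": ev.get("url"),
        "about.email": ev.get("sender"),
        "network.email.from": ev.get("sender"),
        "network.email.to": ev.get("recipient"),
        "network.email.mail_id": ev.get("messageID"),
        "network.http.user_agent": ev.get("userAgent"),
        "security_result.about.url": ev.get("url"),
        "security_result.category_details": ev.get("classification"),
        "security_result.category": CATEGORY.get(ev.get("classification")),
        "security_result.threat_status": ev.get("threatStatus"),
        "security_result.url_back_to_product": ev.get("threatURL"),
        "security_result.action": ACTION[kind],
    }


def _message_to_udm(kind, ev):
    """Map one messagesDelivered/messagesBlocked record; first part/threat only."""
    part = (ev.get("messageParts") or [{}])[0]
    threat = (ev.get("threatsInfoMap") or [{}])[0]
    return {
        "metadata.event_type": EVENT_TYPE[kind],
        "metadata.product_event_type": kind,
        "metadata.product_log_id": ev.get("GUID") or ev.get("guid"),
        "principal.ip": ev.get("senderIP"),
        "principal.investigation.comments": ev.get("headerFrom"),
        "target.investigation.comments": ev.get("headerTo"),
        "about.investigation.comments": ev.get("messageID"),
        "network.email.mail_id": ev.get("messageID"),
        "network.email.from": ev.get("sender"),
        "network.email.to": ev.get("toAddresses"),
        "network.email.subject": ev.get("subject"),
        "about.file.mime_type": part.get("contentType"),
        "about.file.full_path": part.get("filename"),
        "about.file.md5": part.get("md5"),
        "security_result.about.file.sha256": part.get("sha256"),
        "security_result.category_details": threat.get("classification"),
        "security_result.category": CATEGORY.get(threat.get("classification")),
        "security_result.threat_id": threat.get("threat"),
        "security_result.threat_status": threat.get("threatStatus"),
        "security_result.threat_name": threat.get("threatType"),
        "security_result.url_back_to_product": threat.get("threatUrl"),
        "security_result.detection_fields": {"completelyRewritten": ev.get("completelyRewritten")},
        "security_result.action": ACTION[kind],
    }


def normalize(raw_json):
    """Parse one TAP SIEM response and return one flattened UDM dict per event."""
    doc = json.loads(raw_json)
    events = []
    for kind in ("clicksPermitted", "clicksBlocked"):
        events += [_click_to_udm(kind, e) for e in doc.get(kind, [])]
    for kind in ("messagesDelivered", "messagesBlocked"):
        events += [_message_to_udm(kind, e) for e in doc.get(kind, [])]
    # Drop fields the log did not carry, as the Sample Parsing output does.
    return [{k: v for k, v in u.items() if v is not None} for u in events]


def should_alert(udm):
    """Alerting row of the table: a delivered message whose URLs were not completely
    rewritten, i.e. later clicks on it will not be seen by URL Defense."""
    det = udm.get("security_result.detection_fields", {})
    return (udm.get("metadata.product_event_type") == "messagesDelivered"
            and det.get("completelyRewritten") is False)


# Log Sample from this page (placeholder values as given there).
PAGE_CLICK_SAMPLE = r'{"clicksPermitted":[{"url":"url","classification":"phish","clickTime":"2021-08-26T17:38:34.000Z","threatTime":"2021-08-26T21:01:34.000Z","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/90.0.4430.212 Safari/537.36","campaignId":"","id":"id","clickIP":"10.1.1.1","sender":"email","recipient":"email","senderIP":"10.1.1.1","GUID":"guid","threatID":"threatid","threatURL":"url","threatStatus":"active","messageID":"\u003cd2fe962858a329@acme.com\u003e"}],"queryEndTime":"2021-08-26T21:21:00Z"}'

# Constructed messagesDelivered response (placeholders, not vendor data) to exercise
# the completelyRewritten = false alerting row.
CONSTRUCTED_MESSAGE_SAMPLE = json.dumps({"messagesDelivered": [{
    "GUID": "guid", "completelyRewritten": False, "headerFrom": "sender@example.com",
    "headerTo": "user@example.com", "messageID": "<constructed-1@example.com>",
    "messageParts": [{"contentType": "text/html", "filename": "text.html", "md5": "md5", "sha256": "sha256"}],
    "sender": "sender@example.com", "senderIP": "192.0.2.10", "subject": "subject",
    "threatsInfoMap": [{"classification": "phish", "threat": "http://example.net/login",
                        "threatStatus": "active", "threatType": "url", "threatUrl": "url"}],
    "toAddresses": ["user@example.com"]}], "queryEndTime": "2021-08-26T21:21:00Z"})

if __name__ == "__main__":
    for udm in normalize(PAGE_CLICK_SAMPLE) + normalize(CONSTRUCTED_MESSAGE_SAMPLE):
        print(json.dumps(udm, indent=1), "ALERT" if should_alert(udm) else "no alert")
```

Running the block prints the click event with category MAIL_PHISHING and action ALLOW (no alert), and the constructed delivered message as an EMAIL_TRANSACTION that trips the alerting criterion because completelyRewritten is false.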

Rules

Coming Soon