Proofpoint On Demand
About
Proofpoint Email Protection is the industry-leading email gateway, which can be deployed as a cloud service or on premises. It catches both known and unknown threats that others miss. Powered by NexusAI, our advanced machine learning technology, Email Protection accurately classifies various types of email. And it detects and blocks threats that don’t involve malicious payload, such as impostor email—also known as business email compromise (BEC)—using our Advanced BEC Defense. You can also automatically tag suspicious email to help raise user awareness. And you can track down any email in seconds. Plus, our granular email filtering controls spam, bulk graymail and other unwanted email.
Product Details
Vendor URL: Proofpoint On Demand
Product Type: Email Security
Product Tier: Tier II
Integration Method: Custom
Integration URL: Proofpoint On Demand - Cyderes Documentation
Log Guide: Sample Logs by Log Type
Parser Details
Log Format: JSON
Expected Normalization Rate: Near 100%
Data Label: PROOFPOINT_ON_DEMAND
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| connection.host | principal.hostname |
| connection.ip | principal.ip |
| envelope.rcpts.0 | network.email.to |
| filter.qid | security_result.detection_fields.value |
| guid | metadata.product_log_id |
| id | metadata.product_log_id |
| msg.header.message-id.0 | network.email.mail_id |
| msg.header.reply_to.0 | network.email.reply_to |
| msg.header.subject.0 | network.email.subject |
| msg.parsedAddresses.cc.0 | network.email.cc |
| msg.parsedAddresses.from.0 | network.email.from |
| msg.parsedAddresses.to.0 | network.email.to |
| msgParts.urls | about.url |
| sm.qid | security_result.detection_fields.value |
| sm.relay | intermediary.hostname |
| sm.relay | intermediary.ip |
| sm.stat | security_result.detection_fields.value |
| sm.to.0 | network.email.to |
| tls.cipher | network.tls.cipher |
| tls.version | network.tls.version |
Product Event Types

| Event | UDM Event Classification |
|---|---|
| all events | EMAIL_TRANSACTION |
Log Sample

{
  "guid": "guid",
  "ts": "2021-08-25T11:13:04.196761-0400",
  "envelope": {"from": "email", "rcpts": []},
  "filter": {
    "qid": "qid",
    "actions": [
      {"rule": "dha", "module": "access", "action": "throttle"},
      {"action": "continue", "rule": "dha", "module": "access"},
      {"isFinal": true, "rule": "dha", "module": "access", "action": "retry"}
    ],
    "suborgs": {"sender": "0", "rcpts": ["0"]},
    "disposition": "retry",
    "routes": [],
    "modules": {"pdr": {"v2": {"response": "pass"}}},
    "durationSecs": 0.008932,
    "throttleIp": "10.10.1.1"
  },
  "msg": {"header": {}, "normalizedHeader": {}, "parsedAddresses": {}, "lang": "", "sizeBytes": 0},
  "msgParts": [],
  "metadata": {"origin": {"data": {"version": "8.17.4.32", "cid": "dcsg_hosted", "agent": "agent"}}},
  "connection": {
    "protocol": "smtp:smtp",
    "resolveStatus": "ok",
    "helo": "server",
    "ip": "10.10.0.1",
    "country": "us",
    "host": "servername",
    "sid": "sid"
  }
}
Sample Parsing
metadata.product_log_id = "guid"
metadata.event_timestamp = "2021-08-25T15:13:04.196Z"
metadata.event_type = "EMAIL_TRANSACTION"
metadata.vendor_name = "Proofpoint"
metadata.product_name = "PoD"
metadata.ingested_timestamp = "2021-08-25T15:26:37.819191Z"
principal.hostname = "servername"
principal.ip = "10.10.0.1"
security_result.action = "UNKNOWN_ACTION"
security_result.detection_fields.key = "QUID"
security_result.detection_fields.value = "qid"
network.email.subject = ""
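As an added example (it is not Cyderes parser code and not Proofpoint's), the Python below applies the rows of the UDM Fields table to the page's Log Sample and to a second, constructed delivery log, and reproduces the values listed under Sample Parsing, including the conversion of the local-offset `ts` to the UTC `metadata.event_timestamp`. Assumptions not on the page: the detection_fields keys for `sm.qid` and `sm.stat` (only `QUID` for `filter.qid` is shown), the shape of `msgParts` entries, the unconditional `UNKNOWN_ACTION`, and the second log's contents.

```python
"""Added example (not Cyderes or Proofpoint code): apply the UDM field
mapping documented on this page to Proofpoint On Demand JSON logs."""
import ipaddress
import json
from datetime import datetime, timezone

# Abridged from the page's Log Sample (placeholders such as "guid", "qid"
# and "sid" are the page's own); filter.actions and metadata were dropped.
SAMPLE_LOG = (
    '{"guid":"guid","ts":"2021-08-25T11:13:04.196761-0400",'
    '"envelope":{"from":"email","rcpts":[]},'
    '"filter":{"qid":"qid","disposition":"retry","throttleIp":"10.10.1.1"},'
    '"msg":{"header":{},"normalizedHeader":{},"parsedAddresses":{},"lang":"","sizeBytes":0},'
    '"msgParts":[],'
    '"connection":{"protocol":"smtp:smtp","resolveStatus":"ok","helo":"server",'
    '"ip":"10.10.0.1","country":"us","host":"servername","sid":"sid"}}'
)

# Second log, constructed for this example (not from the page) to exercise
# the msg/sm/tls rows of the table.
DELIVERY_LOG = json.dumps({
    "id": "id-2",
    "ts": "2021-08-25T11:20:00.000000-0400",
    "envelope": {"from": "sender@example.com", "rcpts": ["rcpt@example.com"]},
    "msg": {"header": {"message-id": ["<abc@example.com>"], "subject": ["Invoice"]},
            "parsedAddresses": {"from": ["sender@example.com"], "to": ["rcpt@example.com"]}},
    "msgParts": [{"urls": ["https://example.com/a"]}],
    "sm": {"qid": "smq", "relay": "198.51.100.7", "stat": "Sent", "to": ["rcpt@example.com"]},
    "tls": {"cipher": "TLS_AES_256_GCM_SHA384", "version": "TLSv1.3"},
    "filter": {"qid": "fq"},
})

# (source path, UDM field) rows copied from the page's UDM Fields table.
SCALAR_ROWS = [
    ("connection.host", "principal.hostname"),
    ("connection.ip", "principal.ip"),
    ("msg.header.message-id.0", "network.email.mail_id"),
    ("msg.header.reply_to.0", "network.email.reply_to"),
    ("msg.header.subject.0", "network.email.subject"),
    ("msg.parsedAddresses.cc.0", "network.email.cc"),
    ("msg.parsedAddresses.from.0", "network.email.from"),
    ("tls.cipher", "network.tls.cipher"),
    ("tls.version", "network.tls.version"),
]
TO_ROWS = ["envelope.rcpts.0", "msg.parsedAddresses.to.0", "sm.to.0"]
# "QUID" is the key shown in Sample Parsing; the sm.* keys are assumptions.
DETECTION_ROWS = [("filter.qid", "QUID"), ("sm.qid", "SM_QID"), ("sm.stat", "SM_STAT")]


def get_path(obj, path):
    """Walk a dotted path such as 'msg.header.subject.0'; None if any hop is missing."""
    cur = obj
    for part in path.split("."):
        if isinstance(cur, dict):
            cur = cur.get(part)
        elif isinstance(cur, list) and part.isdigit() and int(part) < len(cur):
            cur = cur[int(part)]
        else:
            return None
    return cur


def to_utc_millis(ts):
    """'2021-08-25T11:13:04.196761-0400' -> '2021-08-25T15:13:04.196Z'."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z").astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def normalize(raw):
    """Return a flat dict of UDM field paths for one Proofpoint On Demand log line."""
    log = json.loads(raw)
    udm = {
        "metadata.vendor_name": "Proofpoint",
        "metadata.product_name": "PoD",
        "metadata.event_type": "EMAIL_TRANSACTION",  # the page maps all events here
        "metadata.event_timestamp": to_utc_millis(log["ts"]),
        # guid and id both map to product_log_id; prefer guid when both exist.
        "metadata.product_log_id": log.get("guid") or log.get("id"),
        # The page shows UNKNOWN_ACTION for its sample and documents no
        # disposition-to-action mapping, so this example emits it unconditionally.
        "security_result.action": "UNKNOWN_ACTION",
        "network.email.subject": "",  # Sample Parsing emits "" when no subject header
    }
    for src, dst in SCALAR_ROWS:
        val = get_path(log, src)
        if val is not None:
            udm[dst] = val
    # Three source paths feed network.email.to; keep distinct values in order.
    to = []
    for src in TO_ROWS:
        val = get_path(log, src)
        if val and val not in to:
            to.append(val)
    if to:
        udm["network.email.to"] = to
    udm["security_result.detection_fields"] = [
        {"key": key, "value": get_path(log, src)}
        for src, key in DETECTION_ROWS if get_path(log, src) is not None
    ]
    # sm.relay maps to intermediary.ip when it parses as an address, else hostname.
    relay = get_path(log, "sm.relay")
    if relay:
        try:
            ipaddress.ip_address(relay)
            udm["intermediary.ip"] = relay
        except ValueError:
            udm["intermediary.hostname"] = relay
    # msgParts.urls -> about.url; each part is assumed to carry a "urls" list.
    urls = [u for part in log.get("msgParts", []) for u in part.get("urls", [])]
    if urls:
        udm["about.url"] = urls
    return udm


if __name__ == "__main__":
    print(json.dumps(normalize(SAMPLE_LOG), indent=2))
    print(json.dumps(normalize(DELIVERY_LOG), indent=2))
```

Running it on SAMPLE_LOG yields the product_log_id, event_timestamp, principal.hostname, principal.ip, QUID detection field and empty subject listed under Sample Parsing; the empty `rcpts` and `header` objects produce no `network.email.to` or `mail_id`, which is the behaviour to expect on throttled connections that never carried a message.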
Parser Alerting
This product currently does not have any parser-based alerting.
Rules
Coming Soon