Page Comparison

Table of Contents

maxLevel	2
type	flat

...

Product / Service	Tags	Data tables
Proofpoint Email Protection	`mail.proofpoint.pod`	`mail.proofpoint.pod`
	`mail.proofpoint.pod.events`	`mail.proofpoint.pod.events`
	`mail.proofpoint.pod.isolation`	`mail.proofpoint.pod.isolation`
	`mail.proofpoint.pod.maillog`	`mail.proofpoint.pod.maillog`
	`mail.proofpoint.pod.message`	`mail.proofpoint.pod.message`
	`mail.proofpoint.sendmail`	`mail.proofpoint.sendmail`
	`mail.proofpoint.stdout`	`mail.proofpoint.stdout`
	`mail.proofpoint.tapsiem`	`mail.proofpoint.tapsiem`
	`mail.proofpoint.tapsiem_syslog`	`mail.proofpoint.tapsiem_syslog`
	`mail.proofpoint.tapsiem_v2`	`mail.proofpoint.tapsiem_v2`
	`mail.proofpoint.tapsiem_v2.clicksblocked`	`mail.proofpoint.tapsiem_v2.clicksblocked`
	`mail.proofpoint.tapsiem_v2.clickspermitted`	`mail.proofpoint.tapsiem_v2.clickspermitted`
	`mail.proofpoint.tapsiem_v2.messagesblocked`	`mail.proofpoint.tapsiem_v2.messagesblocked`
	`mail.proofpoint.tapsiem_v2.messagesdelivered`	`mail.proofpoint.tapsiem_v2.messagesdelivered`
	`mail.proofpoint.trap`	`mail.proofpoint.trap`
	`mail.proofpoint.trap_incident`	`mail.proofpoint.trap_incident`

For more information, read more about Devo tags.

How is the data sent to Devo?

...

Source port → Required one
Source data → (\[PTRAuditData [^\]]+\].*)$
Target tag → mail.proofpoint.trap
Target message → \\D1
Select both Stop processing and Sent without syslog tag

Rule 2 - Proofpoint stdout

Source port → Required one
Source tag → filter_instance1
Target tag → mail.proofpoint.stdout
Select Stop processing

Rule 3 - Proofpoint sendmail

Source port → Required one
Target tag → mail.proofpoint.sendmail
Select Stop processing

Table structure

...

Rw ui tabs macro

Rw tab

title	1-4

mail.proofpoint.pod
mail.proofpoint.pod.events
mail.proofpoint.pod.isolation
mail.proofpoint.pod.maillog

Anchor
tag1
tag1
mail.proofpoint.pod

Field	Type	Extra fields
eventdate	`timestamp`
connection__ip	`ip4`
connection__country	`str`
connection__resolveStatus	`str`
connection__helo	`str`
connection__sid	`str`
connection__protocol	`str`
connection__host	`str`
connection__tls__inbound__cipherBits	`int4`
connection__tls__inbound__version	`str`
connection__tls__inbound__cipher	`str`
metadata__origin__data__agent	`str`
metadata__origin__data__version	`str`
metadata__origin__data__cid	`str`
ts	`str`
msgParts	`str`
filter__qid	`str`
filter__actions	`str`
filter__durationSecs	`float8`
filter__suborgs__sender	`str`
filter__suborgs__rcpts	`str`
filter__startTime	`str`
filter__isMsgReinjected	`bool`
filter__modules__pdr__v2__rscore	`int4`
filter__modules__pdr__v2__response	`str`
filter__modules__urldefense__counts__unique	`int4`
filter__modules__urldefense__counts__rewritten	`int4`
filter__modules__urldefense__counts__total	`int4`
filter__modules__urldefense__counts__noRewriteIsExcludedDomain	`int4`
filter__modules__urldefense__counts__noRewriteIsEmail	`int4`
filter__modules__urldefense__counts__noRewriteIsSchemeless	`int4`
filter__modules__urldefense__counts__noRewriteIsUnsupportedScheme	`int4`
filter__modules__urldefense__version__engine	`str`
filter__modules__spf__domain	`str`
filter__modules__spf__result	`str`
filter__modules__zerohour__score	`str`
filter__modules__spam__charsets	`str`
filter__modules__spam__langs	`str`
filter__modules__spam__version__definitions	`str`
filter__modules__spam__version__engine	`str`
filter__modules__spam__scores__engine	`int4`
filter__modules__spam__scores__classifiers__mlx	`int4`
filter__modules__spam__scores__classifiers__suspect	`int4`
filter__modules__spam__scores__classifiers__lowpriority	`int4`
filter__modules__spam__scores__classifiers__adult	`int4`
filter__modules__spam__scores__classifiers__mlxlog	`int4`
filter__modules__spam__scores__classifiers__spam	`int4`
filter__modules__spam__scores__classifiers__malware	`int4`
filter__modules__spam__scores__classifiers__impostor	`int4`
filter__modules__spam__scores__classifiers__phish	`int4`
filter__modules__spam__scores__classifiers__bulk	`int4`
filter__modules__spam__scores__classifiers__adjust	`int4`
filter__modules__spam__scores__classifiers__ndr	`int4`
filter__modules__spam__scores__overall	`int4`
filter__modules__spam__triggeredClassifier	`str`
filter__modules__spam__safeBlockedListMatches	`str`
filter__modules__regulation__rules	`str`
filter__modules__regulation__matches	`str`
filter__quarantine__folder	`str`
filter__quarantine__rule	`str`
filter__isMsgEncrypted	`bool`
filter__disposition	`str`
filter__routes	`str`
filter__routeDirection	`str`
filter__verified__rcptsHashed	`str`
filter__verified__rcpts	`str`
filter__msgSizeBytes	`int8`
filter__origGuid	`str`
pps__agent	`str`
pps__version	`str`
pps__cid	`str`
envelope__from2	`str`
envelope__rcptsHashed	`str`
envelope__fromHashed	`str`
envelope__rcpts	`str`
msg__parsedAddresses__fromHashed	`str`
msg__parsedAddresses__toHashed	`str`
msg__parsedAddresses__to	`str`
msg__parsedAddresses__from2	`str`
msg__parsedAddresses__ccHashed	`str`
msg__parsedAddresses__cc	`str`
msg__lang	`str`
msg__normalizedHeader__fromHashed	`str`
msg__normalizedHeader__reply_to	`str`
msg__normalizedHeader__message_id	`str`
msg__normalizedHeader__from2	`str`
msg__normalizedHeader__toHashed	`str`
msg__normalizedHeader__to	`str`
msg__normalizedHeader__reply_toHashed	`str`
msg__normalizedHeader__subject	`str`
msg__normalizedHeader__x_originating_ip	`str`
msg__normalizedHeader__x_mailer	`str`
msg__normalizedHeader__return_path	`str`
msg__normalizedHeader__return_pathHashed	`str`
msg__normalizedHeader__ccHashed	`str`
msg__normalizedHeader__cc	`str`
msg__sizeBytes	`int8`
msg__header__fromHashed	`str`
msg__header__reply_to	`str`
msg__header__message_id	`str`
msg__header__from2	`str`
msg__header__toHashed	`str`
msg__header__to	`str`
msg__header__reply_toHashed	`str`
msg__header__subject	`str`
msg__header__x_originating_ip	`str`
msg__header__x_mailer	`str`
msg__header__return_pathHashed	`str`
msg__header__return_path	`str`
guid	`str`
userId	`str`
userName	`str`
url	`str`
date	`timestamp`
region	`str`
zone	`str`
disposition	`str`
categories_str	`str`
data	`str`
tls__verify	`str`
tls__version	`str`
tls__cipher	`str`
id	`str`
sm__mailer	`str`
sm__stat	`str`
sm__pri	`str`
sm__to_str	`str`
sm__xdelay	`str`
sm__relay	`str`
sm__qid	`str`
sm__dsn	`str`
sm__delay	`str`
metadata__customerId	`str`
metadata__origin__schemaVersion	`str`
msgParts__sizeDecodedBytes_str	`str`
msgParts__isVirtual_str	`str`
msgParts__detectedExt_str	`str`
msgParts__labeledCharset_str	`str`
msgParts__structureId_str	`str`
msgParts__detectedSizeBytes_str	`str`
msgParts__labeledMime_str	`str`
msgParts__detectedCharset_str	`str`
msgParts__isCorrupted_str	`str`
msgParts__sha256_str	`str`
msgParts__isProtected_str	`str`
msgParts__md5_str	`str`
msgParts__urls_str	`str`
msgParts__detectedName_str	`str`
msgParts__isDeleted_str	`str`
msgParts__isTimedOut_str	`str`
msgParts__dataBase64_str	`str`
msgParts__detectedMime_str	`str`
msgParts__disposition_str	`str`
msgParts__isArchive_str	`str`
msgParts__labeledExt_str	`str`
msgParts__sandboxStatus_str	`str`
msgParts__labeledName_str	`str`
msgParts__textExtracted_str	`str`
msg__normalizedHeader__message_id_str	`str`
msg__normalizedHeader__subject_str	`str`
msg__normalizedHeader__to_str	`str`
msg__normalizedHeader__from_str	`str`
msg__parsedAddresses__fromDisplayNames_str	`str`
msg__parsedAddresses__to_str	`str`
msg__parsedAddresses__from_str	`str`
msg__header__subject_str	`str`
msg__header__message_id_str	`str`
msg__header__from_str	`str`
msg__header__to_str	`str`
msg__sizeBytes_int4	`int4`
envelope__from	`str`
envelope__rcpts_str	`str`
filter__delivered__rcpts_str	`str`
filter__suborgs__rcpts_str	`str`
filter__modules__spam__charsets_str	`str`
filter__modules__spam__langs_str	`str`
filter__actions__rule_str	`str`
filter__actions__action_str	`str`
filter__actions__module_str	`str`
filter__actions__isFinal_str	`str`
filter__verified__rcpts_str	`str`
filter__msgSizeBytes_int4	`int4`
filter__routes_str	`str`
filter__quarantine__type	`str`
filter__quarantine__module	`str`
filter__quarantine__folderId	`str`
metadata__origin__data__version_ip4	`ip4`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

Anchor
tag2
tag2
mail.proofpoint.pod.events

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

hostname

str

connection__ip

ip4

connection__country

str

connection__resolveStatus

str

connection__helo

str

connection__sid

str

connection__protocol

str

connection__host

str

connection__tls__inbound__cipherBits

int4

connection__tls__inbound__version

str

connection__tls__inbound__cipher

str

metadata__origin__data__agent

str

metadata__origin__data__version

str

metadata__origin__data__cid

str

ts

str

msgParts

str

msgParts__isProtected_str

str

Code Block
replace(replace(stringify(json(msgParts__isProtected)), '[', ''), ']', '')

msgParts__isProtected

msgParts__isTimedOut_str

str

Code Block
replace(replace(stringify(json(msgParts__isTimedOut)), '[', ''), ']', '')

msgParts__isTimedOut

msgParts__dataBase64_str

str

Code Block
join(msgParts__dataBase64, ',')

msgParts__dataBase64

msgParts__metadata__generator_str

str

Code Block
join(msgParts__metadata__generator, ',')

msgParts__metadata__generator

msgParts__metadata__scalecrop_str

str

Code Block
replace(replace(stringify(json(msgParts__metadata__scalecrop)), '[', ''), ']', '')

msgParts__metadata__scalecrop

msgParts__metadata__shareddoc_str

str

Code Block
replace(replace(stringify(json(msgParts__metadata__shareddoc)), '[', ''), ']', '')

msgParts__metadata__shareddoc

msgParts__metadata__author_str

str

Code Block
join(msgParts__metadata__author, ',')

msgParts__metadata__author

msgParts__metadata__linksdirty_str

str

Code Block
replace(replace(stringify(json(msgParts__metadata__linksdirty)), '[', ''), ']', '')

msgParts__metadata__linksdirty

msgParts__metadata__codepage_str

str

Code Block
replace(replace(stringify(json(msgParts__metadata__codepage)), '[', ''), ']', '')

msgParts__metadata__codepage

msgParts__metadata__lastauthor_str

str

Code Block
join(msgParts__metadata__lastauthor, ',')

msgParts__metadata__lastauthor

msgParts__metadata__security_str

str

Code Block
replace(replace(stringify(json(msgParts__metadata__security)), '[', ''), ']', '')

msgParts__metadata__security

msgParts__metadata__hyperlinkschanged_str

str

Code Block
replace(replace(stringify(json(msgParts__metadata__hyperlinkschanged)), '[', ''), ']', '')

msgParts__metadata__hyperlinkschanged

msgParts__metadata__appname_str

str

Code Block
join(msgParts__metadata__appname, ',')

msgParts__metadata__appname

msgParts__metadata__headingpairs_str

str

Code Block
join(msgParts__metadata__headingpairs, ',')

msgParts__metadata__headingpairs

msgParts__metadata__titlesofparts_str

str

Code Block
join(msgParts__metadata__titlesofparts, ',')

msgParts__metadata__titlesofparts

msgParts__metadata__appversion_str

str

Code Block
join(msgParts__metadata__appversion, ',')

msgParts__metadata__appversion

msgParts__labeledExt_str

str

Code Block
join(msgParts__labeledExt, ',')

msgParts__labeledExt

msgParts__labeledCharset_str

str

Code Block
join(msgParts__labeledCharset, ',')

msgParts__labeledCharset

msgParts__labeledName_str

str

Code Block
join(msgParts__labeledName, ',')

msgParts__labeledName

msgParts__isVirtual_str

str

Code Block
replace(replace(stringify(json(msgParts__isVirtual)), '[', ''), ']', '')

msgParts__isVirtual

msgParts__detectedExt_str

str

Code Block
join(msgParts__detectedExt, ',')

msgParts__detectedExt

msgParts__md5_str

str

Code Block
join(msgParts__md5, ',')

msgParts__md5

msgParts__detectedCharset_str

str

Code Block
join(msgParts__detectedCharset, ',')

msgParts__detectedCharset

msgParts__labeledMime_str

str

Code Block
join(msgParts__labeledMime, ',')

msgParts__labeledMime

msgParts__textExtracted_str

str

Code Block
join(msgParts__textExtracted, ',')

msgParts__textExtracted

msgParts__isDeleted_str

str

Code Block
replace(replace(stringify(json(msgParts__isDeleted)), '[', ''), ']', '')

msgParts__isDeleted

msgParts__urls_str

str

Code Block
join(msgParts__urls, ',')

msgParts__urls

msgParts__detectedSizeBytes_str

str

Code Block
replace(replace(stringify(json(msgParts__detectedSizeBytes)), '[', ''), ']', '')

msgParts__detectedSizeBytes

msgParts__structureId_str

str

Code Block
join(msgParts__structureId, ',')

msgParts__structureId

msgParts__sizeDecodedBytes_str

str

Code Block
replace(replace(stringify(json(msgParts__sizeDecodedBytes)), '[', ''), ']', '')

msgParts__sizeDecodedBytes

msgParts__disposition_str

str

Code Block
join(msgParts__disposition, ',')

msgParts__disposition

msgParts__sha256_str

str

Code Block
join(msgParts__sha256, ',')

msgParts__sha256

msgParts__isArchive_str

str

Code Block
replace(replace(stringify(json(msgParts__isArchive)), '[', ''), ']', '')

msgParts__isArchive

msgParts__detectedMime_str

str

Code Block
join(msgParts__detectedMime, ',')

msgParts__detectedMime

msgParts__detectedName_str

str

Code Block
join(msgParts__detectedName, ',')

msgParts__detectedName

msgParts__isCorrupted_str

str

Code Block
replace(replace(stringify(json(msgParts__isCorrupted)), '[', ''), ']', '')

msgParts__isCorrupted

filter__qid

str

filter__actions

str

filter__durationSecs

float8

filter__suborgs__sender

str

filter__suborgs__rcpts

str

filter__startTime

str

filter__isMsgReinjected

bool

filter__modules__pdr__v2__rscore

int4

filter__modules__pdr__v2__response

str

filter__modules__urldefense__counts__unique

int4

filter__modules__urldefense__counts__rewritten

int4

filter__modules__urldefense__counts__total

int4

filter__modules__urldefense__counts__noRewriteIsExcludedDomain

int4

filter__modules__urldefense__counts__noRewriteIsEmail

int4

filter__modules__urldefense__counts__noRewriteIsSchemeless

int4

filter__modules__urldefense__counts__noRewriteIsUnsupportedScheme

int4

filter__modules__urldefense__version__engine

str

filter__modules__spf__domain

str

filter__modules__spf__result

str

filter__modules__zerohour__score

str

filter__modules__spam__charsets

str

filter__modules__spam__langs

str

filter__modules__spam__version__definitions

str

filter__modules__spam__version__engine

str

filter__modules__spam__scores__engine

int4

filter__modules__spam__scores__classifiers__mlx

int4

filter__modules__spam__scores__classifiers__suspect

int4

filter__modules__spam__scores__classifiers__lowpriority

int4

filter__modules__spam__scores__classifiers__adult

int4

filter__modules__spam__scores__classifiers__mlxlog

int4

filter__modules__spam__scores__classifiers__spam

int4

filter__modules__spam__scores__classifiers__malware

int4

filter__modules__spam__scores__classifiers__impostor

int4

filter__modules__spam__scores__classifiers__phish

int4

filter__modules__spam__scores__classifiers__bulk

int4

filter__modules__spam__scores__classifiers__adjust

int4

filter__modules__spam__scores__classifiers__ndr

int4

filter__modules__spam__scores__overall

int4

filter__modules__spam__triggeredClassifier

str

filter__modules__spam__safeBlockedListMatches

str

filter__modules__regulation__rules

str

filter__modules__regulation__matches

str

filter__quarantine__folder

str

filter__quarantine__rule

str

filter__isMsgEncrypted

bool

filter__disposition

str

filter__routes

str

filter__routeDirection

str

filter__verified__rcptsHashed

str

filter__verified__rcpts

str

filter__msgSizeBytes

int8

filter__origGuid

str

pps__agent

str

pps__version

str

pps__cid

str

envelope__from2

str

envelope__rcptsHashed

str

envelope__fromHashed

str

envelope__rcpts

str

msg__parsedAddresses__fromHashed

str

msg__parsedAddresses__toHashed

str

msg__parsedAddresses__to

str

msg__parsedAddresses__from2

str

msg__parsedAddresses__ccHashed

str

msg__parsedAddresses__cc

str

msg__lang

str

msg__normalizedHeader__fromHashed

str

msg__normalizedHeader__reply_to

str

msg__normalizedHeader__message_id

str

msg__normalizedHeader__from2

str

msg__normalizedHeader__toHashed

str

msg__normalizedHeader__to

str

msg__normalizedHeader__reply_toHashed

str

msg__normalizedHeader__subject

str

msg__normalizedHeader__x_originating_ip

str

msg__normalizedHeader__x_mailer

str

msg__normalizedHeader__return_path

str

msg__normalizedHeader__return_pathHashed

str

msg__normalizedHeader__ccHashed

str

msg__normalizedHeader__cc

str

msg__sizeBytes

int8

msg__header__fromHashed

str

msg__header__reply_to

str

msg__header__message_id

str

msg__header__from2

str

msg__header__toHashed

str

msg__header__to

str

msg__header__reply_toHashed

str

msg__header__subject

str

msg__header__x_originating_ip

str

msg__header__x_mailer

str

msg__header__return_pathHashed

str

msg__header__return_path

str

guid

str

hostchain

str

✓

tag

str

✓

rawMessage

str

✓

Anchor
tag3
tag3
mail.proofpoint.pod.isolation

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

hostname

str

userId

str

userName

str

url

str

date

timestamp

region

str

zone

str

disposition

str

categories_str

str

Code Block
join(categories, ',')

categories

hostchain

str

✓

tag

str

✓

rawMessage

str

✓

Anchor
tag4
tag4
mail.proofpoint.pod.maillog

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

hostname

str

data

str

tls__verify

str

tls__version

str

tls__cipher

str

ts

str

pps__agent

str

pps__cid

str

id

str

sm__mailer

str

sm__stat

str

sm__pri

str

sm__to_str

str

Code Block
join(sm__to, ',')

sm__to

sm__xdelay

str

sm__relay

str

sm__qid

str

sm__dsn

str

sm__delay

str

metadata__customerId

str

metadata__origin__schemaVersion

str

metadata__origin__data__agent

str

metadata__origin__data__cid

str

hostchain

str

✓

tag

str

✓

rawMessage

str

✓

Rw tab

title	5-8

mail.proofpoint.pod.message
mail.proofpoint.sendmail
mail.proofpoint.stdout
mail.proofpoint.tapsiem

Anchor
tag5
tag5
mail.proofpoint.pod.message

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

hostname

str

msgParts__sizeDecodedBytes_str

str

Code Block
replace(replace(stringify(json(msgParts__sizeDecodedBytes)), '[', ''), ']', '')

msgParts__sizeDecodedBytes

msgParts__isVirtual_str

str

Code Block
replace(replace(stringify(json(msgParts__isVirtual)), '[', ''), ']', '')

msgParts__isVirtual

msgParts__detectedExt_str

str

Code Block
join(msgParts__detectedExt, ',')

msgParts__detectedExt

msgParts__labeledCharset_str

str

Code Block
join(msgParts__labeledCharset, ',')

msgParts__labeledCharset

msgParts__structureId_str

str

Code Block
join(msgParts__structureId, ',')

msgParts__structureId

msgParts__detectedSizeBytes_str

str

Code Block
replace(replace(stringify(json(msgParts__detectedSizeBytes)), '[', ''), ']', '')

msgParts__detectedSizeBytes

msgParts__labeledMime_str

str

Code Block
join(msgParts__labeledMime, ',')

msgParts__labeledMime

msgParts__detectedCharset_str

str

Code Block
join(msgParts__detectedCharset, ',')

msgParts__detectedCharset

msgParts__isCorrupted_str

str

Code Block
replace(replace(stringify(json(msgParts__isCorrupted)), '[', ''), ']', '')

msgParts__isCorrupted

msgParts__sha256_str

str

Code Block
join(msgParts__sha256, ',')

msgParts__sha256

msgParts__isProtected_str

str

Code Block
replace(replace(stringify(json(msgParts__isProtected)), '[', ''), ']', '')

msgParts__isProtected

msgParts__md5_str

str

Code Block
join(msgParts__md5, ',')

msgParts__md5

msgParts__urls_str

str

Code Block
join(msgParts__urls, ',')

msgParts__urls

msgParts__detectedName_str

str

Code Block
join(msgParts__detectedName, ',')

msgParts__detectedName

msgParts__isDeleted_str

str

Code Block
replace(replace(stringify(json(msgParts__isDeleted)), '[', ''), ']', '')

msgParts__isDeleted

msgParts__isTimedOut_str

str

Code Block
replace(replace(stringify(json(msgParts__isTimedOut)), '[', ''), ']', '')

msgParts__isTimedOut

msgParts__dataBase64_str

str

Code Block
join(msgParts__dataBase64, ',')

msgParts__dataBase64

msgParts__detectedMime_str

str

Code Block
join(msgParts__detectedMime, ',')

msgParts__detectedMime

msgParts__disposition_str

str

Code Block
join(msgParts__disposition, ',')

msgParts__disposition

msgParts__isArchive_str

str

Code Block
replace(replace(stringify(json(msgParts__isArchive)), '[', ''), ']', '')

msgParts__isArchive

msgParts__labeledExt_str

str

Code Block
join(msgParts__labeledExt, ',')

msgParts__labeledExt

msgParts__sandboxStatus_str

str

Code Block
join(msgParts__sandboxStatus, ',')

msgParts__sandboxStatus

msgParts__labeledName_str

str

Code Block
join(msgParts__labeledName, ',')

msgParts__labeledName

msgParts__textExtracted_str

str

Code Block
join(msgParts__textExtracted, ',')

msgParts__textExtracted

msg__lang

str

msg__normalizedHeader__message_id_str

str

Code Block
join(msg__normalizedHeader__message_id, ',')

msg__normalizedHeader__message_id

msg__normalizedHeader__subject_str

str

Code Block
join(msg__normalizedHeader__subject, ',')

msg__normalizedHeader__subject

msg__normalizedHeader__to_str

str

Code Block
join(msg__normalizedHeader__to, ',')

msg__normalizedHeader__to

msg__normalizedHeader__from_str

str

Code Block
join(msg__normalizedHeader__from, ',')

msg__normalizedHeader__from

msg__parsedAddresses__fromDisplayNames_str

str

Code Block
join(msg__parsedAddresses__fromDisplayNames, ',')

msg__parsedAddresses__fromDisplayNames

msg__parsedAddresses__to_str

str

Code Block
join(msg__parsedAddresses__to, ',')

msg__parsedAddresses__to

msg__parsedAddresses__from_str

str

Code Block
join(msg__parsedAddresses__from, ',')

msg__parsedAddresses__from

msg__header__subject_str

str

Code Block
join(msg__header__subject, ',')

msg__header__subject

msg__header__message_id_str

str

Code Block
join(msg__header__message_id, ',')

msg__header__message_id

msg__header__from_str

str

Code Block
join(msg__header__from, ',')

msg__header__from

msg__header__to_str

str

Code Block
join(msg__header__to, ',')

msg__header__to

msg__sizeBytes

int4

connection__resolveStatus

str

connection__helo

str

connection__host

str

connection__sid

str

connection__protocol

str

connection__ip

ip4

connection__country

str

connection__tls__inbound__cipher

str

connection__tls__inbound__cipherBits

int4

connection__tls__inbound__version

str

envelope__from

str

envelope__rcpts_str

str

Code Block
join(envelope__rcpts, ',')

envelope__rcpts

filter__durationSecs

float8

filter__delivered__rcpts_str

str

Code Block
join(filter__delivered__rcpts, ',')

filter__delivered__rcpts

filter__suborgs__rcpts_str

str

Code Block
join(filter__suborgs__rcpts, ',')

filter__suborgs__rcpts

filter__suborgs__sender

str

filter__modules__urldefense__counts__unique

int4

filter__modules__urldefense__counts__rewritten

int4

filter__modules__urldefense__counts__total

int4

filter__modules__urldefense__version__engine

str

filter__modules__spf__result

str

filter__modules__spf__domain

str

filter__modules__zerohour__score

str

filter__modules__spam__charsets_str

str

Code Block
join(filter__modules__spam__charsets, ',')

filter__modules__spam__charsets

filter__modules__spam__version__definitions

str

filter__modules__spam__version__engine

str

filter__modules__spam__scores__classifiers__mlxlog

int4

filter__modules__spam__scores__classifiers__suspect

int4

filter__modules__spam__scores__classifiers__phish

int4

filter__modules__spam__scores__classifiers__impostor

int4

filter__modules__spam__scores__classifiers__malware

int4

filter__modules__spam__scores__classifiers__bulk

int4

filter__modules__spam__scores__classifiers__spam

int4

filter__modules__spam__scores__classifiers__mlx

int4

filter__modules__spam__scores__classifiers__lowpriority

int4

filter__modules__spam__scores__classifiers__adult

int4

filter__modules__spam__scores__engine

int4

filter__modules__spam__scores__overall

int4

filter__modules__spam__langs_str

str

Code Block
join(filter__modules__spam__langs, ',')

filter__modules__spam__langs

filter__isMsgReinjected

bool

filter__actions__rule_str

str

Code Block
join(filter__actions__rule, ',')

filter__actions__rule

filter__actions__action_str

str

Code Block
join(filter__actions__action, ',')

filter__actions__action

filter__actions__module_str

str

Code Block
join(filter__actions__module, ',')

filter__actions__module

filter__actions__isFinal_str

str

Code Block
replace(replace(stringify(json(filter__actions__isFinal)), '[', ''), ']', '')

filter__actions__isFinal

filter__verified__rcpts_str

str

Code Block
join(filter__verified__rcpts, ',')

filter__verified__rcpts

filter__msgSizeBytes

int4

filter__routes_str

str

Code Block
join(filter__routes, ',')

filter__routes

filter__disposition

str

filter__routeDirection

str

filter__origGuid

str

filter__quarantine__rule

str

filter__quarantine__type

str

filter__quarantine__module

str

filter__quarantine__folderId

str

filter__quarantine__folder

str

filter__qid

str

guid

str

metadata__origin__data__version

ip4

metadata__origin__data__cid

str

metadata__origin__data__agent

str

ts

str

hostchain

str

✓

tag

str

✓

rawMessage

str

✓

Anchor
tag6
tag6
mail.proofpoint.sendmail

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

host

str

Code Block
split(hostchain, "=", 0)

hostchain

process_name

str

process_id

str

messageID

str

sender

str

size

str

class

str

nrcpts

str

msgid

str

proto

str

daemon

str

tls_verify

str

auth

str

relay

str

to

str

delay

str

xdelay

str

mailer

str

pri

str

dsn

str

reply

str

ctladdr

str

stat

str

unknown

str

hostchain

str

✓

tag

str

✓

rawMessage

str

✓

Anchor
tag7
tag7
mail.proofpoint.stdout

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

host

str

Code Block
split(hostchain, "=", 0)

hostchain

process_name

str

process_id

str

messageID

str

s

str

mod

str

cmd

str

lint

str

ip

ip4

perlwait

float8

m

int4

x

str

value

str

qid

str

r

int4

verified

str

tls

str

routes

str

notroutes

str

score

int4

ipScore

int4

spamScore

int4

suspectScore

int4

phishScore

int4

bulkScore

int4

adultScore

int4

duration

float8

module

str

rule

str

action

str

attachments

int4

rcpts

int4

subject

str

helo

str

msgs

int4

elapsed

float8

host_msg

str

country

str

lip

ip4

prot

str

hops_active

str

resolve

str

reverse

str

size

int4

guid

str

hdr_mid

str

hops_ip

ip4

virusname

str

folder

str

pri

int4

form

str

id

int4

file

str

mime

str

type

str

omime

str

oext

str

corrupted

int4

protected

int4

sha256

str

virtual

int4

a

int4

hostchain

str

✓

tag

str

✓

rawMessage

str

rawSource

✓

Anchor
tag8
tag8
mail.proofpoint.tapsiem

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

eventType

str

messageTime

timestamp

messageSize

int8

messageID

str

senderIP

str

sender

str

recipient

str

headerFrom

str

headerReplyTo

str

replyToAddress_str

str

Code Block
join(replyToAddress, ",")

replyToAddress

fromAddress_str

str

Code Block
join(fromAddress, ",")

fromAddress

toAddresses_str

str

Code Block
join(toAddresses, ",")

toAddresses

ccAddresses_str

str

Code Block
join(ccAddresses, ",")

ccAddresses

quarantineRule

str

quarantineFolder

str

cluster

str

phishScore

int4

spamScore

int4

malwareScore

int4

impostorScore

float8

modulesRun_str

str

Code Block
join(modulesRun, ",")

modulesRun

subject

str

messageParts_sha256_str

str

Code Block
join(messageParts_sha256, ",")

messageParts_sha256

messageParts_disposition_str

str

Code Block
join(messageParts_disposition, ",")

messageParts_disposition

messageParts_contentType_str

str

Code Block
join(messageParts_contentType, ",")

messageParts_contentType

messageParts_md5_str

str

Code Block
join(messageParts_md5, ",")

messageParts_md5

messageParts_sandboxStatus_str

str

Code Block
join(messageParts_sandboxStatus, ",")

messageParts_sandboxStatus

messageParts_filename_str

str

Code Block
join(messageParts_filename, ",")

messageParts_filename

messageParts_oContentType_str

str

Code Block
join(messageParts_oContentType, ",")

messageParts_oContentType

policyRoutes_str

str

Code Block
join(policyRoutes, ",")

policyRoutes

xmailer

str

completelyRewritten

bool

GUID

str

QID

str

campaignId

str

classification

str

clickTime

str

clickIP

str

url

str

userAgent

str

threatID

str

threatTime

str

threatURL

str

threatStatus

str

threatsInfoMap_threatID_str

str

Code Block
join(threatsInfoMap_threatID, ",")

threatsInfoMap_threatID

threatsInfoMap_threatType_str

str

Code Block
join(threatsInfoMap_threatType, ",")

threatsInfoMap_threatType

threatsInfoMap_threatStatus_str

str

Code Block
join(threatsInfoMap_threatStatus, ",")

threatsInfoMap_threatStatus

threatsInfoMap_threatTime_str

str

Code Block
join(threatsInfoMap_threatTime, ",")

threatsInfoMap_threatTime

threatsInfoMap_classification_str

str

Code Block
join(threatsInfoMap_classification, ",")

threatsInfoMap_classification

threatsInfoMap_campaignID_str

str

Code Block
join(threatsInfoMap_campaignID, ",")

threatsInfoMap_campaignID

threatsInfoMap_threat_str

str

Code Block
join(threatsInfoMap_threat, ",")

threatsInfoMap_threat

threatsInfoMap_threatUrl_str

str

Code Block
join(threatsInfoMap_threatUrl, ",")

threatsInfoMap_threatUrl

hostchain

str

✓

tag

str

✓

rawMessage

str

✓

Rw tab

title	9-12

mail.proofpoint.tapsiem_syslog
mail.proofpoint.tapsiem_v2
mail.proofpoint.tapsiem_v2.clicksblocked
mail.proofpoint.tapsiem_v2.clickspermitted

Anchor
tag9
tag9
mail.proofpoint.tapsiem_syslog

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

host

str

Code Block
split(hostchain, "=", 0)

hostchain

process_name

str

process_id

str

PriorityValue

int4

HeaderValue

str

EventTime

timestamp

HeaderValue2

str

EventType

str

SD_ID

str

ccAddresses

str

clusterId

str

completelyRewritten

str

fromAddress

str

GUID

str

headerReplyTo

str

messageID

str

messageParts

str

messageSize

str

modulesRun

str

policyRoutes

str

QID

str

quarantineFolder

str

quarantineRule

str

recipient

str

replyToAddress

str

sender

str

subject

str

threatsInfoMap

str

threatsInfoMap__threatID

[str]

threatsInfoMap__threatID_str

str

Code Block
join(threatsInfoMap__threatID, ", ")

threatsInfoMap__threatID

threatsInfoMap__threatStatus

[str]

threatsInfoMap__threatStatus_str

str

Code Block
join(threatsInfoMap__threatStatus, ", ")

threatsInfoMap__threatStatus

threatsInfoMap__classification

[str]

threatsInfoMap__classification_str

str

Code Block
join(threatsInfoMap__classification, ", ")

threatsInfoMap__classification

threatsInfoMap__threatUrl

[str]

threatsInfoMap__threatUrl_str

str

Code Block
join(threatsInfoMap__threatUrl, ", ")

threatsInfoMap__threatUrl

threatsInfoMap__threatTime

[str]

threatsInfoMap__threatTime_str

str

Code Block
join(threatsInfoMap__threatTime, ", ")

threatsInfoMap__threatTime

threatsInfoMap__threat

[str]

threatsInfoMap__threat_str

str

Code Block
join(threatsInfoMap__threat, ", ")

threatsInfoMap__threat

threatsInfoMap__campaignID

[str]

threatsInfoMap__campaignID_str

str

Code Block
join(threatsInfoMap__campaignID, ", ")

threatsInfoMap__campaignID

threatsInfoMap__threatType

[str]

threatsInfoMap__threatType_str

str

Code Block
join(threatsInfoMap__threatType, ", ")

threatsInfoMap__threatType

toAddresses

str

xmailer

str

cluster

str

headerFrom

str

impostorScore

float8

malwareScore

int4

phishScore

int4

spamScore

int4

messageTime

timestamp

campaignID

str

class

str

threatID

str

threatURL

str

url

str

userAgent

str

threatStatus

str

clickIP

ip4

senderIP

ip4

clickTime

timestamp

threatTime

timestamp

unknown

str

hostchain

str

✓

tag

str

✓

rawMessage

str

✓

Anchor
tag10
tag10
mail.proofpoint.tapsiem_v2

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

eventType

str

messageTime

timestamp

messageSize

int8

messageID

str

senderIP

str

sender

str

recipient

str

headerFrom

str

headerReplyTo

str

replyToAddress_str

str

Code Block
join(replyToAddress, ",")

replyToAddress

fromAddress_str

str

Code Block
join(fromAddress, ",")

fromAddress

toAddresses_str

str

Code Block
join(toAddresses, ",")

toAddresses

ccAddresses_str

str

Code Block
join(ccAddresses, ",")

ccAddresses

quarantineRule

str

quarantineFolder

str

cluster

str

phishScore

int4

spamScore

int4

malwareScore

int4

impostorScore

float8

modulesRun_str

str

Code Block
join(modulesRun, ",")

modulesRun

subject

str

messageParts_sha256_str

str

Code Block
join(messageParts_sha256, ",")

messageParts_sha256

messageParts_disposition_str

str

Code Block
join(messageParts_disposition, ",")

messageParts_disposition

messageParts_contentType_str

str

Code Block
join(messageParts_contentType, ",")

messageParts_contentType

messageParts_md5_str

str

Code Block
join(messageParts_md5, ",")

messageParts_md5

messageParts_sandboxStatus_str

str

Code Block
join(messageParts_sandboxStatus, ",")

messageParts_sandboxStatus

messageParts_filename_str

str

Code Block
join(messageParts_filename, ",")

messageParts_filename

messageParts_oContentType_str

str

Code Block
join(messageParts_oContentType, ",")

messageParts_oContentType

policyRoutes_str

str

Code Block
join(policyRoutes, ",")

policyRoutes

xmailer

str

completelyRewritten

bool

GUID

str

QID

str

campaignId

str

classification

str

clickTime

str

clickIP

str

url

str

userAgent

str

threatID

str

threatTime

str

threatURL

str

threatStatus

str

threatsInfoMap_threatID_str

str

Code Block
join(threatsInfoMap_threatID, ",")

threatsInfoMap_threatID

threatsInfoMap_threatType_str

str

Code Block
join(threatsInfoMap_threatType, ",")

threatsInfoMap_threatType

threatsInfoMap_threatStatus_str

str

Code Block
join(threatsInfoMap_threatStatus, ",")

threatsInfoMap_threatStatus

threatsInfoMap_threatTime_str

str

Code Block
join(threatsInfoMap_threatTime, ",")

threatsInfoMap_threatTime

threatsInfoMap_classification_str

str

Code Block
join(threatsInfoMap_classification, ",")

threatsInfoMap_classification

threatsInfoMap_campaignID_str

str

Code Block
join(threatsInfoMap_campaignID, ",")

threatsInfoMap_campaignID

threatsInfoMap_threat_str

str

Code Block
join(threatsInfoMap_threat, ",")

threatsInfoMap_threat

threatsInfoMap_threatUrl_str

str

Code Block
join(threatsInfoMap_threatUrl, ",")

threatsInfoMap_threatUrl

hostchain

str

✓

tag

str

✓

rawMessage

str

✓

Anchor
tag11
tag11
mail.proofpoint.tapsiem_v2.clicksblocked

Field	Type	Extra fields
eventdate	`timestamp`
eventType	`str`
messageTime	`timestamp`
messageSize	`int8`
messageID	`str`
GUID	`str`
id	`str`
senderIP	`str`
sender	`str`
recipient	`str`
campaignId	`str`
classification	`str`
clickTime	`str`
clickIP	`str`
url	`str`
userAgent	`str`
threatID	`str`
threatTime	`str`
threatURL	`str`
threatStatus	`str`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`

Anchor
tag12
tag12
mail.proofpoint.tapsiem_v2.clickspermitted

Field	Type	Extra fields
eventdate	`timestamp`
eventType	`str`
messageTime	`timestamp`
messageSize	`int8`
messageID	`str`
GUID	`str`
id	`str`
senderIP	`str`
sender	`str`
recipient	`str`
campaignId	`str`
classification	`str`
clickTime	`str`
clickIP	`str`
url	`str`
userAgent	`str`
threatID	`str`
threatTime	`str`
threatURL	`str`
threatStatus	`str`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`

Rw tab

title	13-16

mail.proofpoint.tapsiem_v2.messagesblocked
mail.proofpoint.tapsiem_v2.messagesdelivered
mail.proofpoint.trap
mail.proofpoint.trap_incident

Anchor
tag13
tag13
mail.proofpoint.tapsiem_v2.messagesblocked

Field	Type	Extra fields
eventdate	`timestamp`
eventType	`str`
messageTime	`timestamp`
messageSize	`int8`
messageID	`str`
senderIP	`str`
sender	`str`
recipient	`str`
headerFrom	`str`
headerReplyTo	`str`
replyToAddress_str	`str`
fromAddress_str	`str`
toAddresses_str	`str`
ccAddresses_str	`str`
quarantineRule	`str`
quarantineFolder	`str`
cluster	`str`
phishScore	`int4`
spamScore	`int4`
malwareScore	`int4`
impostorScore	`float8`
modulesRun_str	`str`
subject	`str`
messageParts_sha256_str	`str`
messageParts_disposition_str	`str`
messageParts_contentType_str	`str`
messageParts_md5_str	`str`
messageParts_sandboxStatus_str	`str`
messageParts_filename_str	`str`
messageParts_oContentType_str	`str`
policyRoutes_str	`str`
xmailer	`str`
completelyRewritten	`bool`
GUID	`str`
QID	`str`
campaignId	`str`
classification	`str`
clickTime	`str`
clickIP	`str`
url	`str`
userAgent	`str`
threatID	`str`
threatTime	`str`
threatURL	`str`
threatStatus	`str`
threatsInfoMap_threatID_str	`str`
threatsInfoMap_threatType_str	`str`
threatsInfoMap_threatStatus_str	`str`
threatsInfoMap_threatTime_str	`str`
threatsInfoMap_classification_str	`str`
threatsInfoMap_campaignID_str	`str`
threatsInfoMap_threat_str	`str`
threatsInfoMap_threatUrl_str	`str`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`

Anchor
tag14
tag14
mail.proofpoint.tapsiem_v2.messagesdelivered

Field	Type	Extra fields
eventdate	`timestamp`
eventType	`str`
messageTime	`timestamp`
messageSize	`int8`
messageID	`str`
senderIP	`str`
sender	`str`
recipient	`str`
headerFrom	`str`
headerReplyTo	`str`
replyToAddress_str	`str`
fromAddress_str	`str`
toAddresses_str	`str`
ccAddresses_str	`str`
quarantineRule	`str`
quarantineFolder	`str`
cluster	`str`
phishScore	`int4`
spamScore	`int4`
malwareScore	`int4`
impostorScore	`float8`
modulesRun_str	`str`
subject	`str`
messageParts_sha256_str	`str`
messageParts_disposition_str	`str`
messageParts_contentType_str	`str`
messageParts_md5_str	`str`
messageParts_sandboxStatus_str	`str`
messageParts_filename_str	`str`
messageParts_oContentType_str	`str`
policyRoutes_str	`str`
xmailer	`str`
completelyRewritten	`bool`
GUID	`str`
QID	`str`
id	`str`
campaignId	`str`
classification	`str`
clickTime	`str`
clickIP	`str`
url	`str`
userAgent	`str`
threatID	`str`
threatTime	`str`
threatURL	`str`
threatStatus	`str`
threatsInfoMap_threatID_str	`str`
threatsInfoMap_threatType_str	`str`
threatsInfoMap_threatStatus_str	`str`
threatsInfoMap_threatTime_str	`str`
threatsInfoMap_classification_str	`str`
threatsInfoMap_campaignID_str	`str`
threatsInfoMap_threat_str	`str`
threatsInfoMap_threatUrl_str	`str`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`

Anchor
tag15
tag15
mail.proofpoint.trap

Field	Type	Extra fields
eventdate	`timestamp`
hostname	`str`
application_version	`str`
event	`str`
identity	`str`
identity_type	`str`
identity_id	`str`
incident_data	`str`
incident_id	`str`
activity_type	`str`
summary	`str`
old_value	`str`
new_value	`str`
type	`str`
automated	`bool`
name	`str`
state	`str`
severity	`str`
alert_id	`int4`
username	`str`
ip	`ip4`
result	`str`
host	`ip4`
ips	`ip4`
ttl	`int4`
enabled	`str`
condition_list	`str`
threshold_type	`str`
threshold_inequality	`str`
incident_severity_threshold	`str`
send_to_incident_owner	`str`
send_to_team	`str`
send_to_reporter	`str`
include_reported_email	`str`
additional_recipients	`str`
exclude_recipients	`str`
content	`str`
email_body_preface	`str`
email_subject	`str`
beginning_delimiter	`str`
ending_delimiter	`str`
messageId	`str`
originalMailbox	`str`
isMessageRead	`bool`
quarantineFolder	`str`
quarantineMailbox	`str`
mailProvider	`str`
updateMessage	`str`
source	`str`
category	`str`
attacker	`str`
target	`str`
cnc	`str`
other	`str`
url	`str`
role	`str`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

Anchor
tag16
tag16
mail.proofpoint.trap_incident

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

hostname

str

id

int4

score

int4

state

str

created_at

timestamp

updated_at

timestamp

closed_at

timestamp

close_summary

str

close_detail

str

event_count

int4

false_positive_count

int4

event_sources_str

str

Code Block
join(event_sources, ',')

event_sources

assignee

str

team

str

hosts__attacker_str

str

Code Block
join(hosts__attacker, ',')

hosts__attacker

incident_field_values__name_str

str

Code Block
join(incident_field_values__name, ',')

incident_field_values__name

incident_field_values__value_str

str

Code Block
join(incident_field_values__value, ',')

incident_field_values__value

quarantine_results__alertSource_str

str

Code Block
join(quarantine_results__alertSource, ',')

quarantine_results__alertSource

quarantine_results__startTime_str

str

Code Block
join(quarantine_results__startTime, ',')

quarantine_results__startTime

quarantine_results__endTime_str

str

Code Block
join(quarantine_results__endTime, ',')

quarantine_results__endTime

quarantine_results__status_str

str

Code Block
join(quarantine_results__status, ',')

quarantine_results__status

quarantine_results__recipientType_str

str

Code Block
join(quarantine_results__recipientType, ',')

quarantine_results__recipientType

quarantine_results__recipient_str

str

Code Block
join(quarantine_results__recipient, ',')

quarantine_results__recipient

quarantine_results__messageId_str

str

Code Block
join(quarantine_results__messageId, ',')

quarantine_results__messageId

quarantine_results__isRead_str

str

Code Block
join(quarantine_results__isRead, ',')

quarantine_results__isRead

quarantine_results__wasUndone_str

str

Code Block
join(quarantine_results__wasUndone, ',')

quarantine_results__wasUndone

quarantine_results__details_str

str

Code Block
join(quarantine_results__details, ',')

quarantine_results__details

successful_quarantines

int4

failed_quarantines

int4

pending_quarantines

int4

events__id

int4

events__category

str

events__alertType

str

events__severity

str

events__source

str

events__state

str

events__attackDirection

str

events__received

timestamp

events__emails__sender__email_str

str

Code Block
join(events__emails__sender__email, ',')

events__emails__sender__email

events__emails__recipient__email_str

str

Code Block
join(events__emails__recipient__email, ',')

events__emails__recipient__email

events__emails__subject_str

str

Code Block
join(events__emails__subject, ',')

events__emails__subject

events__emails__messageId_str

str

Code Block
join(events__emails__messageId, ',')

events__emails__messageId

events__emails__messageDeliveryTime__chronology__zone__fixed_str

str

Code Block
replace(replace(stringify(json(events__emails__messageDeliveryTime__chronology__zone__fixed)), '[', ''), ']', '')

events__emails__messageDeliveryTime__chronology__zone__fixed

events__emails__messageDeliveryTime__chronology__zone__id_str

str

Code Block
join(events__emails__messageDeliveryTime__chronology__zone__id, ',')

events__emails__messageDeliveryTime__chronology__zone__id

events__emails__messageDeliveryTime__millis_str

str

Code Block
replace(replace(stringify(json(events__emails__messageDeliveryTime__millis)), '[', ''), ']', '')

events__emails__messageDeliveryTime__millis

events__emails__messageDeliveryTime__zone__fixed_str

str

Code Block
replace(replace(stringify(json(events__emails__messageDeliveryTime__zone__fixed)), '[', ''), ']', '')

events__emails__messageDeliveryTime__zone__fixed

events__emails__messageDeliveryTime__zone__id_str

str

Code Block
join(events__emails__messageDeliveryTime__zone__id, ',')

events__emails__messageDeliveryTime__zone__id

events__emails__messageDeliveryTime__afterNow_str

str

Code Block
replace(replace(stringify(json(events__emails__messageDeliveryTime__afterNow)), '[', ''), ']', '')

events__emails__messageDeliveryTime__afterNow

events__emails__messageDeliveryTime__beforeNow_str

str

Code Block
replace(replace(stringify(json(events__emails__messageDeliveryTime__beforeNow)), '[', ''), ']', '')

events__emails__messageDeliveryTime__beforeNow

events__emails__messageDeliveryTime__equalNow_str

str

Code Block
replace(replace(stringify(json(events__emails__messageDeliveryTime__equalNow)), '[', ''), ']', '')

events__emails__messageDeliveryTime__equalNow

events__emails__abuseCopy_str

str

Code Block
replace(replace(stringify(json(events__emails__abuseCopy)), '[', ''), ']', '')

events__emails__abuseCopy

events__attackers__location_str

str

Code Block
join(events__attackers__location, ',')

events__attackers__location

events__falsePositive

bool

hostchain

str

✓

tag

str

✓

rawMessage

str

✓

Versions Compared

Old Version 10

New Version 11

Key

How is the data sent to Devo?

Rule 2 - Proofpoint stdout

Rule 3 - Proofpoint sendmail

Table structure

Anchor
tag1
tag1
mail.proofpoint.pod

Anchor
tag2
tag2
mail.proofpoint.pod.events

Anchor
tag3
tag3
mail.proofpoint.pod.isolation

Anchor
tag4
tag4
mail.proofpoint.pod.maillog

Anchor
tag5
tag5
mail.proofpoint.pod.message

Anchor
tag6
tag6
mail.proofpoint.sendmail

Anchor
tag7
tag7
mail.proofpoint.stdout

Anchor
tag8
tag8
mail.proofpoint.tapsiem

Anchor
tag9
tag9
mail.proofpoint.tapsiem_syslog

Anchor
tag10
tag10
mail.proofpoint.tapsiem_v2

Anchor
tag11
tag11
mail.proofpoint.tapsiem_v2.clicksblocked

Anchor
tag12
tag12
mail.proofpoint.tapsiem_v2.clickspermitted

Anchor
tag13
tag13
mail.proofpoint.tapsiem_v2.messagesblocked

Anchor
tag14
tag14
mail.proofpoint.tapsiem_v2.messagesdelivered

Anchor
tag15
tag15
mail.proofpoint.trap

Anchor
tag16
tag16
mail.proofpoint.trap_incident

Page Comparison

Versions Compared

Old Version 10

New Version 11

Key

How is the data sent to Devo?

Rule 2 - Proofpoint stdout

Rule 3 - Proofpoint sendmail

Table structure

Anchortag1tag1mail.proofpoint.pod

Anchortag2tag2mail.proofpoint.pod.events

Anchortag3tag3mail.proofpoint.pod.isolation

Anchortag4tag4mail.proofpoint.pod.maillog

Anchortag5tag5mail.proofpoint.pod.message

Anchortag6tag6mail.proofpoint.sendmail

Anchortag7tag7mail.proofpoint.stdout

Anchortag8tag8mail.proofpoint.tapsiem

Anchortag9tag9mail.proofpoint.tapsiem_syslog

Anchortag10tag10mail.proofpoint.tapsiem_v2

Anchortag11tag11mail.proofpoint.tapsiem_v2.clicksblocked

Anchortag12tag12mail.proofpoint.tapsiem_v2.clickspermitted

Anchortag13tag13mail.proofpoint.tapsiem_v2.messagesblocked

Anchortag14tag14mail.proofpoint.tapsiem_v2.messagesdelivered

Anchortag15tag15mail.proofpoint.trap

Anchortag16tag16mail.proofpoint.trap_incident

Anchor
tag1
tag1
mail.proofpoint.pod

Anchor
tag2
tag2
mail.proofpoint.pod.events

Anchor
tag3
tag3
mail.proofpoint.pod.isolation

Anchor
tag4
tag4
mail.proofpoint.pod.maillog

Anchor
tag5
tag5
mail.proofpoint.pod.message

Anchor
tag6
tag6
mail.proofpoint.sendmail

Anchor
tag7
tag7
mail.proofpoint.stdout

Anchor
tag8
tag8
mail.proofpoint.tapsiem

Anchor
tag9
tag9
mail.proofpoint.tapsiem_syslog

Anchor
tag10
tag10
mail.proofpoint.tapsiem_v2

Anchor
tag11
tag11
mail.proofpoint.tapsiem_v2.clicksblocked

Anchor
tag12
tag12
mail.proofpoint.tapsiem_v2.clickspermitted

Anchor
tag13
tag13
mail.proofpoint.tapsiem_v2.messagesblocked

Anchor
tag14
tag14
mail.proofpoint.tapsiem_v2.messagesdelivered

Anchor
tag15
tag15
mail.proofpoint.trap

Anchor
tag16
tag16
mail.proofpoint.trap_incident