...
These are the valid tags and corresponding data tables that will receive the parsers' data:
Product / Service | Tags | Data tables |
---|---|---|
Proofpoint Email Protection | | |
For more information, read more about Devo tags.
How is the data sent to Devo?
...
Source port → Required one
Source data → (\[PTRAuditData [^\]]+\].*)$
Target tag → mail.proofpoint.trap
Target message → \\D1
Select both Stop processing and Sent without syslog tag
Rule 2 - Proofpoint stdout
Source port → Required one
Source tag → filter_instance1
Target tag → mail.proofpoint.stdout
Select Stop processing
Rule 3 - Proofpoint sendmail
Source port → Required one
Target tag → mail.proofpoint.sendmail
Select Stop processing
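The three rules above form an ordered chain: rule 1 trims TRAP audit lines to the part starting at `[PTRAuditData` and routes them to mail.proofpoint.trap, rule 2 routes lines whose syslog tag is filter_instance1 to mail.proofpoint.stdout, and rule 3, which has no condition beyond the port, catches everything else. The following Python script is an added example, not Devo's or Proofpoint's code, that simulates that chain over three constructed syslog lines so you can check what each rule would deliver before configuring the relay. It assumes the relay evaluates rules top to bottom, that "Source tag" is compared with the syslog program name, that "Stop processing" ends evaluation at the first match, and a BSD-style syslog header layout; the sample lines and their contents are invented.

```python
import re

# Added simulation of the relay rule chain on this page (not Devo code).
# Assumptions: rules are evaluated top to bottom, "Source tag" is compared with
# the syslog program name, and "Stop processing" ends evaluation at the first match.

# Rule 1 source-data regex exactly as on the page. The page's target message
# "\\D1" is Devo's reference to capture group 1, which is what we emit.
TRAP_RE = re.compile(r"(\[PTRAuditData [^\]]+\].*)$")

# Constructed BSD-syslog layout: "<PRI>Mon DD HH:MM:SS host tag[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?:<\d+>)?\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\S+\s+"
    r"(?P<tag>[^\[\s:]+)(?:\[\d+\])?:\s*(?P<msg>.*)$"
)


def syslog_tag(line):
    """Return the syslog tag (program name) of a line, or None if it has no header."""
    m = SYSLOG_RE.match(line)
    return m.group("tag") if m else None


def rule_trap(line):
    # Rule 1: source data matches TRAP_RE -> mail.proofpoint.trap.
    # The delivered message is group 1 only, so the syslog header is dropped
    # (this is the effect of "Sent without syslog tag").
    m = TRAP_RE.search(line)
    return ("mail.proofpoint.trap", m.group(1)) if m else None


def rule_stdout(line):
    # Rule 2: source tag filter_instance1 -> mail.proofpoint.stdout, line unchanged.
    if syslog_tag(line) == "filter_instance1":
        return ("mail.proofpoint.stdout", line)
    return None


def rule_sendmail(line):
    # Rule 3: no condition beyond the port, so it catches everything left.
    return ("mail.proofpoint.sendmail", line)


# Order matters: every rule stops processing, and rule 3 is a catch-all.
RULES = [rule_trap, rule_stdout, rule_sendmail]


def route(line):
    """Return (target_tag, message) for the first rule that matches."""
    for rule in RULES:
        hit = rule(line)
        if hit is not None:
            return hit
    raise ValueError("no rule matched")  # unreachable while rule 3 is last


# Constructed sample lines (not real Proofpoint output): one per rule.
SAMPLE_LINES = [
    "<14>Jan 10 12:00:00 trap01 java[1234]: [PTRAuditData action=quarantine] incident 42 updated",
    "<14>Jan 10 12:00:01 pps01 filter_instance1[2345]: rprt s=3kQ9x mod=mail cmd=msg",
    "<22>Jan 10 12:00:02 pps01 sendmail[3456]: qid=abc123 from=<alice@example.com>",
]


def route_all(lines):
    """Count how many lines each target tag receives; useful when verifying a relay."""
    counts = {}
    for line in lines:
        tag, _ = route(line)
        counts[tag] = counts.get(tag, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        tag, msg = route(line)
        print(f"{tag:28s} {msg}")
    print(route_all(SAMPLE_LINES))
```

Because rule 3 matches on the port alone, it must stay last and on the same port as the other two; anything the first two rules do not recognise, including malformed or unexpected traffic, ends up in mail.proofpoint.sendmail, so a count per target tag like `route_all` gives is a quick sanity check after changing the rules.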
Table structure
...
Field | Type | Field transformation | Source field name | Extra fields |
---|---|---|---|---|
eventdate | | | | |
host | | | hostchain | |
process_name | | | | |
process_id | | | | |
messageID | | | | |
s | | | | |
mod | | | | |
cmd | | | | |
lint | | | | |
ip | | | | |
perlwait | | | | |
m | | | | |
x | | | | |
value | | | | |
qid | | | | |
r | | | | |
verified | | | | |
tls | | | | |
routes | | | | |
notroutes | | | | |
score | | | | |
ipScore | | | | |
spamScore | | | | |
suspectScore | | | | |
phishScore | | | | |
bulkScore | | | | |
adultScore | | | | |
duration | | | | |
module | | | | |
rule | | | | |
action | | | | |
attachments | | | | |
rcpts | | | | |
subject | | | | |
helo | | | | |
msgs | | | | |
elapsed | | | | |
host_msg | | | | |
country | | | | |
lip | | | | |
prot | | | | |
hops_active | | | | |
resolve | | | | |
reverse | | | | |
size | | | | |
guid | | | | |
hdr_mid | | | | |
hops_ip | | | | |
virusname | | | | |
folder | | | | |
pri | | | | |
form | | | | |
id | | | | |
file | | | | |
mime | | | | |
type | | | | |
omime | | | | |
oext | | | | |
corrupted | | | | |
protected | | | | |
sha256 | | | | |
virtual | | | | |
a | | | | |
hostchain | | | | ✓ |
tag | | | | ✓ |
rawMessage | | | rawSource | ✓ |

Field | Type | Field transformation | Source field name | Extra fields |
---|---|---|---|---|
eventdate | | | | |
eventType | | | | |
messageTime | | | | |
messageSize | | | | |
messageID | | | | |
senderIP | | | | |
sender | | | | |
recipient | | | | |
headerFrom | | | | |
headerReplyTo | | | | |
replyToAddress_str | | | replyToAddress | |
fromAddress_str | | | fromAddress | |
toAddresses_str | | | toAddresses | |
ccAddresses_str | | | ccAddresses | |
quarantineRule | | | | |
quarantineFolder | | | | |
cluster | | | | |
phishScore | | | | |
spamScore | | | | |
malwareScore | | | | |
impostorScore | | | | |
modulesRun_str | | | modulesRun | |
subject | | | | |
messageParts_sha256_str | | | messageParts_sha256 | |
messageParts_disposition_str | | | messageParts_disposition | |
messageParts_contentType_str | | | messageParts_contentType | |
messageParts_md5_str | | | messageParts_md5 | |
messageParts_sandboxStatus_str | | | messageParts_sandboxStatus | |
messageParts_filename_str | | | messageParts_filename | |
messageParts_oContentType_str | | | messageParts_oContentType | |
policyRoutes_str | | | policyRoutes | |
xmailer | | | | |
completelyRewritten | | | | |
GUID | | | | |
QID | | | | |
campaignId | | | | |
classification | | | | |
clickTime | | | | |
clickIP | | | | |
url | | | | |
userAgent | | | | |
threatID | | | | |
threatTime | | | | |
threatURL | | | | |
threatStatus | | | | |
threatsInfoMap_threatID_str | | | threatsInfoMap_threatID | |
threatsInfoMap_threatType_str | | | threatsInfoMap_threatType | |
threatsInfoMap_threatStatus_str | | | threatsInfoMap_threatStatus | |
threatsInfoMap_threatTime_str | | | threatsInfoMap_threatTime | |
threatsInfoMap_classification_str | | | threatsInfoMap_classification | |
threatsInfoMap_campaignID_str | | | threatsInfoMap_campaignID | |
threatsInfoMap_threat_str | | | threatsInfoMap_threat | |
threatsInfoMap_threatUrl_str | | | threatsInfoMap_threatUrl | |
hostchain | | | | ✓ |
tag | | | | ✓ |
rawMessage | | | | ✓ |
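The `_str` columns in the table above (messageParts_sha256_str from messageParts_sha256, threatsInfoMap_threatID_str from threatsInfoMap_threatID, and so on) are the flattened form of arrays nested inside the original JSON event. The page does not show how Devo's parser performs that flattening, so the following Python script is an added example, not Devo's parser, that assumes one plausible convention: a nested path is joined with a separator (`_` as in this table, `__` as in the other tables on this page), values reached through an array are collected into a list under that path, and each list is also emitted as a comma-joined `<path>_str` column. The sample event is constructed; its field names come from the table, its values are invented.

```python
import json

# Added example (not Devo's parser): flatten a nested JSON event into the
# column names used in the table above. Assumed convention: paths are joined
# with `sep` ("_" here, "__" in the other tables on this page), values found
# inside arrays are collected into a list under that path, and every list is
# also emitted as a comma-joined "<path>_str" column.


def flatten(event, sep="_"):
    out = {}

    def walk(node, path, in_array):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{path}{sep}{key}" if path else key, in_array)
        elif isinstance(node, list):
            if node and all(isinstance(item, dict) for item in node):
                for item in node:                        # array of objects: one pass per element
                    walk(item, path, True)
            else:
                out.setdefault(path, []).extend(node)    # array of scalars
        elif in_array:
            out.setdefault(path, []).append(node)        # leaf reached through an array
        else:
            out[path] = node                             # plain scalar

    walk(event, "", False)
    for key in [k for k, v in out.items() if isinstance(v, list)]:
        out[key + "_str"] = ",".join("" if v is None else str(v) for v in out[key])
    return out


def suspicious_parts(flat, sep="_"):
    """sha256 of every message part whose sandbox status is "threat".
    The per-part lists stay index-aligned, which is what makes this join valid."""
    shas = flat.get(f"messageParts{sep}sha256", [])
    status = flat.get(f"messageParts{sep}sandboxStatus", [])
    return [sha for sha, st in zip(shas, status) if st == "threat"]


# Constructed TAP-style event (field names from the table, values invented).
SAMPLE_EVENT = json.loads("""{
  "GUID": "constructed-guid-0001",
  "sender": "alice@example.com",
  "recipient": ["bob@example.net"],
  "messageParts": [
    {"sha256": "aaaa", "disposition": "attached", "contentType": "application/pdf", "sandboxStatus": "threat"},
    {"sha256": "bbbb", "disposition": "inline", "contentType": "text/html", "sandboxStatus": "clean"}
  ],
  "threatsInfoMap": [
    {"threatID": "t-1", "threatType": "attachment", "threatStatus": "active", "classification": "malware"}
  ]
}""")

if __name__ == "__main__":
    flat = flatten(SAMPLE_EVENT)
    for name in sorted(flat):
        print(f"{name:34s} {flat[name]!r}")
    print("parts flagged by sandbox:", suspicious_parts(flat))
```

The practical point for queries is the one `suspicious_parts` relies on: once the arrays are flattened, a message part's hash and its sandbox verdict live in different columns and are only related by position, so joining them requires the lists to have been built in the same element order.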

Field | Type | Field transformation | Source field name | Extra fields |
---|---|---|---|---|
eventdate | | | | |
host | | | hostchain | |
process_name | | | | |
process_id | | | | |
PriorityValue | | | | |
HeaderValue | | | | |
EventTime | | | | |
HeaderValue2 | | | | |
EventType | | | | |
SD_ID | | | | |
ccAddresses | | | | |
clusterId | | | | |
completelyRewritten | | | | |
fromAddress | | | | |
GUID | | | | |
headerReplyTo | | | | |
messageID | | | | |
messageParts | | | | |
messageSize | | | | |
modulesRun | | | | |
policyRoutes | | | | |
QID | | | | |
quarantineFolder | | | | |
quarantineRule | | | | |
recipient | | | | |
replyToAddress | | | | |
sender | | | | |
subject | | | | |
threatsInfoMap | | | | |
threatsInfoMap__threatID | | | | |
threatsInfoMap__threatID_str | | | threatsInfoMap__threatID | |
threatsInfoMap__threatStatus | | | | |
threatsInfoMap__threatStatus_str | | | threatsInfoMap__threatStatus | |
threatsInfoMap__classification | | | | |
threatsInfoMap__classification_str | | | threatsInfoMap__classification | |
threatsInfoMap__threatUrl | | | | |
threatsInfoMap__threatUrl_str | | | threatsInfoMap__threatUrl | |
threatsInfoMap__threatTime | | | | |
threatsInfoMap__threatTime_str | | | threatsInfoMap__threatTime | |
threatsInfoMap__threat | | | | |
threatsInfoMap__threat_str | | | threatsInfoMap__threat | |
threatsInfoMap__campaignID | | | | |
threatsInfoMap__campaignID_str | | | threatsInfoMap__campaignID | |
threatsInfoMap__threatType | | | | |
threatsInfoMap__threatType_str | | | threatsInfoMap__threatType | |
toAddresses | | | | |
xmailer | | | | |
cluster | | | | |
headerFrom | | | | |
impostorScore | | | | |
malwareScore | | | | |
phishScore | | | | |
spamScore | | | | |
messageTime | | | | |
campaignID | | | | |
class | | | | |
threatID | | | | |
threatURL | | | | |
url | | | | |
userAgent | | | | |
threatStatus | | | | |
clickIP | | | | |
senderIP | | | | |
clickTime | | | | |
threatTime | | | | |
unknown | | | | |
hostchain | | | | ✓ |
tag | | | | ✓ |
rawMessage | | | | ✓ |

Field | Type | Field transformation | Source field name | Extra fields |
---|---|---|---|---|
eventdate | | | | |
eventType | | | | |
messageTime | | | | |
messageSize | | | | |
messageID | | | | |
senderIP | | | | |
sender | | | | |
recipient | | | | |
headerFrom | | | | |
headerReplyTo | | | | |
replyToAddress_str | | | replyToAddress | |
fromAddress_str | | | fromAddress | |
toAddresses_str | | | toAddresses | |
ccAddresses_str | | | ccAddresses | |
quarantineRule | | | | |
quarantineFolder | | | | |
cluster | | | | |
phishScore | | | | |
spamScore | | | | |
malwareScore | | | | |
impostorScore | | | | |
modulesRun_str | | | modulesRun | |
subject | | | | |
messageParts_sha256_str | | | messageParts_sha256 | |
messageParts_disposition_str | | | messageParts_disposition | |
messageParts_contentType_str | | | messageParts_contentType | |
messageParts_md5_str | | | messageParts_md5 | |
messageParts_sandboxStatus_str | | | messageParts_sandboxStatus | |
messageParts_filename_str | | | messageParts_filename | |
messageParts_oContentType_str | | | messageParts_oContentType | |
policyRoutes_str | | | policyRoutes | |
xmailer | | | | |
completelyRewritten | | | | |
GUID | | | | |
QID | | | | |
campaignId | | | | |
classification | | | | |
clickTime | | | | |
clickIP | | | | |
url | | | | |
userAgent | | | | |
threatID | | | | |
threatTime | | | | |
threatURL | | | | |
threatStatus | | | | |
threatsInfoMap_threatID_str | | | threatsInfoMap_threatID | |
threatsInfoMap_threatType_str | | | threatsInfoMap_threatType | |
threatsInfoMap_threatStatus_str | | | threatsInfoMap_threatStatus | |
threatsInfoMap_threatTime_str | | | threatsInfoMap_threatTime | |
threatsInfoMap_classification_str | | | threatsInfoMap_classification | |
threatsInfoMap_campaignID_str | | | threatsInfoMap_campaignID | |
threatsInfoMap_threat_str | | | threatsInfoMap_threat | |
threatsInfoMap_threatUrl_str | | | threatsInfoMap_threatUrl | |
hostchain | | | | ✓ |
tag | | | | ✓ |
rawMessage | | | | ✓ |

Field | Type | Extra fields |
---|---|---|
eventdate | | |
hostname | | |
application_version | | |
event | | |
identity | | |
identity_type | | |
identity_id | | |
incident_data | | |
incident_id | | |
activity_type | | |
summary | | |
old_value | | |
new_value | | |
type | | |
automated | | |
name | | |
state | | |
severity | | |
alert_id | | |
username | | |
ip | | |
result | | |
host | | |
ips | | |
ttl | | |
enabled | | |
condition_list | | |
threshold_type | | |
threshold_inequality | | |
incident_severity_threshold | | |
send_to_incident_owner | | |
send_to_team | | |
send_to_reporter | | |
include_reported_email | | |
additional_recipients | | |
exclude_recipients | | |
content | | |
email_body_preface | | |
email_subject | | |
beginning_delimiter | | |
ending_delimiter | | |
messageId | | |
originalMailbox | | |
isMessageRead | | |
quarantineFolder | | |
quarantineMailbox | | |
mailProvider | | |
updateMessage | | |
source | | |
category | | |
attacker | | |
target | | |
cnc | | |
other | | |
url | | |
role | | |
hostchain | | ✓ |
tag | | ✓ |
rawMessage | | ✓ |

Field | Type | Field transformation | Source field name | Extra fields |
---|---|---|---|---|
eventdate | | | | |
hostname | | | | |
id | | | | |
score | | | | |
state | | | | |
created_at | | | | |
updated_at | | | | |
closed_at | | | | |
close_summary | | | | |
close_detail | | | | |
event_count | | | | |
false_positive_count | | | | |
event_sources_str | | | event_sources | |
assignee | | | | |
team | | | | |
hosts__attacker_str | | | hosts__attacker | |
incident_field_values__name_str | | | incident_field_values__name | |
incident_field_values__value_str | | | incident_field_values__value | |
quarantine_results__alertSource_str | | | quarantine_results__alertSource | |
quarantine_results__startTime_str | | | quarantine_results__startTime | |
quarantine_results__endTime_str | | | quarantine_results__endTime | |
quarantine_results__status_str | | | quarantine_results__status | |
quarantine_results__recipientType_str | | | quarantine_results__recipientType | |
quarantine_results__recipient_str | | | quarantine_results__recipient | |
quarantine_results__messageId_str | | | quarantine_results__messageId | |
quarantine_results__isRead_str | | | quarantine_results__isRead | |
quarantine_results__wasUndone_str | | | quarantine_results__wasUndone | |
quarantine_results__details_str | | | quarantine_results__details | |
successful_quarantines | | | | |
failed_quarantines | | | | |
pending_quarantines | | | | |
events__id | | | | |
events__category | | | | |
events__alertType | | | | |
events__severity | | | | |
events__source | | | | |
events__state | | | | |
events__attackDirection | | | | |
events__received | | | | |
events__emails__sender__email_str | | | events__emails__sender__email | |
events__emails__recipient__email_str | | | events__emails__recipient__email | |
events__emails__subject_str | | | events__emails__subject | |
events__emails__messageId_str | | | events__emails__messageId | |
events__emails__messageDeliveryTime__chronology__zone__fixed_str | | | events__emails__messageDeliveryTime__chronology__zone__fixed | |
events__emails__messageDeliveryTime__chronology__zone__id_str | | | events__emails__messageDeliveryTime__chronology__zone__id | |
events__emails__messageDeliveryTime__millis_str | | | events__emails__messageDeliveryTime__millis | |
events__emails__messageDeliveryTime__zone__fixed_str | | | events__emails__messageDeliveryTime__zone__fixed | |
events__emails__messageDeliveryTime__zone__id_str | | | events__emails__messageDeliveryTime__zone__id | |
events__emails__messageDeliveryTime__afterNow_str | | | events__emails__messageDeliveryTime__afterNow | |
events__emails__messageDeliveryTime__beforeNow_str | | | events__emails__messageDeliveryTime__beforeNow | |
events__emails__messageDeliveryTime__equalNow_str | | | events__emails__messageDeliveryTime__equalNow | |
events__emails__abuseCopy_str | | | events__emails__abuseCopy | |
events__attackers__location_str | | | events__attackers__location | |
events__falsePositive | | | | |
hostchain | | | | ✓ |
tag | | | | ✓ |
rawMessage | | | | ✓ |