Comment: Converted from version 'v7.0.8'.


technology | brand      | type           | subtype
-----------|------------|----------------|------------------
mail       | proofpoint | tapsiem_v2     | clicksblocked
           |            |                | clickspermitted
           |            |                | messagesblocked
           |            |                | messagesdelivered
           |            | sendmail       |
           |            | tapsiem_syslog |
           |            | stdout         |
           |            | tapsiem        |
           |            | trap           |

Therefore, the valid tags include:

  • mail.proofpoint.tapsiem_v2
  • mail.proofpoint.sendmail
  • mail.proofpoint.tapsiem_syslog (OBSOLETE)
  • mail.proofpoint.stdout
  • mail.proofpoint.tapsiem (OBSOLETE)
  • mail.proofpoint.trap
  • mail.proofpoint.tapsiem_v2.clicksblocked
  • mail.proofpoint.tapsiem_v2.clickspermitted
  • mail.proofpoint.tapsiem_v2.messagesblocked
  • mail.proofpoint.tapsiem_v2.messagesdelivered

For more information, see Devo tags.

Devo Relay rules

Rule 1 - Proofpoint Trap

  • Source port → 14001
  • Source data → (\[PTRAuditData [^\]]+\].*)$
  • Target tag → mail.proofpoint.trap
  • Target message → \\D1
  • Select both Stop processing and Sent without syslog tag

Rule 2 - Proofpoint stdout

  • Source port → 13009
  • Source tag → filter_instance1
  • Target tag → mail.proofpoint.stdout
  • Select Stop processing

Rule 3 - Proofpoint sendmail

  • Source port → 13009
  • Target tag → mail.proofpoint.sendmail
  • Select Stop processing
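The three rules above are only safe in the order shown: Rule 2 and Rule 3 listen on the same port, and Rule 3 has no source-tag condition, so it would swallow the filter_instance1 events if it came first. The script below is an added example (not the Devo relay's own code) that models the rules as a first-match list with the assumed semantics that a rule fires only when all its source conditions hold and "Stop processing" ends evaluation at the first hit. The sample message is constructed in the shape of the Threat Response audit lines shown later on this page.

```python
import re
from typing import Optional, Tuple

# Simplified model of the three relay rules (added example; assumed first-match
# semantics, not the Devo relay implementation).
RELAY_RULES = [
    {   # Rule 1 - Proofpoint Trap: keep only the [PTRAuditData ...] part of the line
        "name": "Rule 1 - Proofpoint Trap",
        "source_port": 14001,
        "source_data": re.compile(r"(\[PTRAuditData [^\]]+\].*)$"),
        "target_tag": "mail.proofpoint.trap",
    },
    {   # Rule 2 - Proofpoint stdout: narrower than Rule 3 because it also needs the syslog tag
        "name": "Rule 2 - Proofpoint stdout",
        "source_port": 13009,
        "source_tag": "filter_instance1",
        "target_tag": "mail.proofpoint.stdout",
    },
    {   # Rule 3 - Proofpoint sendmail: catch-all for everything else arriving on 13009
        "name": "Rule 3 - Proofpoint sendmail",
        "source_port": 13009,
        "target_tag": "mail.proofpoint.sendmail",
    },
]

# Constructed sample as Threat Response would send it on port 14001.
TRAP_MESSAGE = (
    'tc_tc-backend_1.tc_threatrespons [backend.INFO][PTRAuditData application_version="5.3.0" '
    'event="CREATE" identity="Response(6474)"] incident_id=2032 type=QuarantineResponseDefinition automated=true'
)


def route(port: int, message: str, source_tag: Optional[str] = None,
          rules=RELAY_RULES) -> Optional[Tuple[str, str]]:
    """Return (target_tag, target_message) from the first matching rule, or None."""
    for rule in rules:
        if rule["source_port"] != port:
            continue
        if "source_tag" in rule and rule["source_tag"] != source_tag:
            continue
        target_message = message
        if "source_data" in rule:
            match = rule["source_data"].search(message)
            if not match:
                continue  # no PTRAuditData header: Rule 1 does not apply
            # "Target message → \\D1" refers to capture group 1 of the source data regex
            target_message = match.group(1)
        # All three rules select "Stop processing", so the first match is final.
        return rule["target_tag"], target_message
    return None


if __name__ == "__main__":
    print(route(14001, TRAP_MESSAGE))
    print(route(13009, "sendmail line", source_tag="filter_instance1"))
    print(route(13009, "sendmail line"))
    # Same event with Rule 3 listed before Rule 2: it is mis-tagged as sendmail
    print(route(13009, "stdout line", source_tag="filter_instance1",
                rules=[RELAY_RULES[2], RELAY_RULES[1]]))
```

The last call in the usage block shows the failure mode to check for when adding rules: with Rule 3 ahead of Rule 2, every event on port 13009 is tagged mail.proofpoint.sendmail, and the stdout data never reaches its table. The capture-group rewrite in Rule 1 also strips the container prefix (tc_tc-backend_1...), which is why the rawMessage in the parsed table below starts where it does only for events that actually contain the audit header.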

Log samples

The following are sample logs sent to each of the mail.proofpoint data tables. Also, find how the information will be parsed in your data table under each sample log.

Note: Extra columns

Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.

mail.proofpoint.trap

2021-09-17 08:56:20.987 localhost=127.0.0.1 mail.proofpoint.trap: tc_tc-backend_1.tc_threatrespons [backend.INFO][PTRAuditData application_version="5.3.0" event="CREATE" identity="Response(6474)"] incident_id=2032 type=QuarantineResponseDefinition automated=true

Other messages seen on this tag:

  • [backend.INFO][PTRAuditData application_version="5.3.0" event="CREATE" identity="Incident(2027)"] name=Unsolicited Bulk Email state=new severity=CRITICAL alert_id=6230
  • " event="CREATE" identity="Incident(2029)"] name=(not set) state=new severity=MAJOR alert_id=6232
  • tc_tc-backend_1.tc_threatrespons [backend.INFO][PTRAuditData application_version="5.3.0" event="CREATE" identity="IncidentActivity(25251)"][incident_data incident_id="2026" activity_type="response"
  • tc_tc-backend_1.tc_threatrespons [backend.INFO][PTRAuditData application_version="5.3.0" event="CREATE" identity="IncidentActivity(25252)"][incident_data incident_id="2026" activity_type="state_change"] old_value=created new_value=closed
  • tc_tc-backend_1.tc_threatrespons [backend.INFO][PTRAuditData application_version="5.3.0" event="CREATE" identity="IncidentActivity(25253)"][incident_data incident_id="2027" activity_type="state_change"] summary=Unsolicited Bulk Email old_value=none new_value=created
  • [PTRAuditData application_version="5.3.0" event="LOGIN" identity="User(34)"] vincentgoffin LOGIN User(34) username=vincentgoffin ip=10.41.36.78 result=success
  • MODIFYIncident2026 name=Fake captcha that redirects to Phish state=new severity=MAJOR alert_id=6229
  • tc_tc-backend_1.tc_threatrespons [backend.INFO][PTRAuditData application_version="5.3.0" event="RESOLVE" identity="Host(2479)"] host=52.32.252.160 ips=52.32.252.160 ttl=0

And this is how the first sample log would be parsed:

Field | Value | Type | Extra field
------|-------|------|------------
eventdate | 2021-09-17 08:56:20.987 | timestamp |
hostname | localhost | str |
application_version | 5.3.0 | str |
event | CREATE | str |
identity | Response(6474) | str |
identity_type | Response | str |
identity_id | 6474 | str |
incident_data | null | str |
incident_id | 2032 | str |
activity_type | null | str |
summary | null | str |
old_value | null | str |
new_value | null | str |
type | QuarantineResponseDefinition | str |
automated | true | bool |
name | null | str |
state | null | str |
severity | null | str |
alert_id | null | int4 |
username | null | str |
ip | null | ip4 |
result | null | str |
host | null | ip4 |
ips | null | ip4 |
ttl | null | int4 |
enabled | null | str |
condition_list | null | str |
threshold_type | null | str |
threshold_inequality | null | str |
incident_severity_threshold | null | str |
send_to_incident_owner | null | str |
send_to_team | null | str |
send_to_reporter | null | str |
include_reported_email | null | str |
additional_recipients | null | str |
exclude_recipients | null | str |
content | null | str |
email_body_preface | null | str |
email_subject | null | str |
beginning_delimiter | null | str |
ending_delimiter | null | str |
messageId | null | str |
originalMailbox | null | str |
isMessageRead | null | bool |
quarantineFolder | null | str |
quarantineMailbox | null | str |
mailProvider | null | str |
updateMessage | null | str |
source | null | str |
category | null | str |
attacker | null | str |
target | null | str |
cnc | null | str |
other | null | str |
url | null | str |
role | null | str |
hostchain | localhost=127.0.0.1 | str |
tag | mail.proofpoint.trap | str |
rawMessage | tc_tc-backend_1.tc_threatrespons [backend.INFO][PTRAuditData application_version="5.3.0" event="CREATE" identity="Response(6474)"] incident_id=2032 type=QuarantineResponseDefinition automated=true | str |
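To see how the table above is derived from the raw line, here is an added example parser (not Devo's own parser, and not part of the original page) that splits the Devo envelope, the [PTRAuditData ...] header, the optional [incident_data ...] block and the key=value body into the same field names the table uses. The two sample events are constructed from the messages shown on this page; treating incident_data as the inner text of that block, lifting its attributes to top-level fields, and coercing alert_id/ttl to int and automated/isMessageRead to bool are assumptions taken from the Type column.

```python
import re
from typing import Any, Dict, Optional

# Constructed sample: the mail.proofpoint.trap event from this page in Devo's
# "<eventdate> <hostchain> <tag>: <rawMessage>" layout.
SAMPLE_EVENT = (
    '2021-09-17 08:56:20.987 localhost=127.0.0.1 mail.proofpoint.trap: '
    'tc_tc-backend_1.tc_threatrespons [backend.INFO][PTRAuditData application_version="5.3.0" '
    'event="CREATE" identity="Response(6474)"] incident_id=2032 type=QuarantineResponseDefinition automated=true'
)

# Constructed sample shaped like the IncidentActivity messages, which carry an
# [incident_data ...] block between the audit header and the key=value body.
SAMPLE_ACTIVITY = (
    '2021-09-17 08:56:21.001 localhost=127.0.0.1 mail.proofpoint.trap: '
    'tc_tc-backend_1.tc_threatrespons [backend.INFO][PTRAuditData application_version="5.3.0" '
    'event="CREATE" identity="IncidentActivity(25252)"][incident_data incident_id="2026" '
    'activity_type="state_change"] old_value=created new_value=closed'
)

ENVELOPE_RE = re.compile(r"^(?P<eventdate>\S+ \S+) (?P<hostchain>\S+) (?P<tag>\S+): (?P<rawMessage>.*)$")
AUDIT_RE = re.compile(r"\[PTRAuditData ([^\]]+)\](?:\[incident_data ([^\]]+)\])?\s*(.*)$")
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')       # key="value" attributes inside [...]
IDENTITY_RE = re.compile(r"^(\w+)\((\d+)\)$")  # Response(6474) -> identity_type, identity_id
KV_SPLIT_RE = re.compile(r"\s+(?=\w+=)")       # split the body only in front of the next key=
INT_FIELDS = {"alert_id", "ttl"}               # int4 in the table (assumed coercion)
BOOL_FIELDS = {"automated", "isMessageRead"}   # bool in the table (assumed coercion)


def _coerce(key: str, value: str) -> Any:
    if key in BOOL_FIELDS:
        return value.lower() == "true"
    if key in INT_FIELDS:
        return int(value) if value.isdigit() else None
    return value


def parse_body(body: str) -> Dict[str, Any]:
    """Parse 'k=v k2=v with spaces' into a dict; values keep their spaces."""
    fields: Dict[str, Any] = {}
    for pair in KV_SPLIT_RE.split(body.strip()):
        if "=" not in pair:
            continue
        key, _, value = pair.partition("=")
        fields[key] = _coerce(key, value)
    return fields


def parse_trap_event(line: str) -> Optional[Dict[str, Any]]:
    """Return the parsed fields for one mail.proofpoint.trap line, or None if it is not one."""
    env = ENVELOPE_RE.match(line)
    if not env:
        return None
    out: Dict[str, Any] = env.groupdict()
    out["hostname"] = out["hostchain"].split("=", 1)[0]
    audit = AUDIT_RE.search(out["rawMessage"])
    if not audit:
        return None  # no PTRAuditData header: relay Rule 1 would not have tagged it either
    header, incident_data, body = audit.groups()
    out.update(dict(ATTR_RE.findall(header)))
    out["identity_type"] = out["identity_id"] = None
    ident = IDENTITY_RE.match(out.get("identity", ""))
    if ident:
        out["identity_type"], out["identity_id"] = ident.groups()
    out["incident_data"] = incident_data
    if incident_data:
        out.update(dict(ATTR_RE.findall(incident_data)))
    out.update(parse_body(body))
    return out


if __name__ == "__main__":
    for line in (SAMPLE_EVENT, SAMPLE_ACTIVITY):
        print(parse_trap_event(line))
```

One point for anyone building alerts on these fields: name and summary are free text taken from the reported email (the "Fake captcha that redirects to Phish" sample above is one), so a subject containing something of the form word= would be split as a new key by the body parser. Detections and dashboards keyed on those columns should treat them as untrusted input rather than as structured data.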