technology | brand | type | subtype
---|---|---|---
mail | proofpoint | tapsiem_v2 | clicksblocked, clickspermitted, messagesblocked, messagesdelivered
mail | proofpoint | trap |
mail | proofpoint | sendmail |
mail | proofpoint | stdout |
mail | proofpoint | tapsiem_syslog (OBSOLETE) |
mail | proofpoint | tapsiem (OBSOLETE) |
Therefore, the valid tags include:
- mail.proofpoint.tapsiem_v2
- mail.proofpoint.tapsiem_v2.clicksblocked
- mail.proofpoint.tapsiem_v2.clickspermitted
- mail.proofpoint.tapsiem_v2.messagesblocked
- mail.proofpoint.tapsiem_v2.messagesdelivered
- mail.proofpoint.trap
- mail.proofpoint.sendmail
- mail.proofpoint.stdout
- mail.proofpoint.tapsiem_syslog (OBSOLETE)
- mail.proofpoint.tapsiem (OBSOLETE)
For more information, read more about Devo tags.
Devo Relay rules
Rule 1 - Proofpoint Trap
- Source port → 14001
- Source data → (\[PTRAuditData [^\]]+\].*)$
- Target tag → mail.proofpoint.trap
- Target message → \\D1
- Select both Stop processing and Sent without syslog tag
The Source data regular expression captures everything from [PTRAuditData up to the end of the line, so the container and log-level prefix that precedes it in the raw event (for example tc_tc-backend_1.tc_threatrespons [backend.INFO]) is dropped and only the audit record is stored in mail.proofpoint.trap.
Rule 2 - Proofpoint stdout
- Source port → 13009
- Source tag → filter_instance1
- Target tag → mail.proofpoint.stdout
- Select Stop processing
Rule 3 - Proofpoint sendmail
- Source port → 13009
- Target tag → mail.proofpoint.sendmail
- Select Stop processing
Rules 2 and 3 both listen on port 13009, so keep them in this order. Rule 2 is the more specific one (it requires the source tag filter_instance1) and stops processing on a match, so Rule 3 only receives the events on that port that Rule 2 did not claim. If Rule 3 came first it would tag every event on port 13009 as mail.proofpoint.sendmail.
Log samples
The following are sample logs sent to each of the mail.proofpoint data tables. Also, find how the information will be parsed in your data table under each sample log.
Note: Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.
mail.proofpoint.trap
```
2021-09-17 08:56:20.987 localhost=127.0.0.1 mail.proofpoint.trap: tc_tc-backend_1.tc_threatrespons [backend.INFO][PTRAuditData application_version="5.3.0" event="CREATE" identity="...Response(...6474)"] ... incident_id=2032 type=QuarantineResponseDefinition automated=true
[backend.INFO][PTRAuditData application_version="5.3.0" event="CREATE" identity="Incident(2027)"] name=Unsolicited Bulk Email state=new severity=CRITICAL alert_id=6230
```
And this is how the log would be parsed (values are shown only where the sample above makes them visible; the identity value is cut in the sample and is left blank):
Field | Value | Type | Extra field
---|---|---|---
eventdate | 2021-09-17 08:56:20.987 | |
hostname | | |
application_version | 5.3.0 | |
event | CREATE | |
identity | | |
identity_type | | |
identity_id | | |
incident_data | | |
incident_id | 2032 | |
activity_type | | |
summary | | |
old_value | | |
new_value | | |
type | QuarantineResponseDefinition | |
automated | true | |
name | | |
state | | |
severity | | |
alert_id | | |
username | | |
ip | | |
result | | |
host | | |
ips | | |
ttl | | |
enabled | | |
condition_list | | |
threshold_type | | |
threshold_inequality | | |
incident_severity_threshold | | |
send_to_incident_owner | | |
send_to_team | | |
send_to_reporter | | |
include_reported_email | | |
additional_recipients | | |
exclude_recipients | | |
content | | |
email_body_preface | | |
email_subject | | |
beginning_delimiter | | |
ending_delimiter | | |
messageId | | |
originalMailbox | | |
isMessageRead | | |
quarantineFolder | | |
quarantineMailbox | | |
mailProvider | | |
updateMessage | | |
source | | |
category | | |
attacker | | |
target | | |
cnc | | |
other | | |
url | | |
role | | |
hostchain | | | ✓
tag | | | ✓
rawMessage | | | ✓
Further records from the same table appear on the original page as fragments; they show how the same header carries different event and identity types:
```
... event="CREATE" identity="Incident(2029)"] name=(not set) state=new severity=MAJOR alert_id=6232
event=MODIFY identity_type=Incident identity_id=2026 incident_data: name=Fake captcha that redirects to Phish state=new severity=MAJOR alert_id=6229
tc_tc-backend_1.tc_threatrespons [backend.INFO][PTRAuditData application_version="5.3.0" event="RESOLVE" identity="Host(2479)"] host=52.32.252.160 ips=52.32.252.160 ttl=0
```
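The following is an added example, not code from the original page or from Devo or Proofpoint. It re-implements the three relay rules above (port and source-tag matching, the [PTRAuditData capture group, first-match-wins with Stop processing) and then splits a mail.proofpoint.trap message into the fields of the table above: the quoted pairs of the PTRAuditData header, identity_type and identity_id derived from identity, and the unquoted key=value pairs that follow, whose values may contain spaces. The function names, the split heuristic for unquoted values and the sample lines (constructed from the samples on this page) are assumptions of this example.

```python
import re
from typing import Dict, Optional, Tuple

# Relay Rule 1 from the page: capture from "[PTRAuditData" to end of line.
# The prefix before it (container name, "[backend.INFO]") is dropped, which is
# what "Target message -> \D1" does on the relay.
PTR_AUDIT_RE = re.compile(r"(\[PTRAuditData [^\]]+\].*)$")

# Inside the brackets: key="value" pairs, values always double-quoted.
HEADER_KV_RE = re.compile(r'(\w+)="([^"]*)"')
# identity="Incident(2027)" -> identity_type=Incident, identity_id=2027
IDENTITY_RE = re.compile(r"^(\w+)\((\d+)\)$")
# After the brackets: key=value pairs whose values may contain spaces
# (name=Unsolicited Bulk Email state=new), so split only on whitespace that
# is followed by the next key. A value that itself contains "word=" would be
# split too early (assumption: the samples on the page never do that).
BODY_SPLIT_RE = re.compile(r"\s+(?=\w+=)")

# Constructed from the sample lines shown on this page, without the
# timestamp/host header, i.e. the message as the relay receives it on 14001.
SAMPLE_TRAP_LINES = [
    'tc_tc-backend_1.tc_threatrespons [backend.INFO][PTRAuditData '
    'application_version="5.3.0" event="CREATE" identity="Incident(2027)"] '
    'name=Unsolicited Bulk Email state=new severity=CRITICAL alert_id=6230',
    'tc_tc-backend_1.tc_threatrespons [backend.INFO][PTRAuditData '
    'application_version="5.3.0" event="RESOLVE" identity="Host(2479)"] '
    'host=52.32.252.160 ips=52.32.252.160 ttl=0',
]


def apply_relay_rules(port: int, source_tag: Optional[str],
                      message: str) -> Optional[Tuple[str, str]]:
    """Hypothetical re-implementation of the three relay rules on the page.
    Rules are tried in page order and every rule has 'Stop processing'
    selected, so the first match wins. Returns (target_tag, target_message)
    or None when no rule matches."""
    # Rule 1 - Proofpoint Trap: port 14001 AND the Source data regex matches.
    if port == 14001:
        m = PTR_AUDIT_RE.search(message)
        if m:
            return "mail.proofpoint.trap", m.group(1)  # \D1
    # Rule 2 - Proofpoint stdout: port 13009 with source tag filter_instance1.
    if port == 13009 and source_tag == "filter_instance1":
        return "mail.proofpoint.stdout", message
    # Rule 3 - Proofpoint sendmail: anything else on port 13009.
    # Rule 2 must precede this one or it would swallow the stdout events.
    if port == 13009:
        return "mail.proofpoint.sendmail", message
    return None


def parse_ptr_audit(message: str) -> Dict[str, object]:
    """Split a mail.proofpoint.trap message into table fields: the quoted
    pairs of the [PTRAuditData ...] header, identity_type / identity_id
    derived from identity, and the unquoted key=value pairs after the
    header. Values stay strings except identity_id, which becomes an int."""
    m = re.match(r"\[PTRAuditData ([^\]]+)\]\s*(.*)$", message)
    if not m:
        raise ValueError("not a PTRAuditData record: %r" % message[:60])
    header, body = m.groups()
    fields: Dict[str, object] = dict(HEADER_KV_RE.findall(header))
    ident = IDENTITY_RE.match(str(fields.get("identity", "")))
    if ident:
        fields["identity_type"] = ident.group(1)
        fields["identity_id"] = int(ident.group(2))
    body = body.strip()
    if body:
        for token in BODY_SPLIT_RE.split(body):
            key, _, value = token.partition("=")
            fields[key] = value
    return fields


def relay_and_parse(port: int, source_tag: Optional[str],
                    raw: str) -> Optional[Dict[str, object]]:
    """Run one incoming line through the relay rules and, for the trap
    table, through the field parser. Other tables keep the raw message."""
    routed = apply_relay_rules(port, source_tag, raw)
    if routed is None:
        return None
    tag, message = routed
    record: Dict[str, object] = {"tag": tag, "rawMessage": message}
    if tag == "mail.proofpoint.trap":
        record.update(parse_ptr_audit(message))
    return record


if __name__ == "__main__":
    for line in SAMPLE_TRAP_LINES:
        print(relay_and_parse(14001, None, line))
```

Running the block prints one dictionary per sample line. The Incident sample yields identity_type Incident, identity_id 2027 and a multi-word name value intact; the Host sample yields identity_type Host with host, ips and ttl as separate keys, which is why the table above has columns for both groups of fields even though no single record fills them all.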