The tags beginning with mail.proofpoint identify log events generated by Proofpoint products.
Tag structure
The full tag must have three levels. The first two are fixed as mail.proofpoint. The third level identifies the event type and must be one of tapsiem_v2, sendmail, tapsiem_syslog, stdout, tapsiem, or trap.
The fourth tag level (subtype) is only used by the main.proofpoint.tapsiem_v2 table, and can have one of the values in the table:
technology | brand | type | subtype |
---|---|---|---|
proofpoint |
|
|
Therefore, the valid tags include:
- mail.proofpoint.tapsiem_v2
- mail.proofpoint.sendmail
- mail.proofpoint.tapsiem_syslog (OBSOLETE)
- mail.proofpoint.stdout
- mail.proofpoint.tapsiem (OBSOLETE)
- mail.proofpoint.trap
- mail.proofpoint.tapsiem_v2.clicksblocked
- mail.proofpoint.tapsiem_v2.clickspermitted
- mail.proofpoint.tapsiem_v2.messagesblocked
- mail.proofpoint.tapsiem_v2.messagesdelivered
For more information, read more about Devo tags.
Devo Relay rules
Rule 1 - Proofpoint Trap
- Source port → 14001
- Source data → (\[PTRAuditData [^\]]+\].*)$
- Target tag → mail.proofpoint.trap
- Target message → \\D1
- Select both Stop processing and Sent without syslog tag
Rule 2 - Proofpoint stdout
- Source port → 13009
- Source tag → filter_instance1
- Target tag → mail.proofpoint.stdout
- Select Stop processing
Rule 3 - Proofpoint sendmail
- Source port → 13009
- Target tag → mail.proofpoint.sendmail
- Select Stop processing
Log samples
type | message |
---|---|
mail.proofpoint.sendmail | xxxxxx: from=<xxxxx@xxxx.com>, size=148595, class=-60, nrcpts=1, msgid=<xxxxxxxxxx@xxxx.com>, proto=SMTP, daemon=MTA, tls_verify=NONE, auth=NONE, relay=xxxx[127.0.0.1] |
mail.proofpoint.stdout | [2011-10-23 16:05:59.502387 +0000] rprt s=xxxx mod=session cmd=connect ip=111.111.111.111 perlwait=0.085 |
mail.proofpoint.tapsiem | {"threatTime":"2018-03-22T21:46:52.000Z","url":"http:/xxxxx","clickTime":"2018-03-19T12:35:54.000Z","eventType":"clicksPermitted","campaignId":null,"classification":"spam","sender":null,"threatID":"xxx","GUID":"xxx","threatStatus":"active","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.111.111.111 Safari/537.36","senderIP":null,"recipient":"xxx@xxx.com","threatURL":"https://threatinsight.proofpoint.com/xxx","messageID":"","clickIP":"111.111.111.111"} |
mail.proofpoint.tapsiem_syslog | <38>1 2019-05-11T00:57:53Z - ProofpointTAP - MSGBLK [tapmsg@21139 messageTime="2019-05-11T00:57:53Z" messageID="<xxx.xxx@xxx.xxx.com.ar>" recipient="xxx@xxx.xxx.edu" sender="xxx@xxx.com.ar" senderIP="111.111.111.111" phishScore="0" spamScore="100" QID="xxx-1" GUID="oDoRuf-xxx" threatsInfoMap="[{\\"threatID\\":\\"xxx\\",\\"threatStatus\\":\\"active\\",\\"classification\\":\\"malware\\",\\"threatUrl\\":\\"https://xxxxxxxxx",\\"threatTime\\":\\"2019-05-11T00:27:08.000Z\\",\\"threat\\":\\"xxx\\",\\"campaignID\\":null,\\"threatType\\":\\"attachment\\"},{\\"threatID\\":\\"xxx\\",\\"threatStatus\\":\\"active\\",\\"classification\\":\\"malware\\",\\"threatUrl\\":\\"https://threatinsight.proofpoint.com/xxx/threat/email/xxx\\",\\"threatTime\\":\\"2019-05-11T00:29:50.000Z\\",\\"threat\\":\\"simplifyglobalsolutions.com/xgcwh/INC/x/\\",\\"campaignID\\":null,\\"threatType\\":\\"url\\"},{\\"threatID\\":\\"xxx\\",\\"threatStatus\\":\\"active\\",\\"classification\\":\\"malware\\",\\"threatUrl\\":\\"https://threatinsight.proofpoint.com/77e3276e-ced0-b80a-dc32-8bd951f47db2/threat/email/xxx\\",\\"threatTime\\":\\"2019-05-13T19:12:51.000Z\\",\\"threat\\":\\"simplifyglobalsolutions.com/xgcwh/\\",\\"campaignID\\":null,\\"threatType\\":\\"url\\"}\\]" malwareScore="0" impostorScore="0.0" cluster="columbiaunivmedcenter_production" subject="Your Wellsfargo, N.A. Account Has Been Suspended" quarantineFolder="Attachment Defense" quarantineRule="module.sandbox.rule.threat" policyRoutes="default_inbound" modulesRun="access,dkim,smtpsrv,av,zerohour,spf,dkimv,sandbox,spam,dmarc,pdr,urldefense" messageSize="49696" headerFrom="\\"Wellsfargo (US)\\" <xxx@xxx.ar>" headerReplyTo="null" fromAddress="xxx@cxxx.ar" toAddresses="xxx@xxx.xxx.edu" ccAddresses="null" replyToAddress="null" xmailer="null" completelyRewritten="false" messageParts="[{\\"disposition\\":\\"attached\\",\\"sha256\\":\\"xxx\\",\\"md5\\":\\"xxx\\",\\"filename\\":\\"xxxugp xxx.pdf\\",\\"sandboxStatus\\":\\"NOT_REQUESTED\\",\\"oContentType\\":\\"application/pdf\\",\\"contentType\\":\\"xxx/pdf\\"},{\\"disposition\\":\\"inline\\",\\"sha256\\":\\"xxx\\",\\"md5\\":\\"xxx\\",\\"filename\\":\\"text.txt\\",\\"xxx\\":\\"NOT_REQUESTED\\",\\"oContentType\\":\\"text/plain\\",\\"contentType\\":\\"text/plain\\"},{\\"disposition\\":\\"inline\\",\\"sha256\\":\\"xxx\\",\\"md5\\":\\"xxx\\",\\"filename\\":\\"text.html\\",\\"xxx\\":\\"NOT_REQUESTED\\",\\"oContentType\\":\\"text/html\\",\\"contentType\\":\\"text/html\\"}\\]"] |
mail.proofpoint.tapsiem_v2.messagesblocked | {"spamScore": 100, "phishScore": 6, "threatsInfoMap": [{"threatID": "xxx", "threatStatus": "active", "classification": "malware", "threatUrl": "https://xxx", "threatTime": "2019-03-20T15:41:41.000Z", "threat": "xxx", "campaignID": null, "threatType": "attachment"}], "messageTime": "2019-03-20T14:29:29.000Z", "impostorScore": 0.0, "malwareScore": 0, "cluster": "nike_hosted2", "subject": "Re: New course, New email", "quarantineFolder": "Spam Definite", "quarantineRule": "module.spam.rule.inbound_spam_definite", "policyRoutes": ["default_inbound"], "modulesRun": ["access", "smtpsrv", "av", "zerohour", "spf", "sandbox", "spam", "pdr", "urldefense"], "messageSize": 69066, "headerFrom": "\\"xx@x.com\\" <x@x.com>", "headerReplyTo": null, "fromAddress": ["x@x.com"], "ccAddresses": [], "replyToAddress": [], "toAddresses": ["x.x@x.com"], "xmailer": "Outlook", "messageParts": [{"disposition": "attached", "sha256": "x", "md5": "x", "filename": "information.zip", "sandboxStatus": "NOT_REQUESTED", "oContentType": "application/zip", "contentType": "application/zip"}, {"disposition": "attached", "sha256": "", "md5": null, "filename": "", "sandboxStatus": null, "oContentType": "", "contentType": ""}, {"disposition": "inline", "sha256": "x", "md5": "x", "filename": "text.txt", "sandboxStatus": "NOT_REQUESTED", "oContentType": "text/plain", "contentType": "text/plain"}, {"disposition": "inline", "sha256": "x", "md5": "x", "filename": "text.html", "sandboxStatus": "NOT_REQUESTED", "oContentType": "text/html", "contentType": "text/html"}], "completelyRewritten": false, "QID": "2rbndvgg9n-1", "GUID": "x-3yp-x", "sender": "x@x.net", "recipient": ["x@x.com"], "senderIP": "111.111.111.111", "messageID": "<x@111.111.111.111>"} |
mail.proofpoint.trap | [backend.INFO][PTRAuditData application_version="5.3.0" event="CREATE" identity="Incident(2027)"] name=Unsolicited Bulk Email state=new severity=CRITICAL alert_id=6230 tc_tc-backend_1.tc_threatrespons [backend.INFO][PTRAuditData application_version="5.3.0" event="CREATE" identity="Incident(2028)"] name=Malicious content dropped during execution state=new severity=CRITICAL alert_id=6231 tc_tc-backend_1.tc_threatrespons [backend.INFO][PTRAuditData application_version="5.3.0" event="CREATE" identity="Incident(2029)"] name=(not set) state=new severity=MAJOR alert_id=6232 tc_tc-backend_1.tc_threatrespons [backend.INFO][PTRAuditData application_version="5.3.0" event="CREATE" identity="IncidentActivity(25251)"][incident_data incident_id="2026" activity_type="response" tc_tc-backend_1.tc_threatrespons [backend.INFO][PTRAuditData application_version="5.3.0" event="CREATE" identity="IncidentActivity(25252)"][incident_data incident_id="2026" activity_type="state_change"] old_value=created new_value=closed tc_tc-backend_1.tc_threatrespons [backend.INFO][PTRAuditData application_version="5.3.0" event="CREATE" identity="IncidentActivity(25253)"][incident_data incident_id="2027" activity_type="state_change"] summary=Unsolicited Bulk Email old_value=none new_value=created tc_tc-backend_1.tc_threatrespons [backend.INFO][PTRAuditData application_version="5.3.0" event="CREATE" identity="Response(6474)"] incident_id=2032 type=QuarantineResponseDefinition automated=true [PTRAuditData application_version="5.3.0" event="LOGIN" identity="User(34)"] vincentgoffin LOGIN User(34) username=vincentgoffin ip=10.41.36.78 result=success tc_tc-backend_1.tc_threatrespons [backend.INFO][PTRAuditData application_version="5.3.0" event="MODIFY" identity="Incident(2026)"] name=Fake captcha that redirects to Phish state=new severity=MAJOR alert_id=6229 tc_tc-backend_1.tc_threatrespons [backend.INFO][PTRAuditData application_version="5.3.0" event="RESOLVE" identity="Host(2479)"] host=52.32.252.160 ips=52.32.252.160 ttl=0 |