
The tags beginning with mail.proofpoint identify log events generated by Proofpoint products. 

Tag structure

The full tag must have three levels. The first two are fixed as mail.proofpoint. The third level identifies the event type and must be one of tapsiem_v2, sendmail, tapsiem_syslog, stdout, tapsiem, or trap.

The fourth tag level (subtype) is only used by the mail.proofpoint.tapsiem_v2 table, and can have one of the values in the table below:

technology   brand        type             subtype (tapsiem_v2 only)
mail         proofpoint   tapsiem_v2       clicksblocked
                          sendmail         clickspermitted
                          tapsiem_syslog   messagesblocked
                          stdout           messagesdelivered
                          tapsiem
                          trap

Therefore, the valid tags include:

  • mail.proofpoint.tapsiem_v2 
  • mail.proofpoint.sendmail
  • mail.proofpoint.tapsiem_syslog (OBSOLETE)
  • mail.proofpoint.stdout
  • mail.proofpoint.tapsiem (OBSOLETE)
  • mail.proofpoint.trap
  • mail.proofpoint.tapsiem_v2.clicksblocked
  • mail.proofpoint.tapsiem_v2.clickspermitted
  • mail.proofpoint.tapsiem_v2.messagesblocked
  • mail.proofpoint.tapsiem_v2.messagesdelivered

For more information, read more about Devo tags.

Devo Relay rules

Rule 1 - Proofpoint Trap

  • Source port → 14001
  • Source data → (\[PTRAuditData [^\]]+\].*)$
  • Target tag → mail.proofpoint.trap
  • Target message → \D1 (the first capture group of the Source data regex, so the forwarded event starts at [PTRAuditData and the container prefix before it is dropped)
  • Select both Stop processing and Sent without syslog tag

Rule 2 - Proofpoint stdout

  • Source port → 13009
  • Source tag → filter_instance1
  • Target tag → mail.proofpoint.stdout
  • Select Stop processing

Rule 3 - Proofpoint sendmail

  • Source port → 13009
  • Target tag → mail.proofpoint.sendmail
  • Select Stop processing
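The three rules above share ordering semantics that are easy to get wrong: rules 2 and 3 both listen on port 13009 and are told apart only by the syslog source tag, and rule 1 only fires when its Source data regex matches. The following Python is an added example (not Devo's relay code) that models those rules as listed, assuming the relay evaluates them top to bottom, that a rule whose Source data regex does not match is skipped, and that the first matching rule wins because every rule has Stop processing selected. The sample events are constructed, modelled on the page's log samples.

```python
import re

# Added example (not Devo's relay code): a minimal model of the three
# relay rules on this page, applied in the order they are listed.
# Each rule: source port, optional required source (syslog) tag, optional
# "Source data" regex whose first capture group becomes the message (\D1),
# and the Devo tag to assign. All three rules select "Stop processing".
RULES = [
    ("Proofpoint Trap", 14001, None,
     re.compile(r'(\[PTRAuditData [^\]]+\].*)$'), "mail.proofpoint.trap"),
    ("Proofpoint stdout", 13009, "filter_instance1", None, "mail.proofpoint.stdout"),
    ("Proofpoint sendmail", 13009, None, None, "mail.proofpoint.sendmail"),
]


def route(port, source_tag, message):
    """Return (devo_tag, message) for an event arriving on `port` with
    syslog tag `source_tag`, or (None, message) if no rule matches.
    Assumption: rules are evaluated top to bottom and the first matching
    rule wins, because every rule has Stop processing set."""
    for name, rule_port, rule_tag, pattern, target in RULES:
        if port != rule_port:
            continue
        if rule_tag is not None and source_tag != rule_tag:
            continue
        if pattern is not None:
            m = pattern.search(message)
            if m is None:
                continue          # Source data regex did not match: rule skipped
            message = m.group(1)  # \D1: drop everything before "[PTRAuditData"
        return target, message
    return None, message


# Constructed inputs modelled on the page's samples (not real traffic).
SAMPLES = [
    (14001, "tc_tc-backend_1",
     'tc_tc-backend_1.tc_threatrespons [backend.INFO][PTRAuditData application_version="5.3.0" '
     'event="CREATE" identity="Incident(2027)"] name=Unsolicited Bulk Email state=new severity=CRITICAL alert_id=6230'),
    (14001, "tc_tc-backend_1", "some unrelated line without an audit header"),
    (13009, "filter_instance1",
     "[2011-10-23 16:05:59.502387 +0000] rprt s=xxxx mod=session cmd=connect ip=111.111.111.111 perlwait=0.085"),
    (13009, "sendmail",
     "xxxxxx: from=<xxxxx@xxxx.com>, size=148595, class=-60, nrcpts=1, proto=SMTP, daemon=MTA, relay=xxxx[127.0.0.1]"),
]


def route_all(samples=SAMPLES):
    """Route every constructed sample; returns a list of (tag, message)."""
    return [route(*s) for s in samples]


if __name__ == "__main__":
    for (port, tag, _), (target, msg) in zip(SAMPLES, route_all()):
        print(f"{port} {tag!r:20} -> {target}: {msg[:60]}")
```

Two things the run makes visible: a port-14001 line without a [PTRAuditData ...] header is left untagged rather than sent to mail.proofpoint.trap, and a port-13009 event only reaches mail.proofpoint.stdout when its syslog tag is exactly filter_instance1; anything else on that port falls through to the sendmail rule.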

Log samples

type: mail.proofpoint.sendmail
message: xxxxxx: from=<xxxxx@xxxx.com>, size=148595, class=-60, nrcpts=1, msgid=<xxxxxxxxxx@xxxx.com>, proto=SMTP, daemon=MTA, tls_verify=NONE, auth=NONE, relay=xxxx[127.0.0.1]

type: mail.proofpoint.stdout
message: [2011-10-23 16:05:59.502387 +0000] rprt s=xxxx mod=session cmd=connect ip=111.111.111.111 perlwait=0.085

type: mail.proofpoint.tapsiem
message: {"threatTime":"2018-03-22T21:46:52.000Z","url":"http:/xxxxx","clickTime":"2018-03-19T12:35:54.000Z","eventType":"clicksPermitted","campaignId":null,"classification":"spam","sender":null,"threatID":"xxx","GUID":"xxx","threatStatus":"active","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.111.111.111 Safari/537.36","senderIP":null,"recipient":"xxx@xxx.com","threatURL":"https://threatinsight.proofpoint.com/xxx","messageID":"","clickIP":"111.111.111.111"}

type: mail.proofpoint.tapsiem_syslog
message: <38>1 2019-05-11T00:57:53Z - ProofpointTAP - MSGBLK [tapmsg@21139 messageTime="2019-05-11T00:57:53Z" messageID="<xxx.xxx@xxx.xxx.com.ar>" recipient="xxx@xxx.xxx.edu" sender="xxx@xxx.com.ar" senderIP="111.111.111.111" phishScore="0" spamScore="100" QID="xxx-1" GUID="oDoRuf-xxx" threatsInfoMap="[{\"threatID\":\"xxx\",\"threatStatus\":\"active\",\"classification\":\"malware\",\"threatUrl\":\"https://xxxxxxxxx\",\"threatTime\":\"2019-05-11T00:27:08.000Z\",\"threat\":\"xxx\",\"campaignID\":null,\"threatType\":\"attachment\"},{\"threatID\":\"xxx\",\"threatStatus\":\"active\",\"classification\":\"malware\",\"threatUrl\":\"https://threatinsight.proofpoint.com/xxx/threat/email/xxx\",\"threatTime\":\"2019-05-11T00:29:50.000Z\",\"threat\":\"simplifyglobalsolutions.com/xgcwh/INC/x/\",\"campaignID\":null,\"threatType\":\"url\"},{\"threatID\":\"xxx\",\"threatStatus\":\"active\",\"classification\":\"malware\",\"threatUrl\":\"https://threatinsight.proofpoint.com/77e3276e-ced0-b80a-dc32-8bd951f47db2/threat/email/xxx\",\"threatTime\":\"2019-05-13T19:12:51.000Z\",\"threat\":\"simplifyglobalsolutions.com/xgcwh/\",\"campaignID\":null,\"threatType\":\"url\"}\]" malwareScore="0" impostorScore="0.0" cluster="columbiaunivmedcenter_production" subject="Your Wellsfargo, N.A. Account Has Been Suspended" quarantineFolder="Attachment Defense" quarantineRule="module.sandbox.rule.threat" policyRoutes="default_inbound" modulesRun="access,dkim,smtpsrv,av,zerohour,spf,dkimv,sandbox,spam,dmarc,pdr,urldefense" messageSize="49696" headerFrom="\"Wellsfargo (US)\" <xxx@xxx.ar>" headerReplyTo="null" fromAddress="xxx@cxxx.ar" toAddresses="xxx@xxx.xxx.edu" ccAddresses="null" replyToAddress="null" xmailer="null" completelyRewritten="false" messageParts="[{\"disposition\":\"attached\",\"sha256\":\"xxx\",\"md5\":\"xxx\",\"filename\":\"xxxugp xxx.pdf\",\"sandboxStatus\":\"NOT_REQUESTED\",\"oContentType\":\"application/pdf\",\"contentType\":\"xxx/pdf\"},{\"disposition\":\"inline\",\"sha256\":\"xxx\",\"md5\":\"xxx\",\"filename\":\"text.txt\",\"xxx\":\"NOT_REQUESTED\",\"oContentType\":\"text/plain\",\"contentType\":\"text/plain\"},{\"disposition\":\"inline\",\"sha256\":\"xxx\",\"md5\":\"xxx\",\"filename\":\"text.html\",\"xxx\":\"NOT_REQUESTED\",\"oContentType\":\"text/html\",\"contentType\":\"text/html\"}\]"]

type: mail.proofpoint.tapsiem_v2.messagesblocked
message: {"spamScore": 100, "phishScore": 6, "threatsInfoMap": [{"threatID": "xxx", "threatStatus": "active", "classification": "malware", "threatUrl": "https://xxx", "threatTime": "2019-03-20T15:41:41.000Z", "threat": "xxx", "campaignID": null, "threatType": "attachment"}], "messageTime": "2019-03-20T14:29:29.000Z", "impostorScore": 0.0, "malwareScore": 0, "cluster": "nike_hosted2", "subject": "Re: New course, New email", "quarantineFolder": "Spam Definite", "quarantineRule": "module.spam.rule.inbound_spam_definite", "policyRoutes": ["default_inbound"], "modulesRun": ["access", "smtpsrv", "av", "zerohour", "spf", "sandbox", "spam", "pdr", "urldefense"], "messageSize": 69066, "headerFrom": "\"xx@x.com\" <x@x.com>", "headerReplyTo": null, "fromAddress": ["x@x.com"], "ccAddresses": [], "replyToAddress": [], "toAddresses": ["x.x@x.com"], "xmailer": "Outlook", "messageParts": [{"disposition": "attached", "sha256": "x", "md5": "x", "filename": "information.zip", "sandboxStatus": "NOT_REQUESTED", "oContentType": "application/zip", "contentType": "application/zip"}, {"disposition": "attached", "sha256": "", "md5": null, "filename": "", "sandboxStatus": null, "oContentType": "", "contentType": ""}, {"disposition": "inline", "sha256": "x", "md5": "x", "filename": "text.txt", "sandboxStatus": "NOT_REQUESTED", "oContentType": "text/plain", "contentType": "text/plain"}, {"disposition": "inline", "sha256": "x", "md5": "x", "filename": "text.html", "sandboxStatus": "NOT_REQUESTED", "oContentType": "text/html", "contentType": "text/html"}], "completelyRewritten": false, "QID": "2rbndvgg9n-1", "GUID": "x-3yp-x", "sender": "x@x.net", "recipient": ["x@x.com"], "senderIP": "111.111.111.111", "messageID": "<x@111.111.111.111>"}

type: mail.proofpoint.trap
messages (one event per line):
[backend.INFO][PTRAuditData application_version="5.3.0" event="CREATE" identity="Incident(2027)"] name=Unsolicited Bulk Email state=new severity=CRITICAL alert_id=6230
tc_tc-backend_1.tc_threatrespons [backend.INFO][PTRAuditData application_version="5.3.0" event="CREATE" identity="Incident(2028)"] name=Malicious content dropped during execution state=new severity=CRITICAL alert_id=6231
tc_tc-backend_1.tc_threatrespons [backend.INFO][PTRAuditData application_version="5.3.0" event="CREATE" identity="Incident(2029)"] name=(not set) state=new severity=MAJOR alert_id=6232
tc_tc-backend_1.tc_threatrespons [backend.INFO][PTRAuditData application_version="5.3.0" event="CREATE" identity="IncidentActivity(25251)"][incident_data incident_id="2026" activity_type="response"
tc_tc-backend_1.tc_threatrespons [backend.INFO][PTRAuditData application_version="5.3.0" event="CREATE" identity="IncidentActivity(25252)"][incident_data incident_id="2026" activity_type="state_change"] old_value=created new_value=closed
tc_tc-backend_1.tc_threatrespons [backend.INFO][PTRAuditData application_version="5.3.0" event="CREATE" identity="IncidentActivity(25253)"][incident_data incident_id="2027" activity_type="state_change"] summary=Unsolicited Bulk Email old_value=none new_value=created
tc_tc-backend_1.tc_threatrespons [backend.INFO][PTRAuditData application_version="5.3.0" event="CREATE" identity="Response(6474)"] incident_id=2032 type=QuarantineResponseDefinition automated=true
[PTRAuditData application_version="5.3.0" event="LOGIN" identity="User(34)"] vincentgoffin LOGIN User(34) username=vincentgoffin ip=10.41.36.78 result=success
tc_tc-backend_1.tc_threatrespons [backend.INFO][PTRAuditData application_version="5.3.0" event="MODIFY" identity="Incident(2026)"] name=Fake captcha that redirects to Phish state=new severity=MAJOR alert_id=6229
tc_tc-backend_1.tc_threatrespons [backend.INFO][PTRAuditData application_version="5.3.0" event="RESOLVE" identity="Host(2479)"] host=52.32.252.160 ips=52.32.252.160 ttl=0
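The mail.proofpoint.trap samples are the least regular of the formats above: a bracketed header of key="value" attributes, an optional [incident_data ...] sub-block, and a tail of unquoted key=value pairs whose values may contain spaces (name=Unsolicited Bulk Email). The following Python is an added example, not Proofpoint's or Devo's code, that parses those lines into structured fields and then picks out what an analyst would look at first: CRITICAL incidents, user logins, and incident state transitions. The function names (parse_trap_event, triage) are mine, and the sample lines are constructed, modelled on the page's samples with a placeholder username and IP; the parser accepts both the raw container-prefixed line and the relayed form that starts at [PTRAuditData.

```python
import re

# Added example (not Proofpoint's or Devo's code): parse mail.proofpoint.trap
# audit lines into structured fields and triage them.
HEADER_RE = re.compile(r'\[PTRAuditData ([^\]]*)\]')        # header attributes
INCIDENT_RE = re.compile(r'\s*\[incident_data ([^\]]*)\]')   # optional sub-block
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')                     # key="value" pairs
IDENTITY_RE = re.compile(r'(\w+)\((\d+)\)')                  # e.g. Incident(2027)
# Trailing key=value pairs: a value runs until the next " key=" or end of line,
# so unquoted values containing spaces ("name=Unsolicited Bulk Email") survive.
TAIL_RE = re.compile(r'(\w+)=(.*?)(?=\s+\w+=|$)')


def parse_trap_event(line):
    """Return a dict for one PTRAuditData line, or None if it is not one.
    Works on the raw line (with the container prefix) and on the relayed
    form, which starts at "[PTRAuditData"."""
    m = HEADER_RE.search(line)
    if m is None:
        return None
    event = dict(ATTR_RE.findall(m.group(1)))
    rest = line[m.end():]
    im = INCIDENT_RE.match(rest)
    if im:
        event["incident_data"] = dict(ATTR_RE.findall(im.group(1)))
        rest = rest[im.end():]
    idm = IDENTITY_RE.fullmatch(event.get("identity", ""))
    event["object_type"], event["object_id"] = (
        (idm.group(1), int(idm.group(2))) if idm else (None, None))
    event["fields"] = dict(TAIL_RE.findall(rest.strip()))
    return event


def triage(lines):
    """Return (critical_incidents, logins, state_changes):
    Incident events with severity=CRITICAL as (incident_id, name, alert_id),
    LOGIN events as (username, ip, result), and incident state transitions
    as (incident_id, old_value, new_value)."""
    critical, logins, transitions = [], [], []
    for line in lines:
        ev = parse_trap_event(line)
        if ev is None:
            continue  # not an audit event (or a truncated line)
        f = ev["fields"]
        if ev["object_type"] == "Incident" and f.get("severity") == "CRITICAL":
            critical.append((ev["object_id"], f.get("name"), int(f["alert_id"])))
        elif ev.get("event") == "LOGIN":
            logins.append((f.get("username"), f.get("ip"), f.get("result")))
        elif ev.get("incident_data", {}).get("activity_type") == "state_change":
            transitions.append((int(ev["incident_data"]["incident_id"]),
                                f.get("old_value"), f.get("new_value")))
    return critical, logins, transitions


# Constructed lines modelled on the page's samples (placeholder user and IP).
PREFIX = "tc_tc-backend_1.tc_threatrespons [backend.INFO]"
SAMPLE_LINES = [
    PREFIX + '[PTRAuditData application_version="5.3.0" event="CREATE" identity="Incident(2027)"] '
             'name=Unsolicited Bulk Email state=new severity=CRITICAL alert_id=6230',
    PREFIX + '[PTRAuditData application_version="5.3.0" event="CREATE" identity="Incident(2029)"] '
             'name=(not set) state=new severity=MAJOR alert_id=6232',
    PREFIX + '[PTRAuditData application_version="5.3.0" event="CREATE" identity="IncidentActivity(25252)"]'
             '[incident_data incident_id="2026" activity_type="state_change"] old_value=created new_value=closed',
    '[PTRAuditData application_version="5.3.0" event="LOGIN" identity="User(34)"] '
    'jdoe LOGIN User(34) username=jdoe ip=10.0.0.5 result=success',
    "a line that is not an audit event",
]

if __name__ == "__main__":
    crit, logins, trans = triage(SAMPLE_LINES)
    print("critical incidents:", crit)
    print("logins:", logins)
    print("state changes:", trans)
```

The tail regex is the part worth keeping in mind when writing Devo parsers for this source: splitting on whitespace would break name= and summary= values, so the value is taken lazily up to the next whitespace-delimited key= token instead. The LOGIN line also shows why the header is parsed separately from the tail: the free-text words before username= (user name, verb, identity) carry no "=" and are simply skipped.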
