mail.proofpoint

The tags beginning with mail.proofpoint identify log events generated by Proofpoint products.

Tag structure

The full tag must have three levels. The first two are fixed as mail.proofpoint. The third level identifies the event type and must be one of tapsiem_v2, sendmail, tapsiem_syslog, stdout, tapsiem, or trap.

The fourth tag level (subtype) is only used by the main.proofpoint.tapsiem_v2 table, and can have one of the values in the table:

technology	brand	type	subtype
mail	proofpoint	tapsiem_v2 sendmail stdout trap	clicksblocked clickspermitted messagesblocked messagesdelivered

Therefore, the valid tags include:

mail.proofpoint.tapsiem_v2
mail.proofpoint.sendmail
mail.proofpoint.stdout
mail.proofpoint.trap
mail.proofpoint.tapsiem_v2.clicksblocked
mail.proofpoint.tapsiem_v2.clickspermitted
mail.proofpoint.tapsiem_v2.messagesblocked
mail.proofpoint.tapsiem_v2.messagesdelivered

For more information, read more about Devo tags.

Devo Relay rules

Rule 1 - Proofpoint Trap

Source port → 14001
Source data → (\[PTRAuditData [^\]]+\].*)$
Target tag → mail.proofpoint.trap
Target message → \\D1
Select both Stop processing and Sent without syslog tag

Rule 2 - Proofpoint stdout

Source port → 13009
Source tag → filter_instance1
Target tag → mail.proofpoint.stdout
Select Stop processing

Rule 3 - Proofpoint sendmail

Source port → 13009
Target tag → mail.proofpoint.sendmail
Select Stop processing

Log samples

The following are sample logs sent to each of the mail.proofpoint data tables. Also, find how the information will be parsed in your data table under each sample log.

Extra columns

Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.

mail.proofpoint.trap

2021-09-17 08:56:20.987 localhost=127.0.0.1 mail.proofpoint.trap: tc_tc-backend_1.tc_threatrespons [backend.INFO][PTRAuditData application_version="5.3.0" event="CREATE" identity="Response(6474)"] incident_id=2032 type=QuarantineResponseDefinition automated=true

And this is how the log would be parsed:

Field	Value	Type	Extra field
eventdate	`2021-09-17 08:56:20.987`	`timestamp`
hostname	`localhost`	`str`
application_version	`5.3.0`	`str`
event	`CREATE`	`str`
identity	`Response(6474)`	`str`
identity_type	`Response`	`str`
identity_id	`6474`	`str`
incident_data	`null`	`str`
incident_id	`2032`	`str`
activity_type	`null`	`str`
summary	`null`	`str`
old_value	`null`	`str`
new_value	`null`	`str`
type	`QuarantineResponseDefinition`	`str`
automated	`true`	`bool`
name	`null`	`str`
state	`null`	`str`
severity	`null`	`str`
alert_id	`null`	`int4`
username	`null`	`str`
ip	`null`	`ip4`
result	`null`	`str`
host	`null`	`ip4`
ips	`null`	`ip4`
ttl	`null`	`int4`
enabled	`null`	`str`
condition_list	`null`	`str`
threshold_type	`null`	`str`
threshold_inequality	`null`	`str`
incident_severity_threshold	`null`	`str`
send_to_incident_owner	`null`	`str`
send_to_team	`null`	`str`
send_to_reporter	`null`	`str`
include_reported_email	`null`	`str`
additional_recipients	`null`	`str`
exclude_recipients	`null`	`str`
content	`null`	`str`
email_body_preface	`null`	`str`
email_subject	`null`	`str`
beginning_delimiter	`null`	`str`
ending_delimiter	`null`	`str`
messageId	`null`	`str`
originalMailbox	`null`	`str`
isMessageRead	`null`	`bool`
quarantineFolder	`null`	`str`
quarantineMailbox	`null`	`str`
mailProvider	`null`	`str`
updateMessage	`null`	`str`
source	`null`	`str`
category	`null`	`str`
attacker	`null`	`str`
target	`null`	`str`
cnc	`null`	`str`
other	`null`	`str`
url	`null`	`str`
role	`null`	`str`
hostchain	`localhost=127.0.0.1`	`str`	✓
tag	`mail.proofpoint.trap`	`str`	✓
rawMessage	`tc_tc-backend_1.tc_threatrespons [backend.INFO][PTRAuditData application_version="5.3.0" event="CREATE" identity="Response(6474)"] incident_id=2032 type=QuarantineResponseDefinition automated=true`	`str`	✓