The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.
Supported log types
Proofpoint.Event
Proofpoint.Event logs represent activity within a Proofpoint instance. For more information, see Proofpoint's documentation.
schema: Proofpoint.Event
description: Event logs pulled from Proofpoint's API
referenceURL: https://help.proofpoint.com/Threat_Insight_Dashboard/API_Documentation/SIEM_API
fields:
  - name: messageTime
    description: The timestamp of the log.
    isEventTime: true
    timeFormats:
      - rfc3339
    type: timestamp
  - name: messageParts
    description: JSON structure containing parts of the message.
    type: json
  - name: fromAddress
    description: Array of email addresses from which the message was sent.
    type: array
    element:
      type: string
      indicator: email
  - name: toAddresses
    description: Array of email addresses to which the message was sent.
    type: array
    element:
      type: string
      indicator: email
  - name: recipient
    description: Array of email addresses to which the message was sent.
    type: array
    element:
      type: string
      indicator: email
  - name: threatsInfoMap
    description: Array of objects containing threat information.
    type: array
    element:
      type: object
      fields:
        - name: threatUrl
          description: URL associated with the threat.
          type: string
          indicator: url
        - name: threatID
          description: Unique identifier for the threat.
          type: string
        - name: threatStatus
          description: Status of the threat.
          type: string
        - name: classification
          description: Classification type of the threat.
          type: string
        - name: threatTime
          description: Timestamp of the threat.
          type: string
          indicator:
            - timestamp
        - name: threat
          description: Details of the threat.
          type: string
        - name: campaignID
          description: Identifier for the associated campaign.
          type: string
        - name: threatType
          description: Type of threat.
          type: string
  - name: completelyRewritten
    description: Indicates whether the message was completely rewritten or not.
    type: boolean
  - name: id
    description: Unique identifier for the event.
    type: string
  - name: QID
    description: Queue identifier for the message.
    type: string
  - name: GUID
    description: Globally unique identifier for the event.
    type: string
  - name: sender
    description: Email address of the sender.
    type: string
    indicator:
      - email
  - name: senderIP
    description: IP address of the sender.
    type: string
    indicator:
      - ip
  - name: messageID
    description: Unique identifier for the message.
    type: string
  - name: spamScore
    description: Score indicating the likelihood the message is spam.
    type: int
  - name: phishScore
    description: Score indicating the likelihood the message is a phishing attempt.
    type: int
  - name: impostorScore
    description: Score indicating the likelihood the sender is an impostor.
    type: int
  - name: malwareScore
    description: Score indicating the likelihood the message contains malware.
    type: int
  - name: cluster
    description: Cluster information related to the event.
    type: string
  - name: subject
    description: Subject line of the email.
    type: string
  - name: quarantineFolder
    description: Folder where the message is quarantined.
    type: string
  - name: quarantineRule
    description: Rule applied for quarantining the message.
    type: string
  - name: policyRoutes
    description: JSON structure containing policy routing information.
    type: json
  - name: modulesRun
    description: JSON structure containing information on the modules run for processing the message.
    type: json
  - name: messageSize
    description: Size of the message in bytes.
    type: int
  - name: headerFrom
    description: Email address in the 'From' header.
    type: string
    indicator: email
  - name: headerReplyTo
    description: Email address in the 'Reply-To' header.
    type: string
    indicator: email
  - name: ccAddresses
    description: Array of email addresses in the 'CC' field.
    type: array
    element:
      type: string
      indicator: email
  - name: replyToAddress
    description: Array of email addresses in the 'Reply-To' field.
    type: array
    element:
      type: string
      indicator: email
  - name: xmailer
    description: Information about the email client or server that sent the message.
    type: string
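As an added example (not from this page, Panther's built-in detection packs, or Proofpoint), a Panther-style Python rule that evaluates Proofpoint.Event records using the fields in the schema above: it fires when threatsInfoMap still holds an active threat and phishScore or malwareScore crosses a threshold. The "active" status value, the thresholds, and the sample records are assumptions constructed for illustration.

```python
# Added example, not from the Panther or Proofpoint documentation: a Panther-style
# Python rule over Proofpoint.Event records. The status value, thresholds and the
# sample records below are assumptions constructed for illustration.
PHISH_THRESHOLD = 70
MALWARE_THRESHOLD = 70
ACTIVE_STATUS = "active"  # assumed threatStatus value meaning "not yet cleared"


def active_threats(event):
    """Return the threatsInfoMap entries whose threatStatus is still active."""
    return [
        t for t in (event.get("threatsInfoMap") or [])
        if str(t.get("threatStatus", "")).lower() == ACTIVE_STATUS
    ]


def rule(event):
    """Fire when the message carries an active threat and a score crosses its threshold."""
    if not active_threats(event):
        return False
    phish = int(event.get("phishScore") or 0)
    malware = int(event.get("malwareScore") or 0)
    return phish >= PHISH_THRESHOLD or malware >= MALWARE_THRESHOLD


def title(event):
    """Alert title built from the sender, recipients and threat classifications."""
    classes = sorted({t.get("classification", "unknown") for t in active_threats(event)})
    recipients = ", ".join(event.get("recipient") or []) or "unknown recipient"
    return f"Proofpoint: active {'/'.join(classes)} threat from {event.get('sender')} to {recipients}"


# Constructed sample records shaped like the schema above (not real Proofpoint data).
SAMPLE_PHISH = {
    "messageTime": "2024-01-01T12:00:00Z",
    "sender": "attacker@example.invalid",
    "recipient": ["user@example.org"],
    "phishScore": 92,
    "malwareScore": 0,
    "quarantineFolder": "Phish",
    "threatsInfoMap": [
        {"threatStatus": "active", "classification": "phish", "threatType": "url",
         "threatUrl": "http://example.invalid/login"},
    ],
}
SAMPLE_CLEARED = dict(SAMPLE_PHISH, threatsInfoMap=[
    {"threatStatus": "cleared", "classification": "phish", "threatType": "url"},
])
```

A cleared threat with the same scores does not fire, so the rule tracks Proofpoint's own disposition rather than re-alerting on every historical hit.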