Explore and Analyze Proofpoint Events
After Logpoint ingests Proofpoint logs:
Use Search to access and examine events.
View events in real time through Dashboards.
Use Search Templates for pre-built analysis scenarios.
Search
Use the following queries to explore common Proofpoint events:
All Proofpoint logs
col_type = "proofpoint"
All normalized Proofpoint events
norm_id = "Proofpoint*"
Blocked email messages
norm_id = "Proofpoint*" label = "Blocked" label = "Email"
Delivered malicious emails
norm_id = "Proofpoint*" label = "Delivered" label = "Email"
Blocked URL clicks
norm_id = "Proofpoint*" label = "Blocked" label = "Click"
Permitted URL clicks
norm_id = "Proofpoint*" label = "Permitted" label = "Click"
Phishing threats
norm_id = "Proofpoint*" classification = "phish"
Malware detections
norm_id = "Proofpoint*" threat_type = "malware"
URL rewriting events
norm_id = "Proofpoint*" label = "URL" label = "Rewritten"
High spam score messages
norm_id = "Proofpoint*" spam_score > 80
Active threats
norm_id = "Proofpoint*" threat_status = "active"
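To show how the queries above evaluate against normalized events, here is an added Python example (not Logpoint code) that parses the page's query strings and applies them to a constructed set of events. It assumes that label is multi-valued, that repeated label terms must all match, and that a trailing * in a quoted value is a wildcard; the field values are made up for illustration.

```python
import operator
import re
from fnmatch import fnmatchcase

# Constructed sample of normalized Proofpoint TAP events (not real data). Field
# names follow the queries on this page; label is assumed to be multi-valued.
EVENTS = [
    {"col_type": "proofpoint", "norm_id": "ProofpointTAP", "label": ["Blocked", "Email"],
     "classification": "phish", "threat_type": "url", "spam_score": 92, "threat_status": "active"},
    {"col_type": "proofpoint", "norm_id": "ProofpointTAP", "label": ["Delivered", "Email"],
     "classification": "malware", "threat_type": "attachment", "spam_score": 15, "threat_status": "active"},
    {"col_type": "proofpoint", "norm_id": "ProofpointTAP", "label": ["Permitted", "Click"],
     "classification": "phish", "threat_type": "url", "threat_status": "cleared"},
    {"col_type": "proofpoint", "norm_id": "ProofpointTAP", "label": ["URL", "Rewritten", "Email"],
     "classification": "spam", "threat_type": "url", "spam_score": 85, "threat_status": "active"},
    {"col_type": "syslog", "norm_id": "Windows", "label": ["Logon", "Successful"]},
]

# One query term: field, comparison operator, and either a quoted string or a number.
TERM = re.compile(r'(\w+)\s*(>=|<=|!=|=|>|<)\s*(?:"([^"]*)"|(\d+))')
NUM_OPS = {"=": operator.eq, "!=": operator.ne, ">": operator.gt,
           "<": operator.lt, ">=": operator.ge, "<=": operator.le}

def parse_query(query):
    """Split 'norm_id = "Proofpoint*" spam_score > 80' into (field, op, value) terms; terms are ANDed."""
    return [(m[1], m[2], m[3] if m[4] is None else int(m[4])) for m in TERM.finditer(query)]

def term_matches(event, field, op, value):
    """Match one term against an event; a list-valued field matches if any element matches."""
    present = event.get(field)
    if present is None:              # missing field never matches (so spam_score > 80 skips click events)
        return False
    candidates = present if isinstance(present, list) else [present]
    if isinstance(value, str):       # quoted value: exact match, '*' wildcard allowed
        hit = any(fnmatchcase(str(c), value) for c in candidates)
        return hit if op == "=" else (not hit if op == "!=" else False)
    return any(isinstance(c, (int, float)) and NUM_OPS[op](c, value) for c in candidates)

def search(query, events=EVENTS):
    """Return the events for which every term of the query matches."""
    terms = parse_query(query)
    return [e for e in events if all(term_matches(e, *t) for t in terms)]
```

Running search() with the "Blocked email messages" query returns only the first event, because both label terms must be satisfied by the same event.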
Search Templates
LP_Proofpoint Targeted Attack Protection Search Template
The LP_Proofpoint Targeted Attack Protection search template provides pre-configured analysis scenarios for common Proofpoint TAP monitoring and investigation use cases. These templates help you quickly analyze email threats, click events, and attack patterns, and identify malicious URLs, phishing attempts, and security incidents.
The search template provides an overview of Proofpoint Targeted Attack Protection (TAP) message events and click events. The Message Event search template provides an overview of blocked threat emails, delivered threat emails, and the top threats by threat type. The Click Event search template provides an overview of click events on malicious URLs that were blocked or permitted.
Using LP_Proofpoint Targeted Attack Protection Search Template
Update parameters
In Update Parameters, enter the required parameter(s).
Select Override widget time range to set a time range.
Select REPOS.
Click Update.
After updating, the widgets start populating the results. Logpoint forwards you to Search Template View to access the dashboards of the search template.
Note: At the top of the dashboard, click Report to create a report in PDF format.
Dashboards
LP_Proofpoint Targeted Attack Protection - Message Event Dashboard
The LP_Proofpoint Targeted Attack Protection - Message Event dashboard provides real-time insights into email security threats across your environment, showing patterns in malicious email delivery, blocking actions, URL rewriting, and threat detection. It helps you monitor email-based attacks, track threat types, identify malicious senders and recipients, and analyze attack distribution by geography.
Widget overview:
Time trend for Delivered Email
The time trend of events where malicious emails are detected and delivered as recorded by the recipient email server.
Time trend for Blocked Email
The time trend of events where malicious emails are detected and blocked, that is, rejected by the receiving server.
Email Blocked
Data of emails with malicious content blocked by the recipient email server.
Email Delivered
Data of emails with malicious content delivered to the recipient email server.
URL Rewritten
Data of emails where instances of URL threats within the message were successfully rewritten. Administrators can manipulate URL paths before the Web server handles the request.
URL Not Rewritten
Data of emails where instances of URL threats within the message were not rewritten, so administrators can check whether the URL is currently on any of the organization's safelists.
Top Threats Detected by threat_type
The top threats detected on email servers, grouped by threat type, so administrators can check whether they were blocked or allowed.
Attack Distribution by Source Country
Data on malicious attempts to disrupt the regular traffic of the email server, broken down by the source countries from which the emails were received.
Top 10 Recipient
Top ten malicious email recipients.
Top 10 Sender
Top ten malicious email senders.
LP_Proofpoint Targeted Attack Protection - Click Event Dashboard
The LP_Proofpoint Targeted Attack Protection - Click Event dashboard provides real-time insights into clickjacking attempts and malicious URL interactions across your environment, showing patterns in click events, threat isolation, and geographic distribution. It helps you monitor user interactions with malicious URLs, track blocked and permitted clicks, identify targeted recipients, and analyze attack vectors.
Widget overview:
Time trend for Permitted Click
The time trend of the number of clicks on malicious URLs that are detected and permitted.
Time trend for Blocked Click
The time trend of the number of clicks on malicious URLs that are detected and blocked.
Click Blocked
The number of clicks on malicious URLs blocked to prevent clickjacking.
Click Permitted
The number of clicks permitted after TAP isolates the riskiest URLs.
Attack Distribution by Source Country
Data on clickjacking attempts to disrupt the regular traffic of the email server, broken down by the source countries from which the click events were generated.
Top 10 Recipient
Top ten click event recipients detected.
Top 10 Sender
Top ten click event senders detected.
Attack Distribution by Destination Country
Data on clickjacking attempts, broken down by the destination countries at which the click events were targeted.
Malicious URL by Category
The top ten malicious URLs on a click event by malicious URL, threat category, threat status and user-agent.
LP_Proofpoint Targeted Attack Protection - Overview Dashboard
The LP_Proofpoint Targeted Attack Protection - Overview dashboard provides a comprehensive real-time view of all Proofpoint TAP activities across your environment, consolidating both message and click events. It helps you get a holistic view of email security posture, identify top threat actors, track blocked versus allowed events, and analyze geographic threat distribution.
Widget overview:
Event Time Trend
The time trend of events based on their message and click event types.
Blocked Email
The total count of blocked emails temporarily rejected because of their contents.
Delivered Email
The total count of delivered malicious emails accepted by the recipient's mail server.
Blocked URL Click
The total count of click events on malicious URLs (user interface redressing attempts) that were detected and blocked.
Permitted URL Click
The total count of permitted URL clicks, even though threats were detected.
Top 10 Sender in Blocked Events
The top ten senders for which email threats were detected and blocked, across click and message events.
Top 10 Sender in Allowed Events
The top ten senders for which threats were detected and delivered (message events) or permitted (click events).
Top 10 Receiver in Blocked Events
The top ten receivers for which email threats were detected and blocked, across click and message events.
Top 10 Receiver in Allowed Events
The top ten receivers for which threats were detected and delivered (message events) or permitted (click events).
Top 10 Country in Blocked Events
The top ten countries for which email threats were detected and blocked, across click and message events.
Top 10 Country in Allowed Events
The top ten countries for which email threats were detected and delivered (message events) or permitted (click events).
Adding Proofpoint Dashboards
Navigate to Settings >> Knowledge Base >> Dashboards.
Select VENDOR DASHBOARD from the dropdown.
Click the Add icon under Actions of the required dashboard.
Click Choose Repos.
Select the repository configured for Proofpoint logs and click Done.
In Ask Repos, select the dashboard and click Ok.
The dashboard will appear under Dashboards. You can view details about each widget by clicking the Info icon.