Proofpoint
Use the IBM Security QRadar Custom Properties for Proofpoint content extension to closely monitor your Proofpoint deployment.
Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as a part of the automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM® Fix Central (https://www.ibm.com/support/fixcentral).
IBM Security QRadar Custom Properties for Proofpoint V1.0.0
The following table shows the custom properties in IBM Security QRadar Custom Properties for Proofpoint V1.0.0.
| Name | Optimized | Capture Group | Regex |
|---|---|---|---|
| Action | Yes | 1 | action=(\S+) |
| Adult Content Score | Yes | 1 | adultscore=(\d+) |
| Command | Yes | 1 | cmd=(\S+) |
| Error Code | Yes | 1 | err="([^\"]+) |
| File Extension | Yes | 1 | file=[^>.\s]*.([^>\s]*) |
| Filename | Yes | 1 | file=(\S+) |
| Message | Yes | 1 | msg="([^"]*) |
| Message Size | Yes | 1 | size=(\d+) size=(\d+) |
| MessageID | Yes | 1 | msgid=<(\S+)> |
| Number of Recipients | No | 1 | nrcpts=(\d+) |
| Originating Host | Yes | 1 | from=[^>@\s]*@([^>\s]*) |
| Originating_User | Yes | 1 | from=<(\S+)> |
| Phishing Score | Yes | 1 | phishscore=(\d+) |
| Recipient Host | Yes | 1 | to=[^>@\s]*@([^>\s]*) |
| Recipient_User | Yes | 1 | to=<(\S+)> |
| Spam Score | No | 1 | spamscore=(\d+) |
| Suspect Score | Yes | 1 | suspectscore=(\d+) |
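
The following Python script is an added example, not part of the IBM content extension. It runs the patterns from the table as printed, with capture group 1, against two constructed payloads so the extracted values can be checked before rules or searches depend on them. The payload layout, the `extract` helper, and the use of a single `size=(\d+)` instance for Message Size are assumptions.

```python
import re

# Name -> regex, copied from the table above (capture group 1 throughout).
# The Message Size cell prints its pattern twice; one instance is assumed.
PROPERTIES = {
    "Action": r'action=(\S+)',
    "Adult Content Score": r'adultscore=(\d+)',
    "Command": r'cmd=(\S+)',
    "Error Code": r'err="([^\"]+)',
    "File Extension": r'file=[^>.\s]*.([^>\s]*)',
    "Filename": r'file=(\S+)',
    "Message": r'msg="([^"]*)',
    "Message Size": r'size=(\d+)',
    "MessageID": r'msgid=<(\S+)>',
    "Number of Recipients": r'nrcpts=(\d+)',
    "Originating Host": r'from=[^>@\s]*@([^>\s]*)',
    "Originating_User": r'from=<(\S+)>',
    "Phishing Score": r'phishscore=(\d+)',
    "Recipient Host": r'to=[^>@\s]*@([^>\s]*)',
    "Recipient_User": r'to=<(\S+)>',
    "Spam Score": r'spamscore=(\d+)',
    "Suspect Score": r'suspectscore=(\d+)',
}

def extract(payload, group=1):
    """Return {property name: captured text} for every pattern that matches."""
    found = {}
    for name, pattern in PROPERTIES.items():
        match = re.search(pattern, payload)
        if match:
            found[name] = match.group(group)
    return found

# Constructed payloads for illustration, not captured Proofpoint output.
TYPICAL = (
    'cmd=send from=<alice@example.com> to=<bob@example.org> size=2048 '
    'nrcpts=1 msgid=<abc123@mail.example.com> action=quarantine '
    'file=invoice.pdf spamscore=87 phishscore=100 suspectscore=0 '
    'adultscore=0 msg="held for review" err="550"'
)
# Two recipients with no whitespace between them: (\S+) is greedy.
MULTI_RCPT = 'from=<alice@example.com> to=<bob@example.org>,<carol@example.net>'

if __name__ == "__main__":
    for label, payload in (("typical", TYPICAL), ("multi-rcpt", MULTI_RCPT)):
        print(label)
        for name, value in sorted(extract(payload).items()):
            print(f"  {name}: {value!r}")
```

On the second payload, Recipient_User captures everything up to the last `>` in the whitespace-free run, while Recipient Host stops at the first `>`, so the two properties no longer describe the same recipient.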