Proofpoint
Use the IBM® QRadar® Custom Properties for Proofpoint content extension to closely monitor your Proofpoint deployment.
Important: To avoid content errors in this content extension, keep the associated DSMs
up to date. DSMs are updated as part of the automatic updates. If automatic updates are not enabled,
download the most recent version of the associated DSMs from IBM Fix Central
(https://www.ibm.com/support/fixcentral).
IBM Security QRadar Custom Properties for Proofpoint V1.0.0
The following table shows the custom properties in IBM Security QRadar Custom Properties for Proofpoint V1.0.0.
| Name | Optimized | Capture Group | Regex |
|---|---|---|---|
| Action | Yes | 1 | action=(\S+) |
| Adult Content Score | Yes | 1 | adultscore=(\d+) |
| Command | Yes | 1 | cmd=(\S+) |
| Error Code | Yes | 1 | err="([^\"]+) |
| File Extension | Yes | 1 | file=[^>.\s]*.([^>\s]*) |
| Filename | Yes | 1 | file=(\S+) |
| Message | Yes | 1 | msg="([^"]*) |
| Message Size | Yes | 1 | size=(\d+) size=(\d+) |
| MessageID | Yes | 1 | msgid=<(\S+)> |
| Number of Recipients | No | 1 | nrcpts=(\d+) |
| Originating Host | Yes | 1 | from=[^>@\s]*@([^>\s]*) |
| Originating_User | Yes | 1 | from=<(\S+)> |
| Phishing Score | Yes | 1 | phishscore=(\d+) |
| Recipient Host | Yes | 1 | to=[^>@\s]*@([^>\s]*) |
| Recipient_User | Yes | 1 | to=<(\S+)> |
| Spam Score | No | 1 | spamscore=(\d+) |
| Suspect Score | Yes | 1 | suspectscore=(\d+) |