New Permitted Malicious Click

Start FLO when there are new events for clicks to malicious URLs permitted.

This is a polling event that returns at most one hour's worth of data. Setting the polling interval to an interval greater than one hour will result in no data being returned.

Unless otherwise mentioned, all fields are text.



  • URL: malicious URL that was clicked

  • Classification: threat category of the URL

  • Click Time (date): the time at which the user clicked the URL

  • Threat Time (date): the time at which Proofpoint identified the URL as a threat

  • User Agent: User-Agent header from the clicker's HTTP request

  • Campaign ID: identifer for the campaign the threat belongs to, if available

  • Click IP: external IP address of the user who clicked the link

  • Sender: email address of sender; user-part is hashed and domain-part in plaintext

  • Recipient: email address of the recipient

  • Sender IP: IP address of the sender

  • ID: UUID of the event

  • GUID: unique identifier of the message in Proofpoint Protection Server (PPS)

  • Threat ID: unique identifier of the threat

  • Threat URL: link to threat entry on TAP dashboard

  • Threat Status: status of the threat

  • Message ID: non-unique message ID extracted from headers of email message


  • Execution ID: unique identifier associated with the execution of the Flow