New Permitted Malicious Click
Start a flow when there are new events for clicks to malicious URLs permitted.
This is a polling event that returns at most one hour's worth of data. Setting the polling interval to an interval greater than one hour will result in no data being returned.
Output
| Field | Definition | Type |
|---|---|---|
| Links | ||
| URL | Malicious URL that was clicked. | String |
| Classification | Threat category of the URL. | String |
| Click Time | The time at which the user clicked the URL. | Date & Time |
| Threat Time | The time at which Proofpoint identified the URL as a threat. | Date & Time |
| User Agent | User-Agent header from the clicker's HTTP request. | String |
| Campaign ID | Identifier for the campaign the threat belongs to, if available. | String |
| Click IP | External IP address of the user who clicked the link. | String |
| Sender | Email address of sender; user-part is hashed and domain-part in plain text. | String |
| Recipient | Email address of the recipient. | String |
| Sender IP | IP address of the sender. | String |
| ID | UUID of the event. | String |
| GUID | Unique identifier of the message in Proofpoint Protection Server (PPS). | String |
| Threat ID | Unique identifier of the threat. | String |
| Threat URL | Link to threat entry on TAP dashboard. | String |
| Threat Status | Status of the threat. | String |
| Message ID | Non-unique message ID extracted from headers of email message. | String |