Read Permitted Malicious Clicks

Fetch events for clicks to malicious URLs permitted in the specified time period.

The events returned for a specified range are based on the time that the event was created, not the time that the event occurred. The time an event is created is the later time of the following:

  • The time that the click occurred

  • The time that the threat referenced by click was recognized by Proofpoint

The input fields in this card are dynamically generated based on your instance.


Field Definition Type Required
Range Type Choose from available ranges; options are Interval, Since Time, or Since Seconds Ago. Dropdown TRUE


Field Definition Type Required
Interval Time interval to query in ISO 8601 format. The minimum interval allowed is 30 seconds and the maximum interval is 1 hour. Date & Time TRUE
Since Time Start time of query in ISO 8601 format. The end of the period is the current API server time rounded to the nearest minute. Date & Time TRUE
Since Seconds Ago Set start time of query to this many seconds before the current API server time (rounded to the nearest minute). Number TRUE


Field Definition Type
Query End Time Time the period being queried ended. Date & Time
URL Malicious URL that was clicked. String
Classification Threat category of the URL. String
Click Time Time at which the user clicked the URL. Date & Time
Threat Time Time at which Proofpoint identified the URL as a threat. Date & Time
User Agent User-Agent header from the clicker's http request. String
Campaign ID ID of campaign the threat belongs to, if available. String
Click IP External IP address of user who clicked the URL. String
Sender Email address of sender; user-part is hashed and domain-part in plaintext. String
Recipient Email addresses of the recipient. String
Sender IP IP address of the sender. String
ID UUID of the event. String
GUID Unique Proofpoint Protection Server (PPS) identifier. String
Threat ID Unique identifier of the threat. String
Threat URL Link to threat entry on TAP dashboard. String
Threat Status Status of the threat. String
Message ID Message ID. String

Related topics

Proofpoint connector

Workflow elements

Proofpoint API documentation