New Permitted Malicious Click
Start a flow when there are new events for permitted clicks on malicious URLs.
This is a polling event that returns at most one hour's worth of data. Setting the polling interval to more than one hour results in no data being returned.
Output
Field | Definition | Type |
---|---|---|
Links | | |
URL | Malicious URL that was clicked. | Text |
Classification | Threat category of the URL. | Text |
Click Time | The time at which the user clicked the URL. | Date & Time |
Threat Time | The time at which Proofpoint identified the URL as a threat. | Date & Time |
User Agent | User-Agent header from the clicker's HTTP request. | Text |
Campaign ID | Identifier for the campaign the threat belongs to, if available. | Text |
Click IP | External IP address of the user who clicked the link. | Text |
Sender | Email address of sender; user-part is hashed and domain-part in plain text. | Text |
Recipient | Email address of the recipient. | Text |
Sender IP | IP address of the sender. | Text |
ID | UUID of the event. | Text |
GUID | Unique identifier of the message in Proofpoint Protection Server (PPS). | Text |
Threat ID | Unique identifier of the threat. | Text |
Threat URL | Link to threat entry on TAP dashboard. | Text |
Threat Status | Status of the threat. | Text |
Message ID | Non-unique message ID extracted from headers of email message. | Text |
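
The following is an added example, not part of the original page or of the connector: one way to triage the Links output downstream of the flow, grouping events by Recipient and counting clicks whose Click Time precedes Threat Time. The dictionary keys reuse the field names from the table; the sample records, the ISO 8601 timestamp format and the function name `summarize_permitted_clicks` are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records. Keys reuse the field names from the Output table;
# the values and the ISO 8601 timestamp format are assumptions.
SAMPLE_LINKS = [
    {"ID": "evt-0001", "Recipient": "alice@example.com", "Threat ID": "threat-a",
     "Click IP": "203.0.113.10", "Click Time": "2024-05-01T10:00:00+00:00",
     "Threat Time": "2024-05-01T10:20:00+00:00"},
    {"ID": "evt-0002", "Recipient": "alice@example.com", "Threat ID": "threat-b",
     "Click IP": "203.0.113.10", "Click Time": "2024-05-01T10:30:00+00:00",
     "Threat Time": "2024-05-01T09:00:00+00:00"},
    {"ID": "evt-0001", "Recipient": "alice@example.com", "Threat ID": "threat-a",
     "Click IP": "203.0.113.10", "Click Time": "2024-05-01T10:00:00+00:00",
     "Threat Time": "2024-05-01T10:20:00+00:00"},  # repeated event ID
    {"ID": "evt-0003", "Recipient": "bob@example.com", "Threat ID": "threat-a",
     "Click IP": "198.51.100.7", "Click Time": "2024-05-01T10:05:00+00:00",
     "Threat Time": "2024-05-01T10:20:00+00:00"},
]


def summarize_permitted_clicks(links):
    """Group click events by Recipient, skipping repeated event IDs."""
    seen_ids = set()
    summary = defaultdict(lambda: {"clicks": 0, "clicked_before_threat_time": 0,
                                   "threat_ids": set(), "click_ips": set()})
    for event in links:
        if event["ID"] in seen_ids:
            continue  # this event UUID was already counted
        seen_ids.add(event["ID"])
        click_time = datetime.fromisoformat(event["Click Time"])
        threat_time = datetime.fromisoformat(event["Threat Time"])
        entry = summary[event["Recipient"]]
        entry["clicks"] += 1
        if click_time < threat_time:
            # The click happened before the URL was identified as a threat.
            entry["clicked_before_threat_time"] += 1
        entry["threat_ids"].add(event["Threat ID"])
        entry["click_ips"].add(event["Click IP"])
    # Recipients with the most permitted clicks first, then by address.
    return sorted(summary.items(), key=lambda item: (-item[1]["clicks"], item[0]))


if __name__ == "__main__":
    for recipient, info in summarize_permitted_clicks(SAMPLE_LINKS):
        print(recipient, info["clicks"], info["clicked_before_threat_time"],
              sorted(info["threat_ids"]), sorted(info["click_ips"]))
```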