Read Permitted Malicious Clicks
Fetch events for clicks to malicious URLs permitted in the specified time period.
The events returned for a specified range are based on the time that the event was created, not the time that the event occurred. The time an event is created is the later time of the following:
-
The time that the click occurred
-
The time that the threat referenced by click was recognized by Proofpoint
The input fields in this card are dynamically generated based on your instance.
Options
| Field | Definition | Type | Required |
|---|---|---|---|
| Range Type | Choose from available ranges; options are Interval, Since Time, or Since Seconds Ago. |
Dropdown |
TRUE |
Input
| Field | Definition | Type | Required |
|---|---|---|---|
|
timeRange |
|||
| Interval | Time interval to query in ISO 8601 format. The minimum interval allowed is 30 seconds and the maximum interval is 1 hour. |
Date & Time |
TRUE |
| Since Time | Start time of query in ISO 8601 format. The end of the period is the current API server time rounded to the nearest minute. |
Date & Time |
TRUE |
| Since Seconds Ago | Set start time of query to this many seconds before the current API server time (rounded to the nearest minute). |
Number |
TRUE |
Output
| Field | Definition | Type |
|---|---|---|
| Query End Time | Time the period being queried ended. |
Date & Time |
| Links | ||
| URL | Malicious URL that was clicked. |
Text |
| Classification | Threat category of the URL. |
Text |
| Click Time | Time at which the user clicked the URL. |
Date & Time |
| Threat Time | Time at which Proofpoint identified the URL as a threat. |
Date & Time |
| User Agent | User-Agent header from the clicker's http request. |
Text |
| Campaign ID | ID of campaign the threat belongs to, if available. |
Text |
| Click IP | External IP address of user who clicked the URL. |
Text |
| Sender | Email address of sender; user-part is hashed and domain-part in plaintext. |
Text |
| Recipient | Email addresses of the recipient. |
Text |
| Sender IP | IP address of the sender. |
Text |
| ID | UUID of the event. |
Text |
| GUID | Unique Proofpoint Protection Server (PPS) identifier. |
Text |
| Threat ID | Unique identifier of the threat. |
Text |
| Threat URL | Link to threat entry on TAP dashboard. |
Text |
| Threat Status | Status of the threat. |
Text |
| Message ID | Message ID. |
Text |