diff --git a/docs/configuration/devices/overview.mdx b/docs/configuration/devices/overview.mdx
index 921e8e5d..80c546b7 100644
--- a/docs/configuration/devices/overview.mdx
+++ b/docs/configuration/devices/overview.mdx
@@ -128,7 +128,7 @@ The system supports the following device types:
* **Security Integration** - These devices integrate with security products:
* **eStreamer**: Connects to Cisco eStreamer servers
- * **Proofpoint**: Consumes Proofpoint TAP log stream via WebSocket
+ * **Proofpoint**: Consumes Proofpoint On Demand log stream via WebSocket
* **SNMP Trap**: Receives SNMP trap notifications
* **System Integration** - These devices interact with operating systems:
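Review bot: The bullet now reads "Proofpoint On Demand" while the other entries in this list name the product in the same form the device page title uses; since the page is being renamed to "Proofpoint On Demand" this is consistent, but consider adding the "(POD)" abbreviation here too, because the renamed page's synopsis introduces that abbreviation and readers scanning the overview will otherwise not connect the two.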
diff --git a/docs/configuration/devices/proofpoint.mdx b/docs/configuration/devices/proofpoint-on-demand.mdx
similarity index 76%
rename from docs/configuration/devices/proofpoint.mdx
rename to docs/configuration/devices/proofpoint-on-demand.mdx
index b916d84d..bc1749ba 100644
--- a/docs/configuration/devices/proofpoint.mdx
+++ b/docs/configuration/devices/proofpoint-on-demand.mdx
@@ -1,17 +1,17 @@
---
-description: Proofpoint Targeted Attack Protection log stream consumer
+description: Proofpoint On Demand email security log stream consumer
sidebar_custom_props:
customCategory: "Devices"
customIcon: "🛡️"
---
-# Proofpoint
+# Proofpoint On Demand
Pull
## Synopsis
-Creates a WebSocket consumer that connects to Proofpoint's Targeted Attack Protection (TAP) log stream service and receives security event data. Supports both message and maillog data types with secure token authentication.
+Creates a WebSocket consumer that connects to Proofpoint's On Demand (POD) log stream service and receives email security event data. Supports both message and maillog data types with secure token authentication.
## Schema
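Review bot: The synopsis wording is slightly inconsistent with the Data Types section of the same file: here the stream is described as "email security event data", while the message data type further down is described as "Email processing logs including connection metadata, envelope details, message headers, and filter module results". Pick one phrasing (the latter is more accurate for POD) so the synopsis does not suggest the threat-centric TAP semantics this change is removing.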
@@ -70,14 +70,14 @@ The following fields are used to define the device:
### WebSocket Connection
-The device establishes a persistent WebSocket connection to Proofpoint's TAP log stream service. The connection URL includes query parameters for cluster ID and data type. Bearer token authentication is used in the Authorization header.
+The device establishes a persistent WebSocket connection to Proofpoint's On Demand log stream service. The connection URL includes query parameters for cluster ID and data type. Bearer token authentication is used in the Authorization header.
### Data Types
Proofpoint supports two log data types:
-- **message**: Security event messages including threats detected, clicks permitted/blocked, and message disposition
-- **maillog**: Mail flow logs including message routing and delivery information
+- **message**: Email processing logs including connection metadata, envelope details, message headers, and filter module results
+- **maillog**: Mail transfer agent logs including SMTP transactions and delivery status
### Token Security
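Review bot: This hunk silently changes the meaning of the two data types from TAP threat events ("threats detected, clicks permitted/blocked, and message disposition") to POD processing and MTA logs. Existing users whose pipelines or target mappings key on the old threat fields (`threatType`, `classification`, `threatUrl` in the removed example below) will see different payloads, so add a short migration note here stating that the field set has changed and that the message type no longer carries TAP threat verdicts.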
@@ -101,13 +101,13 @@ The minimum required configuration creates the consumer:
- Creating a basic Proofpoint consumer for security messages...
+ Creating a basic Proofpoint On Demand consumer for email processing logs...
```yaml
devices:
- id: 1
- name: proofpoint-tap
+ name: proofpoint-pod
type: proofpoint
properties:
cluster: "your-cluster-id"
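Review bot: The device name becomes `proofpoint-pod` but the discriminator stays `type: proofpoint`, while the page and sidebar entry are now `proofpoint-on-demand`. Readers are likely to try `type: proofpoint-on-demand` and get a validation error; add one sentence above the example stating explicitly that the device type identifier remains `proofpoint`.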
@@ -116,15 +116,17 @@ The minimum required configuration creates the consumer:
```
- Device receives Proofpoint threat events in real-time...
+ Device receives Proofpoint email events in real-time...
```json
{
- "GUID": "abc123",
- "threatType": "url",
- "classification": "malware",
- "threatUrl": "http://malicious.example.com"
+ "guid": "abc123-def456",
+ "ts": "2025-01-02T10:30:00.000000",
+ "connection": { "ip": "192.0.2.10", "host": "mail.example.com" },
+ "envelope": { "from": "sender@example.com", "rcpts": ["user@company.com"] },
+ "msg": { "header": { "subject": "Quarterly Report", "from": ["sender@example.com"] } },
+ "filter": { "modules": { "spam": { "verdict": "notspam" } } }
}
```
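Review bot: The new sample timestamp `"2025-01-02T10:30:00.000000"` drops the `Z` suffix that the old example had, so the example no longer states a timezone; since downstream SIEM ingestion depends on knowing whether POD emits UTC or local time, either keep a zone designator or state the assumed zone in the prose. Also `user@company.com` uses a domain that is not reserved for documentation; prefer `example.org` or another RFC 2606 name, as was already done for the `192.0.2.10` address.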
@@ -181,15 +183,16 @@ Mail flow logs can be consumed:
```
- Device receives mail flow events including routing decisions...
+ Device receives mail transfer agent log events including delivery status...
```json
{
- "ts": "2025-01-02T10:30:00Z",
- "sender": "user@example.com",
- "recipient": "dest@company.com",
- "action": "delivered"
+ "ts": "2025-01-02T10:30:00.000000",
+ "data": "smtp;250 2.0.0 OK",
+ "sm": { "from": "sender@example.com", "to": ["dest@company.com"] },
+ "pps": { "cid": "cluster01", "agent": "m0042.ppops.net" },
+ "id": "msg-20250102-001"
}
```
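Review bot: The prose promises "delivery status", but the sample only carries it inside the opaque string `"data": "smtp;250 2.0.0 OK"`, and the keys `sm`, `pps`, `cid` and `agent` are abbreviations a reader cannot decode from the page. Add a brief field legend after the example (e.g. `sm` = sendmail-style envelope, `pps.agent` = the Proofpoint agent host) so users know which keys to map, and apply the same timezone remark as for the message example: `"2025-01-02T10:30:00.000000"` has no zone designator.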
@@ -250,11 +253,11 @@ Alternative Proofpoint endpoints can be configured:
### Pipeline Processing
-Threat events can be preprocessed:
+Email events can be preprocessed:
- Applying custom processing to threat events...
+ Applying custom processing to email security events...
```yaml
@@ -263,7 +266,7 @@ Threat events can be preprocessed:
name: proofpoint-pipeline
type: proofpoint
pipelines:
- - threat_enrichment
+ - email_enrichment
- geo_lookup
properties:
cluster: "your-cluster-id"
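Review bot: Renaming the referenced pipeline from `threat_enrichment` to `email_enrichment` only changes the reference in this device example; if a pipeline named `threat_enrichment` is defined anywhere else in the docs (a pipelines page or a later example on this page), that definition needs the same rename or the example will point at a pipeline that does not exist. Grep for the old name before merging.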
@@ -272,7 +275,7 @@ Threat events can be preprocessed:
```
- Pipelines enrich threat data before routing to targets...
+ Pipelines enrich email data before routing to targets...
diff --git a/sidebars.ts b/sidebars.ts
index 0c7b3d1a..17cf133b 100644
--- a/sidebars.ts
+++ b/sidebars.ts
@@ -100,7 +100,7 @@ const sidebars: SidebarsConfig = {
"configuration/devices/microsoft-sentinel",
"configuration/devices/nats",
"configuration/devices/netflow",
- "configuration/devices/proofpoint",
+ "configuration/devices/proofpoint-on-demand",
"configuration/devices/rabbitmq",
"configuration/devices/redis",
"configuration/devices/sflow",
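Review bot: The sidebar id `configuration/devices/proofpoint-on-demand` matches the new filename only because the front matter sets no explicit `id`, which is fine, but the rename also changes the public URL and no redirect from `configuration/devices/proofpoint` is added in this change. Any existing bookmarks, support links or in-page cross references to the old path will 404; add a client redirect (or a stub page) for the old route.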
diff --git a/src/css/custom.css b/src/css/custom.css
index eba6f6b6..f4320c09 100644
--- a/src/css/custom.css
+++ b/src/css/custom.css
@@ -247,12 +247,6 @@ img[alt$="#width600"] {
article ul { list-style-type: disc; }
article ol { list-style-type: decimal; }
-/* Prose line length: cap at 75 characters for readability */
-article .markdown > p,
-article .markdown > ul,
-article .markdown > ol {
- max-width: 75ch;
-}
/* Section spacing: consistent vertical rhythm */
article .markdown > h2 { margin-top: 2rem; }
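Review bot: Removing the `max-width: 75ch` rule on `article .markdown > p/ul/ol` is a site-wide styling change unrelated to the Proofpoint rename, and it reverts the readability cap that the deleted comment explicitly documented. Split it into its own commit with a rationale, or confirm in the commit message that dropping the line-length limit is intentional rather than an accidental revert.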