VirtualMetric · KorayErkan · Feb 19, 2026 · Feb 18, 2026 · Feb 18, 2026
diff --git a/docs/configuration/devices/overview.mdx b/docs/configuration/devices/overview.mdx
@@ -128,7 +128,7 @@ The system supports the following device types:
 
 * **Security Integration** - These devices integrate with security products:
   * **eStreamer**: Connects to Cisco eStreamer servers
-  * **Proofpoint**: Consumes Proofpoint TAP log stream via WebSocket
+  * **Proofpoint**: Consumes Proofpoint On Demand log stream via WebSocket
   * **SNMP Trap**: Receives SNMP trap notifications
 
 * **System Integration** - These devices interact with operating systems:

diff --git a/docs/configuration/devices/proofpoint.mdx → ...guration/devices/proofpoint-on-demand.mdx b/docs/configuration/devices/proofpoint.mdx → ...guration/devices/proofpoint-on-demand.mdx
@@ -1,17 +1,17 @@
 ---
-description: Proofpoint Targeted Attack Protection log stream consumer
+description: Proofpoint On Demand email security log stream consumer
 sidebar_custom_props:
   customCategory: "Devices"
   customIcon: "🛡️"
 ---
 
-# Proofpoint
+# Proofpoint On Demand
 
 <span className="theme-doc-version-badge badge badge--secondary">Pull</span>
 
 ## Synopsis
 
-Creates a WebSocket consumer that connects to Proofpoint's Targeted Attack Protection (TAP) log stream service and receives security event data. Supports both message and maillog data types with secure token authentication.
+Creates a WebSocket consumer that connects to Proofpoint's On Demand (POD) log stream service and receives email security event data. Supports both message and maillog data types with secure token authentication.
 
 ## Schema
 
@@ -70,14 +70,14 @@ The following fields are used to define the device:
 
 ### WebSocket Connection
 
-The device establishes a persistent WebSocket connection to Proofpoint's TAP log stream service. The connection URL includes query parameters for cluster ID and data type. Bearer token authentication is used in the Authorization header.
+The device establishes a persistent WebSocket connection to Proofpoint's On Demand log stream service. The connection URL includes query parameters for cluster ID and data type. Bearer token authentication is used in the Authorization header.
 
 ### Data Types
 
 Proofpoint supports two log data types:
 
-- **message**: Security event messages including threats detected, clicks permitted/blocked, and message disposition
-- **maillog**: Mail flow logs including message routing and delivery information
+- **message**: Email processing logs including connection metadata, envelope details, message headers, and filter module results
+- **maillog**: Mail transfer agent logs including SMTP transactions and delivery status
 
 ### Token Security
 
@@ -101,13 +101,13 @@ The minimum required configuration creates the consumer:
 
 <ExampleGrid>
   <CommentCol>
-    Creating a basic Proofpoint consumer for security messages...
+    Creating a basic Proofpoint On Demand consumer for email processing logs...
   </CommentCol>
   <CodeCol>
     ```yaml
     devices:
       - id: 1
-        name: proofpoint-tap
+        name: proofpoint-pod
         type: proofpoint
         properties:
           cluster: "your-cluster-id"
@@ -116,15 +116,17 @@ The minimum required configuration creates the consumer:
     ```
   </CodeCol>
   <CommentCol>
-    Device receives Proofpoint threat events in real-time...
+    Device receives Proofpoint email events in real-time...
   </CommentCol>
   <CodeCol>
     ```json
     {
-      "GUID": "abc123",
-      "threatType": "url",
-      "classification": "malware",
-      "threatUrl": "http://malicious.example.com"
+      "guid": "abc123-def456",
+      "ts": "2025-01-02T10:30:00.000000",
+      "connection": { "ip": "192.0.2.10", "host": "mail.example.com" },
+      "envelope": { "from": "sender@example.com", "rcpts": ["user@company.com"] },
+      "msg": { "header": { "subject": "Quarterly Report", "from": ["sender@example.com"] } },
+      "filter": { "modules": { "spam": { "verdict": "notspam" } } }
     }
     ```
   </CodeCol>
@@ -181,15 +183,16 @@ Mail flow logs can be consumed:
     ```
   </CodeCol>
   <CommentCol>
-    Device receives mail flow events including routing decisions...
+    Device receives mail transfer agent log events including delivery status...
   </CommentCol>
   <CodeCol>
     ```json
     {
-      "ts": "2025-01-02T10:30:00Z",
-      "sender": "user@example.com",
-      "recipient": "dest@company.com",
-      "action": "delivered"
+      "ts": "2025-01-02T10:30:00.000000",
+      "data": "smtp;250 2.0.0 OK",
+      "sm": { "from": "sender@example.com", "to": ["dest@company.com"] },
+      "pps": { "cid": "cluster01", "agent": "m0042.ppops.net" },
+      "id": "msg-20250102-001"
     }
     ```
   </CodeCol>
@@ -250,11 +253,11 @@ Alternative Proofpoint endpoints can be configured:
 
 ### Pipeline Processing
 
-Threat events can be preprocessed:
+Email events can be preprocessed:
 
 <ExampleGrid>
   <CommentCol>
-    Applying custom processing to threat events...
+    Applying custom processing to email security events...
   </CommentCol>
   <CodeCol>
     ```yaml
@@ -263,7 +266,7 @@ Threat events can be preprocessed:
         name: proofpoint-pipeline
         type: proofpoint
         pipelines:
-          - threat_enrichment
+          - email_enrichment
           - geo_lookup
         properties:
           cluster: "your-cluster-id"
@@ -272,7 +275,7 @@ Threat events can be preprocessed:
     ```
   </CodeCol>
   <CommentCol>
-    Pipelines enrich threat data before routing to targets...
+    Pipelines enrich email data before routing to targets...
   </CommentCol>
 </ExampleGrid>
 

diff --git a/sidebars.ts b/sidebars.ts
@@ -100,7 +100,7 @@ const sidebars: SidebarsConfig = {
             "configuration/devices/microsoft-sentinel",
             "configuration/devices/nats",
             "configuration/devices/netflow",
-            "configuration/devices/proofpoint",
+            "configuration/devices/proofpoint-on-demand",
             "configuration/devices/rabbitmq",
             "configuration/devices/redis",
             "configuration/devices/sflow",

diff --git a/src/css/custom.css b/src/css/custom.css
@@ -247,12 +247,6 @@ img[alt$="#width600"] {
 article ul { list-style-type: disc; }
 article ol { list-style-type: decimal; }
 
-/* Prose line length: cap at 75 characters for readability */
-article .markdown > p,
-article .markdown > ul,
-article .markdown > ol {
-  max-width: 75ch;
-}
 
 /* Section spacing: consistent vertical rhythm */
 article .markdown > h2 { margin-top: 2rem; }