Proofpoint On Demand (POD) Email Security for Sentinel

Solution: Proofpoint On demand(POD) Email Security

| Attribute | Value |
|---|---|
| Publisher | Proofpoint, Inc. |
| Support Tier | Partner |
| Support Link | https://proofpoint.my.site.com/community/s/ |
| Categories | domains |
| Version | 3.1.4 |
| Author | Proofpoint, Inc. - azure-support@proofpoint.com |
| First Published | 2021-03-31 |
| Last Updated | 2026-04-22 |
| Solution Folder | Proofpoint On demand(POD) Email Security |
| Marketplace | Azure Marketplace · Popularity: ⚪ Very Low (0%) |

The Proofpoint on Demand Email Security solution for Microsoft Sentinel enables you to ingest Proofpoint on Demand Email Protection data and activity logs for monitoring email activity, events and threats in your organization.

Underlying Microsoft Technologies used:

This solution depends on the following technologies; some of these dependencies may be in Preview state or may incur additional ingestion or operational costs:

Microsoft Sentinel Codeless Connector Framework

Contents

Data Connectors

This solution provides 1 data connector(s) (plus 1 discovered⚠️):

🔍 Discovered: This item was discovered by scanning the solution folder but is not listed in the Solution JSON file.

🔶 CLv1: This connector ingests into a table that uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. _s, _d, _b, _t, _g). Note: identification is based on column name suffixes which are also permitted in CLv2, so this classification may not always be accurate.

Tables Used

This solution uses 7 table(s):

| Table | Used By Connectors | Used By Content |
|---|---|---|
| ProofpointPODMailLog_CL | Proofpoint On Demand Email Security (via Codeless Connector Platform), [Deprecated] Proofpoint On Demand Email Security | Analytics, Hunting, Workbooks |
| ProofpointPODMessage_CL | Proofpoint On Demand Email Security (via Codeless Connector Platform), [Deprecated] Proofpoint On Demand Email Security | Analytics, Hunting, Workbooks |
| ProofpointPOD_maillog_CL 🔶 | [Deprecated] Proofpoint On Demand Email Security | Analytics, Hunting, Workbooks |
| ProofpointPOD_message_CL 🔶 | [Deprecated] Proofpoint On Demand Email Security | Analytics, Hunting, Workbooks |
| ThreatIntelligenceIndicator | - | Analytics |
| maillog_CL 🔶 | [Deprecated] Proofpoint On Demand Email Security | Analytics, Hunting, Workbooks |
| message_CL 🔶 | [Deprecated] Proofpoint On Demand Email Security | Analytics, Hunting, Workbooks |

🔶 CLv1: This table uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. _s, _d, _b, _t, _g). Note: identification is based on column name suffixes which are also permitted in CLv2, so this classification may not always be accurate.

Content Items

This solution includes 22 content item(s):

| Content Type | Count |
|---|---|
| Analytic Rules | 10 |
| Hunting Queries | 10 |
| Workbooks | 1 |
| Parsers | 1 |

Analytic Rules

| Name | Severity | Tactics | Tables Used |
|---|---|---|---|
| ProofpointPOD - Binary file in attachment | Medium | InitialAccess | ProofpointPODMailLog_CL, ProofpointPODMessage_CL, ProofpointPOD_maillog_CL, ProofpointPOD_message_CL, maillog_CL, message_CL |
| ProofpointPOD - Email sender IP in TI list | Medium | Exfiltration, InitialAccess | ProofpointPODMailLog_CL, ProofpointPODMessage_CL, ProofpointPOD_maillog_CL, ProofpointPOD_message_CL, ThreatIntelligenceIndicator, maillog_CL, message_CL |
| ProofpointPOD - Email sender in TI list | Medium | Exfiltration, InitialAccess | ProofpointPODMailLog_CL, ProofpointPODMessage_CL, ProofpointPOD_maillog_CL, ProofpointPOD_message_CL, ThreatIntelligenceIndicator, maillog_CL, message_CL |
| ProofpointPOD - High risk message not discarded | Low | InitialAccess | ProofpointPODMailLog_CL, ProofpointPODMessage_CL, ProofpointPOD_maillog_CL, ProofpointPOD_message_CL, maillog_CL, message_CL |
| ProofpointPOD - Multiple archived attachments to the same recipient | Medium | Exfiltration | ProofpointPODMailLog_CL, ProofpointPODMessage_CL, ProofpointPOD_maillog_CL, ProofpointPOD_message_CL, maillog_CL, message_CL |
| ProofpointPOD - Multiple large emails to the same recipient | Medium | Exfiltration | ProofpointPODMailLog_CL, ProofpointPODMessage_CL, ProofpointPOD_maillog_CL, ProofpointPOD_message_CL, maillog_CL, message_CL |
| ProofpointPOD - Multiple protected emails to unknown recipient | Medium | Exfiltration | ProofpointPODMailLog_CL, ProofpointPODMessage_CL, ProofpointPOD_maillog_CL, ProofpointPOD_message_CL, maillog_CL, message_CL |
| ProofpointPOD - Possible data exfiltration to private email | Medium | InitialAccess | ProofpointPODMailLog_CL, ProofpointPODMessage_CL, ProofpointPOD_maillog_CL, ProofpointPOD_message_CL, maillog_CL, message_CL |
| ProofpointPOD - Suspicious attachment | Medium | InitialAccess | ProofpointPODMailLog_CL, ProofpointPODMessage_CL, ProofpointPOD_maillog_CL, ProofpointPOD_message_CL, maillog_CL, message_CL |
| ProofpointPOD - Weak ciphers | Low | CommandAndControl | ProofpointPODMailLog_CL, ProofpointPODMessage_CL, ProofpointPOD_maillog_CL, ProofpointPOD_message_CL, maillog_CL, message_CL |

Hunting Queries

| Name | Tactics | Tables Used |
|---|---|---|
| ProofpointPOD - Emails with high score of 'adult' filter classifier value | InitialAccess | ProofpointPODMailLog_CL, ProofpointPODMessage_CL, ProofpointPOD_maillog_CL, ProofpointPOD_message_CL, maillog_CL, message_CL |
| ProofpointPOD - Emails with high score of 'malware' filter classifier value | InitialAccess | ProofpointPODMailLog_CL, ProofpointPODMessage_CL, ProofpointPOD_maillog_CL, ProofpointPOD_message_CL, maillog_CL, message_CL |
| ProofpointPOD - Emails with high score of 'phish' filter classifier value | InitialAccess | ProofpointPODMailLog_CL, ProofpointPODMessage_CL, ProofpointPOD_maillog_CL, ProofpointPOD_message_CL, maillog_CL, message_CL |
| ProofpointPOD - Emails with high score of 'spam' filter classifier value | InitialAccess | ProofpointPODMailLog_CL, ProofpointPODMessage_CL, ProofpointPOD_maillog_CL, ProofpointPOD_message_CL, maillog_CL, message_CL |
| ProofpointPOD - Emails with high score of 'suspect' filter classifier value | InitialAccess | ProofpointPODMailLog_CL, ProofpointPODMessage_CL, ProofpointPOD_maillog_CL, ProofpointPOD_message_CL, maillog_CL, message_CL |
| ProofpointPOD - Large size outbound emails | Exfiltration | ProofpointPODMailLog_CL, ProofpointPODMessage_CL, ProofpointPOD_maillog_CL, ProofpointPOD_message_CL, maillog_CL, message_CL |
| ProofpointPOD - Recipients with high number of discarded or rejected emails | InitialAccess | ProofpointPODMailLog_CL, ProofpointPODMessage_CL, ProofpointPOD_maillog_CL, ProofpointPOD_message_CL, maillog_CL, message_CL |
| ProofpointPOD - Recipients with large number of corrupted emails | InitialAccess | ProofpointPODMailLog_CL, ProofpointPODMessage_CL, ProofpointPOD_maillog_CL, ProofpointPOD_message_CL, maillog_CL, message_CL |
| ProofpointPOD - Senders with large number of corrupted messages | InitialAccess | ProofpointPODMailLog_CL, ProofpointPODMessage_CL, ProofpointPOD_maillog_CL, ProofpointPOD_message_CL, maillog_CL, message_CL |
| ProofpointPOD - Suspicious file types in attachments | InitialAccess | ProofpointPODMailLog_CL, ProofpointPODMessage_CL, ProofpointPOD_maillog_CL, ProofpointPOD_message_CL, maillog_CL, message_CL |

Workbooks

| Name | Tables Used |
|---|---|
| ProofpointPOD | ProofpointPODMailLog_CL, ProofpointPODMessage_CL, ProofpointPOD_maillog_CL, ProofpointPOD_message_CL, maillog_CL, message_CL |

Parsers

| Name | Description | Tables Used |
|---|---|---|
| ProofpointPOD | - | ProofpointPODMailLog_CL (read), ProofpointPODMessage_CL (read), ProofpointPOD_maillog_CL (read), ProofpointPOD_message_CL (read), maillog_CL (read), message_CL (read) |

Release Notes

| Version | Date Modified (DD-MM-YYYY) | Change History |
|---|---|---|
| 3.1.4 | 17-04-2026 | Update ProofpointPOD_PollingConfig.json to pass the sinceTime parameter with the firstWindowBackfillInMin configuration. |
| 3.1.3 | 19-03-2026 | Update ProofpointPOD_PollingConfig.json to pass a user-agent header carrying the solution package version. |
| 3.1.2 | 08-12-2025 | Update ProofpointPOD_PollingConfig.json to remove the start and end time query params; they affect time frames on the server side and cause duplicate data ingestion. |
| 3.1.1 | 03-11-2025 | Update support URL in SolutionMetadata.json. |
| 3.1.0 | 31-07-2025 | Updated Support details and publisherId in SolutionMetadata.json; updated Author details and Logo in Solution_ProofPointPOD.json from Microsoft to Proofpoint. |
| 3.0.5 | 28-07-2025 | Removed Deprecated Data Connector. |
| 3.0.4 | 06-05-2025 | Moved CCP Data Connector - Proofpoint On Demand Email Security from Public Preview to General Availability. |
| 3.0.3 | 12-03-2025 | Added new CCP Data Connector - Proofpoint On Demand Email Security. |
| 3.0.2 | 06-09-2024 | Updated the Python runtime version to 3.11 in the Data Connector Function App. |
| 3.0.1 | 02-05-2024 | Optimized Parser. |
| 3.0.0 | 01-08-2023 | Updated solution logo with Microsoft Sentinel logo. |
