- Identity
- Observed Data
### Supported STIX Operators *Comparison AND/OR operators are inside the observation while observation AND/OR operators are between observations (square brackets).*
| STIX Operator | Data Source Operator |
|---|---|
| AND (Comparision) | AND |
| OR (Comparision) | OR |
| > | > |
| >= | >= |
| < | < |
| <= | <= |
| = | = |
| != | != |
| LIKE | LIKE |
| IN | IN |
| MATCHES | LIKE |
| OR (Observation) | OR |
| AND (Observation) | OR |
| STIX Object and Property | Mapped Data Source Fields |
|---|---|
| x-proofpoint:threatstatus | threatStatus |
| x-proofpoint:threattype | threatType |
| email-addr:value | ccAddresses, fromAddress, headerFrom, headerReplyTo, replyToAddress, toAddresses, recipient, sender, headerTo, headerCC |
| email-message:cc_refs | ccAddresses, headerCC |
| email-message:from_ref | fromAddress, headerFrom, headerReplyTo, replyToAddress |
| email-message:to_refs | toAddresses, recipient, headerTo |
| email-message:body_multipart | messageParts |
| email-message:date | messageTime |
| email-message:sender_ref | sender |
| email-message:subject | subject |
| email-message:is_multipart | is_multipart |
| ipv4-addr:value | senderIP, clickIP |
| ipv6-addr:value | senderIP, clickIP |
| network-traffic:src_ref | senderIP, clickIP |
| url:value | threatUrl, url |
| x-proofpoint-msgevents:guid | GUID |
| x-proofpoint-msgevents:xmailer | xmailer |
| x-proofpoint-msgevents:cluster | cluster |
| x-proofpoint-msgevents:rewrittenstatus | completelyRewritten |
| x-proofpoint-msgevents:impostorscore | impostorScore |
| x-proofpoint-msgevents:malwareScore | malwareScore |
| x-proofpoint-msgevents:messageid | messageID |
| x-proofpoint-msgevents:size | messageSize |
| x-proofpoint-msgevents:modulesrun | modulesRun |
| x-proofpoint-msgevents:phishscore | phishScore |
| x-proofpoint-msgevents:policyroutes | policyRoutes |
| x-proofpoint-msgevents:quarantinefolder | quarantineFolder |
| x-proofpoint-msgevents:quarantinerule | quarantineRule |
| x-proofpoint-msgevents:senderip | senderIP |
| x-proofpoint-msgevents:spamscore | spamScore |
| x-proofpoint-msgevents:campaignid | campaignID |
| x-proofpoint-msgevents:classification | classification |
| x-proofpoint-msgevents:threat | threat |
| x-proofpoint-msgevents:threatid | threatID |
| x-proofpoint-msgevents:threatstatus | threatStatus |
| x-proofpoint-msgevents:threattime | threatTime |
| x-proofpoint-msgevents:threattype | threatType |
| x-proofpoint-msgevents:clicktime | clickTime |
| x-proofpoint-msgevents:qid | QID |
| x-proofpoint-msgevents:clusterid | clusterId |
| x-proofpoint-msgevents:useragent | userAgent |
| STIX Object | STIX Property | Data Source Field |
|---|---|---|
| email-addr | value | ccAddresses |
| email-addr | value | fromAddress |
| email-addr | value | headerFrom |
| email-addr | value | headerReplyTo |
| email-addr | value | replyToAddress |
| email-addr | value | toAddresses |
| email-addr | value | recipient |
| email-addr | value | sender |
| email-addr | value | headerTo |
| email-addr | value | headerCC |
| email-message | cc_refs | ccAddresses |
| email-message | from_ref | fromAddress |
| email-message | from_ref | headerFrom |
| email-message | from_ref | headerReplyTo |
| email-message | from_ref | replyToAddress |
| email-message | to_refs | toAddresses |
| email-message | body_multipart | messageParts |
| email-message | date | messageTime |
| email-message | to_refs | recipient |
| email-message | sender_ref | sender |
| email-message | subject | subject |
| email-message | is_multipart | is_multipart |
| email-message | to_refs | headerTo |
| email-message | cc_refs | headerCC |
| ipv4-addr | value | senderIP |
| ipv4-addr | value | clickIP |
| ipv6-addr | value | senderIP |
| ipv6-addr | value | clickIP |
| network-traffic | src_ref | senderIP |
| network-traffic | src_ref | clickIP |
| url | value | threatUrl |
| url | value | url |
| x-proofpoint-msgevents | guid | GUID |
| x-proofpoint-msgevents | xmailer | xmailer |
| x-proofpoint-msgevents | cluster | cluster |
| x-proofpoint-msgevents | rewrittenstatus | completelyRewritten |
| x-proofpoint-msgevents | impostorscore | impostorScore |
| x-proofpoint-msgevents | malwarescore | malwareScore |
| x-proofpoint-msgevents | messageid | messageID |
| x-proofpoint-msgevents | size | messageSize |
| x-proofpoint-msgevents | modulesrun | modulesRun |
| x-proofpoint-msgevents | phishscore | phishScore |
| x-proofpoint-msgevents | policyroutes | policyRoutes |
| x-proofpoint-msgevents | quarantinefolder | quarantineFolder |
| x-proofpoint-msgevents | quarantinerule | quarantineRule |
| x-proofpoint-msgevents | senderip | senderIP |
| x-proofpoint-msgevents | spamscore | spamScore |
| x-proofpoint-msgevents | campaignid | campaignID |
| x-proofpoint-msgevents | classification | classification |
| x-proofpoint-msgevents | threat | threat |
| x-proofpoint-msgevents | threatid | threatID |
| x-proofpoint-msgevents | threatstatus | threatStatus |
| x-proofpoint-msgevents | threattime | threatTime |
| x-proofpoint-msgevents | threattype | threatType |
| x-proofpoint-msgevents | clicktime | clickTime |
| x-proofpoint-msgevents | qid | QID |
| x-proofpoint-msgevents | clusterid | clusterId |
| x-proofpoint-msgevents | useragent | userAgent |