diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 85364d081e6..0316496996c 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -375,6 +375,7 @@ /packages/prometheus/data_stream/query @elastic/obs-infraobs-integrations /packages/prometheus/data_stream/remote_write @elastic/obs-ds-hosted-services /packages/prometheus_input @elastic/obs-infraobs-integrations +/packages/proofpoint_essentials @elastic/security-service-integrations /packages/proofpoint_itm @elastic/security-service-integrations /packages/proofpoint_on_demand @elastic/security-service-integrations /packages/proofpoint_tap @elastic/security-service-integrations diff --git a/packages/proofpoint_essentials/_dev/build/build.yml b/packages/proofpoint_essentials/_dev/build/build.yml new file mode 100644 index 00000000000..b2596b96490 --- /dev/null +++ b/packages/proofpoint_essentials/_dev/build/build.yml @@ -0,0 +1,3 @@ +dependencies: + ecs: + reference: git@v9.2.0 diff --git a/packages/proofpoint_essentials/_dev/build/docs/README.md b/packages/proofpoint_essentials/_dev/build/docs/README.md new file mode 100644 index 00000000000..73f54bbc983 --- /dev/null +++ b/packages/proofpoint_essentials/_dev/build/docs/README.md 
@@ -0,0 +1,130 @@ +# Proofpoint Essentials Integration for Elastic + +## Overview +The Proofpoint Essentials integration with Elastic enables the collection of threats for monitoring and analysis. This valuable data can be leveraged within Elastic to analyze potential threat signals, including spam, phishing, business email compromise (BEC), imposter emails, ransomware, and malware. + +This integration utilizes the [Proofpoint Essentials Threat API](https://help.proofpoint.com/Essentials/Additional_Resources/API_Documentation/Essentials_Threat_API) to collect threat events. + +### Compatibility + +The Proofpoint Essentials integration uses the REST API. It uses the `/v2/siem/all` to collect threat events. + +### How it works + +The **threat** data stream uses the `/v2/siem/all` endpoint to gather all threats starting from the configured initial interval. Subsequently, it fetches the recent threats available at each specified interval. + +The gathered threat data is subsequently routed into individual data streams, each corresponding to a specific threat type. + +## What data does this integration collect? + +The Proofpoint Essentials integration collects threat events of the following types: + +- `clicks_blocked`: events for clicks on malicious URLs blocked by URL Defense. +- `clicks_permitted`: events for clicks on malicious URLs permitted by URL Defense. +- `message_blocked`: events for blocked messages that contain threats recognized by URL Defense or Attachment Defense. +- `message_delivered`: events for delivered messages that contain threats recognized by URL Defense or Attachment Defense. + +### Supported use cases +Integrating Proofpoint Essentials with Elastic SIEM enriches your security operations with targeted email threat intelligence. It enables the detection, investigation, and analysis of phishing, malware, and other email-based threats by leveraging detailed data on clicks and message events. + +## What do I need to use this integration? 
+ +### From Proofpoint Essentials + +#### Collecting data from Essentials Threat API + +1. Navigate to + - Go to **Account Management > Integrations**, then select the **Integration Keys** tab. +2. Add a New Key + - Click **Add Integration Key** in the upper right-hand corner. +3. Enter Key Details + - Provide a **description** to help identify the purpose of the key. + - In the **Access Type** dropdown, select **SIEM Threat Events** +4. Set Scope + - If you are part of an **organisation**, the **Scope** field will be locked to **My Organisation Only**. + - If you are a **partner**, you can choose between: + - **My Organisation Only** + - **My Organisation and All Child Organisations** +5. Create and Save Credentials + - After clicking **Create**, you’ll receive **API Key** and **API Key Secret**. +6. Activation Time + - The key may take up to **30 minutes** to become active. + +For more details, check [Documentation](https://help.proofpoint.com/Essentials/Product_Documentation/Account_Management/Integrations/Integration_Keys). + +## How do I deploy this integration? + +### Agent-based deployment + +Elastic Agent must be installed. For more details, check the Elastic Agent [installation instructions](docs-content://reference/fleet/install-elastic-agents.md). You can install only one Elastic Agent per host. + +Elastic Agent is required to stream data from the syslog or log file receiver and ship the data to Elastic, where the events will then be processed via the integration's ingest pipelines. + +### Agentless deployment + +Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. Agentless deployments provide a means to ingest data while avoiding the orchestration, management, and maintenance needs associated with standard ingest infrastructure. Using an agentless deployment makes manual agent deployment unnecessary, allowing you to focus on your data instead of the agent that collects it. 
+ +For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html) + +### Onboard / configure + +1. In the top search bar in Kibana, search for **Integrations**. +2. In the search bar, type **Proofpoint Essentials**. +3. Select the **Proofpoint Essentials** integration from the search results. +4. Select **Add Proofpoint Essentials** to add the integration. +5. Enable and configure only the collection methods which you will use. + + * To **Collect Proofpoint Essentials logs via API**, you'll need to: + + - Configure **URL**, **API Key**, and **API Key Secret**. + - Adjust the integration configuration parameters if required, including the Interval, Collect Customer Data, Collect Own Data, Preserve original event etc. to enable data collection. + +6. Select **Save and continue** to save the integration. + +### Validation + +#### Dashboards populated + +1. In the top search bar in Kibana, search for **Dashboards**. +2. In the search bar, type **Proofpoint Essentials**. +3. Select a dashboard for the dataset you are collecting, and verify the dashboard information is populated. + +## Troubleshooting + +For help with Elastic ingest tools, check [Common problems](https://www.elastic.co/docs/troubleshoot/ingest/fleet/common-problems). + +## Scaling + +For more information on architectures that can be used for scaling this integration, check the [Ingest Architectures](https://www.elastic.co/docs/manage-data/ingest/ingest-reference-architectures) documentation. 
+ +## Reference + +### ECS field reference + +#### Clicks Blocked + +{{fields "clicks_blocked"}} + +#### Clicks Permitted + +{{fields "clicks_permitted"}} + +#### Messages Blocked + +{{fields "message_blocked"}} + +#### Messages Delivered + +{{fields "message_delivered"}} + +### Inputs used + +These inputs are used in this integration: + +- [cel](https://www.elastic.co/docs/reference/beats/filebeat/filebeat-input-cel) + +### API usage + +This integration uses the following APIs: + +- [Proofpoint Essentials Threat API](https://help.proofpoint.com/Essentials/Additional_Resources/API_Documentation/Essentials_Threat_API). diff --git a/packages/proofpoint_essentials/changelog.yml b/packages/proofpoint_essentials/changelog.yml new file mode 100644 index 00000000000..6524a8338e2 --- /dev/null +++ b/packages/proofpoint_essentials/changelog.yml @@ -0,0 +1,6 @@ +# newer versions go on top +- version: "0.1.0" + changes: + - description: Initial release. + type: enhancement + link: https://github.com/elastic/integrations/pull/16073 diff --git a/packages/proofpoint_essentials/data_stream/clicks_blocked/fields/base-fields.yml b/packages/proofpoint_essentials/data_stream/clicks_blocked/fields/base-fields.yml new file mode 100644 index 00000000000..633ce775bef --- /dev/null +++ b/packages/proofpoint_essentials/data_stream/clicks_blocked/fields/base-fields.yml @@ -0,0 +1,16 @@ +- name: data_stream.type + external: ecs +- name: data_stream.dataset + external: ecs +- name: data_stream.namespace + external: ecs +- name: event.module + external: ecs + type: constant_keyword + value: proofpoint_essentials +- name: event.dataset + external: ecs + type: constant_keyword + value: proofpoint_essentials.clicks_blocked +- name: '@timestamp' + external: ecs diff --git a/packages/proofpoint_essentials/data_stream/clicks_blocked/fields/beats.yml b/packages/proofpoint_essentials/data_stream/clicks_blocked/fields/beats.yml new file mode 100644 index 00000000000..4084f1dc7f5 --- /dev/null 
+++ b/packages/proofpoint_essentials/data_stream/clicks_blocked/fields/beats.yml @@ -0,0 +1,6 @@ +- name: input.type + type: keyword + description: Type of filebeat input. +- name: log.offset + type: long + description: Log offset. diff --git a/packages/proofpoint_essentials/data_stream/clicks_blocked/fields/ecs.yml b/packages/proofpoint_essentials/data_stream/clicks_blocked/fields/ecs.yml new file mode 100644 index 00000000000..e9f4f003382 --- /dev/null +++ b/packages/proofpoint_essentials/data_stream/clicks_blocked/fields/ecs.yml @@ -0,0 +1,4 @@ +# Define ECS constant fields as constant_keyword +- name: observer.vendor + type: constant_keyword + external: ecs diff --git a/packages/proofpoint_essentials/data_stream/clicks_blocked/fields/fields.yml b/packages/proofpoint_essentials/data_stream/clicks_blocked/fields/fields.yml new file mode 100644 index 00000000000..326b5e6551f --- /dev/null +++ b/packages/proofpoint_essentials/data_stream/clicks_blocked/fields/fields.yml 
@@ -0,0 +1,166 @@ +- name: proofpoint_essentials + type: group + fields: + - name: threat + type: group + fields: + - name: cc_addresses + type: keyword + description: 'A list of email addresses contained within the CC: header, excluding friendly names.' + - name: classification + type: keyword + description: The threat category of the malicious URL. + - name: click_ip + type: ip + description: The external IP address of the user who clicked on the link. If the user is behind a firewall performing network address translation, the IP address of the firewall will be shown. + - name: click_time + type: date + description: The time the user clicked on the URL. + - name: completely_rewritten + type: keyword + description: The rewrite status of the message. + - name: customer_eid + type: keyword + description: The customer's entity ID. + - name: customer_name + type: keyword + description: The customer's name, as configured in Essentials. + - name: event_type + type: keyword + - name: from_address + type: keyword + description: 'The email address contained in the From: header, excluding friendly name.' + - name: guid + type: keyword + description: The ID of the message within PPS. It can be used to identify the message in PPS and is guaranteed to be unique. + - name: header_from + type: keyword + description: 'The full content of the 
From: header, including any friendly name.' + - name: header_reply_to + type: keyword + description: 'If present, the full content of the Reply-To: header, including any friendly names.' + - name: id + type: keyword + description: The unique id of the click. + - name: impostor_score + type: long + description: The impostor score of the message. Higher scores indicate higher certainty. + - name: malware_score + type: long + description: The malware score of the message. Higher scores indicate higher certainty. + - name: message_details_url + type: keyword + description: A permalink to the messages' details page. + - name: message_id + type: keyword + description: Message-ID extracted from the headers of the email message. It can be used to look up the associated message in PPS and is not unique. + - name: message_parts + type: group + fields: + - name: content_type + type: keyword + description: The true, detected Content-Type of the message_part. This may differ from the o_content_type value. + - name: disposition + type: keyword + description: If the value is "inline", the message_part is a message body. If the value is "attached", the message_part is an attachment. + - name: filename + type: keyword + description: The filename of the message_part. + - name: md5 + type: keyword + description: The MD5 hash of the message_part contents. + - name: o_content_type + type: keyword + description: The declared Content-Type of the message_part. + - name: sandbox_status + type: keyword + description: The verdict returned by the sandbox during the scanning process. + - name: sha256 + type: keyword + description: The SHA256 hash of the message_part contents. + - name: message_size + type: long + description: The size in bytes of the message, including headers and attachments. + - name: message_time + type: date + description: When the message was delivered to the user or quarantined by PPS. + - name: parent_eid + type: keyword + description: The parent's EID. 
+ - name: parent_name + type: keyword + description: The parent's name, as configured in Essentials. + - name: phish_score + type: long + description: The phish score of the message. Higher scores indicate higher certainty. + - name: quarantine_rule + type: keyword + description: The name of the rule which quarantined the message. This appears only for messages_blocked events. + - name: recipient + type: keyword + description: An array containing the email addresses of the SMTP (envelope) recipients. + - name: reply_to_address + type: keyword + description: 'The email address contained in the Reply-To: header, excluding friendly name.' + - name: sender + type: keyword + description: The email address of the SMTP (envelope) sender. The user-part is hashed. The domain-part is cleartext. + - name: sender_ip + type: ip + description: The IP address of the sender. + - name: spam_score + type: long + description: The spam score of the message. Higher scores indicate higher certainty. + - name: stack_name + type: keyword + description: The name of the Essentials stack which processed the message. + - name: subject + type: keyword + description: The subject line of the message, if available. + - name: threat_id + type: keyword + description: The unique identifier associated with this threat. It can be used to query the forensics and campaign endpoints. + - name: threat_time + type: date + description: Proofpoint identified the URL as a threat at this time. + - name: threat_status + type: keyword + description: The current state of the threat. + - name: threats_info_map + type: group + fields: + - name: actors + type: nested + description: An array of structures which contain details about the actors associated with a threat. + - name: classification + type: keyword + description: The category of threat found in the message. + - name: detection_type + type: keyword + - name: threat + type: keyword + description: The artifact which was condemned by Proofpoint. 
The malicious URL, hash of the attachment threat, or email address of the impostor sender. + - name: threat_id + type: keyword + description: The unique identifier associated with this threat. It can be used to query the forensics and campaign endpoints. + - name: threat_status + type: keyword + description: The current state of the threat. + - name: threat_time + type: date + description: Proofpoint assigned the threat_status at this time. + - name: threat_type + type: keyword + description: Whether the threat was an attachment, URL, or message type. + - name: to_addresses + type: keyword + description: 'A list of email addresses contained within the To: header, excluding friendly names.' + - name: url + type: keyword + description: The malicious URL which was clicked. + - name: user_agent + type: keyword + description: The User-Agent header from the clicker's HTTP request. + - name: xmailer + type: keyword + description: 'The content of the X-Mailer: header, if present.' diff --git a/packages/proofpoint_essentials/data_stream/clicks_blocked/manifest.yml b/packages/proofpoint_essentials/data_stream/clicks_blocked/manifest.yml new file mode 100644 index 00000000000..fdf9f714835 --- /dev/null +++ b/packages/proofpoint_essentials/data_stream/clicks_blocked/manifest.yml @@ -0,0 +1,9 @@ +title: Proofpoint Essentials Clicks Blocked Events +dataset: proofpoint_essentials.clicks_blocked +type: logs +elasticsearch: + dynamic_dataset: true + dynamic_namespace: true + index_template: + mappings: + dynamic: true diff --git a/packages/proofpoint_essentials/data_stream/clicks_permitted/fields/base-fields.yml b/packages/proofpoint_essentials/data_stream/clicks_permitted/fields/base-fields.yml new file mode 100644 index 00000000000..f47e7d4ea0d --- /dev/null +++ b/packages/proofpoint_essentials/data_stream/clicks_permitted/fields/base-fields.yml 
@@ -0,0 +1,16 @@ +- name: data_stream.type + external: ecs +- name: data_stream.dataset + external: ecs +- name: data_stream.namespace + external: ecs +- name: event.module + external: ecs + type: constant_keyword + value: proofpoint_essentials +- name: event.dataset + external: ecs + type: constant_keyword + value: proofpoint_essentials.clicks_permitted +- name: '@timestamp' + external: ecs diff --git a/packages/proofpoint_essentials/data_stream/clicks_permitted/fields/beats.yml b/packages/proofpoint_essentials/data_stream/clicks_permitted/fields/beats.yml new file mode 100644 index 00000000000..4084f1dc7f5 --- /dev/null +++ b/packages/proofpoint_essentials/data_stream/clicks_permitted/fields/beats.yml @@ -0,0 +1,6 @@ +- name: input.type + type: keyword + description: Type of filebeat input. +- name: log.offset + type: long + description: Log offset. diff --git a/packages/proofpoint_essentials/data_stream/clicks_permitted/fields/ecs.yml b/packages/proofpoint_essentials/data_stream/clicks_permitted/fields/ecs.yml new file mode 100644 index 00000000000..e9f4f003382 --- /dev/null +++ b/packages/proofpoint_essentials/data_stream/clicks_permitted/fields/ecs.yml @@ -0,0 +1,4 @@ +# Define ECS constant fields as constant_keyword +- name: observer.vendor + type: constant_keyword + external: ecs diff --git a/packages/proofpoint_essentials/data_stream/clicks_permitted/fields/fields.yml b/packages/proofpoint_essentials/data_stream/clicks_permitted/fields/fields.yml new file mode 100644 index 00000000000..326b5e6551f --- /dev/null +++ b/packages/proofpoint_essentials/data_stream/clicks_permitted/fields/fields.yml 
@@ -0,0 +1,166 @@ +- name: proofpoint_essentials + type: group + fields: + - name: threat + type: group + fields: + - name: cc_addresses + type: keyword + description: 'A list of email addresses contained within the CC: header, excluding friendly names.' + - name: classification + type: keyword + description: The threat category of the malicious URL. + - name: click_ip + type: ip + description: The external IP address of the user who clicked on the link. If the user is behind a firewall performing network address translation, the IP address of the firewall will be shown. + - name: click_time + type: date + description: The time the user clicked on the URL. + - name: completely_rewritten + type: keyword + description: The rewrite status of the message. + - name: customer_eid + type: keyword + description: The customer's entity ID. + - name: customer_name + type: keyword + description: The customer's name, as configured in Essentials. + - name: event_type + type: keyword + - name: from_address + type: keyword + description: 'The email address contained in the From: header, excluding friendly name.' + - name: guid + type: keyword + description: The ID of the message within PPS. It can be used to identify the message in PPS and is guaranteed to be unique. + - name: header_from + type: keyword + description: 'The full content of the 
From: header, including any friendly name.' + - name: header_reply_to + type: keyword + description: 'If present, the full content of the Reply-To: header, including any friendly names.' + - name: id + type: keyword + description: The unique id of the click. + - name: impostor_score + type: long + description: The impostor score of the message. Higher scores indicate higher certainty. + - name: malware_score + type: long + description: The malware score of the message. Higher scores indicate higher certainty. + - name: message_details_url + type: keyword + description: A permalink to the messages' details page. + - name: message_id + type: keyword + description: Message-ID extracted from the headers of the email message. It can be used to look up the associated message in PPS and is not unique. + - name: message_parts + type: group + fields: + - name: content_type + type: keyword + description: The true, detected Content-Type of the message_part. This may differ from the o_content_type value. + - name: disposition + type: keyword + description: If the value is "inline", the message_part is a message body. If the value is "attached", the message_part is an attachment. + - name: filename + type: keyword + description: The filename of the message_part. + - name: md5 + type: keyword + description: The MD5 hash of the message_part contents. + - name: o_content_type + type: keyword + description: The declared Content-Type of the message_part. + - name: sandbox_status + type: keyword + description: The verdict returned by the sandbox during the scanning process. + - name: sha256 + type: keyword + description: The SHA256 hash of the message_part contents. + - name: message_size + type: long + description: The size in bytes of the message, including headers and attachments. + - name: message_time + type: date + description: When the message was delivered to the user or quarantined by PPS. + - name: parent_eid + type: keyword + description: The parent's EID. 
+ - name: parent_name + type: keyword + description: The parent's name, as configured in Essentials. + - name: phish_score + type: long + description: The phish score of the message. Higher scores indicate higher certainty. + - name: quarantine_rule + type: keyword + description: The name of the rule which quarantined the message. This appears only for messages_blocked events. + - name: recipient + type: keyword + description: An array containing the email addresses of the SMTP (envelope) recipients. + - name: reply_to_address + type: keyword + description: 'The email address contained in the Reply-To: header, excluding friendly name.' + - name: sender + type: keyword + description: The email address of the SMTP (envelope) sender. The user-part is hashed. The domain-part is cleartext. + - name: sender_ip + type: ip + description: The IP address of the sender. + - name: spam_score + type: long + description: The spam score of the message. Higher scores indicate higher certainty. + - name: stack_name + type: keyword + description: The name of the Essentials stack which processed the message. + - name: subject + type: keyword + description: The subject line of the message, if available. + - name: threat_id + type: keyword + description: The unique identifier associated with this threat. It can be used to query the forensics and campaign endpoints. + - name: threat_time + type: date + description: Proofpoint identified the URL as a threat at this time. + - name: threat_status + type: keyword + description: The current state of the threat. + - name: threats_info_map + type: group + fields: + - name: actors + type: nested + description: An array of structures which contain details about the actors associated with a threat. + - name: classification + type: keyword + description: The category of threat found in the message. + - name: detection_type + type: keyword + - name: threat + type: keyword + description: The artifact which was condemned by Proofpoint. 
The malicious URL, hash of the attachment threat, or email address of the impostor sender. + - name: threat_id + type: keyword + description: The unique identifier associated with this threat. It can be used to query the forensics and campaign endpoints. + - name: threat_status + type: keyword + description: The current state of the threat. + - name: threat_time + type: date + description: Proofpoint assigned the threat_status at this time. + - name: threat_type + type: keyword + description: Whether the threat was an attachment, URL, or message type. + - name: to_addresses + type: keyword + description: 'A list of email addresses contained within the To: header, excluding friendly names.' + - name: url + type: keyword + description: The malicious URL which was clicked. + - name: user_agent + type: keyword + description: The User-Agent header from the clicker's HTTP request. + - name: xmailer + type: keyword + description: 'The content of the X-Mailer: header, if present.' diff --git a/packages/proofpoint_essentials/data_stream/clicks_permitted/manifest.yml b/packages/proofpoint_essentials/data_stream/clicks_permitted/manifest.yml new file mode 100644 index 00000000000..7bd613d9255 --- /dev/null +++ b/packages/proofpoint_essentials/data_stream/clicks_permitted/manifest.yml @@ -0,0 +1,9 @@ +title: Proofpoint Essentials Clicks Permitted Events +dataset: proofpoint_essentials.clicks_permitted +type: logs +elasticsearch: + dynamic_dataset: true + dynamic_namespace: true + index_template: + mappings: + dynamic: true diff --git a/packages/proofpoint_essentials/data_stream/message_blocked/fields/base-fields.yml b/packages/proofpoint_essentials/data_stream/message_blocked/fields/base-fields.yml new file mode 100644 index 00000000000..b623cefbef0 --- /dev/null +++ b/packages/proofpoint_essentials/data_stream/message_blocked/fields/base-fields.yml 
@@ -0,0 +1,16 @@ +- name: data_stream.type + external: ecs +- name: data_stream.dataset + external: ecs +- name: data_stream.namespace + external: ecs +- name: event.module + external: ecs + type: constant_keyword + value: proofpoint_essentials +- name: event.dataset + external: ecs + type: constant_keyword + value: proofpoint_essentials.message_blocked +- name: '@timestamp' + external: ecs diff --git a/packages/proofpoint_essentials/data_stream/message_blocked/fields/beats.yml b/packages/proofpoint_essentials/data_stream/message_blocked/fields/beats.yml new file mode 100644 index 00000000000..4084f1dc7f5 --- /dev/null +++ b/packages/proofpoint_essentials/data_stream/message_blocked/fields/beats.yml @@ -0,0 +1,6 @@ +- name: input.type + type: keyword + description: Type of filebeat input. +- name: log.offset + type: long + description: Log offset. diff --git a/packages/proofpoint_essentials/data_stream/message_blocked/fields/ecs.yml b/packages/proofpoint_essentials/data_stream/message_blocked/fields/ecs.yml new file mode 100644 index 00000000000..e9f4f003382 --- /dev/null +++ b/packages/proofpoint_essentials/data_stream/message_blocked/fields/ecs.yml @@ -0,0 +1,4 @@ +# Define ECS constant fields as constant_keyword +- name: observer.vendor + type: constant_keyword + external: ecs diff --git a/packages/proofpoint_essentials/data_stream/message_blocked/fields/fields.yml b/packages/proofpoint_essentials/data_stream/message_blocked/fields/fields.yml new file mode 100644 index 00000000000..326b5e6551f --- /dev/null +++ b/packages/proofpoint_essentials/data_stream/message_blocked/fields/fields.yml 
@@ -0,0 +1,166 @@ +- name: proofpoint_essentials + type: group + fields: + - name: threat + type: group + fields: + - name: cc_addresses + type: keyword + description: 'A list of email addresses contained within the CC: header, excluding friendly names.' + - name: classification + type: keyword + description: The threat category of the malicious URL. + - name: click_ip + type: ip + description: The external IP address of the user who clicked on the link. If the user is behind a firewall performing network address translation, the IP address of the firewall will be shown. + - name: click_time + type: date + description: The time the user clicked on the URL. + - name: completely_rewritten + type: keyword + description: The rewrite status of the message. + - name: customer_eid + type: keyword + description: The customer's entity ID. + - name: customer_name + type: keyword + description: The customer's name, as configured in Essentials. + - name: event_type + type: keyword + - name: from_address + type: keyword + description: 'The email address contained in the From: header, excluding friendly name.' + - name: guid + type: keyword + description: The ID of the message within PPS. It can be used to identify the message in PPS and is guaranteed to be unique. + - name: header_from + type: keyword + description: 'The full content of the 
From: header, including any friendly name.' + - name: header_reply_to + type: keyword + description: 'If present, the full content of the Reply-To: header, including any friendly names.' + - name: id + type: keyword + description: The unique id of the click. + - name: impostor_score + type: long + description: The impostor score of the message. Higher scores indicate higher certainty. + - name: malware_score + type: long + description: The malware score of the message. Higher scores indicate higher certainty. + - name: message_details_url + type: keyword + description: A permalink to the messages' details page. + - name: message_id + type: keyword + description: Message-ID extracted from the headers of the email message. It can be used to look up the associated message in PPS and is not unique. + - name: message_parts + type: group + fields: + - name: content_type + type: keyword + description: The true, detected Content-Type of the message_part. This may differ from the o_content_type value. + - name: disposition + type: keyword + description: If the value is "inline", the message_part is a message body. If the value is "attached", the message_part is an attachment. + - name: filename + type: keyword + description: The filename of the message_part. + - name: md5 + type: keyword + description: The MD5 hash of the message_part contents. + - name: o_content_type + type: keyword + description: The declared Content-Type of the message_part. + - name: sandbox_status + type: keyword + description: The verdict returned by the sandbox during the scanning process. + - name: sha256 + type: keyword + description: The SHA256 hash of the message_part contents. + - name: message_size + type: long + description: The size in bytes of the message, including headers and attachments. + - name: message_time + type: date + description: When the message was delivered to the user or quarantined by PPS. + - name: parent_eid + type: keyword + description: The parent's EID. 
+ - name: parent_name + type: keyword + description: The parent's name, as configured in Essentials. + - name: phish_score + type: long + description: The phish score of the message. Higher scores indicate higher certainty. + - name: quarantine_rule + type: keyword + description: The name of the rule which quarantined the message. This appears only for messages_blocked events. + - name: recipient + type: keyword + description: An array containing the email addresses of the SMTP (envelope) recipients. + - name: reply_to_address + type: keyword + description: 'The email address contained in the Reply-To: header, excluding friendly name.' + - name: sender + type: keyword + description: The email address of the SMTP (envelope) sender. The user-part is hashed. The domain-part is cleartext. + - name: sender_ip + type: ip + description: The IP address of the sender. + - name: spam_score + type: long + description: The spam score of the message. Higher scores indicate higher certainty. + - name: stack_name + type: keyword + description: The name of the Essentials stack which processed the message. + - name: subject + type: keyword + description: The subject line of the message, if available. + - name: threat_id + type: keyword + description: The unique identifier associated with this threat. It can be used to query the forensics and campaign endpoints. + - name: threat_time + type: date + description: Proofpoint identified the URL as a threat at this time. + - name: threat_status + type: keyword + description: The current state of the threat. + - name: threats_info_map + type: group + fields: + - name: actors + type: nested + description: An array of structures which contain details about the actors associated with a threat. + - name: classification + type: keyword + description: The category of threat found in the message. + - name: detection_type + type: keyword + - name: threat + type: keyword + description: The artifact which was condemned by Proofpoint. 
The malicious URL, hash of the attachment threat, or email address of the impostor sender. + - name: threat_id + type: keyword + description: The unique identifier associated with this threat. It can be used to query the forensics and campaign endpoints. + - name: threat_status + type: keyword + description: The current state of the threat. + - name: threat_time + type: date + description: Proofpoint assigned the threat_status at this time. + - name: threat_type + type: keyword + description: Whether the threat was an attachment, URL, or message type. + - name: to_addresses + type: keyword + description: 'A list of email addresses contained within the To: header, excluding friendly names.' + - name: url + type: keyword + description: The malicious URL which was clicked. + - name: user_agent + type: keyword + description: The User-Agent header from the clicker's HTTP request. + - name: xmailer + type: keyword + description: 'The content of the X-Mailer: header, if present.' diff --git a/packages/proofpoint_essentials/data_stream/message_blocked/manifest.yml b/packages/proofpoint_essentials/data_stream/message_blocked/manifest.yml new file mode 100644 index 00000000000..b360d95e568 --- /dev/null +++ b/packages/proofpoint_essentials/data_stream/message_blocked/manifest.yml @@ -0,0 +1,9 @@ +title: Proofpoint Essentials Messages Blocked Events +dataset: proofpoint_essentials.message_blocked +type: logs +elasticsearch: + dynamic_dataset: true + dynamic_namespace: true + index_template: + mappings: + dynamic: true diff --git a/packages/proofpoint_essentials/data_stream/message_delivered/fields/base-fields.yml b/packages/proofpoint_essentials/data_stream/message_delivered/fields/base-fields.yml new file mode 100644 index 00000000000..f481037d757 --- /dev/null +++ b/packages/proofpoint_essentials/data_stream/message_delivered/fields/base-fields.yml 
@@ -0,0 +1,16 @@ +- name: data_stream.type + external: ecs +- name: data_stream.dataset + external: ecs +- name: data_stream.namespace + external: ecs +- name: event.module + external: ecs + type: constant_keyword + value: proofpoint_essentials +- name: event.dataset + external: ecs + type: constant_keyword + value: proofpoint_essentials.message_delivered +- name: '@timestamp' + external: ecs diff --git a/packages/proofpoint_essentials/data_stream/message_delivered/fields/beats.yml b/packages/proofpoint_essentials/data_stream/message_delivered/fields/beats.yml new file mode 100644 index 00000000000..4084f1dc7f5 --- /dev/null +++ b/packages/proofpoint_essentials/data_stream/message_delivered/fields/beats.yml @@ -0,0 +1,6 @@ +- name: input.type + type: keyword + description: Type of filebeat input. +- name: log.offset + type: long + description: Log offset. diff --git a/packages/proofpoint_essentials/data_stream/message_delivered/fields/ecs.yml b/packages/proofpoint_essentials/data_stream/message_delivered/fields/ecs.yml new file mode 100644 index 00000000000..e9f4f003382 --- /dev/null +++ b/packages/proofpoint_essentials/data_stream/message_delivered/fields/ecs.yml @@ -0,0 +1,4 @@ +# Define ECS constant fields as constant_keyword +- name: observer.vendor + type: constant_keyword + external: ecs diff --git a/packages/proofpoint_essentials/data_stream/message_delivered/fields/fields.yml b/packages/proofpoint_essentials/data_stream/message_delivered/fields/fields.yml new file mode 100644 index 00000000000..326b5e6551f --- /dev/null +++ b/packages/proofpoint_essentials/data_stream/message_delivered/fields/fields.yml 
@@ -0,0 +1,166 @@ +- name: proofpoint_essentials + type: group + fields: + - name: threat + type: group + fields: + - name: cc_addresses + type: keyword + description: 'A list of email addresses contained within the CC: header, excluding friendly names.' + - name: classification + type: keyword + description: The threat category of the malicious URL. + - name: click_ip + type: ip + description: The external IP address of the user who clicked on the link. If the user is behind a firewall performing network address translation, the IP address of the firewall will be shown. + - name: click_time + type: date + description: The time the user clicked on the URL. + - name: completely_rewritten + type: keyword + description: The rewrite status of the message. + - name: customer_eid + type: keyword + description: The customer's entity ID. + - name: customer_name + type: keyword + description: The customer's name, as configured in Essentials. + - name: event_type + type: keyword + - name: from_address + type: keyword + description: 'The email address contained in the From: header, excluding friendly name.' + - name: guid + type: keyword + description: The ID of the message within PPS. It can be used to identify the message in PPS and is guaranteed to be unique. + - name: header_from + type: keyword + description: 'The full content of the 
From: header, including any friendly name.' + - name: header_reply_to + type: keyword + description: 'If present, the full content of the Reply-To: header, including any friendly names.' + - name: id + type: keyword + description: The unique id of the click. + - name: impostor_score + type: long + description: The impostor score of the message. Higher scores indicate higher certainty. + - name: malware_score + type: long + description: The malware score of the message. Higher scores indicate higher certainty. + - name: message_details_url + type: keyword + description: A permalink to the messages' details page. + - name: message_id + type: keyword + description: Message-ID extracted from the headers of the email message. It can be used to look up the associated message in PPS and is not unique. + - name: message_parts + type: group + fields: + - name: content_type + type: keyword + description: The true, detected Content-Type of the message_part. This may differ from the o_content_type value. + - name: disposition + type: keyword + description: If the value is "inline", the message_part is a message body. If the value is "attached", the message_part is an attachment. + - name: filename + type: keyword + description: The filename of the message_part. + - name: md5 + type: keyword + description: The MD5 hash of the message_part contents. + - name: o_content_type + type: keyword + description: The declared Content-Type of the message_part. + - name: sandbox_status + type: keyword + description: The verdict returned by the sandbox during the scanning process. + - name: sha256 + type: keyword + description: The SHA256 hash of the message_part contents. + - name: message_size + type: long + description: The size in bytes of the message, including headers and attachments. + - name: message_time + type: date + description: When the message was delivered to the user or quarantined by PPS. + - name: parent_eid + type: keyword + description: The parent's EID. 
+ - name: parent_name + type: keyword + description: The parent's name, as configured in Essentials. + - name: phish_score + type: long + description: The phish score of the message. Higher scores indicate higher certainty. + - name: quarantine_rule + type: keyword + description: The name of the rule which quarantined the message. This appears only for messages_blocked events. + - name: recipient + type: keyword + description: An array containing the email addresses of the SMTP (envelope) recipients. + - name: reply_to_address + type: keyword + description: 'The email address contained in the Reply-To: header, excluding friendly name.' + - name: sender + type: keyword + description: The email address of the SMTP (envelope) sender. The user-part is hashed. The domain-part is cleartext. + - name: sender_ip + type: ip + description: The IP address of the sender. + - name: spam_score + type: long + description: The spam score of the message. Higher scores indicate higher certainty. + - name: stack_name + type: keyword + description: The name of the Essentials stack which processed the message. + - name: subject + type: keyword + description: The subject line of the message, if available. + - name: threat_id + type: keyword + description: The unique identifier associated with this threat. It can be used to query the forensics and campaign endpoints. + - name: threat_time + type: date + description: Proofpoint identified the URL as a threat at this time. + - name: threat_status + type: keyword + description: The current state of the threat. + - name: threats_info_map + type: group + fields: + - name: actors + type: nested + description: An array of structures which contain details about the actors associated with a threat. + - name: classification + type: keyword + description: The category of threat found in the message. + - name: detection_type + type: keyword + - name: threat + type: keyword + description: The artifact which was condemned by Proofpoint. 
The malicious URL, hash of the attachment threat, or email address of the impostor sender. + - name: threat_id + type: keyword + description: The unique identifier associated with this threat. It can be used to query the forensics and campaign endpoints. + - name: threat_status + type: keyword + description: The current state of the threat. + - name: threat_time + type: date + description: Proofpoint assigned the threat_status at this time. + - name: threat_type + type: keyword + description: Whether the threat was an attachment, URL, or message type. + - name: to_addresses + type: keyword + description: 'A list of email addresses contained within the To: header, excluding friendly names.' + - name: url + type: keyword + description: The malicious URL which was clicked. + - name: user_agent + type: keyword + description: The User-Agent header from the clicker's HTTP request. + - name: xmailer + type: keyword + description: 'The content of the X-Mailer: header, if present.' diff --git a/packages/proofpoint_essentials/data_stream/message_delivered/manifest.yml b/packages/proofpoint_essentials/data_stream/message_delivered/manifest.yml new file mode 100644 index 00000000000..8d82de8d8d6 --- /dev/null +++ b/packages/proofpoint_essentials/data_stream/message_delivered/manifest.yml @@ -0,0 +1,9 @@ +title: Proofpoint Essentials Messages Delivered Events +dataset: proofpoint_essentials.message_delivered +type: logs +elasticsearch: + dynamic_dataset: true + dynamic_namespace: true + index_template: + mappings: + dynamic: true diff --git a/packages/proofpoint_essentials/data_stream/threat/_dev/test/pipeline/test-common-config.yml b/packages/proofpoint_essentials/data_stream/threat/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 00000000000..4da22641654 --- /dev/null +++ b/packages/proofpoint_essentials/data_stream/threat/_dev/test/pipeline/test-common-config.yml @@ -0,0 +1,3 @@ +fields: + tags: + - preserve_original_event 
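Review bot: `event_type` and `detection_type` in both copies of fields.yml have no `description`, and `threats_info_map.actors` is declared `type: nested` with no subfields, so the shape of the actor structures is left entirely to the `dynamic: true` setting in the two manifest.yml files. Explicitly enabling dynamic mapping means any key present in the vendor payload but absent from fields.yml is mapped on ingest, so mapping growth follows upstream payload changes; if that is required for the rerouted data streams, a comment in the manifest saying so would help future reviewers, and declaring the known `actors` subfields would shrink what depends on it. The `quarantine_rule` description also says "This appears only for messages_blocked events" while the dataset it ships in is `proofpoint_essentials.message_blocked` (and the README lists `message_blocked`); pick one spelling for docs and descriptions so readers can grep between the vendor event type and the data stream.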
diff --git a/packages/proofpoint_essentials/data_stream/threat/_dev/test/pipeline/test-threat.log b/packages/proofpoint_essentials/data_stream/threat/_dev/test/pipeline/test-threat.log new file mode 100644 index 00000000000..0c35b0286c1 --- /dev/null +++ b/packages/proofpoint_essentials/data_stream/threat/_dev/test/pipeline/test-threat.log 
@@ -0,0 +1,14 @@ +{"event_type":"clicks_blocked","url":"https://www.example.com/?name=john","classification":"phish","clickTime":"2022-03-21T07:52:11.000Z","threatTime":"2022-03-18T14:54:20.000Z","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 Edg/99.0.1150.39","id":"8760d0fc-1234-1234-1234-2exxfxxxxx1xd","clickIP":"89.160.20.112","sender":"abc123@example.com","recipient":"123abc@example.com","senderIP":"81.2.69.143","GUID":"x11xxxx1-12f9-111x-x12x-1x1x123456xx","threatID":"3xx97xx852c66a7xx761450xxxxxx9f4ffaxxxxxxxxxxxxxxx7a76481xx","threatStatus":"active","messageID":"12345678912345.12345.mail@example.com"} +{"event_type":"clicks_blocked","url":"http://www.example.com/public/download-shares/wwwxxxyyyzzz12345","classification":"phish","clickTime":"2022-03-30T07:22:52.000Z","threatTime":"2022-03-07T01:21:41.000Z","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.60 Safari/537.36","id":"b80af74a-1234-1234-1234-43xdxxbxxxxx6","clickIP":"89.160.20.112","sender":"abc123@example.com","recipient":"bd5da771530b11830e6dfd25838b0240@example.com","senderIP":"81.2.69.143","GUID":"bXkXXUrXAXVXWXGXxXrXAXXX-XXXH","threatID":"fdxxxxxxxxxxxcc34aff1aefxbx3xx7xb7xfxcxx1xxxxxxxx98780b5xxxexbx5xc32c","threatStatus":"active","messageID":"12345678912345.12345.mail@example.com"} +{"event_type":"clicks_blocked","url":"https://www.example.com/?name=abcd","classification":"phish","clickTime":"2025-03-21T07:52:11.000Z","threatTime":"2025-03-18T14:54:20.000Z","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 
Edg/99.0.1150.39","id":"8760d0fc-1234-5678-1234-2exxfxxxxx1xd","clickIP":"89.160.20.112","sender":"test@example.com","recipient":"badguy@example.com","senderIP":"1.128.0.1","GUID":"x11xxxx1-12f9-111x-x12x-1x1x123456xx","threatID":"3xx97xx852c66a7xx761450xxxxxx9f4ffaxxxxxxxxxxxxxxx7a76481xx","threatStatus":"active","messageID":"12345678912345.12345.mail@example.com"} +{"event_type":"clicks_blocked","url":"http://www.example.com/public/download-shares/wwwxxxskvdljyyyzzz12345","classification":"malware","clickTime":"2025-03-30T07:22:52.000Z","threatTime":"2025-03-07T01:21:41.000Z","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.60 Safari/537.36","id":"b80af74a-1234-adfe-1234-43xdxxbxxxxx6","clickIP":"175.16.199.2","sender":"manager@example.com","recipient":"john@example.com","senderIP":"81.2.69.143","GUID":"bXkXXUrXAXVXWXGXxXrXAXXX-XXXH","threatID":"fdxxxxxxxxxxxcc34aff1aefxbx3xx7xb7xfxcxx1xxxxxxxx98780b5xxxexbx5xc32c","threatStatus":"falsepositive","messageID":"12345678912345.12345.mail@example.com"} +{"event_type":"clicks_permitted","url":"http://example.com/ixxxx464xxx6x6xxd_cXxxxT_kxxTuQx_xIhxlx2qxxnxvxPxn","classification":"spam","clickTime":"2022-03-30T10:51:53.000Z","threatTime":"2022-02-26T00:36:25.000Z","userAgent":"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36","id":"90dd54bc-1234-1234-1234-cxxxxxxxxx4","clickIP":"89.160.20.112","sender":"abc123@example.com","recipient":"exxxxxxx8x2xxxx2x6x6xxxxx6xxxx5@example.com","senderIP":"81.2.69.143","GUID":"QUWXXxXXJHlYXRXXXXVXUXXk","threatID":"xxxxxxbx1cxcxx0xcx5xxxxdx5xex8xbx7xxxeexxxxxxxx9","threatStatus":"cleared","messageID":"12345678912345.12345.mail@example.com"} +{"event_type":"clicks_permitted","url":"https://xyz123456789.support.com#xyz@example.com","classification":"phish","clickTime":"2022-03-30T00:56:14.000Z","threatTime":"2022-03-30T00:53:43.000Z","userAgent":"Mozilla/5.0 
(Linux; Android 12; SM-N976U) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.88 Mobile Safari/537.36","id":"4b4ae949-1234-1234-1234-6axxxxx9xxxxx3","clickIP":"89.160.20.112","sender":"abc123@example.com","recipient":"f3xxxx0x2xcx3xaxbxcx2xaxxxcxxxx2@example.com","senderIP":"81.2.69.143","GUID":"VXXhXiXyXBXlXdXXfXXXXXWXLXXX","threatID":"xxxdxxdx6x7x6xxxxx5xxx837ex4x4xcx8xcxxxexxx2xxxxxx5","threatStatus":"active","messageID":"12345678912345.12345.mail@example.com"} +{"event_type":"clicks_permitted","url":"http://example.com/ixxxx464xxx6x6xxd_cXxxxT_kxxTuQx_xsjbvkajbsdffIhxlx2qxxnxvxPxn","classification":"spam","clickTime":"2025-03-30T10:51:53.000Z","threatTime":"2025-02-26T00:36:25.000Z","userAgent":"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36","id":"90dd54bc-acdf-1234-1234-cxxxxxxxxx4","clickIP":"1.128.0.1","sender":"qa@example.com","recipient":"sony@example.com","senderIP":"81.2.69.143","GUID":"QUWXXxXXJHlYXRXXXXVXUXXk","threatID":"xxxxxxbx1cxcxx0xcx5xxxxdx5xex8xbx7xxxeexxxxxxxx9","threatStatus":"falsepositive","messageID":"12345678912345.12345.mail@example.com"} +{"event_type":"clicks_permitted","url":"https://xyz123456789.support.com#xyz@example.com","classification":"phish","clickTime":"2025-03-30T00:56:14.000Z","threatTime":"2025-03-30T00:53:43.000Z","userAgent":"Mozilla/5.0 (Linux; Android 12; SM-N976U) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.88 Mobile Safari/537.36","id":"4b4ae949-1234-1234-abcd-6axxxdv9xxxxx3","clickIP":"89.160.20.112","sender":"support@example.com","recipient":"f3xxxx0x2xcx3xaxbxcx2xaxxxcxxxx2@example.com","senderIP":"175.16.199.1","GUID":"VXXhXiXyXBXlXdXXfXXXXXWXLXXX","threatID":"xxxdxxdx6x7x6xxxxx5xxx837ex4x4xcx8xcxxxexxx2xxxxxx5","threatStatus":"active","messageID":"12345678912345.12345.mail@example.com"} 
+{"event_type":"messages_blocked","GUID":"PE10US31763448305Iuh6KWTOOjEJV01","completelyRewritten":"false","customerEid":"1234567","customerName":"Plan ABC","fromAddress":"john@example.com","headerFrom":"john@example.com","impostorScore":0,"malwareScore":0,"messageDetailsUrl":"https://us3.proofpointessentials.com/index01.php?mod_id=13&mod_option=logitem&type=message_details&e_id=1234567&k=k1&payload=jsdbivugjkaegklmfa5dhta79hrg6dsab6nydtfjgn4ryt46sgdfvwetsr4dgf6earsg64qhea64rg64wv6s4hf65bsr68td4hfb68rts4dfh654brs6zd5s4dg6ba5z41r6hs5a4zd165dtu4h1j65nr1bgdf6g6s8d6fhg","messageID":"<20251118064504.GA125698@m1234567.ppops.net>","messageParts":[{"contentType":"text/html","disposition":"inline","filename":"text.html","md5":"7d793037a0760186574b0282f2f435e7","oContentType":"text/html","sandboxStatus":"notrequested","sha256":"486ea46224d1bb4fb680f34f7c9ad96a8f24ec88be73ea8e5a6c65260e9cb8a7"},{"contentType":"application/octet-stream","disposition":"attached","filename":"demo_146987645346416845132.docx.lrf","md5":"5eb63bbbe01eeed093cb22bb8f5acdc3","oContentType":"application/vnd.openxmlformats-officedocument.wordprocessingml.document","sandboxStatus":"notrequested","sha256":"b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9"}],"messageSize":52944,"messageTime":"2025-11-18T06:45:05.000000Z","parentEid":"12365","parentName":"QA Test Account - example.net","phishScore":0,"quarantineRule":"malware","recipient":["bob@example.org"],"replyToAddress":"","sender":"test@example.org","senderIP":"1.128.0.1","spamScore":0,"stackName":"us3","subject":"attachment threat","threatsInfoMap":[{"classification":"malware","threat":"ab4a368d0a65467ad6177ec6ae407f83d8e046ef34113fd89a2c7dd182e57c8e","threatId":"ABCD1234-1234-5678-ABEF-80123456789D","threatStatus":"active","threatTime":"2025-11-18T06:47:26.915Z","threatType":"attachment"}],"toAddresses":["bob@example.org"],"xmailer":""} 
+{"event_type":"messages_blocked","GUID":"nadjkbgajgakjnvjkrgnaergevVFHJBvyujb","completelyRewritten":"false","customerEid":"1235567","customerName":"Customer 4","fromAddress":"john@example.com","headerFrom":"alice@example.com","impostorScore":10,"malwareScore":30,"messageDetailsUrl":"https://us3.proofpointessentials.com/index01.php?mod_id=13&mod_option=logitem&type=message_details&e_id=1235567&k=k1&payload=jsdbivugjkaegklmffdvdfa5dhta79hrg6dsab6nydtfjgn4ryt46sgdfvwetsr4dgf6earsg64qhea64rg64wv6s4hf65bsr68td4hfb68rts4dfh654brs6zd5s4dg6ba5z41r6hs5a4zd165dtu4h1j65nr1bgdf6g6s8d6fhg","messageID":"<20251118064504.GA125698@m1235567.ppops.net>","messageParts":[{"contentType":"text/html","disposition":"inline","filename":"text.html","md5":"7d793037a0760186574b0282f2f435e7","oContentType":"text/html","sandboxStatus":"notrequested","sha256":"486ea46224d1bb4fb680f34f7c9ad96a8f24ec88be73ea8e5a6c65260e9cb8a7"},{"contentType":"application/octet-stream","disposition":"attached","filename":"demo_146987645346416845132.docx.lrf","md5":"5eb63bbbe01eeed093cb22bb8f5acdc3","oContentType":"application/vnd.openxmlformats-officedocument.wordprocessingml.document","sandboxStatus":"notrequested","sha256":"b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9"}],"messageSize":52944,"messageTime":"2025-11-18T16:45:05.000000Z","parentEid":"12365","parentName":"QA Test Account - example.net","phishScore":0,"quarantineRule":"spam","recipient":["alex@example.org"],"replyToAddress":"","sender":"test@example.org","senderIP":"1.128.0.1","spamScore":0,"stackName":"us3","subject":"attachment threat","threatsInfoMap":[{"classification":"spam","threat":"ab4a368d0a65467ad6177ec6ae407f83d8e046ef34113fd89a2c7dd182e57c8e","threatId":"ABCD1234-1234-5678-ABEF-80123456789D","threatStatus":"active","threatTime":"2025-11-18T06:47:26.915Z","threatType":"attachment"}],"toAddresses":["bob@example.org"],"xmailer":""} 
+{"event_type":"messages_blocked","GUID":"PE10US317634483018F4D6V464S6V46S5Iuh6KWTOOjEJV01","completelyRewritten":"na","customerEid":"1234567","customerName":"Plan ABC","fromAddress":"john@example.com","headerFrom":"alice@example.com","impostorScore":70,"malwareScore":80,"messageDetailsUrl":"https://us3.proofpointessentials.com/index01.php?mod_id=13&mod_option=logitem&type=message_details&e_id=1234567&k=k1&payload=jsdvdfdfbdfbivugjkaegklmfa5dhta79hrg6dsab6nydtfjgn4ryt46sgdfvwetsr4dgf6earsg64qhea64rg64wv6s4hf65bsr68td4hfb68rts4dfh654brs6zd5s4dg6ba5z41r6hs5a4zd165dtu4h1j65nr1bgdf6g6s8d6fhg","messageID":"<20251118064504.GA125698@m1234567.ppops.net>","messageParts":[{"contentType":"text/html","disposition":"inline","filename":"text.html","md5":"7d793037a0760186574b0282f2f435e7","oContentType":"text/html","sandboxStatus":"notrequested","sha256":"486ea46224d1bb4fb680f34f7c9ad96a8f24ec88be73ea8e5a6c65260e9cb8a7"},{"contentType":"application/octet-stream","disposition":"attached","filename":"demo_146987645346416845132.docx.lrf","md5":"5eb63bbbe01eeed093cb22bb8f5acdc3","oContentType":"application/vnd.openxmlformats-officedocument.wordprocessingml.document","sandboxStatus":"notrequested","sha256":"b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9"}],"messageSize":52944,"messageTime":"2025-11-19T16:45:05.000000Z","parentEid":"12365","parentName":"QA Test Account - example.net","phishScore":0,"quarantineRule":"PHish Detection","recipient":["alex@example.org"],"replyToAddress":"","sender":"support@example.org","senderIP":"1.128.0.1","spamScore":0,"stackName":"us3","subject":"attachment threat","threatsInfoMap":[{"classification":"spam","threat":"ab4a368d0a65467ad6177ec6ae407f83d8e046ef34113fd89a2c7dd182e57c8e","threatId":"ABCD1234-1234-5678-ABEF-80123456789D","threatStatus":"active","threatTime":"2025-11-18T06:47:26.915Z","threatType":"attachment"}],"toAddresses":["bob@example.org"],"xmailer":""} 
+{"event_type":"messages_delivered","GUID":"GBCJHVbvfdjHIVBDBbliuvsvoehfb64V9SFgvuvhVUYVbi-abcd","completelyRewritten":"true","customerEid":"1234567","customerName":"Customer 1","fromAddress":"not_a_badguy@example.com","headerFrom":"not_a_badguy@example.com","impostorScore":0,"malwareScore":0,"messageDetailsUrl":"https://us3.proofpointessentials.com/index01.php?mod_id=13&mod_option=logitem&type=message_details&e_id=1234567&k=k1&payload=4i7f2b8466a51c60523eef35e6295c91e9bhvdsdvabvadhv14684fbdf654b6dfba31g68t4h15badf65g4a4fd86b4trs65h1b6a53s4gde8a7sthgbaf6dg4v6aer8d7g46v5adr4fgv86aw4zs9f68b4y6j84nuy64ko6iu54kyjghf6ga54s6rzhxjtuf45jhn1b6svd5s4gh68mu5yf4ihj86h45srbd6g6","messageID":"<20251118073503.GA12345@m1234567.ppops.net>","messageParts":[{"contentType":"text/html","disposition":"inline","filename":"text.html","md5":"5d41402abc4b2a76b9719d911017c592","oContentType":"text/html","sandboxStatus":"notrequested","sha256":"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"}],"messageSize":2319,"messageTime":"2025-11-18T07:35:04.000000Z","parentEid":"56890","parentName":"QA Test Account - example.net","phishScore":0,"quarantineRule":"N/A","recipient":["qa@example.org"],"replyToAddress":"","sender":"www-data@example.com","senderIP":"175.16.199.1","spamScore":0,"stackName":"us3","subject":"URL threat","threatsInfoMap":[{"classification":"malware","threat":"https://example.com/files/demo_1234567890.docx","threatId":"6abcdef4-1234-5678-9012-dabcdef12314","threatStatus":"active","threatTime":"2025-11-18T07:37:18Z","threatType":"URL"}],"toAddresses":["qa@example.org"],"xmailer":""} +{"event_type":"messages_delivered","GUID":"GBCJHVbvfdjHIVsvoehfb64V9SFgvuvhVUYVbi-abcd","completelyRewritten":"true","customerEid":"1235567","customerName":"Customer 
4","fromAddress":"devil@example.com","headerFrom":"not_a_badguy@example.com","impostorScore":30,"malwareScore":40,"messageDetailsUrl":"https://us3.proofpointessentials.com/index01.php?mod_id=13&mod_option=logitem&type=message_details&e_id=1235567&k=k1&payload=4i7dfvfdvf2b8466a51c60523eef35e6295c91e9bhvdsdvabvadhv14684fbdf654b6dfba31g68t4h15badf65g4a4fd86b4trs65h1b6a53s4gde8a7sthgbaf6dg4v6aer8d7g46v5adr4fgv86aw4zs9f68b4y6j84nuy64ko6iu54kyjghf6ga54s6rzhxjtuf45jhn1b6svd5s4gh68mu5yf4ihj86h45srbd6g6","messageID":"<20251118073503.GA12345@m1235567.ppops.net>","messageParts":[{"contentType":"text/html","disposition":"inline","filename":"text.html","md5":"5d41402abc4b2a76b9719d911017c592","oContentType":"text/html","sandboxStatus":"notrequested","sha256":"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"}],"messageSize":2319,"messageTime":"2025-11-19T09:35:04.000000Z","parentEid":"56890","parentName":"QA Test Account - example.net","phishScore":0,"quarantineRule":"N/A","recipient":["support@example.com"],"replyToAddress":"","sender":"www-data@example.com","senderIP":"1.128.0.2","spamScore":0,"stackName":"us3","subject":"URL threat","threatsInfoMap":[{"classification":"toad","threat":"https://example.com/files/demo_1234567890.docx","threatId":"6abcdef4-1234-5678-9012-dabcdef12314","threatStatus":"active","threatTime":"2025-11-18T07:37:18Z","threatType":"URL"}],"toAddresses":["qa@example.org"],"xmailer":""} +{"event_type":"messages_delivered","GUID":"GBCJHVbvfdjHIVBDBbliuvsvojsdvnlaehfb64V9SFgvuvhVUYVbi-abcd","completelyRewritten":"true","customerEid":"1235567","customerName":"Customer 
4","fromAddress":"devil@example.com","headerFrom":"not_a_badguy@example.com","impostorScore":20,"malwareScore":30,"messageDetailsUrl":"https://us3.proofpointessentials.com/index01.php?mod_id=13&mod_option=logitem&type=message_details&e_id=1235567&k=k1&payload=4i7ffvdf2b8466a51c60523eef35e6295c91e9bhvdsdvabvadhv14684fbdf654b6dfba31g68t4h15badf65g4a4fd86b4trs65h1b6a53s4gde8a7sthgbaf6dg4v6aer8d7g46v5adr4fgv86aw4zs9f68b4y6j84nuy64ko6iu54kyjghf6ga54s6rzhxjtuf45jhn1b6svd5s4gh68mu5yf4ihj86h45srbd6g6","messageID":"<20251118073503.GA12345@m1235567.ppops.net>","messageParts":[{"contentType":"text/html","disposition":"inline","filename":"text.html","md5":"5d41402abc4b2a76b9719d911017c592","oContentType":"text/html","sandboxStatus":"notrequested","sha256":"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"}],"messageSize":2319,"messageTime":"2025-11-18T09:35:04.000000Z","parentEid":"56890","parentName":"QA Test Account - example.net","phishScore":0,"quarantineRule":"N/A","recipient":["test@example.org"],"replyToAddress":"","sender":"www-data@example.com","senderIP":"175.16.199.1","spamScore":0,"stackName":"us3","subject":"URL threat","threatsInfoMap":[{"classification":"phish","threat":"https://example.com/files/demo_1234567890.docx","threatId":"6abcdef4-1234-5678-9012-dabcdef12314","threatStatus":"active","threatTime":"2025-11-18T07:37:18Z","threatType":"URL"}],"toAddresses":["qa@example.org"],"xmailer":""} diff --git a/packages/proofpoint_essentials/data_stream/threat/_dev/test/pipeline/test-threat.log-expected.json b/packages/proofpoint_essentials/data_stream/threat/_dev/test/pipeline/test-threat.log-expected.json new file mode 100644 index 00000000000..dae82835ddf --- /dev/null +++ b/packages/proofpoint_essentials/data_stream/threat/_dev/test/pipeline/test-threat.log-expected.json 
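Review bot: the test-threat.log fixture never exercises several fields that fields.yml declares: every message event has `"replyToAddress":""` and `"xmailer":""`, none carries `headerReplyTo`, `ccAddresses` or a non-empty `threatsInfoMap[].actors`, so `reply_to_address`, `xmailer`, `header_reply_to`, `cc_addresses` and the nested `actors` mapping get no pipeline coverage. Adding one blocked and one delivered sample with those populated would catch a mis-renamed key before release. Two smaller points from the same lines: the vendor `event_type` values are the plural `messages_blocked` / `messages_delivered` while the target data streams are `message_blocked` / `message_delivered`, so the routing logic must translate rather than pass the value through; and `messageTime` uses six fractional digits (`"2025-11-18T06:45:05.000000Z"`) whereas `threatTime` appears with three (`...26.915Z`) and with none (`"2025-11-18T07:37:18Z"`), so the date parsing must accept all three shapes.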
@@ -0,0 +1,1757 @@ +{ + "expected": [ + { + "@timestamp": "2022-03-21T07:52:11Z", + "data_stream": { + "dataset": "proofpoint_essentials.clicks_blocked", + "namespace": "default", + "type": "logs" + }, + "destination": { + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.112" + }, + "ecs": { + "version": "9.2.0" + }, + "email": { + "from": { + "address": [ + "abc123@example.com" + ] + }, + "message_id": "12345678912345.12345.mail@example.com", + "sender": { + "address": "abc123@example.com" + }, + "to": { + "address": [ + "123abc@example.com" + ] + } + }, + "event": { + "action": "denied", + "category": [ + "email" + ], + "id": "8760d0fc-1234-1234-1234-2exxfxxxxx1xd", + "kind": "event", + "original": "{\"event_type\":\"clicks_blocked\",\"url\":\"https://www.example.com/?name=john\",\"classification\":\"phish\",\"clickTime\":\"2022-03-21T07:52:11.000Z\",\"threatTime\":\"2022-03-18T14:54:20.000Z\",\"userAgent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 Edg/99.0.1150.39\",\"id\":\"8760d0fc-1234-1234-1234-2exxfxxxxx1xd\",\"clickIP\":\"89.160.20.112\",\"sender\":\"abc123@example.com\",\"recipient\":\"123abc@example.com\",\"senderIP\":\"81.2.69.143\",\"GUID\":\"x11xxxx1-12f9-111x-x12x-1x1x123456xx\",\"threatID\":\"3xx97xx852c66a7xx761450xxxxxx9f4ffaxxxxxxxxxxxxxxx7a76481xx\",\"threatStatus\":\"active\",\"messageID\":\"12345678912345.12345.mail@example.com\"}", + "type": [ + "info" + ] + }, + "observer": { + "product": "Proofpoint Essentials", + "vendor": "Proofpoint" + }, + "proofpoint_essentials": { + "threat": { + "classification": "phish", + "click_time": "2022-03-21T07:52:11.000Z", + "event_type": "clicks_blocked", + "guid": "x11xxxx1-12f9-111x-x12x-1x1x123456xx", + "id": 
"8760d0fc-1234-1234-1234-2exxfxxxxx1xd", + "threat_id": "3xx97xx852c66a7xx761450xxxxxx9f4ffaxxxxxxxxxxxxxxx7a76481xx", + "threat_status": "active", + "threat_time": "2022-03-18T14:54:20.000Z", + "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 Edg/99.0.1150.39" + } + }, + "related": { + "ip": [ + "81.2.69.143", + "89.160.20.112" + ], + "user": [ + "abc123@example.com" + ] + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.143" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "last_seen": "2022-03-18T14:54:20.000Z", + "name": "https://www.example.com/?name=john", + "type": "url", + "url": { + "original": "https://www.example.com/?name=john" + } + } + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Edge", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 Edg/99.0.1150.39", + "os": { + "full": "Windows 10", + "name": "Windows", + "version": "10" + }, + "version": "99.0.1150.39" + } + }, + { + "@timestamp": "2022-03-30T07:22:52Z", + "data_stream": { + "dataset": "proofpoint_essentials.clicks_blocked", + "namespace": "default", + "type": "logs" + }, + "destination": { + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.112" + }, + "ecs": { + "version": "9.2.0" + }, + "email": { + "from": { + "address": [ + "abc123@example.com" + ] + }, + "message_id": "12345678912345.12345.mail@example.com", + "sender": { + 
"address": "abc123@example.com" + }, + "to": { + "address": [ + "bd5da771530b11830e6dfd25838b0240@example.com" + ] + } + }, + "event": { + "action": "denied", + "category": [ + "email" + ], + "id": "b80af74a-1234-1234-1234-43xdxxbxxxxx6", + "kind": "event", + "original": "{\"event_type\":\"clicks_blocked\",\"url\":\"http://www.example.com/public/download-shares/wwwxxxyyyzzz12345\",\"classification\":\"phish\",\"clickTime\":\"2022-03-30T07:22:52.000Z\",\"threatTime\":\"2022-03-07T01:21:41.000Z\",\"userAgent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.60 Safari/537.36\",\"id\":\"b80af74a-1234-1234-1234-43xdxxbxxxxx6\",\"clickIP\":\"89.160.20.112\",\"sender\":\"abc123@example.com\",\"recipient\":\"bd5da771530b11830e6dfd25838b0240@example.com\",\"senderIP\":\"81.2.69.143\",\"GUID\":\"bXkXXUrXAXVXWXGXxXrXAXXX-XXXH\",\"threatID\":\"fdxxxxxxxxxxxcc34aff1aefxbx3xx7xb7xfxcxx1xxxxxxxx98780b5xxxexbx5xc32c\",\"threatStatus\":\"active\",\"messageID\":\"12345678912345.12345.mail@example.com\"}", + "type": [ + "info" + ] + }, + "observer": { + "product": "Proofpoint Essentials", + "vendor": "Proofpoint" + }, + "proofpoint_essentials": { + "threat": { + "classification": "phish", + "click_time": "2022-03-30T07:22:52.000Z", + "event_type": "clicks_blocked", + "guid": "bXkXXUrXAXVXWXGXxXrXAXXX-XXXH", + "id": "b80af74a-1234-1234-1234-43xdxxbxxxxx6", + "threat_id": "fdxxxxxxxxxxxcc34aff1aefxbx3xx7xb7xfxcxx1xxxxxxxx98780b5xxxexbx5xc32c", + "threat_status": "active", + "threat_time": "2022-03-07T01:21:41.000Z", + "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.60 Safari/537.36" + } + }, + "related": { + "ip": [ + "81.2.69.143", + "89.160.20.112" + ], + "user": [ + "abc123@example.com" + ] + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 
51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.143" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "last_seen": "2022-03-07T01:21:41.000Z", + "name": "http://www.example.com/public/download-shares/wwwxxxyyyzzz12345", + "type": "url", + "url": { + "original": "http://www.example.com/public/download-shares/wwwxxxyyyzzz12345" + } + } + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Chrome", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.60 Safari/537.36", + "os": { + "full": "Windows 10", + "name": "Windows", + "version": "10" + }, + "version": "100.0.4896.60" + } + }, + { + "@timestamp": "2025-03-21T07:52:11Z", + "data_stream": { + "dataset": "proofpoint_essentials.clicks_blocked", + "namespace": "default", + "type": "logs" + }, + "destination": { + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.112" + }, + "ecs": { + "version": "9.2.0" + }, + "email": { + "from": { + "address": [ + "test@example.com" + ] + }, + "message_id": "12345678912345.12345.mail@example.com", + "sender": { + "address": "test@example.com" + }, + "to": { + "address": [ + "badguy@example.com" + ] + } + }, + "event": { + "action": "denied", + "category": [ + "email" + ], + "id": "8760d0fc-1234-5678-1234-2exxfxxxxx1xd", + "kind": "event", + "original": "{\"event_type\":\"clicks_blocked\",\"url\":\"https://www.example.com/?name=abcd\",\"classification\":\"phish\",\"clickTime\":\"2025-03-21T07:52:11.000Z\",\"threatTime\":\"2025-03-18T14:54:20.000Z\",\"userAgent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 
Edg/99.0.1150.39\",\"id\":\"8760d0fc-1234-5678-1234-2exxfxxxxx1xd\",\"clickIP\":\"89.160.20.112\",\"sender\":\"test@example.com\",\"recipient\":\"badguy@example.com\",\"senderIP\":\"1.128.0.1\",\"GUID\":\"x11xxxx1-12f9-111x-x12x-1x1x123456xx\",\"threatID\":\"3xx97xx852c66a7xx761450xxxxxx9f4ffaxxxxxxxxxxxxxxx7a76481xx\",\"threatStatus\":\"active\",\"messageID\":\"12345678912345.12345.mail@example.com\"}", + "type": [ + "info" + ] + }, + "observer": { + "product": "Proofpoint Essentials", + "vendor": "Proofpoint" + }, + "proofpoint_essentials": { + "threat": { + "classification": "phish", + "click_time": "2025-03-21T07:52:11.000Z", + "event_type": "clicks_blocked", + "guid": "x11xxxx1-12f9-111x-x12x-1x1x123456xx", + "id": "8760d0fc-1234-5678-1234-2exxfxxxxx1xd", + "threat_id": "3xx97xx852c66a7xx761450xxxxxx9f4ffaxxxxxxxxxxxxxxx7a76481xx", + "threat_status": "active", + "threat_time": "2025-03-18T14:54:20.000Z", + "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 Edg/99.0.1150.39" + } + }, + "related": { + "ip": [ + "1.128.0.1", + "89.160.20.112" + ], + "user": [ + "test@example.com" + ] + }, + "source": { + "ip": "1.128.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "last_seen": "2025-03-18T14:54:20.000Z", + "name": "https://www.example.com/?name=abcd", + "type": "url", + "url": { + "original": "https://www.example.com/?name=abcd" + } + } + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Edge", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 Edg/99.0.1150.39", + "os": { + "full": "Windows 10", + "name": "Windows", + "version": "10" + }, + "version": "99.0.1150.39" + } + }, + { + "@timestamp": "2025-03-30T07:22:52Z", + "data_stream": { + "dataset": "proofpoint_essentials.clicks_blocked", + "namespace": "default", + "type": "logs" + }, + 
"destination": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.2" + }, + "ecs": { + "version": "9.2.0" + }, + "email": { + "from": { + "address": [ + "manager@example.com" + ] + }, + "message_id": "12345678912345.12345.mail@example.com", + "sender": { + "address": "manager@example.com" + }, + "to": { + "address": [ + "john@example.com" + ] + } + }, + "event": { + "action": "denied", + "category": [ + "email" + ], + "id": "b80af74a-1234-adfe-1234-43xdxxbxxxxx6", + "kind": "event", + "original": "{\"event_type\":\"clicks_blocked\",\"url\":\"http://www.example.com/public/download-shares/wwwxxxskvdljyyyzzz12345\",\"classification\":\"malware\",\"clickTime\":\"2025-03-30T07:22:52.000Z\",\"threatTime\":\"2025-03-07T01:21:41.000Z\",\"userAgent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.60 Safari/537.36\",\"id\":\"b80af74a-1234-adfe-1234-43xdxxbxxxxx6\",\"clickIP\":\"175.16.199.2\",\"sender\":\"manager@example.com\",\"recipient\":\"john@example.com\",\"senderIP\":\"81.2.69.143\",\"GUID\":\"bXkXXUrXAXVXWXGXxXrXAXXX-XXXH\",\"threatID\":\"fdxxxxxxxxxxxcc34aff1aefxbx3xx7xb7xfxcxx1xxxxxxxx98780b5xxxexbx5xc32c\",\"threatStatus\":\"falsepositive\",\"messageID\":\"12345678912345.12345.mail@example.com\"}", + "type": [ + "info" + ] + }, + "observer": { + "product": "Proofpoint Essentials", + "vendor": "Proofpoint" + }, + "proofpoint_essentials": { + "threat": { + "classification": "malware", + "click_time": "2025-03-30T07:22:52.000Z", + "event_type": "clicks_blocked", + "guid": "bXkXXUrXAXVXWXGXxXrXAXXX-XXXH", + "id": "b80af74a-1234-adfe-1234-43xdxxbxxxxx6", + "threat_id": "fdxxxxxxxxxxxcc34aff1aefxbx3xx7xb7xfxcxx1xxxxxxxx98780b5xxxexbx5xc32c", + "threat_status": "falsepositive", + "threat_time": 
"2025-03-07T01:21:41.000Z", + "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.60 Safari/537.36" + } + }, + "related": { + "ip": [ + "81.2.69.143", + "175.16.199.2" + ], + "user": [ + "manager@example.com" + ] + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.143" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "last_seen": "2025-03-07T01:21:41.000Z", + "name": "http://www.example.com/public/download-shares/wwwxxxskvdljyyyzzz12345", + "type": "url", + "url": { + "original": "http://www.example.com/public/download-shares/wwwxxxskvdljyyyzzz12345" + } + } + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Chrome", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.60 Safari/537.36", + "os": { + "full": "Windows 10", + "name": "Windows", + "version": "10" + }, + "version": "100.0.4896.60" + } + }, + { + "@timestamp": "2022-03-30T10:51:53Z", + "data_stream": { + "dataset": "proofpoint_essentials.clicks_permitted", + "namespace": "default", + "type": "logs" + }, + "destination": { + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.112" + }, + "ecs": { + "version": "9.2.0" + }, + "email": { + "from": { + "address": [ + "abc123@example.com" + ] + }, + "message_id": "12345678912345.12345.mail@example.com", + "sender": { + "address": "abc123@example.com" + }, + "to": { + "address": [ + "exxxxxxx8x2xxxx2x6x6xxxxx6xxxx5@example.com" + ] + } + }, + 
"event": { + "action": "allowed", + "category": [ + "email" + ], + "id": "90dd54bc-1234-1234-1234-cxxxxxxxxx4", + "kind": "event", + "original": "{\"event_type\":\"clicks_permitted\",\"url\":\"http://example.com/ixxxx464xxx6x6xxd_cXxxxT_kxxTuQx_xIhxlx2qxxnxvxPxn\",\"classification\":\"spam\",\"clickTime\":\"2022-03-30T10:51:53.000Z\",\"threatTime\":\"2022-02-26T00:36:25.000Z\",\"userAgent\":\"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36\",\"id\":\"90dd54bc-1234-1234-1234-cxxxxxxxxx4\",\"clickIP\":\"89.160.20.112\",\"sender\":\"abc123@example.com\",\"recipient\":\"exxxxxxx8x2xxxx2x6x6xxxxx6xxxx5@example.com\",\"senderIP\":\"81.2.69.143\",\"GUID\":\"QUWXXxXXJHlYXRXXXXVXUXXk\",\"threatID\":\"xxxxxxbx1cxcxx0xcx5xxxxdx5xex8xbx7xxxeexxxxxxxx9\",\"threatStatus\":\"cleared\",\"messageID\":\"12345678912345.12345.mail@example.com\"}", + "type": [ + "info" + ] + }, + "observer": { + "product": "Proofpoint Essentials", + "vendor": "Proofpoint" + }, + "proofpoint_essentials": { + "threat": { + "classification": "spam", + "click_time": "2022-03-30T10:51:53.000Z", + "event_type": "clicks_permitted", + "guid": "QUWXXxXXJHlYXRXXXXVXUXXk", + "id": "90dd54bc-1234-1234-1234-cxxxxxxxxx4", + "threat_id": "xxxxxxbx1cxcxx0xcx5xxxxdx5xex8xbx7xxxeexxxxxxxx9", + "threat_status": "cleared", + "threat_time": "2022-02-26T00:36:25.000Z", + "user_agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36" + } + }, + "related": { + "ip": [ + "81.2.69.143", + "89.160.20.112" + ], + "user": [ + "abc123@example.com" + ] + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.143" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { 
+ "indicator": { + "last_seen": "2022-02-26T00:36:25.000Z", + "name": "http://example.com/ixxxx464xxx6x6xxd_cXxxxT_kxxTuQx_xIhxlx2qxxnxvxPxn", + "type": "url", + "url": { + "original": "http://example.com/ixxxx464xxx6x6xxd_cXxxxT_kxxTuQx_xIhxlx2qxxnxvxPxn" + } + } + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Chrome", + "original": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36", + "os": { + "full": "Windows 7", + "name": "Windows", + "version": "7" + }, + "version": "72.0.3626.109" + } + }, + { + "@timestamp": "2022-03-30T00:56:14Z", + "data_stream": { + "dataset": "proofpoint_essentials.clicks_permitted", + "namespace": "default", + "type": "logs" + }, + "destination": { + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.112" + }, + "ecs": { + "version": "9.2.0" + }, + "email": { + "from": { + "address": [ + "abc123@example.com" + ] + }, + "message_id": "12345678912345.12345.mail@example.com", + "sender": { + "address": "abc123@example.com" + }, + "to": { + "address": [ + "f3xxxx0x2xcx3xaxbxcx2xaxxxcxxxx2@example.com" + ] + } + }, + "event": { + "action": "allowed", + "category": [ + "email" + ], + "id": "4b4ae949-1234-1234-1234-6axxxxx9xxxxx3", + "kind": "event", + "original": "{\"event_type\":\"clicks_permitted\",\"url\":\"https://xyz123456789.support.com#xyz@example.com\",\"classification\":\"phish\",\"clickTime\":\"2022-03-30T00:56:14.000Z\",\"threatTime\":\"2022-03-30T00:53:43.000Z\",\"userAgent\":\"Mozilla/5.0 (Linux; Android 12; SM-N976U) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.88 Mobile 
Safari/537.36\",\"id\":\"4b4ae949-1234-1234-1234-6axxxxx9xxxxx3\",\"clickIP\":\"89.160.20.112\",\"sender\":\"abc123@example.com\",\"recipient\":\"f3xxxx0x2xcx3xaxbxcx2xaxxxcxxxx2@example.com\",\"senderIP\":\"81.2.69.143\",\"GUID\":\"VXXhXiXyXBXlXdXXfXXXXXWXLXXX\",\"threatID\":\"xxxdxxdx6x7x6xxxxx5xxx837ex4x4xcx8xcxxxexxx2xxxxxx5\",\"threatStatus\":\"active\",\"messageID\":\"12345678912345.12345.mail@example.com\"}", + "type": [ + "info" + ] + }, + "observer": { + "product": "Proofpoint Essentials", + "vendor": "Proofpoint" + }, + "proofpoint_essentials": { + "threat": { + "classification": "phish", + "click_time": "2022-03-30T00:56:14.000Z", + "event_type": "clicks_permitted", + "guid": "VXXhXiXyXBXlXdXXfXXXXXWXLXXX", + "id": "4b4ae949-1234-1234-1234-6axxxxx9xxxxx3", + "threat_id": "xxxdxxdx6x7x6xxxxx5xxx837ex4x4xcx8xcxxxexxx2xxxxxx5", + "threat_status": "active", + "threat_time": "2022-03-30T00:53:43.000Z", + "user_agent": "Mozilla/5.0 (Linux; Android 12; SM-N976U) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.88 Mobile Safari/537.36" + } + }, + "related": { + "ip": [ + "81.2.69.143", + "89.160.20.112" + ], + "user": [ + "abc123@example.com" + ] + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.143" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "last_seen": "2022-03-30T00:53:43.000Z", + "name": "https://xyz123456789.support.com#xyz@example.com", + "type": "url", + "url": { + "original": "https://xyz123456789.support.com#xyz@example.com" + } + } + }, + "user_agent": { + "device": { + "name": "Samsung SM-N976U" + }, + "name": "Chrome Mobile", + "original": "Mozilla/5.0 (Linux; Android 12; SM-N976U) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.88 Mobile Safari/537.36", + "os": { 
+ "full": "Android 12", + "name": "Android", + "version": "12" + }, + "version": "99.0.4844.88" + } + }, + { + "@timestamp": "2025-03-30T10:51:53Z", + "data_stream": { + "dataset": "proofpoint_essentials.clicks_permitted", + "namespace": "default", + "type": "logs" + }, + "destination": { + "ip": "1.128.0.1" + }, + "ecs": { + "version": "9.2.0" + }, + "email": { + "from": { + "address": [ + "qa@example.com" + ] + }, + "message_id": "12345678912345.12345.mail@example.com", + "sender": { + "address": "qa@example.com" + }, + "to": { + "address": [ + "sony@example.com" + ] + } + }, + "event": { + "action": "allowed", + "category": [ + "email" + ], + "id": "90dd54bc-acdf-1234-1234-cxxxxxxxxx4", + "kind": "event", + "original": "{\"event_type\":\"clicks_permitted\",\"url\":\"http://example.com/ixxxx464xxx6x6xxd_cXxxxT_kxxTuQx_xsjbvkajbsdffIhxlx2qxxnxvxPxn\",\"classification\":\"spam\",\"clickTime\":\"2025-03-30T10:51:53.000Z\",\"threatTime\":\"2025-02-26T00:36:25.000Z\",\"userAgent\":\"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36\",\"id\":\"90dd54bc-acdf-1234-1234-cxxxxxxxxx4\",\"clickIP\":\"1.128.0.1\",\"sender\":\"qa@example.com\",\"recipient\":\"sony@example.com\",\"senderIP\":\"81.2.69.143\",\"GUID\":\"QUWXXxXXJHlYXRXXXXVXUXXk\",\"threatID\":\"xxxxxxbx1cxcxx0xcx5xxxxdx5xex8xbx7xxxeexxxxxxxx9\",\"threatStatus\":\"falsepositive\",\"messageID\":\"12345678912345.12345.mail@example.com\"}", + "type": [ + "info" + ] + }, + "observer": { + "product": "Proofpoint Essentials", + "vendor": "Proofpoint" + }, + "proofpoint_essentials": { + "threat": { + "classification": "spam", + "click_time": "2025-03-30T10:51:53.000Z", + "event_type": "clicks_permitted", + "guid": "QUWXXxXXJHlYXRXXXXVXUXXk", + "id": "90dd54bc-acdf-1234-1234-cxxxxxxxxx4", + "threat_id": "xxxxxxbx1cxcxx0xcx5xxxxdx5xex8xbx7xxxeexxxxxxxx9", + "threat_status": "falsepositive", + "threat_time": "2025-02-26T00:36:25.000Z", + "user_agent": 
"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36" + } + }, + "related": { + "ip": [ + "81.2.69.143", + "1.128.0.1" + ], + "user": [ + "qa@example.com" + ] + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.143" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "last_seen": "2025-02-26T00:36:25.000Z", + "name": "http://example.com/ixxxx464xxx6x6xxd_cXxxxT_kxxTuQx_xsjbvkajbsdffIhxlx2qxxnxvxPxn", + "type": "url", + "url": { + "original": "http://example.com/ixxxx464xxx6x6xxd_cXxxxT_kxxTuQx_xsjbvkajbsdffIhxlx2qxxnxvxPxn" + } + } + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Chrome", + "original": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36", + "os": { + "full": "Windows 7", + "name": "Windows", + "version": "7" + }, + "version": "72.0.3626.109" + } + }, + { + "@timestamp": "2025-03-30T00:56:14Z", + "data_stream": { + "dataset": "proofpoint_essentials.clicks_permitted", + "namespace": "default", + "type": "logs" + }, + "destination": { + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.112" + }, + "ecs": { + "version": "9.2.0" + }, + "email": { + "from": { + "address": [ + "support@example.com" + ] + }, + "message_id": "12345678912345.12345.mail@example.com", + "sender": { + "address": "support@example.com" + }, + "to": { + "address": [ + "f3xxxx0x2xcx3xaxbxcx2xaxxxcxxxx2@example.com" + ] + } + }, + "event": { + "action": 
"allowed", + "category": [ + "email" + ], + "id": "4b4ae949-1234-1234-abcd-6axxxdv9xxxxx3", + "kind": "event", + "original": "{\"event_type\":\"clicks_permitted\",\"url\":\"https://xyz123456789.support.com#xyz@example.com\",\"classification\":\"phish\",\"clickTime\":\"2025-03-30T00:56:14.000Z\",\"threatTime\":\"2025-03-30T00:53:43.000Z\",\"userAgent\":\"Mozilla/5.0 (Linux; Android 12; SM-N976U) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.88 Mobile Safari/537.36\",\"id\":\"4b4ae949-1234-1234-abcd-6axxxdv9xxxxx3\",\"clickIP\":\"89.160.20.112\",\"sender\":\"support@example.com\",\"recipient\":\"f3xxxx0x2xcx3xaxbxcx2xaxxxcxxxx2@example.com\",\"senderIP\":\"175.16.199.1\",\"GUID\":\"VXXhXiXyXBXlXdXXfXXXXXWXLXXX\",\"threatID\":\"xxxdxxdx6x7x6xxxxx5xxx837ex4x4xcx8xcxxxexxx2xxxxxx5\",\"threatStatus\":\"active\",\"messageID\":\"12345678912345.12345.mail@example.com\"}", + "type": [ + "info" + ] + }, + "observer": { + "product": "Proofpoint Essentials", + "vendor": "Proofpoint" + }, + "proofpoint_essentials": { + "threat": { + "classification": "phish", + "click_time": "2025-03-30T00:56:14.000Z", + "event_type": "clicks_permitted", + "guid": "VXXhXiXyXBXlXdXXfXXXXXWXLXXX", + "id": "4b4ae949-1234-1234-abcd-6axxxdv9xxxxx3", + "threat_id": "xxxdxxdx6x7x6xxxxx5xxx837ex4x4xcx8xcxxxexxx2xxxxxx5", + "threat_status": "active", + "threat_time": "2025-03-30T00:53:43.000Z", + "user_agent": "Mozilla/5.0 (Linux; Android 12; SM-N976U) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.88 Mobile Safari/537.36" + } + }, + "related": { + "ip": [ + "175.16.199.1", + "89.160.20.112" + ], + "user": [ + "support@example.com" + ] + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + 
"indicator": { + "last_seen": "2025-03-30T00:53:43.000Z", + "name": "https://xyz123456789.support.com#xyz@example.com", + "type": "url", + "url": { + "original": "https://xyz123456789.support.com#xyz@example.com" + } + } + }, + "user_agent": { + "device": { + "name": "Samsung SM-N976U" + }, + "name": "Chrome Mobile", + "original": "Mozilla/5.0 (Linux; Android 12; SM-N976U) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.88 Mobile Safari/537.36", + "os": { + "full": "Android 12", + "name": "Android", + "version": "12" + }, + "version": "99.0.4844.88" + } + }, + { + "@timestamp": "2025-11-18T06:47:26.915Z", + "data_stream": { + "dataset": "proofpoint_essentials.message_blocked", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "9.2.0" + }, + "email": { + "attachments": [ + { + "file": { + "hash": { + "md5": "5eb63bbbe01eeed093cb22bb8f5acdc3", + "sha256": "b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9" + }, + "mime_type": "application/octet-stream", + "name": "demo_146987645346416845132.docx.lrf" + } + } + ], + "from": { + "address": [ + "john@example.com" + ] + }, + "message_id": "20251118064504.GA125698@m1234567.ppops.net", + "sender": { + "address": "test@example.org" + }, + "subject": "attachment threat", + "to": { + "address": [ + "bob@example.org" + ] + } + }, + "event": { + "action": "denied", + "category": [ + "email" + ], + "id": "PE10US31763448305Iuh6KWTOOjEJV01", + "kind": "event", + "original": "{\"event_type\":\"messages_blocked\",\"GUID\":\"PE10US31763448305Iuh6KWTOOjEJV01\",\"completelyRewritten\":\"false\",\"customerEid\":\"1234567\",\"customerName\":\"Plan 
ABC\",\"fromAddress\":\"john@example.com\",\"headerFrom\":\"john@example.com\",\"impostorScore\":0,\"malwareScore\":0,\"messageDetailsUrl\":\"https://us3.proofpointessentials.com/index01.php?mod_id=13&mod_option=logitem&type=message_details&e_id=1234567&k=k1&payload=jsdbivugjkaegklmfa5dhta79hrg6dsab6nydtfjgn4ryt46sgdfvwetsr4dgf6earsg64qhea64rg64wv6s4hf65bsr68td4hfb68rts4dfh654brs6zd5s4dg6ba5z41r6hs5a4zd165dtu4h1j65nr1bgdf6g6s8d6fhg\",\"messageID\":\"<20251118064504.GA125698@m1234567.ppops.net>\",\"messageParts\":[{\"contentType\":\"text/html\",\"disposition\":\"inline\",\"filename\":\"text.html\",\"md5\":\"7d793037a0760186574b0282f2f435e7\",\"oContentType\":\"text/html\",\"sandboxStatus\":\"notrequested\",\"sha256\":\"486ea46224d1bb4fb680f34f7c9ad96a8f24ec88be73ea8e5a6c65260e9cb8a7\"},{\"contentType\":\"application/octet-stream\",\"disposition\":\"attached\",\"filename\":\"demo_146987645346416845132.docx.lrf\",\"md5\":\"5eb63bbbe01eeed093cb22bb8f5acdc3\",\"oContentType\":\"application/vnd.openxmlformats-officedocument.wordprocessingml.document\",\"sandboxStatus\":\"notrequested\",\"sha256\":\"b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9\"}],\"messageSize\":52944,\"messageTime\":\"2025-11-18T06:45:05.000000Z\",\"parentEid\":\"12365\",\"parentName\":\"QA Test Account - example.net\",\"phishScore\":0,\"quarantineRule\":\"malware\",\"recipient\":[\"bob@example.org\"],\"replyToAddress\":\"\",\"sender\":\"test@example.org\",\"senderIP\":\"1.128.0.1\",\"spamScore\":0,\"stackName\":\"us3\",\"subject\":\"attachment threat\",\"threatsInfoMap\":[{\"classification\":\"malware\",\"threat\":\"ab4a368d0a65467ad6177ec6ae407f83d8e046ef34113fd89a2c7dd182e57c8e\",\"threatId\":\"ABCD1234-1234-5678-ABEF-80123456789D\",\"threatStatus\":\"active\",\"threatTime\":\"2025-11-18T06:47:26.915Z\",\"threatType\":\"attachment\"}],\"toAddresses\":[\"bob@example.org\"],\"xmailer\":\"\"}", + "reference": 
"https://us3.proofpointessentials.com/index01.php?mod_id=13&mod_option=logitem&type=message_details&e_id=1234567&k=k1&payload=jsdbivugjkaegklmfa5dhta79hrg6dsab6nydtfjgn4ryt46sgdfvwetsr4dgf6earsg64qhea64rg64wv6s4hf65bsr68td4hfb68rts4dfh654brs6zd5s4dg6ba5z41r6hs5a4zd165dtu4h1j65nr1bgdf6g6s8d6fhg", + "type": [ + "info" + ] + }, + "observer": { + "product": "Proofpoint Essentials", + "vendor": "Proofpoint" + }, + "proofpoint_essentials": { + "threat": { + "completely_rewritten": "false", + "customer_eid": "1234567", + "customer_name": "Plan ABC", + "event_type": "messages_blocked", + "guid": "PE10US31763448305Iuh6KWTOOjEJV01", + "header_from": "john@example.com", + "impostor_score": 0, + "malware_score": 0, + "message_parts": [ + { + "content_type": "text/html", + "disposition": "inline", + "filename": "text.html", + "md5": "7d793037a0760186574b0282f2f435e7", + "o_content_type": "text/html", + "sandbox_status": "notrequested", + "sha256": "486ea46224d1bb4fb680f34f7c9ad96a8f24ec88be73ea8e5a6c65260e9cb8a7" + }, + { + "content_type": "application/octet-stream", + "disposition": "attached", + "filename": "demo_146987645346416845132.docx.lrf", + "md5": "5eb63bbbe01eeed093cb22bb8f5acdc3", + "o_content_type": "application/vnd.openxmlformats-officedocument.wordprocessingml.document", + "sandbox_status": "notrequested", + "sha256": "b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9" + } + ], + "message_size": 52944, + "message_time": "2025-11-18T06:45:05.000Z", + "parent_eid": "12365", + "parent_name": "QA Test Account - example.net", + "phish_score": 0, + "spam_score": 0, + "stack_name": "us3", + "threats_info_map": [ + { + "classification": "malware", + "threat": "ab4a368d0a65467ad6177ec6ae407f83d8e046ef34113fd89a2c7dd182e57c8e", + "threat_id": "ABCD1234-1234-5678-ABEF-80123456789D", + "threat_status": "active", + "threat_time": "2025-11-18T06:47:26.915Z", + "threat_type": "attachment" + } + ] + } + }, + "related": { + "hash": [ + 
"ab4a368d0a65467ad6177ec6ae407f83d8e046ef34113fd89a2c7dd182e57c8e", + "7d793037a0760186574b0282f2f435e7", + "5eb63bbbe01eeed093cb22bb8f5acdc3", + "486ea46224d1bb4fb680f34f7c9ad96a8f24ec88be73ea8e5a6c65260e9cb8a7", + "b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9" + ], + "ip": [ + "1.128.0.1" + ], + "user": [ + "john@example.com", + "test@example.org", + "bob@example.org" + ] + }, + "rule": { + "name": "malware" + }, + "source": { + "ip": "1.128.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "name": [ + "ab4a368d0a65467ad6177ec6ae407f83d8e046ef34113fd89a2c7dd182e57c8e" + ] + } + } + }, + { + "@timestamp": "2025-11-18T16:45:05Z", + "data_stream": { + "dataset": "proofpoint_essentials.message_blocked", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "9.2.0" + }, + "email": { + "attachments": [ + { + "file": { + "hash": { + "md5": "5eb63bbbe01eeed093cb22bb8f5acdc3", + "sha256": "b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9" + }, + "mime_type": "application/octet-stream", + "name": "demo_146987645346416845132.docx.lrf" + } + } + ], + "from": { + "address": [ + "john@example.com" + ] + }, + "message_id": "20251118064504.GA125698@m1235567.ppops.net", + "sender": { + "address": "test@example.org" + }, + "subject": "attachment threat", + "to": { + "address": [ + "alex@example.org", + "bob@example.org" + ] + } + }, + "event": { + "action": "denied", + "category": [ + "email" + ], + "id": "nadjkbgajgakjnvjkrgnaergevVFHJBvyujb", + "kind": "event", + "original": "{\"event_type\":\"messages_blocked\",\"GUID\":\"nadjkbgajgakjnvjkrgnaergevVFHJBvyujb\",\"completelyRewritten\":\"false\",\"customerEid\":\"1235567\",\"customerName\":\"Customer 
4\",\"fromAddress\":\"john@example.com\",\"headerFrom\":\"alice@example.com\",\"impostorScore\":10,\"malwareScore\":30,\"messageDetailsUrl\":\"https://us3.proofpointessentials.com/index01.php?mod_id=13&mod_option=logitem&type=message_details&e_id=1235567&k=k1&payload=jsdbivugjkaegklmffdvdfa5dhta79hrg6dsab6nydtfjgn4ryt46sgdfvwetsr4dgf6earsg64qhea64rg64wv6s4hf65bsr68td4hfb68rts4dfh654brs6zd5s4dg6ba5z41r6hs5a4zd165dtu4h1j65nr1bgdf6g6s8d6fhg\",\"messageID\":\"<20251118064504.GA125698@m1235567.ppops.net>\",\"messageParts\":[{\"contentType\":\"text/html\",\"disposition\":\"inline\",\"filename\":\"text.html\",\"md5\":\"7d793037a0760186574b0282f2f435e7\",\"oContentType\":\"text/html\",\"sandboxStatus\":\"notrequested\",\"sha256\":\"486ea46224d1bb4fb680f34f7c9ad96a8f24ec88be73ea8e5a6c65260e9cb8a7\"},{\"contentType\":\"application/octet-stream\",\"disposition\":\"attached\",\"filename\":\"demo_146987645346416845132.docx.lrf\",\"md5\":\"5eb63bbbe01eeed093cb22bb8f5acdc3\",\"oContentType\":\"application/vnd.openxmlformats-officedocument.wordprocessingml.document\",\"sandboxStatus\":\"notrequested\",\"sha256\":\"b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9\"}],\"messageSize\":52944,\"messageTime\":\"2025-11-18T16:45:05.000000Z\",\"parentEid\":\"12365\",\"parentName\":\"QA Test Account - example.net\",\"phishScore\":0,\"quarantineRule\":\"spam\",\"recipient\":[\"alex@example.org\"],\"replyToAddress\":\"\",\"sender\":\"test@example.org\",\"senderIP\":\"1.128.0.1\",\"spamScore\":0,\"stackName\":\"us3\",\"subject\":\"attachment threat\",\"threatsInfoMap\":[{\"classification\":\"spam\",\"threat\":\"ab4a368d0a65467ad6177ec6ae407f83d8e046ef34113fd89a2c7dd182e57c8e\",\"threatId\":\"ABCD1234-1234-5678-ABEF-80123456789D\",\"threatStatus\":\"active\",\"threatTime\":\"2025-11-18T06:47:26.915Z\",\"threatType\":\"attachment\"}],\"toAddresses\":[\"bob@example.org\"],\"xmailer\":\"\"}", + "reference": 
"https://us3.proofpointessentials.com/index01.php?mod_id=13&mod_option=logitem&type=message_details&e_id=1235567&k=k1&payload=jsdbivugjkaegklmffdvdfa5dhta79hrg6dsab6nydtfjgn4ryt46sgdfvwetsr4dgf6earsg64qhea64rg64wv6s4hf65bsr68td4hfb68rts4dfh654brs6zd5s4dg6ba5z41r6hs5a4zd165dtu4h1j65nr1bgdf6g6s8d6fhg", + "type": [ + "info" + ] + }, + "observer": { + "product": "Proofpoint Essentials", + "vendor": "Proofpoint" + }, + "proofpoint_essentials": { + "threat": { + "completely_rewritten": "false", + "customer_eid": "1235567", + "customer_name": "Customer 4", + "event_type": "messages_blocked", + "guid": "nadjkbgajgakjnvjkrgnaergevVFHJBvyujb", + "header_from": "alice@example.com", + "impostor_score": 10, + "malware_score": 30, + "message_parts": [ + { + "content_type": "text/html", + "disposition": "inline", + "filename": "text.html", + "md5": "7d793037a0760186574b0282f2f435e7", + "o_content_type": "text/html", + "sandbox_status": "notrequested", + "sha256": "486ea46224d1bb4fb680f34f7c9ad96a8f24ec88be73ea8e5a6c65260e9cb8a7" + }, + { + "content_type": "application/octet-stream", + "disposition": "attached", + "filename": "demo_146987645346416845132.docx.lrf", + "md5": "5eb63bbbe01eeed093cb22bb8f5acdc3", + "o_content_type": "application/vnd.openxmlformats-officedocument.wordprocessingml.document", + "sandbox_status": "notrequested", + "sha256": "b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9" + } + ], + "message_size": 52944, + "message_time": "2025-11-18T16:45:05.000Z", + "parent_eid": "12365", + "parent_name": "QA Test Account - example.net", + "phish_score": 0, + "spam_score": 0, + "stack_name": "us3", + "threats_info_map": [ + { + "classification": "spam", + "threat": "ab4a368d0a65467ad6177ec6ae407f83d8e046ef34113fd89a2c7dd182e57c8e", + "threat_id": "ABCD1234-1234-5678-ABEF-80123456789D", + "threat_status": "active", + "threat_time": "2025-11-18T06:47:26.915Z", + "threat_type": "attachment" + } + ] + } + }, + "related": { + "hash": [ + 
"ab4a368d0a65467ad6177ec6ae407f83d8e046ef34113fd89a2c7dd182e57c8e", + "7d793037a0760186574b0282f2f435e7", + "5eb63bbbe01eeed093cb22bb8f5acdc3", + "486ea46224d1bb4fb680f34f7c9ad96a8f24ec88be73ea8e5a6c65260e9cb8a7", + "b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9" + ], + "ip": [ + "1.128.0.1" + ], + "user": [ + "john@example.com", + "test@example.org", + "alex@example.org", + "bob@example.org" + ] + }, + "rule": { + "name": "spam" + }, + "source": { + "ip": "1.128.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "name": [ + "ab4a368d0a65467ad6177ec6ae407f83d8e046ef34113fd89a2c7dd182e57c8e" + ] + } + } + }, + { + "@timestamp": "2025-11-19T16:45:05Z", + "data_stream": { + "dataset": "proofpoint_essentials.message_blocked", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "9.2.0" + }, + "email": { + "attachments": [ + { + "file": { + "hash": { + "md5": "5eb63bbbe01eeed093cb22bb8f5acdc3", + "sha256": "b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9" + }, + "mime_type": "application/octet-stream", + "name": "demo_146987645346416845132.docx.lrf" + } + } + ], + "from": { + "address": [ + "john@example.com" + ] + }, + "message_id": "20251118064504.GA125698@m1234567.ppops.net", + "sender": { + "address": "support@example.org" + }, + "subject": "attachment threat", + "to": { + "address": [ + "alex@example.org", + "bob@example.org" + ] + } + }, + "event": { + "action": "denied", + "category": [ + "email" + ], + "id": "PE10US317634483018F4D6V464S6V46S5Iuh6KWTOOjEJV01", + "kind": "event", + "original": "{\"event_type\":\"messages_blocked\",\"GUID\":\"PE10US317634483018F4D6V464S6V46S5Iuh6KWTOOjEJV01\",\"completelyRewritten\":\"na\",\"customerEid\":\"1234567\",\"customerName\":\"Plan 
ABC\",\"fromAddress\":\"john@example.com\",\"headerFrom\":\"alice@example.com\",\"impostorScore\":70,\"malwareScore\":80,\"messageDetailsUrl\":\"https://us3.proofpointessentials.com/index01.php?mod_id=13&mod_option=logitem&type=message_details&e_id=1234567&k=k1&payload=jsdvdfdfbdfbivugjkaegklmfa5dhta79hrg6dsab6nydtfjgn4ryt46sgdfvwetsr4dgf6earsg64qhea64rg64wv6s4hf65bsr68td4hfb68rts4dfh654brs6zd5s4dg6ba5z41r6hs5a4zd165dtu4h1j65nr1bgdf6g6s8d6fhg\",\"messageID\":\"<20251118064504.GA125698@m1234567.ppops.net>\",\"messageParts\":[{\"contentType\":\"text/html\",\"disposition\":\"inline\",\"filename\":\"text.html\",\"md5\":\"7d793037a0760186574b0282f2f435e7\",\"oContentType\":\"text/html\",\"sandboxStatus\":\"notrequested\",\"sha256\":\"486ea46224d1bb4fb680f34f7c9ad96a8f24ec88be73ea8e5a6c65260e9cb8a7\"},{\"contentType\":\"application/octet-stream\",\"disposition\":\"attached\",\"filename\":\"demo_146987645346416845132.docx.lrf\",\"md5\":\"5eb63bbbe01eeed093cb22bb8f5acdc3\",\"oContentType\":\"application/vnd.openxmlformats-officedocument.wordprocessingml.document\",\"sandboxStatus\":\"notrequested\",\"sha256\":\"b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9\"}],\"messageSize\":52944,\"messageTime\":\"2025-11-19T16:45:05.000000Z\",\"parentEid\":\"12365\",\"parentName\":\"QA Test Account - example.net\",\"phishScore\":0,\"quarantineRule\":\"PHish Detection\",\"recipient\":[\"alex@example.org\"],\"replyToAddress\":\"\",\"sender\":\"support@example.org\",\"senderIP\":\"1.128.0.1\",\"spamScore\":0,\"stackName\":\"us3\",\"subject\":\"attachment threat\",\"threatsInfoMap\":[{\"classification\":\"spam\",\"threat\":\"ab4a368d0a65467ad6177ec6ae407f83d8e046ef34113fd89a2c7dd182e57c8e\",\"threatId\":\"ABCD1234-1234-5678-ABEF-80123456789D\",\"threatStatus\":\"active\",\"threatTime\":\"2025-11-18T06:47:26.915Z\",\"threatType\":\"attachment\"}],\"toAddresses\":[\"bob@example.org\"],\"xmailer\":\"\"}", + "reference": 
"https://us3.proofpointessentials.com/index01.php?mod_id=13&mod_option=logitem&type=message_details&e_id=1234567&k=k1&payload=jsdvdfdfbdfbivugjkaegklmfa5dhta79hrg6dsab6nydtfjgn4ryt46sgdfvwetsr4dgf6earsg64qhea64rg64wv6s4hf65bsr68td4hfb68rts4dfh654brs6zd5s4dg6ba5z41r6hs5a4zd165dtu4h1j65nr1bgdf6g6s8d6fhg", + "type": [ + "info" + ] + }, + "observer": { + "product": "Proofpoint Essentials", + "vendor": "Proofpoint" + }, + "proofpoint_essentials": { + "threat": { + "completely_rewritten": "na", + "customer_eid": "1234567", + "customer_name": "Plan ABC", + "event_type": "messages_blocked", + "guid": "PE10US317634483018F4D6V464S6V46S5Iuh6KWTOOjEJV01", + "header_from": "alice@example.com", + "impostor_score": 70, + "malware_score": 80, + "message_parts": [ + { + "content_type": "text/html", + "disposition": "inline", + "filename": "text.html", + "md5": "7d793037a0760186574b0282f2f435e7", + "o_content_type": "text/html", + "sandbox_status": "notrequested", + "sha256": "486ea46224d1bb4fb680f34f7c9ad96a8f24ec88be73ea8e5a6c65260e9cb8a7" + }, + { + "content_type": "application/octet-stream", + "disposition": "attached", + "filename": "demo_146987645346416845132.docx.lrf", + "md5": "5eb63bbbe01eeed093cb22bb8f5acdc3", + "o_content_type": "application/vnd.openxmlformats-officedocument.wordprocessingml.document", + "sandbox_status": "notrequested", + "sha256": "b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9" + } + ], + "message_size": 52944, + "message_time": "2025-11-19T16:45:05.000Z", + "parent_eid": "12365", + "parent_name": "QA Test Account - example.net", + "phish_score": 0, + "spam_score": 0, + "stack_name": "us3", + "threats_info_map": [ + { + "classification": "spam", + "threat": "ab4a368d0a65467ad6177ec6ae407f83d8e046ef34113fd89a2c7dd182e57c8e", + "threat_id": "ABCD1234-1234-5678-ABEF-80123456789D", + "threat_status": "active", + "threat_time": "2025-11-18T06:47:26.915Z", + "threat_type": "attachment" + } + ] + } + }, + "related": { + "hash": [ + 
"ab4a368d0a65467ad6177ec6ae407f83d8e046ef34113fd89a2c7dd182e57c8e", + "7d793037a0760186574b0282f2f435e7", + "5eb63bbbe01eeed093cb22bb8f5acdc3", + "486ea46224d1bb4fb680f34f7c9ad96a8f24ec88be73ea8e5a6c65260e9cb8a7", + "b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9" + ], + "ip": [ + "1.128.0.1" + ], + "user": [ + "john@example.com", + "support@example.org", + "alex@example.org", + "bob@example.org" + ] + }, + "rule": { + "name": "PHish Detection" + }, + "source": { + "ip": "1.128.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "name": [ + "ab4a368d0a65467ad6177ec6ae407f83d8e046ef34113fd89a2c7dd182e57c8e" + ] + } + } + }, + { + "@timestamp": "2025-11-18T07:37:18.000Z", + "data_stream": { + "dataset": "proofpoint_essentials.message_delivered", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "9.2.0" + }, + "email": { + "from": { + "address": [ + "not_a_badguy@example.com" + ] + }, + "message_id": "20251118073503.GA12345@m1234567.ppops.net", + "sender": { + "address": "www-data@example.com" + }, + "subject": "URL threat", + "to": { + "address": [ + "qa@example.org" + ] + } + }, + "event": { + "action": "allowed", + "category": [ + "email" + ], + "id": "GBCJHVbvfdjHIVBDBbliuvsvoehfb64V9SFgvuvhVUYVbi-abcd", + "kind": "event", + "original": "{\"event_type\":\"messages_delivered\",\"GUID\":\"GBCJHVbvfdjHIVBDBbliuvsvoehfb64V9SFgvuvhVUYVbi-abcd\",\"completelyRewritten\":\"true\",\"customerEid\":\"1234567\",\"customerName\":\"Customer 
1\",\"fromAddress\":\"not_a_badguy@example.com\",\"headerFrom\":\"not_a_badguy@example.com\",\"impostorScore\":0,\"malwareScore\":0,\"messageDetailsUrl\":\"https://us3.proofpointessentials.com/index01.php?mod_id=13&mod_option=logitem&type=message_details&e_id=1234567&k=k1&payload=4i7f2b8466a51c60523eef35e6295c91e9bhvdsdvabvadhv14684fbdf654b6dfba31g68t4h15badf65g4a4fd86b4trs65h1b6a53s4gde8a7sthgbaf6dg4v6aer8d7g46v5adr4fgv86aw4zs9f68b4y6j84nuy64ko6iu54kyjghf6ga54s6rzhxjtuf45jhn1b6svd5s4gh68mu5yf4ihj86h45srbd6g6\",\"messageID\":\"<20251118073503.GA12345@m1234567.ppops.net>\",\"messageParts\":[{\"contentType\":\"text/html\",\"disposition\":\"inline\",\"filename\":\"text.html\",\"md5\":\"5d41402abc4b2a76b9719d911017c592\",\"oContentType\":\"text/html\",\"sandboxStatus\":\"notrequested\",\"sha256\":\"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824\"}],\"messageSize\":2319,\"messageTime\":\"2025-11-18T07:35:04.000000Z\",\"parentEid\":\"56890\",\"parentName\":\"QA Test Account - example.net\",\"phishScore\":0,\"quarantineRule\":\"N/A\",\"recipient\":[\"qa@example.org\"],\"replyToAddress\":\"\",\"sender\":\"www-data@example.com\",\"senderIP\":\"175.16.199.1\",\"spamScore\":0,\"stackName\":\"us3\",\"subject\":\"URL threat\",\"threatsInfoMap\":[{\"classification\":\"malware\",\"threat\":\"https://example.com/files/demo_1234567890.docx\",\"threatId\":\"6abcdef4-1234-5678-9012-dabcdef12314\",\"threatStatus\":\"active\",\"threatTime\":\"2025-11-18T07:37:18Z\",\"threatType\":\"URL\"}],\"toAddresses\":[\"qa@example.org\"],\"xmailer\":\"\"}", + "reference": "https://us3.proofpointessentials.com/index01.php?mod_id=13&mod_option=logitem&type=message_details&e_id=1234567&k=k1&payload=4i7f2b8466a51c60523eef35e6295c91e9bhvdsdvabvadhv14684fbdf654b6dfba31g68t4h15badf65g4a4fd86b4trs65h1b6a53s4gde8a7sthgbaf6dg4v6aer8d7g46v5adr4fgv86aw4zs9f68b4y6j84nuy64ko6iu54kyjghf6ga54s6rzhxjtuf45jhn1b6svd5s4gh68mu5yf4ihj86h45srbd6g6", + "type": [ + "info" + ] + }, + "observer": { + 
"product": "Proofpoint Essentials", + "vendor": "Proofpoint" + }, + "proofpoint_essentials": { + "threat": { + "completely_rewritten": "true", + "customer_eid": "1234567", + "customer_name": "Customer 1", + "event_type": "messages_delivered", + "guid": "GBCJHVbvfdjHIVBDBbliuvsvoehfb64V9SFgvuvhVUYVbi-abcd", + "header_from": "not_a_badguy@example.com", + "impostor_score": 0, + "malware_score": 0, + "message_parts": [ + { + "content_type": "text/html", + "disposition": "inline", + "filename": "text.html", + "md5": "5d41402abc4b2a76b9719d911017c592", + "o_content_type": "text/html", + "sandbox_status": "notrequested", + "sha256": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824" + } + ], + "message_size": 2319, + "message_time": "2025-11-18T07:35:04.000Z", + "parent_eid": "56890", + "parent_name": "QA Test Account - example.net", + "phish_score": 0, + "spam_score": 0, + "stack_name": "us3", + "threats_info_map": [ + { + "classification": "malware", + "threat": "https://example.com/files/demo_1234567890.docx", + "threat_id": "6abcdef4-1234-5678-9012-dabcdef12314", + "threat_status": "active", + "threat_time": "2025-11-18T07:37:18.000Z", + "threat_type": "URL" + } + ] + } + }, + "related": { + "hash": [ + "5d41402abc4b2a76b9719d911017c592", + "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824" + ], + "ip": [ + "175.16.199.1" + ], + "user": [ + "not_a_badguy@example.com", + "www-data@example.com", + "qa@example.org" + ] + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "name": [ + "https://example.com/files/demo_1234567890.docx" + ], + "type": [ + "url" + ], + "url": { + "original": [ + 
"https://example.com/files/demo_1234567890.docx" + ] + } + } + } + }, + { + "@timestamp": "2025-11-19T09:35:04Z", + "data_stream": { + "dataset": "proofpoint_essentials.message_delivered", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "9.2.0" + }, + "email": { + "from": { + "address": [ + "devil@example.com" + ] + }, + "message_id": "20251118073503.GA12345@m1235567.ppops.net", + "sender": { + "address": "www-data@example.com" + }, + "subject": "URL threat", + "to": { + "address": [ + "support@example.com", + "qa@example.org" + ] + } + }, + "event": { + "action": "allowed", + "category": [ + "email" + ], + "id": "GBCJHVbvfdjHIVsvoehfb64V9SFgvuvhVUYVbi-abcd", + "kind": "event", + "original": "{\"event_type\":\"messages_delivered\",\"GUID\":\"GBCJHVbvfdjHIVsvoehfb64V9SFgvuvhVUYVbi-abcd\",\"completelyRewritten\":\"true\",\"customerEid\":\"1235567\",\"customerName\":\"Customer 4\",\"fromAddress\":\"devil@example.com\",\"headerFrom\":\"not_a_badguy@example.com\",\"impostorScore\":30,\"malwareScore\":40,\"messageDetailsUrl\":\"https://us3.proofpointessentials.com/index01.php?mod_id=13&mod_option=logitem&type=message_details&e_id=1235567&k=k1&payload=4i7dfvfdvf2b8466a51c60523eef35e6295c91e9bhvdsdvabvadhv14684fbdf654b6dfba31g68t4h15badf65g4a4fd86b4trs65h1b6a53s4gde8a7sthgbaf6dg4v6aer8d7g46v5adr4fgv86aw4zs9f68b4y6j84nuy64ko6iu54kyjghf6ga54s6rzhxjtuf45jhn1b6svd5s4gh68mu5yf4ihj86h45srbd6g6\",\"messageID\":\"<20251118073503.GA12345@m1235567.ppops.net>\",\"messageParts\":[{\"contentType\":\"text/html\",\"disposition\":\"inline\",\"filename\":\"text.html\",\"md5\":\"5d41402abc4b2a76b9719d911017c592\",\"oContentType\":\"text/html\",\"sandboxStatus\":\"notrequested\",\"sha256\":\"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824\"}],\"messageSize\":2319,\"messageTime\":\"2025-11-19T09:35:04.000000Z\",\"parentEid\":\"56890\",\"parentName\":\"QA Test Account - 
example.net\",\"phishScore\":0,\"quarantineRule\":\"N/A\",\"recipient\":[\"support@example.com\"],\"replyToAddress\":\"\",\"sender\":\"www-data@example.com\",\"senderIP\":\"1.128.0.2\",\"spamScore\":0,\"stackName\":\"us3\",\"subject\":\"URL threat\",\"threatsInfoMap\":[{\"classification\":\"toad\",\"threat\":\"https://example.com/files/demo_1234567890.docx\",\"threatId\":\"6abcdef4-1234-5678-9012-dabcdef12314\",\"threatStatus\":\"active\",\"threatTime\":\"2025-11-18T07:37:18Z\",\"threatType\":\"URL\"}],\"toAddresses\":[\"qa@example.org\"],\"xmailer\":\"\"}", + "reference": "https://us3.proofpointessentials.com/index01.php?mod_id=13&mod_option=logitem&type=message_details&e_id=1235567&k=k1&payload=4i7dfvfdvf2b8466a51c60523eef35e6295c91e9bhvdsdvabvadhv14684fbdf654b6dfba31g68t4h15badf65g4a4fd86b4trs65h1b6a53s4gde8a7sthgbaf6dg4v6aer8d7g46v5adr4fgv86aw4zs9f68b4y6j84nuy64ko6iu54kyjghf6ga54s6rzhxjtuf45jhn1b6svd5s4gh68mu5yf4ihj86h45srbd6g6", + "type": [ + "info" + ] + }, + "observer": { + "product": "Proofpoint Essentials", + "vendor": "Proofpoint" + }, + "proofpoint_essentials": { + "threat": { + "completely_rewritten": "true", + "customer_eid": "1235567", + "customer_name": "Customer 4", + "event_type": "messages_delivered", + "guid": "GBCJHVbvfdjHIVsvoehfb64V9SFgvuvhVUYVbi-abcd", + "header_from": "not_a_badguy@example.com", + "impostor_score": 30, + "malware_score": 40, + "message_parts": [ + { + "content_type": "text/html", + "disposition": "inline", + "filename": "text.html", + "md5": "5d41402abc4b2a76b9719d911017c592", + "o_content_type": "text/html", + "sandbox_status": "notrequested", + "sha256": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824" + } + ], + "message_size": 2319, + "message_time": "2025-11-19T09:35:04.000Z", + "parent_eid": "56890", + "parent_name": "QA Test Account - example.net", + "phish_score": 0, + "spam_score": 0, + "stack_name": "us3", + "threats_info_map": [ + { + "classification": "toad", + "threat": 
"https://example.com/files/demo_1234567890.docx", + "threat_id": "6abcdef4-1234-5678-9012-dabcdef12314", + "threat_status": "active", + "threat_time": "2025-11-18T07:37:18.000Z", + "threat_type": "URL" + } + ] + } + }, + "related": { + "hash": [ + "5d41402abc4b2a76b9719d911017c592", + "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824" + ], + "ip": [ + "1.128.0.2" + ], + "user": [ + "devil@example.com", + "www-data@example.com", + "support@example.com", + "qa@example.org" + ] + }, + "source": { + "ip": "1.128.0.2" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "name": [ + "https://example.com/files/demo_1234567890.docx" + ], + "type": [ + "url" + ], + "url": { + "original": [ + "https://example.com/files/demo_1234567890.docx" + ] + } + } + } + }, + { + "@timestamp": "2025-11-18T09:35:04Z", + "data_stream": { + "dataset": "proofpoint_essentials.message_delivered", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "9.2.0" + }, + "email": { + "from": { + "address": [ + "devil@example.com" + ] + }, + "message_id": "20251118073503.GA12345@m1235567.ppops.net", + "sender": { + "address": "www-data@example.com" + }, + "subject": "URL threat", + "to": { + "address": [ + "test@example.org", + "qa@example.org" + ] + } + }, + "event": { + "action": "allowed", + "category": [ + "email" + ], + "id": "GBCJHVbvfdjHIVBDBbliuvsvojsdvnlaehfb64V9SFgvuvhVUYVbi-abcd", + "kind": "event", + "original": "{\"event_type\":\"messages_delivered\",\"GUID\":\"GBCJHVbvfdjHIVBDBbliuvsvojsdvnlaehfb64V9SFgvuvhVUYVbi-abcd\",\"completelyRewritten\":\"true\",\"customerEid\":\"1235567\",\"customerName\":\"Customer 
4\",\"fromAddress\":\"devil@example.com\",\"headerFrom\":\"not_a_badguy@example.com\",\"impostorScore\":20,\"malwareScore\":30,\"messageDetailsUrl\":\"https://us3.proofpointessentials.com/index01.php?mod_id=13&mod_option=logitem&type=message_details&e_id=1235567&k=k1&payload=4i7ffvdf2b8466a51c60523eef35e6295c91e9bhvdsdvabvadhv14684fbdf654b6dfba31g68t4h15badf65g4a4fd86b4trs65h1b6a53s4gde8a7sthgbaf6dg4v6aer8d7g46v5adr4fgv86aw4zs9f68b4y6j84nuy64ko6iu54kyjghf6ga54s6rzhxjtuf45jhn1b6svd5s4gh68mu5yf4ihj86h45srbd6g6\",\"messageID\":\"<20251118073503.GA12345@m1235567.ppops.net>\",\"messageParts\":[{\"contentType\":\"text/html\",\"disposition\":\"inline\",\"filename\":\"text.html\",\"md5\":\"5d41402abc4b2a76b9719d911017c592\",\"oContentType\":\"text/html\",\"sandboxStatus\":\"notrequested\",\"sha256\":\"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824\"}],\"messageSize\":2319,\"messageTime\":\"2025-11-18T09:35:04.000000Z\",\"parentEid\":\"56890\",\"parentName\":\"QA Test Account - example.net\",\"phishScore\":0,\"quarantineRule\":\"N/A\",\"recipient\":[\"test@example.org\"],\"replyToAddress\":\"\",\"sender\":\"www-data@example.com\",\"senderIP\":\"175.16.199.1\",\"spamScore\":0,\"stackName\":\"us3\",\"subject\":\"URL threat\",\"threatsInfoMap\":[{\"classification\":\"phish\",\"threat\":\"https://example.com/files/demo_1234567890.docx\",\"threatId\":\"6abcdef4-1234-5678-9012-dabcdef12314\",\"threatStatus\":\"active\",\"threatTime\":\"2025-11-18T07:37:18Z\",\"threatType\":\"URL\"}],\"toAddresses\":[\"qa@example.org\"],\"xmailer\":\"\"}", + "reference": "https://us3.proofpointessentials.com/index01.php?mod_id=13&mod_option=logitem&type=message_details&e_id=1235567&k=k1&payload=4i7ffvdf2b8466a51c60523eef35e6295c91e9bhvdsdvabvadhv14684fbdf654b6dfba31g68t4h15badf65g4a4fd86b4trs65h1b6a53s4gde8a7sthgbaf6dg4v6aer8d7g46v5adr4fgv86aw4zs9f68b4y6j84nuy64ko6iu54kyjghf6ga54s6rzhxjtuf45jhn1b6svd5s4gh68mu5yf4ihj86h45srbd6g6", + "type": [ + "info" + ] + }, + "observer": { + 
"product": "Proofpoint Essentials", + "vendor": "Proofpoint" + }, + "proofpoint_essentials": { + "threat": { + "completely_rewritten": "true", + "customer_eid": "1235567", + "customer_name": "Customer 4", + "event_type": "messages_delivered", + "guid": "GBCJHVbvfdjHIVBDBbliuvsvojsdvnlaehfb64V9SFgvuvhVUYVbi-abcd", + "header_from": "not_a_badguy@example.com", + "impostor_score": 20, + "malware_score": 30, + "message_parts": [ + { + "content_type": "text/html", + "disposition": "inline", + "filename": "text.html", + "md5": "5d41402abc4b2a76b9719d911017c592", + "o_content_type": "text/html", + "sandbox_status": "notrequested", + "sha256": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824" + } + ], + "message_size": 2319, + "message_time": "2025-11-18T09:35:04.000Z", + "parent_eid": "56890", + "parent_name": "QA Test Account - example.net", + "phish_score": 0, + "spam_score": 0, + "stack_name": "us3", + "threats_info_map": [ + { + "classification": "phish", + "threat": "https://example.com/files/demo_1234567890.docx", + "threat_id": "6abcdef4-1234-5678-9012-dabcdef12314", + "threat_status": "active", + "threat_time": "2025-11-18T07:37:18.000Z", + "threat_type": "URL" + } + ] + } + }, + "related": { + "hash": [ + "5d41402abc4b2a76b9719d911017c592", + "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824" + ], + "ip": [ + "175.16.199.1" + ], + "user": [ + "devil@example.com", + "www-data@example.com", + "test@example.org", + "qa@example.org" + ] + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1" + }, + "tags": [ + "preserve_original_event" + ], + "threat": { + "indicator": { + "name": [ + "https://example.com/files/demo_1234567890.docx" + ], + "type": [ + "url" + ], + "url": { + "original": [ + 
"https://example.com/files/demo_1234567890.docx" + ] + } + } + } + } + ] +} diff --git a/packages/proofpoint_essentials/data_stream/threat/agent/stream/cel.yml.hbs b/packages/proofpoint_essentials/data_stream/threat/agent/stream/cel.yml.hbs new file mode 100644 index 00000000000..21651cb0d19 --- /dev/null +++ b/packages/proofpoint_essentials/data_stream/threat/agent/stream/cel.yml.hbs 
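Review bot: For the attachment-type threats in the expected output (the two `messages_blocked` events with `threat_type: attachment`), `threat.indicator.name` is set to the attachment SHA-256 but `threat.indicator.type` is left unset, while the URL-type events get both `threat.indicator.type: url` and `threat.indicator.url.original`. Indicator-match rules and the threat intelligence views key on `threat.indicator.type`, so the attachment threats will not be matched the way the URL ones are; consider setting `threat.indicator.type` to `file` and populating `threat.indicator.file.hash.sha256` from `threats_info_map.threat` when `threat_type` is `attachment`, keeping the hash in `related.hash` as it already is.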
@@ -0,0 +1,126 @@ +config_version: 2 +interval: {{interval}} +resource.tracer: + enabled: {{enable_request_tracer}} + filename: "../../logs/cel/http-request-trace-*.ndjson" + maxbackups: 5 +{{#if proxy_url}} +resource.proxy_url: {{proxy_url}} +{{/if}} +{{#if ssl}} +resource.ssl: {{ssl}} +{{/if}} +{{#if http_client_timeout}} +resource.timeout: {{http_client_timeout}} +{{/if}} +{{#if resource_rate_limit_limit}} +resource.rate_limit.limit: {{resource_rate_limit_limit}} +{{/if}} +{{#if resource_rate_limit_burst}} +resource.rate_limit.burst: {{resource_rate_limit_burst}} +{{/if}} + +resource.url: {{url}} +state: + api_key: {{api_key}} + api_key_secret: {{api_key_secret}} + initial_interval: {{initial_interval}} + customer_data: {{collect_customer_data}} + own_data: {{collect_own_data}} +redact: + fields: + - api_key + - api_key_secret +program: | + state.?cursor.last_timestamp.orValue((now - duration(state.initial_interval)).format(time_layout.RFC3339)).as(start_time, + (timestamp((int(now)/60)*60) - timestamp(start_time)).as(time_diff, + time_diff >= duration("30s") ? + ( + time_diff >= duration("1h") ? + // if time_diff is greater than 1 hour, fetch data for that hour, as the time period exceeds the maximum interval of 1 hour. + { + "end_time": (timestamp(start_time) + duration("1h")).format(time_layout.RFC3339), + "start_time": start_time, + } + : + // if time_diff is less than 1 hour, fetch data for that time period. + { + "end_time": timestamp((int(now)/60)*60).format(time_layout.RFC3339), + "start_time": start_time, + } + ) + : + // if time_diff is less than 30 seconds, return the evaluation, as time period is below the minimum interval of 30 seconds. + state.with({ + "events": [{"message": "interval is below the minimum value"}], + "want_more": false, + "cursor": { + "last_timestamp": start_time + } + }) + ) + ).as(time_range, + has(time_range.events) ? time_range : // exit if interval is below the minimum value, no data to fetch. 
+ state.with( + request( + "GET", + state.url.trim_right("/") + "/v2/siem/all?" + { + "interval": [time_range.start_time + "/" + time_range.end_time], + "ownData": [string(state.own_data)], + "customerData": [string(state.customer_data)], + }.format_query() + ).basic_authentication(state.api_key, state.api_key_secret).do_request().as(resp, resp.StatusCode == 200 ? + resp.Body.decode_json().as(body, { + "events": ( + body.clicksBlocked.map(e, e.with({"event_type": "clicks_blocked"})) + + body.clicksPermitted.map(e, e.with({"event_type": "clicks_permitted"})) + + body.messagesBlocked.map(e, e.with({"event_type": "messages_blocked"})) + + body.messagesDelivered.map(e, e.with({"event_type": "messages_delivered"})) + ).as(events, events.map(e, { + "message": e.encode_json(), + })), + "want_more": (timestamp((int(now)/60)*60) - body.queryEndTime.parse_time("2006-01-02 15:04:05 -0700 MST")).as(time_diff, time_diff >= duration("30s")), + "cursor": { + "last_timestamp": body.queryEndTime.parse_time("2006-01-02 15:04:05 -0700 MST").format(time_layout.RFC3339), + } + }) + : + { + "events": { + "error": { + "code": string(resp.StatusCode), + "id": string(resp.Status), + "message": "GET " + state.url.trim_right("/") + "/v2/siem/all: " + ( + size(resp.Body) != 0 ? + string(resp.Body) + : + string(resp.Status) + ' (' + string(resp.StatusCode) + ')' + ), + }, + }, + "want_more": false, + } + ) + ) + ) +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#if preserve_duplicate_custom_fields}} + - preserve_duplicate_custom_fields +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +- drop_event: + when: + equals: + message: "interval is below the minimum value" +{{#if processors}} +{{processors}} +{{/if}} 
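Review bot: The 200 branch of the CEL program indexes `body.clicksBlocked`, `body.clicksPermitted`, `body.messagesBlocked` and `body.messagesDelivered` unconditionally, so a response in which any one of those keys is absent (rather than an empty list) makes the whole evaluation fail and no events from the other three lists are emitted for that interval. Guarding each access with `body.?clicksBlocked.orValue([])` (and likewise for the other three) keeps the fetch working on partial responses. Two smaller points in the same hunk: `body.queryEndTime.parse_time("2006-01-02 15:04:05 -0700 MST")` is evaluated twice (once for `want_more`, once for the cursor) and could be bound once with `.as(...)`; and the error branch returns `want_more: false` without touching the cursor, which is correct, but a comment saying that the previous `last_timestamp` is intentionally kept so the interval is retried would make that explicit for the next reader.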
diff --git a/packages/proofpoint_essentials/data_stream/threat/elasticsearch/ingest_pipeline/default.yml b/packages/proofpoint_essentials/data_stream/threat/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..2ea640aa889 --- /dev/null +++ b/packages/proofpoint_essentials/data_stream/threat/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,676 @@ +--- +description: Pipeline for processing threat logs. +processors: + - set: + field: ecs.version + tag: set_ecs_version + value: 9.2.0 + - remove: + field: + - organization + - division + - team + ignore_missing: true + if: ctx.organization instanceof String && ctx.division instanceof String && ctx.team instanceof String + tag: remove_agentless_tags + description: >- + Removes the fields added by Agentless as metadata, as they can collide with ECS fields. + - terminate: + tag: data_collection_error + if: ctx.error?.message != null && ctx.message == null && ctx.event?.original == null + description: error message set and no data to process. + + # parse the event JSON + - rename: + field: message + tag: rename_message_to_event_original + target_field: event.original + ignore_missing: true + description: Renames the original `message` field to `event.original` to store a copy of the original message. The `event.original` field is not touched if the document already has one; it may happen when Logstash sends the document. + if: ctx.event?.original == null + - remove: + field: message + tag: remove_message + ignore_missing: true + description: The `message` field is no longer required if the document has an `event.original` field. + if: ctx.event?.original != null + - json: + field: event.original + tag: json_event_original + target_field: json + + # rename to snake case + - script: + tag: script_convert_camelcase_to_snake_case + lang: painless + description: Convert camelCase to snake_case. 
+ source: | + // Helper function to convert camelCase to snake_case + String camelToSnake(String str) { + def result = ""; + def lastCharWasUpperCase = false; + for (int i = 0; i < str.length(); i++) { + char c = str.charAt(i); + if (Character.isUpperCase(c)) { + if (i > 0 && !lastCharWasUpperCase) { + result += "_"; + } + result += Character.toLowerCase(c); + lastCharWasUpperCase = true; + } else { + result += c; + lastCharWasUpperCase = false; + } + } + return result; + } + + // Recursive function to handle nested fields + def convertToSnakeCase(def obj) { + if (obj instanceof Map) { + // Convert each key in the map + def newObj = [:]; + for (entry in obj.entrySet()) { + // Skip fields that contain '@' in their name + if (!entry.getKey().contains("@")) { + String newKey = camelToSnake(entry.getKey()); + newObj[newKey] = convertToSnakeCase(entry.getValue()); + } + } + return newObj; + } else if (obj instanceof List) { + // If it's a list, process each item recursively + def newList = []; + for (item in obj) { + newList.add(convertToSnakeCase(item)); + } + return newList; + } else { + return obj; + } + } + + // Apply the conversion + ctx.proofpoint_essentials = ctx.proofpoint_essentials ?: [:]; + if (ctx.json != null) { + ctx.proofpoint_essentials.threat = convertToSnakeCase(ctx.json); + } + + # convert values + - fingerprint: + fields: + - event.original + target_field: _id + ignore_missing: true + - convert: + field: proofpoint_essentials.threat.click_ip + tag: convert_click_ip_to_ip + type: ip + ignore_missing: true + if: ctx.proofpoint_essentials?.threat?.click_ip != '' + on_failure: + - remove: + field: proofpoint_essentials.threat.click_ip + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: proofpoint_essentials.threat.click_time + tag: date_click_time 
+ target_field: proofpoint_essentials.threat.click_time + formats: + - ISO8601 + if: ctx.proofpoint_essentials?.threat?.click_time != null && ctx.proofpoint_essentials.threat.click_time != '' + on_failure: + - remove: + field: proofpoint_essentials.threat.click_time + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: proofpoint_essentials.threat.impostor_score + tag: convert_impostor_score_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: proofpoint_essentials.threat.impostor_score + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: proofpoint_essentials.threat.malware_score + tag: convert_malware_score_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: proofpoint_essentials.threat.malware_score + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: proofpoint_essentials.threat.message_size + tag: convert_message_size_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: proofpoint_essentials.threat.message_size + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: proofpoint_essentials.threat.message_time + tag: date_message_time + target_field: 
proofpoint_essentials.threat.message_time + formats: + - ISO8601 + if: ctx.proofpoint_essentials?.threat?.message_time != null && ctx.proofpoint_essentials.threat.message_time != '' + on_failure: + - remove: + field: proofpoint_essentials.threat.message_time + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: proofpoint_essentials.threat.phish_score + tag: convert_phish_score_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: proofpoint_essentials.threat.phish_score + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: proofpoint_essentials.threat.sender_ip + tag: convert_sender_ip_to_ip + type: ip + ignore_missing: true + if: ctx.proofpoint_essentials?.threat?.sender_ip != '' + on_failure: + - remove: + field: proofpoint_essentials.threat.sender_ip + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: proofpoint_essentials.threat.spam_score + tag: convert_spam_score_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: proofpoint_essentials.threat.spam_score + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: proofpoint_essentials.threat.threat_time + tag: date_threat_time + 
target_field: proofpoint_essentials.threat.threat_time + formats: + - ISO8601 + if: ctx.proofpoint_essentials?.threat?.threat_time != null && ctx.proofpoint_essentials.threat.threat_time != '' + on_failure: + - remove: + field: proofpoint_essentials.threat.threat_time + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: proofpoint_essentials.threat.threats_info_map + if: ctx.proofpoint_essentials?.threat?.threats_info_map instanceof List + processor: + date: + field: _ingest._value.threat_time + tag: date_threats_info_map_threat_time + target_field: _ingest._value.threat_time + formats: + - ISO8601 + on_failure: + - remove: + field: _ingest._value.threat_time + - gsub: + field: proofpoint_essentials.threat.message_id + pattern: '<|>' + replacement: '' + ignore_missing: true + + # populate ECS fields + + - set: + field: '@timestamp' + tag: set_@timestamp_from_click_time + copy_from: proofpoint_essentials.threat.click_time + ignore_empty_value: true + if: ctx.proofpoint_essentials?.threat?.event_type == 'clicks_blocked' || ctx.proofpoint_essentials?.threat?.event_type == 'clicks_permitted' + - set: + field: '@timestamp' + tag: set_@timestamp_from_message_time + copy_from: proofpoint_essentials.threat.message_time + ignore_empty_value: true + if: ctx.proofpoint_essentials?.threat?.event_type == 'messages_blocked' || ctx.proofpoint_essentials?.threat?.event_type == 'messages_delivered' + - script: + lang: painless + description: Set the @timestamp to the maximum of message_time/click_time and threat_time. 
+ tag: timestamp-is-maximum + if: ctx['@timestamp'] != null + source: | + def ts = Instant.parse(ctx['@timestamp']); + if (ctx.proofpoint_essentials?.threat?.event_type == 'messages_blocked' || ctx.proofpoint_essentials?.threat?.event_type == 'messages_delivered') { + if (ctx.proofpoint_essentials.threat.threats_info_map instanceof List) { + for (item in ctx.proofpoint_essentials.threat.threats_info_map) { + if (item?.threat_time instanceof String && Instant.parse(item.threat_time).isAfter(ts)) { + ts = item.threat_time; + } + } + } + } + if (ctx.proofpoint_essentials?.threat?.event_type == 'clicks_blocked' || ctx.proofpoint_essentials?.threat?.event_type == 'clicks_permitted') { + if (ctx.proofpoint_essentials.threat.threat_time instanceof String && Instant.parse(ctx.proofpoint_essentials.threat.threat_time).isAfter(ts)) { + ts = ctx.proofpoint_essentials.threat.threat_time; + } + } + ctx['@timestamp'] = ts.toString(); + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + + # event.* + - set: + field: event.kind + tag: set_event_kind + value: event + - append: + field: event.category + tag: append_email_into_event_category + value: email + - append: + field: event.type + tag: append_info_into_event_type + value: info + - set: + field: event.action + tag: set_event_action_to_denied + value: denied + if: ctx.proofpoint_essentials?.threat?.event_type == 'clicks_blocked' || ctx.proofpoint_essentials?.threat?.event_type == 'messages_blocked' + - set: + field: event.action + tag: set_event_action_to_allowed + value: allowed + if: ctx.proofpoint_essentials?.threat?.event_type == 'clicks_permitted' || ctx.proofpoint_essentials?.threat?.event_type == 'messages_delivered' + - set: + field: event.id + tag: set_event_id_from_id + copy_from: proofpoint_essentials.threat.id + 
if: ctx.proofpoint_essentials?.threat?.event_type == 'clicks_blocked' || ctx.proofpoint_essentials?.threat?.event_type == 'clicks_permitted' + - set: + field: event.id + tag: set_event_id_from_guid + copy_from: proofpoint_essentials.threat.guid + if: ctx.proofpoint_essentials?.threat?.event_type == 'messages_blocked' || ctx.proofpoint_essentials?.threat?.event_type == 'messages_delivered' + - set: + field: event.reference + tag: set_event_reference_from_message_details_url + copy_from: proofpoint_essentials.threat.message_details_url + ignore_empty_value: true + + # observer.* + - set: + field: observer.vendor + tag: set_observer_vendor + value: Proofpoint + - set: + field: observer.product + tag: set_observer_product + value: Proofpoint Essentials + + # destination.* + - set: + field: destination.ip + tag: set_destination_ip_from_click_ip + copy_from: proofpoint_essentials.threat.click_ip + ignore_empty_value: true + - geoip: + field: destination.ip + target_field: destination.geo + tag: geoip_destination_ip + ignore_missing: true + + # email.* + - set: + field: email.cc.address + tag: set_email_cc_address_from_cc_addresses + copy_from: proofpoint_essentials.threat.cc_addresses + ignore_empty_value: true + - append: + field: email.from.address + tag: append_from_address_into_email_from_address + value: '{{{proofpoint_essentials.threat.from_address}}}' + allow_duplicates: false + if: ctx.proofpoint_essentials?.threat?.from_address != null + - append: + field: email.from.address + tag: append_sender_into_email_from_address + value: '{{{proofpoint_essentials.threat.sender}}}' + allow_duplicates: false + if: ctx.proofpoint_essentials?.threat?.sender != null && ctx.email?.from?.address == null + - set: + field: email.message_id + tag: set_email_message_id_from_message_id + copy_from: proofpoint_essentials.threat.message_id + ignore_empty_value: true + - foreach: + field: proofpoint_essentials.threat.recipient + if: ctx.proofpoint_essentials?.threat?.recipient 
instanceof List + processor: + append: + field: email.to.address + tag: append_recipient_to_email_to_address + value: '{{{_ingest._value}}}' + allow_duplicates: false + - append: + field: email.to.address + tag: append_recipient_into_email_to_address_1 + value: '{{{proofpoint_essentials.threat.recipient}}}' + allow_duplicates: false + if: ctx.proofpoint_essentials?.threat?.recipient instanceof String + - set: + field: email.reply_to.address + tag: set_email_reply_to_address_from_reply_to_address + copy_from: proofpoint_essentials.threat.reply_to_address + ignore_empty_value: true + - set: + field: email.sender.address + tag: set_email_sender_address_from_sender + copy_from: proofpoint_essentials.threat.sender + ignore_empty_value: true + - set: + field: email.subject + tag: set_email_subject_from_subject + copy_from: proofpoint_essentials.threat.subject + ignore_empty_value: true + - set: + field: email.x_mailer + tag: set_email_x_mailer_from_xmailer + copy_from: proofpoint_essentials.threat.xmailer + ignore_empty_value: true + - foreach: + field: proofpoint_essentials.threat.to_addresses + if: ctx.proofpoint_essentials?.threat?.to_addresses instanceof List + processor: + append: + field: email.to.address + tag: append_to_addresses_to_email_to_address + value: '{{{_ingest._value}}}' + allow_duplicates: false + - script: + lang: painless + description: Map email.attachments from message_parts. 
+ tag: script_map_email_attachments + if: ctx.proofpoint_essentials?.threat?.message_parts instanceof List + source: | + ctx.email = ctx.email ?: [:]; + ctx.email.attachments = ctx.email.attachments ?: []; + for (attachment in ctx.proofpoint_essentials.threat.message_parts) { + if (attachment.disposition == 'attached') { + def o = [:]; + o.file = [:]; + o.file.hash = [:]; + o.file.hash.md5 = attachment.md5; + o.file.hash.sha256 = attachment.sha256; + o.file.name = attachment.filename; + o.file.mime_type = attachment.content_type; + ctx.email.attachments.add(o); + } + } + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + + # rule.* + - set: + field: rule.name + tag: set_rule_name_from_quarantine_rule + copy_from: proofpoint_essentials.threat.quarantine_rule + ignore_empty_value: true + + # source.* + - set: + field: source.ip + tag: set_source_ip_from_sender_ip + copy_from: proofpoint_essentials.threat.sender_ip + ignore_empty_value: true + - geoip: + field: source.ip + target_field: source.geo + tag: geoip_source_ip + ignore_missing: true + + # threat.* + - set: + field: threat.indicator.url.original + tag: set_threat_indicator_url_original_from_url + copy_from: proofpoint_essentials.threat.url + ignore_empty_value: true + - set: + field: threat.indicator.name + tag: set_threat_indicator_name_from_url + copy_from: proofpoint_essentials.threat.url + ignore_empty_value: true + - set: + field: threat.indicator.type + tag: set_threat_indicator_type_to_url + value: url + if: ctx.threat?.indicator?.url?.original != null + - set: + field: threat.indicator.last_seen + tag: set_threat_indicator_last_seen_from_threat_time + copy_from: proofpoint_essentials.threat.threat_time + ignore_empty_value: true + - script: + description: Map threat.indicator.* from 
threats_info_map field. + lang: painless + tag: script_map_threat_indicator + if: ctx.proofpoint_essentials?.threat?.threats_info_map instanceof List + source: | + ctx.threat = ctx.threat ?: [:]; + ctx.threat.indicator = ctx.threat.indicator ?: [:]; + ctx.threat.indicator.name = ctx.threat.indicator.name ?: []; + ctx.threat.indicator.type = ctx.threat.indicator.type ?: []; + ctx.threat.indicator.email = ctx.threat.indicator.email ?: [:]; + ctx.threat.indicator.email.address = ctx.threat.indicator.email.address ?: []; + ctx.threat.indicator.url = ctx.threat.indicator.url ?: [:]; + ctx.threat.indicator.url.original = ctx.threat.indicator.url.original ?: []; + ctx.related = ctx.related ?: [:]; + ctx.related.hash = ctx.related.hash ?: []; + ctx.related.user = ctx.related.user ?: []; + for (artifact in ctx.proofpoint_essentials.threat.threats_info_map) { + if (artifact.threat != null) { + + // if artifact is hash of the attachment threat + if (artifact.threat.length() == 64) { + def str = artifact.threat.toLowerCase(); + def hash_pattern = /^[0-9a-f]{64}$/; + if (hash_pattern.matcher(str).matches() && !ctx.related.hash.contains(str)) { + ctx.related.hash.add(str); + } + } + + // if artifact is email address of the impostor sender + def email_pattern = /^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/; + if (email_pattern.matcher(artifact.threat).matches() && !ctx.related.user.contains(artifact.threat)) { + ctx.threat.indicator.email.address.add(artifact.threat); + ctx.threat.indicator.type.add('email-addr'); + ctx.related.user.add(artifact.threat); + } + + // else artifact is malicious url + if (artifact.threat_type != null && artifact.threat_type == 'URL') { + ctx.threat.indicator.url.original.add(artifact.threat); + ctx.threat.indicator.type.add('url'); + } + + ctx.threat.indicator.name.add(artifact.threat); + } + } + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag 
{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + + # user_agent.* + - user_agent: + field: proofpoint_essentials.threat.user_agent + tag: user_agent_threat_user_agent + ignore_missing: true + + # related.* + - append: + field: related.user + tag: append_from_address_to_related_user + value: '{{{proofpoint_essentials.threat.from_address}}}' + allow_duplicates: false + if: ctx.proofpoint_essentials?.threat?.from_address != null + - append: + field: related.user + tag: append_sender_to_related_user + value: '{{{proofpoint_essentials.threat.sender}}}' + allow_duplicates: false + if: ctx.proofpoint_essentials?.threat?.sender != null + - foreach: + field: proofpoint_essentials.threat.message_parts + if: ctx.proofpoint_essentials?.threat?.message_parts instanceof List + processor: + append: + field: related.hash + tag: append_message_parts_md5_to_related_hash + value: '{{{_ingest._value.md5}}}' + allow_duplicates: false + - foreach: + field: proofpoint_essentials.threat.message_parts + if: ctx.proofpoint_essentials?.threat?.message_parts instanceof List + processor: + append: + field: related.hash + tag: append_message_parts_sha256_to_related_hash + value: '{{{_ingest._value.sha256}}}' + allow_duplicates: false + - foreach: + field: proofpoint_essentials.threat.recipient + if: ctx.proofpoint_essentials?.threat?.recipient instanceof List + processor: + append: + field: related.user + tag: append_recipient_to_related_user + value: '{{{_ingest._value}}}' + allow_duplicates: false + - append: + field: related.user + tag: append_reply_to_address_to_related_user + value: '{{{proofpoint_essentials.threat.reply_to_address}}}' + allow_duplicates: false + if: ctx.proofpoint_essentials?.threat?.reply_to_address != null + - append: + field: related.ip + tag: append_sender_ip_to_related_ip + value: '{{{proofpoint_essentials.threat.sender_ip}}}' + allow_duplicates: false + if: 
ctx.proofpoint_essentials?.threat?.sender_ip != null + - foreach: + field: proofpoint_essentials.threat.to_addresses + if: ctx.proofpoint_essentials?.threat?.to_addresses instanceof List + processor: + append: + field: related.user + tag: append_to_addresses_to_related_user + value: '{{{_ingest._value}}}' + allow_duplicates: false + - append: + field: related.ip + tag: append_click_ip_to_related_ip + value: '{{{proofpoint_essentials.threat.click_ip}}}' + allow_duplicates: false + if: ctx.proofpoint_essentials?.threat?.click_ip != null + + # Cleanup + - remove: + field: + - json + tag: remove_json_field + ignore_missing: true + - remove: + field: + - proofpoint_essentials.threat.message_details_url + - proofpoint_essentials.threat.click_ip + - proofpoint_essentials.threat.cc_addresses + - proofpoint_essentials.threat.from_address + - proofpoint_essentials.threat.message_id + - proofpoint_essentials.threat.recipient + - proofpoint_essentials.threat.reply_to_address + - proofpoint_essentials.threat.sender + - proofpoint_essentials.threat.sender_ip + - proofpoint_essentials.threat.subject + - proofpoint_essentials.threat.xmailer + - proofpoint_essentials.threat.to_addresses + - proofpoint_essentials.threat.quarantine_rule + - proofpoint_essentials.threat.url + tag: remove_duplicate_custom_fields + ignore_missing: true + if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields')) + - script: + tag: script_to_drop_null_values + lang: painless + description: This script processor iterates over the whole document to remove fields with null values. 
+ source: |- + void handleMap(Map map) { + map.values().removeIf(v -> { + if (v instanceof Map) { + handleMap(v); + } else if (v instanceof List) { + handleList(v); + } + return v == null || v == '' || v == 'N/A' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) + }); + } + void handleList(List list) { + list.removeIf(v -> { + if (v instanceof Map) { + handleMap(v); + } else if (v instanceof List) { + handleList(v); + } + return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) + }); + } + handleMap(ctx); + - set: + field: event.kind + tag: set_pipeline_error_into_event_kind + value: pipeline_error + if: ctx.error?.message != null + - append: + field: tags + value: preserve_original_event + allow_duplicates: false + if: ctx.error?.message != null +on_failure: + - append: + field: error.message + value: |- + Processor '{{{ _ingest.on_failure_processor_type }}}' + {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}' + {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}' + - set: + field: event.kind + tag: set_pipeline_error_to_event_kind + value: pipeline_error + - append: + field: tags + value: preserve_original_event + allow_duplicates: false diff --git a/packages/proofpoint_essentials/data_stream/threat/fields/base-fields.yml b/packages/proofpoint_essentials/data_stream/threat/fields/base-fields.yml new file mode 100644 index 00000000000..a8d5ad01645 --- /dev/null +++ b/packages/proofpoint_essentials/data_stream/threat/fields/base-fields.yml 
@@ -0,0 +1,16 @@ +- name: data_stream.type + external: ecs +- name: data_stream.dataset + external: ecs +- name: data_stream.namespace + external: ecs +- name: event.module + external: ecs + type: constant_keyword + value: proofpoint_essentials +- name: event.dataset + external: ecs + type: constant_keyword + value: proofpoint_essentials.threat +- name: '@timestamp' + external: ecs diff --git a/packages/proofpoint_essentials/data_stream/threat/fields/beats.yml b/packages/proofpoint_essentials/data_stream/threat/fields/beats.yml new file mode 100644 index 00000000000..4084f1dc7f5 --- /dev/null +++ b/packages/proofpoint_essentials/data_stream/threat/fields/beats.yml @@ -0,0 +1,6 @@ +- name: input.type + type: keyword + description: Type of filebeat input. +- name: log.offset + type: long + description: Log offset. diff --git a/packages/proofpoint_essentials/data_stream/threat/fields/ecs.yml b/packages/proofpoint_essentials/data_stream/threat/fields/ecs.yml new file mode 100644 index 00000000000..e9f4f003382 --- /dev/null +++ b/packages/proofpoint_essentials/data_stream/threat/fields/ecs.yml @@ -0,0 +1,4 @@ +# Define ECS constant fields as constant_keyword +- name: observer.vendor + type: constant_keyword + external: ecs diff --git a/packages/proofpoint_essentials/data_stream/threat/fields/fields.yml b/packages/proofpoint_essentials/data_stream/threat/fields/fields.yml new file mode 100644 index 00000000000..326b5e6551f --- /dev/null +++ b/packages/proofpoint_essentials/data_stream/threat/fields/fields.yml 
@@ -0,0 +1,166 @@ +- name: proofpoint_essentials + type: group + fields: + - name: threat + type: group + fields: + - name: cc_addresses + type: keyword + description: 'A list of email addresses contained within the CC: header, excluding friendly names.' + - name: classification + type: keyword + description: The threat category of the malicious URL. + - name: click_ip + type: ip + description: The external IP address of the user who clicked on the link. If the user is behind a firewall performing network address translation, the IP address of the firewall will be shown. + - name: click_time + type: date + description: The time the user clicked on the URL. + - name: completely_rewritten + type: keyword + description: The rewrite status of the message. + - name: customer_eid + type: keyword + description: The customer's entity ID. + - name: customer_name + type: keyword + description: The customer's name, as configured in Essentials. + - name: event_type + type: keyword + - name: from_address + type: keyword + description: 'The email address contained in the From: header, excluding friendly name.' + - name: guid + type: keyword + description: The ID of the message within PPS. It can be used to identify the message in PPS and is guaranteed to be unique. + - name: header_from + type: keyword + description: 'The full content of the 
From: header, including any friendly name.' + - name: header_reply_to + type: keyword + description: 'If present, the full content of the Reply-To: header, including any friendly names.' + - name: id + type: keyword + description: The unique id of the click. + - name: impostor_score + type: long + description: The impostor score of the message. Higher scores indicate higher certainty. + - name: malware_score + type: long + description: The malware score of the message. Higher scores indicate higher certainty. + - name: message_details_url + type: keyword + description: A permalink to the messages' details page. + - name: message_id + type: keyword + description: Message-ID extracted from the headers of the email message. It can be used to look up the associated message in PPS and is not unique. + - name: message_parts + type: group + fields: + - name: content_type + type: keyword + description: The true, detected Content-Type of the message_part. This may differ from the o_content_type value. + - name: disposition + type: keyword + description: If the value is "inline", the message_part is a message body. If the value is "attached", the message_part is an attachment. + - name: filename + type: keyword + description: The filename of the message_part. + - name: md5 + type: keyword + description: The MD5 hash of the message_part contents. + - name: o_content_type + type: keyword + description: The declared Content-Type of the message_part. + - name: sandbox_status + type: keyword + description: The verdict returned by the sandbox during the scanning process. + - name: sha256 + type: keyword + description: The SHA256 hash of the message_part contents. + - name: message_size + type: long + description: The size in bytes of the message, including headers and attachments. + - name: message_time + type: date + description: When the message was delivered to the user or quarantined by PPS. + - name: parent_eid + type: keyword + description: The parent's EID. 
+ - name: parent_name + type: keyword + description: The parent's name, as configured in Essentials. + - name: phish_score + type: long + description: The phish score of the message. Higher scores indicate higher certainty. + - name: quarantine_rule + type: keyword + description: The name of the rule which quarantined the message. This appears only for messages_blocked events. + - name: recipient + type: keyword + description: An array containing the email addresses of the SMTP (envelope) recipients. + - name: reply_to_address + type: keyword + description: 'The email address contained in the Reply-To: header, excluding friendly name.' + - name: sender + type: keyword + description: The email address of the SMTP (envelope) sender. The user-part is hashed. The domain-part is cleartext. + - name: sender_ip + type: ip + description: The IP address of the sender. + - name: spam_score + type: long + description: The spam score of the message. Higher scores indicate higher certainty. + - name: stack_name + type: keyword + description: The name of the Essentials stack which processed the message. + - name: subject + type: keyword + description: The subject line of the message, if available. + - name: threat_id + type: keyword + description: The unique identifier associated with this threat. It can be used to query the forensics and campaign endpoints. + - name: threat_time + type: date + description: Proofpoint identified the URL as a threat at this time. + - name: threat_status + type: keyword + description: The current state of the threat. + - name: threats_info_map + type: group + fields: + - name: actors + type: nested + description: An array of structures which contain details about the actors associated with a threat. + - name: classification + type: keyword + description: The category of threat found in the message. + - name: detection_type + type: keyword + - name: threat + type: keyword + description: The artifact which was condemned by Proofpoint. 
The malicious URL, hash of the attachment threat, or email address of the impostor sender. + - name: threat_id + type: keyword + description: The unique identifier associated with this threat. It can be used to query the forensics and campaign endpoints. + - name: threat_status + type: keyword + description: The current state of the threat. + - name: threat_time + type: date + description: Proofpoint assigned the threat_status at this time. + - name: threat_type + type: keyword + description: Whether the threat was an attachment, URL, or message type. + - name: to_addresses + type: keyword + description: 'A list of email addresses contained within the To: header, excluding friendly names.' + - name: url + type: keyword + description: The malicious URL which was clicked. + - name: user_agent + type: keyword + description: The User-Agent header from the clicker's HTTP request. + - name: xmailer + type: keyword + description: 'The content of the X-Mailer: header, if present.' diff --git a/packages/proofpoint_essentials/data_stream/threat/manifest.yml b/packages/proofpoint_essentials/data_stream/threat/manifest.yml new file mode 100644 index 00000000000..6182e866f8f --- /dev/null +++ b/packages/proofpoint_essentials/data_stream/threat/manifest.yml 
@@ -0,0 +1,114 @@ +title: Threat +type: logs +dataset: proofpoint_essentials.threat +streams: + - input: cel + title: Threat + description: Collect Proofpoint Essential Threat logs. + template_path: cel.yml.hbs + vars: + - name: initial_interval + type: text + title: Initial Interval + multi: false + required: true + show_user: true + default: 24h + description: How far back to pull the threats from Essentials Threat API. Supported units for this parameter are h/m/s. A maximum of 72 hours of data can be fetched. + - name: interval + type: text + title: Interval + description: Duration between requests to the Essentials Threat API. Supported units for this parameter are h/m/s. + multi: false + required: true + show_user: true + default: 1h + - name: collect_customer_data + type: bool + title: Collect Customer Data + description: Specify whether customer threat data is returned. All customers underneath the partner will be included. Either `Collect Customer Data` or `Collect Own Data` MUST be enabled. + multi: false + required: true + show_user: false + default: false + - name: collect_own_data + type: bool + title: Collect Own Data + description: Specify whether the organization's own threat is returned. Either `Collect Customer Data` or `Collect Own Data` MUST be enabled. + multi: false + required: true + show_user: false + default: true + - name: http_client_timeout + type: text + title: HTTP Client Timeout + description: Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h. + multi: false + required: true + show_user: false + default: 30s + - name: resource_rate_limit_limit + type: text + title: Resource Rate Limit + description: The value of the response that specifies the maximum overall resource request rate. This controls the polling frequency. 
+ show_user: false + multi: false + required: false + - name: resource_rate_limit_burst + type: integer + title: Resource Rate Limit Burst + description: The maximum burst size. Burst is the maximum number of resource requests that can be made above the overall rate limit. + show_user: false + multi: false + required: false + - name: enable_request_tracer + type: bool + title: Enable request tracing + default: false + multi: false + required: false + show_user: false + description: >- + The request tracer logs requests and responses to the agent's local file-system for debugging configurations. + Enabling this request tracing compromises security and should only be used for debugging. Disabling the request + tracer will delete any stored traces. + See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) + for details. + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - proofpoint_essentials-threat + - name: preserve_original_event + required: false + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false + - name: preserve_duplicate_custom_fields + required: false + show_user: false + title: Preserve duplicate custom fields + description: Preserve proofpoint_essentials.threat fields that were copied to Elastic Common Schema (ECS) fields. + type: bool + multi: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. +elasticsearch: + dynamic_dataset: true + dynamic_namespace: true + index_template: + mappings: + dynamic: true 
diff --git a/packages/proofpoint_essentials/data_stream/threat/routing_rules.yml b/packages/proofpoint_essentials/data_stream/threat/routing_rules.yml new file mode 100644 index 00000000000..498d733b681 --- /dev/null +++ b/packages/proofpoint_essentials/data_stream/threat/routing_rules.yml @@ -0,0 +1,22 @@ +- source_dataset: proofpoint_essentials.threat + rules: + - target_dataset: proofpoint_essentials.clicks_blocked + if: ctx.proofpoint_essentials?.threat?.event_type == 'clicks_blocked' + namespace: + - "{{data_stream.namespace}}" + - default + - target_dataset: proofpoint_essentials.clicks_permitted + if: ctx.proofpoint_essentials?.threat?.event_type == 'clicks_permitted' + namespace: + - "{{data_stream.namespace}}" + - default + - target_dataset: proofpoint_essentials.message_blocked + if: ctx.proofpoint_essentials?.threat?.event_type == 'messages_blocked' + namespace: + - "{{data_stream.namespace}}" + - default + - target_dataset: proofpoint_essentials.message_delivered + if: ctx.proofpoint_essentials?.threat?.event_type == 'messages_delivered' + namespace: + - "{{data_stream.namespace}}" + - default diff --git a/packages/proofpoint_essentials/docs/README.md b/packages/proofpoint_essentials/docs/README.md new file mode 100644 index 00000000000..87e4792a6d8 --- /dev/null +++ b/packages/proofpoint_essentials/docs/README.md 
@@ -0,0 +1,390 @@ +# Proofpoint Essentials Integration for Elastic + +## Overview +The Proofpoint Essentials integration with Elastic enables the collection of threats for monitoring and analysis. This valuable data can be leveraged within Elastic to analyze potential threat signals, including spam, phishing, business email compromise (BEC), imposter emails, ransomware, and malware. + +This integration utilizes the [Proofpoint Essentials Threat API](https://help.proofpoint.com/Essentials/Additional_Resources/API_Documentation/Essentials_Threat_API) to collect threat events. + +### Compatibility + +The Proofpoint Essentials integration uses the REST API. It uses the `/v2/siem/all` to collect threat events. + +### How it works + +The **threat** data stream uses the `/v2/siem/all` endpoint to gather all threats starting from the configured initial interval. Subsequently, it fetches the recent threats available at each specified interval. + +The gathered threat data is subsequently routed into individual data streams, each corresponding to a specific threat type. + +## What data does this integration collect? + +The Proofpoint Essentials integration collects threat events of the following types: + +- `clicks_blocked`: events for clicks on malicious URLs blocked by URL Defense. +- `clicks_permitted`: events for clicks on malicious URLs permitted by URL Defense. +- `message_blocked`: events for blocked messages that contain threats recognized by URL Defense or Attachment Defense. +- `message_delivered`: events for delivered messages that contain threats recognized by URL Defense or Attachment Defense. + +### Supported use cases +Integrating Proofpoint Essentials with Elastic SIEM enriches your security operations with targeted email threat intelligence. It enables the detection, investigation, and analysis of phishing, malware, and other email-based threats by leveraging detailed data on clicks and message events. + +## What do I need to use this integration? 
+ +### From Proofpoint Essentials + +#### Collecting data from Essentials Threat API + +1. Navigate to + - Go to **Account Management > Integrations**, then select the **Integration Keys** tab. +2. Add a New Key + - Click **Add Integration Key** in the upper right-hand corner. +3. Enter Key Details + - Provide a **description** to help identify the purpose of the key. + - In the **Access Type** dropdown, select **SIEM Threat Events** +4. Set Scope + - If you are part of an **organisation**, the **Scope** field will be locked to **My Organisation Only**. + - If you are a **partner**, you can choose between: + - **My Organisation Only** + - **My Organisation and All Child Organisations** +5. Create and Save Credentials + - After clicking **Create**, you’ll receive **API Key** and **API Key Secret**. +6. Activation Time + - The key may take up to **30 minutes** to become active. + +For more details, check [Documentation](https://help.proofpoint.com/Essentials/Product_Documentation/Account_Management/Integrations/Integration_Keys). + +## How do I deploy this integration? + +### Agent-based deployment + +Elastic Agent must be installed. For more details, check the Elastic Agent [installation instructions](docs-content://reference/fleet/install-elastic-agents.md). You can install only one Elastic Agent per host. + +Elastic Agent is required to stream data from the syslog or log file receiver and ship the data to Elastic, where the events will then be processed via the integration's ingest pipelines. + +### Agentless deployment + +Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. Agentless deployments provide a means to ingest data while avoiding the orchestration, management, and maintenance needs associated with standard ingest infrastructure. Using an agentless deployment makes manual agent deployment unnecessary, allowing you to focus on your data instead of the agent that collects it. 
+ +For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html) + +### Onboard / configure + +1. In the top search bar in Kibana, search for **Integrations**. +2. In the search bar, type **Proofpoint Essentials**. +3. Select the **Proofpoint Essentials** integration from the search results. +4. Select **Add Proofpoint Essentials** to add the integration. +5. Enable and configure only the collection methods which you will use. + + * To **Collect Proofpoint Essentials logs via API**, you'll need to: + + - Configure **URL**, **API Key**, and **API Key Secret**. + - Adjust the integration configuration parameters if required, including the Interval, Collect Customer Data, Collect Own Data, Preserve original event etc. to enable data collection. + +6. Select **Save and continue** to save the integration. + +### Validation + +#### Dashboards populated + +1. In the top search bar in Kibana, search for **Dashboards**. +2. In the search bar, type **Proofpoint Essentials**. +3. Select a dashboard for the dataset you are collecting, and verify the dashboard information is populated. + +## Troubleshooting + +For help with Elastic ingest tools, check [Common problems](https://www.elastic.co/docs/troubleshoot/ingest/fleet/common-problems). + +## Scaling + +For more information on architectures that can be used for scaling this integration, check the [Ingest Architectures](https://www.elastic.co/docs/manage-data/ingest/ingest-reference-architectures) documentation. + +## Reference + +### ECS field reference + +#### Clicks Blocked + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. 
If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | +| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword | +| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. 
Apache logs), `event.module` should contain the name of this module. | constant_keyword | +| input.type | Type of filebeat input. | keyword | +| log.offset | Log offset. | long | +| observer.vendor | Vendor name of the observer. | constant_keyword | +| proofpoint_essentials.threat.cc_addresses | A list of email addresses contained within the CC: header, excluding friendly names. | keyword | +| proofpoint_essentials.threat.classification | The threat category of the malicious URL. | keyword | +| proofpoint_essentials.threat.click_ip | The external IP address of the user who clicked on the link. If the user is behind a firewall performing network address translation, the IP address of the firewall will be shown. | ip | +| proofpoint_essentials.threat.click_time | The time the user clicked on the URL. | date | +| proofpoint_essentials.threat.completely_rewritten | The rewrite status of the message. | keyword | +| proofpoint_essentials.threat.customer_eid | The customer's entity ID. | keyword | +| proofpoint_essentials.threat.customer_name | The customer's name, as configured in Essentials. | keyword | +| proofpoint_essentials.threat.event_type | | keyword | +| proofpoint_essentials.threat.from_address | The email address contained in the From: header, excluding friendly name. | keyword | +| proofpoint_essentials.threat.guid | The ID of the message within PPS. It can be used to identify the message in PPS and is guaranteed to be unique. | keyword | +| proofpoint_essentials.threat.header_from | The full content of the 
From: header, including any friendly name. | keyword | +| proofpoint_essentials.threat.header_reply_to | If present, the full content of the Reply-To: header, including any friendly names. | keyword | +| proofpoint_essentials.threat.id | The unique id of the click. | keyword | +| proofpoint_essentials.threat.impostor_score | The impostor score of the message. Higher scores indicate higher certainty. | long | +| proofpoint_essentials.threat.malware_score | The malware score of the message. Higher scores indicate higher certainty. | long | +| proofpoint_essentials.threat.message_details_url | A permalink to the messages' details page. | keyword | +| proofpoint_essentials.threat.message_id | Message-ID extracted from the headers of the email message. It can be used to look up the associated message in PPS and is not unique. | keyword | +| proofpoint_essentials.threat.message_parts.content_type | The true, detected Content-Type of the message_part. This may differ from the o_content_type value. | keyword | +| proofpoint_essentials.threat.message_parts.disposition | If the value is "inline", the message_part is a message body. If the value is "attached", the message_part is an attachment. | keyword | +| proofpoint_essentials.threat.message_parts.filename | The filename of the message_part. | keyword | +| proofpoint_essentials.threat.message_parts.md5 | The MD5 hash of the message_part contents. | keyword | +| proofpoint_essentials.threat.message_parts.o_content_type | The declared Content-Type of the message_part. | keyword | +| proofpoint_essentials.threat.message_parts.sandbox_status | The verdict returned by the sandbox during the scanning process. | keyword | +| proofpoint_essentials.threat.message_parts.sha256 | The SHA256 hash of the message_part contents. | keyword | +| proofpoint_essentials.threat.message_size | The size in bytes of the message, including headers and attachments. 
| long | +| proofpoint_essentials.threat.message_time | When the message was delivered to the user or quarantined by PPS. | date | +| proofpoint_essentials.threat.parent_eid | The parent's EID. | keyword | +| proofpoint_essentials.threat.parent_name | The parent's name, as configured in Essentials. | keyword | +| proofpoint_essentials.threat.phish_score | The phish score of the message. Higher scores indicate higher certainty. | long | +| proofpoint_essentials.threat.quarantine_rule | The name of the rule which quarantined the message. This appears only for messages_blocked events. | keyword | +| proofpoint_essentials.threat.recipient | An array containing the email addresses of the SMTP (envelope) recipients. | keyword | +| proofpoint_essentials.threat.reply_to_address | The email address contained in the Reply-To: header, excluding friendly name. | keyword | +| proofpoint_essentials.threat.sender | The email address of the SMTP (envelope) sender. The user-part is hashed. The domain-part is cleartext. | keyword | +| proofpoint_essentials.threat.sender_ip | The IP address of the sender. | ip | +| proofpoint_essentials.threat.spam_score | The spam score of the message. Higher scores indicate higher certainty. | long | +| proofpoint_essentials.threat.stack_name | The name of the Essentials stack which processed the message. | keyword | +| proofpoint_essentials.threat.subject | The subject line of the message, if available. | keyword | +| proofpoint_essentials.threat.threat_id | The unique identifier associated with this threat. It can be used to query the forensics and campaign endpoints. | keyword | +| proofpoint_essentials.threat.threat_status | The current state of the threat. | keyword | +| proofpoint_essentials.threat.threat_time | Proofpoint identified the URL as a threat at this time. | date | +| proofpoint_essentials.threat.threats_info_map.actors | An array of structures which contain details about the actors associated with a threat. 
| nested | +| proofpoint_essentials.threat.threats_info_map.classification | The category of threat found in the message. | keyword | +| proofpoint_essentials.threat.threats_info_map.detection_type | | keyword | +| proofpoint_essentials.threat.threats_info_map.threat | The artifact which was condemned by Proofpoint. The malicious URL, hash of the attachment threat, or email address of the impostor sender. | keyword | +| proofpoint_essentials.threat.threats_info_map.threat_id | The unique identifier associated with this threat. It can be used to query the forensics and campaign endpoints. | keyword | +| proofpoint_essentials.threat.threats_info_map.threat_status | The current state of the threat. | keyword | +| proofpoint_essentials.threat.threats_info_map.threat_time | Proofpoint assigned the threat_status at this time. | date | +| proofpoint_essentials.threat.threats_info_map.threat_type | Whether the threat was an attachment, URL, or message type. | keyword | +| proofpoint_essentials.threat.to_addresses | A list of email addresses contained within the To: header, excluding friendly names. | keyword | +| proofpoint_essentials.threat.url | The malicious URL which was clicked. | keyword | +| proofpoint_essentials.threat.user_agent | The User-Agent header from the clicker's HTTP request. | keyword | +| proofpoint_essentials.threat.xmailer | The content of the X-Mailer: header, if present. | keyword | + + +#### Clicks Permitted + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. 
Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | +| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword | +| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | constant_keyword | +| input.type | Type of filebeat input. | keyword | +| log.offset | Log offset. | long | +| observer.vendor | Vendor name of the observer. 
| constant_keyword | +| proofpoint_essentials.threat.cc_addresses | A list of email addresses contained within the CC: header, excluding friendly names. | keyword | +| proofpoint_essentials.threat.classification | The threat category of the malicious URL. | keyword | +| proofpoint_essentials.threat.click_ip | The external IP address of the user who clicked on the link. If the user is behind a firewall performing network address translation, the IP address of the firewall will be shown. | ip | +| proofpoint_essentials.threat.click_time | The time the user clicked on the URL. | date | +| proofpoint_essentials.threat.completely_rewritten | The rewrite status of the message. | keyword | +| proofpoint_essentials.threat.customer_eid | The customer's entity ID. | keyword | +| proofpoint_essentials.threat.customer_name | The customer's name, as configured in Essentials. | keyword | +| proofpoint_essentials.threat.event_type | | keyword | +| proofpoint_essentials.threat.from_address | The email address contained in the From: header, excluding friendly name. | keyword | +| proofpoint_essentials.threat.guid | The ID of the message within PPS. It can be used to identify the message in PPS and is guaranteed to be unique. | keyword | +| proofpoint_essentials.threat.header_from | The full content of the 
From: header, including any friendly name. | keyword | +| proofpoint_essentials.threat.header_reply_to | If present, the full content of the Reply-To: header, including any friendly names. | keyword | +| proofpoint_essentials.threat.id | The unique id of the click. | keyword | +| proofpoint_essentials.threat.impostor_score | The impostor score of the message. Higher scores indicate higher certainty. | long | +| proofpoint_essentials.threat.malware_score | The malware score of the message. Higher scores indicate higher certainty. | long | +| proofpoint_essentials.threat.message_details_url | A permalink to the messages' details page. | keyword | +| proofpoint_essentials.threat.message_id | Message-ID extracted from the headers of the email message. It can be used to look up the associated message in PPS and is not unique. | keyword | +| proofpoint_essentials.threat.message_parts.content_type | The true, detected Content-Type of the message_part. This may differ from the o_content_type value. | keyword | +| proofpoint_essentials.threat.message_parts.disposition | If the value is "inline", the message_part is a message body. If the value is "attached", the message_part is an attachment. | keyword | +| proofpoint_essentials.threat.message_parts.filename | The filename of the message_part. | keyword | +| proofpoint_essentials.threat.message_parts.md5 | The MD5 hash of the message_part contents. | keyword | +| proofpoint_essentials.threat.message_parts.o_content_type | The declared Content-Type of the message_part. | keyword | +| proofpoint_essentials.threat.message_parts.sandbox_status | The verdict returned by the sandbox during the scanning process. | keyword | +| proofpoint_essentials.threat.message_parts.sha256 | The SHA256 hash of the message_part contents. | keyword | +| proofpoint_essentials.threat.message_size | The size in bytes of the message, including headers and attachments. 
| long | +| proofpoint_essentials.threat.message_time | When the message was delivered to the user or quarantined by PPS. | date | +| proofpoint_essentials.threat.parent_eid | The parent's EID. | keyword | +| proofpoint_essentials.threat.parent_name | The parent's name, as configured in Essentials. | keyword | +| proofpoint_essentials.threat.phish_score | The phish score of the message. Higher scores indicate higher certainty. | long | +| proofpoint_essentials.threat.quarantine_rule | The name of the rule which quarantined the message. This appears only for messages_blocked events. | keyword | +| proofpoint_essentials.threat.recipient | An array containing the email addresses of the SMTP (envelope) recipients. | keyword | +| proofpoint_essentials.threat.reply_to_address | The email address contained in the Reply-To: header, excluding friendly name. | keyword | +| proofpoint_essentials.threat.sender | The email address of the SMTP (envelope) sender. The user-part is hashed. The domain-part is cleartext. | keyword | +| proofpoint_essentials.threat.sender_ip | The IP address of the sender. | ip | +| proofpoint_essentials.threat.spam_score | The spam score of the message. Higher scores indicate higher certainty. | long | +| proofpoint_essentials.threat.stack_name | The name of the Essentials stack which processed the message. | keyword | +| proofpoint_essentials.threat.subject | The subject line of the message, if available. | keyword | +| proofpoint_essentials.threat.threat_id | The unique identifier associated with this threat. It can be used to query the forensics and campaign endpoints. | keyword | +| proofpoint_essentials.threat.threat_status | The current state of the threat. | keyword | +| proofpoint_essentials.threat.threat_time | Proofpoint identified the URL as a threat at this time. | date | +| proofpoint_essentials.threat.threats_info_map.actors | An array of structures which contain details about the actors associated with a threat. 
| nested | +| proofpoint_essentials.threat.threats_info_map.classification | The category of threat found in the message. | keyword | +| proofpoint_essentials.threat.threats_info_map.detection_type | | keyword | +| proofpoint_essentials.threat.threats_info_map.threat | The artifact which was condemned by Proofpoint. The malicious URL, hash of the attachment threat, or email address of the impostor sender. | keyword | +| proofpoint_essentials.threat.threats_info_map.threat_id | The unique identifier associated with this threat. It can be used to query the forensics and campaign endpoints. | keyword | +| proofpoint_essentials.threat.threats_info_map.threat_status | The current state of the threat. | keyword | +| proofpoint_essentials.threat.threats_info_map.threat_time | Proofpoint assigned the threat_status at this time. | date | +| proofpoint_essentials.threat.threats_info_map.threat_type | Whether the threat was an attachment, URL, or message type. | keyword | +| proofpoint_essentials.threat.to_addresses | A list of email addresses contained within the To: header, excluding friendly names. | keyword | +| proofpoint_essentials.threat.url | The malicious URL which was clicked. | keyword | +| proofpoint_essentials.threat.user_agent | The User-Agent header from the clicker's HTTP request. | keyword | +| proofpoint_essentials.threat.xmailer | The content of the X-Mailer: header, if present. | keyword | + + +#### Messages Blocked + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. 
Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | +| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword | +| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | constant_keyword | +| input.type | Type of filebeat input. | keyword | +| log.offset | Log offset. | long | +| observer.vendor | Vendor name of the observer. 
| constant_keyword | +| proofpoint_essentials.threat.cc_addresses | A list of email addresses contained within the CC: header, excluding friendly names. | keyword | +| proofpoint_essentials.threat.classification | The threat category of the malicious URL. | keyword | +| proofpoint_essentials.threat.click_ip | The external IP address of the user who clicked on the link. If the user is behind a firewall performing network address translation, the IP address of the firewall will be shown. | ip | +| proofpoint_essentials.threat.click_time | The time the user clicked on the URL. | date | +| proofpoint_essentials.threat.completely_rewritten | The rewrite status of the message. | keyword | +| proofpoint_essentials.threat.customer_eid | The customer's entity ID. | keyword | +| proofpoint_essentials.threat.customer_name | The customer's name, as configured in Essentials. | keyword | +| proofpoint_essentials.threat.event_type | | keyword | +| proofpoint_essentials.threat.from_address | The email address contained in the From: header, excluding friendly name. | keyword | +| proofpoint_essentials.threat.guid | The ID of the message within PPS. It can be used to identify the message in PPS and is guaranteed to be unique. | keyword | +| proofpoint_essentials.threat.header_from | The full content of the 
From: header, including any friendly name. | keyword | +| proofpoint_essentials.threat.header_reply_to | If present, the full content of the Reply-To: header, including any friendly names. | keyword | +| proofpoint_essentials.threat.id | The unique id of the click. | keyword | +| proofpoint_essentials.threat.impostor_score | The impostor score of the message. Higher scores indicate higher certainty. | long | +| proofpoint_essentials.threat.malware_score | The malware score of the message. Higher scores indicate higher certainty. | long | +| proofpoint_essentials.threat.message_details_url | A permalink to the messages' details page. | keyword | +| proofpoint_essentials.threat.message_id | Message-ID extracted from the headers of the email message. It can be used to look up the associated message in PPS and is not unique. | keyword | +| proofpoint_essentials.threat.message_parts.content_type | The true, detected Content-Type of the message_part. This may differ from the o_content_type value. | keyword | +| proofpoint_essentials.threat.message_parts.disposition | If the value is "inline", the message_part is a message body. If the value is "attached", the message_part is an attachment. | keyword | +| proofpoint_essentials.threat.message_parts.filename | The filename of the message_part. | keyword | +| proofpoint_essentials.threat.message_parts.md5 | The MD5 hash of the message_part contents. | keyword | +| proofpoint_essentials.threat.message_parts.o_content_type | The declared Content-Type of the message_part. | keyword | +| proofpoint_essentials.threat.message_parts.sandbox_status | The verdict returned by the sandbox during the scanning process. | keyword | +| proofpoint_essentials.threat.message_parts.sha256 | The SHA256 hash of the message_part contents. | keyword | +| proofpoint_essentials.threat.message_size | The size in bytes of the message, including headers and attachments. 
| long | +| proofpoint_essentials.threat.message_time | When the message was delivered to the user or quarantined by PPS. | date | +| proofpoint_essentials.threat.parent_eid | The parent's EID. | keyword | +| proofpoint_essentials.threat.parent_name | The parent's name, as configured in Essentials. | keyword | +| proofpoint_essentials.threat.phish_score | The phish score of the message. Higher scores indicate higher certainty. | long | +| proofpoint_essentials.threat.quarantine_rule | The name of the rule which quarantined the message. This appears only for messages_blocked events. | keyword | +| proofpoint_essentials.threat.recipient | An array containing the email addresses of the SMTP (envelope) recipients. | keyword | +| proofpoint_essentials.threat.reply_to_address | The email address contained in the Reply-To: header, excluding friendly name. | keyword | +| proofpoint_essentials.threat.sender | The email address of the SMTP (envelope) sender. The user-part is hashed. The domain-part is cleartext. | keyword | +| proofpoint_essentials.threat.sender_ip | The IP address of the sender. | ip | +| proofpoint_essentials.threat.spam_score | The spam score of the message. Higher scores indicate higher certainty. | long | +| proofpoint_essentials.threat.stack_name | The name of the Essentials stack which processed the message. | keyword | +| proofpoint_essentials.threat.subject | The subject line of the message, if available. | keyword | +| proofpoint_essentials.threat.threat_id | The unique identifier associated with this threat. It can be used to query the forensics and campaign endpoints. | keyword | +| proofpoint_essentials.threat.threat_status | The current state of the threat. | keyword | +| proofpoint_essentials.threat.threat_time | Proofpoint identified the URL as a threat at this time. | date | +| proofpoint_essentials.threat.threats_info_map.actors | An array of structures which contain details about the actors associated with a threat. 
| nested | +| proofpoint_essentials.threat.threats_info_map.classification | The category of threat found in the message. | keyword | +| proofpoint_essentials.threat.threats_info_map.detection_type | | keyword | +| proofpoint_essentials.threat.threats_info_map.threat | The artifact which was condemned by Proofpoint. The malicious URL, hash of the attachment threat, or email address of the impostor sender. | keyword | +| proofpoint_essentials.threat.threats_info_map.threat_id | The unique identifier associated with this threat. It can be used to query the forensics and campaign endpoints. | keyword | +| proofpoint_essentials.threat.threats_info_map.threat_status | The current state of the threat. | keyword | +| proofpoint_essentials.threat.threats_info_map.threat_time | Proofpoint assigned the threat_status at this time. | date | +| proofpoint_essentials.threat.threats_info_map.threat_type | Whether the threat was an attachment, URL, or message type. | keyword | +| proofpoint_essentials.threat.to_addresses | A list of email addresses contained within the To: header, excluding friendly names. | keyword | +| proofpoint_essentials.threat.url | The malicious URL which was clicked. | keyword | +| proofpoint_essentials.threat.user_agent | The User-Agent header from the clicker's HTTP request. | keyword | +| proofpoint_essentials.threat.xmailer | The content of the X-Mailer: header, if present. | keyword | + + +#### Messages Delivered + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. 
Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | +| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword | +| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | constant_keyword | +| input.type | Type of filebeat input. | keyword | +| log.offset | Log offset. | long | +| observer.vendor | Vendor name of the observer. 
| constant_keyword | +| proofpoint_essentials.threat.cc_addresses | A list of email addresses contained within the CC: header, excluding friendly names. | keyword | +| proofpoint_essentials.threat.classification | The threat category of the malicious URL. | keyword | +| proofpoint_essentials.threat.click_ip | The external IP address of the user who clicked on the link. If the user is behind a firewall performing network address translation, the IP address of the firewall will be shown. | ip | +| proofpoint_essentials.threat.click_time | The time the user clicked on the URL. | date | +| proofpoint_essentials.threat.completely_rewritten | The rewrite status of the message. | keyword | +| proofpoint_essentials.threat.customer_eid | The customer's entity ID. | keyword | +| proofpoint_essentials.threat.customer_name | The customer's name, as configured in Essentials. | keyword | +| proofpoint_essentials.threat.event_type | | keyword | +| proofpoint_essentials.threat.from_address | The email address contained in the From: header, excluding friendly name. | keyword | +| proofpoint_essentials.threat.guid | The ID of the message within PPS. It can be used to identify the message in PPS and is guaranteed to be unique. | keyword | +| proofpoint_essentials.threat.header_from | The full content of the 
From: header, including any friendly name. | keyword | +| proofpoint_essentials.threat.header_reply_to | If present, the full content of the Reply-To: header, including any friendly names. | keyword | +| proofpoint_essentials.threat.id | The unique id of the click. | keyword | +| proofpoint_essentials.threat.impostor_score | The impostor score of the message. Higher scores indicate higher certainty. | long | +| proofpoint_essentials.threat.malware_score | The malware score of the message. Higher scores indicate higher certainty. | long | +| proofpoint_essentials.threat.message_details_url | A permalink to the messages' details page. | keyword | +| proofpoint_essentials.threat.message_id | Message-ID extracted from the headers of the email message. It can be used to look up the associated message in PPS and is not unique. | keyword | +| proofpoint_essentials.threat.message_parts.content_type | The true, detected Content-Type of the message_part. This may differ from the o_content_type value. | keyword | +| proofpoint_essentials.threat.message_parts.disposition | If the value is "inline", the message_part is a message body. If the value is "attached", the message_part is an attachment. | keyword | +| proofpoint_essentials.threat.message_parts.filename | The filename of the message_part. | keyword | +| proofpoint_essentials.threat.message_parts.md5 | The MD5 hash of the message_part contents. | keyword | +| proofpoint_essentials.threat.message_parts.o_content_type | The declared Content-Type of the message_part. | keyword | +| proofpoint_essentials.threat.message_parts.sandbox_status | The verdict returned by the sandbox during the scanning process. | keyword | +| proofpoint_essentials.threat.message_parts.sha256 | The SHA256 hash of the message_part contents. | keyword | +| proofpoint_essentials.threat.message_size | The size in bytes of the message, including headers and attachments. 
| long | +| proofpoint_essentials.threat.message_time | When the message was delivered to the user or quarantined by PPS. | date | +| proofpoint_essentials.threat.parent_eid | The parent's EID. | keyword | +| proofpoint_essentials.threat.parent_name | The parent's name, as configured in Essentials. | keyword | +| proofpoint_essentials.threat.phish_score | The phish score of the message. Higher scores indicate higher certainty. | long | +| proofpoint_essentials.threat.quarantine_rule | The name of the rule which quarantined the message. This appears only for messages_blocked events. | keyword | +| proofpoint_essentials.threat.recipient | An array containing the email addresses of the SMTP (envelope) recipients. | keyword | +| proofpoint_essentials.threat.reply_to_address | The email address contained in the Reply-To: header, excluding friendly name. | keyword | +| proofpoint_essentials.threat.sender | The email address of the SMTP (envelope) sender. The user-part is hashed. The domain-part is cleartext. | keyword | +| proofpoint_essentials.threat.sender_ip | The IP address of the sender. | ip | +| proofpoint_essentials.threat.spam_score | The spam score of the message. Higher scores indicate higher certainty. | long | +| proofpoint_essentials.threat.stack_name | The name of the Essentials stack which processed the message. | keyword | +| proofpoint_essentials.threat.subject | The subject line of the message, if available. | keyword | +| proofpoint_essentials.threat.threat_id | The unique identifier associated with this threat. It can be used to query the forensics and campaign endpoints. | keyword | +| proofpoint_essentials.threat.threat_status | The current state of the threat. | keyword | +| proofpoint_essentials.threat.threat_time | Proofpoint identified the URL as a threat at this time. | date | +| proofpoint_essentials.threat.threats_info_map.actors | An array of structures which contain details about the actors associated with a threat. 
| nested | +| proofpoint_essentials.threat.threats_info_map.classification | The category of threat found in the message. | keyword | +| proofpoint_essentials.threat.threats_info_map.detection_type | | keyword | +| proofpoint_essentials.threat.threats_info_map.threat | The artifact which was condemned by Proofpoint. The malicious URL, hash of the attachment threat, or email address of the impostor sender. | keyword | +| proofpoint_essentials.threat.threats_info_map.threat_id | The unique identifier associated with this threat. It can be used to query the forensics and campaign endpoints. | keyword | +| proofpoint_essentials.threat.threats_info_map.threat_status | The current state of the threat. | keyword | +| proofpoint_essentials.threat.threats_info_map.threat_time | Proofpoint assigned the threat_status at this time. | date | +| proofpoint_essentials.threat.threats_info_map.threat_type | Whether the threat was an attachment, URL, or message type. | keyword | +| proofpoint_essentials.threat.to_addresses | A list of email addresses contained within the To: header, excluding friendly names. | keyword | +| proofpoint_essentials.threat.url | The malicious URL which was clicked. | keyword | +| proofpoint_essentials.threat.user_agent | The User-Agent header from the clicker's HTTP request. | keyword | +| proofpoint_essentials.threat.xmailer | The content of the X-Mailer: header, if present. | keyword | + + +### Inputs used + +These inputs are used in this integration: + +- [cel](https://www.elastic.co/docs/reference/beats/filebeat/filebeat-input-cel) + +### API usage + +This integration uses the following APIs: + +- [Proofpoint Essentials Threat API](https://help.proofpoint.com/Essentials/Additional_Resources/API_Documentation/Essentials_Threat_API). diff --git a/packages/proofpoint_essentials/img/proofpoint-logo.svg b/packages/proofpoint_essentials/img/proofpoint-logo.svg new file mode 100644 index 00000000000..9a147bc4795 --- /dev/null 
+++ b/packages/proofpoint_essentials/img/proofpoint-logo.svg @@ -0,0 +1,42 @@ + + + + + + + + + + + + + + + + + + + + + diff --git a/packages/proofpoint_essentials/img/proofpoint_essentials-clicks-dashboard.png b/packages/proofpoint_essentials/img/proofpoint_essentials-clicks-dashboard.png new file mode 100644 index 00000000000..f06eeb83b8d Binary files /dev/null and b/packages/proofpoint_essentials/img/proofpoint_essentials-clicks-dashboard.png differ diff --git a/packages/proofpoint_essentials/img/proofpoint_essentials-messages-dashboard.png b/packages/proofpoint_essentials/img/proofpoint_essentials-messages-dashboard.png new file mode 100644 index 00000000000..6cac20f2d8f Binary files /dev/null and b/packages/proofpoint_essentials/img/proofpoint_essentials-messages-dashboard.png differ diff --git a/packages/proofpoint_essentials/kibana/dashboard/proofpoint_essentials-6ce9c1fd-381f-4757-9747-b8fdabdde163.json b/packages/proofpoint_essentials/kibana/dashboard/proofpoint_essentials-6ce9c1fd-381f-4757-9747-b8fdabdde163.json new file mode 100644 index 00000000000..6fdddab5e69 --- /dev/null +++ b/packages/proofpoint_essentials/kibana/dashboard/proofpoint_essentials-6ce9c1fd-381f-4757-9747-b8fdabdde163.json 
@@ -0,0 +1,1934 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": { + "ignoreFilters": false, + "ignoreQuery": false, + "ignoreTimerange": false, + "ignoreValidations": false + }, + "panelsJSON": { + "cd1d8d4e-d7c9-4312-affc-66c86040627a": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "proofpoint_essentials.threat.threat_status", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Threat Status" + }, + "grow": true, + "order": 1, + "type": "optionsListControl", + "width": "medium" + }, + "ff9ace27-6fe3-43ca-9870-dea294280218": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "proofpoint_essentials.threat.classification", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Classification" + }, + "grow": true, + "order": 0, + "type": "optionsListControl", + "width": "medium" + } + }, + "showApplySelections": false + }, + "description": "This dashboard provides an overview of the blocked and permitted click logs collected by the Proofpoint Essentials integration.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-6ac72b12-03d5-4253-a91d-c3078dffb2b0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "82cadcbb-5e2a-4a32-b1c4-cbdd0e434ef8", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "6ac72b12-03d5-4253-a91d-c3078dffb2b0": { + "columnOrder": 
[ + "53cdd6e1-faf7-493f-917d-995fda3a3984", + "c008f01c-2a34-4adb-84bd-7876a1d65444" + ], + "columns": { + "53cdd6e1-faf7-493f-917d-995fda3a3984": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Sender", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "c008f01c-2a34-4adb-84bd-7876a1d65444", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "email.from.address" + }, + "c008f01c-2a34-4adb-84bd-7876a1d65444": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "82cadcbb-5e2a-4a32-b1c4-cbdd0e434ef8", + "key": "data_stream.dataset", + "negate": false, + "params": [ + "proofpoint_essentials.clicks_blocked", + "proofpoint_essentials.clicks_permitted" + ], + "type": "phrases", + "value": [ + "proofpoint_essentials.clicks_blocked", + "proofpoint_essentials.clicks_permitted" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "data_stream.dataset": "proofpoint_essentials.clicks_blocked" + } + }, + { + "match_phrase": { + "data_stream.dataset": "proofpoint_essentials.clicks_permitted" + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + 
"query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "c008f01c-2a34-4adb-84bd-7876a1d65444", + "isMetric": true, + "isTransposed": false + }, + { + "columnId": "53cdd6e1-faf7-493f-917d-995fda3a3984", + "isMetric": false, + "isTransposed": false + } + ], + "layerId": "6ac72b12-03d5-4253-a91d-c3078dffb2b0", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": [ + "proofpoint_essentials.clicks_blocked", + "proofpoint_essentials.clicks_permitted" + ], + "type": "phrases", + "value": [ + "proofpoint_essentials.clicks_blocked", + "proofpoint_essentials.clicks_permitted" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "data_stream.dataset": "proofpoint_essentials.clicks_blocked" + } + }, + { + "match_phrase": { + "data_stream.dataset": "proofpoint_essentials.clicks_permitted" + } + } + ] + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": "4bad8a4e-3480-4066-9869-c94d11d832d9", + "w": 24, + "x": 0, + "y": 21 + }, + "panelIndex": "4bad8a4e-3480-4066-9869-c94d11d832d9", + "title": "Top Senders", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-995c3632-58bc-4271-be48-1a90f733986b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "9bf2ff43-c39c-47ba-b144-d73b0b7d847e", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + 
"995c3632-58bc-4271-be48-1a90f733986b": { + "columnOrder": [ + "c1b6ecbe-95a7-4123-84bc-ba1d3bdc00fd", + "0ab2c506-ef77-425f-87bc-3acac1d79ecb" + ], + "columns": { + "0ab2c506-ef77-425f-87bc-3acac1d79ecb": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "c1b6ecbe-95a7-4123-84bc-ba1d3bdc00fd": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Status", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "0ab2c506-ef77-425f-87bc-3acac1d79ecb", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 5 + }, + "scale": "ordinal", + "sourceField": "proofpoint_essentials.threat.threat_status" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "9bf2ff43-c39c-47ba-b144-d73b0b7d847e", + "key": "data_stream.dataset", + "negate": false, + "params": [ + "proofpoint_essentials.clicks_blocked", + "proofpoint_essentials.clicks_permitted" + ], + "type": "phrases", + "value": [ + "proofpoint_essentials.clicks_blocked", + "proofpoint_essentials.clicks_permitted" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "data_stream.dataset": "proofpoint_essentials.clicks_blocked" + } + }, + { + "match_phrase": { + "data_stream.dataset": 
"proofpoint_essentials.clicks_permitted" + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "995c3632-58bc-4271-be48-1a90f733986b", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "0ab2c506-ef77-425f-87bc-3acac1d79ecb" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "c1b6ecbe-95a7-4123-84bc-ba1d3bdc00fd" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": [ + "proofpoint_essentials.clicks_blocked", + "proofpoint_essentials.clicks_permitted" + ], + "type": "phrases", + "value": [ + "proofpoint_essentials.clicks_blocked", + "proofpoint_essentials.clicks_permitted" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "data_stream.dataset": "proofpoint_essentials.clicks_blocked" + } + }, + { + "match_phrase": { + "data_stream.dataset": "proofpoint_essentials.clicks_permitted" + } + } + ] + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": "cdf104f8-8f43-49dd-b20e-654df7cc8ea2", + "w": 24, + "x": 0, + "y": 36 + }, + "panelIndex": "cdf104f8-8f43-49dd-b20e-654df7cc8ea2", + 
"title": "Clicks by Threat Status", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "layout": "vertical", + "links": [ + { + "destinationRefName": "link_17b734ee-0e80-4363-9d58-1fe70fa2c4ab_dashboard", + "id": "17b734ee-0e80-4363-9d58-1fe70fa2c4ab", + "label": "Messages Overview", + "options": { + "openInNewTab": true, + "useCurrentDateRange": false, + "useCurrentFilters": false + }, + "order": 0, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_b921efb4-7a8a-43e4-a323-2e7a533a5854_dashboard", + "id": "b921efb4-7a8a-43e4-a323-2e7a533a5854", + "label": "Clicks Overview", + "options": { + "openInNewTab": false, + "useCurrentDateRange": false, + "useCurrentFilters": false + }, + "order": 1, + "type": "dashboardLink" + } + ] + }, + "enhancements": {} + }, + "gridData": { + "h": 5, + "i": "4a4d152e-74ac-4603-b03e-d6a75503b043", + "w": 12, + "x": 0, + "y": 0 + }, + "panelIndex": "4a4d152e-74ac-4603-b03e-d6a75503b043", + "title": "Navigation", + "type": "links" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-0cc5d185-5f85-4492-a28f-d5839dc114cf", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4a9d5d43-9c8b-41f1-b374-b838d781d000", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "31cc39bc-6335-4ee8-b526-52463bc909fb", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "0cc5d185-5f85-4492-a28f-d5839dc114cf": { + "columnOrder": [ + "7aa7f5a8-6a20-44e9-a51c-433b895367de" + ], + "columns": { + "7aa7f5a8-6a20-44e9-a51c-433b895367de": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Clicks Blocked", + "operationType": "count", + "params": { + "emptyAsNull": true, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + 
"ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "proofpoint_essentials.threat.event_type", + "index": "4a9d5d43-9c8b-41f1-b374-b838d781d000", + "key": "proofpoint_essentials.threat.event_type", + "negate": false, + "params": { + "query": "clicks_blocked" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "proofpoint_essentials.threat.event_type": "clicks_blocked" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "31cc39bc-6335-4ee8-b526-52463bc909fb", + "key": "data_stream.dataset", + "negate": false, + "params": [ + "proofpoint_essentials.clicks_blocked", + "proofpoint_essentials.clicks_permitted" + ], + "type": "phrases", + "value": [ + "proofpoint_essentials.clicks_blocked", + "proofpoint_essentials.clicks_permitted" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "data_stream.dataset": "proofpoint_essentials.clicks_blocked" + } + }, + { + "match_phrase": { + "data_stream.dataset": "proofpoint_essentials.clicks_permitted" + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#E7664C", + "layerId": "0cc5d185-5f85-4492-a28f-d5839dc114cf", + "layerType": "data", + "metricAccessor": "7aa7f5a8-6a20-44e9-a51c-433b895367de" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "proofpoint_essentials.threat.event_type", + "index": "logs-*", + "key": 
"proofpoint_essentials.threat.event_type", + "negate": false, + "params": { + "query": "clicks_blocked" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "proofpoint_essentials.threat.event_type": "clicks_blocked" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": [ + "proofpoint_essentials.clicks_blocked", + "proofpoint_essentials.clicks_permitted" + ], + "type": "phrases", + "value": [ + "proofpoint_essentials.clicks_blocked", + "proofpoint_essentials.clicks_permitted" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "data_stream.dataset": "proofpoint_essentials.clicks_blocked" + } + }, + { + "match_phrase": { + "data_stream.dataset": "proofpoint_essentials.clicks_permitted" + } + } + ] + } + } + } + ], + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 6, + "i": "1644bccd-187b-4fd9-922b-e13741fac9ae", + "w": 18, + "x": 12, + "y": 0 + }, + "panelIndex": "1644bccd-187b-4fd9-922b-e13741fac9ae", + "title": "Clicks Blocked", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-0cc5d185-5f85-4492-a28f-d5839dc114cf", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7e6426d3-490d-4490-b292-4d2f82593b0d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "394a607d-8a91-4564-bfa6-208da37dba03", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "0cc5d185-5f85-4492-a28f-d5839dc114cf": { + "columnOrder": [ + "7aa7f5a8-6a20-44e9-a51c-433b895367de" + ], + "columns": { + "7aa7f5a8-6a20-44e9-a51c-433b895367de": { + 
"customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Clicks Permitted", + "operationType": "count", + "params": { + "emptyAsNull": true, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "proofpoint_essentials.threat.event_type", + "index": "7e6426d3-490d-4490-b292-4d2f82593b0d", + "key": "proofpoint_essentials.threat.event_type", + "negate": false, + "params": { + "query": "clicks_permitted" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "proofpoint_essentials.threat.event_type": "clicks_permitted" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "394a607d-8a91-4564-bfa6-208da37dba03", + "key": "data_stream.dataset", + "negate": false, + "params": [ + "proofpoint_essentials.clicks_blocked", + "proofpoint_essentials.clicks_permitted" + ], + "type": "phrases", + "value": [ + "proofpoint_essentials.clicks_blocked", + "proofpoint_essentials.clicks_permitted" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "data_stream.dataset": "proofpoint_essentials.clicks_blocked" + } + }, + { + "match_phrase": { + "data_stream.dataset": "proofpoint_essentials.clicks_permitted" + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#54B399", + "layerId": "0cc5d185-5f85-4492-a28f-d5839dc114cf", + "layerType": "data", + "metricAccessor": "7aa7f5a8-6a20-44e9-a51c-433b895367de" + } + }, + "title": "", + "type": "lens", + 
"visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "proofpoint_essentials.threat.event_type", + "index": "logs-*", + "key": "proofpoint_essentials.threat.event_type", + "negate": false, + "params": { + "query": "clicks_permitted" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "proofpoint_essentials.threat.event_type": "clicks_permitted" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": [ + "proofpoint_essentials.clicks_blocked", + "proofpoint_essentials.clicks_permitted" + ], + "type": "phrases", + "value": [ + "proofpoint_essentials.clicks_blocked", + "proofpoint_essentials.clicks_permitted" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "data_stream.dataset": "proofpoint_essentials.clicks_blocked" + } + }, + { + "match_phrase": { + "data_stream.dataset": "proofpoint_essentials.clicks_permitted" + } + } + ] + } + } + } + ], + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 6, + "i": "9bd019f3-4ded-4231-b890-070bdcec1c74", + "w": 18, + "x": 30, + "y": 0 + }, + "panelIndex": "9bd019f3-4ded-4231-b890-070bdcec1c74", + "title": "Clicks Permitted", + "type": "lens" + }, + { + "embeddableConfig": { + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "This dashboard provides an overview of the blocked 
and permitted click logs collected by the Proofpoint Essentials integration.\n\nThe dashboard highlights trends in blocked versus permitted clicks over time and displays counts of both blocked and permitted clicks. It also features table charts that show the top senders and recipients of emails, as well as pie charts to break down by threat status and classification.\n\nSelect a suitable time range to avoid seeing partial results.\n\n[**Integration Page**](/app/integrations/detail/proofpoint_essentials/overview)", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 16, + "i": "dd555b76-6e39-48ba-b7f6-055c9468729e", + "w": 12, + "x": 0, + "y": 5 + }, + "panelIndex": "dd555b76-6e39-48ba-b7f6-055c9468729e", + "title": "Overview", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-6ac72b12-03d5-4253-a91d-c3078dffb2b0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d2d24a48-2e3b-40c0-b9b7-95f66a9ea516", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "6ac72b12-03d5-4253-a91d-c3078dffb2b0": { + "columnOrder": [ + "53cdd6e1-faf7-493f-917d-995fda3a3984", + "c008f01c-2a34-4adb-84bd-7876a1d65444" + ], + "columns": { + "53cdd6e1-faf7-493f-917d-995fda3a3984": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Recipient", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "c008f01c-2a34-4adb-84bd-7876a1d65444", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "email.to.address" + }, + 
"c008f01c-2a34-4adb-84bd-7876a1d65444": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "d2d24a48-2e3b-40c0-b9b7-95f66a9ea516", + "key": "data_stream.dataset", + "negate": false, + "params": [ + "proofpoint_essentials.clicks_blocked", + "proofpoint_essentials.clicks_permitted" + ], + "type": "phrases", + "value": [ + "proofpoint_essentials.clicks_blocked", + "proofpoint_essentials.clicks_permitted" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "data_stream.dataset": "proofpoint_essentials.clicks_blocked" + } + }, + { + "match_phrase": { + "data_stream.dataset": "proofpoint_essentials.clicks_permitted" + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "c008f01c-2a34-4adb-84bd-7876a1d65444", + "isMetric": true, + "isTransposed": false + }, + { + "columnId": "53cdd6e1-faf7-493f-917d-995fda3a3984", + "isMetric": false, + "isTransposed": false + } + ], + "layerId": "6ac72b12-03d5-4253-a91d-c3078dffb2b0", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + 
"key": "data_stream.dataset", + "negate": false, + "params": [ + "proofpoint_essentials.clicks_blocked", + "proofpoint_essentials.clicks_permitted" + ], + "type": "phrases", + "value": [ + "proofpoint_essentials.clicks_blocked", + "proofpoint_essentials.clicks_permitted" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "data_stream.dataset": "proofpoint_essentials.clicks_blocked" + } + }, + { + "match_phrase": { + "data_stream.dataset": "proofpoint_essentials.clicks_permitted" + } + } + ] + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": "0d3c23f6-7310-4693-b604-57b13727732c", + "w": 24, + "x": 24, + "y": 21 + }, + "panelIndex": "0d3c23f6-7310-4693-b604-57b13727732c", + "title": "Top Recipients", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-2ce45db9-30e8-4bcd-9fa2-236e89357654", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ac968a04-359f-465c-84b9-0f08c209aa1f", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "2ce45db9-30e8-4bcd-9fa2-236e89357654": { + "columnOrder": [ + "7705635a-97c5-497e-99e3-b62f345ff4cb", + "9be00844-e0eb-4694-a1c7-2593717f0efc", + "89ce81cb-aac3-408b-ba98-87b1cc7cd07f" + ], + "columns": { + "7705635a-97c5-497e-99e3-b62f345ff4cb": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "Click Time", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "proofpoint_essentials.threat.click_time" + }, + "89ce81cb-aac3-408b-ba98-87b1cc7cd07f": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + 
"query": "proofpoint_essentials.threat.event_type : \"clicks_permitted\" " + }, + "isBucketed": false, + "label": "Permitted", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "9be00844-e0eb-4694-a1c7-2593717f0efc": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "proofpoint_essentials.threat.event_type : \"clicks_blocked\" " + }, + "isBucketed": false, + "label": "Blocked", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "ac968a04-359f-465c-84b9-0f08c209aa1f", + "key": "data_stream.dataset", + "negate": false, + "params": [ + "proofpoint_essentials.clicks_blocked", + "proofpoint_essentials.clicks_permitted" + ], + "type": "phrases", + "value": [ + "proofpoint_essentials.clicks_blocked", + "proofpoint_essentials.clicks_permitted" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "data_stream.dataset": "proofpoint_essentials.clicks_blocked" + } + }, + { + "match_phrase": { + "data_stream.dataset": "proofpoint_essentials.clicks_permitted" + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "layers": [ + { + "accessors": [ + "9be00844-e0eb-4694-a1c7-2593717f0efc", + 
"89ce81cb-aac3-408b-ba98-87b1cc7cd07f" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "2ce45db9-30e8-4bcd-9fa2-236e89357654", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "7705635a-97c5-497e-99e3-b62f345ff4cb", + "yConfig": [ + { + "color": "#e7664c", + "forAccessor": "9be00844-e0eb-4694-a1c7-2593717f0efc" + }, + { + "color": "#54b399", + "forAccessor": "89ce81cb-aac3-408b-ba98-87b1cc7cd07f" + } + ] + } + ], + "legend": { + "isInside": true, + "isVisible": true, + "position": "right", + "shouldTruncate": false, + "showSingleSeries": true + }, + "preferredSeriesType": "line", + "title": "Empty XY chart", + "valueLabels": "hide", + "yTitle": "Clicks" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": [ + "proofpoint_essentials.clicks_blocked", + "proofpoint_essentials.clicks_permitted" + ], + "type": "phrases", + "value": [ + "proofpoint_essentials.clicks_blocked", + "proofpoint_essentials.clicks_permitted" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "data_stream.dataset": "proofpoint_essentials.clicks_blocked" + } + }, + { + "match_phrase": { + "data_stream.dataset": "proofpoint_essentials.clicks_permitted" + } + } + ] + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": 
"a58a9bd4-0f3d-47f0-ae43-5a03a5443c67", + "w": 36, + "x": 12, + "y": 6 + }, + "panelIndex": "a58a9bd4-0f3d-47f0-ae43-5a03a5443c67", + "title": "Clicks Blocked vs Permitted Over Time", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-995c3632-58bc-4271-be48-1a90f733986b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ac1b3087-b9fe-440a-9b6e-8223941ec72a", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "995c3632-58bc-4271-be48-1a90f733986b": { + "columnOrder": [ + "c1b6ecbe-95a7-4123-84bc-ba1d3bdc00fd", + "0ab2c506-ef77-425f-87bc-3acac1d79ecb" + ], + "columns": { + "0ab2c506-ef77-425f-87bc-3acac1d79ecb": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "c1b6ecbe-95a7-4123-84bc-ba1d3bdc00fd": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Classification", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "0ab2c506-ef77-425f-87bc-3acac1d79ecb", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "proofpoint_essentials.threat.classification" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": 
"data_stream.dataset", + "index": "ac1b3087-b9fe-440a-9b6e-8223941ec72a", + "key": "data_stream.dataset", + "negate": false, + "params": [ + "proofpoint_essentials.clicks_blocked", + "proofpoint_essentials.clicks_permitted" + ], + "type": "phrases", + "value": [ + "proofpoint_essentials.clicks_blocked", + "proofpoint_essentials.clicks_permitted" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "data_stream.dataset": "proofpoint_essentials.clicks_blocked" + } + }, + { + "match_phrase": { + "data_stream.dataset": "proofpoint_essentials.clicks_permitted" + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "995c3632-58bc-4271-be48-1a90f733986b", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "0ab2c506-ef77-425f-87bc-3acac1d79ecb" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "c1b6ecbe-95a7-4123-84bc-ba1d3bdc00fd" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": [ + "proofpoint_essentials.clicks_blocked", + "proofpoint_essentials.clicks_permitted" + ], + "type": "phrases", + "value": [ + "proofpoint_essentials.clicks_blocked", + "proofpoint_essentials.clicks_permitted" + ] + }, + "query": 
{ + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "data_stream.dataset": "proofpoint_essentials.clicks_blocked" + } + }, + { + "match_phrase": { + "data_stream.dataset": "proofpoint_essentials.clicks_permitted" + } + } + ] + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": "448b272d-cbd7-455c-a161-ad219a7015d3", + "w": 24, + "x": 24, + "y": 36 + }, + "panelIndex": "448b272d-cbd7-455c-a161-ad219a7015d3", + "title": "Clicks by Threat Classification", + "type": "lens" + }, + { + "embeddableConfig": { + "description": "", + "enhancements": { + "dynamicActions": { + "events": [] + } + } + }, + "gridData": { + "h": 14, + "i": "7df3b41d-47ea-4cc5-bdd5-bd943f6816b6", + "w": 48, + "x": 0, + "y": 51 + }, + "panelIndex": "7df3b41d-47ea-4cc5-bdd5-bd943f6816b6", + "panelRefName": "panel_7df3b41d-47ea-4cc5-bdd5-bd943f6816b6", + "title": "[Logs Proofpoint Essentials] Click Events", + "type": "search" + } + ], + "timeRestore": false, + "title": "[Logs Proofpoint Essentials] Clicks Overview", + "version": 3 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2025-11-25T06:17:56.503Z", + "id": "proofpoint_essentials-6ce9c1fd-381f-4757-9747-b8fdabdde163", + "references": [ + { + "id": "proofpoint_essentials-2d587f18-b917-41d1-9ea8-cb0b113b795a", + "name": "7df3b41d-47ea-4cc5-bdd5-bd943f6816b6:panel_7df3b41d-47ea-4cc5-bdd5-bd943f6816b6", + "type": "search" + }, + { + "id": "logs-*", + "name": "4bad8a4e-3480-4066-9869-c94d11d832d9:indexpattern-datasource-layer-6ac72b12-03d5-4253-a91d-c3078dffb2b0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4bad8a4e-3480-4066-9869-c94d11d832d9:82cadcbb-5e2a-4a32-b1c4-cbdd0e434ef8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "cdf104f8-8f43-49dd-b20e-654df7cc8ea2:indexpattern-datasource-layer-995c3632-58bc-4271-be48-1a90f733986b", + "type": 
"index-pattern" + }, + { + "id": "logs-*", + "name": "cdf104f8-8f43-49dd-b20e-654df7cc8ea2:9bf2ff43-c39c-47ba-b144-d73b0b7d847e", + "type": "index-pattern" + }, + { + "id": "proofpoint_essentials-d44fa085-b1b7-4f05-9a6c-9777dbe737e2", + "name": "4a4d152e-74ac-4603-b03e-d6a75503b043:link_17b734ee-0e80-4363-9d58-1fe70fa2c4ab_dashboard", + "type": "dashboard" + }, + { + "id": "proofpoint_essentials-6ce9c1fd-381f-4757-9747-b8fdabdde163", + "name": "4a4d152e-74ac-4603-b03e-d6a75503b043:link_b921efb4-7a8a-43e4-a323-2e7a533a5854_dashboard", + "type": "dashboard" + }, + { + "id": "logs-*", + "name": "1644bccd-187b-4fd9-922b-e13741fac9ae:indexpattern-datasource-layer-0cc5d185-5f85-4492-a28f-d5839dc114cf", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "1644bccd-187b-4fd9-922b-e13741fac9ae:4a9d5d43-9c8b-41f1-b374-b838d781d000", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "1644bccd-187b-4fd9-922b-e13741fac9ae:31cc39bc-6335-4ee8-b526-52463bc909fb", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "9bd019f3-4ded-4231-b890-070bdcec1c74:indexpattern-datasource-layer-0cc5d185-5f85-4492-a28f-d5839dc114cf", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "9bd019f3-4ded-4231-b890-070bdcec1c74:7e6426d3-490d-4490-b292-4d2f82593b0d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "9bd019f3-4ded-4231-b890-070bdcec1c74:394a607d-8a91-4564-bfa6-208da37dba03", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "0d3c23f6-7310-4693-b604-57b13727732c:indexpattern-datasource-layer-6ac72b12-03d5-4253-a91d-c3078dffb2b0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "0d3c23f6-7310-4693-b604-57b13727732c:d2d24a48-2e3b-40c0-b9b7-95f66a9ea516", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a58a9bd4-0f3d-47f0-ae43-5a03a5443c67:indexpattern-datasource-layer-2ce45db9-30e8-4bcd-9fa2-236e89357654", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"a58a9bd4-0f3d-47f0-ae43-5a03a5443c67:ac968a04-359f-465c-84b9-0f08c209aa1f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "448b272d-cbd7-455c-a161-ad219a7015d3:indexpattern-datasource-layer-995c3632-58bc-4271-be48-1a90f733986b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "448b272d-cbd7-455c-a161-ad219a7015d3:ac1b3087-b9fe-440a-9b6e-8223941ec72a", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_ff9ace27-6fe3-43ca-9870-dea294280218:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_cd1d8d4e-d7c9-4312-affc-66c86040627a:optionsListDataView", + "type": "index-pattern" + } + ], + "type": "dashboard", + "typeMigrationVersion": "10.2.0" +} \ No newline at end of file diff --git a/packages/proofpoint_essentials/kibana/dashboard/proofpoint_essentials-d44fa085-b1b7-4f05-9a6c-9777dbe737e2.json b/packages/proofpoint_essentials/kibana/dashboard/proofpoint_essentials-d44fa085-b1b7-4f05-9a6c-9777dbe737e2.json new file mode 100644 index 00000000000..bb5ede487f9 --- /dev/null +++ b/packages/proofpoint_essentials/kibana/dashboard/proofpoint_essentials-d44fa085-b1b7-4f05-9a6c-9777dbe737e2.json 
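Review bot: the `yConfig` of the "Clicks Blocked vs Permitted Over Time" panel gives the Permitted series (`89ce81cb-…`, KQL filter `event_type : "clicks_permitted"`) the green `#54b399` and the Blocked series (`9be00844-…`) the red `#e7664c`; for an analyst the permitted clicks on malicious URLs are the ones that need follow-up, so the risky series is the one that should stand out. Consider swapping the two colours, e.g. `"color": "#e7664c", "forAccessor": "89ce81cb-aac3-408b-ba98-87b1cc7cd07f"`. Minor: the same visualization still carries the Lens default `"title": "Empty XY chart"`; it is not rendered because the panel title is set, but clearing it keeps the saved object tidy.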
@@ -0,0 +1,2340 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": { + "ignoreFilters": false, + "ignoreQuery": false, + "ignoreTimerange": false, + "ignoreValidations": false + }, + "panelsJSON": { + "628b95c3-c032-4970-bbbd-a7ae0057ce9c": { + "explicitInput": { + "dataViewId": "logs-*", + "exclude": null, + "existsSelected": null, + "fieldName": "proofpoint_essentials.threat.parent_name", + "hideActionBar": null, + "hideExclude": null, + "hideExists": null, + "hideSort": null, + "placeholder": null, + "runPastTimeout": null, + "searchTechnique": "prefix", + "selectedOptions": [], + "singleSelect": null, + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Parent Name" + }, + "grow": true, + "order": 2, + "type": "optionsListControl", + "width": "medium" + }, + "6fb01dd2-3b4b-4c2a-948a-9de41c957497": { + "explicitInput": { + "dataViewId": "logs-*", + "exclude": null, + "existsSelected": null, + "fieldName": "proofpoint_essentials.threat.customer_name", + "hideActionBar": null, + "hideExclude": null, + "hideExists": null, + "hideSort": null, + "placeholder": null, + "runPastTimeout": null, + "searchTechnique": "prefix", + "selectedOptions": [], + "singleSelect": null, + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Customer Name" + }, + "grow": true, + "order": 1, + "type": "optionsListControl", + "width": "medium" + }, + "9478cc44-4d8e-4188-aa37-742d32df93e2": { + "explicitInput": { + "dataViewId": "logs-*", + "exclude": null, + "existsSelected": null, + "fieldName": "proofpoint_essentials.threat.stack_name", + "hideActionBar": null, + "hideExclude": null, + "hideExists": null, + "hideSort": null, + "placeholder": null, + "runPastTimeout": null, + "searchTechnique": "prefix", + "selectedOptions": [], + "singleSelect": null, + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Stack" + }, + "grow": true, + "order": 0, + 
"type": "optionsListControl", + "width": "medium" + } + }, + "showApplySelections": false + }, + "description": "This dashboard provides an overview of the blocked and delivered message logs collected by the Proofpoint Essentials integration.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-4f947b5b-a131-440d-844f-849fe1fcebc3", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d8e1c8ae-9026-47cb-92be-6f49da9f372f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "75473b5a-be24-4f66-8ce0-a3fc5f5b79b3", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "4f947b5b-a131-440d-844f-849fe1fcebc3": { + "columnOrder": [ + "0cb0d9fb-49a6-4728-91c8-6338d3fc1b14", + "318d80c6-9f6a-4aa0-b469-bac2baaadefc" + ], + "columns": { + "0cb0d9fb-49a6-4728-91c8-6338d3fc1b14": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Type", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "318d80c6-9f6a-4aa0-b469-bac2baaadefc", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "proofpoint_essentials.threat.threats_info_map.threat_type" + }, + "318d80c6-9f6a-4aa0-b469-bac2baaadefc": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + 
"format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "proofpoint_essentials.threat.event_type", + "index": "d8e1c8ae-9026-47cb-92be-6f49da9f372f", + "key": "proofpoint_essentials.threat.event_type", + "negate": false, + "params": { + "query": "messages_blocked" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "proofpoint_essentials.threat.event_type": "messages_blocked" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "75473b5a-be24-4f66-8ce0-a3fc5f5b79b3", + "key": "data_stream.dataset", + "negate": false, + "params": [ + "proofpoint_essentials.message_blocked", + "proofpoint_essentials.message_delivered" + ], + "type": "phrases", + "value": [ + "proofpoint_essentials.message_blocked", + "proofpoint_essentials.message_delivered" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "data_stream.dataset": "proofpoint_essentials.message_blocked" + } + }, + { + "match_phrase": { + "data_stream.dataset": "proofpoint_essentials.message_delivered" + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "4f947b5b-a131-440d-844f-849fe1fcebc3", + 
"layerType": "data", + "legendDisplay": "show", + "metrics": [ + "318d80c6-9f6a-4aa0-b469-bac2baaadefc" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "0cb0d9fb-49a6-4728-91c8-6338d3fc1b14" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "proofpoint_essentials.threat.event_type", + "index": "logs-*", + "key": "proofpoint_essentials.threat.event_type", + "negate": false, + "params": { + "query": "messages_blocked" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "proofpoint_essentials.threat.event_type": "messages_blocked" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": [ + "proofpoint_essentials.message_blocked", + "proofpoint_essentials.message_delivered" + ], + "type": "phrases", + "value": [ + "proofpoint_essentials.message_blocked", + "proofpoint_essentials.message_delivered" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "data_stream.dataset": "proofpoint_essentials.message_blocked" + } + }, + { + "match_phrase": { + "data_stream.dataset": "proofpoint_essentials.message_delivered" + } + } + ] + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": "bbd04cf0-3c1f-46cd-8230-8bd6629ad977", + "w": 24, + "x": 24, + "y": 24 + }, + "panelIndex": "bbd04cf0-3c1f-46cd-8230-8bd6629ad977", + "title": "Threat Types in Blocked Messages", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": 
{ + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-4f947b5b-a131-440d-844f-849fe1fcebc3", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "93f21b9d-6122-4e3e-a0f5-84c2038174a5", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "561d7aef-c680-4873-bc09-e0d3775ac0b4", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "4f947b5b-a131-440d-844f-849fe1fcebc3": { + "columnOrder": [ + "0cb0d9fb-49a6-4728-91c8-6338d3fc1b14", + "318d80c6-9f6a-4aa0-b469-bac2baaadefc" + ], + "columns": { + "0cb0d9fb-49a6-4728-91c8-6338d3fc1b14": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Classification", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "318d80c6-9f6a-4aa0-b469-bac2baaadefc", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 5 + }, + "scale": "ordinal", + "sourceField": "proofpoint_essentials.threat.threats_info_map.classification" + }, + "318d80c6-9f6a-4aa0-b469-bac2baaadefc": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "proofpoint_essentials.threat.event_type", + "index": "93f21b9d-6122-4e3e-a0f5-84c2038174a5", + "key": 
"proofpoint_essentials.threat.event_type", + "negate": false, + "params": { + "query": "messages_blocked" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "proofpoint_essentials.threat.event_type": "messages_blocked" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "561d7aef-c680-4873-bc09-e0d3775ac0b4", + "key": "data_stream.dataset", + "negate": false, + "params": [ + "proofpoint_essentials.message_blocked", + "proofpoint_essentials.message_delivered" + ], + "type": "phrases", + "value": [ + "proofpoint_essentials.message_blocked", + "proofpoint_essentials.message_delivered" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "data_stream.dataset": "proofpoint_essentials.message_blocked" + } + }, + { + "match_phrase": { + "data_stream.dataset": "proofpoint_essentials.message_delivered" + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "4f947b5b-a131-440d-844f-849fe1fcebc3", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "318d80c6-9f6a-4aa0-b469-bac2baaadefc" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "0cb0d9fb-49a6-4728-91c8-6338d3fc1b14" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + 
"disabled": false, + "field": "proofpoint_essentials.threat.event_type", + "index": "logs-*", + "key": "proofpoint_essentials.threat.event_type", + "negate": false, + "params": { + "query": "messages_blocked" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "proofpoint_essentials.threat.event_type": "messages_blocked" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": [ + "proofpoint_essentials.message_blocked", + "proofpoint_essentials.message_delivered" + ], + "type": "phrases", + "value": [ + "proofpoint_essentials.message_blocked", + "proofpoint_essentials.message_delivered" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "data_stream.dataset": "proofpoint_essentials.message_blocked" + } + }, + { + "match_phrase": { + "data_stream.dataset": "proofpoint_essentials.message_delivered" + } + } + ] + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": "a2abb281-44e6-4583-9ebb-a08d5a5efe5b", + "w": 24, + "x": 0, + "y": 24 + }, + "panelIndex": "a2abb281-44e6-4583-9ebb-a08d5a5efe5b", + "title": "Threat Classification in Blocked Messages", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-e02a5a2c-eae9-4153-b4f4-8820027c639c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a705b612-f822-47fa-a96b-0fa6d176ebc3", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "e02a5a2c-eae9-4153-b4f4-8820027c639c": { + "columnOrder": [ + "58f2bce6-59c6-4bd3-84f9-5fbd1652a05e", + "84ab7067-6e2f-4cd8-aad0-6216d363ccc1" + ], + 
"columns": { + "58f2bce6-59c6-4bd3-84f9-5fbd1652a05e": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Recipient", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "84ab7067-6e2f-4cd8-aad0-6216d363ccc1", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "email.to.address" + }, + "84ab7067-6e2f-4cd8-aad0-6216d363ccc1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "a705b612-f822-47fa-a96b-0fa6d176ebc3", + "key": "data_stream.dataset", + "negate": false, + "params": [ + "proofpoint_essentials.message_blocked", + "proofpoint_essentials.message_delivered" + ], + "type": "phrases", + "value": [ + "proofpoint_essentials.message_blocked", + "proofpoint_essentials.message_delivered" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "data_stream.dataset": "proofpoint_essentials.message_blocked" + } + }, + { + "match_phrase": { + "data_stream.dataset": "proofpoint_essentials.message_delivered" + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": 
"84ab7067-6e2f-4cd8-aad0-6216d363ccc1", + "isMetric": true, + "isTransposed": false + }, + { + "columnId": "58f2bce6-59c6-4bd3-84f9-5fbd1652a05e", + "isMetric": false, + "isTransposed": false + } + ], + "layerId": "e02a5a2c-eae9-4153-b4f4-8820027c639c", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": [ + "proofpoint_essentials.message_blocked", + "proofpoint_essentials.message_delivered" + ], + "type": "phrases", + "value": [ + "proofpoint_essentials.message_blocked", + "proofpoint_essentials.message_delivered" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "data_stream.dataset": "proofpoint_essentials.message_blocked" + } + }, + { + "match_phrase": { + "data_stream.dataset": "proofpoint_essentials.message_delivered" + } + } + ] + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": "bf8cb51d-f505-4b42-8b9e-9c2e9f0cee8f", + "w": 24, + "x": 24, + "y": 39 + }, + "panelIndex": "bf8cb51d-f505-4b42-8b9e-9c2e9f0cee8f", + "title": "Top Recipients", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-e02a5a2c-eae9-4153-b4f4-8820027c639c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "99ade1d3-0315-41d2-9cec-901542197136", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "e02a5a2c-eae9-4153-b4f4-8820027c639c": { + "columnOrder": [ + 
"58f2bce6-59c6-4bd3-84f9-5fbd1652a05e", + "84ab7067-6e2f-4cd8-aad0-6216d363ccc1" + ], + "columns": { + "58f2bce6-59c6-4bd3-84f9-5fbd1652a05e": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Sender", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "84ab7067-6e2f-4cd8-aad0-6216d363ccc1", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "email.from.address" + }, + "84ab7067-6e2f-4cd8-aad0-6216d363ccc1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "99ade1d3-0315-41d2-9cec-901542197136", + "key": "data_stream.dataset", + "negate": false, + "params": [ + "proofpoint_essentials.message_blocked", + "proofpoint_essentials.message_delivered" + ], + "type": "phrases", + "value": [ + "proofpoint_essentials.message_blocked", + "proofpoint_essentials.message_delivered" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "data_stream.dataset": "proofpoint_essentials.message_blocked" + } + }, + { + "match_phrase": { + "data_stream.dataset": "proofpoint_essentials.message_delivered" + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { 
+ "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "84ab7067-6e2f-4cd8-aad0-6216d363ccc1", + "isMetric": true, + "isTransposed": false + }, + { + "columnId": "58f2bce6-59c6-4bd3-84f9-5fbd1652a05e", + "isMetric": false, + "isTransposed": false + } + ], + "layerId": "e02a5a2c-eae9-4153-b4f4-8820027c639c", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": [ + "proofpoint_essentials.message_blocked", + "proofpoint_essentials.message_delivered" + ], + "type": "phrases", + "value": [ + "proofpoint_essentials.message_blocked", + "proofpoint_essentials.message_delivered" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "data_stream.dataset": "proofpoint_essentials.message_blocked" + } + }, + { + "match_phrase": { + "data_stream.dataset": "proofpoint_essentials.message_delivered" + } + } + ] + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": "4ba03966-e3a8-4120-9fe8-845bd7c72217", + "w": 24, + "x": 0, + "y": 39 + }, + "panelIndex": "4ba03966-e3a8-4120-9fe8-845bd7c72217", + "title": "Top Senders", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-927f0b71-a454-4c64-952e-1f63aa4aace9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "28a27a9d-7439-4e1c-a5b1-d77e08f8f528", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "952934f3-8743-402a-a9a8-818ea08d7a5e", + "type": 
"index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "927f0b71-a454-4c64-952e-1f63aa4aace9": { + "columnOrder": [ + "43224451-7cc2-4f19-aa5f-925df6915de1" + ], + "columns": { + "43224451-7cc2-4f19-aa5f-925df6915de1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Messages Delivered", + "operationType": "count", + "params": { + "emptyAsNull": true, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "proofpoint_essentials.threat.event_type", + "index": "28a27a9d-7439-4e1c-a5b1-d77e08f8f528", + "key": "proofpoint_essentials.threat.event_type", + "negate": false, + "params": { + "query": "messages_delivered" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "proofpoint_essentials.threat.event_type": "messages_delivered" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "952934f3-8743-402a-a9a8-818ea08d7a5e", + "key": "data_stream.dataset", + "negate": false, + "params": [ + "proofpoint_essentials.message_blocked", + "proofpoint_essentials.message_delivered" + ], + "type": "phrases", + "value": [ + "proofpoint_essentials.message_blocked", + "proofpoint_essentials.message_delivered" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "data_stream.dataset": "proofpoint_essentials.message_blocked" + } + }, + { + "match_phrase": { + "data_stream.dataset": "proofpoint_essentials.message_delivered" + } + } + ] + } + } + } + ], + 
"internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#54B399", + "layerId": "927f0b71-a454-4c64-952e-1f63aa4aace9", + "layerType": "data", + "metricAccessor": "43224451-7cc2-4f19-aa5f-925df6915de1" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "proofpoint_essentials.threat.event_type", + "index": "logs-*", + "key": "proofpoint_essentials.threat.event_type", + "negate": false, + "params": { + "query": "messages_delivered" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "proofpoint_essentials.threat.event_type": "messages_delivered" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": [ + "proofpoint_essentials.message_blocked", + "proofpoint_essentials.message_delivered" + ], + "type": "phrases", + "value": [ + "proofpoint_essentials.message_blocked", + "proofpoint_essentials.message_delivered" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "data_stream.dataset": "proofpoint_essentials.message_blocked" + } + }, + { + "match_phrase": { + "data_stream.dataset": "proofpoint_essentials.message_delivered" + } + } + ] + } + } + } + ], + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 6, + "i": "ecb02f31-248e-4db0-8917-afbcdff308a9", + "w": 18, + "x": 30, + "y": 0 + }, + "panelIndex": "ecb02f31-248e-4db0-8917-afbcdff308a9", + "title": "Messages Delivered", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + 
"references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-927f0b71-a454-4c64-952e-1f63aa4aace9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8973a4ca-369f-4f2e-99a6-8b279afcba56", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3631473b-1be2-4126-9978-1468e8422b49", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "927f0b71-a454-4c64-952e-1f63aa4aace9": { + "columnOrder": [ + "43224451-7cc2-4f19-aa5f-925df6915de1" + ], + "columns": { + "43224451-7cc2-4f19-aa5f-925df6915de1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Messages Blocked", + "operationType": "count", + "params": { + "emptyAsNull": true, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "proofpoint_essentials.threat.event_type", + "index": "8973a4ca-369f-4f2e-99a6-8b279afcba56", + "key": "proofpoint_essentials.threat.event_type", + "negate": false, + "params": { + "query": "messages_blocked" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "proofpoint_essentials.threat.event_type": "messages_blocked" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "3631473b-1be2-4126-9978-1468e8422b49", + "key": "data_stream.dataset", + "negate": false, + "params": [ + "proofpoint_essentials.message_blocked", + "proofpoint_essentials.message_delivered" + ], + "type": "phrases", + "value": [ + "proofpoint_essentials.message_blocked", + 
"proofpoint_essentials.message_delivered" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "data_stream.dataset": "proofpoint_essentials.message_blocked" + } + }, + { + "match_phrase": { + "data_stream.dataset": "proofpoint_essentials.message_delivered" + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#E7664C", + "layerId": "927f0b71-a454-4c64-952e-1f63aa4aace9", + "layerType": "data", + "metricAccessor": "43224451-7cc2-4f19-aa5f-925df6915de1" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "proofpoint_essentials.threat.event_type", + "index": "logs-*", + "key": "proofpoint_essentials.threat.event_type", + "negate": false, + "params": { + "query": "messages_blocked" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "proofpoint_essentials.threat.event_type": "messages_blocked" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": [ + "proofpoint_essentials.message_blocked", + "proofpoint_essentials.message_delivered" + ], + "type": "phrases", + "value": [ + "proofpoint_essentials.message_blocked", + "proofpoint_essentials.message_delivered" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "data_stream.dataset": "proofpoint_essentials.message_blocked" + } + }, + { + "match_phrase": { + "data_stream.dataset": "proofpoint_essentials.message_delivered" + } + } + ] + } + } + } + ], + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "" + }, + 
"syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 6, + "i": "a1b85fe2-1fba-4c10-8bf2-253bb7397609", + "w": 18, + "x": 12, + "y": 0 + }, + "panelIndex": "a1b85fe2-1fba-4c10-8bf2-253bb7397609", + "title": "Messages Blocked", + "type": "lens" + }, + { + "embeddableConfig": { + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "This dashboard provides an overview of the blocked and delivered message logs collected by the Proofpoint Essentials integration.\n\nThe dashboard highlights trends in blocked versus delivered messages over time and displays counts of both blocked and delivered messages. It also features table charts that show the top senders and recipients of emails, as well as pie charts to break down blocked messages by threat type and classification. 
Additionally, it includes a bar chart showing the message breakdown by quarantine rule names.\n\nSelect a suitable time range to avoid seeing partial results.\n\n[**Integration Page**](/app/integrations/detail/proofpoint_essentials/overview)", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 19, + "i": "7c124575-e91a-4dd8-9b1b-35578bf620f8", + "w": 12, + "x": 0, + "y": 5 + }, + "panelIndex": "7c124575-e91a-4dd8-9b1b-35578bf620f8", + "title": "Overview", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-0a60393d-0f03-494b-ae47-e9646ed721f3", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "26c3a9cb-655b-4fee-ba8d-3cede7087f95", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "0a60393d-0f03-494b-ae47-e9646ed721f3": { + "columnOrder": [ + "deadab9d-c832-4b99-a263-e6b589ee4623", + "79811cc2-bd31-4931-9d7f-657ad8a922ab", + "f906e592-6221-4710-ab13-e6df5fcc3331" + ], + "columns": { + "79811cc2-bd31-4931-9d7f-657ad8a922ab": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "proofpoint_essentials.threat.event_type : \"messages_delivered\" " + }, + "isBucketed": false, + "label": "Delivered", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "deadab9d-c832-4b99-a263-e6b589ee4623": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "Message Time", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "proofpoint_essentials.threat.message_time" + }, + 
"f906e592-6221-4710-ab13-e6df5fcc3331": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "proofpoint_essentials.threat.event_type : \"messages_blocked\" " + }, + "isBucketed": false, + "label": "Blocked", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "26c3a9cb-655b-4fee-ba8d-3cede7087f95", + "key": "data_stream.dataset", + "negate": false, + "params": [ + "proofpoint_essentials.message_blocked", + "proofpoint_essentials.message_delivered" + ], + "type": "phrases", + "value": [ + "proofpoint_essentials.message_blocked", + "proofpoint_essentials.message_delivered" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "data_stream.dataset": "proofpoint_essentials.message_blocked" + } + }, + { + "match_phrase": { + "data_stream.dataset": "proofpoint_essentials.message_delivered" + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "layers": [ + { + "accessors": [ + "79811cc2-bd31-4931-9d7f-657ad8a922ab", + "f906e592-6221-4710-ab13-e6df5fcc3331" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": 
"0a60393d-0f03-494b-ae47-e9646ed721f3", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "deadab9d-c832-4b99-a263-e6b589ee4623", + "yConfig": [ + { + "color": "#e7664c", + "forAccessor": "f906e592-6221-4710-ab13-e6df5fcc3331" + } + ] + } + ], + "legend": { + "isInside": true, + "isVisible": true, + "position": "right", + "shouldTruncate": false, + "showSingleSeries": true + }, + "preferredSeriesType": "line", + "title": "Empty XY chart", + "valueLabels": "hide", + "yTitle": "Messages" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": [ + "proofpoint_essentials.message_blocked", + "proofpoint_essentials.message_delivered" + ], + "type": "phrases", + "value": [ + "proofpoint_essentials.message_blocked", + "proofpoint_essentials.message_delivered" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "data_stream.dataset": "proofpoint_essentials.message_blocked" + } + }, + { + "match_phrase": { + "data_stream.dataset": "proofpoint_essentials.message_delivered" + } + } + ] + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 18, + "i": "87e21d70-6286-4c53-95d3-64280903c9ab", + "w": 35, + "x": 12, + "y": 6 + }, + "panelIndex": "87e21d70-6286-4c53-95d3-64280903c9ab", + "title": "Messages Blocked vs Delivered Over Time", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-40f0efb5-4db2-40a3-9610-01694e5499f2", + "type": "index-pattern" + }, 
+ { + "id": "logs-*", + "name": "2924b924-9e94-4ec0-b086-afa5c8f9045d", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "40f0efb5-4db2-40a3-9610-01694e5499f2": { + "columnOrder": [ + "f4b32ab2-bf20-4344-bca4-c0b4e5389c4a", + "76bcfdca-557a-4785-931f-cde0da1a1d5f" + ], + "columns": { + "76bcfdca-557a-4785-931f-cde0da1a1d5f": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "f4b32ab2-bf20-4344-bca4-c0b4e5389c4a": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Quarantine Rule", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "76bcfdca-557a-4785-931f-cde0da1a1d5f", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "rule.name" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "2924b924-9e94-4ec0-b086-afa5c8f9045d", + "key": "data_stream.dataset", + "negate": false, + "params": [ + "proofpoint_essentials.message_blocked", + "proofpoint_essentials.message_delivered" + ], + "type": "phrases", + "value": [ + "proofpoint_essentials.message_blocked", + "proofpoint_essentials.message_delivered" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": 
{ + "data_stream.dataset": "proofpoint_essentials.message_blocked" + } + }, + { + "match_phrase": { + "data_stream.dataset": "proofpoint_essentials.message_delivered" + } + } + ] + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "76bcfdca-557a-4785-931f-cde0da1a1d5f" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "40f0efb5-4db2-40a3-9610-01694e5499f2", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal_stacked", + "showGridlines": false, + "xAccessor": "f4b32ab2-bf20-4344-bca4-c0b4e5389c4a" + } + ], + "legend": { + "isInside": true, + "isVisible": true, + "position": "right", + "shouldTruncate": false, + "showSingleSeries": true + }, + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "show" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": [ + "proofpoint_essentials.message_blocked", + "proofpoint_essentials.message_delivered" + ], + "type": "phrases", + "value": [ + "proofpoint_essentials.message_blocked", + "proofpoint_essentials.message_delivered" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "data_stream.dataset": "proofpoint_essentials.message_blocked" + } + }, + { + "match_phrase": { + "data_stream.dataset": "proofpoint_essentials.message_delivered" + } + } + ] + } + } + } + ], + "query": { + 
"language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 14, + "i": "bcb352a4-e848-4dae-85d6-b25d5b866a34", + "w": 48, + "x": 0, + "y": 54 + }, + "panelIndex": "bcb352a4-e848-4dae-85d6-b25d5b866a34", + "title": "Messages by Quarantine Rule", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "layout": "vertical", + "links": [ + { + "destinationRefName": "link_dc2b0252-d2a7-44e3-9c47-f3c0d5e8a581_dashboard", + "id": "dc2b0252-d2a7-44e3-9c47-f3c0d5e8a581", + "label": "Messages Overview", + "options": { + "openInNewTab": false, + "useCurrentDateRange": false, + "useCurrentFilters": false + }, + "order": 0, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_e6108834-e56a-4cc4-ab65-b8326c23e691_dashboard", + "id": "e6108834-e56a-4cc4-ab65-b8326c23e691", + "label": "Clicks Overview", + "options": { + "openInNewTab": true, + "useCurrentDateRange": false, + "useCurrentFilters": false + }, + "order": 1, + "type": "dashboardLink" + } + ] + }, + "enhancements": {} + }, + "gridData": { + "h": 5, + "i": "3efaa26d-56d4-4571-8490-e8d4f388dfd6", + "w": 12, + "x": 0, + "y": 0 + }, + "panelIndex": "3efaa26d-56d4-4571-8490-e8d4f388dfd6", + "title": "Navigation", + "type": "links" + }, + { + "embeddableConfig": { + "description": "", + "enhancements": { + "dynamicActions": { + "events": [] + } + } + }, + "gridData": { + "h": 14, + "i": "0ff8d43d-6fe5-411a-93d7-d10eea2460e9", + "w": 48, + "x": 0, + "y": 68 + }, + "panelIndex": "0ff8d43d-6fe5-411a-93d7-d10eea2460e9", + "panelRefName": "panel_0ff8d43d-6fe5-411a-93d7-d10eea2460e9", + "title": "[Logs Proofpoint Essentials] Message Events", + "type": "search" + } + ], + "timeRestore": false, + "title": "[Logs Proofpoint Essentials] Messages Overview", + "version": 3 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2025-11-25T06:17:57.096Z", + "id": "proofpoint_essentials-d44fa085-b1b7-4f05-9a6c-9777dbe737e2", + 
"references": [ + { + "id": "proofpoint_essentials-70b19365-00b1-4652-afe2-cc4f8807151e", + "name": "0ff8d43d-6fe5-411a-93d7-d10eea2460e9:panel_0ff8d43d-6fe5-411a-93d7-d10eea2460e9", + "type": "search" + }, + { + "id": "logs-*", + "name": "bbd04cf0-3c1f-46cd-8230-8bd6629ad977:indexpattern-datasource-layer-4f947b5b-a131-440d-844f-849fe1fcebc3", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "bbd04cf0-3c1f-46cd-8230-8bd6629ad977:d8e1c8ae-9026-47cb-92be-6f49da9f372f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "bbd04cf0-3c1f-46cd-8230-8bd6629ad977:75473b5a-be24-4f66-8ce0-a3fc5f5b79b3", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a2abb281-44e6-4583-9ebb-a08d5a5efe5b:indexpattern-datasource-layer-4f947b5b-a131-440d-844f-849fe1fcebc3", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a2abb281-44e6-4583-9ebb-a08d5a5efe5b:93f21b9d-6122-4e3e-a0f5-84c2038174a5", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a2abb281-44e6-4583-9ebb-a08d5a5efe5b:561d7aef-c680-4873-bc09-e0d3775ac0b4", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "bf8cb51d-f505-4b42-8b9e-9c2e9f0cee8f:indexpattern-datasource-layer-e02a5a2c-eae9-4153-b4f4-8820027c639c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "bf8cb51d-f505-4b42-8b9e-9c2e9f0cee8f:a705b612-f822-47fa-a96b-0fa6d176ebc3", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4ba03966-e3a8-4120-9fe8-845bd7c72217:indexpattern-datasource-layer-e02a5a2c-eae9-4153-b4f4-8820027c639c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4ba03966-e3a8-4120-9fe8-845bd7c72217:99ade1d3-0315-41d2-9cec-901542197136", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ecb02f31-248e-4db0-8917-afbcdff308a9:indexpattern-datasource-layer-927f0b71-a454-4c64-952e-1f63aa4aace9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"ecb02f31-248e-4db0-8917-afbcdff308a9:28a27a9d-7439-4e1c-a5b1-d77e08f8f528", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ecb02f31-248e-4db0-8917-afbcdff308a9:952934f3-8743-402a-a9a8-818ea08d7a5e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a1b85fe2-1fba-4c10-8bf2-253bb7397609:indexpattern-datasource-layer-927f0b71-a454-4c64-952e-1f63aa4aace9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a1b85fe2-1fba-4c10-8bf2-253bb7397609:8973a4ca-369f-4f2e-99a6-8b279afcba56", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a1b85fe2-1fba-4c10-8bf2-253bb7397609:3631473b-1be2-4126-9978-1468e8422b49", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "87e21d70-6286-4c53-95d3-64280903c9ab:indexpattern-datasource-layer-0a60393d-0f03-494b-ae47-e9646ed721f3", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "87e21d70-6286-4c53-95d3-64280903c9ab:26c3a9cb-655b-4fee-ba8d-3cede7087f95", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "bcb352a4-e848-4dae-85d6-b25d5b866a34:indexpattern-datasource-layer-40f0efb5-4db2-40a3-9610-01694e5499f2", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "bcb352a4-e848-4dae-85d6-b25d5b866a34:2924b924-9e94-4ec0-b086-afa5c8f9045d", + "type": "index-pattern" + }, + { + "id": "proofpoint_essentials-d44fa085-b1b7-4f05-9a6c-9777dbe737e2", + "name": "3efaa26d-56d4-4571-8490-e8d4f388dfd6:link_dc2b0252-d2a7-44e3-9c47-f3c0d5e8a581_dashboard", + "type": "dashboard" + }, + { + "id": "proofpoint_essentials-6ce9c1fd-381f-4757-9747-b8fdabdde163", + "name": "3efaa26d-56d4-4571-8490-e8d4f388dfd6:link_e6108834-e56a-4cc4-ab65-b8326c23e691_dashboard", + "type": "dashboard" + }, + { + "id": "logs-*", + "name": "controlGroup_9478cc44-4d8e-4188-aa37-742d32df93e2:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_6fb01dd2-3b4b-4c2a-948a-9de41c957497:optionsListDataView", + "type": "index-pattern" + }, + { 
+ "id": "logs-*", + "name": "controlGroup_628b95c3-c032-4970-bbbd-a7ae0057ce9c:optionsListDataView", + "type": "index-pattern" + } + ], + "type": "dashboard", + "typeMigrationVersion": "10.2.0" +} \ No newline at end of file diff --git a/packages/proofpoint_essentials/kibana/search/proofpoint_essentials-2d587f18-b917-41d1-9ea8-cb0b113b795a.json b/packages/proofpoint_essentials/kibana/search/proofpoint_essentials-2d587f18-b917-41d1-9ea8-cb0b113b795a.json new file mode 100644 index 00000000000..aaff61db3d4 --- /dev/null +++ b/packages/proofpoint_essentials/kibana/search/proofpoint_essentials-2d587f18-b917-41d1-9ea8-cb0b113b795a.json 
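Review bot: the "Messages Blocked vs Delivered Over Time" panel buckets its date histogram on `"sourceField": "proofpoint_essentials.threat.message_time"` while the dashboard time picker and every other panel in this file are bounded by the `logs-*` data view's time field, the same `@timestamp` the saved searches sort on; rows whose `message_time` falls outside the picked range are either dropped or land in partial edge buckets, which is exactly the effect the Overview markdown then has to warn about ("Select a suitable time range to avoid seeing partial results."). Unless the ingest pipeline sets `@timestamp` from `message_time`, bucket this chart on `@timestamp`, or at least say in the markdown that the trend line is plotted by message time. Two smaller points in the same hunk: the navigation panel sets `"openInNewTab": false` for the Messages Overview link but `"openInNewTab": true` for the Clicks Overview link, which looks accidental rather than deliberate, and the over-time panel is `"w": 35` at `"x": 12` on the 48-column grid, leaving a one-column gap on the right that `"w": 36` would close (the two metric panels above it already span 12 to 48).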
@@ -0,0 +1,91 @@ +{ + "attributes": { + "columns": [ + "email.from.address", + "email.to.address", + "threat.indicator.url.original", + "proofpoint_essentials.threat.threat_status", + "proofpoint_essentials.threat.classification", + "destination.ip" + ], + "description": "", + "grid": {}, + "hideChart": false, + "isTextBasedQuery": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": [ + "proofpoint_essentials.clicks_blocked", + "proofpoint_essentials.clicks_permitted" + ], + "type": "phrases", + "value": [ + "proofpoint_essentials.clicks_blocked", + "proofpoint_essentials.clicks_permitted" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "data_stream.dataset": "proofpoint_essentials.clicks_blocked" + } + }, + { + "match_phrase": { + "data_stream.dataset": "proofpoint_essentials.clicks_permitted" + } + } + ] + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "timeRestore": false, + "title": "[Logs Proofpoint Essentials] Click Events" + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2025-11-25T05:54:10.601Z", + "id": "proofpoint_essentials-2d587f18-b917-41d1-9ea8-cb0b113b795a", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search", + "typeMigrationVersion": "10.5.0" +} \ No newline at end of file 
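Review bot: the dataset names this search filters on, `proofpoint_essentials.clicks_blocked` and `proofpoint_essentials.clicks_permitted`, are plural, while the message datasets filtered elsewhere in this PR are singular (`proofpoint_essentials.message_blocked`, `proofpoint_essentials.message_delivered`) even though the upstream event type values are plural (`messages_blocked`, `messages_delivered`). Data stream names become part of index and data stream names, so renaming after 0.1.0 ships is a breaking change; settle on one convention now, for example `messages_blocked`/`messages_delivered` to mirror the `event_type` values. On the columns: `threat.indicator.url.original` is the ECS field for an indicator record, whereas the URL a user clicked is conventionally `url.original` on the event itself; if the pipeline fills both, `url.original` is the better Discover column, and if it fills only `threat.indicator.*` the field choice deserves a comment in the pipeline. The empty `"description": ""` could also carry a one-line summary of what the search returns.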
diff --git a/packages/proofpoint_essentials/kibana/search/proofpoint_essentials-70b19365-00b1-4652-afe2-cc4f8807151e.json b/packages/proofpoint_essentials/kibana/search/proofpoint_essentials-70b19365-00b1-4652-afe2-cc4f8807151e.json new file mode 100644 index 00000000000..58705af6573 --- /dev/null +++ b/packages/proofpoint_essentials/kibana/search/proofpoint_essentials-70b19365-00b1-4652-afe2-cc4f8807151e.json 
@@ -0,0 +1,91 @@ +{ + "attributes": { + "columns": [ + "email.from.address", + "email.to.address", + "email.subject", + "proofpoint_essentials.threat.threats_info_map.threat_id", + "proofpoint_essentials.threat.threats_info_map.threat_status", + "proofpoint_essentials.threat.threats_info_map.threat_type" + ], + "description": "", + "grid": {}, + "hideChart": false, + "isTextBasedQuery": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": [ + "proofpoint_essentials.message_blocked", + "proofpoint_essentials.message_delivered" + ], + "type": "phrases", + "value": [ + "proofpoint_essentials.message_blocked", + "proofpoint_essentials.message_delivered" + ] + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "data_stream.dataset": "proofpoint_essentials.message_blocked" + } + }, + { + "match_phrase": { + "data_stream.dataset": "proofpoint_essentials.message_delivered" + } + } + ] + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "timeRestore": false, + "title": "[Logs Proofpoint Essentials] Message Events" + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2025-11-25T05:54:10.601Z", + "id": "proofpoint_essentials-70b19365-00b1-4652-afe2-cc4f8807151e", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search", + "typeMigrationVersion": "10.5.0" +} \ No newline at end 
of file diff --git a/packages/proofpoint_essentials/manifest.yml b/packages/proofpoint_essentials/manifest.yml new file mode 100644 index 00000000000..52740438df4 --- /dev/null +++ b/packages/proofpoint_essentials/manifest.yml 
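Review bot: the three `proofpoint_essentials.threat.threats_info_map.*` columns in the Message Events search will not line up with each other once a message carries more than one threat, because, if `threats_info_map` is an array of objects as its name suggests, Discover renders a column on a nested array field as the concatenation of that key across all elements, so `threat_id`, `threat_status` and `threat_type` each show every threat's value with no way to pair them. Either surface a single top-level summary field the pipeline derives (for example the first or highest-severity threat), or expand the array into one document per threat at ingest time, and pick the columns accordingly. As with the Click Events search, `"description": ""` should say what the search returns.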
@@ -0,0 +1,106 @@ +format_version: 3.3.2 +name: proofpoint_essentials +title: Proofpoint Essentials +version: 0.1.0 +description: Collect logs from Proofpoint Essentials with Elastic Agent. +type: integration +categories: + - security +conditions: + kibana: + version: '^8.18.0 || ^9.0.0' + elastic: + subscription: basic +icons: + - src: /img/proofpoint-logo.svg + title: Proofpoint logo + size: 32x32 + type: image/svg+xml +screenshots: + - src: /img/proofpoint_essentials-messages-dashboard.png + title: Proofpoint Essentials Messages Overview Dashboard Screenshot + size: 600x600 + type: image/png + - src: /img/proofpoint_essentials-clicks-dashboard.png + title: Proofpoint Essentials Clicks Overview Dashboard Screenshot + size: 600x600 + type: image/png +policy_templates: + - name: proofpoint_essentials + title: Proofpoint Essentials logs + description: Collect Proofpoint Essentials logs. + deployment_modes: + default: + enabled: true + agentless: + enabled: true + organization: security + division: engineering + team: security-service-integrations + inputs: + - type: cel + title: Collect Proofpoint Essentials logs via API + description: Collecting Proofpoint Essentials logs via API. + vars: + - name: url + type: url + title: URL + description: URL for the Essentials Threat API. it will be in the format of `https://-siem.proofpointessentials.com`. + multi: false + required: true + show_user: true + - name: api_key + type: password + title: API Key + description: The API Key used to authenticate with the Essentials Threat API. + multi: false + required: true + show_user: true + secret: true + - name: api_key_secret + type: password + title: API Key Secret + description: The API Key Secret used to authenticate with the Essentials Threat API. 
+ multi: false + required: true + show_user: true + secret: true + - name: proxy_url + type: text + title: Proxy URL + multi: false + required: false + show_user: false + description: URL to proxy connections in the form of http[s]://:@:. Please ensure your username and password are in URL encoded format. + - name: ssl + type: yaml + title: SSL Configuration + description: SSL configuration options. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config) for details. + multi: false + required: false + show_user: false + default: | + #certificate_authorities: + # - | + # -----BEGIN CERTIFICATE----- + # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF + # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 + # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB + # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n + # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl + # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t + # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP + # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 + # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O + # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux + # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D + # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw + # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA + # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu + # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 + # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk + # sxSmbIUfc2SGJGCJD4I= + # -----END CERTIFICATE----- +owner: + github: elastic/security-service-integrations + type: elastic 
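Review bot: `proxy_url` is declared `type: text` without `secret: true`, yet its description explicitly invites credentials in the URL ("Please ensure your username and password are in URL encoded format."), so a proxy username and password would be stored and shown in the agent policy in plaintext while `api_key` and `api_key_secret` two blocks above are correctly `secret: true`; mark `proxy_url` as a secret too, or drop the credential form from the description. In the `url` var description, "it will be in the format of" starts with a lower-case letter after a full stop, and as rendered here the example reads `https://-siem.proofpointessentials.com` with nothing before the hyphen, just as the proxy example reads `http[s]://:@:.`; if those held angle-bracket placeholders they are being lost in rendering, so spell the placeholders out in words (the regional prefix, user, password, host, port) or use a form such as `{region}` that survives.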
diff --git a/packages/proofpoint_essentials/validation.yml b/packages/proofpoint_essentials/validation.yml new file mode 100644 index 00000000000..1189aa63c89 --- /dev/null +++ b/packages/proofpoint_essentials/validation.yml @@ -0,0 +1,3 @@ +errors: + exclude_checks: + - SVR00004 # References in dashboards.
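Review bot: the comment on the `SVR00004` exclusion, "References in dashboards.", names the check but not why this package needs it; the reason is visible in the Messages Overview dashboard, which references the `proofpoint_essentials-70b19365-...` saved search by id and two dashboards through its links panel rather than embedding them by value. State that in the comment so a later maintainer can tell whether the exclusion is still required when those panels change.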