What Changed
Modified Proofpoint On-Demand (POD) Email Security CCF connector polling configuration to remove startTime and endTime query parameters, enabling proper WebSocket-based live streaming.
Security Impact (Visibility & Fidelity)
Deployments using the Proofpoint POD connector experienced significant data quality issues:
Duplicate Data Problem:
- The POD API rounds time parameters to the nearest hour, so consecutive polling windows overlap
- The previous 5-minute polling interval with startTime/endTime therefore caused systematic data duplication
- SOC teams received multiple alerts for the same email security events
- Investigation workflows were impacted by inflated event counts and false positives
Root Cause:
- POD uses WebSocket architecture designed for persistent live connections
- Time-based polling contradicts the intended streaming API design
- Historical data retrieval mode was inappropriately used for live monitoring
This fix eliminates duplicate ingestion and restores proper email security event fidelity for threat detection and incident response.
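The following simulation is an added illustration, not the connector's code or anything from the Azure-Sentinel repository. It models the duplication described above: a consumer polls a 5-minute startTime/endTime window twelve times across one hour, the API widens each window to hour boundaries (the model assumes floor-of-start, ceil-of-end, the rounding behaviour that produces the overlap the text describes), and every event in that hour comes back on every poll. It also shows the two checks a SOC would want while such a connector is in place: a duplicate report keyed on a stable event id, and exact-window polling as the control that confirms the rounding is the cause. The event ids, timestamps and the `id` field name are constructed.

```python
"""Model of hour-rounded time-window polling producing duplicate events.

Added example only; the API rounding rule and the sample events are
assumptions made for illustration, not Proofpoint POD behaviour verbatim.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

HOUR = timedelta(hours=1)
FIVE_MIN = timedelta(minutes=5)

# Constructed sample events (not real POD messages): stable id + UTC timestamp.
T0 = datetime(2024, 1, 1, 10, 0, tzinfo=timezone.utc)
EVENTS = [
    {"id": f"msg-{i:03d}", "ts": T0 + timedelta(minutes=m)}
    for i, m in enumerate([1, 7, 12, 18, 25, 31, 44, 52, 58, 63, 70])
]


def floor_hour(ts):
    """Round a timestamp down to the start of its hour."""
    return ts.replace(minute=0, second=0, microsecond=0)


def ceil_hour(ts):
    """Round a timestamp up to the next hour boundary (no-op if already on one)."""
    f = floor_hour(ts)
    return f if f == ts else f + HOUR


def rounded_query(events, start, end):
    """Assumed API behaviour: the caller's window is widened to whole hours
    (floor start, ceil end), then events in [start, end) are returned."""
    s, e = floor_hour(start), ceil_hour(end)
    return [ev for ev in events if s <= ev["ts"] < e]


def exact_query(events, start, end):
    """Control: an API that honours the window exactly, with no rounding."""
    return [ev for ev in events if start <= ev["ts"] < end]


def poll_window(events, first_start, interval, polls, query=rounded_query):
    """Simulate startTime/endTime polling: `polls` consecutive windows of
    length `interval`, each sent through `query`. Returns everything received."""
    received = []
    for i in range(polls):
        start = first_start + i * interval
        received.extend(query(events, start, start + interval))
    return received


def duplicate_report(received):
    """Detection check: count how often each event id was ingested."""
    counts = Counter(ev["id"] for ev in received)
    duplicated = {eid: n for eid, n in counts.items() if n > 1}
    return {"returned": len(received), "unique": len(counts),
            "duplicated_ids": duplicated}


def dedupe(received):
    """Mitigation on the consumer side: keep the first copy of each id."""
    seen, unique = set(), []
    for ev in received:
        if ev["id"] not in seen:
            seen.add(ev["id"])
            unique.append(ev)
    return unique


if __name__ == "__main__":
    rounded = poll_window(EVENTS, T0, FIVE_MIN, 12)
    print("hour-rounded polling:", duplicate_report(rounded))
    print("after dedupe:", len(dedupe(rounded)), "events")
    exact = poll_window(EVENTS, T0, FIVE_MIN, 12, query=exact_query)
    print("exact-window polling:", duplicate_report(exact))
```

With the constructed data, the twelve hour-rounded polls return 108 records for the 9 events that occurred in that hour, each ingested twelve times, while the exact-window control returns each of the 9 exactly once. The same `duplicate_report` logic, run over ingested records keyed on the connector's stable message identifier, is the quickest way to confirm whether a deployment was affected before the fix and that duplication stopped after it.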
Affected Files
Solutions/Proofpoint On demand(POD) Email Security/Data Connectors/ProofPointEmailSecurity_CCP/ProofpointPOD_PollingConfig.json
(bulk CI/packaging updates across multiple solutions)