Hello Jeremy
1. Make sure you have the latest ProofPoint log parser file installed on your NetWitness Log Decoders.
Latest available version on RSA Live is, Proofpoint Email Security - proofpoint, Parser Version: 32, Event Source Update: 122, last updated 2018-09-12
Check the deployed version of the proofpoint parser file on your Log Decoder appliance with the command,
egrep "xml=|revision=" /etc/netwitness/ng/envision/etc/devices/proofpoint/proofpointmsg.xml
In the output make sure you have at least the values,
xml="32"
revision="122"
2. Check that you have a version of ProofPoint that is supported by NetWitness, currently 6.3, 7.2, 7.5, 8.x.
Reference: https://community.rsa.com/community/products/netwitness/parser-network/event-sources#P
3. If the ProofPoint logs are been parsed as another device type, then consider adding a mapping in the Parser Mappings tab to force the parser to use the proofpoint parser.
Reference: Decoder: Services Config View - Parser Mappings Tab - https://community.rsa.com/docs/DOC-80185
4. If you are still finding the logs from ProofPoint are not been fully parsed of all the useful data, then export a sample of these logs from NetWitness, and open a case with RSA Customer Support.
Identify in the new case which fields of data are not getting parsed in the log messages. A request for a future enhancement (RFE) can be made to the RSA Content Team for their consideration.
