Threat Protection Analyst PPAN01 Passing Score

An incident response tabletop (A) is a structured scenario-based exercise where analysts practice decision-making, communications, evidence handling, and coordinated response under realistic constraints. In Proofpoint-focused IR, tabletops are particularly valuable because email-led incidents require cross-team handoffs: SOC triage (TAP), mail admin actions (policy changes, Smart Search validation), post-delivery remediation (TRAP quarantine/pull), identity containment (password resets, token revocation, MFA), and business escalation (finance verification for BEC). Tabletop drills validate that playbooks are executable, escalation contacts are correct, and the team can meet response SLAs (time-to-triage, time-to-contain). They also expose tooling gaps (missing mailbox audit logs, insufficient retention, lack of automation for retroactive search/pull). Updating SOPs is important but is documentation work, not a training exercise by itself. Vulnerability scanning and port scanning are security assessment activities and can support overall security posture, but they do not train analysts on the incident response lifecycle behaviors (triage, containment coordination, post-incident lessons learned) that drive effective real-world response.

Compromise likelihood increases sharply when users both (1) received a threat that remained accessible and (2) successfully interacted with it. “Exposure > Permitted Clicks” (A) directly indicates that a user clicked a rewritten/protected URL and the click was permitted (not blocked), which is one of the strongest leading indicators for credential theft or malware execution pathways. “Exposure > Delivered with Accessible Threat” (C) indicates delivery of a message that still contained an accessible malicious component at the time of access (e.g., URL remained reachable/uncleared), raising the chance of interaction leading to compromise. In Proofpoint IR, these two filters are used to rapidly build a “likely compromised” watchlist for immediate follow-up: validate click details, check for credential submission, correlate with suspicious logins, review mailbox rules/forwarding, and trigger post-delivery remediation (quarantine/pull) if copies remain. “Users > VIP” is important for business impact, but VIP status alone doesn’t indicate compromise. “False Positives Only” reduces compromise likelihood by definition, and location filtering is contextual—not a direct compromise signal.

In Proofpoint Threat Response / post-delivery remediation workflows, a quarantine action depends on the message still existing in the target mailbox (Inbox or other folders where the connector searches). A status of “unavailable” commonly indicates the system could not locate the message to apply the action—most often because it was deleted or otherwise removed before quarantine occurred (A). This can happen if the user manually deletes it, an automated mailbox rule moves it to Deleted Items and empties it, retention policies purge it, or another remediation tool removes it first. From an IR containment perspective, “unavailable” is important because it changes the response plan: if the message cannot be pulled, you must pivot to containment through other controls (blocklist URLs/domains, disable sender delivery, enforce URL Defense blocking, reset credentials if interaction occurred) and expand scoping (search for duplicates in other mailboxes). Best practice is to correlate “unavailable” with click telemetry (Impacted users), authentication results, and mailbox audit logs to confirm whether exposure occurred and whether compensating actions are required to prevent recurrence.

The header contains X-Proofpoint-Spam-Details: rule=spam policy=default ... spamscore=89 ... reason=mlx, which is the Proofpoint spam engine verdict (MLX classifier) and indicates quarantine was driven by the spam policy evaluation, not by anti-virus or a user block list. In Proofpoint PPS/PoD, quarantine decisions frequently include an “X-Proofpoint-*Details” header that records the policy, rule family, and scoring components used to reach the final disposition. Here, the high spamscore=89 is decisive, and there is also an MLX log score entry supporting the ML-based spam classification. Antivirus-related quarantines typically show explicit malware/virus condemnation outcomes (e.g., malware score, “virus” rule, or attachment verdicts), while personal block list actions would be reflected as user-specific allow/block triggers, not the spam classifier rule. For IR triage, this header is the fastest way to validate why a message was quarantined and whether a false positive should be addressed by tuning spam thresholds, allow lists, or MLX-related settings rather than malware policies.