Splunk Enterprise Security

Has anyone scrubbed proofpoint's TAP sourcetype for alerting?

New Member

Has anyone scrubbed Proofpoint's TAP sourcetype for alerting? Any common use rules or which conditions and fields would be best to generate the "malicious URL rewrite" clicks and "malicious attachment downloads" alerts?


Path Finder

You would want to base them on eventType.

The two I would alert on are: clicksPermitted or messagesDelivered

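To make the eventType-based approach from the answer concrete, here is an added example (not from the thread or from Proofpoint/Splunk) that applies the two alert conditions to constructed TAP-style events. It assumes field names from the TAP SIEM API (classification, threatStatus, threatsInfoMap, threatType, recipient, url); only eventType and the two event types come from the answer above.

```python
import json

# Constructed sample events shaped like Proofpoint TAP SIEM API records as Splunk
# would index them. Field names other than eventType (classification, threatStatus,
# threatsInfoMap, threatType, recipient, url) are assumed from the TAP SIEM API.
SAMPLE_EVENTS = [
    '{"eventType":"clicksPermitted","classification":"phish","threatStatus":"active",'
    '"recipient":"alice@example.test","url":"https://rewritten.example/__bad__"}',
    '{"eventType":"clicksPermitted","classification":"spam","threatStatus":"active",'
    '"recipient":"bob@example.test","url":"https://rewritten.example/__promo__"}',
    '{"eventType":"clicksBlocked","classification":"malware","threatStatus":"active",'
    '"recipient":"carol@example.test","url":"https://rewritten.example/__evil__"}',
    '{"eventType":"messagesDelivered","recipient":["dave@example.test"],"subject":"Invoice",'
    '"threatsInfoMap":[{"threatType":"attachment","classification":"malware",'
    '"threatStatus":"active","threat":"<sha256 placeholder>"}]}',
    '{"eventType":"messagesDelivered","recipient":["erin@example.test"],"subject":"News",'
    '"threatsInfoMap":[{"threatType":"url","classification":"spam","threatStatus":"active"}]}',
]

# Only verdicts that indicate a real threat should page anyone; TAP's "spam"
# classification and cleared/falsePositive threat statuses are noise for these alerts.
MALICIOUS = {"malware", "phish"}

def classify(event):
    """Return an alert name for one parsed TAP event, or None if it should not alert."""
    kind = event.get("eventType")
    if kind == "clicksPermitted":
        # User clicked a rewritten URL and TAP let the click through.
        if event.get("classification") in MALICIOUS and event.get("threatStatus") == "active":
            return "malicious_url_click"
    elif kind == "messagesDelivered":
        # Message reached the mailbox; alert if any listed threat is a malicious attachment.
        for threat in event.get("threatsInfoMap", []):
            if (threat.get("threatType") == "attachment"
                    and threat.get("classification") in MALICIOUS
                    and threat.get("threatStatus") == "active"):
                return "malicious_attachment_delivered"
    # clicksBlocked / messagesBlocked were already stopped by TAP: nothing to alert on.
    return None

def alerts_from_events(raw_events):
    """Parse JSON event strings and return (alert, recipient) pairs worth alerting on."""
    alerts = []
    for raw in raw_events:
        event = json.loads(raw)
        alert = classify(event)
        if alert:
            recipient = event.get("recipient")
            if isinstance(recipient, list):  # message events carry a recipient list
                recipient = ",".join(recipient)
            alerts.append((alert, recipient))
    return alerts
```

The same two conditions translate to a Splunk search that filters on eventType=clicksPermitted with classification in (malware, phish) and threatStatus=active, and on eventType=messagesDelivered with an attachment-type threat, again assuming those field names survive indexing.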