Splunk Enterprise Security

Has anyone scrubbed Proofpoint's TAP sourcetype for alerting?


Has anyone scrubbed Proofpoint's TAP sourcetype for alerting? Any common use rules or which conditions and fields would be best to generate the "malicious URL rewrite" clicks and "malicious attachment downloads" alerts?


Re: Has anyone scrubbed Proofpoint's TAP sourcetype for alerting?


You would want to base them on eventType

The two I would alert on are: clicksPermitted or messagesDelivered

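As an added illustration (not code from the thread), the logic below applies the answer's two eventType conditions to a handful of constructed events shaped like Proofpoint TAP SIEM API JSON, mapping clicksPermitted to the "malicious URL rewrite click" alert and messagesDelivered with an attachment threat to the "malicious attachment delivered" alert; the field names threatsInfoMap, threatType and threatStatus are assumptions about that JSON format, and the same eventType filter is what a Splunk search over the TAP sourcetype would key on.

```python
# Constructed sample events in the shape of Proofpoint TAP SIEM API JSON.
# Field names other than eventType (threatsInfoMap, threatType,
# threatStatus, classification) are assumptions, not taken from the post.
SAMPLE_EVENTS = [
    {"eventType": "clicksPermitted", "recipient": "alice@example.test",
     "url": "http://bad.example/x", "classification": "phish",
     "threatStatus": "active"},
    {"eventType": "clicksBlocked", "recipient": "bob@example.test",
     "url": "http://bad.example/y", "classification": "phish",
     "threatStatus": "active"},
    {"eventType": "messagesDelivered", "recipient": "carol@example.test",
     "subject": "Invoice", "threatsInfoMap": [
         {"threatType": "attachment", "classification": "malware",
          "threatStatus": "active"}]},
    {"eventType": "messagesDelivered", "recipient": "dave@example.test",
     "subject": "Link", "threatsInfoMap": [
         {"threatType": "url", "classification": "phish",
          "threatStatus": "active"}]},
    {"eventType": "messagesBlocked", "recipient": "erin@example.test",
     "subject": "Blocked", "threatsInfoMap": [
         {"threatType": "attachment", "classification": "malware",
          "threatStatus": "active"}]},
]

# The two eventType values the answer recommends alerting on.
ALERT_EVENT_TYPES = {"clicksPermitted", "messagesDelivered"}


def classify(event):
    """Return an alert name for one TAP event, or None if not alertable.

    Blocked clicks/messages and threats TAP no longer marks active are
    ignored; a delivered message whose only threat is a URL is left to
    the clicksPermitted path, since that URL was rewritten on delivery.
    """
    etype = event.get("eventType")
    if etype not in ALERT_EVENT_TYPES:
        return None
    if etype == "clicksPermitted":
        # The user clicked a rewritten URL and TAP let the click through.
        return "malicious_url_click_permitted" if event.get("threatStatus") == "active" else None
    for threat in event.get("threatsInfoMap", []):
        if threat.get("threatType") == "attachment" and threat.get("threatStatus") == "active":
            return "malicious_attachment_delivered"
    return None


def build_alerts(events):
    """Map a batch of TAP events to (alert_name, recipient) pairs."""
    return [(classify(e), e.get("recipient")) for e in events if classify(e)]


if __name__ == "__main__":
    for alert, rcpt in build_alerts(SAMPLE_EVENTS):
        print(f"{alert}: {rcpt}")
```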