Hi @ferdydek - It's been a while since you posted. I'm a Product Manager at Proofpoint and can help you get this solved. Are you still seeing this issue when using the Proofpoint TAP modular input?
To set debugging, go to Tenable Add-On->Configuration->Logging. All of the Add-On logs are stored in the _internal index within Splunk:
index="_internal" source="ta_tenable"
I think you want "objects that are computers AND (are in group1 OR are in group2)"
(&(objectClass=computer)(|(memberOf="CN=Patch1,OU=Patches,OU=Wintel,DC=Mydomain,DC=com") (memberOf="CN=Patch2,OU=Patches,OU=Wintel,DC=Mydomain,DC=com")))
Hope this helps
The configs you posted won't do what you want. I know you said you could not edit them, but when you say "I pretty confident this is how it should be" it is kind of confusing - what do you mean by 'this'?
I updated my answer to remove the first nullQueue stanza and changed indexQueue to nullQueue for the events you want to drop.