Hello,
we installed and configured Proofpoint on Demand Email Security App V2 on our multi-tenanted QRadar deployment (we're on 7.5.0 up3).
This app does not support multitenancy, so we're unable to create an instance linked to a specific tenant (the one from which we want to pull Proofpoint TAP events).
The main issue is that we get events in the Default Domain and not in the domain associated with our QRadar tenant: we tried to force the event collector associated with our domain\tenant in the log source configuration (a Proofpoint TAP log source is automatically created) rather than the console, but it does not solve the issue.
Has someone already managed this issue, or is there no means of getting the Proofpoint events associated with a specific domain in QRadar?
Best Regards
Davide
------------------------------
Davide Salardi
------------------------------