Re: AND NOT logic (exclusions) in custom ESM rules
As I learned, the orange blocks inside an AND block are not applied to a single event. 1 orange block = 1 event in the sequence, so my previous filter doesn't work because it waits for 3 different events in sequence.
So if we want to trigger an alert when
(SigID = 123 AND SourceGeoId != Europe)
AND NOT (SourceIP=184.108.40.206 and SourceUser = 'ExternalUser1')
AND NOT (SourceGeoId=Asia and SourceUser = 'ExternalUser2')
We should transform it to:
(SigID = 123 AND SourceGeoId != Europe AND SourceUser != ['ExternalUser1', 'ExternalUser2'])
OR (SigID = 123 AND SourceUser = 'ExternalUser1' AND SourceGeoId != Europe AND SourceIP=220.127.116.11)
OR (SigID = 123 AND SourceUser = 'ExternalUser2' AND SourceGeoId != [Europe, Asia])
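A way to check a rewrite like this before putting it into a correlation rule, as an added example that is not part of the original post and not McAfee ESM code: the script below evaluates the original "positive AND NOT ex1 AND NOT ex2" form and a rewritten OR-of-conjunctions form over every combination of a few constructed field values and lists any event on which the two disagree. It also shows the mechanical general rewrite (NOT (a AND b) becomes (NOT a) OR (NOT b), distributed over all exclusions, giving one branch per choice of one negated literal from each exclusion); the hand-written three-branch form above is a case split on SourceUser that covers the same events. Assumptions: the excluded address is a placeholder (198.51.100.7), the value domains are constructed, and the hand-written second branch is encoded with SourceIP != the excluded address, which is the reading under which that branch matches the original exclusion. Field names follow the post.

```python
"""Brute-force equivalence check for rewriting AND NOT exclusions as an
OR of single-event conditions. Added example, not McAfee ESM code; field
names follow the post, value domains and the excluded IP are constructed."""
from itertools import product

EXCLUDED_IP = "198.51.100.7"  # placeholder (assumption) for the excluded address
# Constructed value domains: each field gets a value that hits every
# exclusion plus at least one value that does not.
DOMAIN = {
    "SigID": (123, 456),
    "SourceGeoId": ("Europe", "Asia", "Americas"),
    "SourceUser": ("ExternalUser1", "ExternalUser2", "Contractor7"),
    "SourceIP": (EXCLUDED_IP, "198.51.100.8"),
}

# A literal is (field, op, value); a condition is a list of literals ANDed together.
NEGATED_OP = {"=": "!=", "!=": "=", "in": "not in", "not in": "in"}

def eval_literal(lit, ev):
    field, op, value = lit
    actual = ev[field]
    if op == "=":
        return actual == value
    if op == "!=":
        return actual != value
    if op == "in":
        return actual in value
    if op == "not in":
        return actual not in value
    raise ValueError(f"unknown operator {op!r}")

def eval_and(lits, ev):
    return all(eval_literal(lit, ev) for lit in lits)

def negate(lit):
    field, op, value = lit
    return (field, NEGATED_OP[op], value)

# The rule as first written in the post: positive part AND NOT ex1 AND NOT ex2.
POSITIVE = [("SigID", "=", 123), ("SourceGeoId", "!=", "Europe")]
EXCLUSIONS = [
    [("SourceIP", "=", EXCLUDED_IP), ("SourceUser", "=", "ExternalUser1")],
    [("SourceGeoId", "=", "Asia"), ("SourceUser", "=", "ExternalUser2")],
]

def original_rule(ev):
    return eval_and(POSITIVE, ev) and not any(eval_and(ex, ev) for ex in EXCLUSIONS)

# The post's hand-written three-branch rewrite (case split on SourceUser).
# Second branch encoded with SourceIP != EXCLUDED_IP (assumption, see lead-in).
POST_BRANCHES = [
    POSITIVE + [("SourceUser", "not in", ("ExternalUser1", "ExternalUser2"))],
    POSITIVE + [("SourceUser", "=", "ExternalUser1"), ("SourceIP", "!=", EXCLUDED_IP)],
    POSITIVE + [("SourceUser", "=", "ExternalUser2"), ("SourceGeoId", "not in", ("Europe", "Asia"))],
]

def expand_exclusions(positive, exclusions):
    """Mechanical rewrite: NOT (a AND b) == (NOT a) OR (NOT b). Distributing
    over every exclusion yields one branch per way of picking one literal
    from each exclusion and negating it. Branches may overlap; an OR does
    not care."""
    return [list(positive) + [negate(lit) for lit in choice]
            for choice in product(*exclusions)]

EXPANDED_BRANCHES = expand_exclusions(POSITIVE, EXCLUSIONS)

def or_rule(branches):
    return lambda ev: any(eval_and(br, ev) for br in branches)

post_rewrite_rule = or_rule(POST_BRANCHES)
expanded_rule = or_rule(EXPANDED_BRANCHES)

def all_events():
    fields = list(DOMAIN)
    for values in product(*(DOMAIN[f] for f in fields)):
        yield dict(zip(fields, values))

def find_mismatches(rule_a, rule_b):
    """Events on which the two rules disagree; empty means equivalent over DOMAIN."""
    return [ev for ev in all_events() if rule_a(ev) != rule_b(ev)]

def count_alerts(rule):
    return sum(1 for ev in all_events() if rule(ev))

if __name__ == "__main__":
    for name, rule in (("post rewrite", post_rewrite_rule), ("expanded", expanded_rule)):
        bad = find_mismatches(original_rule, rule)
        print(f"{name}: {'equivalent' if not bad else str(len(bad)) + ' mismatching events'}")
    for br in EXPANDED_BRANCHES:
        print(" AND ".join(f"{f} {op} {v}" for f, op, v in br))
```

The check is only as good as the value domains: every field used in an exclusion needs at least one value inside the exclusion and one outside it, otherwise a wrong branch can go unnoticed. The mechanical expansion produces four branches here against the post's three; either form works, the expanded one is simply what you get without hand-picking a field to split on.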