If I wanted to filter all events for a certain data source unless they contain a specific string of text, how would I do that? I have the filter in place to parse and create an event, but everything else is still coming in. I am assuming this is because there is not a filter to stop events that don't contain those strings?
I know of two ways to accomplish this in the SIEM.
1. Filter at the data source parser level of the policy.
Steps: Highlight the data source in the navigation pane of the Flash console and click on the policy icon. Once opened, select 'Enabled' in the 'Action' field under 'Advanced' filtering options, remove the ID value in the Device ID field, then refresh. If your custom rule is the only rule enabled, it is possible your regex is not specific to the event you are attempting to collect. If other rules are displayed, highlight them all and select 'Disabled' in the 'Action' column.
2. Filter before parsing using the 'Filters' option in the policy.
Steps: You may have to create two filters, depending on the complexity of the content of the event you are attempting to collect. The first filter (if needed) should match the event you are attempting to collect with all forwarding options selected, which will send the events to the parser. The second filter should sit underneath the first filter and should be a generic match on all events coming from this data source. If only using the second filter, ensure it does not match the specific events you are attempting to collect.
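To make the ordering point in option 2 concrete, here is an added example (not from the original post or the SIEM vendor) that models an ordered filter list in plain Python. It assumes first-match-wins semantics and a regex flavor with negative lookahead; the event lines are constructed samples.

```python
import re
from dataclasses import dataclass

# Constructed sample events from one hypothetical data source (not real logs).
SAMPLE_EVENTS = [
    "Jan 10 12:00:01 fw01 session opened user=alice",
    "Jan 10 12:00:02 fw01 AUTH_FAIL user=bob src=10.0.0.5",
    "Jan 10 12:00:03 fw01 session closed user=alice",
    "Jan 10 12:00:04 fw01 AUTH_FAIL user=carol src=10.0.0.9",
]


@dataclass
class Filter:
    """One entry in the data source's filter list: a regex and whether
    a matching event is forwarded to the parser (True) or dropped (False)."""
    pattern: str
    forward: bool


def apply_filters(filters, events):
    """Model of an ordered filter list (assumption: the first matching
    filter decides). Events matching no filter fall through to the parser."""
    forwarded = []
    for ev in events:
        for f in filters:
            if re.search(f.pattern, ev):
                if f.forward:
                    forwarded.append(ev)
                break          # first match wins; a drop filter ends here
        else:
            forwarded.append(ev)  # no filter matched: parser sees it
    return forwarded


# Option 2, two filters: the specific forwarding filter sits ABOVE a
# generic catch-all that drops everything else from this data source.
TWO_FILTER_CHAIN = [Filter(r"AUTH_FAIL", forward=True),
                    Filter(r".", forward=False)]

# The same two filters in the wrong order: the catch-all drop matches
# first, so nothing ever reaches the AUTH_FAIL filter or the parser.
WRONG_ORDER_CHAIN = [Filter(r".", forward=False),
                     Filter(r"AUTH_FAIL", forward=True)]

# Option 2, single filter: a drop rule whose regex deliberately does NOT
# match the wanted events (negative lookahead), so only they fall through.
SINGLE_FILTER_CHAIN = [Filter(r"^(?!.*AUTH_FAIL)", forward=False)]
```

Swapping the two filters drops every event, which is the symptom to check for when a configured filter "loses" the events you wanted to keep.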