
Standard DEM rule suppression

We have a standard rule that shows an event when the SELECT query is run against SQL and Oracle databases. The problem is we have automated scripts and mirroring that run every 10 mins, so we are seeing millions of these events per day.

Am I able to exclude specific hosts from this rule? I was thinking of a correlation rule that combines the filters by the signature ID then by IP address to remove them, but I'm not sure if this would work, or if it would just double up on the events we are seeing.