Showing results for 
Search instead for 
Did you mean: 
Level 10

Watchlists as filters a logical fault?!

Ladies and Gents,

i was working with Watchlists to filter out some events from the ACE so that I can reduce noise as a whole with out having to tune some of the noisier rules individually.

All was great while I was using the SigID field and Source IP field.

All hell broke loose when created a Source User filter.

Almost all correlated events stopped.

After a few days of soul searching I was able to work out the logical fault that ESM imposes on us.

If I filter for a field even as a negation with an empty (VAR or Watchlist), any event that does not have that field will automatically be excluded.

Has any one came across this or found a way around this.

it is driving me up a wall.



0 Kudos
2 Replies
Level 11

Re: Watchlists as filters a logical fault?!

Just use an OR gate like this:

Rule 1 (SigID + Source IP + Source User)


Rule 2 (SigID + Source IP)

0 Kudos
Level 10

Re: Watchlists as filters a logical fault?!


Thank You, this would work if I had a finite list of SigIDs.

Unfortunately we are dealing with a very high volume environment and more than one Signature will often trigger on one Field.

However, I did find a work around last week.

In my case I added a Normalization filter Authentication for the rule that filter out users.

and Not Authentication for all else.

this effectively made sure that only SigIDs with username fields are filtered against that rule. A bit hacky but it works

Good luck

0 Kudos