6 Replies Latest reply on Mar 2, 2016 3:57 PM by sssyyy

    Filter Query for ESM 9.5

    umbra

      Good Morning,


      I am trying to get a filter to work.

      I wish for the events in the SIEM to still reach the ELM yet do not want the events to be parsed in the ESM.


      Have tried to follow the SIEM Foundations: Filter Out Low-Value Events guide but getting stuck on the Content String.


      Essentially I want to filter out all events generated by one IP that match an event name for example. I do not wish to see any VMWare VMX Status has been set alerts from 12.12.12.12 but still want to see the same alert for all other IP addresses.


      Have tried some regex but just cannot seem to get the filter working for this. Does anyone have any advice?


      Thanks
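The post does not show the ESM Content String syntax or the regex that was tried, so the following is an added example (not from the poster and not McAfee's own filter language) that models only the matching logic the question describes: drop an event when it comes from one specific IP and carries one specific event name, while the same event name from every other IP passes through. The sample event lines, the IP 12.12.12.12 and the event name are taken from the post; the line format and the function names are assumptions. The two patterns side by side show the usual reason such a filter "almost" works: with the dots in the IP left unescaped, `.` matches any character, and without anchoring the IP also matches inside a longer address.

```python
import re

# Constructed sample events (not from the original post): a source IP followed by
# an event name, standing in for whatever the ESM parser presents to the filter.
SAMPLE_EVENTS = [
    "12.12.12.12 VMWare VMX Status has been set",     # the one event to suppress
    "10.0.0.5 VMWare VMX Status has been set",        # same alert, other host: keep
    "12.12.12.12 VMWare VM powered on",               # same host, other alert: keep
    "112.12.12.121 VMWare VMX Status has been set",   # superset address: keep
    "12x12x12x12 VMWare VMX Status has been set",     # unescaped '.' would match this: keep
]

SUPPRESS_IP = "12.12.12.12"
SUPPRESS_EVENT = "VMWare VMX Status has been set"

# Naive pattern as it is often typed the first time: dots unescaped, IP unanchored.
NAIVE_RE = re.compile(SUPPRESS_IP + r".*" + SUPPRESS_EVENT)

# Corrected pattern: re.escape() makes every dot literal, and the lookarounds require
# that the IP is not preceded or followed by another digit or dot, so it must be a
# whole address and not a substring of a longer one.
STRICT_RE = re.compile(
    r"(?<![\d.])" + re.escape(SUPPRESS_IP) + r"(?![\d.])"
    + r".*" + re.escape(SUPPRESS_EVENT)
)


def naive_should_suppress(line: str) -> bool:
    """Return True if the naive (buggy) pattern would drop this event."""
    return NAIVE_RE.search(line) is not None


def should_suppress(line: str) -> bool:
    """Return True if the event is from SUPPRESS_IP and has SUPPRESS_EVENT as its name."""
    return STRICT_RE.search(line) is not None


def filter_events(lines):
    """Return the events that should still be parsed, i.e. everything not suppressed."""
    return [line for line in lines if not should_suppress(line)]


def naive_dropped(lines):
    """Events the naive pattern would drop, to show its false positives."""
    return [line for line in lines if naive_should_suppress(line)]


if __name__ == "__main__":
    print("kept by strict filter:")
    for line in filter_events(SAMPLE_EVENTS):
        print("  ", line)
    print("wrongly dropped by naive pattern:")
    for line in naive_dropped(SAMPLE_EVENTS):
        if not should_suppress(line):
            print("  ", line)
```

Run as-is, the strict filter drops exactly the first sample line and keeps the other four, whereas the naive pattern also drops the `112.12.12.121` and `12x12x12x12` lines. Whatever the exact Content String dialect in the ESM filter editor turns out to be, the same two fixes apply: escape the dots in the address and make sure the address cannot match as part of a longer one.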