0 Replies Latest reply on Mar 24, 2016 2:35 AM by beans90

    Standard DEM rule suppression


      We have a standard rule that shows an event when the SELECT query is run against SQL and Oracle databases.  The problem is we have automated scripts and mirroring that run every 10 mins, so we are seeing millions of these events per day.


      Am I able to exclude specific hosts from this rule?  I was thinking of a correlation rule that combines the filters by the signature ID then by IP address to remove them, but I'm not sure if this would work, or if it would just double up on the events we are seeing.