https://live.paloaltonetworks.com/t5/general-topics/log-filters-nested-and-or-problems/m-p/205601#M60346 <P>Sorry about the comment but there seems to be little or no documentation to creating filters and common logic does not seem to work. I am a forum contributor [mostly answering questions] on a wide number of forums for many different subjects and a&nbsp;moderator on 3 automotive forums so I do offer my time freely to people also.</P><P>&nbsp;</P><P>But nobody seems to have ever had a problem, searched high and low, &nbsp;which leads me to wonder if people bother?</P><P>&nbsp;</P><P>It's counter productive being alerted to a bunch of stuff that we want to ignore, can't see the wood from the trees.</P><P>&nbsp;</P><P>Thanks</P><P>&nbsp;</P><P>Rob</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 15 Mar 2018 09:48:49 GMT RobinClayton 2018-03-15T09:48:49Z https://live.paloaltonetworks.com/t5/general-topics/log-filters-nested-and-or-problems/m-p/205085#M60245 <P>Is there a proper guide to filter wrtiting and nesting????</P><P>&nbsp;</P><P>Trying as hard as I can but the Palo does nto seem to like basic logic for searching</P><P>&nbsp;</P><P>Basicaly the below should alert if the following</P><P>&nbsp;</P><P>Medium or higher,&nbsp;</P><P>threat 40031 except if the destiantion is&nbsp;192.168.10.140.</P><P>Not for threat 30664</P><P>Not for threat 37610</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>(severity geq medium) and&nbsp;</P><P>(</P><P>&nbsp;&nbsp;&nbsp;&nbsp; ((addr.dst notin 192.168.10.140) and (threatid eq 40031))&nbsp;</P><P>&nbsp; or</P><P>&nbsp;&nbsp;&nbsp;&nbsp;(threatid neq 30664)</P><P>&nbsp; or</P><P>&nbsp;&nbsp;&nbsp; (threatid neq 37610)</P><P>&nbsp;)</P><P>&nbsp;</P><P>&nbsp;</P><P>I have tried all manaer of different groupings to try and get it to work but it simply does nto seem to understand.. Getting very frustrated with it!</P> Tue, 13 Mar 2018 12:54:45 GMT https://live.paloaltonetworks.com/t5/general-topics/log-filters-nested-and-or-problems/m-p/205085#M60245 RobinClayton 2018-03-13T12:54:45Z https://live.paloaltonetworks.com/t5/general-topics/log-filters-nested-and-or-problems/m-p/205351#M60296 <P>Anyone?</P><P>&nbsp;</P><P>Or does nobody look at their threats?</P><P>&nbsp;</P><P>Cheers</P><P>&nbsp;</P><P>Rob</P> Wed, 14 Mar 2018 09:22:48 GMT https://live.paloaltonetworks.com/t5/general-topics/log-filters-nested-and-or-problems/m-p/205351#M60296 RobinClayton 2018-03-14T09:22:48Z https://live.paloaltonetworks.com/t5/general-topics/log-filters-nested-and-or-problems/m-p/205460#M60321 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/71756">@RobinClayton</a><BR /><BR /></P><P>"or does nobody look at their threats".</P><P>I'm sorry,&nbsp;I didn't realize that a bunch of people who volunteer&nbsp;their time had a requirement to answer your question in less than 24 hours.</P><P>I'll give you a hint; your going about setting up the query wrong, and if properly formated it's pretty easy to get it filtered to what you're looking for.&nbsp;</P> Wed, 14 Mar 2018 20:04:01 GMT https://live.paloaltonetworks.com/t5/general-topics/log-filters-nested-and-or-problems/m-p/205460#M60321 BPry 2018-03-14T20:04:01Z https://live.paloaltonetworks.com/t5/general-topics/log-filters-nested-and-or-problems/m-p/205498#M60336 <P>Just a "like" for <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>'s post is not enough. I thought I need to write it here: this answer is simply great!</P> Wed, 14 Mar 2018 22:15:51 GMT https://live.paloaltonetworks.com/t5/general-topics/log-filters-nested-and-or-problems/m-p/205498#M60336 Remo 2018-03-14T22:15:51Z https://live.paloaltonetworks.com/t5/general-topics/log-filters-nested-and-or-problems/m-p/205601#M60346 <P>Sorry about the comment but there seems to be little or no documentation to creating filters and common logic does not seem to work. I am a forum contributor [mostly answering questions] on a wide number of forums for many different subjects and a&nbsp;moderator on 3 automotive forums so I do offer my time freely to people also.</P><P>&nbsp;</P><P>But nobody seems to have ever had a problem, searched high and low, &nbsp;which leads me to wonder if people bother?</P><P>&nbsp;</P><P>It's counter productive being alerted to a bunch of stuff that we want to ignore, can't see the wood from the trees.</P><P>&nbsp;</P><P>Thanks</P><P>&nbsp;</P><P>Rob</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 15 Mar 2018 09:48:49 GMT https://live.paloaltonetworks.com/t5/general-topics/log-filters-nested-and-or-problems/m-p/205601#M60346 RobinClayton 2018-03-15T09:48:49Z https://live.paloaltonetworks.com/t5/general-topics/log-filters-nested-and-or-problems/m-p/340177#M85390 <P>Landed on this thread looking for this same solution, the proper syntax to build a nested filter similar to the example by the OP. This thread is marked as solved, but no solution is posted. Am I missing something?</P> Wed, 22 Jul 2020 21:22:59 GMT https://live.paloaltonetworks.com/t5/general-topics/log-filters-nested-and-or-problems/m-p/340177#M85390 eventcore 2020-07-22T21:22:59Z