This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Log filters nested and/or problems.

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Log filters nested and/or problems.

Go to solution
RobinClayton
L4 Transporter

‎03-13-2018 05:54 AM

Is there a proper guide to filter wrtiting and nesting????

 

Trying as hard as I can but the Palo does nto seem to like basic logic for searching

 

Basicaly the below should alert if the following

 

Medium or higher, 

threat 40031 except if the destiantion is 192.168.10.140.

Not for threat 30664

Not for threat 37610

 

 

 

(severity geq medium) and 

(

     ((addr.dst notin 192.168.10.140) and (threatid eq 40031)) 

  or

    (threatid neq 30664)

  or

    (threatid neq 37610)

 )

 

 

I have tried all manaer of different groupings to try and get it to work but it simply does nto seem to understand.. Getting very frustrated with it!

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
Remo
L7 Applicator
In response to BPry

‎03-14-2018 03:15 PM

Just a "like" for @BPry's post is not enough. I thought I need to write it here: this answer is simply great!

View solution in original post

0 Likes Likes
5 REPLIES 5

Go to solution
RobinClayton
L4 Transporter

‎03-14-2018 02:22 AM

Anyone?

 

Or does nobody look at their threats?

 

Cheers

 

Rob

0 Likes Likes

Go to solution
BPry
Cyber Elite
Cyber Elite
In response to RobinClayton

‎03-14-2018 01:04 PM

@RobinClayton

"or does nobody look at their threats".

I'm sorry, I didn't realize that a bunch of people who volunteer their time had a requirement to answer your question in less than 24 hours.

I'll give you a hint; your going about setting up the query wrong, and if properly formated it's pretty easy to get it filtered to what you're looking for. 

Go to solution
Remo
L7 Applicator
In response to BPry

‎03-14-2018 03:15 PM

Just a "like" for @BPry's post is not enough. I thought I need to write it here: this answer is simply great!

0 Likes Likes

Go to solution
RobinClayton
L4 Transporter
In response to Remo

‎03-15-2018 02:48 AM

Sorry about the comment but there seems to be little or no documentation to creating filters and common logic does not seem to work. I am a forum contributor [mostly answering questions] on a wide number of forums for many different subjects and a moderator on 3 automotive forums so I do offer my time freely to people also.

 

But nobody seems to have ever had a problem, searched high and low,  which leads me to wonder if people bother?

 

It's counter productive being alerted to a bunch of stuff that we want to ignore, can't see the wood from the trees.

 

Thanks

 

Rob

 

 

 

 

0 Likes Likes

Go to solution
eventcore
L0 Member
In response to RobinClayton

‎07-22-2020 02:22 PM

Landed on this thread looking for this same solution, the proper syntax to build a nested filter similar to the example by the OP. This thread is marked as solved, but no solution is posted. Am I missing something?

0 Likes Likes
  • 1 accepted solution
  • 3787 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks