Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
03-13-2018 05:54 AM
Is there a proper guide to filter wrtiting and nesting????
Trying as hard as I can but the Palo does nto seem to like basic logic for searching
Basicaly the below should alert if the following
Medium or higher,
threat 40031 except if the destiantion is 192.168.10.140.
Not for threat 30664
Not for threat 37610
(severity geq medium) and
(
((addr.dst notin 192.168.10.140) and (threatid eq 40031))
or
(threatid neq 30664)
or
(threatid neq 37610)
)
I have tried all manaer of different groupings to try and get it to work but it simply does nto seem to understand.. Getting very frustrated with it!
03-14-2018 03:15 PM
Just a "like" for @BPry's post is not enough. I thought I need to write it here: this answer is simply great!
03-14-2018 02:22 AM
Anyone?
Or does nobody look at their threats?
Cheers
Rob
03-14-2018 01:04 PM
"or does nobody look at their threats".
I'm sorry, I didn't realize that a bunch of people who volunteer their time had a requirement to answer your question in less than 24 hours.
I'll give you a hint; your going about setting up the query wrong, and if properly formated it's pretty easy to get it filtered to what you're looking for.
03-14-2018 03:15 PM
Just a "like" for @BPry's post is not enough. I thought I need to write it here: this answer is simply great!
03-15-2018 02:48 AM
Sorry about the comment but there seems to be little or no documentation to creating filters and common logic does not seem to work. I am a forum contributor [mostly answering questions] on a wide number of forums for many different subjects and a moderator on 3 automotive forums so I do offer my time freely to people also.
But nobody seems to have ever had a problem, searched high and low, which leads me to wonder if people bother?
It's counter productive being alerted to a bunch of stuff that we want to ignore, can't see the wood from the trees.
Thanks
Rob
07-22-2020 02:22 PM
Landed on this thread looking for this same solution, the proper syntax to build a nested filter similar to the example by the OP. This thread is marked as solved, but no solution is posted. Am I missing something?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
