Is there a proper guide to filter wrtiting and nesting????
Trying as hard as I can but the Palo does nto seem to like basic logic for searching
Basicaly the below should alert if the following
Medium or higher,
threat 40031 except if the destiantion is 192.168.10.140.
Not for threat 30664
Not for threat 37610
(severity geq medium) and
((addr.dst notin 192.168.10.140) and (threatid eq 40031))
(threatid neq 30664)
(threatid neq 37610)
I have tried all manaer of different groupings to try and get it to work but it simply does nto seem to understand.. Getting very frustrated with it!
Solved! Go to Solution.
"or does nobody look at their threats".
I'm sorry, I didn't realize that a bunch of people who volunteer their time had a requirement to answer your question in less than 24 hours.
I'll give you a hint; your going about setting up the query wrong, and if properly formated it's pretty easy to get it filtered to what you're looking for.
Sorry about the comment but there seems to be little or no documentation to creating filters and common logic does not seem to work. I am a forum contributor [mostly answering questions] on a wide number of forums for many different subjects and a moderator on 3 automotive forums so I do offer my time freely to people also.
But nobody seems to have ever had a problem, searched high and low, which leads me to wonder if people bother?
It's counter productive being alerted to a bunch of stuff that we want to ignore, can't see the wood from the trees.
Landed on this thread looking for this same solution, the proper syntax to build a nested filter similar to the example by the OP. This thread is marked as solved, but no solution is posted. Am I missing something?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!