Custom / Array filter in IM Aggregation Rules

Question asked by Stephen Holmes on Nov 29, 2016

In Security Analytics > Incident Management > Aggregation Rules, is there a way to filter via custom meta without using an advanced query and/or filter via an array? Lastly, can a reference to a list in the reporting module be used as a reference for the query?

For example:

  1. Source IP is not in 5.5.5.5, 2.2.2.2, 3.3.3.3

  2. Source IP is not in IP whitelist

If not, can you provide a few examples of mongo queries used here?