Hi,
I've set up an ESA alert to trigger when a meta in 'alert' is generated and matches a certain string.
I'd like to be able to filter false positives based on an ip.dst value.
I thought I had it figured out by adding another condition that states if ip.dst is not a certain value, but it still seems to be triggering.
Updated ESA rule has been deployed.
Any hints on where to look?
Thanks,
You should try:
ip_dst NOT IN ('1.2.3.4','1.2.3.5')
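As an added illustration (not part of the original reply), here is how that exclusion fits into a complete ESA EPL rule. It assumes the alert meta is matched with LIKE against a placeholder string, that the event stream is named Event, and that ESA refers to the ip.dst meta key as ip_dst (dots replaced by underscores), which is the usual reason a condition written as ip.dst never matches.

```sql
-- Added example, not from the original thread.
-- Assumptions: stream name Event, meta key ip.dst exposed as ip_dst,
-- and '%PLACEHOLDER_STRING%' standing in for the real alert text.
@RSAAlert
SELECT * FROM Event(
    alert IS NOT NULL
    AND alert LIKE '%PLACEHOLDER_STRING%'
    -- Exclude the known false-positive destinations.
    AND ip_dst NOT IN ('1.2.3.4', '1.2.3.5')
);
```

Check the rule's syntax status after deploying it; a meta key that does not exist in the schema (for example ip.dst with a dot) can deploy without error yet never evaluate true.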