
Filtering a false positive from an ESA alert

Question asked by Jeremy Kerwin on Nov 21, 2017
Latest reply on Nov 26, 2017 by Jeremy Kerwin


I've set up an ESA alert to trigger when a meta in 'alert' is generated and matches a certain string.

I'd like to be able to filter false positives based on an ip.dst value.

I thought I had it figured out by adding another condition that states if ip.dst is not a certain value, but it still seems to be triggering.

Updated ESA rule has been deployed.


Any hints on where to look?
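For reference, here is the shape an ESA rule with an ip.dst exclusion typically takes. This is an added Esper EPL example, not the poster's rule and not RSA's own code. It assumes the ESA event schema exposes meta keys with underscores (`ip_dst` for ip.dst), that `alert` is a multi-valued (array) key, and the string `'suspicious string'` and the excluded destination `203.0.113.10` are constructed placeholders:

```sql
-- Added example (Esper EPL as used by NetWitness ESA); names and values are assumptions.
-- Fires once per event whose 'alert' meta contains the watched string,
-- except when the destination is the known-good host.
@Name('filtered_alert_example')
@RSAAlert
SELECT *
FROM Event(
    /* alert is an array key, so test each value rather than comparing the whole array */
    alert IS NOT NULL
    AND alert.anyOf(v => v LIKE '%suspicious string%')
    /* exclusion: keep the event unless ip_dst is the whitelisted host.
       The IS NULL branch matters: a plain ip_dst != '...' evaluates to null
       (not true) when the event carries no ip_dst, so the rule would stop
       firing on those events instead of ignoring the one host. */
    AND (ip_dst IS NULL OR ip_dst != '203.0.113.10')
);
```

When checking why an exclusion does not take effect, it helps to confirm three things on the ESA side: that the event actually carries `ip_dst` (and not only `ip_src` or `alias_ip`), that the negated condition is joined to the match with `AND` rather than `OR`, and that the deployed rule text on the ESA server is the updated version rather than a cached earlier copy.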