
Advanced ESA Rule help, filter out ip_dst

Question asked by Jeremy Kerwin on Jan 30, 2020
Latest reply on Feb 7, 2020 by Josh Randall

Hi All,

I have the following ESA rule.

SELECT * FROM Event((alert IS NOT NULL AND ((asStringArray(alert)).anyOf(v => v.toLowerCase() LIKE '%bear%') OR (asStringArray(alert)).anyOf(v => v.toLowerCase() LIKE '%spider%'))))

I want to be able to not trigger when an ip_dst is set.

e.g. IF ALERT is like bear and ip_dst is not 128.0.0.1

I'm having a brain block on how to write the syntax.

Thanks.
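As an added example (not part of the original post or its replies), here is the rule above extended with the destination-IP exclusion in Esper EPL, the language NetWitness ESA advanced rules are written in. It assumes ip_dst is exposed to ESA as a string meta key, as in the poster's rule; the 128.0.0.1 value is the one given in the question.

```sql
/* Match alerts containing "bear" or "spider", but suppress the match when
   ip_dst is exactly 128.0.0.1.  Added example, not the original rule. */
SELECT * FROM Event(
    alert IS NOT NULL
    AND (
        (asStringArray(alert)).anyOf(v => v.toLowerCase() LIKE '%bear%')
        OR (asStringArray(alert)).anyOf(v => v.toLowerCase() LIKE '%spider%')
    )
    /* NULL-safe exclusion: a bare "ip_dst != '128.0.0.1'" evaluates to
       unknown when the event carries no ip_dst at all, so the alert would
       silently stop firing for events with no destination IP.  Testing
       IS NULL first keeps those events matching. */
    AND (ip_dst IS NULL OR ip_dst != '128.0.0.1')
)
```

To suppress the alert whenever any ip_dst is present (the other reading of "not trigger when an ip_dst is set"), replace the last clause with `AND ip_dst IS NULL`.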
