AnsweredAssumed Answered

Advanced ESA Rule help, filter out ip_dst

Question asked by Jeremy Kerwin on Jan 30, 2020
Latest reply on Feb 7, 2020 by Josh Randall

Hi All,


I have the following ESA rule.


SELECT * FROM Event((alert IS NOT NULL AND ((asStringArray(alert)).anyOf(v => v.toLowerCase() LIKE '%bear%') OR (asStringArray(alert)).anyOf(v => v.toLowerCase() LIKE '%spider%'))))


I want to be able to not trigger when an ip_dst is set.


eg. IF ALERT is like bear and ip_dst is not 


I'm having a brain block on how to write the syntax.