I am attempting to create a custom trigger condition for the alert below that will only trigger if the dest_ip does not equal a specific IP.
Currently I am attempting this with "Trigger alert when: Custom" set to: search NOT dest_ip=xxx.xxx.xxx.xxx
and have also tried: search dest_ip!=xxx.xxx.xxx.xxx
and I am still seeing email alerts being sent for alerts in which the destination IP is the one that should be omitted.
index=someindex [search index=someindex retro_disposition=3 OR disposition=3 latest=now earliest=-3m | fields sha256] | eval time=strftime(event_sec,"%m/%d/%y %H:%M:%S") | table _time time src_ip src_port dest_ip dest_port file_type file_name file_size retro_disposition disposition sha256 sensor uri | sort sha256 -_time
Any help is greatly appreciated,
Jimmy
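An added illustration of why the custom trigger condition alone does not keep the omitted IP out of the email (this is not code from the original post, and it models Splunk's behaviour rather than calling Splunk). The model assumes what a custom trigger condition does: the condition search (here `search NOT dest_ip=<ip>`) is run over the rows the alert search returned, the alert fires if any row survives, but the alert action (the email) is handed the original, unfiltered rows. The IP value, field names and rows below are constructed placeholders standing in for xxx.xxx.xxx.xxx and the post's table.

```python
# Model of how a Splunk custom trigger condition is evaluated (added
# illustration, not Splunk's own code). ASSUMPTION: the condition search
# filters a copy of the alert results to decide whether to fire; the email
# action still receives the unfiltered results.

OMIT_IP = "203.0.113.10"  # placeholder for the xxx.xxx.xxx.xxx in the post

# Constructed sample rows shaped like the post's table output.
RESULTS_MIXED = [
    {"src_ip": "10.0.0.5", "dest_ip": "203.0.113.10", "sha256": "aaa", "disposition": 3},
    {"src_ip": "10.0.0.6", "dest_ip": "198.51.100.7", "sha256": "bbb", "disposition": 3},
]
RESULTS_ONLY_OMITTED = [
    {"src_ip": "10.0.0.5", "dest_ip": "203.0.113.10", "sha256": "aaa", "disposition": 3},
]


def condition_search(rows, omit_ip):
    """Equivalent of `search NOT dest_ip=<omit_ip>` (or `dest_ip!=<omit_ip>`)
    applied to a row set; returns the rows that pass the filter."""
    return [r for r in rows if r["dest_ip"] != omit_ip]


def evaluate_custom_trigger(rows, omit_ip):
    """Custom trigger condition as modelled here: fires if the condition
    search leaves any row, but the email gets the ORIGINAL rows.
    Returns (fires, rows_sent_to_email)."""
    remaining = condition_search(rows, omit_ip)
    return len(remaining) > 0, rows


def evaluate_filter_in_base_search(rows, omit_ip):
    """Alternative: put the same filter into the alert's base search
    (e.g. append `| search NOT dest_ip=<ip>` before `| table ...`), so the
    result set itself never contains the omitted IP. Then the default
    'number of results > 0' trigger and the email agree.
    Returns (fires, rows_sent_to_email)."""
    filtered = condition_search(rows, omit_ip)
    return len(filtered) > 0, filtered


def email_contains_ip(rows, ip):
    """Helper: does the emailed row set still mention the omitted IP?"""
    return any(r["dest_ip"] == ip for r in rows)


if __name__ == "__main__":
    fires, emailed = evaluate_custom_trigger(RESULTS_MIXED, OMIT_IP)
    print("custom trigger: fires =", fires,
          "; email still contains omitted IP =", email_contains_ip(emailed, OMIT_IP))
    fires, emailed = evaluate_filter_in_base_search(RESULTS_MIXED, OMIT_IP)
    print("filter in base search: fires =", fires,
          "; email contains omitted IP =", email_contains_ip(emailed, OMIT_IP))
    fires, _ = evaluate_custom_trigger(RESULTS_ONLY_OMITTED, OMIT_IP)
    print("custom trigger, only omitted IP present: fires =", fires)
```

Under this model the custom condition does suppress the alert when every row has the omitted destination, which is why the condition looks correct in isolation; it only fails to scrub that IP from the email when a run also contains other destinations. Filtering in the base search removes the rows before either the trigger or the action sees them.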