I have a correlation search created. However, I want to exclude files from being alerted upon. I have a lookup file created that has a list of files to be excluded; however, when I call that lookup file to exclude the files, the search results will exclude the whole host and affected files, not just the singular file I want excluded.

My tstats search:

| tstats values(Symantec_ICDX.device_public_ip) values(Symantec_ICDX.user_name) values(Symantec_ICDX.file.name) values(Symantec_ICDX.threat.name) values(Symantec_ICDX.type) values(Symantec_ICDX.file.sha2) as Symantec_ICDX.file.sha2 values(Symantec_ICDX.file.path) from datamodel=Symantec_ICDX by Symantec_ICDX.device_name
| rename Symantec_ICDX.device_name as dest, values(Symantec_ICDX.device_public_ip) as dest_ip, values(Symantec_ICDX.user_name) as user, values(Symantec_ICDX.file.name) as file_name, values(Symantec_ICDX.threat.name) as threat_name, values(Symantec_ICDX.type) as type, Symantec_ICDX.file.sha2 as file_hash, values(Symantec_ICDX.file.path) as file_path

Results of tstats search:

New tstats search with putting in ruby.exe into the lookup file.

| tstats values(Symantec_ICDX.device_public_ip) values(Symantec_ICDX.user_name) values(Symantec_ICDX.file.name) values(Symantec_ICDX.threat.name) values(Symantec_ICDX.type) values(Symantec_ICDX.file.sha2) as Symantec_ICDX.file.sha2 values(Symantec_ICDX.file.path) from datamodel=Symantec_ICDX by Symantec_ICDX.device_name
| rename Symantec_ICDX.device_name as dest, values(Symantec_ICDX.device_public_ip) as dest_ip, values(Symantec_ICDX.user_name) as user, values(Symantec_ICDX.file.name) as file_name, values(Symantec_ICDX.threat.name) as threat_name, values(Symantec_ICDX.type) as type, Symantec_ICDX.file.sha2 as file_hash, values(Symantec_ICDX.file.path) as file_path
| search NOT [| inputlookup exclusions.csv | fields file_name]
| search dest=COFGOOPAL2572TW

Results:

Lookup file:
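Added example, not part of the original post. The behaviour described above follows from how the search is grouped: `by Symantec_ICDX.device_name` yields one row per host, and `values(Symantec_ICDX.file.name)` collects every file seen on that host into a single multivalue `file_name` field. The subsearch `[| inputlookup exclusions.csv | fields file_name]` expands to a filter such as `NOT (file_name="ruby.exe" OR ...)`, which matches the host's whole row whenever any of its values is listed, so the host and all its other files are dropped together. One way to exclude only the listed file is to split by file name as well, apply the exclusion while each row is a single (host, file) pair, and then re-aggregate per host. This assumes the same data model fields as the post and an `exclusions.csv` lookup with a `file_name` column.

```spl
| tstats values(Symantec_ICDX.device_public_ip) as dest_ip
         values(Symantec_ICDX.user_name) as user
         values(Symantec_ICDX.threat.name) as threat_name
         values(Symantec_ICDX.type) as type
         values(Symantec_ICDX.file.sha2) as file_hash
         values(Symantec_ICDX.file.path) as file_path
    from datamodel=Symantec_ICDX
    by Symantec_ICDX.device_name Symantec_ICDX.file.name
| rename Symantec_ICDX.device_name as dest, Symantec_ICDX.file.name as file_name
| search NOT [| inputlookup exclusions.csv | fields file_name]
| stats values(dest_ip) as dest_ip
        values(user) as user
        values(file_name) as file_name
        values(threat_name) as threat_name
        values(type) as type
        values(file_hash) as file_hash
        values(file_path) as file_path
    by dest
```

After the `rename`, each row is one host and one file name, so the `search NOT [...]` removes only the rows whose `file_name` appears in the lookup. The closing `stats ... by dest` rebuilds the original one-row-per-host shape; a host now disappears from the results only when every file observed on it is in the exclusion list. The original `| search dest=...` test filter can be appended after the `stats` as before. Note that the remaining `values()` fields (hash, path, threat name) are still collected per (host, file) pair, so a hash or path belonging to an excluded file is dropped along with it rather than lingering in the host's aggregate.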