Hi community!
I've been using the FAZ handlers and they've been a great help. I am trying to exclude the notifications for a specific network, so according to documentation it has to be inserted with Regex in Generic
For example this one works fine without adding the following syntax: and !(srcip~"10.39.14\.[1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]")
I was trying to exclude any notification from a host within this network: 10.39.14.0/24
Bolded text is what comes in the handler, the rest is added by me
(catdesc=='Malicious Websites' or catdesc=='Phishing' or catdesc=='Spam URLs' or catdesc=='Newly Observed Domain' or catdesc=='Newly Registered Domain' or catdesc~'Dynamic DNS' or catdesc=='Proxy Avoidance') and !(srcip~"10.39.14\.[1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]")
However, after the change I stopped receiving the notifications... Is it possible to do it?
Thanks
Andres
Hello Andres,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hello Andres,
Did you already have a look at this document?
Could you please tell me if it is helping?
Regards,
Hi Anthony,
Thanks for the follow-up! Yeap, that helps as long as you insert a specific IP address, for example 10.39.14.7; I tried it before and it works. But if I wanted to exclude a whole network, 10.39.14.0/24, I understand that it has to be managed in generic text filters with regex, because I've tried the exclusion pre-filters with 10.39.14.0/24 or 10.39.14.* but none of those work there.
Thanks,
Andres
Have you tried with Subnets?
Hi @ebilcari
Yeap... but it doesn't work with subnets. My understanding is that the log comes with the specific IP address, therefore the regex has to be written against the IP.
Thanks!
Hello Skytech,
Oh ok.
I will try to find an expert to reply to your question :)! It will be more accurate!
Regards,
Hi @Skytech1 ,
Since you need to exclude network 10.39.14.0/24 , you may try this expression: srcip!~"10.39.14\.[0-9]+"
You may refer to this KB:
Hi @smkml, that did the trick!! Thanks a lot!
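Added example (not code from the thread or from Fortinet): a small Python check that shows why the original `!(srcip~...)` expression silenced every notification and why the accepted `srcip!~"10.39.14\.[0-9]+"` works. The point is regex alternation precedence: without parentheses, `10.39.14\.[1-9]|[1-9][0-9]|...` means "either `10.39.14.X` or any two-digit number anywhere", so the negated clause drops practically every log line. The sample addresses are constructed, and the script assumes the handler's `~` operator behaves like an unanchored regex search with standard alternation semantics, which is true of every common regex engine but is not confirmed by the thread. The `STRICT` pattern (escaped dots, anchors, last octet limited to 0-255) is my own variant; whether FortiAnalyzer accepts `^` and `$` in a generic text filter is likewise an assumption, so the script compares each regex against an `ipaddress`-based CIDR test as ground truth.

```python
import ipaddress
import re

# Constructed sample values for the srcip field (not taken from the thread).
# 10.39.140.7 and 110.39.14.7 are deliberate "near misses" for the subnet.
SAMPLE_SRCIPS = [
    "10.39.14.7", "10.39.14.0", "10.39.14.250",
    "10.39.140.7", "110.39.14.7", "10.39.15.8",
    "192.168.45.3", "172.16.1.1",
]

# The pattern from the original question, exactly as posted.
ORIGINAL = r"10.39.14\.[1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]"
# The pattern from the accepted answer.
ACCEPTED = r"10.39.14\.[0-9]+"
# Assumed stricter variant: dots escaped, anchored, last octet 0-255 only.
STRICT = r"^10\.39\.14\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9])$"

SUBNET = ipaddress.ip_network("10.39.14.0/24")


def regex_hits(pattern: str, ip: str) -> bool:
    """Unanchored substring search; assumed to mirror the handler's '~' operator."""
    return re.search(pattern, ip) is not None


def kept_after_exclusion(pattern: str, ips: list[str]) -> list[str]:
    """Addresses that would still trigger the handler after 'and !(srcip~pattern)'."""
    return [ip for ip in ips if not regex_hits(pattern, ip)]


def in_subnet(ip: str) -> bool:
    """Ground truth: CIDR membership, independent of any regex."""
    return ipaddress.ip_address(ip) in SUBNET


def regex_disagreements(pattern: str, ips: list[str]) -> list[str]:
    """Addresses where the regex and the CIDR test give different answers."""
    return [ip for ip in ips if regex_hits(pattern, ip) != in_subnet(ip)]


if __name__ == "__main__":
    for name, pat in (("original", ORIGINAL), ("accepted", ACCEPTED), ("strict", STRICT)):
        print(f"{name:9s} still alerts on : {kept_after_exclusion(pat, SAMPLE_SRCIPS)}")
        print(f"{name:9s} disagrees w/CIDR: {regex_disagreements(pat, SAMPLE_SRCIPS)}")
```

Running it shows the original pattern leaves an empty list of alerting addresses (every sample contains some two-digit number, so the negation excludes all of them), the accepted pattern behaves correctly for every realistic address and only over-matches the artificial `110.39.14.7` because it is an unanchored substring search, and the anchored variant agrees with the CIDR test on every sample. When tuning an exclusion like this, checking the pattern offline against a few in-subnet and near-miss addresses before deploying it is what would have caught the silent "no more notifications" outcome.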
Hi,
Just one example:
To meet the requirement not to trigger the event handler when (dst ip == 10.1.13.33 or hostname == "proxy-safebrowsing.googleapis.com"),
the prefilter can be (dst ip != 10.1.13.33 and hostname != "proxy-safebrowsing.googleapis.com"). This will look for logs other than the specified dstip and hostname.
Copyright 2024 Fortinet, Inc. All Rights Reserved.