Handlers with generic filters on FAZ to exclude network
Hi community!
I've been using the FAZ handlers and they've been a great help. I am trying to exclude the notifications for a specific network, and according to the documentation it has to be done with a regex in the Generic filter.
For example, this one works fine without adding the following syntax: and !(srcip~"10.39.14\.[1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]")
I was trying to exclude any notification from a host within this network: 10.39.14.0/24
Bolded text is what comes in the handler, the rest is added by me
(catdesc=='Malicious Websites' or catdesc=='Phishing' or catdesc=='Spam URLs' or catdesc=='Newly Observed Domain' or catdesc=='Newly Registered Domain' or catdesc~'Dynamic DNS' or catdesc=='Proxy Avoidance') and !(srcip~"10.39.14\.[1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]")
However, after the change I stopped receiving the notifications... is it possible to do it?
Thanks
Andres
Labels: FortiAnalyzer
Hi @Skytech1 ,
Since you need to exclude network 10.39.14.0/24, you may try this expression: srcip!~"10.39.14\.[0-9]+"
You may refer to this KB:
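The two patterns in this thread behave very differently, and the reason is worth seeing on sample data. Below is an added Python check (not part of the thread and not a FortiAnalyzer tool) that models the handler's `~` operator as an unanchored regex search like Python's `re.search` (an assumption about the filter engine), runs the original post's pattern and the accepted answer's pattern over a few constructed srcip values, and compares the result with a CIDR check from the `ipaddress` module. It shows why the original expression silenced every notification: without grouping, the `|` splits the whole pattern into five alternatives, and `[1-9][0-9]` alone matches almost any IP address. The anchored `ANCHORED_PATTERN` is a hypothetical stricter variant that assumes the engine honours `^`, `$` and grouping; it is included to show the substring caveat of the unanchored answer (an address such as 110.39.14.5 contains "10.39.14.5"), not as a tested FortiAnalyzer expression.

```python
import ipaddress
import re

# Constructed sample srcip values (not taken from any real FortiAnalyzer log).
SAMPLE_SRCIPS = [
    "10.39.14.7",      # inside 10.39.14.0/24
    "10.39.14.250",    # inside
    "10.39.14.0",      # inside (network address)
    "10.39.15.7",      # neighbouring /24, must NOT be excluded
    "192.168.1.20",    # unrelated, must NOT be excluded
    "110.39.14.5",     # unrelated, but contains the substring "10.39.14.5"
]

# Pattern from the original post, copied verbatim. The top-level `|` splits the
# WHOLE pattern into five alternatives, so `[1-9][0-9]` on its own matches any
# IP that contains a non-zero digit followed by a digit, i.e. nearly all of them.
OP_PATTERN = r"10.39.14\.[1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]"

# Pattern from the accepted answer.
ANSWER_PATTERN = r"10.39.14\.[0-9]+"

# Hypothetical stricter variant added here: anchored at both ends, dots escaped,
# last octet grouped and limited to 0-255. Assumes the filter engine honours
# `^`, `$` and grouping; verify on your own FortiAnalyzer before relying on it.
ANCHORED_PATTERN = r"^10\.39\.14\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]?|0)$"


def srcip_matches(srcip: str, pattern: str) -> bool:
    """Model `srcip~"pattern"` as an unanchored regex search (assumption)."""
    return re.search(pattern, srcip) is not None


def surviving_srcips(srcips, pattern):
    """Source IPs that still trigger the handler under `... and !(srcip~"pattern")`."""
    return [ip for ip in srcips if not srcip_matches(ip, pattern)]


def expected_survivors(srcips, cidr="10.39.14.0/24"):
    """Ground truth: every address outside the subnet, decided by ipaddress, not regex."""
    net = ipaddress.ip_network(cidr)
    return [ip for ip in srcips if ipaddress.ip_address(ip) not in net]


def excludes_exactly_subnet(pattern, srcips=SAMPLE_SRCIPS):
    """True when the regex exclusion agrees with the CIDR ground truth on the samples."""
    return surviving_srcips(srcips, pattern) == expected_survivors(srcips)


if __name__ == "__main__":
    for name, pat in [("original post", OP_PATTERN),
                      ("accepted answer", ANSWER_PATTERN),
                      ("anchored variant", ANCHORED_PATTERN)]:
        print(f"{name:16s} survivors: {surviving_srcips(SAMPLE_SRCIPS, pat)}")
    print("ground truth     survivors:", expected_survivors(SAMPLE_SRCIPS))
```

Running it prints an empty survivor list for the original pattern (every sample is excluded, which is exactly the "stopped receiving notifications" symptom), the two out-of-subnet addresses for the accepted answer (with 110.39.14.5 wrongly swallowed by the substring match), and a list identical to the CIDR ground truth for the anchored variant. When writing such an exclusion, the thing to check is the survivor list against a CIDR oracle on a handful of in- and out-of-subnet addresses, not just that the in-subnet case is silenced.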
Hello Andres,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hello Andres,
Did you already have a look at this document?:
Could you please tell me if it is helping?
Regards,
Hi Anthony,
Thanks for the follow-up! Yeap, that helps as long as you insert a specific IP address, for example 10.39.14.7; I tried that before and it works. But if I wanted to exclude a whole network, 10.39.14.0/24, I understand that it has to be managed in the generic text filters with regex... because I've tried with exclusion pre-filters with 10.39.14.0/24 or 10.39.14.* but none of those work there.
Thanks,
Andres
Have you tried with Subnets?
Hi @ebilcari
Yeap... but it doesn't work with subnets; my understanding is that the log comes with the specific IP address, therefore the regex has to be with the IP.
Thanks!
Hello Skytech,
Oh ok.
I will try to find an expert to reply to your question :)! It will be more accurate!
Regards,
Hi @smkml, that did the trick!! Thanks a lot!
Hi,
Just one example:
To meet the requirement of not triggering the event handler when (dst ip == 10.1.13.33 or hostname == "proxy-safebrowsing.googleapis.com"),
the prefilter can be (dst ip != 10.1.13.33 and hostname != "proxy-safebrowsing.googleapis.com"). This will look for logs other than the specified dstip and hostname.
