This issue was caught in moderation. I removed the PII (email address) and approved this post.
You can configure a routing rule in QRadar to drop specific events. You can use default normalized fields, such as source IP, destination IP, port, username. If the unique values in this payload are not a normalized property, you could create a custom property in the DSM Editor, then use your Routing Rule to drop any events that match your custom property. The benefit of routing rules is that you receive license giveback on the next interval for events you do want to keep in QRadar.
If someone here has Forcepoint MDC tuning best practices, feel free to include them in this thread.
------------------------------
Jonathan Pechta
QRadar Support Content Lead
Support forums: ibm.biz/qradarforums
jonathan.pechta1@ibm.com
------------------------------
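As an added illustration of the routing-rule idea described above (constructed example code, not QRadar's own implementation; QRadar routing rules and DSM Editor properties are configured in the product UI), the following Python models the two matching options mentioned: a normalized field such as destination port, and a custom property extracted from the payload with a single-capture-group regex, the way a DSM Editor custom property is defined. The sample payloads, field names and rule names are made up for the example.

```python
"""Model of a QRadar-style routing rule that drops events by property.

Constructed illustration only: the payloads, the key=value format and the
property names below are invented for this example and are not Forcepoint
MDC or QRadar output.
"""
import re
from dataclasses import dataclass

# Constructed sample payloads in a generic key=value firewall style.
SAMPLE_EVENTS = [
    "src=10.0.0.5 dst=8.8.8.8 dport=53 action=allow rule_name=DNS-Out",
    "src=10.0.0.7 dst=10.0.0.1 dport=443 action=allow rule_name=Internal-Mgmt",
    "src=192.168.1.9 dst=10.0.0.20 dport=22 action=deny rule_name=Block-SSH",
    "src=10.0.0.5 dst=8.8.4.4 dport=53 action=allow rule_name=DNS-Out",
]

# Stand-ins for normalized properties every parsed event carries.
NORMALIZED = {
    "sourceip": re.compile(r"\bsrc=(\S+)"),
    "destinationip": re.compile(r"\bdst=(\S+)"),
    "destinationport": re.compile(r"\bdport=(\d+)"),
}

# A custom property: one regex with a single capture group, as a DSM Editor
# custom property would be defined against the raw payload.
CUSTOM = {
    "RuleName": re.compile(r"\brule_name=(\S+)"),
}


def extract(payload):
    """Return a dict of property name -> captured value for one payload."""
    props = {}
    for name, rx in {**NORMALIZED, **CUSTOM}.items():
        m = rx.search(payload)
        if m:
            props[name] = m.group(1)
    return props


@dataclass
class DropRule:
    """Drop an event when the named property has one of the listed values."""
    prop: str
    values: frozenset

    def matches(self, props):
        return props.get(self.prop) in self.values


def route(events, drop_rules):
    """Split events into (kept, dropped) according to the drop rules."""
    kept, dropped = [], []
    for payload in events:
        props = extract(payload)
        if any(rule.matches(props) for rule in drop_rules):
            dropped.append(payload)
        else:
            kept.append(payload)
    return kept, dropped


# Two drop rules: one on the custom property, one on a normalized field.
RULES = [
    DropRule("RuleName", frozenset({"DNS-Out"})),       # noisy allowed DNS
    DropRule("destinationport", frozenset({"443"})),    # allowed HTTPS mgmt
]

if __name__ == "__main__":
    kept, dropped = route(SAMPLE_EVENTS, RULES)
    print(f"kept {len(kept)} event(s), dropped {len(dropped)} event(s)")
    for payload in kept:
        print("KEEP", payload)
```

Before dropping anything in production, run the rule in a monitoring-only mode first and confirm that the kept set still contains the deny and other security-relevant events; the example above only drops the two explicitly allowed, high-volume categories and keeps the `Block-SSH` deny.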
Original Message:
Sent: Tue July 25, 2023 01:20 PM
From: Muhammad Zeeshan
Subject: ForcePoint MDC Firewall Excessive logs issue.
Hi,
My friend asked me for help in resolving an excessive log issue related to ForcePoint DC firewall. I'm seeking advice from experts on the best configuration settings for this. If anyone has insights, please feel free to share, and let me know if there's any information I can provide to assist further. Thanks!
------------------------------
Muhammad Zeeshan
------------------------------