IBM Security Community
I added a second EventID to filter and it is not working. I added a comma and no space with the EventID and Q is still showing the logs. Any help would be appreciated.
Michael, not enough details to provide an answer. Is this a standard search or AQL? What are you trying to achieve? For example: in the standard search, if you need to have an OR test you can apply the <CustomProperty> Equals any of and then add the values in the list; adding a filter on top of an existing one means previous AND current.
If you go into the log source for Windows and the protocol is WinCollect, you have the ability to filter event IDs so that they are not sent to QRadar.
Are you referring to inclusion, exclusion and NSA (inclusion) filters?
Note that if any of these options is selected, the events will arrive at QRadar (and thus consume some EPS), but, true, part should be discarded after the filter is checked. Which option did you use? Any other things noticed?
With WinCollect it might be better to create an XPath query covering the needed events; that way you will really filter the events at the source (and save some EPS).
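As an added example (not part of this thread): a Windows Event Log XPath query in the standard QueryList form that collects every Security event except two event IDs, which is the same "exclude two IDs" case the original question describes, but evaluated on the Windows host before the event is forwarded. The two IDs here are placeholder values; replace them with the ones you actually want to drop.

```xml
<QueryList>
  <Query Id="0" Path="Security">
    <!-- Forward everything from the Security channel... -->
    <Select Path="Security">*</Select>
    <!-- ...except these two event IDs (placeholder values).
         Multiple IDs must be combined with "or" inside one
         predicate; a comma-separated list is not valid XPath. -->
    <Suppress Path="Security">
      *[System[(EventID=4688 or EventID=5156)]]
    </Suppress>
  </Query>
</QueryList>
```

You can validate the query before deploying it by pasting it into an Event Viewer custom view (XML tab) on the same host and checking that the two IDs no longer appear.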
I have it as an exclusion filter. I had 1 EventID filtered and it worked but I added a second ID and it will not filter the second ID.