You are referring to inclusion, exclusion and NSA (inclusion) filters?
Note that if any of these options is selected, the events will arrive at QRadar (and thus consume some EPS), but true, part should be discarded after the filter is checked. Which option did you use? Any other things noticed?
With WinCollect it might be better to create the XPath query covering the needed events; that way you will really filter the events at the source (and save some EPS).
------------------------------
Dusan VIDOVIC
------------------------------
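As an added illustration of the source-side filtering Dusan mentions (this is not code from the thread or from IBM), the following PowerShell builds a Windows Event Log XPath QueryList that keeps every Security event except a few suppressed IDs, and checks it locally with Get-WinEvent before the same XPath is pasted into the WinCollect log source. The three suppressed IDs (4662, 5156, 5158) are placeholders chosen for the example; the sample size of 500 is likewise arbitrary.

```powershell
# Added example (not from the thread): a Windows Event Log XPath QueryList that
# keeps all Security events except a handful of noisy IDs, plus a local check
# with Get-WinEvent before the same XPath goes into the WinCollect log source.
# The suppressed IDs (4662, 5156, 5158) are placeholders for this example;
# substitute the IDs you actually want to drop.
$QueryList = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*</Select>
    <Suppress Path="Security">*[System[(EventID=4662 or EventID=5156 or EventID=5158)]]</Suppress>
  </Query>
</QueryList>
"@

# The same filter as a single XPath expression, usable with -FilterXPath.
$XPath = "*[System[EventID!=4662 and EventID!=5156 and EventID!=5158]]"

# Pull a sample through both forms of the filter.
$viaQueryList = Get-WinEvent -FilterXml ([xml]$QueryList) -MaxEvents 500
$viaXPath     = Get-WinEvent -LogName Security -FilterXPath $XPath -MaxEvents 500

# Confirm none of the suppressed IDs survive either filter.
$leaked = @($viaQueryList + $viaXPath) | Where-Object { $_.Id -in 4662, 5156, 5158 }
if ($leaked) {
    Write-Warning ("Filter leaked {0} event(s); fix the XPath before deploying." -f $leaked.Count)
} else {
    "OK: {0} (QueryList) / {1} (XPath) events returned, none with a suppressed ID" -f `
        $viaQueryList.Count, $viaXPath.Count
}

# Compare against the unfiltered sample to see which IDs dominate the volume;
# whatever the filter removes here is what would otherwise count against EPS.
$all = Get-WinEvent -LogName Security -MaxEvents 500
$all | Group-Object Id | Sort-Object Count -Descending |
    Select-Object -First 10 @{ Name = 'EventID'; Expression = { $_.Name } }, Count
```

Run it in an elevated PowerShell session (reading the Security log requires administrator rights). Get-WinEvent reports an error rather than an empty result when nothing matches, so a very small -MaxEvents on a quiet host can look like a filter failure; raise the sample size before concluding the XPath is wrong. The Suppress element is the part that saves EPS: events it matches are dropped by the collector and never reach QRadar, unlike the log-source exclusion filters discussed above.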
Original Message:
Sent: Tue November 28, 2023 02:33 PM
From: Michael Anderson
Subject: Security Log Filtering
If you go into the log source for Windows and the protocol is WinCollect, you have the ability to filter event IDs so that they are not sent to QRadar.
------------------------------
Michael Anderson
Original Message:
Sent: Tue November 28, 2023 04:15 AM
From: Dusan VIDOVIC
Subject: Security Log Filtering
Michael, not enough details to provide an answer. Is this a standard search or AQL? What are you trying to achieve? For example: in the standard search, if you need to have an OR test you can apply the "<CustomProperty> Equals any of" filter and then add the values in the list; adding a filter on top of an existing one means previous AND current.
------------------------------
Dusan VIDOVIC
Original Message:
Sent: Mon November 27, 2023 02:29 PM
From: Michael Anderson
Subject: Security Log Filtering
Hello all,
I added a second EventID to filter and it is not working. I added a comma with no space before the EventID, and Q is still showing the logs. Any help would be appreciated.
Thanks
------------------------------
Michael Anderson
------------------------------