• Support
  • Forums
  • Blogs
A New Community Experience is Coming! For more information, please see our announcement.

How to filter on Payload or Rawdata in the directives


New Life Form


Right now in the directives there are several variables available out of box like From To  USERNAME PASS USERDATA1....9

I would like to filter based on some data in the Payload or Rawdata 

For Example

1. I would like it to alarm for all URL but when some URLs are shown in payload or raw data i would like it to not alarm on those

2. If i filter based on the IP then it could filter more alarms if there are more URLs hosted on the same IP

If it's not possible through the Threat Intelligence > Directives interface, please let me know how i would go about customizing this any other way.

You help would be greatly appreciated


Share post:


  • seanclt,

    Directives need to confirm that they are using apples to apples values in order to ensure consistency. In order to do this, they correlate against indexed data only. 

    You could create a custom plugin that filters which normalizes on the log data you are checking for, or use OTX and create a custom pulse to trigger on specific URLs/IP addresses if you are monitoring network traffic. Given the description you provide, however, it sounds like the solution you are looking for is not a SIEM rule, but a webfilter.
  • edited October 2017
    thanks, can you please guide or let me know about some documentation that we need to review to learn more about web filter and how to implement this

Sign In or Register to comment.