
Filter out events caused by a user account


New Life Form
Is there a way that I can filter out events by a particular user account?


Best Answer

  • Policies do not allow you to select '$userdata' as a field (at this time). You must create a Custom_Directive, and from there you can then create a Policy based on the Event_ID of your Custom_Directive.

    There is currently an Idea_Request with Development that would allow users to create Policies based on additional data-fields. However, at this time, you must use a combination of creating a Custom_Directive, and Policies. When the Idea_Request is released, you will only need to create a Policy.


    - kratos
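As an added illustration of the Custom_Directive step (not kratos's configuration and not a template shipped with the product), this is what one such directive looks like in the OSSIM directive XML that the web UI builds behind the scenes; the directive id, the plugin_id and the account name are placeholders, not values from this thread:

```xml
<!-- Added example, not from the thread. One custom directive that fires on every
     event whose userdata1 field carries a given account name.
     Assumed placeholders: directive id 500000, PLUGIN_ID_OF_SOURCE for the data
     source's plugin id, and the account name "svc_backup". -->
<directive id="500000" name="Custom: events from account svc_backup" priority="1">
  <rule type="detector" name="Event with userdata1 = svc_backup"
        reliability="1" occurrence="1"
        from="ANY" to="ANY" port="ANY"
        plugin_id="PLUGIN_ID_OF_SOURCE" plugin_sid="ANY"
        userdata1="svc_backup"/>
</directive>
<!-- As the thread notes, userdata1 through userdata9 can all be matched here, and a
     value can be negated with "!" (userdata1="!svc_backup" matches every event from
     any other account). The Policy is then created on the Event_ID that this
     directive raises, which is the two-step combination kratos describes. -->
```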


  • Hello @alienray,

        Can you elaborate on "where" you are trying to filter these Events?

       * In SIEM, you can select one of the "$userdata" fields at the lower section of the SIEM search. 
       * In Custom_Directives, you can also use the different "$userdata" fields (1-9), or even use negation (!).  


    - kratos
  • @kratos 

    I was referring to where you create policies. In CONFIGURATION->THREAT INTELLIGENCE->POLICY

    So I have to create a custom directive and then create a policy to filter that user account out of the SIEM database using the custom directive?