
Filter out events caused by a user account

alienray

Is there a way that I can filter out events by a particular user account?


Best Answer

       Policies do not allow you to select '$userdata' as a field (at this time). You must create a Custom_Directive, and from there you can then create a Policy based on the Event_ID of your Custom_Directive.  

       There is currently an Idea_Request with Development that would allow users to create Policies based on additional data-fields. However, at this time, you must use a combination of creating a Custom_Directive, and Policies. When the Idea_Request is released, you will only need to create a Policy. 

       Regards,

    - kratos

Answers

  • Hello @alienray,

        Can you elaborate on "where" you are trying to filter these Events?

       * In SIEM, you can select one of the "$userdata" fields at the lower section of the SIEM search. 
       * In Custom_Directives, you can also use the different "$userdata" fields (1-9), or even use negation (!).  

       Regards,

    - kratos
  • @kratos 

    I was referring to where you create policies, in CONFIGURATION->THREAT INTELLIGENCE->POLICY.

    So I have to create a custom directive and then create a policy to filter that user account out of the SIEM database using the custom directive?