I am new to OSSIM (v 4.14). I have a problem with policies. I have OSSIM (server+sensor) on a single server. It generates a lot of events (mostly avapi):
ossec: "Successful sudo to ROOT executed" from ossec-sudo (event ID: 5402) in /home/avapi/
snort: "ET POLICY Python-urllib/ Suspicious User Agent", which is some HTTP GET to a Google server (no idea which process generates it)
And I want to filter them out with 2 policies I made in the Default policy group. Each policy has the event type defined as a new DS group (for the particular event IDs mentioned above), source as my OSSIM server+sensor address, destination as ANY, sensor: ANY, and Policy consequences - SIEM: all No.