I wanted to know how to make an exception to a rule by filtering what's in the payload. For instance, if the phrase "attack blocked" was seen in the payload, or if I had a series of numbers such as in a Barracuda Web Filter log, 2 1 0 1 1. I would want the alert to be suppressed when there is either an "attack blocked" seen or when there is a "1" in the 4th position.
Neither of these are currently parsed out under any of the UserData fields. In theory, I would like for these to be populated in the UserData fields and use those to filter out the false positives.
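The suppression logic described in the question, as an added Python example that is not part of the original post or of any product's rule syntax. It assumes the numeric series appears in the payload as five space-separated single digits; the field names `userdata_phrase` and `userdata_pos4` are hypothetical, and the sample payloads are constructed.

```python
import re

# Assumption: the series appears as five space-separated single digits,
# e.g. "2 1 0 1 1"; real Barracuda Web Filter lines may be laid out differently.
# The lookarounds keep the pattern from matching inside IPs, ports or words.
SERIES_RE = re.compile(r"(?<![\w.:])(\d) (\d) (\d) (\d) (\d)(?![\w.:])")
PHRASE_RE = re.compile(r"attack blocked", re.IGNORECASE)


def extract_fields(payload):
    """Pull out the two values the question wants populated (hypothetical names)."""
    series = SERIES_RE.search(payload)
    return {
        "userdata_phrase": bool(PHRASE_RE.search(payload)),
        "userdata_pos4": series.group(4) if series else None,
    }


def should_suppress(payload):
    """Suppress when "attack blocked" is present OR the 4th position is "1"."""
    fields = extract_fields(payload)
    return fields["userdata_phrase"] or fields["userdata_pos4"] == "1"


# Constructed sample payloads, not real device output.
SAMPLES = [
    "webfilter: 10.0.0.5 GET http://example.test/ 2 1 0 1 1 policy",  # 4th = 1
    "webfilter: 10.0.0.5 GET http://example.test/ 2 1 0 0 1 policy",  # 4th = 0
    "ips: signature 1234 Attack Blocked from 10.0.0.9",               # phrase
    "ips: signature 1234 detected from 10.0.0.9",                     # neither
]

if __name__ == "__main__":
    for line in SAMPLES:
        print("SUPPRESS" if should_suppress(line) else "ALERT   ", line)
```

Extracting the values into named fields first, then filtering on them, mirrors the approach the question proposes and keeps the suppression condition auditable.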