Hi, I'm trying to add a drop_event condition to drop events with Suricata alert severity below a threshold.
Currently I have modified /filebeat/module/suricata/eve/config/eve.yml to contain:
```yaml
- drop_event:
    when:
      equals.event.severity: 3
```
But with this saved I am still receiving events with severity of 3.
Any thoughts? I have also tried with equals.suricata.eve.severity: 3 and had no luck either.
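As an added illustration (not code from this thread or from Beats itself), the Python below evaluates a Beats-style `when:` condition against a constructed Suricata EVE alert line in the shape the JSON has before any ingest pipeline renames it, so you can see which dotted field name a `drop_event` processor would actually find; the sample event, the `equals`/`range` evaluator and the `gte`/`lt` threshold form are assumptions made for the example.

```python
import json
from typing import Any

# Constructed sample (not from the thread): one raw Suricata EVE alert line as
# Suricata writes it. At this stage the severity lives under "alert.severity".
SAMPLE_EVE_LINE = json.dumps({
    "timestamp": "2024-01-01T00:00:00.000000+0000",
    "event_type": "alert",
    "alert": {"signature": "constructed test signature", "severity": 3},
})

# Comparison operators accepted by a Beats-style `range` condition.
RANGE_OPS = {"lt": lambda a, b: a < b, "lte": lambda a, b: a <= b,
             "gt": lambda a, b: a > b, "gte": lambda a, b: a >= b}

def get_path(event: dict, dotted: str) -> Any:
    """Resolve a dotted field name such as 'alert.severity'; None if absent."""
    cur: Any = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def when_matches(condition: dict, event: dict) -> bool:
    """Evaluate a `when:` block with `equals` and/or `range` (illustrative
    re-implementation, not Beats' own code). A field that is absent from the
    event at this stage never matches, so the drop silently does nothing."""
    for field, wanted in condition.get("equals", {}).items():
        if get_path(event, field) != wanted:
            return False
    for field, bounds in condition.get("range", {}).items():
        value = get_path(event, field)
        if not isinstance(value, (int, float)):
            return False
        if not all(RANGE_OPS[op](value, limit) for op, limit in bounds.items()):
            return False
    return True

def would_drop(condition: dict, raw_line: str) -> bool:
    """True if a drop_event carrying this `when` condition would drop the line."""
    return when_matches(condition, json.loads(raw_line))

if __name__ == "__main__":
    for cond in ({"equals": {"event.severity": 3}},          # name tried in the post
                 {"equals": {"alert.severity": 3}},          # name in raw EVE JSON
                 {"range": {"alert.severity": {"gte": 3}}}):  # 3 = lowest priority
        print(cond, "->", "drop" if would_drop(cond, SAMPLE_EVE_LINE) else "keep")
```

Running it prints `keep` for the `event.severity` condition and `drop` for the two that name the field as it exists in the raw line, which is the check to make against your own events before tuning the threshold.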