Hi gang,
is it possible to use value list as anything other than an exception?
I have a list of Command and Control servers and would like to get a signal every time an ip address from that value list is part of "destination.address" however I can only see the option to use the list as an exception.
If someone could point me in the right direction that'd be rather nice.
Doable if you use the "not in list" operator. Then your signal will trigger on every entry in the list.
It is very unintuitive tho.
Hey @madduck !
That certainly is a common use case and you're correct in your follow up post that using the "not in list" operator will result in the functionality you are looking for.
Adding a link to the exceptions API docs here just for reference. They go into a bit more detail and might come in handy!
It's always great to get feedback - appreciate you letting us know your experience with the exceptions.
Best,
Yara
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.