Unfortunately not. The "in" option (example: src_ip in (ipaddress1, ipaddress2)) will answer the need IF the proposed filter values are all the available values in the logs. But currently that's not the case: only the values in the last 500 requests are available in the proposed filter values.
Use case: an auditor looks for a False Positive and wants to define the most accurate WAF exclusion rule. He does:
filter on logs of the last 30 days
filter on the "False Positive" signatures.id XXX
open the filter country: only 5 (AA to EE) are shown. AA and BB countries are selected, this is where their business partners are.
open the filter on user_agent. User agents used are noted to create an exception rule
The result of this analysis is wrong: business partners of other countries (ZZ) will still encounter False Positives, because only the countries of the last seen 500 requests were displayed.
It's a real pain point shared by my customer: security analysis using the XC console is too difficult due to the limitation of the top 500 requests. My customer is now using Splunk for analytics and the XC dashboard only for the big picture.
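The workflow described in the post above, as an added example that is not part of the original thread or of the XC console: a constructed 30-day log for one signature, a facet computed the way the post describes the console doing it (values taken only from the most recent 500 matching requests) beside the same facet over the full log, and a check of which countries an exclusion built from the truncated facet would leave uncovered. The signature id XXX and the country codes AA..EE and ZZ are the post's placeholders; the timestamps, user agents and record counts are made up here, and the assumption that "last 500" means the 500 most recent matching requests is mine.

```python
from collections import Counter

FACET_WINDOW = 500     # the "top 500 requests" limit described in the thread (assumed: most recent 500)
SIGNATURE_ID = "XXX"   # placeholder signature id from the post


def build_sample_logs() -> list[dict]:
    """Constructed 30-day WAF log for one signature: 100 older hits from country ZZ,
    then 500 newer hits spread over AA..EE. All values are made up for this example."""
    logs = []
    ts = 0
    for _ in range(100):
        logs.append({"ts": ts, "sig_id": SIGNATURE_ID, "country": "ZZ", "ua": "PartnerClient/2.1"})
        ts += 1
    for i in range(500):
        country = "ABCDE"[i % 5] * 2            # AA, BB, CC, DD, EE in rotation
        ua = "PartnerClient/2.1" if country in ("AA", "BB") else "Mozilla/5.0"
        logs.append({"ts": ts, "sig_id": SIGNATURE_ID, "country": country, "ua": ua})
        ts += 1
    return logs


def facet(logs, field, sig_id, window=None) -> Counter:
    """Facet values for `field` among hits of `sig_id`. With `window` set, only the
    most recent `window` matching requests are counted, mimicking the console
    behaviour the post complains about; with window=None the whole log is used."""
    hits = sorted((r for r in logs if r["sig_id"] == sig_id),
                  key=lambda r: r["ts"], reverse=True)
    if window is not None:
        hits = hits[:window]
    return Counter(r[field] for r in hits)


def uncovered_countries(logs, sig_id, excluded_countries) -> set:
    """Countries still producing hits of `sig_id` after an exclusion rule scoped to
    `excluded_countries` is applied. Non-empty means the rule misses partners."""
    return {r["country"] for r in logs if r["sig_id"] == sig_id} - set(excluded_countries)


def main():
    logs = build_sample_logs()
    windowed = facet(logs, "country", SIGNATURE_ID, window=FACET_WINDOW)
    complete = facet(logs, "country", SIGNATURE_ID)
    print("countries shown by the truncated facet:", sorted(windowed))
    print("countries in the full 30-day log:      ", sorted(complete))
    # The analyst picks the partner countries visible in the facet, as in the post.
    rule = {"AA", "BB"}
    print("still hitting the signature after exclusion:",
          sorted(uncovered_countries(logs, SIGNATURE_ID, rule)))


if __name__ == "__main__":
    main()
```

Running the full-log facet is the step the post says the console cannot do today; `uncovered_countries` is the check an analyst would run (in Splunk or any full-log store) before trusting an exclusion derived from a facet.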
Won't the "in" option work? For example, src_ip in (ipaddress1, ipaddress2). This is similar to OR functionality.
In favour. Avoids multiple searches.