Using LEM 6.3.1
I am trying to learn this product and have stumbled upon what I thought would be an easy task - I want to take an existing filter, clone it and then edit it to do what it is doing but to exclude certain keywords so I can reduce the sensitivity of the filter.
For example, I cloned the Incidents filter and now want to exclude events that have something *freebsd* or *pam* in the ToolAlias field.
This is what my traffic looks like coming in:
And this is how my filter looks:
But yet these events keep coming in.
What am I doing wrong?