We have some logs coming in from Panorama and I want to create Incidents/Rules off of the ones that were generated by specific firewall rules.
For example: we have an IP blocklist, and if any machine attempts to hit those addresses, the "Block Malicious IP - OUT" firewall rule drops the traffic.
These logs are being fed into SEM and I can see the "Block Malicious IP - OUT" text in the ExtraneousInfo field of ICMPTrafficAudit event types.
However, when I go to create a rule, I'm not seeing an option for "Contains". The objective is to create rules off certain words that pop up in the ExtraneousInfo field; is this possible?
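The kind of "contains" match the post is asking about, as an added Python example that is not from the original post or from SolarWinds SEM: it filters constructed SEM-style event records on EventType and a wildcard condition over ExtraneousInfo, then counts hits per source host, which is the aggregate an incident rule would typically key on. The `*` wildcard syntax and the field names other than the ones the post mentions (SourceMachine, DestinationIP) are assumptions.

```python
import re
from collections import Counter

# Constructed sample of SEM-style normalized events (not real log data).
SAMPLE_EVENTS = [
    {"EventType": "ICMPTrafficAudit", "SourceMachine": "ws-017",
     "DestinationIP": "203.0.113.45",
     "ExtraneousInfo": "rule=Block Malicious IP - OUT action=drop"},
    {"EventType": "ICMPTrafficAudit", "SourceMachine": "ws-017",
     "DestinationIP": "203.0.113.46",
     "ExtraneousInfo": "rule=Block Malicious IP - OUT action=drop"},
    {"EventType": "ICMPTrafficAudit", "SourceMachine": "srv-02",
     "DestinationIP": "198.51.100.9",
     "ExtraneousInfo": "rule=Allow Monitoring action=allow"},
    {"EventType": "TCPTrafficAudit", "SourceMachine": "ws-023",
     "DestinationIP": "203.0.113.45",
     "ExtraneousInfo": "rule=Block Malicious IP - OUT action=drop"},
]

def wildcard_to_regex(pattern):
    """Translate an assumed SEM-style wildcard condition ('*' = any text)
    into a case-insensitive regex; everything else is matched literally."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)

def match_events(events, field, pattern, event_type=None):
    """Return events whose `field` satisfies the wildcard pattern,
    optionally restricted to a single EventType."""
    rx = wildcard_to_regex(pattern)
    return [e for e in events
            if (event_type is None or e.get("EventType") == event_type)
            and rx.match(e.get(field, ""))]

def hits_per_source(events, field, pattern, event_type=None):
    """Count matching events per source host: the per-host count is the
    aggregate an incident rule would threshold on."""
    hits = match_events(events, field, pattern, event_type)
    return Counter(e["SourceMachine"] for e in hits)

if __name__ == "__main__":
    print(hits_per_source(SAMPLE_EVENTS, "ExtraneousInfo",
                          "*Block Malicious IP - OUT*", "ICMPTrafficAudit"))
```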