Rule off ExtraneousInfo

We have some logs coming in from Panorama and I want to create Incidents/Rules off of the ones that were generated by specific firewall rules.

For example: we have an IP blocklist, and if any machine attempts to hit those addresses, the "Block Malicious IP - OUT" firewall rule drops the traffic.

These logs are being fed into SEM and I can see the "Block Malicious IP - OUT" text in the ExtraneousInfo field of ICMPTrafficAudit event types.  

However, when I go to create a rule, I'm not seeing an option for "Contains". The objective is to create rules off certain words that pop up in the ExtraneousInfo field. Is this possible?
