I would like to suggest that there should be a better way to filter out events that we don't want to see or to have trigger a rule. Currently, we only have AND | OR for a group, and there is no way to filter out very specific events that belong to a specific group.
I have a bunch of events that keep occurring that I don't want to see, but I don't want to filter out similar events, so I can't just exclude based upon a single alert value such as SourceAccount, DestinationAccount, or Modification.
For example, I would like a rule that would essentially look like this:
UserModifyAttribute NOT ( (UserModifyAttribute.DestinationAccount = Group1) AND (UserModifyAttribute.Modification = *administrators group*) AND (UserModifyAttribute.SourceAccount = ANONYMOUS LOGON) )
There is currently no way to make a rule that is anything close to this in syntax. I can try to work through the boolean logic to do the same thing with only AND and OR operators, but being able to use NOT on an expression group would really, really help!
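As an added example (not part of the original post and not the product's rule syntax), the Python below works through the boolean logic the post mentions: by De Morgan's law, NOT (A AND B AND C) equals (NOT A) OR (NOT B) OR (NOT C), so the exclusion can be written with OR alone when each single condition can be negated. The function names, the case-insensitive wildcard matching and the sample events are assumptions made for the illustration.

```python
from fnmatch import fnmatchcase
from itertools import product

# The three conditions of the exclusion group, with the values written in the post.
EXCLUDE = {
    "DestinationAccount": "Group1",
    "Modification": "*administrators group*",
    "SourceAccount": "ANONYMOUS LOGON",
}

def matches(event, field, pattern):
    """Wildcard match on one field (assumed case-insensitive); a missing field never matches."""
    value = event.get(field)
    return value is not None and fnmatchcase(value.lower(), pattern.lower())

def keep_with_not_group(event):
    """NOT (A AND B AND C): suppress the event only when all three conditions match."""
    return not all(matches(event, f, p) for f, p in EXCLUDE.items())

def keep_with_or_only(event):
    """De Morgan rewrite: (NOT A) OR (NOT B) OR (NOT C), negating single conditions only."""
    return any(not matches(event, f, p) for f, p in EXCLUDE.items())

def keep_single_field(event):
    """Excluding on SourceAccount alone, which the post says is too broad."""
    return not matches(event, "SourceAccount", EXCLUDE["SourceAccount"])

def sample_events():
    """Constructed UserModifyAttribute-style events covering every match/no-match combination."""
    dests = ["Group1", "Group2"]
    mods = ["Added to Administrators group", "Password reset"]
    srcs = ["ANONYMOUS LOGON", "CORP\\alice"]
    return [
        {"DestinationAccount": d, "Modification": m, "SourceAccount": s}
        for d, m, s in product(dests, mods, srcs)
    ]

if __name__ == "__main__":
    for ev in sample_events():
        print(
            "keep" if keep_with_or_only(ev) else "drop",
            "(single-field filter would drop)" if not keep_single_field(ev) else "",
            ev,
        )
```

Across the eight constructed events, both grouped forms suppress only the one event matching all three conditions, while the single-field exclusion also hides three events that should still be visible.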