Here is an example of how to achieve it: the Captured Summary starts with any of the specified words and the Captured Object doesn't contain any of the specified words:
The route-to-group rules work this way:
- it evaluates all top level rules (there is only 1 in the screenshot above), and uses it when it matches (and evaluation finishes)
- the top level rules are evaluated in order as defined (the first one has the higher priority)
- when no top level rule matches, then the default group/action is used (the "By default" part above the rules)
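The evaluation order described above, as an added example that is not part of the original post or of the product's own code: a first-match-wins walk over top-level rules, each of which is a group of child conditions that must all match, with a fallback to the default group. The names (`Alert`, `Rule`, `route_to_group`, the two condition builders) and the case-insensitive matching are assumptions made for the illustration; the sample rules and alerts are constructed.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed model of route-to-group evaluation; not the product's API.


@dataclass
class Alert:
    summary: str  # the "Captured Summary" field
    object: str   # the "Captured Object" field


Condition = Callable[[Alert], bool]


@dataclass
class Rule:
    """One top-level rule: a named target group plus child conditions.

    The rule matches only when ALL of its child conditions match,
    which is the "all child rules match" behaviour the thread refers to.
    """
    group: str
    children: List[Condition]

    def matches(self, alert: Alert) -> bool:
        return all(child(alert) for child in self.children)


def summary_starts_with_any(words: List[str]) -> Condition:
    """Child condition: Captured Summary starts with any of the given words.

    Assumption: matching is case-insensitive.
    """
    lowered = [w.lower() for w in words]
    return lambda a: any(a.summary.lower().startswith(w) for w in lowered)


def object_contains_none_of(words: List[str]) -> Condition:
    """Child condition: Captured Object contains none of the given words."""
    lowered = [w.lower() for w in words]
    return lambda a: not any(w in a.object.lower() for w in lowered)


def route_to_group(alert: Alert, rules: List[Rule],
                   default_group: str) -> Tuple[str, Optional[int]]:
    """Evaluate top-level rules in defined order; the first match wins.

    Returns (group, index_of_matching_rule). The index is None when no
    rule matched and the default group was used.
    """
    for index, rule in enumerate(rules):
        if rule.matches(alert):
            return rule.group, index  # evaluation finishes here
    return default_group, None


# Constructed sample rules, in priority order.
RULES = [
    Rule("Network", [
        summary_starts_with_any(["Link down", "Interface"]),
        object_contains_none_of(["lab", "test"]),
    ]),
    Rule("Storage", [
        summary_starts_with_any(["Disk"]),
    ]),
    # Deliberately overlaps with the Network rule above; because it is
    # later in the list it is only reached when the Network rule fails.
    Rule("Network-Lab", [
        summary_starts_with_any(["Link down"]),
    ]),
]


def route(summary: str, obj: str) -> str:
    """Convenience wrapper returning only the chosen group name."""
    return route_to_group(Alert(summary, obj), RULES, "Default")[0]


if __name__ == "__main__":
    for s, o in [("Link down on eth0", "router01"),
                 ("Link down on eth0", "lab-router"),
                 ("Disk full on /var", "lab-db"),
                 ("CPU high", "web01")]:
        print(f"{s!r} / {o!r} -> {route(s, o)}")
```

The second sample alert shows the interaction the thread is about: the first group fails because of its child "doesn't contain" condition, so evaluation moves on to the next top-level rule rather than stopping.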
Thank you for your reply. When I saw your example it instantly made sense. I had thought of this, but because the top level said "all child rules match" I assumed it would ignore the grouping; I guess I was expecting it to say "all child groups match".
Anyway, when I did try this, it did not work; each test I did would not filter my alerts correctly. Valid alerts would not match anything and be discarded. Then whenever I went back to the route to group it seemed to keep pushing the lower group over to a different level. I know it was on the same level as the other group:
I did come up with something that did work for all of my alerts but I think I prefer the logical approach of yours.