How to quickly filter by rule.name in SOC Alerts by OQL

[linuxlurak]

Version

2.4.0

Installation Method

Security Onion ISO image

Description

other (please provide detail below)

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

n/a

RAM

n/a

Storage for /

n/a

Storage for /nsm

n/a

Network Traffic Collection

tap

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

Yes, there are salt failures (please provide detail below)

Logs

No, there are no additional clues

Detail

If someone could point me in the right direction: I want to filter quickly using rule.name and wildcards or similar.

For example, to filter rules starting with "ET", I'd like to use something like this:
* AND NOT rule.name:ET* | groupby rule.name event.module* event.severity_label

Guidelines

• I have read the above statement and can confirm my post is relevant to Security Onion 2.4.

[reyesj2]

In the alerts dashboard at the top of the page click 'options' then toggle on "Temporarily enable advanced features".

Once that is enabled you can run the search you posted to not show rules matching rule.name: ET*

[linuxlurak]

Hmmmm, thanks a lot. I was absolutely sure I used this query string but obviously I didn't...

Some simple cases for others searching about this:
This works: * AND NOT rule.name: ET*
This works too: * AND NOT rule.name: ET* --> Note the many white spaces after "rule:"
This won't work: * AND NOT rule.name: ET * --> Note the white space between "ET" and "*"
This does not work too: *AND NOT rule.name: ET* --> Note the missing white space between * and AND in "*AND"
Also not working: * and not rule.name: ET* --> Note: small caps for AND NOT are invalid.

Thanks @reyesj2 👍