topic Re: Cisco Secure Network Analytics - .CSE Rule Exclude Payload informa in Security Analytics https://community.cisco.com/t5/security-analytics/cisco-secure-network-analytics-cse-rule-exclude-payload/m-p/5306604#M1198 <P><SPAN class="">It looks like you're hitting a limitation in Cisco Secure Network Analytics (StealthWatch/SAN)—<STRONG>custom security events (CSEs) don’t support filtering or excluding based on “Subject Payload”</STRONG>. That filter is only available in <STRONG>Flow Search</STRONG>, under <EM>Advanced Connection Options → Payload</EM>, but that same capability isn’t exposed in CSE creation under <EM>Policy Management</EM>.</SPAN></P><HR /><H3><span class="lia-unicode-emoji" title=":magnifying_glass_tilted_left:">🔍</span> What You <EM>Can</EM> Do Instead</H3><H4>1. <STRONG>Pre-filter with Flow Search + Scripted Alerting</STRONG></H4><UL><LI><P><SPAN class=""><STRONG>Regularly run</STRONG> a scheduled Flow Search via API or CLI that includes Payload filters to <STRONG>exclude unwanted “Subject Payload”</STRONG> values.</SPAN></P></LI><LI><P><SPAN class=""><STRONG>Script processing</STRONG> of the results and generate alerts or write logs externally.</SPAN></P></LI><LI><P><SPAN class="">While this doesn’t use CSE, it allows fine-grained payload control.</SPAN></P></LI></UL><H4>2. <STRONG>Use Caller Context (Custom Fields)</STRONG></H4><UL><LI><P><SPAN class="">In Flow Search, add payload filters to <STRONG>capture only desired events</STRONG>.</SPAN></P></LI><LI><P><SPAN class="">Export these events, then ingest them into your SIEM or Splunk, where you can <STRONG>alert or alert-categorize</STRONG> based on payload content.</SPAN></P></LI></UL><H4>3. <STRONG>File a Feature Request</STRONG></H4><UL><LI><P><SPAN class="">Cisco docs and the community confirm this isn’t currently supported</SPAN> .</P></LI><LI><P>Consider submitting a feature request or POC to Cisco via TAC, asking to add payload filtering into CSE criteria.</P></LI></UL><HR /><H3><span class="lia-unicode-emoji" title=":warning:">⚠️</span> TL;DR</H3><UL><LI><P><STRONG>CSEs</STRONG>: can filter by host groups, bytes, packets, app, etc., but <STRONG>not by payload fields</STRONG>.</P></LI><LI><P><STRONG>Flow Search</STRONG>: <EM>is</EM> payload-aware, but results aren’t alerting via CSE.</P></LI><LI><P><STRONG>Workaround</STRONG>: Use scheduled Flow Search + scripting (or SIEM ingestion) to replicate what you want.</P></LI></UL> Mon, 07 Jul 2025 16:39:51 GMT wajidhassan 2025-07-07T16:39:51Z Cisco Secure Network Analytics - .CSE Rule Exclude Payload information https://community.cisco.com/t5/security-analytics/cisco-secure-network-analytics-cse-rule-exclude-payload/m-p/5277384#M1172 <P>Hi everyone,</P><P>Having some .CSE rules when high amount of data Is leaving a internal network. Having alot of false positives related to this.&nbsp;<BR />And I'm wondering If It's possible in some way to exclude a specifik "Subject Payload" field?</P><P>That "Subject Payload" Is visibile due to my SAL logging that I have.&nbsp;</P><P>From a regular "flow search" I can exclude&nbsp; the "Subject Payload" field under,&nbsp;<BR />--&gt; Advanced Connection Options<BR />--&gt; Payload</P><P>But this Is not available under,<BR />--&gt; Policy Management<BR />--&gt; Custome Security Events</P><P>Thanks</P> Wed, 02 Apr 2025 07:09:22 GMT https://community.cisco.com/t5/security-analytics/cisco-secure-network-analytics-cse-rule-exclude-payload/m-p/5277384#M1172 aleksta9826435 2025-04-02T07:09:22Z Re: Cisco Secure Network Analytics - .CSE Rule Exclude Payload informa https://community.cisco.com/t5/security-analytics/cisco-secure-network-analytics-cse-rule-exclude-payload/m-p/5306604#M1198 <P><SPAN class="">It looks like you're hitting a limitation in Cisco Secure Network Analytics (StealthWatch/SAN)—<STRONG>custom security events (CSEs) don’t support filtering or excluding based on “Subject Payload”</STRONG>. That filter is only available in <STRONG>Flow Search</STRONG>, under <EM>Advanced Connection Options → Payload</EM>, but that same capability isn’t exposed in CSE creation under <EM>Policy Management</EM>.</SPAN></P><HR /><H3><span class="lia-unicode-emoji" title=":magnifying_glass_tilted_left:">🔍</span> What You <EM>Can</EM> Do Instead</H3><H4>1. <STRONG>Pre-filter with Flow Search + Scripted Alerting</STRONG></H4><UL><LI><P><SPAN class=""><STRONG>Regularly run</STRONG> a scheduled Flow Search via API or CLI that includes Payload filters to <STRONG>exclude unwanted “Subject Payload”</STRONG> values.</SPAN></P></LI><LI><P><SPAN class=""><STRONG>Script processing</STRONG> of the results and generate alerts or write logs externally.</SPAN></P></LI><LI><P><SPAN class="">While this doesn’t use CSE, it allows fine-grained payload control.</SPAN></P></LI></UL><H4>2. <STRONG>Use Caller Context (Custom Fields)</STRONG></H4><UL><LI><P><SPAN class="">In Flow Search, add payload filters to <STRONG>capture only desired events</STRONG>.</SPAN></P></LI><LI><P><SPAN class="">Export these events, then ingest them into your SIEM or Splunk, where you can <STRONG>alert or alert-categorize</STRONG> based on payload content.</SPAN></P></LI></UL><H4>3. <STRONG>File a Feature Request</STRONG></H4><UL><LI><P><SPAN class="">Cisco docs and the community confirm this isn’t currently supported</SPAN> .</P></LI><LI><P>Consider submitting a feature request or POC to Cisco via TAC, asking to add payload filtering into CSE criteria.</P></LI></UL><HR /><H3><span class="lia-unicode-emoji" title=":warning:">⚠️</span> TL;DR</H3><UL><LI><P><STRONG>CSEs</STRONG>: can filter by host groups, bytes, packets, app, etc., but <STRONG>not by payload fields</STRONG>.</P></LI><LI><P><STRONG>Flow Search</STRONG>: <EM>is</EM> payload-aware, but results aren’t alerting via CSE.</P></LI><LI><P><STRONG>Workaround</STRONG>: Use scheduled Flow Search + scripting (or SIEM ingestion) to replicate what you want.</P></LI></UL> Mon, 07 Jul 2025 16:39:51 GMT https://community.cisco.com/t5/security-analytics/cisco-secure-network-analytics-cse-rule-exclude-payload/m-p/5306604#M1198 wajidhassan 2025-07-07T16:39:51Z