Cisco Secure Network Analytics - .CSE Rule Exclude Payload information

aleksta9826435
Level 1

Hi everyone,

Having some .CSE rules for when a high amount of data is leaving an internal network. Having a lot of false positives related to this.
And I'm wondering if it's possible in some way to exclude a specific "Subject Payload" field?

That "Subject Payload" is visible due to my SAL logging that I have.

From a regular "flow search" I can exclude the "Subject Payload" field under,
--> Advanced Connection Options
--> Payload

But this is not available under,
--> Policy Management
--> Custom Security Events

Thanks

1 Reply

wajidhassan
Level 4

It looks like you're hitting a limitation in Cisco Secure Network Analytics (StealthWatch/SAN)—custom security events (CSEs) don’t support filtering or excluding based on “Subject Payload”. That filter is only available in Flow Search, under Advanced Connection Options → Payload, but that same capability isn’t exposed in CSE creation under Policy Management.


What You Can Do Instead

1. Pre-filter with Flow Search + Scripted Alerting

  • Regularly run a scheduled Flow Search via API or CLI that includes Payload filters to exclude unwanted “Subject Payload” values.

  • Script processing of the results and generate alerts or write logs externally.

  • While this doesn’t use CSE, it allows fine-grained payload control.

2. Use Caller Context (Custom Fields)

  • In Flow Search, add payload filters to capture only desired events.

  • Export these events, then ingest them into your SIEM or Splunk, where you can alert or alert-categorize based on payload content.

3. File a Feature Request

  • Cisco docs and the community confirm this isn’t currently supported.

  • Consider submitting a feature request or POC to Cisco via TAC, asking to add payload filtering into CSE criteria.


TL;DR

  • CSEs: can filter by host groups, bytes, packets, app, etc., but not by payload fields.

  • Flow Search: is payload-aware, but results aren’t alerting via CSE.

  • Workaround: Use scheduled Flow Search + scripting (or SIEM ingestion) to replicate what you want.
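The scripted post-processing step of the workaround above (drop flows whose Subject Payload matches a benign pattern, then alert on high egress per internal host), as an added example that is not from this thread or from Cisco's own tooling. It assumes the scheduled Flow Search results have already been fetched and parsed into dicts; the field names, internal ranges, threshold and excluded payload prefixes are hypothetical.

```python
import ipaddress
from collections import defaultdict

MiB = 2**20
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Hypothetical Subject Payload prefixes of the benign bulk transfers causing the false positives.
EXCLUDED_PAYLOAD_PREFIXES = ("backup-agent/", "rsync:")
BYTES_OUT_THRESHOLD = 500 * MiB  # per subject host, summed over the whole search window

def flow(subject_ip, peer_ip, mib_out, payload=""):
    # Field names are assumptions for this example, not the product's export schema.
    return {"subject_ip": subject_ip, "peer_ip": peer_ip,
            "subject_bytes": mib_out * MiB, "subject_payload": payload}

# Constructed sample records, standing in for a parsed scheduled Flow Search export.
SAMPLE_FLOWS = [
    flow("10.1.2.3", "203.0.113.10", 400, "backup-agent/2.1 PUT /vault"),
    flow("10.1.2.3", "203.0.113.10", 300, "Backup-Agent/2.1 PUT /vault"),
    flow("10.1.5.7", "198.51.100.20", 350, "POST /upload HTTP/1.1"),
    flow("10.1.5.7", "198.51.100.21", 250),  # payload not observed
    flow("192.168.9.9", "198.51.100.30", 900, "PUT /archive.tar.gz HTTP/1.1"),
    flow("203.0.113.50", "10.1.2.3", 2048, "GET /"),  # external subject: inbound, ignored
    flow("10.1.5.7", "10.1.8.8", 1024, "SMB2 WRITE"),  # internal peer: not egress, ignored
]

def is_internal(ip_text):
    return any(ipaddress.ip_address(ip_text) in net for net in INTERNAL_NETS)

def payload_excluded(payload, prefixes=EXCLUDED_PAYLOAD_PREFIXES):
    """Case-insensitive prefix match; an empty or missing payload is never excluded."""
    text = (payload or "").strip().lower()
    return bool(text) and text.startswith(tuple(p.lower() for p in prefixes))

def egress_alerts(flows, threshold=BYTES_OUT_THRESHOLD, prefixes=EXCLUDED_PAYLOAD_PREFIXES):
    """Replicate a 'high data leaving the internal network' CSE plus the payload exclusion a CSE
    cannot express: sum subject bytes per internal host to external peers, return [(host, bytes)]."""
    totals = defaultdict(int)
    for f in flows:
        if not is_internal(f["subject_ip"]) or is_internal(f["peer_ip"]):
            continue  # only internal -> external traffic counts as egress
        if payload_excluded(f.get("subject_payload"), prefixes):
            continue  # the exclusion requested in the question
        totals[f["subject_ip"]] += int(f["subject_bytes"])
    hits = [(host, total) for host, total in totals.items() if total >= threshold]
    return sorted(hits, key=lambda hb: (-hb[1], hb[0]))

if __name__ == "__main__":
    for host, total in egress_alerts(SAMPLE_FLOWS):
        print(f"ALERT high egress: {host} sent {total // MiB} MiB to external peers")
```

Whatever emits the alert (syslog, a SIEM webhook, a ticket) goes in place of the print; aggregating per host rather than per flow is what keeps a chunked transfer from slipping under the threshold.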