Hi, is there a way to exclude only application/pkix-cert from files.log?

Thanks in advance

You may find these walkthroughs helpful.


This is what I do. It allowed me to cut the number of files events by
like 70% and the total SIEM intake by a whopping 30%.

You most definitely want to filter those out. Be aware there are some
drawbacks, though, like you just lost the trivial ability to correlate
x509-files-ssl, but you combat that by correlating the "id" field from
the x509 log with the cert_chain_fuids field from the ssl.log.

module LogFilter;

event bro_init()
    {
    # The default filter writes every Files::Info record to files.log, so
    # remove it and replace it with one whose predicate rejects certificate
    # files. The certificates themselves are still recorded in x509.log.
    Log::remove_default_filter(Files::LOG);

    Log::add_filter(Files::LOG, [$name = "files-noise",
                                 $pred(rec: Files::Info) = {
                                     # Keep the record (T) unless its MIME type is
                                     # one of the certificate types.
                                     if ( rec?$mime_type &&
                                          ( rec$mime_type == "application/pkix-cert" ||
                                            rec$mime_type == "application/x-x509-ca-cert" ||
                                            rec$mime_type == "application/x-x509-user-cert" ) )
                                         return F;

                                     return T;
                                 }]);
    }
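Once certificate files no longer appear in files.log, the ssl-to-x509 correlation the reply mentions has to be done directly between ssl.log and x509.log. The Python below is an added example, not code from the original post or from the Bro/Zeek project: it parses the two logs in Zeek's default ASCII TSV layout (honouring the #set_separator, #unset_field, #empty_field, #fields and #types headers) and joins each session's cert_chain_fuids to the id column of x509.log, reporting the chain subjects, any file ids with no matching x509 record, and whether the leaf certificate is self-signed. The log excerpts are constructed samples with only the columns needed for the join.

```python
"""Re-correlate Zeek ssl.log and x509.log once certificates are gone from files.log.

Added example, not code from the original post. It assumes Zeek's default
ASCII TSV log layout ('#fields'/'#types' headers, ',' as set separator,
'-' for unset fields). The log excerpts below are constructed samples.
"""
from typing import Dict, List, Optional

Record = Dict[str, object]

# Constructed ssl.log excerpt: only the columns needed for the join are kept.
SSL_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tssl\n"
    "#fields\tts\tuid\tid.orig_h\tid.resp_h\tserver_name\testablished\tcert_chain_fuids\n"
    "#types\ttime\tstring\taddr\taddr\tstring\tbool\tvector[string]\n"
    "1600000000.100000\tCabc1\t10.0.0.5\t93.184.216.34\texample.com\tT\tFleaf1,Fint1\n"
    "1600000001.200000\tCabc2\t10.0.0.6\t10.9.8.7\t-\tT\tFself1,Fgone1\n"
    "1600000002.300000\tCabc3\t10.0.0.7\t10.9.8.8\t-\tF\t-\n"
    "#close\t2020-09-13-12-00-00\n"
)

# Constructed x509.log excerpt. 'id' is the file id (fuid) of the certificate,
# which is what cert_chain_fuids in ssl.log refers to.
X509_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tx509\n"
    "#fields\tts\tid\tcertificate.serial\tcertificate.subject\tcertificate.issuer\tsan.dns\n"
    "#types\ttime\tstring\tstring\tstring\tstring\tvector[string]\n"
    "1600000000.100000\tFleaf1\t0A1B2C\tCN=example.com\tCN=Example Intermediate CA\texample.com,www.example.com\n"
    "1600000000.100000\tFint1\t0D0E0F\tCN=Example Intermediate CA\tCN=Example Root CA\t-\n"
    "1600000001.200000\tFself1\t01\tCN=self-signed\tCN=self-signed\t-\n"
    "#close\t2020-09-13-12-00-00\n"
)


def parse_zeek_tsv(text: str) -> List[Record]:
    """Parse a Zeek ASCII log into dicts, honouring the header directives.

    Unset fields become None; vector/set columns become Python lists.
    """
    set_sep, unset, empty = ",", "-", "(empty)"
    fields: List[str] = []
    types: List[str] = []
    records: List[Record] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition("\t")
            if key == "set_separator":
                set_sep = value
            elif key == "unset_field":
                unset = value
            elif key == "empty_field":
                empty = value
            elif key == "fields":
                fields = value.split("\t")
            elif key == "types":
                types = value.split("\t")
            continue
        rec: Record = {}
        for name, typ, raw in zip(fields, types, line.split("\t")):
            if raw == unset:
                rec[name] = None
            elif typ.startswith(("vector[", "set[")):
                rec[name] = [] if raw == empty else raw.split(set_sep)
            else:
                rec[name] = raw
        records.append(rec)
    return records


def correlate(ssl_text: str, x509_text: str) -> List[Record]:
    """Join each SSL session to its certificates: ssl.cert_chain_fuids -> x509.id.

    One summary per session: chain subjects in the order the server sent them,
    fuids with no x509 record, and whether the leaf is self-signed.
    """
    certs = {rec["id"]: rec for rec in parse_zeek_tsv(x509_text)}
    summaries: List[Record] = []
    for sess in parse_zeek_tsv(ssl_text):
        fuids = sess.get("cert_chain_fuids") or []
        chain = [certs[f] for f in fuids if f in certs]
        leaf: Optional[Record] = chain[0] if chain else None
        summaries.append({
            "uid": sess["uid"],
            "server_name": sess["server_name"],
            "chain_subjects": [c["certificate.subject"] for c in chain],
            "missing_fuids": [f for f in fuids if f not in certs],
            "leaf_self_signed": leaf is not None
            and leaf["certificate.subject"] == leaf["certificate.issuer"],
        })
    return summaries


if __name__ == "__main__":
    for row in correlate(SSL_LOG, X509_LOG):
        print(row)
```

The join key is the same one the reply names: x509.log's id column is the fuid of the certificate file, and ssl.log's cert_chain_fuids lists those fuids in the order the server presented the chain, so the first element is the leaf. A fuid with no x509 record (Fgone1 in the sample) is reported rather than silently dropped, since in practice that usually means the x509 log rotated separately or the certificate failed to parse.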