Our use case for this is more along the lines of looking at logs ingested through Splunk and being able to filter on the name of an exception list, without taking into account the checks for it. We want to see if a rule has been used, maybe to help us determine whether an exception list is used (still used, or perhaps when it was last used) or which one is the most used; find a rule and then filter on particular servers; or filter out when a particular one was used so we can correlate other events, among other uses.