-
Title
How to blackout a specifc rule for a specific host -
Description
Is it possible to blackout a specific rule for a specific host?
By default it is possible to blackout a specific rule for all hosts, and blackout all rules on a specific host. -
Resolution
Select the rule to blackout for the specific host, open the Rule Definition tab and hit the Scoping Query Editor option. A list of instances to which the rule applies will be displayed. Select all of the instances to ignore (such as <hostname> <agentID> <agentName> Windows_System System_Table), and then press Insert Query.
The Rule Scope will look something like:
Windows_System_System_Table (uniqueId=dc961417-514c-46b0-acca-dfa45007dab6) or (uniqueId=55223054-943e-4d45-894e-faa7e4fe0553)
Next insert the word where between Windows_System_System_Table and the rest of the string. Then change the = to != for all the uniqueIds, and change the ors to ands.
It should look like this after you are done:
Windows_System_System_Table where
(uniqueId!=dc961417-514c-46b0-acca-dfa45007dab6) and
(uniqueId!=55223054-943e-4d45-894e-faa7e4fe0553)
Then finally select the validate button to ensure that the scoping string is valid.