Hi all.
I'm trying to exclude certain files from a FileWatch detection policy on certain assets, yet allow it for others.
For example:
I have a base policy with a filewatch rule to check for modifications in this path: /someApp/configs/*
On some servers (assets) I want to ignore certain files within that path /someApp/configs/log.txt
On other assets I do NOT want to ignore those files.
Is there a way to 'stack' detection policies so that I can use the base policy throughout the environment and apply a second policy containing the path and file names of those to be ignored?
What I've done so far:
- Created the Base (Master) policy and applied it at the group level
- Created the second (custom) policy and applied that to an individual asset within the above-mentioned group
I'm still getting events returned from the Base policy. The 'ignore' part of the custom policy seems to have no effect.
Any help or ideas will be appreciated.
Thanks!
Will