Endpoint Protection

  • 1.  View NTP logs all BUT certain IP

    Posted Aug 14, 2013 12:53 PM

    This is NOT about a rule at all. Nothing to do with blocking or not, configuring the firewall or IPS, etc.
    This is about VIEWING the logs - the results. VIEWing, choosing what to NOT view.

    Scenario - SEP management console.
    Choose Monitors tab on the left.
    Choose Logs tab on the top.
    Under "What type of log would you like to see?" choose Network Threat Protection from the Log type dropdown.
    Choose "attacks" from Log content dropdown.
    Under "What filter settings would you like to use?" choose any time you like - I picked "Past Week".
    Severity - choose Critical from the dropdown.
    The QUESTION - How can I view all entries that this would show EXCEPT a certain IP address under "Remote IP address".
    The default is * - meaning show ALL log entries related to attacks in the past week that were critical in severity involving ANY remote IP address.
    I want to EXCLUDE certain remote IP addresses as there's a test that runs on occasion that triggers dozens of "attack" entries. That's fine, that's what I hope, however, when I view the logs as above, I want to view everything EXCEPT that IP address.
    Actually you can apply that request to most logs, be it application control, device control, NTP, etc. - how can I view logs but choose to NOT view those related to a certain computer or certain remote host or IP address?
    Say a computer has a problem that causes it to generate numerous entries in the application control logs - I use all of the above list but choose application control and not NTP/attacks - and want to see all entries for application control EXCEPT for a computer named "his-computer".

    Is there a way to create a NEGATIVE filter, so far all I see are "positive" filters - "include", I see no "exclude" available.
    Where there is a * by default, I want to put in <>10.111.222.12 for example and view all log entries except those involving that IP.
    Or for some application control checks, I want to put in <>COMPUTERNAME  (or ! COMPUTERNAME )
    I guess if there is no such thing - I'm pretty surprised - but perhaps not really, as the logging/reporting doesn't allow you to receive alerts on just BLOCKED devices, either - it's all detected, be it allowed or not, or get no reports at all.

    I'm hoping this isn't a limitation on SEP logs - logs are the most important tool for me and my work.
    Without logs, I'd never be able to claim 29 months VIRUS FREE here (protecting 350 users who like to click anything that remotely resembles a link...).




  • 2.  RE: View NTP logs all BUT certain IP

    Posted Aug 14, 2013 01:01 PM

    I've never found a way to do excludes in the filtering using wildcards. If there is, I would love to see it.

    Per the Help link in SEPM:

    The filter option fields that accept wildcard characters and search for matches are not case sensitive. The ASCII asterisk character is the only asterisk character that can be used as a wildcard character.

    So I think that says it right there...



  • 3.  RE: View NTP logs all BUT certain IP

    Posted Aug 14, 2013 02:57 PM

    Basic requirement in day to day operations.
    I always export the logs and do a VLOOKUP in Excel; that's how it's been working for me so far....




  • 4.  RE: View NTP logs all BUT certain IP

    Posted Aug 15, 2013 10:00 AM

    Sorry, but with all due respect, that's not a solution, it's a "work around" for something that's not right.
    I don't have time, every time I want to see certain things in the logs, to do an export, pull it into Excel and sort. That's the job of the built-in logging and reporting. I'd be exporting several times a day in some cases.

    Since the days of SAV, SEP has had almost worthless alerting and reporting, and I'm not the only one saying that. SEP reports seem to me to be made for those management types who are clueless about details but love pretty pie charts. I want a report that's got meat and potatoes.

    I should be able to hit that monitors tab any time of the day, several times a day if necessary, and filter the logs to show me a list of items I'm looking for. Part of the reason we remain virus free for over 28 months is also because we monitor - we see what folks are up to. We've got to monitor logs and try to check reports because the SEP alerting is also worthless and broken. The product does protect (with proper configuration) but it really doesn't tell you much else without jumping through hoops.

    I need to take a quick look at what's going on several times a day. Our people click anything that looks cool or appears to be a link - apparently fearing they might miss out on something, I dunno, but it's like having to watch over beginners, so the logging and reporting is at least as useful as any other tool could be. However, in the case of SEP, it's missing so many obvious things that are available in other products. If it wasn't for the great protection, the reporting, logging and ALERTING sure couldn't stand on their own. The alerting is worthless, the Monitors/logs are nearly so at times, especially without the ability to filter to the negative - to EXclude things or give it multiple criteria. It's all or 1.

    I'd also add - you get all or 1 for severity level - and yet OTHER PRODUCTS allow "warning or above", for example. Not SEP - it's either critical, OR major, OR minor, OR informational. Why not "major and above"?? Seriously, we've got a number of other products that handle logs that allow that sort of filtering. They give us choices. They don't put us in a box and say "here's the reports any way you like them, as long as you like them like we do". That's the Henry Ford method - any color you want as long as it's black. SEP is "any report you want as long as it's one of our own standard favorites".
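    The two things the thread asks for and the console does not offer - a negative filter on remote IP or computer name (post 1) and a "major and above" severity threshold (post 4) - are easy to apply to an exported log, which is the route post 3 takes with Excel. The following is an added example, not code from the thread or from Symantec; it assumes a CSV export with the column headers shown in the constructed sample (the real SEPM export schema may differ, so adjust the header names) and an ordering of the four severity levels named in the thread.

```python
import csv
import io
import ipaddress

# Ordering of the four severity levels named in the thread, so that
# "major and above" can be expressed as a threshold instead of a single value.
SEVERITY_RANK = {"Informational": 0, "Minor": 1, "Major": 2, "Critical": 3}

# Constructed sample in the shape of a CSV log export. The column names are
# assumed for this example and are not the real SEPM export schema.
SAMPLE_EXPORT = """\
Time,Severity,Computer Name,Remote IP,Event
2013-08-13 09:12:01,Critical,WS-101,10.111.222.12,Port scan
2013-08-13 09:12:02,Critical,WS-101,10.111.222.12,Port scan
2013-08-13 10:40:17,Major,WS-204,192.0.2.55,Denial of service
2013-08-13 11:02:44,Minor,his-computer,198.51.100.7,Application blocked
2013-08-14 08:15:09,Critical,WS-310,203.0.113.9,Buffer overflow attempt
2013-08-14 08:30:00,Informational,WS-310,203.0.113.9,Scan
"""


def parse_export(text):
    """Read an exported log (CSV text with a header row) into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def filter_events(rows, exclude_ips=(), exclude_hosts=(), min_severity="Informational"):
    """Apply a negative filter plus a severity floor to exported log rows.

    exclude_ips   - addresses or CIDR ranges whose rows are dropped
                    (e.g. "10.111.222.12" or "10.111.222.0/24")
    exclude_hosts - computer names whose rows are dropped (case-insensitive)
    min_severity  - keep rows at this severity or above ("Major" = major and above)
    """
    nets = [ipaddress.ip_network(x, strict=False) for x in exclude_ips]
    hosts = {h.lower() for h in exclude_hosts}
    threshold = SEVERITY_RANK[min_severity]
    kept = []
    for row in rows:
        rank = SEVERITY_RANK.get(row["Severity"])
        # Unknown severity labels are kept rather than silently discarded,
        # so a schema change does not hide events from the analyst.
        if rank is not None and rank < threshold:
            continue
        if row["Computer Name"].lower() in hosts:
            continue
        try:
            addr = ipaddress.ip_address(row["Remote IP"].strip())
        except ValueError:
            addr = None  # blank or non-IP field: nothing to exclude on
        if addr is not None and any(addr in net for net in nets):
            continue
        kept.append(row)
    return kept


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    # Post 1's case: critical attack entries, everything EXCEPT the test host's IP.
    for row in filter_events(rows, exclude_ips=["10.111.222.12"], min_severity="Critical"):
        print(row["Time"], row["Severity"], row["Computer Name"], row["Remote IP"], row["Event"])
    # Post 4's case: "major and above", also ignoring the whole test subnet.
    for row in filter_events(rows, exclude_ips=["10.111.222.0/24"], min_severity="Major"):
        print(row["Time"], row["Severity"], row["Computer Name"], row["Remote IP"], row["Event"])
```

Exclusions are given as CIDR ranges as well as single addresses, which covers a test host that changes address within a lab subnet; the same function handles the application control case by passing the noisy machine in `exclude_hosts`.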