Former Member
Not applicable
Message 1 of 10

Correlation rules and regex/contains filter options

A very simple question but having a hard time to find the answer. Can a correlation rule -> match component contain regex or contains() filters to trigger on a part of a value?

example: contains(admin) for a source user.

If not, are there any other ways to trigger on a part of a value in a correlation rule?

9 Replies
Former Member
Not applicable
Message 2 of 10

Re: Correlation rules and regex/contains filter options

Looks like that contains and regex are limited to "random string" fields. "string" fields (like source user) do not have the option for regex/contains. Is there still a way to filter on a specific value for a source user or any other string field?

alexander_h
Reliable Contributor
Message 3 of 10

Re: Correlation rules and regex/contains filter options

Source Type: Select the type of source the search should run against. The remaining fields on the page will vary based on the type you select. Most of them are self-explanatory.

If you select ESM Strings, it searches the StringMap table, which contains strings found in events. If you select ESM Rule Names, it searches the rule messages from the Rule table, which contains a short description of the rule. When you select these types, enter the regular expression or string search criteria in the Search field. Searches are case sensitive by default. To perform a case-insensitive search, surround your search string or regular expression with forward slashes followed by i, such as /Exploit/i.

alexander_h
Reliable Contributor
Message 4 of 10

Re: Correlation rules and regex/contains filter options

Hi Robert,

I'm doing something similar with Dynamic watchlists,

You can use some ESM strings to match.

For example, if you specify only "(adm\w{2})" it will return results for all accounts encountered in events containing that string (seems like it works with Regex).

Let me know how it goes

Former Member
Not applicable
Message 5 of 10

Re: Correlation rules and regex/contains filter options

Hi Alexander,

hmmm... I'll give it a shot tomorrow and see what comes out

I'll post the results.

Former Member
Not applicable
Message 6 of 10

Re: Correlation rules and regex/contains filter options

Okay, so I can't input ESM strings into "string" fields in correlation rules. Well... I can, but it won't work. But using Dynamic watchlists and ESM strings you can get the same results and then use the watchlist or lists in the correlation rule. Tried it and it works.

So when you have a correlation rule and need to trigger on a part of a value:

- if the field is of the type "random string" you can select contains or regex and then type the value/string on what needs to be triggered.

- if the field is of the type "string" you will need to create a dynamic watchlist with source "esm strings"; the fields (types) that you can choose on the last tab are of the type "string"

Thanks for the help Alexander! You pushed me in the right direction!

alexander_h
Reliable Contributor
Message 7 of 10

Re: Correlation rules and regex/contains filter options

It's good experience for all of us

Former Member
Not applicable
Message 8 of 10

Re: Correlation rules and regex/contains filter options

Hello,

How did you make the contains(admin) case insensitive when you input it in the search field for the dynamic whitelist?

r_gine
Level 9
Message 9 of 10

Re: Correlation rules and regex/contains filter options

I know I'm a couple of years late but I'm still running into a similar issue....

We monitor for Windows Security Groups that are created outside of a group of users authorized to create domain groups in our environment. We do not want to alert when the group created starts with 'sd -' (for software distribution groups).

So our rule is:

Signature ID (in) 43-263047540, 43-263047270,43-263047310

Source User (not in) [group of users authorized to make security groups]

Object (not in) [regex(SD|sd).*]

Unfortunately this is not working.

'Object' is a 'String' data type. I'm having a hard time wrapping my head around building a dynamic watchlist for this.

Thanks for any help/suggestions!

-Ryan

Former Member
Not applicable
Message 10 of 10

Re: Correlation rules and regex/contains filter options

Noted in a previous post:

When you have a correlation rule and need to trigger on a part of a value:

- if the field is of the type "random string" you can select contains or regex and then type the value/string on what needs to be triggered.

- if the field is of the type "string" you will need to create a dynamic watchlist with source "esm strings"; the fields (types) that you can choose on the last tab are of the type "string"
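To make the matching behaviour discussed in this thread concrete, here is an added Python emulation (not code from the thread or from McAfee ESM) of the search-field syntax described in message 3, applied to the watchlist cases from messages 4 and 9 with constructed sample values. It assumes a plain pattern is matched case-sensitively anywhere in the value and that /pattern/i is the only modifier; ESM's own matching engine may differ in details.

```python
import re
from typing import List


def compile_esm_search(expr: str) -> re.Pattern:
    """Emulate the ESM Strings search syntax from message 3 (an assumption,
    not ESM's engine): a bare string or regex is case-sensitive; wrapping it
    as /pattern/i makes it case-insensitive."""
    wrapped = re.fullmatch(r"/(.*)/i", expr, re.DOTALL)
    if wrapped:
        return re.compile(wrapped.group(1), re.IGNORECASE)
    return re.compile(expr)


def matches(expr: str, values: List[str]) -> List[str]:
    """Values a dynamic watchlist built from `expr` would collect.
    search() is unanchored, i.e. a 'contains'-style match."""
    pattern = compile_esm_search(expr)
    return [v for v in values if pattern.search(v)]


def still_alerting(exclude_expr: str, objects: List[str]) -> List[str]:
    """Objects that survive an 'Object (not in) <watchlist>' condition,
    i.e. the ones the rule would still fire on."""
    excluded = set(matches(exclude_expr, objects))
    return [o for o in objects if o not in excluded]


# Constructed sample values, not taken from the thread.
SOURCE_USERS = ["admin", "Administrator", "dbadmin", "jsmith", "ADM01"]
GROUP_NAMES = ["sd - office suite", "SD - browser",
               "Domain Admins", "Linux BSD Admins"]

if __name__ == "__main__":
    # Message 2/8: a plain 'admin' search is case-sensitive; /admin/i is not.
    print(matches("admin", SOURCE_USERS))
    print(matches("/admin/i", SOURCE_USERS))
    # Message 4: the (adm\w{2}) regex from alexander_h.
    print(matches(r"(adm\w{2})", SOURCE_USERS))
    # Message 9: (SD|sd).* is unanchored, so it also excludes any group whose
    # name merely contains those letters; /^sd -/i limits the exclusion to
    # names that start with 'sd -' regardless of case.
    print(still_alerting("(SD|sd).*", GROUP_NAMES))
    print(still_alerting("/^sd -/i", GROUP_NAMES))
```

With the constructed names, the unanchored `(SD|sd).*` watchlist also swallows "Linux BSD Admins", so that group creation would never alert; anchoring the pattern keeps the exclusion to the software distribution groups the rule is meant to ignore.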
