
Custom types in drilldown

Hello guys

I wonder why I can't find custom types like "User_agent", "Referer" in drilldown.

[Screenshot: no user agent field]

[Screenshot: no referer field]

6 Replies
abanaru
Level 11
Message 2 of 7

Re: Custom types in drilldown

I'm interested in the reason as well. For example, when doing drill-down on 43-263046630, which is for files audit on Windows, I would like to drill down on Destination_Filename and not on Object. Also, Access_Privileges is missing from the drill-down as well...

sssyyy
Reliable Contributor
Message 3 of 7

Re: Custom types in drilldown

I think because these are not indexed fields.

abanaru
Level 11
Message 4 of 7

Re: Custom types in drilldown

You are correct. I've tried adding a new Custom Type, and inside the description it's stated that "Non-indexed string types will be filterable by regular expression only."

A quick validation on this can be done by creating a new custom type with indexing enabled and another with indexing disabled. The one with indexing enabled will be usable in drill-downs; as for the disabled one, it will not appear.

Valid for custom aggregation fields as well: if it's indexed, you can aggregate data based on it.

Re: Custom types in drilldown

Hi Comader,

What are you trying to accomplish with the "Referer"?

Are you trying to see if somebody web scraped your website and now is using it to phish credentials, and when they use it on their malicious site it sends a Referer to your web login page? A possible action could be to tail the log file the Referer is in and then create a log parser to pull data out and alert on it.
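The log-parser idea from the reply above, as an added example that is not part of the original post or of any McAfee tooling: it flags requests to a login page whose Referer points to a host you do not own. The combined access-log format, the `OWN_HOSTS` set, the `LOGIN_PATH` value and the sample lines are all assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed values for illustration (not from the thread): your own hosts and login path.
OWN_HOSTS = {"example.com", "www.example.com"}
LOGIN_PATH = "/login"

# Assumed input: Apache/Nginx "combined" access-log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def foreign_referer(line):
    """Return an alert dict when a login-page hit carries an off-site Referer."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # not a combined-format line
    try:
        path = urlsplit(m["path"]).path.rstrip("/")
        host = (urlsplit(m["referer"]).hostname or "").lower()
    except ValueError:
        return None  # malformed URL in the request line or the Referer
    # An empty host covers "-" (no Referer sent) and scheme-less values.
    if path != LOGIN_PATH or not host or host in OWN_HOSTS:
        return None
    return {"client": m["ip"], "time": m["ts"],
            "referer_host": host, "user_agent": m["ua"]}

def scan(lines):
    """Run the check over any iterable of log lines, e.g. a tailed file."""
    return [a for a in map(foreign_referer, lines) if a]

# Constructed sample lines (documentation IP ranges and .test domains).
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Mar/2024:10:01:02 +0000] "GET /login HTTP/1.1" 200 5120 "https://www.example.com/" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Mar/2024:10:02:11 +0000] "GET /login?src=mail HTTP/1.1" 200 5120 "https://examp1e-portal.test/signin" "Mozilla/5.0"',
    '203.0.113.20 - - [12/Mar/2024:10:03:40 +0000] "GET /index.html HTTP/1.1" 200 900 "https://search.test/?q=x" "Mozilla/5.0"',
    '198.51.100.8 - - [12/Mar/2024:10:04:05 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The Referer header is client-supplied and can be suppressed by the referring page's Referrer-Policy, so a quiet log does not rule out a cloned login page.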

Re: Custom types in drilldown

How can I index these two custom files? Destination_Filename, Access_Privileges

I can't edit.

I tried export, change and import, but I was ignored by the SIEM lol

xded
Level 12
Message 7 of 7

Re: Custom types in drilldown

You can't.
The only option you have is to add a new custom type like destination_filename2.
