avjana
Level 7
Message 1 of 8

How can you define the watch list to be case insensitive

How can I define the watch list to be case insensitive for the source user or destination user type?

Thank you..

Jana

7 Replies
aszotek
Level 10
Message 2 of 8

Re: How can you define the watch list to be case insensitive

Can you please provide the scenario for use of this watchlist?

You can populate dynamic watchlist with case-insensitive regex. Not sure if this is your intention.

avjana
Level 7
Message 3 of 8

Re: How can you define the watch list to be case insensitive

Thank you for the quick reply.

Here is my scenario: I have a watchlist for a specific list of users and built the correlation rule in reference to that watchlist for any account lockouts.

What I found is that if the user typed the username with a different case than what's in the watchlist, the rule is not triggering events.

When I do a filter search, we have the option of selecting "Aa" to do a case-insensitive search. How can we do this in a watchlist?

The watchlist is a static watchlist.

Appreciate your help !!

Re: How can you define the watch list to be case insensitive

Watchlists would not allow for this functionality at this time. The way I have set up rules where this is a requirement: I have set up my filters in the ESM View to use the names not in the watchlist, where the rest of my filters are set according to the correlation rules, and then use the event drill down > Application > Source user summary to identify all user names triggering that are not on the watchlist, and start selecting the usernames that need to be added to it.

It is a tedious process, but the only solution at this time with the limitation of non-case sensitive watchlist functions.

Re: How can you define the watch list to be case insensitive

I'm just curious to know why you are using a watchlist to report on account lockouts. I just created a report in our environment filtering on Sig ID & Normalized ID, that fires every hour, and emails the report to our help desk.

avjana
Level 7
Message 6 of 8

Re: How can you define the watch list to be case insensitive

Thank you all for the response. I have a fixed list of high-privileged accounts that I need to create an alarm for on an account lockout or usage of these accounts. What I found is that whenever they use the account with a different case, it didn't trigger the alarm.

I couldn't just use Sig ID with Normalized ID for these accounts, as I would be restricting only to account lockouts.

Ryan, could you please provide more details on how you used the views in correlation rules? The solution you provided might work for me, but I am trying to understand how to set it up.

Example of my scenario:

Let's say the accounts I have are:

peter2

greg2

john3

These users are system accounts with admin privileges. They shouldn't be used unless some admin activity is being performed. I would like to get alarms whenever these accounts have been used for any purpose. I did set up the alarms with the above watchlist.

If they use the account as Peter2, I didn't get an alarm as it didn't match the watchlist. I am trying to set it up in such a way that any combination of these accounts being used should trigger the alarm.

Thank you so much in advance for your help !!

xded
Level 12
Message 7 of 8

Re: How can you define the watch list to be case insensitive

You can set the condition on a field match and then fill this condition from your Active Directory.

[Image: User Activity.png]

Or set your own variables, and then set the alarm on all devices.

[Image: Useractivitydevice.png]

protah
Level 7
Message 8 of 8

Re: How can you define the watch list to be case insensitive

Depending on how your accounts are named, you can use a dynamic watchlist, select "source type = ESM Strings", and use the regex example below:

Account Name:

Aab123

aab123

AAb123

String:

/(\w{3}\d)/i

RegExr: Learn, Build, & Test RegEx

But other than that workaround, Ryan is correct.
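Added illustration (not code from the thread or from McAfee ESM) of the two behaviours discussed above: the literal comparison a static watchlist does, against a case-insensitive regex built from the same account names. It assumes a PCRE-like regex engine, as the `/.../i` example in the previous reply does, and uses the three account names from the thread as a constructed watchlist.

```python
import re

# Constructed sample: the privileged accounts named earlier in the thread.
WATCHLIST = ["peter2", "greg2", "john3"]

# Constructed sample of source-user values as they might appear in events.
EVENTS = ["peter2", "Peter2", "GREG2", "john30", "abcd1", "svc.backup"]


def static_match(user, watchlist=WATCHLIST):
    """What the thread reports for a static watchlist: a literal, case-sensitive comparison."""
    return user in watchlist


def build_watchlist_regex(watchlist=WATCHLIST):
    """Build one anchored, case-insensitive pattern from the watchlist entries.

    re.escape keeps names containing '.', '$' or '-' literal, and the anchors
    stop 'john3' from also matching 'john30'.
    """
    alternation = "|".join(re.escape(name) for name in watchlist)
    return re.compile(rf"^(?:{alternation})$", re.IGNORECASE)


def regex_match(user, pattern):
    """Case-insensitive exact match of a source user against the watchlist pattern."""
    return pattern.fullmatch(user) is not None


# The pattern from the last reply: any three word characters followed by a digit.
# It is case-insensitive, but it also matches names that are not on the watchlist.
BROAD = re.compile(r"(\w{3}\d)", re.IGNORECASE)


def broad_match(user):
    return BROAD.search(user) is not None


def hits(events, matcher):
    """Return the events a given matcher would alarm on."""
    return [e for e in events if matcher(e)]


if __name__ == "__main__":
    pattern = build_watchlist_regex()
    print("static   :", hits(EVENTS, static_match))
    print("regex    :", hits(EVENTS, lambda e: regex_match(e, pattern)))
    print("broad /i :", hits(EVENTS, broad_match))
```

The anchored alternation fires on Peter2 and GREG2 but not on john30 or abcd1, whereas `/(\w{3}\d)/i` fires on abcd1 as well, so a pattern derived from the real names is the safer choice when the account list is fixed.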
