I'm trying to filter a view using "contains(00:03:93,00:05:02,00:0A:27)", three comma-separated partial OUIs, on the filter field "Source MAC", but I get the error Invalid Mac Address (ER1024). I'm trying to search for Apple OS OUIs to see how many Apple users we have. I tried using regex as well, but that does not work either. Is there a better way to do this?
Because the source MAC address is not a string field, you cannot achieve what you want just by using the contains or regex function.
I'm afraid that you have to export all MAC addresses from your ESM, filter this data, and then you can use a static watchlist for ESM filter purposes.
To automate that you can also use an "execute remote command" - but only for new events.
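The filtering step of the export-and-watchlist approach above, as an added example that is not part of the original answer: it normalizes exported MAC values, keeps those under the three OUIs from the question, and de-duplicates them. The export is assumed to be a plain list of MAC strings and the output one value per line; `normalize_mac`, `build_watchlist` and the sample data are hypothetical names and constructed values.

```python
import re
from collections import Counter

# The three partial OUIs from the question (first three octets of the MAC).
OUIS = ("00:03:93", "00:05:02", "00:0A:27")

_HEX12 = re.compile(r"^[0-9A-F]{12}$")

def normalize_mac(raw):
    """Return the MAC as upper-case AA:BB:CC:DD:EE:FF, or None if it is not a MAC.

    Accepts colon, hyphen, dotted (aabb.ccdd.eeff) and bare-hex spellings.
    """
    digits = re.sub(r"[:\-.\s]", "", raw).upper()
    if not _HEX12.match(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def build_watchlist(exported_values, ouis=OUIS):
    """Filter exported MACs by OUI; return (sorted unique MACs, count per OUI)."""
    wanted = {normalize_mac(o + ":00:00:00")[:8] for o in ouis}
    matches = set()
    for value in exported_values:
        mac = normalize_mac(value)
        if mac and mac[:8] in wanted:
            matches.add(mac)
    per_oui = Counter(mac[:8] for mac in matches)
    return sorted(matches), per_oui

# Constructed sample standing in for the exported "Source MAC" column.
SAMPLE_EXPORT = [
    "00:03:93:1a:2b:3c",
    "00-05-02-AA-BB-CC",
    "000a.27de.ad01",
    "00:03:93:1A:2B:3C",   # duplicate of the first entry, different case
    "3C:5A:B4:00:11:22",   # different OUI, must be dropped
    "not-a-mac",           # junk row, must be ignored
]

if __name__ == "__main__":
    watchlist, per_oui = build_watchlist(SAMPLE_EXPORT)
    print("\n".join(watchlist))          # one value per line for the watchlist
    for oui, n in sorted(per_oui.items()):
        print(f"# {oui}: {n} device(s)")
```

The per-OUI counts give the device total the question asks for directly from the export, independent of the watchlist.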