Level 9
Message 1 of 6

How to Wildcard a Domain value

I am trying to determine if it is possible to do regex or contains() matching on the Domain field in a Correlation rule.

For example, if I am looking for the espn.com domain I cannot find it with just searching for espn.com. Users are rerouted to espncdn.com or something similar. In the dashboard view the only way to see it is to search like this: Domain = contains(espn). However, I cannot do this in a correlation rule.

Is there a way to put the domain in either a watchlist or a correlation rule with wildcards? Could I do something like *espn*? I have been attempting to test several different ways of doing this and cannot figure it out.

Thanks!!

5 Replies
Reliable Contributor
Message 2 of 6

Re: How to Wildcard a Domain value

Hi

In correlation there isn't a way to add REGEX

"just" in the URL field.

If your domain data is not in the URL field you could try creating a dynamic watchlist that contains these values, and add them to the correlation rule.

Hope I helped

Level 9
Message 3 of 6

Re: How to Wildcard a Domain value

The problem with using REGEX or the Contains() function is that you cannot imply the inverse. 

What I mean by this is that if I use the REGEX option I CANNOT use the 'Not In' operator. My goal is to whitelist a domain, which should be as easy as saying:

Domain | Not In | *.google.com

However, because we cannot use wildcards and we cannot use REGEX in conjunction with Not In, this seems like another simple task ESM is not capable of...

Reliable Contributor
Message 4 of 6

Re: How to Wildcard a Domain value

Hi,

The problem with regex is that it's meant to be a matching language,

but here you're trying to perform a kind of negative search...

But I think I found a way to go around it. Tell me if it worked for you.

try this:

^((?!espn).)*$

Thank you.
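To see what the posted pattern actually matches, here is an added Python example (my own code, not from this thread or from McAfee ESM). The NOT_GOOGLE pattern is my assumption of how the earlier "Domain | Not In | *.google.com" case could be expressed with a negative lookahead, and the sample domains are constructed.

```python
import re

# Pattern posted above: matches any value that does NOT contain "espn".
NOT_CONTAINS_ESPN = re.compile(r"^((?!espn).)*$")

# Assumed equivalent of "Domain | Not In | *.google.com": matches any domain
# that is NOT google.com itself or a subdomain of it. Anchoring on "$" keeps
# look-alikes such as google.com.evil.example outside the whitelist.
NOT_GOOGLE = re.compile(r"^(?!(?:[^.]+\.)*google\.com$).*$")

# Constructed sample domains for the demonstration.
SAMPLE_DOMAINS = [
    "espn.com",
    "espncdn.com",
    "example.com",
    "google.com",
    "mail.google.com",
    "evilgoogle.com",
    "google.com.evil.example",
]


def not_contains_espn(domain: str) -> bool:
    """True when the domain would pass the ^((?!espn).)*$ rule."""
    return NOT_CONTAINS_ESPN.fullmatch(domain) is not None


def not_under_google(domain: str) -> bool:
    """True when the domain is neither google.com nor one of its subdomains."""
    return NOT_GOOGLE.fullmatch(domain) is not None


def still_fires(domains, pattern: re.Pattern) -> list:
    """Return the domains that are NOT excluded by a negative-lookahead pattern,
    i.e. those a correlation rule using that pattern would still act on."""
    return [d for d in domains if pattern.fullmatch(d) is not None]


if __name__ == "__main__":
    print("not excluded by NOT_CONTAINS_ESPN:", still_fires(SAMPLE_DOMAINS, NOT_CONTAINS_ESPN))
    print("not excluded by NOT_GOOGLE:", still_fires(SAMPLE_DOMAINS, NOT_GOOGLE))
```

Whether ESM's rule engine supports lookahead at all is a separate question, as the following replies discuss; this only shows what the pattern means under a standard regex engine.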

Level 9
Message 5 of 6

Re: How to Wildcard a Domain value

David, 

I agree with you and in theory what you are posting should work. However, I went down this path a few weeks ago. I was trying to whitelist a directory in SIEM and did all sorts of Regex Kung Fu before I gave up. 

Here is the post that I made regarding that - https://community.mcafee.com/t5/Security-Information-and-Event/Whitelist-a-Directory-in-Alarm/m-p/60...

No matter how I tried to implement negative lookahead, the SIEM is not capable of handling it. I was not able to get the directory whitelisted.

Reliable Contributor
Message 6 of 6

Re: How to Wildcard a Domain value

Hi jp.

There's a lot of REGEX syntax that I tried in regex testers online and it worked perfectly!

But then when I'm transferring it to McAfee it's just not working.

I'm not so proud of the McAfee ESM.... I think there's a lot to tune and fix in the system.

Whoever feels the same should give a like!

It's time for McAfee to notice the users' feelings.
