I am trying to determine if it is possible to do regex or contains() matching on the Domain field in a Correlation rule.
For example, if I am looking for the espn.com domain I cannot find it with just searching for espn.com. Users are rerouted to espncdn.com or something similar. In the dashboard view the only way to see it is to search like this: Domain = contains(espn). However, I cannot do this in a correlation rule.
Is there a way to put the domain in either a watchlist or a correlation rule with wildcards? Could I do something like *espn*? I have been attempting to test several different ways of doing this and cannot figure it out.
In correlation there isn't a way to add REGEX, "just" in the URL field.
If your domain data is not in the URL field you could try creating a dynamic watchlist that contains these values, and add them to the correlation rule.
Hope I helped.
The problem with using REGEX or the Contains() function is that you cannot imply the inverse.
What I mean by this is that if I use the REGEX option I CANNOT use the 'Not In' operator. My goal is to whitelist a domain, which should be as easy as saying:
Domain | Not In | *.google.com
However, because we cannot use wildcards and we cannot use REGEX in conjunction with Not In, this seems like another simple task ESM is not capable of...
The problem with regex is that it's meant to be a matching language.
But here you're trying to perform kind of a negative search...
But I think I found a way to go around it. Tell me if it worked for you.
I agree with you and in theory what you are posting should work. However, I went down this path a few weeks ago. I was trying to whitelist a directory in SIEM and did all sorts of Regex Kung Fu before I gave up.
Here is the post that I made regarding that - https://community.mcafee.com/t5/Security-Information-and-Event/Whitelist-a-Directory-in-Alarm/m-p/60...
No matter how I tried to implement negative lookahead, the SIEM is not capable of handling it. I was not able to get the directory whitelisted.
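As an added illustration (this code is not from the thread and is not ESM syntax), the following shows what the two posts above are asking for in a regex engine that does support negative lookahead, Python's re module: a contains()-style match, a wildcard match such as *.google.com, and the inverse ("Domain | Not In | *.google.com") written as a single positive pattern. The glob-to-regex translation and the list of sample domains are constructed for this example; the thread reports that ESM's correlation engine did not accept patterns of this kind.

```python
import re

# Constructed sample of Domain field values (made up for this example, not ESM output).
SAMPLE_DOMAINS = [
    "www.espn.com",
    "a.espncdn.com",
    "mail.google.com",
    "google.com",
    "notgoogle.com",
    "google.com.evil.example",
    "cdn.example.net",
]


def glob_to_regex_body(pattern):
    """Translate a wildcard pattern such as '*.google.com' into regex text.

    Everything except '*' is escaped literally; '*' becomes '.*'. No anchors
    are added here so the result can be embedded in a larger expression.
    """
    return re.escape(pattern).replace(r"\*", ".*")


def contains_match(domains, needle):
    """Equivalent of the dashboard filter Domain = contains(needle)."""
    return [d for d in domains if needle.lower() in d.lower()]


def matches_wildcard(domains, pattern):
    """Positive match: Domain = pattern, with '*' as a wildcard.

    The pattern is anchored with ^ and $, so '*.google.com' matches
    'mail.google.com' but not the bare 'google.com' (no dot before it)
    and not 'google.com.evil.example'.
    """
    rx = re.compile("^" + glob_to_regex_body(pattern) + "$", re.IGNORECASE)
    return [d for d in domains if rx.match(d)]


def whitelist_regex(patterns):
    """Build one positive regex that matches every domain NOT in the whitelist.

    Uses a negative lookahead: the engine first checks that the whole value
    does not match any whitelist pattern, then consumes the value with .*.
    This expresses 'Domain | Not In | *.google.com' as a plain regex, for
    engines that support (?!...).
    """
    alternatives = "|".join(glob_to_regex_body(p) for p in patterns)
    return re.compile(rf"^(?!(?:{alternatives})$).*$", re.IGNORECASE)


def not_in_whitelist(domains, patterns):
    """Return the domains that would still fire a rule after whitelisting."""
    rx = whitelist_regex(patterns)
    return [d for d in domains if rx.match(d)]


if __name__ == "__main__":
    print("contains(espn):", contains_match(SAMPLE_DOMAINS, "espn"))
    print("wildcard *.google.com:", matches_wildcard(SAMPLE_DOMAINS, "*.google.com"))
    print("Not In google whitelist:",
          not_in_whitelist(SAMPLE_DOMAINS, ["*.google.com", "google.com"]))
    print("Not In *espn*:", not_in_whitelist(SAMPLE_DOMAINS, ["*espn*"]))
```

Two details worth checking before trusting any such whitelist: an unanchored contains(google) would also exclude notgoogle.com, which is why the patterns are anchored with ^ and $; and *.google.com on its own never matches the bare apex google.com, so the whitelist needs both entries.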
There's a lot of REGEX syntax that I tried in regex testers online and it worked perfectly!
But then when I'm transforming it to McAfee it's just not working.
I'm not so proud of the McAfee ESM.... I think there's a lot to tune and fix in the system.
Whoever feels the same should give a like!
It's time for McAfee to notice the users' feelings.