cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Highlighted
layer0
layer0
Level 8
Report Inappropriate Content
Message 1 of 5
‎02-09-2016 10:09 AM

How to change values in Watchlist

Hello

I have the following situation I want to create a rule from a watchlist that have machines names like "pcexample$" or "pczzyy$" this list is populated with events in Active Directory. I want to correlate this watchlist with events that i see in another data source, but in this data source the machine names are like "PCEXAMPLE" or "PCZZYY". How can i transform the data in a watchlist from "pcexample$" to "PCEXAMPLE"?

Thanks

0 Kudos
Reply
4 Replies
rgarrett
rgarrett
Level 9
Report Inappropriate Content
Message 2 of 5
‎02-09-2016 11:35 AM

Re: How to change values in Watchlist

Hi - Watchlists are case sensitive.  The best thing to do would be to open the Watchlist, go to values and export the data to a file. You can run a convert to uppercase (several editor do that) then add that as a new Watchlist.  I would then use both Watchlists in your rule, to catch both possibilities.

Reply
layer0
layer0
Level 8
Report Inappropriate Content
Message 3 of 5
‎02-10-2016 11:56 AM

Re: How to change values in Watchlist

Thank you, but i need an automatic way to do this, it's something that we have to do several times by day.

0 Kudos
Reply
xded
xded
Level 12
Report Inappropriate Content
Message 4 of 5
‎02-11-2016 12:56 AM

Re: How to change values in Watchlist

Hi Layer0,

you can extract all of your Hostname from the ESM. The thing is you need the right regex string.

Watchlist --> Add --> Dynamic--> Source --> ESM String --> your Regex --> value -->

Type --> Host

(Regex: its easy to regex the ESM string if you now a prequel from you hostnames like "xyz" or something else.

Your company Hostnames are like xyz1234

So you have a regex with ([xyz\d{0-3}]+)

0 Kudos
Reply
yassinezeroual
yassinezeroual
Level 10
Report Inappropriate Content
Message 5 of 5
‎05-03-2016 12:32 PM

Re: How to change values in Watchlist

Best solution

0 Kudos
Reply
More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator

    • Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community


    Corporate Headquarters
    2821 Mission College Blvd.
    Santa Clara, CA 95054 USA

    Consumer Support   |   Enterprise Support   |   McAfee.com

    Legal   |   Privacy   |   Copyright © 2019 McAfee, LLC