How to filter out on event

Hi Expert,

I would like to know how to filter out a watchlist on an event, for example filtering out the administrator user on AD events.

Thank you
6 Replies

Re: How to filter out on event

Hi Pattarachai,

I'm not sure I understand what you want...

but if you wish to filter out, in the receiver phase, all of the AD events that are done by the admin,

configure the filter with "contains string":

1- event IDs that are associated with AD events.

2- administrator.

But filtering out these events is really not a good idea....

Best regards👍👍👍

David.

Re: How to filter out on event

Hi @David1111

Thank you for clarifying. I assume I would fill in some value such as a $ user. How do I use "contains" for that?



Re: How to filter out on event

Hi,

If I understand correctly, you're asking what to do when you want to filter out a variable and not a static string, e.g. users that end with a dollar sign.

For that you will need to enter a regex in the PCRE box in the filter wizard.

Again, I wouldn't recommend filtering out such data... but it's your choice.

Best regards👍👍👍

David.


Re: How to filter out on event

@Pattarachai You are trying to remove computer accounts from correlation rules, aren't you?

I see this as a common problem. I do not believe @David1111's solution will work in this particular case; otherwise it is the correct answer. Source User is an indexed string and does not support regex in the correlation rule editor. The only way I have found to overcome this is to change the Windows parser (if you use WMI or something else, you will not be able to do this until you upgrade to v11.1???) and write the user into a field that supports regex.

Brent

Re: How to filter out on event

Hi Brenta,

Pattarachai was wondering about filtering out at the receiver level,

and that you could accomplish by inserting regex syntax in the PCRE field in the receiver \ filter wizard, which checks the entire packet for the matching regex.

If you want to filter out from correlation rules users that end with a dollar sign, the best solution (and I'm sure Brenta knows it...) is to create a dynamic watchlist in the ESM and, in the correlation rule, configure "not in" - watchlist_x.

Best regards👍👍👍

David.


Re: How to filter out on event

@David1111: Ahhh, thanks, missed that.

You really do need to be careful when adding 'short filters'. By short filters I mean anything that matches on a small number of characters, as it is quite easy for a short sequence to appear in a packet or even be "placed" there by an attacker.

I do believe I have used the following regex before with success for filtering events containing machine names.

Filter Machine Names
(?>(?:\|\|.*?)(?:\$\|\|))
Send Log to ELM
Stop processing filter rules

With that do keep in mind you should always run this against some historical data to ensure you are not erroneously filtering valid data. It also should ONLY be applied to Windows data sources.

Brent
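Brent's regex replayed over some historical-style packets, as an added example written for this page (it is not code from the thread, from McAfee, or from the ESM product). The pipe-delimited `event_id||source_user||host||message` layout of the sample packets is an assumption chosen only so that the pattern's `||` delimiters have something to match; the packets themselves are constructed. The script shows the two points made above: a machine-account packet is dropped, and a packet where an attacker has managed to get the short sequence `$||` into a free-text field is dropped as well, which is exactly why the filter should be audited against real data first and applied only to Windows sources. The atomic group `(?>...)` is PCRE syntax that Python's `re` accepts from 3.11; on older interpreters the script falls back to the equivalent non-atomic form, which matches the same packets because nothing follows the group that could be backtracked into.

```python
import re

# Receiver filter regex quoted in the thread (PCRE, with an atomic group).
PCRE_MACHINE_NAME = r"(?>(?:\|\|.*?)(?:\$\|\|))"
# Equivalent match set without the atomic group (assumption: only used as a
# fallback for Python < 3.11, where re does not understand "(?>").
FALLBACK_MACHINE_NAME = r"\|\|.*?\$\|\|"


def compile_filter(pattern: str = PCRE_MACHINE_NAME) -> re.Pattern:
    """Compile the PCRE; fall back to the plain form on older Python."""
    try:
        return re.compile(pattern)
    except re.error:
        return re.compile(FALLBACK_MACHINE_NAME)


MACHINE_FILTER = compile_filter()

# Constructed sample packets (hypothetical layout assumed for this demo):
#   event_id||source_user||host||message
SAMPLE_PACKETS = [
    "4624||WORKSTATION01$||DC01||An account was successfully logged on",
    "4624||administrator||DC01||An account was successfully logged on",
    "4672||jsmith||FS02||Special privileges assigned to new logon",
    # Attacker-controlled free text containing the short sequence "$||":
    "4688||jsmith||FS02||New process: cmd.exe /c echo pwned$||",
    "4768||WEB03$||DC01||A Kerberos authentication ticket (TGT) was requested",
]


def regex_would_drop(packet: str, rx: re.Pattern = MACHINE_FILTER) -> bool:
    """True if the receiver filter would match (and so drop) this packet.

    The receiver applies the PCRE to the whole packet, not to one field,
    so the search is unanchored and scans every byte of the line.
    """
    return rx.search(packet) is not None


def user_is_machine_account(packet: str) -> bool:
    """The intended semantics: only the source_user field ends with '$'."""
    fields = packet.split("||")
    return len(fields) > 1 and fields[1].endswith("$")


def audit_filter(packets):
    """Replay the filter over historical packets before deploying it.

    Returns (dropped, false_drops): everything the regex would remove, and
    the subset where the user is NOT a machine account, i.e. events the
    filter would silently lose.
    """
    dropped, false_drops = [], []
    for packet in packets:
        by_regex = regex_would_drop(packet)
        intended = user_is_machine_account(packet)
        if by_regex:
            dropped.append(packet)
        if by_regex and not intended:
            false_drops.append(packet)
    return dropped, false_drops


if __name__ == "__main__":
    dropped, false_drops = audit_filter(SAMPLE_PACKETS)
    print(f"{len(dropped)} of {len(SAMPLE_PACKETS)} packets would be dropped")
    for packet in false_drops:
        print("WOULD WRONGLY DROP:", packet)
```

Run it over an export of real Windows events before enabling the filter; any packet listed as a false drop is one the receiver would discard, and the 4688 sample shows how a process command line is enough to trigger it.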