cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted

Quick filter question

Jump to solution

I want to add a filter to the existing Suspicious - User Login from Multiple Hosts rule such that it ignores activity by service accounts. As these end in a $, I think what I need is this:

Filter-rule.PNG

Am I barking completely up the wrong tree?

Regards

James

Labels (3)
1 Solution

Accepted Solutions

Re: Quick filter question

Jump to solution

I think that there's an easier answer, which is to borrow the UBA watchlist which does what I want.

3 Replies
jp
Level 9
Report Inappropriate Content
Message 2 of 4

Re: Quick filter question

Jump to solution

Not sure if that will work or not, but I would use a Regex to accomplish this

Reliable Contributor David1111
Reliable Contributor
Report Inappropriate Content
Message 3 of 4

Re: Quick filter question

Jump to solution

Add a dynamic watchlist for users ending with a dollar

and then in the source user field in the correlation rule configure

"not in" the "users ending with a dollar"- watchlist

Re: Quick filter question

Jump to solution

I think that there's an easier answer, which is to borrow the UBA watchlist which does what I want.

More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator
  • Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community