Quick filter question

I want to add a filter to the existing Suspicious - User Login from Multiple Hosts rule such that it ignores activity by service accounts. As these end in a $, I think what I need is this:

Filter-rule.PNG

Am I barking completely up the wrong tree?

Regards

James

Accepted Solutions

Re: Quick filter question

I think that there's an easier answer, which is to borrow the UBA watchlist which does what I want.

3 Replies
jp

Re: Quick filter question

Not sure if that will work or not, but I would use a Regex to accomplish this

David1111

Re: Quick filter question

Add a dynamic watchlist for users ending with a dollar, and then in the source user field in the correlation rule configure "not in" the "users ending with a dollar" watchlist.
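The filter the replies describe (drop source users ending in a dollar before counting hosts per user), sketched as an added Python example that is not from the thread and is not McAfee ESM rule syntax. The event tuples are constructed, and the function names and the threshold of 3 distinct hosts are assumptions.

```python
import re
from collections import defaultdict

# Matches names whose last character is a literal "$".
# The dollar must be escaped: an unescaped "$" is the end-of-string anchor
# and matches every user name, which would filter out all activity.
ENDS_WITH_DOLLAR = re.compile(r"\$\Z")


def is_excluded(user):
    """True when the source user name ends in "$" (ignoring stray whitespace)."""
    return bool(ENDS_WITH_DOLLAR.search(user.strip()))


def multi_host_logins(events, threshold=3):
    """Return {user: sorted hosts} for users seen on at least `threshold`
    distinct hosts, skipping excluded names. `threshold` is a hypothetical
    value, not the one the real rule uses."""
    hosts = defaultdict(set)
    for user, host in events:
        if is_excluded(user):
            continue  # the "not in watchlist" step
        # Normalise case so "JSmith" and "jsmith" count as one account.
        hosts[user.strip().lower()].add(host.lower())
    return {u: sorted(h) for u, h in hosts.items() if len(h) >= threshold}


# Constructed sample events: (source user, host logged in to)
SAMPLE_EVENTS = [
    ("jsmith", "WS-01"), ("JSmith", "WS-02"), ("jsmith", "WS-03"),
    ("FILESRV01$", "DC-01"), ("FILESRV01$", "DC-02"), ("FILESRV01$", "APP-01"),
    ("adoe", "WS-07"), ("adoe", "WS-07"), ("adoe", "WS-08"),
]

if __name__ == "__main__":
    for user, seen in multi_host_logins(SAMPLE_EVENTS).items():
        print(f"{user}: {', '.join(seen)}")
```
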
