I want to add a filter to the existing Suspicious - User Login from Multiple Hosts rule such that it ignores activity by service accounts. As these end in a $, I think what I need is this:
Am I barking completely up the wrong tree?
I think that there's an easier answer, which is to borrow the UBA watchlist which does what I want.
Not sure if that will work or not, but I would use a Regex to accomplish this.
Add a dynamic watchlist for users ending with a dollar,
and then in the source user field in the correlation rule configure
"not in" the "users ending with a dollar" watchlist.
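To show what the "not in watchlist" exclusion does to the rule's output, here is an added example (not from this thread or from the ESM product) that runs the multiple-hosts check over a few constructed login events; the event tuples, the `min_hosts` threshold and the function names are all assumptions for illustration.

```python
import re
from collections import defaultdict

# Pattern behind the dynamic watchlist: account names that end in "$".
# Anchored at the end of the string so a "$" inside a name does not match.
SERVICE_ACCOUNT_RE = re.compile(r"\$$")

# Constructed sample login events as (source user, source host); not real data.
SAMPLE_EVENTS = [
    ("alice", "ws01"),
    ("alice", "ws02"),
    ("alice", "ws03"),
    ("WS01$", "dc01"),
    ("WS01$", "dc02"),
    ("WS01$", "dc03"),
    ("bob", "ws01"),
    ("bob", "ws01"),
]


def is_service_account(user):
    """True when the user name matches the watchlist pattern."""
    return SERVICE_ACCOUNT_RE.search(user) is not None


def build_watchlist(events):
    """Dynamic watchlist: every source user seen in the events that matches."""
    return {user for user, _ in events if is_service_account(user)}


def users_from_multiple_hosts(events, watchlist, min_hosts=2):
    """Users that logged in from at least min_hosts distinct hosts,
    skipping any source user that is in the watchlist ("not in" filter)."""
    hosts_by_user = defaultdict(set)
    for user, host in events:
        if user in watchlist:
            continue
        hosts_by_user[user].add(host)
    return sorted(u for u, hosts in hosts_by_user.items() if len(hosts) >= min_hosts)


if __name__ == "__main__":
    wl = build_watchlist(SAMPLE_EVENTS)
    print("watchlist:", sorted(wl))
    # With the filter only "alice" fires; without it "WS01$" would fire too.
    print("alerts:", users_from_multiple_hosts(SAMPLE_EVENTS, wl))
```

Running the check with an empty watchlist shows the noise the filter removes: the computer account WS01$ alerts alongside alice.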