Quick filter question
I want to add a filter to the existing Suspicious - User Login from Multiple Hosts rule such that it ignores activity by service accounts. As these end in a $, I think what I need is this:

Filter-rule.PNG

Am I barking completely up the wrong tree?

Regards

James

Accepted Solution

I think that there's an easier answer, which is to borrow the UBA watchlist which does what I want.

3 Replies

jp (Level 9), Message 2 of 4:

Not sure if that will work or not, but I would use a Regex to accomplish this

David1111 (Reliable Contributor), Message 3 of 4:

Add a dynamic watchlist for users ending with a dollar, and then in the source user field in the correlation rule configure "not in" the "users ending with a dollar" watchlist.
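Both suggestions above (a regex on the user name, or a dynamic watchlist the rule excludes with "not in") come down to the same check: does the source user end in a literal `$`? The Python below is an added illustration written for this thread, not code from the original posts or from McAfee ESM, and it assumes each login event is a simple record with `user` and `host` fields (constructed sample data, hypothetical field names). It shows the one caveat a regex approach needs, namely that `$` is an end-of-string anchor and must be escaped, builds the "users ending with a dollar" watchlist from observed events, and then runs a simplified "user login from multiple hosts" count with the watchlist excluded.

```python
import re
from collections import defaultdict

# Constructed sample login events (not from the page). Computer/service accounts
# in Windows event logs carry a trailing '$' on the account name.
EVENTS = [
    {"user": "jsmith",     "host": "WS01"},
    {"user": "jsmith",     "host": "WS02"},
    {"user": "jsmith",     "host": "WS03"},
    {"user": "SRV-APP01$", "host": "WS01"},
    {"user": "SRV-APP01$", "host": "WS02"},
    {"user": "SRV-APP01$", "host": "WS03"},
    {"user": "mjones",     "host": "WS01"},
    {"user": "mjones",     "host": "WS01"},
]

# Correct pattern: '\$' is the literal dollar sign, the trailing '$' anchors it
# to the end of the name.
SERVICE_ACCOUNT_RE = re.compile(r".*\$$")

# Pitfall pattern: an unescaped '$' is just an anchor, so '.*$$' means
# "anything, then end of string" and matches every user name.
NAIVE_RE = re.compile(r".*$$")


def is_service_account(user: str) -> bool:
    """True when the account name ends in a literal '$'."""
    return SERVICE_ACCOUNT_RE.fullmatch(user) is not None


def naive_matches(user: str) -> bool:
    """What the unescaped pattern does: matches everything, filters nothing."""
    return NAIVE_RE.fullmatch(user) is not None


def build_dynamic_watchlist(events) -> set:
    """Equivalent of a dynamic 'users ending with a dollar' watchlist,
    populated from the user names actually seen in the event stream."""
    return {e["user"] for e in events if is_service_account(e["user"])}


def users_on_multiple_hosts(events, watchlist, threshold: int = 2) -> dict:
    """Simplified 'login from multiple hosts' correlation: count distinct hosts
    per user, skipping any user that is 'in' the exclusion watchlist."""
    hosts_by_user = defaultdict(set)
    for e in events:
        if e["user"] in watchlist:          # the "not in watchlist" condition
            continue
        hosts_by_user[e["user"]].add(e["host"])
    return {u: sorted(h) for u, h in hosts_by_user.items() if len(h) >= threshold}


if __name__ == "__main__":
    watchlist = build_dynamic_watchlist(EVENTS)
    print("service accounts:", sorted(watchlist))
    print("flagged:", users_on_multiple_hosts(EVENTS, watchlist))
```

With the sample data only `jsmith` is flagged: `SRV-APP01$` touched three hosts too, but it is on the watchlist and skipped, while `mjones` only ever logged in from one host. If the rule is built from the regex instead of a watchlist, test it against a name without a `$` first, since the unescaped form silently matches every user and would suppress the whole rule.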

