Is there a way to use regex in the Source User field in a correlation rule (SIEM 11.3)?
Let's say I need the correlation to trigger every time a user name includes "admin".
Not case sensitive, and in any form, like: admin, user_admin, domainadmin, etc.
Is there a way to do it, or some workaround?
Thank you in advance.
Currently there is not a way to do this; you could submit an idea to see this in the future. However, as a workaround you could create a Watchlist with all variations of the Source User name you are looking to collect.
Unfortunately, it's a dynamic list: new users can be added frequently.
The only rule is to include some specific part in the username.
In the correlation rule GUI you can't use REGEX for Source User.
But you could do a workaround.
Open up a Dynamic Watchlist > search on - ESM String >
REGEX = (?i).*(Admin|User\_Admin|DomainAdmin).*
Value = Source User
After configuring the watchlist, go to the Correlation Rule GUI
and configure the Source User field to point to the above Watchlist.
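Before loading a pattern like the one above into a watchlist, it is worth checking offline which Source User values it will and will not match. The following is an added example, not code from the original thread or from McAfee ESM: it uses Python's re module as a stand-in for the ESM string matcher (whose exact regex flavor and anchoring behavior are not stated on the page, so both whole-value and substring matching are shown), runs the posted pattern and a shorter equivalent over a constructed list of usernames, and flags names that match unexpectedly. All usernames are made up for illustration.

```python
import re

# The regex posted in the answer above, copied as-is. Python treats "\_" as
# a literal underscore, as most engines do.
POSTED_PATTERN = r"(?i).*(Admin|User\_Admin|DomainAdmin).*"

# Shorter pattern assumed here for comparison: because "Admin" is already one
# of the alternatives, every name the posted pattern accepts contains "admin"
# case-insensitively, so the other two alternatives add nothing.
SIMPLE_PATTERN = r"(?i)admin"

# Constructed sample of Source User values (not from any real log).
SAMPLE_USERS = [
    "admin", "user_admin", "domainadmin", "ADMIN", "DomainAdmin",
    "jdoe", "svc_backup", "badminton", "Administrator", "root",
]


def matching_users(pattern, users, whole_value=True):
    """Return the users matched by pattern, preserving input order.

    whole_value=True mimics a matcher that requires the pattern to cover the
    entire Source User value (hence the .* wrappers in the posted regex);
    whole_value=False mimics a plain substring search.
    """
    rx = re.compile(pattern)
    if whole_value:
        return [u for u in users if rx.fullmatch(u)]
    return [u for u in users if rx.search(u)]


def check_pattern(pattern, must_match, must_not_match, whole_value=True):
    """Regression check for a watchlist regex.

    Returns (missed, unexpected): names in must_match that the pattern
    failed to match, and names in must_not_match that it matched anyway.
    An empty pair means the pattern behaves as intended on this sample.
    """
    hits = set(matching_users(pattern, list(must_match) + list(must_not_match),
                              whole_value=whole_value))
    missed = [u for u in must_match if u not in hits]
    unexpected = [u for u in must_not_match if u in hits]
    return missed, unexpected


if __name__ == "__main__":
    print("posted, whole value :", matching_users(POSTED_PATTERN, SAMPLE_USERS))
    print("simple, whole value :", matching_users(SIMPLE_PATTERN, SAMPLE_USERS))
    print("simple, substring   :", matching_users(SIMPLE_PATTERN, SAMPLE_USERS,
                                                  whole_value=False))
    # Names that contain "admin" only by accident are the false-positive risk
    # of a pure substring rule; check_pattern surfaces them before deployment.
    print("missed/unexpected   :", check_pattern(
        POSTED_PATTERN,
        must_match=["admin", "user_admin", "domainadmin"],
        must_not_match=["jdoe", "badminton"]))
```

Two things the run shows. First, the `.*` wrappers only matter if the matcher insists on covering the whole value: with whole-value matching the bare `(?i)admin` accepts only "admin" and "ADMIN", while as a substring search it accepts exactly the same names as the posted pattern. Second, any substring rule for "admin" also fires on names such as "badminton" or "Administrator", so the resulting watchlist should be reviewed for unintended hits rather than trusted blindly.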