izik
Level 7

Watchlists with wildcard

hi

How can I configure a watchlist that contains a wildcard or regex?

Let's say I want to create watchlists that contain URLs, but I don't want to add all URLs. For example, if I have

clients1.google.com

clients2.google.com

clients3.google.com

I just want to add *google* or some regex.

Is it possible?

0 Kudos
13 Replies
sssyyy
Level 12

Re: Watchlists with wildcard

I don't believe ESM regex supports lookahead or lookbehind...

0 Kudos
xded
Level 12

Re: Watchlists with wildcard

Do you want to use this watchlist in correlation?

If yes, you can use a "contains" match against the watchlist. Just add google. / GOOGLE, etc.

0 Kudos
izik
Level 7

Re: Watchlists with wildcard

hi

Thanks for your reply.

What if I need "not contains"?

0 Kudos
sssyyy
Level 12

Re: Watchlists with wildcard

That's the catch: it doesn't support lookahead or lookbehind. So you need to make sure the list of values you are trying to match against are either all IP addresses or all characters; it can't look to see if a value matches your regex and pull that value out into a watchlist.

0 Kudos
xded
Level 12

Re: Watchlists with wildcard

There is no "Contains not", but you can write a dynamic watchlist with ESM String and regex.

0 Kudos
sssyyy
Level 12

Re: Watchlists with wildcard

Yeah, you can, but the values need to have appeared in ESM before to use ESM String as a regex.

0 Kudos
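The two approaches discussed above (a static watchlist matched with "contains" in a correlation rule, versus a dynamic watchlist populated by a regex over values ESM has already seen) can be illustrated outside the product. The following is an added example and not code from the thread or from McAfee ESM: the hostnames are constructed, and the functions only emulate the matching semantics described by the replies (a "contains" term such as `google.` is a plain case-insensitive substring test, the dynamic watchlist can only be filled from previously observed values, and "not contains" is obtained by taking the complement of that list).

```python
import re

# Constructed sample of destination hostnames the SIEM has already observed.
# A regex-driven dynamic watchlist can only be populated from values like these.
OBSERVED_HOSTNAMES = [
    "clients1.google.com",
    "clients2.google.com",
    "CLIENTS3.GOOGLE.COM",
    "update.example.net",
    "cdn.example.org",
    "googleusercontent.com",      # contains "google" but not "google."
    "mygoogle.example.test",      # constructed look-alike, not a google.com host
]


def contains_match(value, terms):
    """Emulate a correlation-rule 'contains' comparison against static watchlist terms.

    Each term is a case-insensitive substring test; a trailing dot in the term
    (e.g. 'google.') narrows the match compared with a bare 'google'.
    """
    v = value.lower()
    return any(term.lower() in v for term in terms)


def build_dynamic_watchlist(observed, pattern):
    """Populate a watchlist from previously observed values that match a regex.

    Mirrors the 'ESM String as regex' approach: only values that already exist in
    the data can end up on the list. The pattern is applied case-insensitively and
    the result is normalised to lowercase so later lookups are exact.
    """
    rx = re.compile(pattern, re.IGNORECASE)
    return sorted({h.lower() for h in observed if rx.search(h)})


def not_in_watchlist(observed, watchlist):
    """Emulate 'not contains' by taking the complement of the dynamic watchlist.

    This is the workaround for the missing negative match: anything observed that
    the regex did not select is treated as 'not in the google list'.
    """
    listed = set(watchlist)
    return sorted({h.lower() for h in observed} - listed)


if __name__ == "__main__":
    # Hypothetical anchored pattern for hosts under google.com only.
    GOOGLE_HOST_RE = r"^([a-z0-9-]+\.)+google\.com$"
    wl = build_dynamic_watchlist(OBSERVED_HOSTNAMES, GOOGLE_HOST_RE)
    print("dynamic watchlist:", wl)
    print("not in watchlist:", not_in_watchlist(OBSERVED_HOSTNAMES, wl))
    for host in OBSERVED_HOSTNAMES:
        print(f"{host:28} contains 'google.': {contains_match(host, ['google.'])}")
```

The anchored regex is what keeps `googleusercontent.com` and the constructed `mygoogle.example.test` off the list; a bare `google` "contains" term would match both, which is the precision problem a wildcard watchlist runs into.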
izik
Level 7

Re: Watchlists with wildcard

hi

I'm trying to configure it as you say, but when I have to choose the type of value I don't have all the fields, especially the one I need (destination_hostname).

What can I do?

(attachment: des.JPG)

0 Kudos
xded
Level 12

Re: Watchlists with wildcard

For this you can use Host. It's the same in the watchlist as dest host and source host.

After this you can set up a correlation rule with destination_host and set in this watchlist with the type of host.

0 Kudos
izik
Level 7

Re: Watchlists with wildcard

hi

Host is no good. I tried configuring with Host, but when I try to add it to the rule the watchlist isn't there...

The field destination_hostname is a custom field that I created. Could that be the problem?

0 Kudos