how can i configure watchlist that contain wildcard or regex ?
lets say i want to create Watchlists that contain urls but i don't want to add all urls , for example if i have
i just want to add *google* or some regex
is it possible ?
That's the catch, it doesn't support look ahead or behind. So you need to make sure the list of values you are trying to match again are either all IP address or characters, it can't look to see if it matches your regex and pull the value out into a watchlist.
i trying to configure as you say , but when i have to choose type of value i don't have all the fields , especially the one i need (destination_hostname)
what can i do ?
Fore this you can use Host. Its the same in watchlist like dest host and source host.
After this you can setup a correlation rule with destination_host and set in this watchlist withe the type of host.
host is no good i trying configure with host , but when i trying to add it to the rule the wachtlist not there...
the field destination_hostname is custom field that i create , could that be the problem ?