izik
Level 7

problem with lower and upper case

hi

I have a dynamic watchlist that pulls data from Active Directory groups.

I created a correlation rule that searches for failed remote logins where the user is in the watchlist I created before.

This works great except when the event contains the username with the first letter in uppercase.

for example :

watchlist contains username:

dani

event contains username:

Dani

For some reason it does not match and the correlation rule is not working.

Is there any solution for that case?

thanks

izik

0 Kudos
7 Replies
catdaddy
Level 20

Re: problem with lower and upper case

Would this discussion be better served by moving it to (ePO)?

Cliff
McAfee Volunteer
0 Kudos
izik
Level 7

Re: problem with lower and upper case

Hi

Why?

This issue is with SIEM.

0 Kudos
catdaddy
Level 20

Re: problem with lower and upper case

Thank you for the confirmation. The reason I asked is that I did a search within the forums, and 'Active Directory' was in a thread from (ePO). Disregard please, I was only trying to be helpful.

Cliff
McAfee Volunteer
0 Kudos
gafunk
Level 7

Re: problem with lower and upper case

I tried to do something similar in our environment. I made a watchlist that would poll our Domain Admin accounts and I wanted to watch them for certain events. I ran into the same problem and opened a ticket with McAfee. Long story short, you cannot do it this way / it is not supported. Their answer to my ticket was: "Resolution: C: Need to get more specific condition on alarm logic S: Currently, no support for this desired functionality. Customer could submit product idea."

And I did submit it as a feature request, but I don't know if it'll ever happen. I was disappointed that a tool like the SIEM would not allow you to create a case-insensitive watchlist. Here are the full details of my ticket with them: Service Request# X-XXXXXXXXXX has been closed as PER:

Severity: 4-Business not affected

Point Product: SIEM_ELM

Summary: Alarm Has no Option for Case-Insensitivity

Description: A: Admin trying to create a specific alarm R: Alarm interface has no Option for Case-Insensitivity T: Posted to internal forum. I'm trying to create an alarm that will alert us when a Domain Admin account has a bad password. I can create the scenario I want in the GUI using filters. Basically I use a watchlist to poll from the Windows built-in group "Domain Admins" and use this for my signature: 43-211005291. However, the watchlist is taking the literal characters, including case. For example, if the username is listed as User, it will ONLY find "User", not "user" if it's lowercase. This is easy enough in the filter list; I can just check the "case-insensitive" button and it works well. The PROBLEM is that there is no "case-insensitive" button when I create the alarm. I tell it "if you match my watchlist and 43-211005291 signature, alarm". But I can't tell it to ignore case, and as such we are missing the events if they occur. I need a way to make this alarm work, and something so basic I am surprised we can't do a "case-insensitive" alarm. How can we go about creating the alarm? I am available anytime, thanks in advance.

Resolution: C: Need to get more specific condition on alarm logic S: Currently, no support for this desired functionality. Customer could submit product idea.


0 Kudos
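Both posts above hit the same wall: the watchlist comparison is a literal, case-sensitive string match, while Windows account names (sAMAccountName, the DOMAIN\user and user@realm logon forms) are case-insensitive, so "Dani" and "dani" are the same principal but different strings. The following is an added example, not code from the original thread or from McAfee ESM, showing the literal match the posters describe beside a normalized match that casefolds both the watchlist and the event username before comparing. The watchlist, the events and the `Event` field names are constructed for illustration; stripping a DOMAIN\ prefix or an @realm suffix goes beyond the case problem in the thread and assumes the watchlist holds bare account names.

```python
"""Case-insensitive watchlist matching for failed-logon events.

Constructed example: the watchlist and event stream below are made up for
illustration. They are not data from the original thread or from ESM.
"""
from dataclasses import dataclass

# Constructed watchlist, as it might be polled from an AD group
# (account names as stored in the directory, mixed case by accident).
WATCHLIST = ["dani", "alice.admin", "Bob"]

# Windows Security event ID for a failed logon.
FAILED_LOGON = 4625


@dataclass(frozen=True)
class Event:
    event_id: int   # Windows Security event ID (hypothetical field name)
    username: str   # account name exactly as it appears in the event
    source_ip: str


# Constructed event stream: the same users, with inconsistent case and
# logon-name formats, plus two events that must not fire.
EVENTS = [
    Event(4625, "dani", "10.0.0.5"),
    Event(4625, "Dani", "10.0.0.6"),                # capitalized: literal match misses it
    Event(4625, "CORP\\ALICE.ADMIN", "10.0.0.7"),   # DOMAIN\user form, upper-cased
    Event(4625, "bob@corp.example", "10.0.0.8"),    # UPN form
    Event(4624, "Dani", "10.0.0.9"),                # successful logon: not a failure
    Event(4625, "eve", "10.0.0.10"),                # not on the watchlist
]


def literal_match(watchlist, events):
    """The behaviour the thread describes: exact, case-sensitive compare."""
    wl = set(watchlist)
    return [e for e in events if e.event_id == FAILED_LOGON and e.username in wl]


def normalize_user(name: str) -> str:
    """Reduce an account name to a comparable key.

    Windows account names are case-insensitive, so casefold them. Dropping a
    DOMAIN\\ prefix or @realm suffix is an added assumption (the watchlist is
    assumed to hold bare account names); remove those two steps if your
    watchlist already carries the domain.
    """
    name = name.strip()
    if "\\" in name:
        name = name.split("\\", 1)[1]
    if "@" in name:
        name = name.split("@", 1)[0]
    return name.casefold()


def normalized_match(watchlist, events):
    """Case-insensitive variant: normalize both sides before comparing."""
    wl = {normalize_user(u) for u in watchlist}
    return [
        e for e in events
        if e.event_id == FAILED_LOGON and normalize_user(e.username) in wl
    ]


if __name__ == "__main__":
    print("literal   :", [e.username for e in literal_match(WATCHLIST, EVENTS)])
    print("normalized:", [e.username for e in normalized_match(WATCHLIST, EVENTS)])
```

Run stand-alone, the literal compare fires only on the one event whose username is byte-for-byte "dani", while the normalized compare fires on all four failed logons for watchlisted accounts and still ignores the successful logon and the non-watchlisted user. The same normalization belongs wherever you control the data: in the script that populates the watchlist, or in a pre-processing step before events reach the correlation engine, so that both sides of the compare are already in one canonical form.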
catdaddy
Level 20

Re: problem with lower and upper case

Did you by chance create a Product Idea? Product Ideas (Corporate)

Cliff
McAfee Volunteer
0 Kudos
gafunk
Level 7

Re: problem with lower and upper case

Not on that site, no. The rep I had the ticket open with recommended submitting it here instead: Intel Security Ideas Forum: Latest

catdaddy
Level 20

Re: problem with lower and upper case

Even better! Thanks for sharing.

Cliff
McAfee Volunteer
0 Kudos