Cannot see the option to use "contains" for the command field for any alarm. After going through many posts in this community I understand that this can be done through a regex on an ESM string watchlist. But the problem is that ESM_string will only work in the case of a view/report and not for alarms, since the lowest update frequency we can set is "every 15 minutes".
Is there any other way around this? Let's say I want to create an alarm if the command field contains "erase". As far as I understand, we cannot directly use a regex either. Any input will be appreciated.
Make a new correlation rule with this search string and set the Signature ID from this correlation in the Alarm. But this doesn't work for command because you can't use "contains" for this field. "Contains" works only for fields with the String attribute.
Exactly, that is the problem; Command is the field where I want to put a "contains" condition, since the firewall commands executed are being mapped to this field.
Wondering if there is any easy way to change the parser and put the executed commands into a field which supports the String attribute!?
It should be the "random string" type. Sometimes creating a dynamic watchlist with ESM strings (supports regexp) could help. You can then compare values from logs with that watchlist (in an alarm or correlation). There were a few how-tos on this forum about that issue.