I need to create a new correlation rule filtered only on source users beginning with "XX" (case insensitive).
Do you know if you can use a regular expression (regex) in a correlation rule to filter on source user?
If yes, how can I set it up?
If no, are there other solutions?
I tried this morning by creating a correlation rule with Source User in regex(^[Aa]dmin.*$) and it did not fire.
I don't think it's supported because of the load it might put on the correlation engine.
Maybe you can achieve the same thing by creating a dynamic watchlist that queries the user database, then use that watchlist in your correlation rule.
As mentioned above, you have to create a dynamic watchlist with type ESM string.
Insert the regex into the search and set the values type to source user.
After this you can call this watchlist in the CRL.
You cannot use regex syntax in a Source User field.
In a correlation rule you can only do that for Random String fields (Source User is a String).
You can achieve something similar using a dynamic watchlist (as Mike said), or, if you want to monitor some specific events/devices, you can modify a parser, assign the user to a random string field and then use that in the correlation.
If you have any questions, let me know.
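To make the watchlist approach from the replies above concrete, here is an added Python simulation (not code from the thread or from the ESM product). It models a dynamic watchlist as a one-time regex pass over a user directory that produces a set of exact strings, and the correlation rule as a plain membership check against that set, so no regex is evaluated per event. The user directory and events are constructed sample data, and the assumption that the rule compares Source User as an exact, case-sensitive string is mine; check the product's own matching behaviour before relying on it. It also shows why the pattern from the original post, ^[Aa]dmin.*$, is not case insensitive: it only covers two spellings of the prefix.

```python
import re

# Constructed sample data for this example (not from the thread or the product).
# Stand-in for the user database a dynamic watchlist would query.
USER_DIRECTORY = ["xxsmith", "XXjones", "Xxadmin", "admin01", "ADMIN02", "Admin03", "jdoe"]

# Constructed sample events as a correlation engine would see them.
EVENTS = [
    {"id": 1, "source_user": "xxsmith", "msg": "logon"},
    {"id": 2, "source_user": "jdoe", "msg": "logon"},
    {"id": 3, "source_user": "XXjones", "msg": "file read"},
    {"id": 4, "source_user": "ADMIN02", "msg": "config change"},
    {"id": 5, "source_user": "admin01", "msg": "logon"},
]


def users_matching(users, pattern, ignore_case=True):
    """Return the sorted list of user names the regex matches.

    This is the work a dynamic watchlist does once against the user database,
    instead of the correlation engine evaluating a regex on every event.
    """
    flags = re.IGNORECASE if ignore_case else 0
    rx = re.compile(pattern, flags)
    return sorted(u for u in users if rx.match(u))


def build_watchlist(users, pattern, ignore_case=True):
    """Materialise the watchlist as a set of exact strings for fast lookup."""
    return set(users_matching(users, pattern, ignore_case))


def correlate(events, watchlist):
    """Stand-in for a correlation rule whose condition is 'Source User in watchlist'.

    Assumption (not verified against the product): the rule does an exact,
    case-sensitive string comparison, which is why every case variant of the
    user name must already be present in the watchlist.
    """
    return [e["id"] for e in events if e["source_user"] in watchlist]


if __name__ == "__main__":
    # The original question: source users beginning with "XX", case insensitive.
    wl = build_watchlist(USER_DIRECTORY, r"^xx")
    print("watchlist:", sorted(wl))
    print("events fired:", correlate(EVENTS, wl))
    # The pattern tried in the original post covers only "admin" and "Admin";
    # with case folding the same prefix also catches "ADMIN02".
    print("^[Aa]dmin.*$ case-sensitive:", users_matching(USER_DIRECTORY, r"^[Aa]dmin.*$", ignore_case=False))
    print("^admin with case folding:", users_matching(USER_DIRECTORY, r"^admin"))
```

The watchlist has to be refreshed whenever the user database changes, which is what the dynamic watchlist does for you in the product; in this simulation you simply call build_watchlist again.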