2 Replies Latest reply on Feb 3, 2014 9:31 AM by rth67

    Filter Out Wildcards

    planting_acorns

      I am seeking to create a dashboard which shows failed logons where the Source User is NOT a computer account.

      Screenshot 1 shows the Variable Non-Computer Accounts I have successfully created within Policy Editor to match computer accounts.

      Screenshot 2 shows the new Variable Non-Computer Accounts I created is not an option to select to insert into the Source User field.

      The question is:

      Why is the new Variable Non-Computer Accounts not available?

      Thank you.

        • 1. Re: Filter Out Wildcards
          Scott Taschler

          Unfortunately, variables are not usable as filters, as you have seen. Variables are usable only in rules. Today they are mostly useful in correlation rules, but are also incorporated into IPS rules and elsewhere.

          In your case, you could try a couple of different options:

          1) A dynamic watchlist.  You can set up a dynamic watchlist of users that match your regular expression.  Then use the watchlist + the NOT operator as a filter for your dashboard.

          2) Use a "contains" filter. In 9.3.2 we introduced the ability to filter based on regex, through use of the phrase "contains()". In the Source User filter field, enter "contains(regex)", and select the "!" operator, and you should get similar results.

          Scott
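          Both options above, modelled over constructed failed-logon records in Python (an added example, not the SIEM's own filter engine or code from this thread): option 2 is the regex plus NOT, option 1 is a watchlist plus NOT. The trailing-"$" regex for computer accounts and the field names are assumptions.

```python
import re

# Active Directory computer accounts are named HOST$ (trailing "$").
# Anchoring with "\$$" matches only a trailing "$", so a user such as "a$b"
# stays in scope. This pattern is an assumption for the example.
COMPUTER_ACCOUNT_RE = re.compile(r"\$$")

# Constructed sample events (field names assumed), not real SIEM output.
SAMPLE_EVENTS = [
    {"event": "Logon Failure", "source_user": "WS-1042$", "src_ip": "10.0.0.12"},
    {"event": "Logon Failure", "source_user": "jdoe", "src_ip": "10.0.0.13"},
    {"event": "Logon Failure", "source_user": "svc_backup", "src_ip": "10.0.0.14"},
    {"event": "Logon Failure", "source_user": "DC01$", "src_ip": "10.0.0.1"},
    {"event": "Logon Success", "source_user": "jdoe", "src_ip": "10.0.0.13"},
]


def is_computer_account(user: str) -> bool:
    """Option 2: the 'contains(regex)' test for a computer account name."""
    return bool(COMPUTER_ACCOUNT_RE.search(user))


def build_computer_watchlist(events) -> set:
    """Option 1: a dynamic watchlist populated by the same regex."""
    return {ev["source_user"] for ev in events if is_computer_account(ev["source_user"])}


def non_computer_failed_logons(events, watchlist=None):
    """Failed logons whose Source User is NOT a computer account.

    With a watchlist this is 'watchlist + NOT'; without one it is
    'contains(regex) + the "!" operator'. Both yield the same rows here.
    """
    out = []
    for ev in events:
        if ev["event"] != "Logon Failure":
            continue
        user = ev["source_user"]
        if watchlist is not None:
            excluded = user in watchlist
        else:
            excluded = is_computer_account(user)
        if not excluded:
            out.append(ev)
    return out


if __name__ == "__main__":
    for row in non_computer_failed_logons(SAMPLE_EVENTS):
        print(row["source_user"], row["src_ip"])
```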

          • 2. Re: Filter Out Wildcards
            rth67

            Also available in 9.3.2 is the ability to use a Dynamic Watchlist with a Source of LDAP (to be able to point at your AD Domain, hopefully); this will speed up the time and accuracy of your Regex which looks for Computer Objects as Source Users.

            Currently, if you create a Dynamic Watchlist using Regex for Source User to find anything ending in $, it searches the entire SIEM Database.

            We are still on 9.3.1, but planning to upgrade either later this month or sometime next month.