I don't see this in any of the 9.3.X docs but in 9.4.0 you can use regex() or contains() in the filters section.
So for your server example, in the ESM you would:
- Switch to all filters versus visible filters
- Scroll down in the list for "Host"
- Type in regex(/^DC1.*/) #For case insensitive use regex(/^DC1.*/i) #Not sure you even need the "^", try with and without
- Click the "Run Query" icon
Results: You should see events from every source where host starts with DC1
This applies to any filter, and I believe regex/contains applies elsewhere in the ESM interface, so you should read the product guide on both of these features and pick the best tool for the job.
EDIT: I just found in the 9.3.2 release notes under "Searches and filters":
To add a regular expression in a search or filter field, type contains(https.*).
You can apply case insensitivity to these regular expressions by typing contains(/
Non-Indexed custom types are now displayed in the global Filters pane. You can
only use them to filter by regular expressions.
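A small model of the regex()/contains() filter syntax discussed above, added here as an example that is not from the original thread or from McAfee's own code. It assumes both forms behave as unanchored regex searches (the ESM engine's exact matching semantics are not stated in the thread) and runs them over constructed host names to show what the "^" anchor and the "i" flag change.

```python
import re
from typing import List, Pattern

# Constructed sample values for the ESM "Host" field (not real data).
SAMPLE_HOSTS = ["DC1-PRIMARY", "dc1-backup", "WEBDC1", "FS01", "DC10"]


def parse_filter(expr: str) -> Pattern[str]:
    """Turn an ESM-style filter expression into a compiled regex.

    Two forms are modelled, as described in the thread:
      regex(/pattern/flags)  - only the 'i' (case-insensitive) flag is supported
      contains(pattern)      - the argument is treated as a regex, not a literal
    Assumption: both are unanchored searches, so '^' is what pins the match
    to the start of the field value.
    """
    m = re.fullmatch(r"\s*regex\(/(.*)/([a-z]*)\)\s*", expr, re.DOTALL)
    if m:
        pattern, flags = m.group(1), m.group(2)
        unknown = set(flags) - {"i"}
        if unknown:
            raise ValueError(f"unsupported regex flag(s): {''.join(sorted(unknown))}")
        return re.compile(pattern, re.IGNORECASE if "i" in flags else 0)
    m = re.fullmatch(r"\s*contains\((.*)\)\s*", expr, re.DOTALL)
    if m:
        return re.compile(m.group(1))
    raise ValueError(f"not a regex()/contains() filter: {expr!r}")


def apply_filter(expr: str, values: List[str]) -> List[str]:
    """Return the values the filter expression would keep."""
    pat = parse_filter(expr)
    return [v for v in values if pat.search(v)]


if __name__ == "__main__":
    for expr in ("regex(/^DC1.*/)", "regex(/^DC1.*/i)", "regex(/DC1.*/i)"):
        print(f"{expr:20} -> {apply_filter(expr, SAMPLE_HOSTS)}")
```

Note that "^DC1.*" also keeps "DC10"; if the intent is only hosts named DC1-something, the pattern needs the separator as well (for example "^DC1-").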
Thanks for this, it was a big help and works!!!!
However, if I try to create a rule where I want to see events from applications that contain the word 'Microsoft', for example, how do I specify the rule conditions with a filter, as the options I have for Application are either IN or NOT IN. How do I stipulate the contains() logic?
The results I want would be Application = Microsoft Word, Microsoft Excel, Microsoft PowerPoint etc.......
Another rule I may want to write could be for all events from users whose username contains 'HR'. I can get the filter working in the filter panel on the right, but I want the filter integrated within a rule.
Glad that worked.
You could try something like this.
For the other rule for the username 'HR' you might be able to integrate a regex in a watchlist or a correlation rule?? Might need 9.4.0 for this as they allow more regex versus 9.3.x??
Another option would be to copy and modify an existing rule and add in what you want, OR create a "Custom Parser", for which you could ask support for the document titled "How to write a McAfee ESM Custom Parser and troubleshoot a data source.pdf"