3 Replies Latest reply on Jul 8, 2014 12:34 PM by rcavey

    Mcafee ESM wildcard searches

    pickles

      Is it possible to specify wildcards when creating filters in Mcafee ESM (Nitro)? For example, can I create a filter where my matching criteria can be set to "Starts With", "Ends With", "Contains", etc.?

      So if I wanted to view all events from servers that start with DC1 for example, or events from devices where device name contains FF, or events from users who have a username starting with the letter A?

      Any help is appreciated.

        • 1. Re: Mcafee ESM wildcard searches
          rcavey

          Hi,

          I don't see this in any of the 9.3.X docs, but in 9.4.0 you can use regex() or contains() in the filters section.

          So for your server example, in the ESM you would:

          - Switch to all filters versus visible filters

          - Scroll down in the list for "Host"

          - Type in regex(/^DC1.*/) (for case insensitive use regex(/^DC1.*/i); not sure you even need the "^", try with and without)

          - Click the "Run Query" icon

          Results: You should see events from every source where host starts with DC1

          This applies to any filter, and I believe regex/contains applies elsewhere in the ESM interface, so you should read the product guide on both of these features and pick the best tool for the job.

           

          EDIT: I just found in the 9.3.2 release notes under "Searches and filters":

          To add a regular expression in a search or filter field, type contains(https.*). You can apply case insensitivity to these regular expressions by typing contains(/https.*/i).

          Non-Indexed custom types are now displayed in the global Filters pane. You can only use them to filter by regular expressions.

          end EDIT

           

          Cheers,

            -B

           

          Message was edited by: rcavey on 7/7/14 1:20:28 PM CDT
          • 2. Re: Mcafee ESM wildcard searches
            pickles

            Thanks for this, it was a big help and works!!!!

            However, if I try to create a rule where I want to see events from applications that contain the word 'Microsoft' for example, how do I specify the rule conditions with a filter, as the options I have for Application are either IN or NOT IN? How do I stipulate the contains() logic?

            Example

            Application CONTAINS(Microsoft)

            The results I want would be Application = Microsoft Word, Microsoft Excel, Microsoft Powerpoint etc.

            Another rule I may want to write could be for all events from users whose username contains 'HR'. I can get the filter working in the filter panel on the right, but I want the filter integrated within a rule.

            Any ideas?

            • 3. Re: Mcafee ESM wildcard searches
              rcavey

              pickles,

              Glad that worked.

              You could try something like this.

              Application CONTAINS(/Microsoft\s+(Word|Excel|Powerpoint).*/)

              For the other rule for the username 'HR', you might be able to integrate a regex in a watchlist or a correlation rule?? Might need 9.4.0 for this, as they allow more regex versus 9.3.x??

              Another option would be to copy and modify an existing rule and add in what you want, OR create a "Custom Parser", in which case you could ask support for the document titled "How to write a McAfee ESM Custom Parser and troubleshoot a data source.pdf"

              Good luck.
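The filter expressions quoted in the replies above (regex(/^DC1.*/), regex(/^DC1.*/i), contains(https.*), contains(/https.*/i) and CONTAINS(/Microsoft\s+(Word|Excel|Powerpoint).*/)) are run below against a handful of constructed events, as an added example that is not part of this thread and is not McAfee's code. The mapping of ESM's regex()/contains() syntax onto Python's re module is an assumption made for the demonstration (ESM's own matching engine may behave differently); the field names host, application, user and url, and the sample values, are likewise constructed. What it shows that the posts leave open is the difference the leading ^ makes (an unanchored DC1 also matches WEB-DC10 and APP-DC1), what the /i flag changes, and why an unsupported flag letter should be rejected rather than silently ignored.

```python
import re

# Constructed sample events for illustration only; not real ESM data.
SAMPLE_EVENTS = [
    {"host": "DC1-PRIMARY", "application": "Microsoft Word",
     "user": "alice", "url": "https://dc1.example.test/"},
    {"host": "dc1-backup", "application": "Microsoft Excel",
     "user": "HRadmin", "url": "http://dc1.example.test/"},
    {"host": "WEB-DC10", "application": "Microsoft  Powerpoint",
     "user": "bob", "url": "HTTPS://web.example.test/"},
    {"host": "FF-FW01", "application": "Firefox",
     "user": "chris.hr", "url": "https://ff.example.test/"},
    {"host": "APP-DC1", "application": "microsoft teams",
     "user": "dave", "url": "ftp://app.example.test/"},
]

# Outer regex(...) / contains(...) wrapper; the function name is matched
# case-insensitively so both "contains(...)" and "CONTAINS(...)" parse.
_WRAPPER = re.compile(r"^(?P<func>regex|contains)\((?P<body>.*)\)$",
                      re.IGNORECASE | re.DOTALL)
# Optional /pattern/flags form, used in the thread for case-insensitive filters.
_SLASHED = re.compile(r"^/(?P<pat>.*)/(?P<flags>[A-Za-z]*)$", re.DOTALL)


def compile_esm_filter(expr: str) -> "re.Pattern[str]":
    """Translate an ESM-style filter expression into a compiled Python regex.

    Assumed semantics (an assumption for this demo, not verified against ESM):
      regex(/pat/) or contains(pat)     -> pat, case-sensitive, unanchored search
      regex(/pat/i) or contains(/pat/i) -> same, case-insensitive
    Only the 'i' flag is accepted; anything else raises ValueError so a typo
    in a filter fails loudly instead of silently matching nothing.
    """
    m = _WRAPPER.match(expr.strip())
    if m is None:
        raise ValueError(f"not a regex()/contains() filter: {expr!r}")
    body = m.group("body").strip()
    flags = 0
    slashed = _SLASHED.match(body)
    if slashed is not None:
        body = slashed.group("pat")
        for ch in slashed.group("flags"):
            if ch == "i":
                flags |= re.IGNORECASE
            else:
                raise ValueError(f"unsupported flag {ch!r} in {expr!r}")
    return re.compile(body, flags)


def is_valid_filter(expr: str) -> bool:
    """True if the expression parses and its regex compiles, False otherwise."""
    try:
        compile_esm_filter(expr)
        return True
    except (ValueError, re.error):
        return False


def apply_filter(events, field, expr):
    """Return the events whose `field` matches the ESM-style filter.

    re.search is used (not re.match), so a pattern without a leading '^'
    matches anywhere in the value; that is what makes the '^' in
    regex(/^DC1.*/) significant for a "starts with" filter.
    """
    pattern = compile_esm_filter(expr)
    return [ev for ev in events if pattern.search(str(ev.get(field, "")))]


def matching_values(events, field, expr):
    """Convenience wrapper: just the matched field values, in event order."""
    return [ev[field] for ev in apply_filter(events, field, expr)]


if __name__ == "__main__":
    demos = [
        ("host", "regex(/^DC1.*/)"),      # starts with DC1, case-sensitive
        ("host", "regex(/^DC1.*/i)"),     # starts with DC1, case-insensitive
        ("host", "regex(/DC1.*/)"),       # no anchor: also hits WEB-DC10, APP-DC1
        ("host", "contains(FF)"),
        ("user", "regex(/^A/i)"),         # usernames starting with A
        ("user", "contains(/hr/i)"),
        ("url", "contains(https.*)"),
        ("url", "contains(/https.*/i)"),
        ("application", r"CONTAINS(/Microsoft\s+(Word|Excel|Powerpoint).*/)"),
    ]
    for field, expr in demos:
        print(f"{field:<12} {expr:<55} -> {matching_values(SAMPLE_EVENTS, field, expr)}")
```

When a filter is meant as "starts with", keep the ^: dropping it turns the host filter into a "contains" and quietly widens the set of events a rule or report covers, which is exactly the kind of drift worth catching when these filters feed alerting rules.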