7 Replies Latest reply on Feb 16, 2015 4:14 AM by xded

    How can you define the watch list to be case insensitive

    avjana

      How can I define the watch list to be case insensitive for the source user or destination user type?

      Thank you.

      Jana

        • 1. Re: How can you define the watch list to be case insensitive
          aszotek

          Can you please provide the scenario for use of this watchlist?

          You can populate dynamic watchlist with case-insensitive regex. Not sure if this is your intention.

          • 2. Re: How can you define the watch list to be case insensitive
            avjana

            Thank you for the quick reply.

            Here is my scenario: I have a watchlist for a specific user list and built the correlation rule in reference to that watchlist for any account lockouts.

            What I found is that if the user typed the username with a different case than what's in the watchlist, the rule is not triggering events.

            When I do a filter search, we have the option of selecting "Aa" to do a case-insensitive search. How can we do this in a watchlist?

            The watchlist is a static watchlist.

            Appreciate your help!

            • 3. Re: How can you define the watch list to be case insensitive
              ryan.fitzpatrick

              Watchlists would not allow for this functionality at this time. The way I have set up rules where this is a requirement: I have set up my filters in the ESM View to use the names not in the watchlist, with the rest of my filters set according to the correlation rules, and then I use the event drill down > Application > Source user summary to identify all user names triggering that are not on the watchlist, and start selecting the usernames that need to be added to it.

              It is a tedious process, but the only solution at this time with the limitation of non-case-sensitive watchlist functions.

              • 4. Re: How can you define the watch list to be case insensitive
                LT McGary

                I'm just curious to know why you are using a watchlist to report on account lockouts. I just created a report in our environment filtering on Sig ID & Normalized ID, that fires every hour, and emails the report to our help desk.

                • 5. Re: How can you define the watch list to be case insensitive
                  protah

                  Depending on how your accounts are named, you can use a dynamic watchlist, select "source type = ESM Strings" and use the regex example below.

                  Account Name:

                  Aab123

                  aab123

                  AAb123

                  String:

                  /(\w{3}\d)/i

                  RegExr: Learn, Build, & Test RegEx

                  But other than that workaround, Ryan is correct.

                  • 6. Re: How can you define the watch list to be case insensitive
                    avjana

                    Thank you all for the response. I have a fixed list of high-privileged accounts that I need to create an alarm for, for an account lockout or usage of these accounts. What I found is that whenever they use the account with a different case, it didn't trigger the alarm.

                    I couldn't just use Sig ID with Normalized ID for these accounts, as I would be restricting only to account lockouts.

                    Ryan, could you please provide more details on how you used the views in correlation rules? The solution you provided might work for me, but I am trying to understand how to set it up.

                    Example of my scenario:

                    Let's say my accounts are:

                    peter2

                    greg2

                    john3

                    These users are system accounts with admin privilege. They shouldn't be used unless some admin activity is being performed. I would like to get alarms whenever these accounts have been used for any purpose. I did set up the alarms with the above watchlist.

                    If they use the account as Peter2, I didn't get an alarm as it didn't match the watchlist. I am trying to set it up in such a way that any combination of these accounts being used should trigger the alarm.

                    Thank you so much in advance for your help!
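To show what the dynamic-watchlist regex approach from reply 5 does for the account list in reply 6, here is an added Python example (not from the original thread and not ESM code): it builds one anchored, case-insensitive pattern from the fixed account names, the equivalent of a /.../i string, and runs it over a few constructed events next to the exact-match behaviour of a static watchlist. Enumerating the exact names, rather than a shape like \w{3}\d, keeps an unrelated account such as the constructed john3admin from firing.

```python
import re

# Constructed sample list of privileged accounts, using the names from reply 6.
PRIVILEGED_ACCOUNTS = ["peter2", "greg2", "john3"]

def build_watchlist_regex(accounts):
    """One anchored, case-insensitive pattern matching exactly the listed accounts,
    the equivalent of a /.../i string in an ESM Strings dynamic watchlist.
    re.escape keeps characters such as '.' or '$' in account names literal."""
    alternation = "|".join(re.escape(name) for name in accounts)
    return re.compile(rf"^(?:{alternation})$", re.IGNORECASE)

def static_watchlist_hit(user, accounts):
    """Behaviour of the static watchlist in the thread: exact, case-sensitive match."""
    return user in accounts

def regex_watchlist_hit(user, pattern):
    """fullmatch so that a longer name containing a listed one does not fire."""
    return pattern.fullmatch(user) is not None

# Constructed sample events: (source user as typed, signature description).
SAMPLE_EVENTS = [
    ("peter2", "account lockout"),
    ("Peter2", "account lockout"),        # same account, different case
    ("GREG2", "interactive logon"),       # usage, not only lockout
    ("john3admin", "interactive logon"),  # not on the list; must not fire
    ("alice", "account lockout"),
]

def evaluate(events, accounts):
    """Return (users firing the static watchlist, users firing the regex watchlist)."""
    pattern = build_watchlist_regex(accounts)
    static_hits = [user for user, _ in events if static_watchlist_hit(user, accounts)]
    regex_hits = [user for user, _ in events if regex_watchlist_hit(user, pattern)]
    return static_hits, regex_hits

if __name__ == "__main__":
    static_hits, regex_hits = evaluate(SAMPLE_EVENTS, PRIVILEGED_ACCOUNTS)
    print("static watchlist fired on:", static_hits)         # ['peter2']
    print("case-insensitive regex fired on:", regex_hits)    # ['peter2', 'Peter2', 'GREG2']
```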

                    • 7. Re: How can you define the watch list to be case insensitive
                      xded

                      You can set the condition on a field match and then fill this condition with your Active Directory.

                      [attached image: User Activity.png]

                      Or set your own variables, and then set the alarm on all devices.

                      [attached image: Useractivitydevice.png]