Can you please provide the scenario for use of this watchlist?
You can populate dynamic watchlist with case-insensitive regex. Not sure if this is your intention.
Thank you for quick reply
Here is my scenario.. I do have watchlist for the specific user list and built the correlation rule in reference to that watchlist for any account lockouts..
What i found is .. if the user typed username with different case than whats mentioned in the watchlist.. Rule is not triggering events..
When i do filter search.. we have the option of selecting "Aa" to do case insenstive search.. How can we do this in watchlist ..
Whatchlist is a static watchlist..
Appreciate your help !!
Watchlists would not allow for this functionality at this time. The way I have setup rules where this is a requirement, I have setup my filters in the ESM View to use the names not in the watchlist, where the rest of my filters are set according to the correlation rules, and then use the event drill down > Application > Source user summary and identify all user names triggering that are not on the watchlist, and start selecting the usernames that need to be added to it.
It is a tedious process, but the only solution at this time with the limitation of non-case sensitive watchlist functions.
I'm just curious to know why you are using a watchlist to report on account lockouts. I just created a report in our environment filtering on Sig ID & Normalized ID, that fires every hour, and emails the report to our help desk.
Depending on how your accounts are named you can use a dynamic watchlist and select "source type = ESM Strings" and use the below regex example
But other than that work around, Ryan Is correct
Thank you all for the response .. I have the fixed list of high privileged account that i need to create an alarm for an account lockout or usage of these accounts..what i found is whenever they use the account with different case it didnt trigger the alarm..
i couldn't just sig ID with normalize ID for these accounts.. as i would be restricting only for account lockouts..
Ryan.. could you please provide more details on how did you the use views in correlation rules.. the solution you provided might work for me.. but i am trying to understand how to setup...
Example of my scenarios :
lets say i have account are :
These users are system accounts with admin privilege .. they shouldn't used unless there is some admin activity is performed.. i would like to get alarms whenever these account have been used for any purpose.. I did setup the alarms with the above watchlist..
if they use the account as Peter2..i didn't get alarm as it didnt match to the watchlist... i am trying to setup such a way that any combination of these accounts being used should trigger the alarm..
Thank you so much in advance for your help !!