I am getting alarms for kerberos authentications which i don't want.
Can some one help me to filter these users ending with "$" in source user field from correlation rules.
1. configure a dynamic watchlist
2. set the source on ESM String
2.1 ".*\$\s*$" put this without the " in the searchtab
3. set source user as Value Type
4. Make a test with Run Now
Retrieving data ...