7 Replies Latest reply on Feb 23, 2017 6:33 PM by catdaddy

    problem with lower and upper case

    izik

      hi

      I have a dynamic watchlist that pulls data from ActiveDirectory groups

      I created a correlation rule that searches for failed remote logins where the user is in the watchlist that I created before

      this works great except the times that the event contains the username but with the first letter in uppercase

      for example :

      watchlist contains username :

      dani

      event contains username:

      Dani

      for some reason it does not match and the correlation rule is not working ,

      is there any solution for that case ?

      thanks

      izik

        • 1. Re: problem with lower and upper case
          catdaddy

          Would this discussion be better served by moving it to (ePO)?

          • 2. Re: problem with lower and upper case
            izik

            Hi

            Why?

            This issue is with SIEM

            • 3. Re: problem with lower and upper case
              catdaddy

              Thank you for the confirmation . The reason I asked, is I did a search within the forums, and 'Active Directory' was in a thread from (ePO). Disregard please, I was only trying to be helpful.

              • 4. Re: problem with lower and upper case
                gafunk

                I tried to do something similar in our environment, I made a watchlist that would poll our Domain Admin accounts and I wanted to watch them for certain events. I ran into the same problem, and opened a ticket w/ McAfee. Long story short you cannot do it this way/it is not supported. Their answer to my ticket was: Resolution: C: Need to get more specific condition on alarm logic S: Currently, no support for this desired functionality. Customer could submit product idea.


                 And I did submit it as a feature request, but I don't know if it'll ever happen. I was disappointed that a tool like the SIEM would not allow you to create a case-insensitive watchlist. Here are the full details of my ticket w/ them: Service Request# X-XXXXXXXXXX has been closed as PER:

                Severity: 4-Business not affected

                Point Product: SIEM_ELM

                Summary: Alarm Has no Option for Case-Insensitivity

                Description: A: Admin trying to create a specific alarm R: Alarm interface has
                no Option for Case-Insensitivity T: Posted to internal forum I'm trying to
                create an alarm that will alert us when a Domain Admin account has a bad
                password. I can create the scenario I want in the GUI using filters. Basically
                I use a watchlist to poll from the Windows built-in group "Domain
                Admins" and use this for my signature: 43-211005291 However, the watchlist
                is taking the literal characters, including case. For example, if the username
                is listed as User, it will ONLY find "User", not "user" if
                it's lowercase. This is easy enough in the filter list, I can just check the
                "case-insensitive" button and it works good. PROBLEM is that there is
                no "case-insensitive" button when I create the alarm. I tell it
                "if you match my watchlist and 43-211005291 signature, alarm". But I
                can't tell it to ignore case, and as such we are missing the events if they
                occur. I need a way to make this alarm work, and something so basic I am
                surprised we can't do a "case-insensitive" alarm. How can we go about
                creating the alarm? I am available anytime, thanks in advance.

                Resolution: C: Need to get more specific condition on alarm logic S: Currently,
                no support for this desired functionality. Customer could submit product idea.
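The mismatch gafunk and izik describe, reproduced as an added example (not code from the thread or from McAfee): a watchlist of account names is checked against constructed failed-logon events once with an exact comparison, which misses "Dani", and once after normalizing case on both sides. The signature id 43-211005291 is the one quoted in the ticket; the watchlist entries, event records and the second signature id are constructed for the example.

```python
# Added example: case-sensitive vs case-insensitive watchlist matching
# over constructed failed-logon events (not from the thread or McAfee).
FAILED_LOGON_SIG = "43-211005291"   # signature id quoted in the ticket above

# Constructed watchlist, as if pulled from a group such as "Domain Admins"
WATCHLIST = ["dani", "User", "backup-admin"]

# Constructed events: signature id plus the username as the event carries it
EVENTS = [
    {"sig": FAILED_LOGON_SIG, "user": "Dani"},    # different case: missed by exact match
    {"sig": FAILED_LOGON_SIG, "user": "user"},    # different case again
    {"sig": FAILED_LOGON_SIG, "user": "guest"},   # not on the watchlist
    {"sig": "43-000000000",   "user": "dani"},    # constructed non-failed-logon signature
]


def normalize(name):
    # Windows account names are case-insensitive; casefold() also covers
    # non-ASCII letters that lower() would leave distinct.
    return name.strip().casefold()


def matches_exact(events, watchlist, sig=FAILED_LOGON_SIG):
    """Literal comparison: the behaviour the alarm has per the ticket."""
    wl = set(watchlist)
    return [e["user"] for e in events if e["sig"] == sig and e["user"] in wl]


def matches_insensitive(events, watchlist, sig=FAILED_LOGON_SIG):
    """Normalize the watchlist once and each event's username before comparing."""
    wl = {normalize(u) for u in watchlist}
    return [e["user"] for e in events
            if e["sig"] == sig and normalize(e["user"]) in wl]


if __name__ == "__main__":
    print("exact match:      ", matches_exact(EVENTS, WATCHLIST))        # []
    print("case-insensitive: ", matches_insensitive(EVENTS, WATCHLIST))  # ['Dani', 'user']
```

The same normalization has to be applied when the watchlist is populated and when the event field is compared; normalizing only one side still misses events.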


                • 5. Re: problem with lower and upper case
                  catdaddy

                  gafunk,

                  Did you by chance create a Product Idea? Product Ideas (Corporate)

                  • 6. Re: problem with lower and upper case
                    gafunk

                    Not on that site no. The rep I had the ticket open with recommended submitting it here instead: Intel Security Ideas Forum: Latest

                    • 7. Re: problem with lower and upper case
                      catdaddy

                      Even Better! Thanks for sharing.