Would this discusion be better served by moving it to (ePO)?
This is issue is with SIEM
Thank you for the confirmation . The reason I asked, is I did a search within the forums, and 'Active Directory' was in a thread from (ePO). Disregard please, I was only trying to be helpful.
I tried to do something similar in our environment, I made a watchlist that would poll our Domain Admin accounts and I wanted to watch them for certain events. I ran into the same problem, and opened a ticket w/ McAfee. Long story short you cannot do it this way/it is not supported. Their answer to my ticket was: Resolution: C: Need to get more specific condition on alarm logic S: Currently, no support for this desired functionality. Customer could submit product idea.
And I did submit it as a feature request, but I don't know if it'll ever happen. I was disappointed that a tool like the SIEM would not allow you to create a case-insensitive watchlist. Here is the full details of my ticket w/ them: Service Request# X-XXXXXXXXXX has been closed as PER:
Severity: 4-Business not affected
Point Product: SIEM_ELM
Summary: Alarm Has no Option for Case-Insensitivity
Description: A: Admin trying to create a specific alarm R: Alarm interface has
no Option for Case-Insensitivity T: Posted to internal forum I'm trying to
create an alarm that will alert us when a Domain Admin account has a bad
password. I can create the scenario I want in the GUI using filters. Basically
I use a watchlist to poll from the Windows built-in group "Domain
Admins" and use this for my signature: 43-211005291 However, the watchlist
is taking the literal characters, including case. For example, if the username
is listed as User, it will ONLY find "User", not "user" if
it's lowercase. This is easy enough in the filter list, I can just check the
"case-insensitive" button and it works good. PROBLEM is that there is
no "case-insensitive" button when I create the alarm. I tell it
"if you match my watchlist and 43-211005291 signature, alarm". But I
can't tell it to ignore case, and as such we are missing the events if they
occur. I need a way to make this alarm work, and something so basic I am
surprised we can't do a "case-insensitive" alarm. How can we go about
creating the alarm? I am available anytime, thanks in advance.
Resolution: C: Need to get more specific condition on alarm logic S: Currently,
no support for this desired functionality. Customer could submit product idea.
Even Better! Thanks for sharing.