
Event Query wildcards

Created: 29 Aug 2008 • Updated: 22 May 2010 | 3 comments
antilles

Does anyone know if wildcard characters can be used in the Event Query Wizard in SSIM 4.5 and/or SSIM 4.6?
I am trying to create a simple report based on "Top 10 Machines with Virus Infection", but I want to display only hosts that match the following template: DCK*

So far I have not been able to get this to work.
When I create a correlation rule, the "matches" and "doesn't match" operators are available in the event criteria, but those operators aren't allowed in the Query Wizard.
Is it possible to change this?

regards,
Antilles
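Since the Query Wizard offers no wildcard or "matches" operator, one practical way to get the "DCK*" report is to run the unfiltered "Top 10 Machines with Virus Infection" query (or the underlying event query), export it, and apply the wildcard outside SSIM. The script below is an added example, not SSIM functionality or code from this thread: it works on a constructed list of (hostname, detection) pairs standing in for an export, translates the shell-style wildcard into an anchored regex with `fnmatch.translate`, and counts infections per matching host. It also shows the pitfall a practitioner hits when a "matches" operator turns out to take a regular expression rather than a wildcard: the same string `DCK*`, read as a regex, means "DC followed by zero or more K" and therefore also matches `DC01`. Whether SSIM's correlation-rule "matches" operator takes a regex is not stated on this page; the comparison is only there to show the difference.

```python
import fnmatch
import re
from collections import Counter

# Constructed sample standing in for an exported virus-infection event list:
# (hostname, detection). Not real SSIM data; the column layout is an assumption.
SAMPLE_EVENTS = [
    ("DCK-FS01", "W32.Downadup"),
    ("DCK-FS01", "W32.Downadup"),
    ("DCK-WS17", "Trojan.Gen"),
    ("DCKWS22", "W32.Sality"),
    ("DC01", "W32.Downadup"),      # starts with "DC" but not with "DCK"
    ("PRG-WS03", "Trojan.Gen"),
    ("prg-ws03", "Trojan.Gen"),
    ("DCK-WS17", "Trojan.Gen"),
    ("DCK-WS17", "W32.Sality"),
]


def glob_to_regex(pattern):
    """Translate a shell-style wildcard (DCK*, DCK-WS??) into an anchored,
    case-insensitive regex. fnmatch.translate anchors the end; re.match
    anchors the start, so 'DCK*' cannot match 'XDCK-01'."""
    return re.compile(fnmatch.translate(pattern), re.IGNORECASE)


def top_hosts(events, host_glob, n=10):
    """Infection count per host, restricted to hosts matching the wildcard,
    highest first. This is the post-filter the Query Wizard cannot express."""
    rx = glob_to_regex(host_glob)
    counts = Counter(host for host, _ in events if rx.match(host))
    return counts.most_common(n)


def regex_misread(events, pattern):
    """Hosts matched when the wildcard string is interpreted as a raw regex
    instead of a wildcard. Demonstrates why 'DCK*' is the wrong regex."""
    rx = re.compile(pattern, re.IGNORECASE)
    return sorted({host for host, _ in events if rx.match(host)})


if __name__ == "__main__":
    print("wildcard DCK*   :", top_hosts(SAMPLE_EVENTS, "DCK*"))
    print("wildcard DCK-WS??:", top_hosts(SAMPLE_EVENTS, "DCK-WS??"))
    print("regex DCK* (wrong):", regex_misread(SAMPLE_EVENTS, "DCK*"))
    print("regex ^DCK.* (right):", regex_misread(SAMPLE_EVENTS, "^DCK.*"))
```

If the export is a CSV, replace `SAMPLE_EVENTS` with rows read via the `csv` module and pick the hostname column; the filtering and ranking stay the same. When writing the pattern into a regex-based "matches" field, use the translated form (`^DCK.*` or the output of `fnmatch.translate`) rather than the bare wildcard.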

Comments

Clément Herssens

I have the same issue. Have you found a way to bypass the issue yet?

Rgds,
cherssen

Clément Herssens

I just received a possible solution from a Symantec employee:

For every created conclusion, the SSIM generates an event with Event Type ID "Conclusion Created" (Vendor Signature: 153003, Product: Symantec Security Information Manager). Those events include the triggered correlation rule and the conclusion description. You could then use the correlation rules for the matching part and extract the information from the resulting "Conclusion Created" event.

antilles

Yes, it is some kind of workaround, but it is based on the assumption that the query will be executed against events previously matched by at least one correlation rule.

So, honestly, it is not very useful, and I'm still waiting for the possibility to use regexps in event query criteria.

Regards,
Antilles