SSIM: using wildcards in rule criteria / lookup tables
Created: 10 Oct 2012 | Updated: 17 Oct 2012 | 4 comments
This issue has been solved. See solution.
Hi everyone,
I am trying to create a rule in SSIM 4.7.4 to trigger incidents for abnormalities such as account guessing attempts.
In my network, everyone's account follows a strict format, e.g. "x0000x", where x = char, 0 = numeric digit. I know that databases such as MSSQL allow using wildcards such as "%" and "YY".
Is SSIM capable of doing this also? It would be good, as we could safely ignore login failure attempts with the same username format, but zoom in and target login failures with non-standard usernames.
Many thanks
Wrong forum, this is for ESM.
Try: https://www-secure.symantec.com/connect/security/f...
thanks Ted, I have moved it to the correct forum. Can anyone advise?
Use the matches or doesn't match operators and then specify your regex. I haven't tested it fully, but at least basic regexes appear to work. In your case, try a doesn't match on [a-zA-Z]{1,1}[\d]{4,4}[a-zA-Z]{1,1}
thanks! this is what I'm looking for!
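An added example, not part of the original thread and not SSIM rule syntax: a Python check of the "x0000x" format against constructed failed-login events, showing two things to verify before relying on a "doesn't match" rule. It assumes nothing about whether SSIM's operator matches the whole field or any substring (the thread does not say); if it is substring-based, anchor the pattern with ^ and $. The event list and function names are hypothetical.

```python
import re

# Account format from the thread: one letter, four digits, one letter.
STRICT = re.compile(r"[a-zA-Z][0-9]{4}[a-zA-Z]")
# Same pattern with the range typed as A-z, which also spans [ \ ] ^ _ `
LOOSE_RANGE = re.compile(r"[a-zA-z][0-9]{4}[a-zA-z]")

# Constructed failed-login events (username, source); not real data.
EVENTS = [
    ("a1234b", "10.0.0.5"),
    ("administrator", "10.0.0.9"),
    ("a1234b'--", "10.0.0.9"),
    ("xa1234bx", "10.0.0.9"),
    ("_1234^", "10.0.0.7"),
    ("Z0001q", "10.0.0.5"),
]


def is_standard(user, pattern=STRICT):
    """True only if the entire username has the expected format."""
    return pattern.fullmatch(user) is not None


def is_standard_unanchored(user, pattern=STRICT):
    """Substring semantics: what an unanchored match operator would accept."""
    return pattern.search(user) is not None


def nonstandard_failures(events, check=is_standard):
    """Events a "doesn't match" rule would escalate for review."""
    return [(user, src) for user, src in events if not check(user)]


if __name__ == "__main__":
    print("anchored:  ", nonstandard_failures(EVENTS))
    print("unanchored:", nonstandard_failures(EVENTS, is_standard_unanchored))
    print("A-z range accepts '_1234^':", is_standard("_1234^", LOOSE_RANGE))
```

With whole-field matching, four of the six events are escalated; with substring matching, the two usernames that merely contain a valid account name are silently ignored.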