
Suppression Rules using Variables not Working

alex.useche

New Life Form
I am getting multiple "logon", "logoff" and "Special Logon" events a second for at least half my assets where the username is the same as the asset name with a "$" character added at the end.
For instance, for a host named MY-AWESOME-HOST there are multiple logon events a second where the username is MY-AWESOME-HOST$. I would prefer not to have to create one suppression rule for every host where this happens, so I thought I'd use the "Assign or Equal" operator to suppress events where the destination_name is LIKE the username. I have tried rules like this:

(packet_type == 'log' AND event_severity == 'INFO' AND (destination_username contains* [var_destination_name] OR source_username contains* [var_destination_name]) AND destination >> [var_destination])

But all that does is suppress ALL INFO Success events. The documentation on the assign or equal operator is VERY limited. 
Where can I find suggestions on how to leverage variables in my rules? 
Is anybody else facing similar issues where multiple logon events a second are sent to USM where the username is the same as the destination?

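The matching the question is after (suppress a logon only when its username is the destination host's own machine account, HOST$), written out as an added Python filter; this is not USM rule syntax or AlienVault code, and the event field names and sample events are assumptions modelled on the post:

```python
# Added example (not from the forum post or AlienVault USM): drop INFO logon/logoff
# events whose username is the destination host's own machine account (HOST$) and
# keep everything else. Field names mirror the question; sample events are constructed.
from typing import Iterable, List, Dict

MACHINE_ACCOUNT_SUFFIX = "$"

def host_short_name(name: str) -> str:
    """Normalise a host name: strip any domain suffix and upper-case it."""
    return name.split(".", 1)[0].strip().upper()

def is_own_machine_account_logon(event: Dict[str, str]) -> bool:
    """True when an INFO log event's source or destination username is the
    destination host's own machine account (hostname followed by "$")."""
    if event.get("packet_type") != "log" or event.get("event_severity") != "INFO":
        return False
    host = event.get("destination_name", "")
    if not host:
        return False
    expected = host_short_name(host) + MACHINE_ACCOUNT_SUFFIX
    for field in ("destination_username", "source_username"):
        user = event.get(field, "")
        # strip a DOMAIN\ prefix so "CORP\MY-HOST$" still matches
        user = user.rsplit("\\", 1)[-1].upper()
        if user == expected:
            return True
    return False

def suppress_machine_account_noise(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return only the events that should still be shown to an analyst."""
    return [e for e in events if not is_own_machine_account_logon(e)]

# Constructed sample events in the shape the question describes.
SAMPLE_EVENTS = [
    {"packet_type": "log", "event_severity": "INFO", "event_name": "Logon",
     "destination_name": "MY-AWESOME-HOST", "destination_username": "MY-AWESOME-HOST$"},
    {"packet_type": "log", "event_severity": "INFO", "event_name": "Special Logon",
     "destination_name": "my-awesome-host.corp.local", "source_username": "CORP\\MY-AWESOME-HOST$"},
    # A different machine account logging on to this host is not self-noise: keep it.
    {"packet_type": "log", "event_severity": "INFO", "event_name": "Logon",
     "destination_name": "MY-AWESOME-HOST", "destination_username": "OTHER-HOST$"},
    # A human logon is always kept.
    {"packet_type": "log", "event_severity": "INFO", "event_name": "Logon",
     "destination_name": "MY-AWESOME-HOST", "destination_username": "alex"},
    # A non-INFO event is never touched by this rule.
    {"packet_type": "log", "event_severity": "WARN", "event_name": "Logon",
     "destination_name": "MY-AWESOME-HOST", "destination_username": "MY-AWESOME-HOST$"},
]
```

Running `suppress_machine_account_noise(SAMPLE_EVENTS)` keeps the OTHER-HOST$, alex and WARN events and drops the two self-logons.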

Best Answer

Hello @alex.useche,

At this time, REGEX with variable is not a viable function. I would be more than happy to file this as a possible Idea_Request.

Regards,

- kratos
