NetWitness Community

rajbirsingh · ‎2019-08-06

how to remove system names (which ends with $) from destination/source users? is it require regex, need suggestion for regex on the same?

was trying to create a dashboard for failed logon users but found lots of systems names are coming in the source/destination usernames.

also,can you guys confirm that rules which includes regex will show same output on dashboard, as it shows in reports and at the time of testing rule?

Thanks in advance!

DaveGlover · ‎2019-08-06

Rajbir

When creating your rule use -> (not( user.dst ends “$”))

That should give you what you are looking for

Dave

DaveGlover · ‎2019-08-06

Rajbir

When creating your rule use -> (not( user.dst ends “$”))

That should give you what you are looking for

Dave

rajbirsingh · ‎2019-09-05

Dear Dave,

Thanks for the solution, it's working as expected.

May i know how we can remove system names while creating ESA rules. Because of system name my ESA creating lots of flase alarms.

Need help on this, thanks in advance.

I tried using not contains but its not working, i was thinking to use not ends but there is only ends or beginning option are there.

Best Regards,

Rajbir

How to remove system names from destination or source users?