gauravpawar
Explorer III
August 28, 2025
Question

Can we add wildcards in Watchlist


Hi All,


I want to create a watchlist with around 100 keyword entries.
Each entry contains wildcards (*).
In rule condition, I want FortiSIEM to check whether an event attribute matches any of the wildcard (regex) patterns from the entire watchlist.
If a match is found → the rule should trigger an incident.


Could someone guide me on how to achieve this? Does SIEM support wildcards?


@Secusaurus @Anthony_E could you please help here

4 replies

gauravpawar
Explorer III
September 1, 2025

@tylerkelley1980 thanks for sharing, will try this.

Secusaurus
Contributor III
September 1, 2025

Hi everyone,


Just as a note: At the moment, a workaround is the only option. The database query using watchlists only understands "is it in the list?", which means a 100% match.


You could, however, have a look at the Advanced Queries (from 7.3 onwards), which is coming more and more to the rules as well, and try to build something to improve your lookup. But this also has limitations at the moment.


Best,

Christian

NSE8 | Fortinet Advanced MSSP Partner
sioannou
Explorer II
September 1, 2025

@gauravpawar, the closest we came to that functionality is the utilisation of dnstwist and the API to update the watchlist.


Regards,

cdurkin_FTNT
Staff
September 2, 2025

You could use an Advanced Search (SQL) to do this, as long as your event database is ClickHouse.


If you want to use a rule, make sure the SQL display columns do not contain spaces.
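Since the built-in watchlist lookup is an exact "is it in the list?" check, the wildcard semantics the question asks for have to be produced outside the rule engine, for example in a script that evaluates exported events or pre-expands entries before they are loaded. The following is an added example, not FortiSIEM code and not anything posted in this thread: it compiles `*`-style watchlist entries into anchored regexes (escaping the dots in hostnames so they stay literal) and reports which entry an event attribute hit. The entries, the attribute name `hostName` and the events are constructed.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Constructed sample watchlist in the style the question describes:
# '*' is the only wildcard; everything else is matched literally.
WATCHLIST = [
    "*.evil-example.test",        # any subdomain, but NOT the bare domain
    "update-*.bad-example.test",  # wildcard in the middle of the name
    "*payroll*",                  # substring anywhere (case-insensitive below)
    "admin?",                     # '?' is literal here, not a wildcard
]

# Constructed events; a real export would carry many more attributes.
SAMPLE_EVENTS = [
    {"hostName": "mail.evil-example.test", "eventType": "DNS-Query"},
    {"hostName": "intranet.corp.test", "eventType": "DNS-Query"},
    {"hostName": "evil-example.test", "eventType": "DNS-Query"},
    {"fileName": "HR_Payroll_Q3.xlsx", "eventType": "File-Access"},
]


def wildcard_to_regex(entry: str) -> str:
    """Turn a '*'-wildcard entry into a regex body for re.fullmatch.

    Each literal segment is escaped, so '.' and '-' in a hostname cannot
    act as regex metacharacters; '*' becomes '.*'.
    """
    return ".*".join(re.escape(seg) for seg in entry.split("*"))


class WatchlistMatcher:
    """Precompiles every entry once; ~100 entries is cheap to scan per event."""

    def __init__(self, entries: Iterable[str]) -> None:
        self._compiled = [(e, re.compile(wildcard_to_regex(e), re.IGNORECASE))
                          for e in entries]

    def match(self, value: str) -> Optional[str]:
        """Return the first watchlist entry the whole value matches, else None."""
        for entry, rx in self._compiled:
            if rx.fullmatch(value):
                return entry
        return None


def scan_events(matcher: WatchlistMatcher, events: Iterable[dict],
                attribute: str) -> List[Tuple[dict, str]]:
    """Return (event, matched_entry) for each event whose attribute hits the list.

    Events that lack the attribute are skipped instead of raising, since not
    every event type carries every field.
    """
    hits = []
    for ev in events:
        value = ev.get(attribute)
        if value is not None:
            entry = matcher.match(value)
            if entry is not None:
                hits.append((ev, entry))
    return hits
```

Note that `*.evil-example.test` deliberately does not match the bare `evil-example.test`; add a second entry if the apex domain should trigger as well.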