FortiSIEM Discussions
gauravpawar
New Contributor III

Can we add wildcards in Watchlist

Hi All,


I want to create a watchlist with around 100 keyword entries.
Each entry contains wildcards (*).
In the rule condition, I want FortiSIEM to check whether an event attribute matches any of the wildcard (regex) patterns from the entire watchlist.
If a match is found → the rule should trigger an incident.


Could someone guide me on how to achieve this? Does the SIEM support wildcards?


@Secusaurus @Anthony_E could you please help here

5 REPLIES
tylerkelley1980
New Contributor II

I ran into this too—wanted to bulk monitor domains with similar patterns and thought a wildcard would do it. Turns out Fortinet doesn’t support traditional wildcards like *.domain.com in Watchlists directly. Best workaround I found was scripting API-based updates to the list with all variations. Not ideal, but it gets the job done if you automate it right.

gauravpawar

@tylerkelley1980 thanks for sharing, will try this.

Secusaurus

Hi everyone,


Just as a note: At the moment, a workaround is the only option. The database query using watchlists only understands "is it in the list?", which means a 100% match.


You could, however, have a look at the Advanced Queries (from 7.3 onwards), which are coming to the rules more and more as well, and try to build something to improve your lookup. But this also has limitations at the moment.


Best,

Christian

FCX #003451 | Fortinet Advanced Partner
sioannou
Contributor

@gauravpawar, the closest we came to that functionality is the use of dnstwist and the API to update the watchlist.


Regards,
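Both the "script API-based updates with all variations" approach above and the dnstwist-plus-API approach in this reply come down to the same mechanics: because the watchlist lookup is an exact match, every wildcard has to be resolved to concrete values before anything goes into the list. The script below is an added example, not code from Fortinet or from either poster. It translates shell-style wildcard patterns into anchored regexes, filters a finite candidate set through them (hostnames harvested from recent events, dnstwist output, or a feed; here a constructed sample list), reports patterns that matched nothing, and builds the JSON entries for the watchlist REST API. The API path `/phoenix/rest/watchlist/addTo`, the `watchlistId` parameter, the `entryValue`/`description` field names and the `org/user` basic-auth convention are assumptions to be checked against the REST API reference for your FortiSIEM version.

```python
"""Resolve wildcard patterns into exact watchlist entries for FortiSIEM.

Added example (not Fortinet code). FortiSIEM watchlist lookups are exact
matches, so a pattern such as "*.evil-corp.example" only becomes useful
once it is expanded against a finite candidate set. Endpoint, payload
fields and auth format below are ASSUMPTIONS; verify them for your version.
"""
import base64
import fnmatch
import json
import re
import ssl
import urllib.request
from typing import Dict, Iterable, List, Tuple

# Constructed sample data: wildcard patterns the user wants in the list, and
# candidate hostnames as they might be harvested from DNS/proxy events or
# produced by dnstwist. None of these are real domains.
SAMPLE_PATTERNS = [
    "*.evil-corp.example",
    "login-*.bank.example",
    "pay?al.example",             # '?' matches exactly one character
    "*.nothing-seen.example",     # deliberately matches no candidate
]
SAMPLE_CANDIDATES = [
    "cdn.evil-corp.example",                   # matches "*.evil-corp.example"
    "EVIL-CORP.example",                       # no leading label: no match
    "cdn.evil-corp.example.attacker.example",  # anchored regex rejects the suffix
    "login-eu.bank.example",                   # matches "login-*.bank.example"
    "login.bank.example",                      # no hyphen: no match
    "paypal.example",                          # matches "pay?al.example"
    "payal.example",                           # '?' needs one char: no match
]


def compile_wildcards(patterns: Iterable[str]) -> List[Tuple[str, re.Pattern]]:
    """Translate shell-style wildcards into anchored, case-insensitive regexes.

    fnmatch.translate escapes regex metacharacters such as '.', maps '*' to
    '.*' and '?' to '.', and anchors the result with \\Z, so "*.x.example"
    cannot match "a.x.example.attacker.example".
    """
    return [(p, re.compile(fnmatch.translate(p), re.IGNORECASE)) for p in patterns]


def resolve_wildcards(patterns: Iterable[str], candidates: Iterable[str]) -> Dict[str, str]:
    """Map every candidate that matches at least one pattern to the first pattern that hit.

    Values are lower-cased so the list stays consistent; if your event
    attribute preserves case and the lookup is case-sensitive, drop .lower().
    """
    compiled = compile_wildcards(patterns)
    hits: Dict[str, str] = {}
    for raw in candidates:
        value = raw.strip().lower()
        if not value or value in hits:
            continue
        for pattern, rx in compiled:
            if rx.match(value):
                hits[value] = pattern
                break
    return hits


def pattern_hit_counts(patterns: Iterable[str], candidates: Iterable[str]) -> Dict[str, int]:
    """Count matches per pattern; a zero means the candidate set is too small or the pattern is wrong."""
    compiled = compile_wildcards(patterns)
    counts = {p: 0 for p in patterns}
    for raw in candidates:
        value = raw.strip().lower()
        for pattern, rx in compiled:
            if rx.match(value):
                counts[pattern] += 1
    return counts


def build_entries(hits: Dict[str, str]) -> List[dict]:
    """Build the JSON entries for the watchlist API (field names are assumptions)."""
    return [{"entryValue": value, "description": f"expanded from pattern {pattern}"}
            for value, pattern in sorted(hits.items())]


def push_entries(supervisor: str, watchlist_id: str, user: str, password: str,
                 entries: List[dict], ca_bundle: str = None) -> int:
    """POST the entries to the watchlist; path and body shape are assumptions.

    user is expected in the "org/user" form used by the FortiSIEM REST API.
    TLS verification stays on; pass ca_bundle for a private CA instead of
    disabling it.
    """
    url = f"https://{supervisor}/phoenix/rest/watchlist/addTo?watchlistId={watchlist_id}"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        url, data=json.dumps(entries).encode(), method="POST",
        headers={"Authorization": f"Basic {token}", "Content-Type": "application/json"})
    ctx = ssl.create_default_context(cafile=ca_bundle)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.status


if __name__ == "__main__":
    hits = resolve_wildcards(SAMPLE_PATTERNS, SAMPLE_CANDIDATES)
    for value, pattern in sorted(hits.items()):
        print(f"{value:40s} <- {pattern}")
    for pattern, n in pattern_hit_counts(SAMPLE_PATTERNS, SAMPLE_CANDIDATES).items():
        if n == 0:
            print(f"no candidate matched {pattern!r}: widen the candidate set or fix the pattern")
    print(json.dumps(build_entries(hits), indent=2))
    # With real values: push_entries("siem.example", "123", "super/admin", "secret", entries)
```

The important caveat is that a leading `*` matches infinitely many strings, so the list is only ever as complete as the candidate set you feed in; run the script on a schedule against fresh event data (or a fresh dnstwist run) so newly observed variants are added before the rule needs them.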

cdurkin_FTNT
Staff

You could use an Advanced Search (SQL) to do this, as long as your event database is ClickHouse.


If you want to use a rule, make sure the SQL display columns do not contain spaces.