FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
mshubham
Staff
Article Id 403735
Description This article describes how to write a regex filter in the Event Dropping rule.
Scope FortiSIEM.
Solution

To drop events for specific DNS queries based on the raw log, configure the Event Dropping rule with a regex filter on the raw event as shown below:

  1. Event Type: AO-WUA-DNS-A-Query-Success. DNS logs in Raw event log:

 

(7)outlook(6)office(3)com(0)

 

Regex For Office: \(\d+\)outlook\(\d+\)office\(\d+\)com\(\d+\)

 

  2. Event Type: AccelOps-WUA-DNS. DNS logs in Raw event log:

 

(16)onedscolprdeus11(6)eastus(8)cloudapp(5)azure(3)com(0)

 

Regex for Azure: \(\d+\)cloudapp\(\d+\)azure\(\d+\)com\(\d+\)

 

  3. Event Type: AccelOps-WUA-DNS. DNS logs in Raw event log:

(5)teams(9)microsoft(3)com(0)

 

Regex for Microsoft: \(\d+\)teams\(\d+\)microsoft\(\d+\)com\(\d+\)

 

These regex filters work as expected. To verify, a lookup query was performed and other events were generated from the Windows DNS server.

 

The matching events did not appear in real-time analytics, which aligns with the expectation, since the corresponding Event Dropping rule was enabled.
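The following is an added example (not part of the article and not FortiSIEM code) that applies the three regex filters above to raw DNS logs in the same length-prefixed label form and reports which filter would drop each event. Sample names, the `to_label_form` encoder and the "strict" variant that anchors on the terminating `(0)` root label are constructed here to show that the unanchored patterns also match longer names containing those labels, a point worth checking before enabling a drop rule.

```python
import re

# Regex filters exactly as given in the article's Event Dropping rules.
DROP_FILTERS = {
    "Office":    r"\(\d+\)outlook\(\d+\)office\(\d+\)com\(\d+\)",
    "Azure":     r"\(\d+\)cloudapp\(\d+\)azure\(\d+\)com\(\d+\)",
    "Microsoft": r"\(\d+\)teams\(\d+\)microsoft\(\d+\)com\(\d+\)",
}
COMPILED = {name: re.compile(p) for name, p in DROP_FILTERS.items()}

# Constructed stricter variant (assumption, not from the article): require the
# final label length to be 0, i.e. the name must end in ".com" at the root.
STRICT = {name: re.compile(p.removesuffix(r"\(\d+\)") + r"\(0\)")
          for name, p in DROP_FILTERS.items()}


def to_label_form(hostname: str) -> str:
    """Encode a dotted name the way the raw DNS log writes it:
    each label prefixed by its length in parentheses, ending with (0)."""
    labels = [lbl for lbl in hostname.rstrip(".").split(".") if lbl]
    return "".join(f"({len(lbl)}){lbl}" for lbl in labels) + "(0)"


def matching_filter(raw_log: str, filters=None):
    """Return the name of the first filter that matches the raw log, else None."""
    filters = COMPILED if filters is None else filters
    for name, rx in filters.items():
        if rx.search(raw_log):
            return name
    return None


def strict_matching_filter(raw_log: str):
    """Same check using the (0)-anchored variant of each filter."""
    return matching_filter(raw_log, STRICT)


def drop_decisions(raw_logs):
    """Simulate the rule over a batch: list of (raw_log, filter_or_None)."""
    return [(raw, matching_filter(raw)) for raw in raw_logs]


if __name__ == "__main__":
    # Constructed sample queries, including one unrelated name and one longer
    # name that merely contains the outlook.office.com labels.
    samples = [to_label_form(h) for h in (
        "outlook.office.com", "onedscolprdeus11.eastus.cloudapp.azure.com",
        "teams.microsoft.com", "www.example.com",
        "outlook.office.com.internal.example")]
    for raw, hit in drop_decisions(samples):
        print(f"{'DROP ' + hit if hit else 'keep':16} {raw}")
```

For the last sample the article's pattern matches but the strict variant does not; decide which behaviour the drop rule is meant to have before enabling it.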