When leveraging values in dynamic lists, Sentinel currently enforces case sensitivity when using those values in correlation rules. In some cases, this can be misleading if the collector processes the data in a different way than exists in the native log. For example, when AD group memberships are changed and you want to specify the target trust name as a value to compare against a dynamic list, the AD collector sets the target trust name to all lowercase, regardless of how it shows up in Active Directory Users and Computers. This can cause the correlation rule to mismatch if you entered the value in the dynamic list as it shows up in ADUC. For these scenarios, a checkbox to toggle whether values are case sensitive in the dynamic list config screen might be helpful.

Comments

  • Eric, thanks for submitting this idea. We will probably have additional questions for all of you concerning possible implementations. Thanks again.