We have a need to look for wildcard matches in a string array within an ESA correlation alert.
I can get the string value to match using the syntax below, but need to get a wildcard match as we need to see matches of domains that match prior to this value.
Syntax for static match of 'maliciousdomain'. Need to get a wildcard to match anything before 'maliciousDomain'.
@Description('')
@RSAAlert(oneInSeconds=0)
SELECT * FROM Event(
medium = 1
AND ('maliciousDomain' = ALL( alias_host )));
Do you mean something like "bad.maliciousdomain.com" or "really.bad.maliciousdomain.com" ?
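One way to express the wildcard the question asks for, as an added example rather than code from the original post or from RSA: in Esper EPL (the language ESA correlation rules are written in), the `= ALL(...)` form only does equality, so the array has to be walked with an enumeration method such as `anyOf` and each element tested with `regexp` (Java regular expression, full match) or `like` (SQL wildcard). It assumes `alias_host` is a string array on the `Event` stream, that the ESA version in use supports enumeration methods, and it uses `maliciousdomain` as a placeholder value.

```epl
// Added example (not from the original post). Assumes ESA's Esper engine supports
// enumeration methods (anyOf) and the regexp/like operators; 'maliciousdomain'
// is a placeholder for the real indicator.
@Description('Alert when any alias_host element ends in the watched domain')
@RSAAlert(oneInSeconds=0)
SELECT * FROM Event(
    medium = 1
    // regexp must match the whole string, so the leading .* absorbs any
    // subdomain prefix ("bad.maliciousdomain.com", "really.bad.maliciousdomain.com");
    // (?i) makes the comparison case-insensitive, which the original equality test was not.
    AND alias_host.anyOf(h => h regexp '(?i).*\.maliciousdomain\.com')
);

// Same idea with SQL-style wildcards; like is case-sensitive, and anchoring on the
// leading dot avoids a false hit on lookalikes such as "notmaliciousdomain.com".
@Description('Alert when any alias_host element ends in the watched domain (like form)')
@RSAAlert(oneInSeconds=0)
SELECT * FROM Event(
    medium = 1
    AND alias_host.anyOf(h => h like '%.maliciousdomain.com')
);
```

Both rules fire when at least one element of `alias_host` matches; swap `anyOf` for `allOf` to require every element to match, which is the closer analogue of the original `= ALL(alias_host)` test. If the ESA build in use rejects the `=>` lambda syntax, that is the assumption above failing, and the fallback is to normalise the indicator into a single-valued meta key upstream and compare with `regexp` directly.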