Solved: McAfee Support Community - Re: Correlation rule match regex or contains

ppineda · ‎11-07-2018

Hi, I'm working with ESM 10.2

I want to do a correlation rule that triggers when the field "Process_Name" has a value of example firefox, chrome or iexplore. but I'm unable to make it work.

Example:

Process_Name: C:\PROGRAM FILES (X86)\GOOGLE\CHROME\APPLICATION\CHROME.EXE

regex(*/chrome/i*) to do case insensitive and the rest of the string

but it says error when rollout.Need Help please

David1111 · ‎11-08-2018

Hi

Sorry but your REGEX is not to effective..

try this:

(?i).*chrome.*

hope it helps

Best regards!

David1111 · ‎11-08-2018

Hi

Sorry but your REGEX is not to effective..

try this:

(?i).*chrome.*

hope it helps

Best regards!

ppineda · ‎11-09-2018

Thanks

I'll give it a try and let you know what happens.

David1111 · ‎11-10-2018

Hi ppineda

intrested if it workes.

please updeate the result

Best regards!

David

ppineda · ‎12-04-2018

Sorry for the wait.

I can confirm that it fired an event.

David1111 · ‎12-05-2018

Thank you very much

Best regsards.

Correlation rule match regex or contains

Correlation

regex

SIEM

Re: Correlation rule match regex or contains

Re: Correlation rule match regex or contains

Re: Correlation rule match regex or contains

Re: Correlation rule match regex or contains

Re: Correlation rule match regex or contains

Re: Correlation rule match regex or contains