Correlation rule match regex or contains

Hi, I'm working with ESM 10.2

I want to do a correlation rule that triggers when the field "Process_Name" has a value of, for example, firefox, chrome or iexplore, but I'm unable to make it work.

Example:

Process_Name: C:\PROGRAM FILES (X86)\GOOGLE\CHROME\APPLICATION\CHROME.EXE

regex(*/chrome/i*)  to do case insensitive and the rest of the string

but it shows an error at rollout.

Need help, please.

Accepted Solutions
Reliable Contributor David1111
Message 2 of 6

Re: Correlation rule match regex or contains

Hi

Sorry, but your REGEX is not too effective.

Try this:

(?i).*chrome.*

Hope it helps.

Best regards!
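
The two patterns from this thread, checked against sample Process_Name values, as an added example that is not part of the original posts. It assumes Python's `re` module as a stand-in for the rule engine's regex dialect and assumes the pattern must cover the whole field value; the `BROWSERS` pattern and all sample paths except the first are constructed here and go beyond what the thread shows.

```python
import re

# Pattern as first attempted in the thread: a leading '*' has nothing to repeat,
# and /.../i is Perl-style delimiter syntax, not part of the expression itself.
ATTEMPTED = r"*/chrome/i*"
# Pattern from the accepted answer: inline (?i) flag, .* on both sides.
ACCEPTED = r"(?i).*chrome.*"
# Generalization (assumption, not from the thread): the three browsers named in
# the question, anchored to the executable name at the end of the path.
BROWSERS = r"(?i).*\\(?:firefox|chrome|iexplore)\.exe"


def compiles(pattern):
    """Return True if the pattern is syntactically valid in Python's re."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def field_matches(pattern, value):
    """Whole-field match: the pattern must cover the entire field value."""
    return re.fullmatch(pattern, value) is not None


# Sample Process_Name values: the first is from the question, the rest are constructed.
SAMPLES = [
    r"C:\PROGRAM FILES (X86)\GOOGLE\CHROME\APPLICATION\CHROME.EXE",
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
    r"C:\Program Files\Internet Explorer\iexplore.exe",
    r"C:\Users\demo\chrome_backup\notes.exe",  # 'chrome' in a folder name only
    r"C:\Windows\System32\svchost.exe",
]


def classify(samples=SAMPLES):
    """Return (accepted_pattern_hit, browsers_pattern_hit) for each sample."""
    return [(field_matches(ACCEPTED, s), field_matches(BROWSERS, s)) for s in samples]


if __name__ == "__main__":
    print("attempted pattern compiles:", compiles(ATTEMPTED))
    for s, (a, b) in zip(SAMPLES, classify()):
        print(f"accepted={a!s:5} browsers={b!s:5} {s}")
```

The fourth sample shows the trade-off: the substring pattern also fires on any path that merely contains "chrome", while the anchored alternation only fires on the executable name.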


Re: Correlation rule match regex or contains

Thanks

I'll give it a try and let you know what happens.

Reliable Contributor David1111
Message 4 of 6

Re: Correlation rule match regex or contains

Hi ppineda

Interested if it works.

Please update the result.

Best regards!

David

Re: Correlation rule match regex or contains

Sorry for the wait.

I can confirm that it fired an event.


Reliable Contributor David1111
Message 6 of 6

Re: Correlation rule match regex or contains

Thank you very much

Best regards.
