Former Member
Message 1 of 6

Correlation rules and regex


Dear community,

We are running version 9.5.2 20160128 in our environment and it seems that it is not possible to create working correlation rules with regex containing negative lookahead.

Has anyone got them to work correctly?

Thank you in advance

Accepted Solutions
Former Member
Message 6 of 6

Re: Correlation rules and regex


Apparently it is not possible to perform negative lookahead rules in correlation rules.

Closing the subject; feel free to request (again) a PER to be able to perform such.

Regards


5 Replies
Former Member
Message 2 of 6

Re: Correlation rules and regex


Can you supply an example of what you are trying to match?

Former Member
Message 3 of 6

Re: Correlation rules and regex


Sure.

We want to create a rule that triggers whenever there are files other than images in the Filename field of email events, for example:

Filename                         Should match?
test.png                         no
test.png.doc                     yes
test.doc                         yes
test                             yes
test.png, test.doc, test.png     yes
test.doc.png                     no
test.png, test.png, test.doc     yes

The only way we thought we could achieve this is by using regex (probably with negative lookahead).

Any ideas are welcome
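
The decision described in the table above, as an added example that is not part of the original thread: a Python script that runs a negative-lookahead pattern over the seven sample values, beside an equivalent pattern written without any lookahead for engines that reject it. The only assumption is that such an engine accepts ordinary character classes, alternation and anchors; the thread does not say which regex dialect the correlation engine uses, and nothing here is McAfee's own rule syntax. The lookahead-free form also shows why lookahead is wanted in the first place: it handles a single image extension, and every additional extension multiplies its alternatives.

```python
import re

# Sample values for the Filename field with the expected result, constructed
# from the table in the post above.
CASES = [
    ("test.png", False),
    ("test.png.doc", True),
    ("test.doc", True),
    ("test", True),
    ("test.png, test.doc, test.png", True),
    ("test.doc.png", False),
    ("test.png, test.png, test.doc", True),
]

# Form 1: negative lookahead. At the start of each comma-separated item,
# assert that the item does NOT end in ".png", then consume the item.
# More image types would be a one-word change: \.(?:png|jpe?g|gif)
LOOKAHEAD = re.compile(
    r"(?:^|,\s*)"                # start of string or start of the next item
    r"(?![^,]*\.png\s*(?:,|$))"  # the item must not end with .png
    r"[^,]+",                    # consume the item itself
    re.IGNORECASE,
)

# Form 2: the same decision without lookahead. An item qualifies if it has no
# dot at all, or if its last extension is anything other than "png": first
# letter not p, or p then not n, or pn then not g, or png followed by more
# characters, or just "p", "pn" or an empty extension.
NO_LOOKAHEAD = re.compile(
    r"(?:^|,\s*)"
    r"(?:"
    r"[^,.\s][^,.]*"          # no extension at all
    r"|[^,]*\.(?:"            # ...or the last extension is not png:
    r"[^p,.][^,.]*"           #   doc, txt, exe, ...
    r"|p[^n,.][^,.]*"         #   pdf, ps, ...
    r"|pn[^g,.][^,.]*"        #   pnx, ...
    r"|png[^,.]+"             #   pngx, png2, ...
    r"|pn?"                   #   p, pn
    r")?"                     #   or empty ("test.")
    r")"
    r"\s*(?:,|$)",            # the item ends here
    re.IGNORECASE,
)


def non_image_present(filename_field: str, use_lookahead: bool = True) -> bool:
    """Return True when at least one listed filename is not a .png image."""
    pattern = LOOKAHEAD if use_lookahead else NO_LOOKAHEAD
    return pattern.search(filename_field) is not None


def check_table() -> list:
    """Run both forms over the table; return the cases where either form disagrees."""
    return [
        (value, expected)
        for value, expected in CASES
        if non_image_present(value, True) != expected
        or non_image_present(value, False) != expected
    ]


if __name__ == "__main__":
    for value, expected in CASES:
        print(f"{value!r:35} lookahead={non_image_present(value, True)!s:5} "
              f"plain={non_image_present(value, False)!s:5} expected={expected}")
    print("mismatches:", check_table())
```

Both forms agree with the table, including test.doc.png (only the last extension counts) and test (no extension at all). The lookahead-free form is what you would be forced to maintain if the engine never gains lookahead support, which is a fair argument to attach to a PER.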

Former Member
Message 4 of 6

Re: Correlation rules and regex


This may be a backwards way of doing it, but you could find the parsing rule(s) that do the matching, disable them, copy the regex and create a new rule. Then tweak the regex to capture the field that is the file extension, create a custom type, assign the field value, then create your correlation rule based on the custom type.

Former Member
Message 5 of 6

Re: Correlation rules and regex


Hi,

I have the same issue.

Sample negative look-up (entered in the filter view in ESM, right pane in ESM): Regex (^(.(?!Station))*$)

This negative lookup will look for an event (specific signature ID) but excludes a filename with the "Station" string in it.

During testing, the regex (negative lookup) works in the ESM filter view, but when you apply it in the custom rule there is a parse error during the roll-out.

I'm hoping anyone has a solution to this, as support will only refer you to professional services.

Thanks in advance.
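
An added example, not from the post above or from the product: Python code that runs the quoted pattern ^(.(?!Station))*$ over a few constructed filename values, next to two standard ways of writing "does not contain Station". It surfaces an edge case worth checking before the pattern goes into a PER: the quoted form only tests the lookahead after consuming a character, so a value that begins with "Station" slips through, while "Station" anywhere later is correctly rejected.

```python
import re

# The pattern quoted in the post above.
POSTED = re.compile(r"^(.(?!Station))*$")
# Two common forms that reject the value wherever "Station" occurs:
# a single lookahead at the anchor, and the "tempered dot" form.
ANCHORED = re.compile(r"^(?!.*Station).*$")
TEMPERED = re.compile(r"^((?!Station).)*$")

# Constructed sample values for the Filename field (not from real events).
SAMPLES = [
    "report.docx",            # contains no "Station": all forms should accept
    "WorkStation-backup.zip",  # "Station" in the middle: all forms should reject
    "Station-report.docx",    # "Station" at offset 0: the posted form accepts it
    "",                       # empty field: all forms accept
]


def compare(value: str) -> dict:
    """Evaluate all three patterns on one value; True means the filter passes it."""
    return {
        "posted": POSTED.search(value) is not None,
        "anchored": ANCHORED.search(value) is not None,
        "tempered": TEMPERED.search(value) is not None,
    }


def find_disagreements() -> list:
    """Return the sample values on which the three patterns do not agree."""
    return [v for v in SAMPLES if len(set(compare(v).values())) > 1]


if __name__ == "__main__":
    for v in SAMPLES:
        print(f"{v!r:28} {compare(v)}")
    print("disagreements:", find_disagreements())
```

The posted form passes "Station-report.docx" because the lookahead is evaluated at position 1 onward, never at position 0; the anchored and tempered forms evaluate it at every position including the first. Whichever form is used, a filter that works in the ESM filter view but fails to parse in a correlation rule should be tested on values like these before assuming the two places share one regex dialect.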
