alfoc
Level 8
Message 1 of 8

On ESM 9.3.2, using filters with regular expressions


Hi,

I'm using ESM 9.3.2 (20140108) and I'm unsuccessfully trying to use regular expressions in the right-side panel, specifically on the "URL" field, while viewing some HTTP events.

Trying, for example, the following strings:

http://eicar.com

eicar.com

/eicar.com/

/*eicar.com/

/(.*)eicar.com(.*)/

it doesn't work at all and I'm getting an "Invalid regular expression (ER5-0015)" error.

Could someone give an example of the correct regular expression syntax to use?

Thank you all

1 Solution

Accepted Solutions

Re: On ESM 9.3.2, using filters with regular expressions


You can use Dynamic Watchlists to populate your watchlists based on regular expressions without the "contains()" clause.  To do this create a new watchlist:

On the "Main" tab:

  • Type: Dynamic
  • Enable automatic updates if you like.  This will re-run your regular expression-based search to repopulate your watchlist on a schedule you configure

On the "Source" tab:

  • Select "ESM Strings" (this is the current label...might have been different in previous product releases, but should be similar)
  • Enter your regex in the "Search" box.  No need to use the "contains()" syntax...just enter the raw expression.

On the Values tab:

  • Select "Command" as your type, or another field if desired.
  • Click "Run Now" to test.  You should see values populate.  Use this to double-check your regex.  Save the dynamic watchlist when you're happy with it.

Scott

7 Replies

Re: On ESM 9.3.2, using filters with regular expressions


Are you starting your query with the word "contains"?  I don't believe you can drop straight regex in the filter pane for a query.

ex. contains(/(.*)eicar.com(.*)/)

Re: On ESM 9.3.2, using filters with regular expressions


And the release notes for 9.3.2 say this:

To add a regular expression in a search or filter field, type regexp(https.*). You can apply case insensitivity to these regular expressions by typing regexp(/https.*/i).

So the exact syntax is still a bit vague.....contains or regexp....or both??

cheers,

Andrew

Re: On ESM 9.3.2, using filters with regular expressions


The "regexp()" syntax is an error in the release notes.  "contains()" is the proper syntax.

Scott

alfoc
Level 8
Message 5 of 8

Re: On ESM 9.3.2, using filters with regular expressions


Can I use "contains" into a watchlist (i.e. using "commands" filter)?


alfoc
Level 8
Message 7 of 8

Re: On ESM 9.3.2, using filters with regular expressions


I have a doubt. Is it possible that "contains" doesn't work with ALL filter fields?

For example, it seems not to work with the "Source User" field on SIEM 9.3.2.

Thank you

Re: On ESM 9.3.2, using filters with regular expressions


So we are trying to search for all "Domains" that are an IP address, as this can be an indication of something suspicious; the regex is something like "^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$". How do we filter the Domain field for IP addresses?

I haven't been able to get the Regex to work in the search filter.
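An added example, not from this thread or from McAfee: a small Python harness for vetting a pattern offline before pasting it into a contains() filter or a dynamic watchlist, run over constructed sample events with the two patterns discussed above (the eicar.com filter and the dotted-quad "domain is an IP" check). It assumes ESM's regex dialect behaves like a standard Perl-style engine, which is an assumption; the `*eicar.com` case shows one kind of pattern every such engine rejects as invalid.

```python
import re

# Constructed sample records (not from the thread): URL and domain fields
# as they might appear in ESM HTTP/DNS events.
SAMPLE_EVENTS = [
    {"url": "http://eicar.com/download/eicar.com.txt", "domain": "eicar.com"},
    {"url": "http://198.51.100.23/update.bin", "domain": "198.51.100.23"},
    {"url": "https://example.org/login", "domain": "example.org"},
    {"url": "http://10.0.0.5:8080/", "domain": "10.0.0.5"},
]

# Pattern from the last post: a "domain" that is really a dotted-quad IP.
IP_AS_DOMAIN = r"^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$"
# Pattern from the contains() example earlier in the thread, without the
# /.../ delimiters and with the dot escaped so it only matches a literal dot.
EICAR_URL = r"(.*)eicar\.com(.*)"

def compile_or_error(pattern):
    """Return (compiled, None) for a valid pattern or (None, message) for an
    invalid one, e.g. a leading '*' that has nothing to repeat."""
    try:
        return re.compile(pattern), None
    except re.error as exc:
        return None, str(exc)

def field_matches(events, field, pattern):
    """Return the values of `field` that match `pattern`, mimicking a
    contains()-style filter applied to a single event field."""
    rx, err = compile_or_error(pattern)
    if rx is None:
        raise ValueError(f"invalid regular expression: {err}")
    return [e[field] for e in events if rx.search(e[field])]

def is_ip_literal_domain(domain):
    """Stricter check than the regex alone: [0-9]{1,3} also accepts
    999.999.999.999, so verify each octet is in the 0-255 range."""
    if not re.match(IP_AS_DOMAIN, domain):
        return False
    return all(0 <= int(octet) <= 255 for octet in domain.split("."))

if __name__ == "__main__":
    for candidate in ("eicar.com", "*eicar.com", "(.*)eicar.com(.*)"):
        _, err = compile_or_error(candidate)
        print(f"{candidate!r}: {'ok' if err is None else 'INVALID: ' + err}")
    print(field_matches(SAMPLE_EVENTS, "url", EICAR_URL))
    print([e["domain"] for e in SAMPLE_EVENTS if is_ip_literal_domain(e["domain"])])
```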
