Reliable Contributor David1111
Message 1 of 10

REGEX - 2 letters & 2 Digits

Hi Dear McAfee Community.

I'm trying to Create a Watchlist for Source users that have 2 letters and after that 2 digits.

e.g.  fg45  hj23  as12  kl89 etc.

In regex101.com I tested it with ^[A-Za-z]{2}[0-9]{2}$ and it worked fine.

But when I try to paste the syntax into the ESM, it returns no results (and I know there are a lot of users that have 2 letters & 2 digits...).

Why is McAfee creating a different REGEX format?

I need your help!

Thanks & Best Regards👍👍👍

David.

1 Solution

Accepted Solutions
Reliable Contributor David1111
Message 9 of 10

Hi everyone and especially Brenta.

I managed to work it out right now.

The syntax for it is:

(?m)^[a-zA-Z]{2}\d{2}\s*$

First I inserted the multi-line modifier - (?m)

Then ^ & $ for start and beginning.

Before the $ I inserted \s*, which means to include spaces after the letters till the end of string.

Thanks for trying anyway.

Best Regards👍👍👍

David.

9 Replies
Reliable Contributor brenta
Message 2 of 10

Are you trying to create this watchlist with the ESM Strings type?

Brent
Reliable Contributor brenta
Message 3 of 10

After a little digging into how that function works, it seems as if your problem is the start-of-line anchor. This means that under the hood the regex is doing something else, like concatenating many strings together and only doing string extraction on your expression.

I'd suggest giving a boundary a try.

\b[A-Za-z]{2}[0-9]{2}\b

It will also catch other strings that have a word with that syntax in it. If that's a problem it does look like the end of line anchor works ($). So you can try appending that on the end.

Brent
Reliable Contributor David1111
Message 4 of 10

Hi, thanks Brenta for the quick response.

It's a good idea to use the \d - word boundary.

But it also finds strings that have the above syntax in them.

And that's a problem...

Do you know what replaces the ^ function (start of string) in the McAfee ESM?!

Thanks!!!

Best Regards👍👍👍

David.

Reliable Contributor brenta
Message 5 of 10

You could try some look behind and look ahead shenanigans.

(?<!.).{4}(?<=[A-Za-z]{2}[0-9]{2})(?!.+?)

Brent
Reliable Contributor brenta
Message 6 of 10

Oh, I also wanted to mention that ESM Strings, if you are building the list frequently, is terribly slow and will have a performance impact on your SIEM.

This feature scans the entire database for strings that match; the reads from this cause delays for writes the platform is doing, and ultimately the GUI queries are impacted, which makes the platform "seem" slow.

Might be easier to create a correlation rule that looks for usernames of that format that are not contained in your watchlist, then create an alarm on that rule that adds those users. Also, this should find new users that match that format quicker than running ESM Strings (for example) once a day.

Brent
Reliable Contributor David1111
Message 7 of 10

Hi Brenta.

First, thanks for your impressive answers.

But the REGEX you suggested didn't work in my ESM (no results...).

Also, I would like to know how to configure the correlation rule you offered,

because I don't see that it's possible to insert REGEX syntax in the Source User or Destination User.

The only field that's possible is the Source User ID or Destination User ID,

but I see these fields just when creating a new user etc.

Best Regards👍👍👍

David.

Reliable Contributor brenta
Message 8 of 10

You are correct: to run REGEX on fields, they must be contained in a database field that is a "Random String" as opposed to a "String" field. You may need to modify your parser to achieve this.

Brent
Reliable Contributor brenta
Message 10 of 10

Oh, interesting. Wonder why that is required. I'll have to make a note of that and do some digging later.

Glad you found a way to do it.

Brent
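
Added example (not part of the original posts, and not McAfee ESM code): a Python comparison of the three patterns quoted in this thread, showing how anchoring behaves when values are scanned one at a time versus as one buffer. It assumes, following the guess in Message 3, that the engine scans a newline-joined buffer; the sample values are constructed, and Python's re module stands in for the ESM regex engine.

```python
import re

# Patterns quoted in the thread.
PATTERNS = {
    "anchored":  r"^[A-Za-z]{2}[0-9]{2}$",       # original attempt
    "boundary":  r"\b[A-Za-z]{2}[0-9]{2}\b",     # word-boundary suggestion
    "multiline": r"(?m)^[a-zA-Z]{2}\d{2}\s*$",   # accepted solution
}

# Constructed sample user names; two of them carry trailing padding.
VALUES = ["fg45", "hj23  ", "admin", "svc-ab12", "as12", "ab123", "kl89 "]

# Assumption: the engine sees all values joined into one buffer,
# one value per line, instead of testing each value separately.
BUFFER = "\n".join(VALUES)


def scan_buffer(name, text=BUFFER):
    """Run one pattern over the whole buffer; return the trimmed matches."""
    return [m.group(0).strip() for m in re.finditer(PATTERNS[name], text)]


def scan_values(name, values=VALUES):
    """Run one pattern against each value on its own; return values that hit."""
    rx = re.compile(PATTERNS[name])
    return [v for v in values if rx.search(v)]


if __name__ == "__main__":
    for name in PATTERNS:
        print(f"{name:9} buffer={scan_buffer(name)}")
        print(f"{name:9} values={scan_values(name)}")
```

Without (?m), ^ and $ only anchor to the ends of the whole buffer, so the first pattern finds nothing there, and even per value it misses names stored with trailing spaces. The word-boundary form also picks up ab12 inside svc-ab12, which is the over-matching reported in Message 4.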