custom rule PCRE and string replace

Hi,

Can I use McAfee SIEM's normalization rules (PCRE based) not just to match but to replace? For example, I have a log file containing important information, but with a custom rule I want to first match and then replace it (for example, the log files I am normalizing can contain CC (credit card) numbers), or first replace and then match fields using PCRE in the McAfee SIEM custom rule editor?

PS: With this I want to mask certain fields so the SIEM DB won't contain sensitive information, which normally appears if I use match (group) only.

Regards

Accepted Solution

Re: custom rule PCRE and string replace

The way to do this in the product today is with Data Enrichment. You can get to it from the System Properties dialog. When you add a new data enrichment, you get a box with three tabs. The first tab changes the options on the next two, so it is important that you select "string literal" and "string literal". This will work fine for your use case.

(screenshot: regex_main.png)

Next you need to put in the regex. I didn't have one handy for credit cards, but it's not a hard one to come by.

(screenshot: regex_source.png)

This also allows you to test your regex.

Now you need to map the enrichment, on the destination tab.

(screenshot: regex_destination.png)

Here I used Object, but you need to use whatever field you mapped the value into (maybe a custom type?).

You also select the device(s) that will use the enrichment here.

You should check the documentation on Data Enrichment, but basically it allows you to modify the value of one field and replace that value or overwrite the value of another field.

Cheers,

Grant

6 Replies
Re: custom rule PCRE and string replace

Thank you Grant I will try it.

Re: custom rule PCRE and string replace

A CC regex (just hoping it will help someone else):

An easier way is to replace all , and - by an empty string before proceeding.

Thanks to @Michael's comment, here's a regex that matches Visa, MasterCard, American Express, Diners Club, Discover, and JCB cards:

^(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35\d{3})\d{11})$

http://stackoverflow.com/questions/9315647/regex-credit-card-number-tests
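The regex above is anchored with ^ and $, so on its own it only accepts a string that is nothing but the card number; to mask a PAN that sits inside a free-text log message you have to find candidate digit runs first, normalise the separators (as the note above suggests), and only then test each candidate. The script below is an added example, not code from this thread, from McAfee ESM or from its Data Enrichment feature: it reuses the posted regex unchanged, adds a Luhn checksum to cut false positives, and models the Data Enrichment source-field to destination-field step as a plain function. The event layout, field names and log lines are constructed for the example; the card numbers are the well-known public test numbers, not real cards.

```python
"""Mask card numbers (PANs) in log text before they reach the SIEM store.

Added example; not code from the thread, from McAfee ESM or from Data
Enrichment.  Field names, event layout and log lines are constructed.
"""
import re

# The regex exactly as posted in the thread (Visa, MasterCard, Discover,
# American Express, Diners Club, JCB).  Because it is anchored it is applied
# per candidate token below, never to a whole log line.
CARD_RE = re.compile(
    r"^(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|6(?:011|5[0-9][0-9])[0-9]{12}"
    r"|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35\d{3})\d{11})$"
)

# Candidate: 13 to 16 digits, optionally separated by single spaces, commas
# or hyphens, bounded by non-word characters.  A longer digit run (a session
# id, a hash) cannot match because \b never falls inside it.
CANDIDATE_RE = re.compile(r"\b\d(?:[ ,-]?\d){12,15}\b")
SEPARATORS_RE = re.compile(r"[ ,-]")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: every real PAN passes it, most look-alike digit strings
    fail, so it removes false positives the regex alone would mask."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep: int = 4) -> str:
    """Keep only the last `keep` digits; the rest become '*'."""
    return "*" * (len(pan) - keep) + pan[-keep:]


def mask_line(line: str) -> str:
    """Return `line` with every Luhn-valid card number masked in place."""
    def _sub(m):
        pan = SEPARATORS_RE.sub("", m.group(0))   # strip separators first
        if CARD_RE.match(pan) and luhn_ok(pan):
            return mask_pan(pan)
        return m.group(0)                          # not a PAN: leave untouched
    return CANDIDATE_RE.sub(_sub, line)


def enrich_event(event: dict, source_field: str, dest_field: str) -> dict:
    """Model of the Data Enrichment step (hypothetical, not the product API):
    read `source_field`, write the masked value to `dest_field`; pass the
    same name for both to overwrite the field in place."""
    out = dict(event)
    out[dest_field] = mask_line(str(event.get(source_field, "")))
    return out


# Constructed sample log lines (not real events).
SAMPLE_LINES = [
    "2013-02-14 10:01:22 pay ok card=4111111111111111 amount=12.00",
    "2013-02-14 10:01:23 pay ok card=4111 1111 1111 1111 amount=7.50",
    "2013-02-14 10:01:24 pay ok card=378282246310005 amount=99.00",
    "2013-02-14 10:01:25 pay fail card=4111111111111112 reason=luhn",
    "2013-02-14 10:01:26 login session=12345678901234567890 user=bob",
]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(mask_line(line))
```

The fourth sample line matches the regex but fails Luhn and is left alone, and the 20-digit session id on the fifth line is never even a candidate; both are the kinds of value that an unanchored regex applied straight to the whole line would mangle. Masking before the value is written (the overwrite-in-place form of the enrichment) is what keeps the full PAN out of the SIEM database, which was the original goal.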

Re: custom rule PCRE and string replace

(screenshot: data_enrichment_Source_no_regex.png)

Hi,

On the data enrichment wizard, on the Source tab there is no Regular Expression type? I am using 9.1.3 20130214. Am I missing something here? I have looked at the documentation (I already used String Literal for Lookup type):

c. Enter the field type of the key column in the select query in the Lookup Type field.

Note: If you want to use a Perl-compatible regular expression (PCRE) expression as the source for the data enrichment, you need to select String Literal in the Lookup Type field.

Re: custom rule PCRE and string replace

Just in case there is a problem with my computer: I have tried with 2 different computers and 3 different browsers, and the result is the same.

kcole (McAfee Employee)

Re: custom rule PCRE and string replace

This is a 9.2 feature, so you will need to be on a 9.2 version.
