
custom rule PCRE and string replace


Hi,

Can I use McAfee SIEM's normalization rules (PCRE based) not only to match but also to replace? For example, I have a log file containing important information, but with a custom rule I want to first match and then replace it (for example, the log files I am normalizing can contain CC -Credit Card-), or first replace and then match fields using PCRE in the McAfee SIEM custom rule editor?

PS: With this I want to mask certain fields so the SIEM DB won't contain sensitive information, which normally appears if I use match (group) only.

Regards


Accepted Solutions

Re: custom rule PCRE and string replace


The way to do this in the product today is with Data Enrichment.  You can get to it from the System Properties dialog.  When you add a new data enrichment, you get a box with three tabs.  The first tab changes the options on the next two, so it is important that you select "string literal" and "string literal".  This will work fine for your use case.

regex_main.png

Next you need to put in the regex.  I didn't have one handy for credit cards but not a hard one to come by.

regex_source.png

This also allows you to test your regex.

Now you need to map the enrichment, on the destination tab.

regex_destination.png

Here I used Object, but you need to use whatever field you mapped the value into (maybe a custom type?).

You also select the device(s) that will use the enrichment here.

You should check the documentation on Data Enrichment, but basically it allows you to modify the value of one field and replace that value or overwrite the value of another field.

Cheers,

Grant

6 Replies


Re: custom rule PCRE and string replace


Thank you Grant I will try it.

Re: custom rule PCRE and string replace


A CC regex is (just hoping it will help someone else):

An easier way is to replace all , and - by an empty string before proceeding.

Thanks to @Michael's comment, here's a regex that matches Visa, MasterCard, American Express, Diners Club, Discover, and JCB cards:

^(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35\d{3})\d{11})$

http://stackoverflow.com/questions/9315647/regex-credit-card-number-tests
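As an added illustration (not code from this thread or from McAfee SIEM), here is the match-then-mask behaviour the OP asked for, run in Python over constructed log lines: the regex quoted above is applied after stripping dashes, as the reply suggests, and a Luhn checksum (my addition, not in the thread) filters out digit strings that fit the pattern but are not card numbers. The dash-only separator rule and the "keep last 4 digits" mask are assumptions of this example.

```python
import re

# Card pattern quoted in the reply above (Visa, MasterCard, AmEx, Diners Club,
# Discover, JCB). The ^...$ anchors are dropped so it can be applied with
# fullmatch() to a candidate pulled out of a larger log line.
CC_PATTERN = re.compile(
    r"(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|6(?:011|5[0-9][0-9])[0-9]{12}"
    r"|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35\d{3})\d{11})"
)

# Candidate: 13-19 digits, optionally dash-separated. Assumption: only "-" is
# treated as an in-number separator, since a comma is usually a field delimiter.
CANDIDATE = re.compile(r"\b\d(?:-?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; an extra false-positive filter added here, not from the thread."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_card_numbers(line: str) -> str:
    """Return the line with each card number replaced by '*' plus its last 4 digits."""
    def repl(m: re.Match) -> str:
        raw = m.group(0)
        digits = raw.replace("-", "")   # strip separators before matching
        if CC_PATTERN.fullmatch(digits) and luhn_ok(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return raw                      # session ids, timestamps etc. stay as they are
    return CANDIDATE.sub(repl, line)


# Constructed sample log lines (not real data): two cards, two look-alikes.
SAMPLE_LOG = [
    "2024-01-01T10:00:00 pay user=alice card=4111111111111111 amount=12.50",
    "2024-01-01T10:00:01 pay user=bob card=3782-822463-10005 amount=99.00",
    "2024-01-01T10:00:02 login user=carol session=1234567812345678",
    "2024-01-01T10:00:03 pay user=dave card=4111111111111112 amount=1.00",
]


def mask_log(lines):
    return [mask_card_numbers(line) for line in lines]


if __name__ == "__main__":
    for out in mask_log(SAMPLE_LOG):
        print(out)
```

The third line is a 16-digit value that does not fit the card pattern and the fourth fits the pattern but fails the checksum, so both are passed through unchanged.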

Re: custom rule PCRE and string replace


data_enrichment_Source_no_regex.png

Hi,

In the data enrichment wizard, on the Source tab, there is no Regular Expression type? I am using 9.1.3 20130214. Am I missing something here? I have looked at the documentation (I already used String Literal for Lookup Type):

c. Enter the field type of the key column in the select query in the Lookup Type field.

If you want to use a Perl-compatible regular expression (PCRE) expression as the source for the data enrichment, you need to select String Literal in the Lookup Type field.

Untitled.png



Re: custom rule PCRE and string replace


Just in case there is a problem with my computer: I have tried with 2 different computers and 3 different browsers, and the result is the same.

McAfee Employee

Re: custom rule PCRE and string replace


This is a 9.2 feature so you will need to be on a 9.2 version.