1 Reply Latest reply on Aug 7, 2014 5:13 AM by mp63

    ACE Rules

    pfabrizi

      I am running 9.3.2. I need to create a correlation rule that looks for a process_name running under a user's context.

      c:\users*\AppData\Local\google\Chrome\Application\chrome.exe

      where * is the user's local profile.

      Is there a way to specify a 'Like' condition?

        • 1. Re: ACE Rules
          mp63

          Maybe use some regex filtering. I hadn't tried this in a correlation yet, but it does work when filtering a view.

          In the Process_Name field, filter on:

          contains(/text*/i)

          In your case, this would be:

          contains(/chrome.exe*/i)

          When I filtered on an app name for a view this way, it returned all events with the Process_Name containing that app name, no matter what directory it was in.
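          As an added illustration (not code from either poster or from the ESM product), the following Python script builds a case-insensitive regex from the path in the question, with the `*` standing for exactly one path segment (the profile folder), and checks it against constructed Process_Name values; it assumes a backslash on both sides of the `*` and uses Python's `re` module rather than the ESM `contains(/.../i)` filter.

```python
import re

# Added example, not from the thread: the path the question asks about,
# expressed as a regex and checked against sample Process_Name values.

# The path from the question, with '*' standing for the profile folder
# (assumption: a backslash separates 'users' from the profile name).
TEMPLATE = r"c:\users\*\AppData\Local\google\Chrome\Application\chrome.exe"


def profile_path_regex(template: str) -> re.Pattern:
    """Build a case-insensitive regex from a path template in which '*'
    matches exactly one path segment (the user's profile folder name)."""
    literal_parts = [re.escape(part) for part in template.split("*")]
    # [^\\]+ : one or more characters that are not a backslash
    return re.compile("^" + r"[^\\]+".join(literal_parts) + "$", re.IGNORECASE)


EXPECTED_CHROME = profile_path_regex(TEMPLATE)

# The looser match from the reply, with the '.' escaped so it matches only a dot.
ANY_CHROME_EXE = re.compile(r"chrome\.exe", re.IGNORECASE)


def classify(process_name: str) -> str:
    """'expected' : chrome.exe from the per-user install path in the question
    'elsewhere': the file name matches but the directory does not
    'other'    : not chrome.exe at all"""
    if EXPECTED_CHROME.match(process_name):
        return "expected"
    if ANY_CHROME_EXE.search(process_name):
        return "elsewhere"
    return "other"


# Constructed sample values, not real events.
SAMPLES = [
    r"C:\Users\alice\AppData\Local\Google\Chrome\Application\chrome.exe",
    r"c:\users\bob.smith\AppData\Local\google\Chrome\Application\chrome.exe",
    r"C:\Program Files\Google\Chrome\Application\chrome.exe",
    r"C:\Users\alice\Desktop\chrome.exe",
    r"C:\Windows\System32\svchost.exe",
]


def classify_all(samples=SAMPLES) -> dict:
    return {path: classify(path) for path in samples}


if __name__ == "__main__":
    for path, verdict in classify_all().items():
        print(f"{verdict:9} {path}")
```

          In a regex, `*` quantifies the character before it, so the reply's `chrome.exe*` matches `chrome.ex` followed by any number of `e`s and `.` matches any character; escaping the dot and spelling out the directory, as above, keeps the rule tied to the path in the question.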