1 Reply Latest reply on Aug 7, 2014 5:13 AM by mp63

    ACE Rules


      I am running 9.3.2. I need to create a correlation rule that looks for a process_name running under a user's context.




      where * is the user's local profile.


      Is there a way to specify a 'Like' condition?

        • 1. Re: ACE Rules

          Maybe use some regex filtering. I haven't tried this in a correlation yet, but it does work when filtering a view.


          In the Process_Name field, filter on...


          In your case, this would be...



          When I filtered on an app name for a view this way, it returned all events with the Process_Name containing that app name, no matter what directory it was in.