Can you supply an example of what you are trying to match?
We want to create a rule that triggers whenever there are files other than images in the Filename field for email events, for example:
| Filename | Should match? |
| --- | --- |
| test.png | no |
| test.png.doc | yes |
| test.doc | yes |
| test | yes |
| test.png, test.doc, test.png | yes |
| test.doc.png | no |
| test.png, test.png, test.doc | yes |
The only way we thought we could achieve this is by using regex (probably with negative lookahead).
Any ideas are welcome
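An added example, not part of the original thread and not ESM rule syntax: it checks the table above in Python two ways, once with a negative lookahead and once with a lookahead-free pattern that describes "every file is an image" and alerts when the field does not match it. The image extension list beyond png, the function names, and the availability of a "does not match" operator in a given rule engine are assumptions.

```python
import re

# Assumption: the thread only shows .png; the other extensions are illustrative.
IMAGE_EXT = r"(?:png|jpe?g|gif|bmp)"

# One list entry whose final extension is an image type (no lookaround needed).
ONE_IMAGE = rf"[^,]*\.{IMAGE_EXT}"

# Lookahead-free: the whole field is a comma-separated list of image names.
ALL_IMAGES = re.compile(rf"^\s*{ONE_IMAGE}\s*(?:,\s*{ONE_IMAGE}\s*)*$", re.IGNORECASE)

# Lookahead variant: some entry starts here and is NOT an image name.
HAS_NON_IMAGE = re.compile(
    rf"(?:^|,)\s*(?![^,]*\.{IMAGE_EXT}\s*(?:,|$))", re.IGNORECASE
)


def alert_without_lookahead(filename_field):
    """Alert when the field is non-empty and fails the all-images pattern."""
    if not filename_field.strip():
        return False  # no attachment names recorded: nothing to alert on
    return ALL_IMAGES.match(filename_field) is None


def alert_with_lookahead(filename_field):
    """Same decision, expressed with a negative lookahead."""
    if not filename_field.strip():
        return False
    return HAS_NON_IMAGE.search(filename_field) is not None


# Rows taken from the table in the post above: (Filename, should match).
THREAD_SAMPLES = [
    ("test.png", False),
    ("test.png.doc", True),
    ("test.doc", True),
    ("test", True),
    ("test.png, test.doc, test.png", True),
    ("test.doc.png", False),
    ("test.png, test.png, test.doc", True),
]

if __name__ == "__main__":
    for name, expected in THREAD_SAMPLES:
        got = alert_without_lookahead(name)
        assert got == alert_with_lookahead(name) == expected
        print(f"{name!r:35} alert={got}")
```

Only the final extension of each entry decides the result, which is why test.doc.png passes as an image and test.png.doc does not.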
This may be a backwards way of doing it, but you could find the parsing rule(s) that do the matching, disable them, copy the regex and create a new rule. Then tweak the regex to capture the field that is the file extension, create a custom type, assign the field value, then create your correlation rule based on the custom type.
I have the same issue.
Sample Negative Look-up (inputted in the filter view in ESM - right pane in ESM): Regex (^(.(?!Station))*$)
This negative lookup will look for an event (specific signature ID), but excludes a filename with the "Station" string in it.
During testing, the regex (negative lookup) works in the ESM filter view, but when you apply it in the custom rule, there is a parse error during the rollout.
I'm hoping someone has a solution to this, as support will only refer you to professional services.
Thanks in advance.
Apparently it is not possible to perform negative lookahead rules in correlation rules.
Closing the subject, feel free to request (again) a PER to be able to perform such