CSN3: Using Regular Expressions in Rules

Document created by jmerrill on Sep 28, 2009. Last modified by jmerrill on Jul 8, 2014.
Speaker: Pete Babcock, Lead Security Analyst, Fortune 200 Financial Company
In the ArcSight ESM manual, there is a section that describes “Matches” that has a very intriguing definition: “For extended regular expression pattern-matching for string types using Perl 5 syntax. Supports regular expressions (regex). Note that Matches is used in rules only.” I was curious and developed the perfect use case to learn more: detecting when users accidentally expose their passwords in log files. This session will share what I have learned using RegEx in ESM rules and how to automate the detection of those exposures. Attendees should be familiar with at least basic rules writing to receive the full value of the session.
Level: Intermediate
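The detection the session abstract describes, sketched as an added example that is not part of the session materials or of ArcSight ESM: three regex rules run over constructed log lines to flag credentials that ended up in a log (a password in a URL query string, a password typed into the username field of an SSH login, a database password passed on a command line). Python's `re` module stands in here for the Perl 5 syntax that the ESM "Matches" operator accepts; the patterns are portable, but the rule names, the log lines and the helper functions are this example's own, and the masked-value check and the "looks like a password" heuristic go beyond the abstract to show how a rule avoids firing on already-redacted values or on every mistyped username.

```python
import re

# Constructed sample log lines (not from the page). Lines 1-3 contain an
# exposed credential; lines 4-5 are benign and must not fire.
SAMPLE_LOG = """\
2014-07-08 10:01:12 proxy GET https://intranet.example/login?user=alice&password=Summ3r2014 200
2014-07-08 10:02:45 sshd Failed password for invalid user Summ3r2014! from 10.0.0.7 port 52211
2014-07-08 10:03:01 audit cmd="mysql -u report -pR3p0rt! -h db1" uid=1001
2014-07-08 10:04:17 proxy GET https://intranet.example/login?user=bob&password=******** 200
2014-07-08 10:05:30 app INFO password policy updated by admin
"""

# (rule name, pattern, apply the looks-like-a-password heuristic?)
# Each pattern captures the suspected secret in a named group 'secret'.
# Rule names are hypothetical; the regex syntax is the Perl 5 subset that
# Python's re module shares with ESM's Matches operator.
RULES = [
    # key=value or key: value in URLs, JSON and key/value style logs
    ("kv_password",
     re.compile(r"(?i)\b(?:pass(?:word|wd)?|pwd)\s*[=:]\s*(?P<secret>[^\s&\"']+)"),
     False),
    # mysql-style -p<secret> on a command line (not --password, not -h)
    ("cli_dash_p",
     re.compile(r"(?<![\w-])-p(?P<secret>\S+)"),
     False),
    # sshd "invalid user <x>": a password typed into the username field.
    # Fires on every typo without the heuristic, so the heuristic is required.
    ("sshd_invalid_user",
     re.compile(r"invalid user (?P<secret>\S+) from"),
     True),
]


def looks_like_password(value):
    """Heuristic: 8+ characters drawn from at least two character classes."""
    classes = sum([
        any(c.isupper() for c in value),
        any(c.islower() for c in value),
        any(c.isdigit() for c in value),
        any(not c.isalnum() for c in value),
    ])
    return len(value) >= 8 and classes >= 2


def is_masked(value):
    """True when the captured value is already a redaction placeholder."""
    return set(value) <= set("*xX#") or value.lower() in ("[redacted]", "<redacted>")


def mask(secret):
    """Keep two leading characters for triage; never log the full secret."""
    if len(secret) <= 4:
        return "*" * len(secret)
    return secret[:2] + "*" * (len(secret) - 2)


def scan_line(line):
    """Return (rule_name, masked_secret) for the first rule that fires, else None."""
    for name, pattern, needs_heuristic in RULES:
        for match in pattern.finditer(line):
            secret = match.group("secret")
            if is_masked(secret):
                continue  # already redacted upstream: not an exposure
            if needs_heuristic and not looks_like_password(secret):
                continue  # plain mistyped username, not a leaked password
            return name, mask(secret)
    return None


def scan_log(text):
    """Return [(line_number, rule_name, masked_secret), ...] for a whole log."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        hit = scan_line(line)
        if hit:
            findings.append((line_no, hit[0], hit[1]))
    return findings


if __name__ == "__main__":
    for line_no, rule, masked in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: rule {rule} fired, value {masked}")
```

The alert carries only a masked prefix of the captured value: the point of the rule is to start a password reset and a log scrub, and an alert that repeats the secret in full would simply create a second exposure in the SIEM.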
