Solved: Is it possible to append/concatenate regexes for o...

hexerino · ‎03-28-2019

Currently I have a search as follows:

myFieldName="mySearchValue" | where match(path,`startOfPath`)
`startOfPath` expands to f.e. "^C\:\\\Windows\\\.*"

Some cases, however, I'd need to specify additional paths. In order to avoid to have a lot of repetition, my question was whether it was possible to use startOfPath + rest of path to validate the path.

As requested by mydog8it I'll elaborate with a concrete example of what I'm trying to accomplish.

macro 1 : filter_CLIENT_CONTROL
ThreatName="Client Control" | where match(SourcePath,`path_windows` + CustomRestOfPath)

macro 2 : path_windows
"^C\:\\\Windows\\\.*"

Whilst what I'm trying to accomplish is as follows for the filter_CLIENT_CONTROL macro:
ThreatName="Client Control" | where match(SourcePath,`path_windows` + ".*\\(COMPATTELRUNNER)\.EXE" ")

So in essence, the regex within the filter_CLIENT_CONTROL macro expands to ^C\:\\(WINDOWS)\\.*\\(COMPATTELRUNNER)\.EXE

Thank you

hexerino · ‎04-17-2019

After having provided information but not having received any feedback I solved the problem through an alternative approach.

View solution in original post

hexerino · ‎04-17-2019

After having provided information but not having received any feedback I solved the problem through an alternative approach.

mydog8it · ‎03-28-2019

Can you provide example data and an example of how you would like it parsed? It sounds to me like you could just use two capture groups with the names "startOfPath" and another named "restOfPath".

Is it possible to append/concatenate regexes for one field check?

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?