What if I want to leave out certain keywords in a search?
E.g., everything except "particular keyword". Is this possible through regex?
Yes, it is. Your forum post subject references Event Viewer specifically, so in that case... on the Analysis tab, Event Viewer page, check the "Display advanced filter options" check box, and inside one of the "String Matching" boxes type in your regex pattern for the keyword(s) you want to exclude, then uncheck the "Contains" box and check the Regex box.
If you have multiple keywords you can use a pipe symbol and enter them all in the same "String Matching" expression box.
For example... server1|122\.155\.200\.111|jdsample|keyword1|keyword2
would exclude all events containing any of the following:
Thanks Ryan, unchecking "Contains" did the job in the Analysis tab.
But if I want to make a correlation rule and, while setting the filter, I want to exclude something using regex...
...then inside your correlation rule circuit, drill into your specific statement and set a Statement Filter. In the Statement Filter choose the variable you want (or use [CONTENT] for the entire message payload) and specify the "REGEX" option in the "Comparison" field. From there you just plug your regex expression into the "Criteria" field, and check the box for whether or not you want it case sensitive.
Does this answer your question?
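As an added example (not code from the original thread or from the product being discussed), here is the filter semantics described in the two answers above: a "String Matching" pattern with pipe-separated alternatives, evaluated either as "Contains" (keep matches) or with "Contains" unchecked (drop matches), against the whole payload or a single named field, with a case-sensitivity switch. The event records, the field names (Host, Login, CONTENT) and the function names are constructed for illustration; the escaped-IP pattern is the one quoted in the first answer.

```python
import re

# Constructed sample events; field names are assumed, not the product's own.
SAMPLE_EVENTS = [
    {"Host": "server1", "Login": "jdsample",  "CONTENT": "server1 sshd: accepted publickey for jdsample"},
    {"Host": "fw01",    "Login": "",          "CONTENT": "Login failure from 122.155.200.111"},
    {"Host": "fw01",    "Login": "",          "CONTENT": "Login failure from 122x155x200x111"},
    {"Host": "app02",   "Login": "svc_batch", "CONTENT": "KEYWORD1 processed"},
    {"Host": "dc01",    "Login": "WS01$",     "CONTENT": "WS01$ logged on"},
    {"Host": "host7",   "Login": "backup",    "CONTENT": "host7 backup completed"},
]

# The exclusion pattern from the first answer: plain keywords and an IP
# address whose dots are escaped so they match literal dots only.
EXCLUDE_PATTERN = r"server1|122\.155\.200\.111|jdsample|keyword1|keyword2"


def build_exclusion_pattern(keywords):
    """Join literal keywords into one alternation, escaping regex
    metacharacters (so an IP's dots do not become wildcards)."""
    return "|".join(re.escape(k) for k in keywords)


def apply_string_filter(events, pattern, contains=True,
                        case_sensitive=False, field="CONTENT"):
    """Return the events that pass the filter.

    contains=True  -> keep events whose `field` matches `pattern`
    contains=False -> drop events whose `field` matches `pattern`
                      (the "Contains" box unchecked / a statement filter
                      that filters OUT whatever it matches)
    """
    flags = 0 if case_sensitive else re.IGNORECASE
    rx = re.compile(pattern, flags)
    kept = []
    for event in events:
        matched = rx.search(event.get(field, "")) is not None
        # keep when the match state agrees with the requested mode
        if matched == contains:
            kept.append(event)
    return kept


if __name__ == "__main__":
    # "Contains" unchecked: everything matching the alternation is dropped.
    for ev in apply_string_filter(SAMPLE_EVENTS, EXCLUDE_PATTERN, contains=False):
        print("kept:", ev["CONTENT"])
    # Same pattern, case sensitive: "KEYWORD1" no longer matches "keyword1".
    print(len(apply_string_filter(SAMPLE_EVENTS, EXCLUDE_PATTERN,
                                  contains=False, case_sensitive=True)), "kept (case sensitive)")
    # Field-scoped exclusion: drop logins ending in "$" (machine accounts).
    print(len(apply_string_filter(SAMPLE_EVENTS, r"\$$", contains=False, field="Login")),
          "kept after dropping machine-account logins")
```

Note that the third sample event ("122x155x200x111") survives the exclusion only because the dots in the pattern are escaped; an unescaped `122.155.200.111` would also drop it, which is the usual silent over-matching mistake with IP addresses in a regex filter.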
Actually, I wanted to know how to exclude something with the help of regex in the Statement Filter!
For e.g., if I want to exclude "KEYWORD" in content or any other variable,
will this work?
You can't directly negate a REGEX filter. (Ex: \$ (all usernames that don't terminate with $, AKA computers).
However you can create a Watchlist with any REGEX and set "NOT IN" filter. It will do the job to exclude with REGEX.
Correct. But in this case, he's using it within the context of a correlation alert's filter statement. A filter statement will filter OUT anything that it matches, and only pass through whatever's left.
In this case, he's wanting to filter out anything that matches his specific regex pattern, so this usage would be correct.
Unless I misread his request.