
ESA EPL Syntax for String Array with REGEXP

Question asked by Drew Contractor on Mar 27, 2018
Latest reply on Mar 27, 2018 by Drew Contractor

The following EPL syntax never alerts in NetWitness Packets despite passing tests on the EsperTech website. I am also able to confirm that valid domains fitting the alert criteria are seen by our NetWitness Packets system. Additionally, replacing the regular expression with an overly broad one (i.e. '[a-z0-9]+') creates tons of alerts.


The alert syntax is looking for long domains broken up by underscores.


// Alert on DNS events (service 53) where any alias_host value contains at least
// three underscore-terminated alphanumeric runs, e.g. aaa_bbb_ccc_rest.example.com
SELECT * FROM Event(
    ( service IN ( 53 ) )
    AND
    alias_host.anyOf(a=> a regexp '([a-z0-9]+\_){3,}.*')
);


Any suggestions or ideas as to what could be wrong?
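A quick way to see what the pattern actually matches outside ESA: the Python harness below is an added example, not part of the original post and not NetWitness or Esper code. It assumes that Esper's regexp operator behaves like java.util.regex Matcher.matches(), i.e. the whole string must match (so re.fullmatch is the Python equivalent, not re.search), and the hostnames in it are constructed samples.

```python
import re

# Constructed sample alias_host values (not taken from any real capture).
SAMPLE_HOSTS = [
    "a_b_c_d.example.com",               # three underscore-terminated runs
    "data_exfil_chunk_0001.evil.test",   # three runs, then more labels
    "A_B_C_D.EXAMPLE.COM",               # uppercase: [a-z0-9] never matches
    "abc_def.example.com",               # only two runs
    "www.example.com",                   # no underscores at all
    "localhost",                         # single label, no dots
]

# The pattern from the post ('\_' in the EPL literal is just a literal '_').
LONG_UNDERSCORE_RE = re.compile(r"([a-z0-9]+_){3,}.*")
# Case-insensitive variant, since meta values are not guaranteed to be lowercase.
LONG_UNDERSCORE_CI_RE = re.compile(r"(?i)([a-z0-9]+_){3,}.*")
# The "overly broad" pattern mentioned in the post.
BROAD_RE = re.compile(r"[a-z0-9]+")


def esper_regexp(pattern, value):
    """Assumed semantics of EPL 'value regexp pattern': the whole string
    must match, like java.util.regex Matcher.matches()."""
    return pattern.fullmatch(value) is not None


def any_of(pattern, hosts):
    """Mirror alias_host.anyOf(a => a regexp '...'): true if any value matches."""
    return any(esper_regexp(pattern, h) for h in hosts)


def matching_hosts(pattern, hosts):
    """Hosts that would fire the alert under whole-string semantics."""
    return [h for h in hosts if esper_regexp(pattern, h)]


def partial_matching_hosts(pattern, hosts):
    """Same check under substring semantics (re.search), for comparison: this is
    what a tester that highlights substrings shows, not what a whole-string
    match does."""
    return [h for h in hosts if pattern.search(h) is not None]


if __name__ == "__main__":
    for name, pat in [("long-underscore", LONG_UNDERSCORE_RE),
                      ("long-underscore (?i)", LONG_UNDERSCORE_CI_RE),
                      ("broad", BROAD_RE)]:
        print(f"{name}: full={matching_hosts(pat, SAMPLE_HOSTS)} "
              f"partial={partial_matching_hosts(pat, SAMPLE_HOSTS)}")
```

Two things worth noticing when you run it: the uppercase host never matches '[a-z0-9]' under either semantics, so a '(?i)' prefix (or lowercasing the meta value) is needed if the decoder does not normalise case; and under whole-string semantics the broad '[a-z0-9]+' only matches a dot-free name like 'localhost', whereas a substring tester matches almost everything, so the two ways of testing a pattern can disagree badly.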
