
How do I enter an IP range in EPL using RegEx?

Question asked by Hidayat Lal Baz on Apr 11, 2018
Latest reply on Apr 19, 2018 by Hidayat Lal Baz

Hello everybody,

I hope you can help me out.
I have created a rule in EPL that should trigger whenever the corresponding event occurs in one of the metafields. I would also like to receive an alarm if a certain IP range occurs. In order not to list the entire IP range, I would like to use RegExp here. Can either of you tell me how to integrate RegExp into my rule?


My code looks like this, but unfortunately I get a syntax error:


SELECT * FROM
Event(
medium = 32 AND
ec_activity = 'Logon' AND
ec_theme = 'Authentication' AND
ec_outcome = 'Failure' AND
result = 'failed publickey' AND

(matchRegex(device_ip, "(10\.169\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5])))"))  AND
user_dst IS NOT NULL AND
host_src IS NULL
).std:groupwin(user_dst_hash , device_ip , device_host).win:time_length_batch(120 seconds, 3) GROUP BY user_dst_hash , device_ip , device_host HAVING COUNT(*) = 3;
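Before wiring a regex like this into a rule, it is worth confirming that it matches exactly the intended range and nothing else. The following Python check is an added example, not code from the original post or from the product; it compares the octet regex from the question against a proper CIDR test for 10.169.0.0/16 over constructed sample values, and shows what goes wrong if the engine did substring search instead of full-string matching. It assumes EPL regex matching is full-string (Java matches() semantics); if that assumption does not hold, the pattern would need ^ and $ anchors.

```python
import ipaddress
import re

# Octet sub-pattern copied from the question: 0-9, 10-99, 100-199, 200-255.
OCTET = r"([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))"
# Full pattern from the question, intended to cover device_ip values in 10.169.0.0/16.
IP_RANGE_RE = re.compile(r"10\.169\." + OCTET + r"\." + OCTET)

# Reference network, used as ground truth for the regex.
NETWORK = ipaddress.ip_network("10.169.0.0/16")

# Constructed sample device_ip values, including edge cases.
SAMPLES = [
    "10.169.0.1",       # inside the range
    "10.169.255.255",   # last address, exercises the 2(5[0-5]) branch
    "10.169.12.34",     # forces backtracking from [0-9] to [1-9][0-9]
    "10.168.3.4",       # neighbouring /16, must not match
    "10.169.1.256",     # invalid octet, must not match
    "110.169.1.10",     # contains "10.169..." as a substring only
]


def regex_matches(device_ip: str) -> bool:
    """Full-string match, mirroring Java Matcher.matches() (assumed EPL semantics)."""
    return IP_RANGE_RE.fullmatch(device_ip) is not None


def cidr_matches(device_ip: str) -> bool:
    """Ground truth: parse the address and test membership in 10.169.0.0/16."""
    try:
        return ipaddress.ip_address(device_ip) in NETWORK
    except ValueError:
        return False


def regex_cidr_disagreements(samples):
    """Samples where the regex and the CIDR test disagree; empty means the regex is exact."""
    return [ip for ip in samples if regex_matches(ip) != cidr_matches(ip)]


def unanchored_false_positives(samples):
    """Samples an unanchored substring search would accept although they are outside the range."""
    return [ip for ip in samples if IP_RANGE_RE.search(ip) and not cidr_matches(ip)]


if __name__ == "__main__":
    print("disagreements:", regex_cidr_disagreements(SAMPLES))
    print("unanchored false positives:", unanchored_false_positives(SAMPLES))
```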
