This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Announcements
Webinar May 14th: Gemini's generative AI within Google SecOps
Webinar May 29th: Log Ingestion: Bindplane + Google SecOps
Log in to ask a question

Trouble with creating a reference list

Posted on 11-11-2024 10:50 AM
GSCoNist-
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Hello, I am currently creating a Chronicle rule that checks specific registry key values and was wondering if I reference a list am I able to put the entire file path? For example I have the following file path that is returned in the events:
c:\program files (x86)\cisco\cisco anyconnect secure mobility client\vpnagent.exe

 
Right now I am using the RegEx syntax for the List and have the following:
vpnagent.exe // From c:\program files (x86)\cisco\cisco anyconnect secure mobility client\vpnagent.exe
 
Now it does work but I really would like to reference the entire path and not just the name of the exe file. Any ideas?
0 2 117
Topic Labels
0 Likes
2 REPLIES 2

Posted on --/--/---- --:-- AM
David-French
Staff
Reply posted on --/--/---- --:-- AM

Can you try the following regex expression that escapes characters like backslash and parentheses?

c:\\program files \(x86\)\\cisco\\cisco anyconnect secure mobility client\\vpnagent\.exe

Posted on --/--/---- --:-- AM
jstoner
Staff
Reply posted on --/--/---- --:-- AM

A little bit of testing is wise to make sure you handle all potential escape characters as @David-French mentions above. I would also suggest adding a strings.to_lower (or strings.to_upper) against the field or variable being compared.

For instance if your list is like what is above, the criteria might look like this:

strings.to_lower($registry.target.process.file_path) IN %reglist
Top Solution Authors
View all