I got closer... On further investigation, it tags if the case is the same, but not if it comes in all lower case, for example.
On Friday, February 10, 2017 at 3:54:01 PM UTC-6, Tom Powers wrote:

> Looking to do a Regex for a string in full_message
>
> I have the first stream rule tagging EventID:4688 (works great)
>
> Trying to then do a second rule where it will match any .exe that ran out of any user appdata folder.
>
> For example... (AppData\\Local\\Temp\\.+.exe) works for my powershell queries but not for Graylog.
>
> What am I missing here? I have other Regexes working fine, searching for different keywords, but this one eludes me
>
> The goal is to tag into the stream any Event 4688 with any exe that ran out of any users appdata\local\temp folder
>
> All insight is appreciated
>
> Thanks
> TP
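As an added example (not code from the thread), the rule quoted above and a case-insensitive version are run against constructed EventID 4688-style messages to show why the lower-case path is missed and why the unescaped dot before `exe` also matters. Graylog is a Java application, so its stream rule regexes go through java.util.regex, which accepts the same `(?i)` inline flag as Python's `re`; the sample messages and path names are constructed.

```python
import re

# Constructed EventID 4688-style messages (not taken from the original post).
# Path casing varies the way it does across real Windows hosts.
SAMPLE_MESSAGES = [
    r"EventID:4688 New Process Name: C:\Users\alice\AppData\Local\Temp\update.exe",
    r"EventID:4688 New Process Name: c:\users\bob\appdata\local\temp\setup.exe",
    r"EventID:4688 New Process Name: C:\Users\carol\AppData\Local\Temp\notes.txt",
    r"EventID:4688 New Process Name: C:\Windows\System32\svchost.exe",
    r"EventID:4688 New Process Name: C:\Users\dave\AppData\Local\Temp\report-exe.log",
]

# The pattern from the post. It is case-sensitive, so the all-lower-case path
# for "bob" is not tagged, and the unescaped '.' before "exe" matches any single
# character, so "report-exe.log" is tagged even though it is not an executable.
ORIGINAL_PATTERN = r"AppData\\Local\\Temp\\.+.exe"

# Hardened version: (?i) makes the whole pattern case-insensitive and the
# escaped dot requires a literal ".exe". '.+' is kept so executables launched
# from subfolders of Temp are still tagged, as the post asks for.
HARDENED_PATTERN = r"(?i)AppData\\Local\\Temp\\.+\.exe"


def matching_messages(pattern, messages):
    """Return the messages a stream rule using `pattern` would tag."""
    regex = re.compile(pattern)
    return [m for m in messages if regex.search(m)]


if __name__ == "__main__":
    for name, pattern in (("original", ORIGINAL_PATTERN), ("hardened", HARDENED_PATTERN)):
        print(f"{name}: {pattern}")
        for message in matching_messages(pattern, SAMPLE_MESSAGES):
            print("  tagged:", message)
```

The same `(?i)...` string can be pasted into the Graylog rule as-is; the only difference from the PowerShell version is that Graylog applies it to the whole `full_message`, so anything else in the event text (such as a parent process path) that matches will also tag the message.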
