Create and import custom filters containing queries that match specified patterns with regular expressions (regex).

  • Custom filters support regex in English and for the string data type.
  • Escape (type a backslash before) these characters:
    • backslashes (\)
    • forward slashes (/)
    • quotation marks (")
  • Custom filters do not support character class escapes, including Unicode and ASCII (American Standard Code for Information Interchange) escapes.
  • For more information, see Use regex in Search queries.

Syntax examples

Action: Create custom filter
Example:
    endpointHostName: /^(W|m)/
Explanation:
  • To use regex when creating a custom filter, enclose the pattern you want to query in forward slashes (/). Add a space before the opening slash and after the closing slash to avoid syntax errors.
  • You can include up to 5 regex patterns per query.

Action: Import custom filter
Example:
    # imported yaml file
    detection:
        selection:
            CommandLine|re: '([0-9]|[1-9][0-9]|[1-4][0-9]{2})'
Explanation:
  • To use regex in imported custom filters, add |re after the field name.
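The following is an added example, not code from the product documentation: it builds a `field: /pattern/` clause with the required escaping, counts the regex patterns in a query against the five-per-query limit, and evaluates a `field|re` selection like the imported YAML above against sample events. The evaluator's semantics (AND across entries, unanchored search for `|re`, case-insensitive equality for plain fields, OR across list values) are assumptions modelled on Sigma, and the events are constructed.

```python
import re

MAX_REGEX_PER_QUERY = 5  # limit stated in the documentation above

# The import example from the page, as a dict so this runs without a YAML library.
IMPORTED_SELECTION = {"CommandLine|re": "([0-9]|[1-9][0-9]|[1-4][0-9]{2})"}


def regex_clause(field, pattern):
    """Build a `field: /pattern/` clause, escaping the three characters the
    custom-filter syntax requires (backslash, forward slash, double quote)."""
    escaped = re.sub(r'([\\/"])', r"\\\1", pattern)
    return f"{field}: /{escaped}/"


def count_regex(query):
    """Count /.../ patterns in a query, skipping escaped characters so an
    escaped slash inside a pattern is not mistaken for a delimiter."""
    slashes, i = 0, 0
    while i < len(query):
        if query[i] == "\\":
            i += 2  # skip the escaped character
            continue
        if query[i] == "/":
            slashes += 1
        i += 1
    return slashes // 2


def within_limit(query):
    """True if the query stays within the five-regex limit."""
    return count_regex(query) <= MAX_REGEX_PER_QUERY


def matches_selection(selection, event):
    """Evaluate a selection block against one event (assumed Sigma-like rules)."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        value = event.get(field)
        if value is None:
            return False
        candidates = expected if isinstance(expected, list) else [expected]
        if modifier == "re":
            ok = any(re.search(p, str(value)) for p in candidates)
        elif modifier == "":
            ok = any(str(value).lower() == str(c).lower() for c in candidates)
        else:
            raise ValueError(f"unsupported modifier: {modifier}")
        if not ok:
            return False
    return True


# Constructed sample events (not real telemetry).
EVENTS = [
    {"endpointHostName": "WKS-0042", "CommandLine": "ping 10.0.0.1"},
    {"endpointHostName": "srv-db", "CommandLine": "whoami"},
]
```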