This website uses cookies. By continuing to browse or login to this website, you consent to the use of cookies. Learn more.
OK
kishangupta
Lieutenant Lieutenant
Lieutenant
‎2014-12-16 11:16
490 views

How to escape \n in ArcSight query

Hi,

For one of the rule I have to give condition like this :

destinationProcessName = C:\windows\system32\net1.exe

when I add this condition in ArcSight (ESM 6.0 Patch 3) will change condition like this (to escape special characters) :

Destination Process Name = "C:\\windows\\system32\net1.exe"

If you see properly it is adding extra '\' before \, but for last \ (\net1.exe) it is not adding escape character, as per my understanding ArcSight is considering this as a special character '\n' and because of that condition which I want to give here is not working.

Can you tell me how I can add a escape here for last \, so that in sql query string should go like this C:\windows\system32\net1.exe?

For workaround I have made the query like this :

Destination Process Name STARTSWITH "C:\\windows\\system32\\"

AND

Destination Process Name ENDSWITH "net1.exe"

Thank you.

Thanks and Regards,
Kishan Gupta
Labels (1)
Labels
Tags (2)
0 Likes
Reply
Report Inappropriate Content
2 Replies
balahasan.v1
Fleet Admiral
Fleet Admiral
‎2014-12-17 11:22

Hi Kishan,

You can use last index of variable for capturing / and then use ur substring to get the exe. Please use the variable in ur rule directly then.

PFA.

2.JPG

0 Likes
Reply
Report Inappropriate Content
kishangupta
Lieutenant Lieutenant
Lieutenant
‎2015-01-29 08:35

Dear Bala,

Thanks for the solution, I will try it.

Thanks and Regards,
Kishan Gupta
0 Likes
Reply
Report Inappropriate Content
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.