How to escape \n in ArcSight query

Hi,

For one of the rules I have to give a condition like this:

destinationProcessName = C:\windows\system32\net1.exe

When I add this condition in ArcSight (ESM 6.0 Patch 3), it changes the condition like this (to escape special characters):

Destination Process Name = "C:\\windows\\system32\net1.exe"

If you look closely, it is adding an extra '\' before each \, but for the last \ (\net1.exe) it is not adding an escape character. As per my understanding, ArcSight is treating this as the special character '\n', and because of that the condition I want to give here is not working.

Can you tell me how I can add an escape here for the last \, so that in the SQL query the string goes like this: C:\windows\system32\net1.exe?

As a workaround I have made the query like this:

Destination Process Name STARTSWITH "C:\\windows\\system32\\"

AND

Destination Process Name ENDSWITH "net1.exe"

Thank you.

Thanks and Regards,
Kishan Gupta
2 Replies

Hi Kishan,

You can use the last index of variable for capturing / and then use your substring to get the exe. Please use the variable in your rule directly then.

PFA.

2.JPG


Dear Bala,

Thanks for the solution, I will try it.

Thanks and Regards,
Kishan Gupta
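
Added example, not part of the original thread and not ArcSight code: a small Python model of the escaping the question describes, assuming (as the poster suspects) that \n, \t and \r are treated as escape sequences. It shows why the equality condition fails, checks the STARTSWITH / ENDSWITH workaround, and splits at the last backslash as the reply suggests; the function names and sample paths are constructed for illustration.

```python
# Model of the behaviour described in the thread (an assumption, not ArcSight code):
# the editor doubles a backslash unless it begins \n, \t or \r, and the value is
# later decoded with \\ -> \ and \n -> newline before it is compared.
ESCAPES = {"n": "\n", "t": "\t", "r": "\r"}
TARGET = r"C:\windows\system32\net1.exe"
FOLDER = "C:\\windows\\system32\\"

def editor_escape(raw):
    """Escape a typed value the way the post shows the editor doing it."""
    out = []
    for i, ch in enumerate(raw):
        nxt = raw[i + 1:i + 2]  # empty string at the end of the value
        out.append("\\\\" if ch == "\\" and nxt not in ESCAPES else ch)
    return "".join(out)

def decode(escaped):
    """Decode an escaped literal into the value that is actually compared."""
    out, i = [], 0
    while i < len(escaped):
        ch = escaped[i]
        if ch == "\\" and i + 1 < len(escaped):
            nxt = escaped[i + 1]
            out.append("\\" if nxt == "\\" else ESCAPES.get(nxt, "\\" + nxt))
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)

def equality_matches(event_value, typed=TARGET):
    """Does '=' match once the typed value has been escaped and decoded?"""
    return decode(editor_escape(typed)) == event_value

def workaround_matches(event_value):
    """The poster's STARTSWITH / ENDSWITH pair."""
    prefix = decode(editor_escape(FOLDER))
    return event_value.startswith(prefix) and event_value.endswith("net1.exe")

def split_matches(event_value):
    """Split at the last separator, then compare folder and file name exactly."""
    cut = event_value.rfind("\\") + 1
    return event_value[:cut] == FOLDER and event_value[cut:] == "net1.exe"

def risky(paths):
    """Typed paths that do not survive escape + decode unchanged."""
    return [p for p in paths if decode(editor_escape(p)) != p]

# Constructed sample values, not taken from any real event log.
SAMPLES = [TARGET, r"C:\windows\system32\cmd.exe", r"C:\windows\temp\run.exe"]
```

In this model the STARTSWITH / ENDSWITH pair also matches a file in a subfolder whose name merely ends in net1.exe, while comparing folder and file name after the split does not.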