How to escape \n in ArcSight query
For one of the rule I have to give condition like this :
destinationProcessName = C:\windows\system32\net1.exe
when I add this condition in ArcSight (ESM 6.0 Patch 3) will change condition like this (to escape special characters) :
Destination Process Name = "C:\\windows\\system32\net1.exe"
If you see properly it is adding extra '\' before \, but for last \ (\net1.exe) it is not adding escape character, as per my understanding ArcSight is considering this as a special character '\n' and because of that condition which I want to give here is not working.
Can you tell me how I can add a escape here for last \, so that in sql query string should go like this C:\windows\system32\net1.exe?
For workaround I have made the query like this :
Destination Process Name STARTSWITH "C:\\windows\\system32\\"
Destination Process Name ENDSWITH "net1.exe"
You can use last index of variable for capturing / and then use ur substring to get the exe. Please use the variable in ur rule directly then.