InsightIDR LEQL to RegEx Help Needed

Hi!

I tried to create a Dashboard Card and a custom alert notification for my intended use case, but when I try to use the query from the Card in the custom alert, it doesn't actually accept it. I realized that what I am trying to get as a custom alert would need a RegEx equivalent. The problem is that I am really a beginner in RegEx. Would anyone be willing to help me with this?

Goal: Create a Card representation and a corresponding notification whenever a user shares a file outside of the listed domains in Office365

Here’s my Card Query:
where(source_user CONTAINS-ANY [@domain1.net.ph, @domain1_1.net.ph, @domain2.com.ph, @domain2_1.com.ph, @domain3.ph, @domain4.com] AND source_json.TargetUserOrGroupType="Guest" AND source_json.TargetUserOrGroupType NOT IN [@domain1.net.ph, @domain1_1.net.ph, @domain2.com.ph, @domain2_1.com.ph, @domain3.ph, @domain4.com]) groupby(source_user)

Custom Alert Goal: To create a notification whenever there is a positive match of the above.

Initial Attempt: As I really suck at RegEx, I tried working around the LEQL and made the below, which actually doesn't return an error in the Priority and Trigger under Custom Alert Setup.

(source_user CONTAIN @domain1.net.ph)
AND source_json.TargetUserOrGroupType="Guest"
AND (source_json.TargetUserOrGroupType NOT @domain1.net.ph OR
source_json.TargetUserOrGroupType NOT @domain1_1.net.ph OR
source_json.TargetUserOrGroupType NOT @domain2.com.ph OR
source_json.TargetUserOrGroupType NOT @domain2_1.com.ph OR
source_json.TargetUserOrGroupType NOT @domain3.ph OR
source_json.TargetUserOrGroupType NOT @domain4.com)

If I go with this, then I need to create an entry for each source_user domain one by one. I'm not sure if that's the best way, though, as I think the regex should be a single one.

Any help or advice would be very much appreciated.

1 Like

Hello nowel,
Thanks for the question!

Let me follow up on your approach without complex regex, although I must note that we shouldn't use the CONTAINS keyword in Custom Alerts.
Also ensure correct escaping of symbols in regex.

where(
  (
       source_user = /@domain1\.net\.ph/
    OR source_user = /@domain1_1\.net\.ph/
    OR source_user = /@domain2\.com\.ph/
    OR source_user = /@domain2_1\.com\.ph/
    OR source_user = /@domain3\.ph/ 
    OR source_user = /@domain4\.com/
  )
  AND source_json.TargetUserOrGroupType="Guest" AND NOT
  (
       source_json.TargetUserOrGroupType = @domain1.net.ph
    OR source_json.TargetUserOrGroupType = @domain1_1.net.ph
    OR source_json.TargetUserOrGroupType = @domain2.com.ph
    OR source_json.TargetUserOrGroupType = @domain2_1.com.ph
    OR source_json.TargetUserOrGroupType = @domain3.ph
    OR source_json.TargetUserOrGroupType = @domain4.com
  )
)
groupby(source_user)

Could you please take a look to see whether all the values in the key-value conditions are correct?
Thanks,
Alexey

1 Like

Thanks @alexey_shulga!!

@nowel As long as the keywords do in fact match up with what your logs show, you could test the following in your custom pattern detection and see if any matches appear:

where((source_user=/.*\@domain1\.net\.ph|.*\@domain1_1\.net\.ph|.*\@domain2\.com\.ph|.*\@domain2_1\.com\.ph|.*\@domain3\.ph|.*\@domain4\.com/i) AND source_json.TargetUserOrGroupType="Guest" AND source_json.TargetUserOrGroupType!=/.*\@domain1\.net\.ph|.*\@domain1_1\.net\.ph|.*\@domain2\.com\.ph|.*\@domain2_1\.com\.ph|.*\@domain3\.ph|.*\@domain4\.com/i)groupby(source_user)

2 Likes
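To see the escaping point from both answers in runnable form, here is an added Python example (mine, not code from the thread or from Rapid7). It builds a single alternation from the domain list with re.escape(), so the dots are literal as in the /@domain1\.net\.ph/ forms above, anchors it to the end of the address, and then applies the thread's rule (internal sharer, Guest target, target not internal) to a few constructed events. The field name target_user is my placeholder for the guest's address; the thread only shows TargetUserOrGroupType, and which field carries the address in your logs is something to confirm against your own events.

```python
import re

# Constructed allow-list of internal domains, reusing the thread's placeholders.
INTERNAL_DOMAINS = [
    "domain1.net.ph", "domain1_1.net.ph", "domain2.com.ph",
    "domain2_1.com.ph", "domain3.ph", "domain4.com",
]


def build_domain_regex(domains, escape=True):
    """Return one case-insensitive regex matching an e-mail address whose
    domain is in `domains`.

    With escape=True each domain goes through re.escape(), so '.' is literal
    (the same thing the backslash-dot escaping does in the LEQL answers above).
    The trailing '$' stops 'domain4.com' from also accepting a lookalike such
    as 'domain4.com.attacker.example'. escape=False exists only to show what
    an unescaped pattern gets wrong.
    """
    parts = [re.escape(d) if escape else d for d in domains]
    return re.compile(r"^[^@\s]+@(?:" + "|".join(parts) + r")$", re.IGNORECASE)


INTERNAL_RE = build_domain_regex(INTERNAL_DOMAINS)


def is_internal(address, pattern=INTERNAL_RE):
    """True when the address belongs to one of the allow-listed domains."""
    return pattern.match(address.strip()) is not None


def find_external_shares(events):
    """Apply the thread's rule: flag an event when the sharing user is
    internal, the target type is 'Guest', and the target address is NOT
    internal. 'source_user' and 'TargetUserOrGroupType' are the field names
    from the thread; 'target_user' is a placeholder for the guest's address."""
    hits = []
    for ev in events:
        if not is_internal(ev["source_user"]):
            continue
        if ev.get("TargetUserOrGroupType") != "Guest":
            continue
        target = ev.get("target_user", "")
        if is_internal(target):
            continue
        hits.append((ev["source_user"], target))
    return hits


# Constructed sample events (not real Office 365 log data).
SAMPLE_EVENTS = [
    {"source_user": "alice@domain1.net.ph", "TargetUserOrGroupType": "Guest",
     "target_user": "bob@gmail.example"},            # external -> alert
    {"source_user": "alice@domain2.com.ph", "TargetUserOrGroupType": "Guest",
     "target_user": "carol@Domain4.COM"},            # internal, case differs -> no alert
    {"source_user": "dan@domain3.ph", "TargetUserOrGroupType": "Member",
     "target_user": "erin@gmail.example"},           # not a Guest share -> no alert
    {"source_user": "eve@domain1Xnet.ph", "TargetUserOrGroupType": "Guest",
     "target_user": "x@gmail.example"},              # sharer not internal -> no alert
    {"source_user": "frank@domain4.com", "TargetUserOrGroupType": "Guest",
     "target_user": "mallory@domain4.com.attacker.example"},  # lookalike -> alert
]

if __name__ == "__main__":
    for src, tgt in find_external_shares(SAMPLE_EVENTS):
        print(f"ALERT external share: {src} -> {tgt}")
```

The fourth event is the reason for the escaping: with escape=False the pattern domain1.net.ph treats the dot as a wildcard and accepts domain1Xnet.ph as internal, which is exactly what an unescaped LEQL regex would do too.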

I also wanted to share that we are actively working on bringing the full suite of LEQL keywords to custom alerts. We have a tentative plan to deliver this in the coming month. For now, regex is required, but once we release the new LEQL custom alerts, anything you can do in search in terms of keywords will be available in alerting.

Note: Groupby alerting is not included in this upcoming release; we have other plans to address the use case of more complex custom alerting in the future.

David

4 Likes

Thanks a lot! @alexey_shulga @david_smith

Will do a run on this one based on your suggestions.

@david_smith
Thanks for sharing that info on the enhancement; I hope it comes out as soon as possible.

1 Like

One other tool I'd recommend if you want some help with regex queries is regex101.com. You plop in the text you're looking to match against and can then fine-tune your regex.

2 Likes