I tried to create a Dashboard Card and a custom alert notification for my intended use case just that when I try to use my query from the Card in the custom alert it doesn’t actually accept it. And I realized that what am trying to get a custom alert would need a RegEx equivalent. Problem is am really a beginner in RegEx. Would anyone willing to help me on this?
Goal: Create a Card representation and a corresponding notification whenever a user shares a file outside of the listed domains in Office365
Here’s my Card Query:
where(source_user CONTAINS-ANY [@domain1.net.ph, @domain1_1.net.ph, @domain2.com.ph, @domain2_1.com.ph, @domain3.ph, @domain4.com] AND source_json.TargetUserOrGroupType=“Guest” AND source_json.TargetUserOrGroupType NOT IN [@domain1.net.ph, @domain1_1.net.ph, @domain2.com.ph, @domain2_1.com.ph, @domain3.ph, @domain4.com]) groupby(source_user)
Custom Alert Goal: To create a notification whenever there is a positive match of the above.
Initial Attempt: As I really suck at RegEx, I tried going around the LEQL and made the below which actually doesn’t return an error in the Priority and Trigger under Custom Alert Setup.
(source_user CONTAIN @domain1.net.ph)
AND (source_json.TargetUserOrGroupType NOT @domain1.net.ph OR
source_json.TargetUserOrGroupType NOT @domain1_1.net.ph OR
source_json.TargetUserOrGroupType NOT @domain2.com.ph OR source_json.TargetUserOrGroupType NOT @domain2_1.com.ph OR source_json.TargetUserOrGroupType NOT @domain3.ph OR
source_json.TargetUserOrGroupType NOT @domain4.com)
If I go with this, then I need to create an entry for each source_user=domain one by one. Not sure if its the best way though as I think the regex should be one.
Any help or advise would be very much appreciated.
Thanks for the question!
Let me follow up with your approach without complex regex, although I must note that we shouldn’t use CONTAINS keyword in Custom Alerts
Also ensure correct escaping of symbols in regex.
source_user = /@domain1\.net\.ph/
OR source_user = /@domain1_1\.net\.ph/
OR source_user = /@domain2\.com\.ph/
OR source_user = /@domain2_1\.com\.ph/
OR source_user = /@domain3\.ph/
OR source_user = /@domain4\.com/
AND source_json.TargetUserOrGroupType="Guest" AND NOT
source_json.TargetUserOrGroupType = @domain1.net.ph
OR source_json.TargetUserOrGroupType = @domain1_1.net.ph
OR source_json.TargetUserOrGroupType = @domain2.com.ph
OR source_json.TargetUserOrGroupType = @domain2_1.com.ph
OR source_json.TargetUserOrGroupType = @domain3.ph
OR source_json.TargetUserOrGroupType = @domain4.com
Could you pls take a look if all the values in key-value conditions are correct?
@nowel As long as the keywords do in fact match up with what your logs show, you could test the following in your custom pattern detection and see if any matches appear:
where((source_user=/.*\@domain1\.net\.ph|.*\@domain1_1\.net\.ph|.*\@domain2\.com\.ph|.*\@domain2_1\.com\.ph|.*\@domain3\.ph|.*\@domain4\.com/i) AND source_json.TargetUserOrGroupType=“Guest” AND source_json.TargetUserOrGroupType!=/.*\@domain1\.net\.ph|.*\@domain1_1\.net\.ph|.*\@domain2\.com\.ph|.*\@domain2_1\.com\.ph|.*\@domain3\.ph|.*\@domain4\.com/i)groupby(source_user)
I also wanted to share that we are actively working on bringing the full suite of LEQL keywords to custom alerts. We have a tentative plan to deliver this in the coming month. For now regex is required, but once we release the new LEQL custom alerts anything you can do in search in terms of keywords will be available in alerting.
Note: Groupby alerting is not included in this upcoming, we have other plans to address the use case of more complex custom alerting in the future.
Thanks a lot! @alexey_shulga @david_smith
Will do a run on this one based on your suggestions.
Thanks for giving out that info on the enhancement, hope this would come out the soonest.
One other tool I’d recommend utilizing if you want some help with regex queries is regex101.com . You plop it in the text you’re looking to match against and then can fine tune your regex.