So here is what I am trying to accomplish.
I have a rule that detects the presence of various random file extensions. For example ".0x0".
The problem is that Windows PowerShell spits out all of these temporary .ps1 files with 3 random characters, and it constantly trips my rule because I have A LOT of file extensions. Since I do care about .ps1 files, but I do not care about temporary .xxx.ps1 files, I want to create a regex rule that will NOT alert me if it detects the pattern .xxx.ps1 (x's being any character).
Here is an example of a line of the rule that gets tripped:
contains(to_string($message.file_name), ".0x0", true)
So I would want something like:
contains(to_string($message.file_name), ".0x0", true) AND NOT
regex file_name contains .xxx.ps1 (needs to be case insensitive as well)
Can anyone tell me how to write the bolded portion? Sorry, I am very new to regex and Graylog, so any help would be appreciated.
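One way to write the exclusion as a complete Graylog pipeline rule, added here as an example and not part of the original post. It uses Graylog's built-in regex() function, whose result has a boolean .matches field, and the Java inline flag (?i) for case-insensitive matching. The rule name, the suspicious_extension field set in the then block, and the choice of [^.]{3} (exactly three non-dot characters between the two dots) are assumptions for illustration; if the temporary names are always letters and digits, \w{3} would be stricter. Backslashes are doubled because the pattern sits inside a double-quoted rule string.

```graylog
// Example rule (not from the original post): alert on a suspicious extension,
// but skip PowerShell's temporary ".xxx.ps1" files.
rule "suspicious extension, ignore temp PowerShell scripts"
when
  // the original condition: case-insensitive substring match on ".0x0"
  contains(to_string($message.file_name), ".0x0", true)
  AND NOT
  // (?i)      -> case-insensitive (Java regex inline flag)
  // \\.       -> a literal dot (escaped once for regex, once for the rule string)
  // [^.]{3}   -> exactly three characters that are not a dot (assumed temp-name shape)
  // \\.ps1$   -> ".ps1" at the very end of the file name
  regex("(?i)\\.[^.]{3}\\.ps1$", to_string($message.file_name)).matches
then
  // hypothetical field used to mark the message for an alert/stream rule
  set_field("suspicious_extension", true);
end
```

With this pattern, "report.0x0" and "script.ps1" still satisfy the when clause, while "report.0x0.abc.ps1" or "REPORT.0X0.ABC.PS1" are excluded; a name such as "abc.ps1" is not excluded, because the pattern requires a dot before the three random characters. If the rule has many contains() lines, the same AND NOT regex(...) clause can wrap the whole group of them in parentheses rather than being repeated per line.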