peterregin (posted September 15, 2017):
It seems like the dynamic groups are very finicky. Can someone assist with a simple Dynamic Group that lists computer names that do NOT have a space in them? I know how to regex, it just will not work.

MartinK (ESET Staff, posted September 15, 2017):
I think there are at least two issues:
- You are not using the correct regular expression to match strings with white characters. ERA uses Perl syntax, so the correct regular expression should be .*\s.*
- There also seems to be a logic error in the expression. Multiple alternatives are available, but the simplest would be to use the NAND operator instead of NOR.
I was not able to verify, but I would recommend testing the following template:

peterregin (posted September 15, 2017):
Thank you for this, but it still does not work. I've tried lots of combinations.

MartinK (ESET Staff, posted September 16, 2017):
Just to be sure we have not missed anything, a short summary of how dynamic groups are evaluated:
- When a dynamic group template is created or modified, it has to be delivered to the client machine (AGENT) for evaluation. This means it can take some time, and a working AGENT connection is required.
- Dynamic groups are evaluated on the client, based on client data. In this case, ComputerName is not the name of the computer as seen in the console, but the computer name reported by AGENT -> it can also be seen in the console, in computer details, device identifiers section.
- The operators used were added in recent ERA versions and will work only with the newest AGENT versions.
If that does not help, as a last resort it is possible to enable full trace logging on AGENT and search the generated trace.log for entries like this one:

Dynamic group template 'uuid { uuid: "edf8d75f-eefb-49b4-8cdb-d8a2c8d0e53e" } versionGuard: 5' with expression 'logicOperator: NAND compositeFilters { logicOperator: AND filters { operand { val_res_id: 508906757892866565 } symbol_id: 274 used_operator: OP_EQUAL } filters { operand { val_string: ".*\\s.*" } symbol_id: 275 used_operator: OP_REGEX } }' and symbols [274,val_res_id: 508906757892866564 val_res_id: 508906757892866565 val_res_id: 508906757892866566][275,val_string: "0" val_string: "era.local" val_string: "era.local"] is true

which shows the result of matching the dynamic group expression against the data that were actually evaluated. Be aware that multiple parts of this trace entry will be different for your environment.

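A helper for reading such trace entries, added here as an example (not code from ESET or from the posters): it pulls the template uuid, operators, regex operand and the strings the AGENT reported out of a line shaped like the one quoted in the post above, then checks each OP_REGEX pattern against those strings. The entry layout is inferred from that single sample; full-match semantics and Python's `re` standing in for ERA's Perl-syntax engine are assumptions.

```python
import re

# The trace.log entry quoted in the post above, joined onto one line.
SAMPLE = (
    r"""Dynamic group template 'uuid { uuid: "edf8d75f-eefb-49b4-8cdb-d8a2c8d0e53e" } versionGuard: 5' """
    r"""with expression 'logicOperator: NAND compositeFilters { logicOperator: AND """
    r"""filters { operand { val_res_id: 508906757892866565 } symbol_id: 274 used_operator: OP_EQUAL } """
    r"""filters { operand { val_string: ".*\\s.*" } symbol_id: 275 used_operator: OP_REGEX } }' """
    r"""and symbols [274,val_res_id: 508906757892866564 val_res_id: 508906757892866565 """
    r"""val_res_id: 508906757892866566][275,val_string: "0" val_string: "era.local" """
    r"""val_string: "era.local"] is true"""
)

QUOTED = r'"((?:[^"\\]|\\.)*)"'   # a double-quoted value that may contain escaped characters
ENTRY = re.compile(r"Dynamic group template 'uuid \{ uuid: \"([0-9a-f-]+)\" \}.*?' with expression "
                   r"'(.*)' and symbols (\[.*\]) is (true|false)")
FILTER = re.compile(r"filters \{ operand \{ \w+: (?:" + QUOTED + r"|(\S+)) \} "
                    r"symbol_id: (\d+) used_operator: (\w+) \}")
SYMBOL = re.compile(r"\[(\d+),(.*?)\](?=\[|$)")

def unescape(s):
    # The trace prints strings with backslashes and quotes escaped; undo only those two.
    return re.sub(r'\\([\\"])', r"\1", s)

def parse_entry(line):
    """Return uuid, top-level operator, filters, reported strings and result, or None."""
    m = ENTRY.search(line)
    if not m:
        return None
    uuid, expr, symbols, result = m.groups()
    top = re.search(r"logicOperator: (\w+)", expr)
    filters = [{"symbol_id": int(f[3]), "op": f[4], "operand": f[2] if f[1] is None else unescape(f[1])}
               for f in FILTER.finditer(expr)]
    strings = {int(sid): [unescape(v) for v in re.findall("val_string: " + QUOTED, body)]
               for sid, body in SYMBOL.findall(symbols)}
    return {"uuid": uuid, "logic": top.group(1) if top else None,
            "filters": filters, "strings": strings, "result": result == "true"}

def regex_hits(entry):
    """For each OP_REGEX filter, show which strings reported by the AGENT match its pattern."""
    hits = {}
    for f in entry["filters"]:
        if f["op"] == "OP_REGEX":
            # Assumption: the pattern only uses syntax that Perl and Python share (true for \s, \S).
            pat = re.compile(f["operand"])
            hits[f["operand"]] = {v: bool(pat.fullmatch(v))
                                  for v in entry["strings"].get(f["symbol_id"], [])}
    return hits
```

Running `regex_hits(parse_entry(line))` over the matching lines of a real trace.log shows the strings the AGENT actually compared, which is where a name changed only in the console will be absent.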
peterregin (posted September 18, 2017, edited September 18, 2017):
OK, that does help. I'm looking for the computer name in ERA; we've renamed machines in ERA. So this is looking for computers that we have not renamed. Based on the information you provided, it does not sound like Dynamic Groups are a viable option since I'm looking for something purely cosmetic.

kubasz (posted September 18, 2017, edited September 18, 2017):
Try a condition with AND and maybe with the regex: ^\S+$ (big S). The condition requires, from beginning to end, every character to be a non-white-space character, one or more times.

peterregin (posted September 18, 2017, edited September 18, 2017):
5 minutes ago, kubasz said: "try condition with AND and maybe with regex: ^/S+$ (big S ) every non white-space character one or more times."
I don't think regex is the problem based on what MartinK said. I think it's the data. ComputerName will always be what the agent reports and not what we've cosmetically changed it to in ERA.