
Creating a Dynamic Group with regex


peterregin


It seems like the dynamic groups are very finicky.

Can someone assist with a simple Dynamic Group that lists computer names that do NOT have a space in them.

I know how to regex, it just will not work.

[screenshot, 2017-09-15: ESET Remote Administrator dynamic group template]


  • ESET Staff

I think there are at least two issues:

  • you are not using the correct regular expression to match strings containing whitespace characters. ERA uses Perl syntax, so the correct regular expression should be .*\s.*
  • there also seems to be a logic error in the expression. Multiple alternatives are available, but the simplest would be to use the NAND operator instead of NOR.

I was not able to verify this, but I would recommend testing the following template:

[screenshot: the recommended dynamic group template]


  • ESET Staff

Just to be sure we have not missed anything, here is a short summary of how dynamic groups are evaluated:

  • when a dynamic group template is created or modified, it has to be delivered to the client machine (AGENT) for evaluation. This means it can take some time, and a working AGENT connection is required.
  • Dynamic groups are evaluated on the client, based on client data. In this case, ComputerName is not the name of the computer as seen in the console, but the computer name reported by the AGENT. It can also be seen in the console, in the computer details, in the device identifiers section.
  • The operators used here were added in recent ERA versions and will work only with the newest AGENT versions.

If that does not help, as a last resort it is possible to enable full trace logging on the AGENT and search the generated trace.log for entries like this one:

Dynamic group template 'uuid { uuid: "edf8d75f-eefb-49b4-8cdb-d8a2c8d0e53e" } versionGuard: 5' with expression 'logicOperator: NAND compositeFilters { logicOperator: AND filters { operand { val_res_id: 508906757892866565 } symbol_id: 274 used_operator: OP_EQUAL } filters { operand { val_string: ".*\\s.*" } symbol_id: 275 used_operator: OP_REGEX } }' and symbols [274,val_res_id: 508906757892866564 val_res_id: 508906757892866565 val_res_id: 508906757892866566][275,val_string: "0" val_string: "era.local" val_string: "era.local"] is true

which shows the result of matching the dynamic group expression against the data that was actually evaluated. Be aware that multiple parts of this trace entry will be different in your environment.


OK, that does help. I'm looking for the computer name in ERA. We've renamed machines in ERA, so this is looking for computers that we have not renamed.

Based on the information you provided, it does not sound like Dynamic Groups are a viable option, since I'm looking for something purely cosmetic.


Try a condition with AND, and maybe with the regex: ^\S+$
(big S) The condition requires, from beginning to end, one or more non-whitespace characters.

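As an added worked example (not code from this thread, from ESET, or from any ERA component), the following Python script reproduces the evaluation logic discussed in MartinK's two replies and in kubasz's suggestion. It matches the Perl-style patterns .*\s.* and ^\S+$ against constructed sample computer names, evaluates a template tree with the NAND/AND operators over multi-valued symbol data in the way the trace.log entry above shows, and transcribes that entry's operands to confirm it comes out true. The rule that a filter is satisfied when any reported value matches, the use of a start-anchored match for OP_REGEX, and the sample names are assumptions made for the example, not documented ERA behaviour.

```python
import re

# Added example, not ESET's code. Mimics how an ERA dynamic-group template
# is matched against the data the AGENT reports, using the operators that
# appear in the trace.log entry quoted in the thread.

# Perl-style patterns from the thread; Python's re module treats \s and \S
# the same way (whitespace / non-whitespace), so they can be tested here.
HAS_WHITESPACE = re.compile(r".*\s.*")  # matches if any whitespace occurs anywhere
NO_WHITESPACE = re.compile(r"^\S+$")    # matches only a non-empty name with no whitespace

# Constructed sample computer names (not taken from the original thread).
# "LAPTOP\t7" and "" are edge cases: a tab instead of a space, and an empty name.
SAMPLE_NAMES = ["WS-0042", "era.local", "Front Desk PC", "LAPTOP\t7", "", "build01"]


def names_matching(pattern, names):
    """Names accepted by a compiled pattern (assumption: OP_REGEX anchors at the start)."""
    return [n for n in names if pattern.match(n)]


def evaluate(node, symbols):
    """Evaluate a template node against multi-valued symbol data.

    A node is a composite {"logic": ..., "filters": [...]} or a leaf filter
    {"symbol_id": ..., "op": ..., "operand": ...}. Assumption: a leaf is true
    when ANY value the AGENT reported for its symbol satisfies the operator,
    which fits the trace entry, where symbol 274 carries three IDs and the
    OP_EQUAL filter matched one of them.
    """
    if "filters" in node:
        results = [evaluate(child, symbols) for child in node["filters"]]
        if node["logic"] == "AND":
            return all(results)
        if node["logic"] == "OR":
            return any(results)
        if node["logic"] == "NAND":
            return not all(results)
        if node["logic"] == "NOR":
            return not any(results)
        raise ValueError(f"unsupported logic operator {node['logic']}")
    values = symbols.get(node["symbol_id"], [])
    if node["op"] == "OP_EQUAL":
        return any(v == node["operand"] for v in values)
    if node["op"] == "OP_REGEX":
        regex = re.compile(node["operand"])
        return any(regex.match(str(v)) for v in values)
    raise ValueError(f"unsupported operator {node['op']}")


# Expression and symbol data transcribed from the trace.log entry in the thread:
# NAND { AND { 274 == 508906757892866565, 275 ~ ".*\s.*" } }
TRACE_TEMPLATE = {
    "logic": "NAND",
    "filters": [{
        "logic": "AND",
        "filters": [
            {"symbol_id": 274, "op": "OP_EQUAL", "operand": 508906757892866565},
            {"symbol_id": 275, "op": "OP_REGEX", "operand": r".*\s.*"},
        ],
    }],
}
TRACE_SYMBOLS = {
    274: [508906757892866564, 508906757892866565, 508906757892866566],
    275: ["0", "era.local", "era.local"],
}


def trace_entry_result():
    """Re-evaluates the quoted trace entry: the OP_EQUAL filter is true, the
    regex finds no whitespace in any value of symbol 275, so the inner AND is
    false and the outer NAND makes the whole expression true, as the log says."""
    return evaluate(TRACE_TEMPLATE, TRACE_SYMBOLS)


def _single_regex_group(logic, pattern, names, symbol_id=275):
    """Membership of a one-filter group, each name reported as the only value of the symbol."""
    template = {"logic": logic,
                "filters": [{"symbol_id": symbol_id, "op": "OP_REGEX", "operand": pattern}]}
    return [n for n in names if evaluate(template, {symbol_id: [n]})]


def no_whitespace_via_nand(names):
    """MartinK's approach: NAND over the 'has whitespace' pattern negates it."""
    return _single_regex_group("NAND", r".*\s.*", names)


def no_whitespace_via_and(names):
    """kubasz's approach: AND over the 'only non-whitespace' pattern, which also rejects an empty name."""
    return _single_regex_group("AND", r"^\S+$", names)


if __name__ == "__main__":
    print("trace entry evaluates to:", trace_entry_result())
    print("has whitespace:", names_matching(HAS_WHITESPACE, SAMPLE_NAMES))
    print("NAND over .*\\s.* :", no_whitespace_via_nand(SAMPLE_NAMES))
    print("AND over ^\\S+$   :", no_whitespace_via_and(SAMPLE_NAMES))
```

The two formulations agree on every realistic name and differ only on the empty string, which NAND over .*\s.* accepts and AND over ^\S+$ rejects; a tab counts as whitespace under both. Either way, as MartinK points out, the AGENT evaluates the template against the ComputerName it reports, so a cosmetic rename done in the console never enters this comparison.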

5 minutes ago, kubasz said:

try a condition with AND, and maybe with the regex: ^\S+$
(big S) every non-whitespace character one or more times.

I don't think regex is the problem based on what MartinK said. I think it's the data. ComputerName will always be what the agent reports and not what we've cosmetically changed it to in ERA.

