Or you can prepend (?i)
On Friday, February 10, 2017 at 5:58:45 PM UTC-6, Richard S. Westmoreland
wrote:
>
> Yeah, regex is case sensitive. You could try:
>
> [Aa]pp[Dd]ata\\[Ll]ocal\\[Tt]emp\\.+\.(EXE|exe)
>
>
> > On Feb 11, 2017, at 6:54 AM, Tom Powers wrote:
> >
> > AppData\\Local\\Te
Yeah, regex is case sensitive. You could try:
[Aa]pp[Dd]ata\\[Ll]ocal\\[Tt]emp\\.+\.(EXE|exe)
> On Feb 11, 2017, at 6:54 AM, Tom Powers wrote:
>
> AppData\\Local\\Temp\\.+.exe
Looking to do a regex for a string in full_message.
I have the first stream rule tagging EventID:4688 (works great).
Trying to then do a second rule where it will match any .exe that ran out
of any user appdata folder.
For example... (AppData\\Local\\Temp\\.+.exe) works for my powershell
q
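
The patterns from this thread run against constructed 4688 messages, as an added example that is not part of any post. Python's re stands in for the Java regex engine Graylog uses (these constructs behave the same in both); the sample paths, placing (?i) in front of the original pattern, and the `combined` pattern are assumptions.

```python
import re

# Regex source text; in a regex, \\ matches one literal backslash.
PATTERNS = {
    "original": r"AppData\\Local\\Temp\\.+.exe",                           # from the question
    "char_classes": r"[Aa]pp[Dd]ata\\[Ll]ocal\\[Tt]emp\\.+\.(EXE|exe)",    # from the reply
    "inline_flag": r"(?i)AppData\\Local\\Temp\\.+.exe",   # assumed: (?i) + original
    "combined": r"(?i)AppData\\Local\\Temp\\.+\.exe",     # assumed: (?i) + escaped dot
}

# Constructed full_message fragments (not real log data).
SAMPLES = {
    "canonical": r"New Process Name: C:\Users\alice\AppData\Local\Temp\setup.exe",
    "lowercase": r"New Process Name: c:\users\alice\appdata\local\temp\setup.exe",
    "upper_ext": r"New Process Name: C:\Users\alice\AppData\Local\Temp\SETUP.EXE",
    "mixed_ext": r"New Process Name: C:\Users\alice\AppData\Local\Temp\setup.Exe",
    "all_caps": r"New Process Name: C:\USERS\ALICE\APPDATA\LOCAL\TEMP\SETUP.EXE",
    "not_an_exe": r"New Process Name: C:\Users\alice\AppData\Local\Temp\notes_exe.txt",
    "other_dir": r"New Process Name: C:\Windows\System32\cmd.exe",
}


def matches(pattern_name, sample_name):
    """True if the pattern is found anywhere in the sample (search, not full match)."""
    return re.search(PATTERNS[pattern_name], SAMPLES[sample_name]) is not None


def coverage():
    """Map each pattern name to the sorted list of samples it hits."""
    return {p: sorted(s for s in SAMPLES if matches(p, s)) for p in PATTERNS}


if __name__ == "__main__":
    for name, hits in coverage().items():
        print(f"{name:13} -> {hits}")
```

The unescaped dot before exe lets the first and third patterns hit notes_exe.txt, and the character-class pattern misses setup.Exe and the all-caps path because it only varies the first letter of each word and two spellings of the extension.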