
Hello, I am currently creating a Chronicle rule that checks specific registry key values and was wondering, if I reference a list, am I able to put in the entire file path? For example, I have the following file path that is returned in the events:
c:\\program files (x86)\\cisco\\cisco anyconnect secure mobility client\\vpnagent.exe
Right now I am using the RegEx syntax for the List and have the following:
vpnagent.exe // From c:\\program files (x86)\\cisco\\cisco anyconnect secure mobility client\\vpnagent.exe
Now it does work but I really would like to reference the entire path and not just the name of the exe file. Any ideas?

Can you try the following regex expression that escapes characters like backslash and parentheses?

c:\\\\program files \\(x86\\)\\\\cisco\\\\cisco anyconnect secure mobility client\\\\vpnagent\\.exe

A little bit of testing is wise to make sure you handle all potential escape characters, as @David-French mentions above. I would also suggest adding a strings.to_lower (or strings.to_upper) against the field or variable being compared.

For instance, if your list is like what is above, the criteria might look like this:

strings.to_lower($registry.target.process.file_path) IN %reglist
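The two replies above make two separate points: the list entry has to be escaped at the regex level (backslashes, parentheses and the dot in `.exe`), and the compared field should be case-folded before the `IN %reglist` check. The following added Python script is not Chronicle code or anything from the thread; it emulates the regex-list match locally so the escaping and the lowercasing can be checked before the list is uploaded. It assumes the stored event value is the Windows path with single backslashes (the doubled backslashes in the post are treated as display escaping), and it uses Python's `re` rather than Chronicle's engine, so treat the results as a sanity check, not a guarantee.

```python
import re

# Constructed sample: the path as assumed to be stored in the event, with
# single backslashes (the doubled backslashes in the post are taken to be
# display escaping; this is an assumption, not a fact from the thread).
EVENT_PATH = r"c:\program files (x86)\cisco\cisco anyconnect secure mobility client\vpnagent.exe"

# The escaped list entry from the first reply, written at the regex level:
# one escaping backslash before each literal backslash, parenthesis and dot.
HAND_ESCAPED = (
    r"c:\\program files \(x86\)\\cisco\\cisco anyconnect secure mobility client"
    r"\\vpnagent\.exe"
)

# The original poster's loose entry: only the file name, dot left unescaped.
LOOSE_ENTRY = r"vpnagent.exe"

# The raw path dropped into the list with no escaping at all.
UNESCAPED_ENTRY = EVENT_PATH


def entry_compiles(entry: str) -> bool:
    """Return True if the list entry is a valid regex at all.

    Python rejects unknown escapes such as \\p or \\c, so an unescaped
    Windows path fails here; other engines may instead match something
    unintended, which is the harder failure to notice.
    """
    try:
        re.compile(entry)
        return True
    except re.error:
        return False


def path_to_list_regex(path: str) -> str:
    """Build an anchored, fully escaped, lower-cased regex entry from a literal path.

    Anchoring (^ ... $) stops the entry from matching a longer path that merely
    contains this one as a substring.
    """
    return "^" + re.escape(path.lower()) + "$"


def path_matches_list(path: str, entries: list[str]) -> bool:
    """Emulate `strings.to_lower(field) IN %list` for a regex reference list.

    The field is lower-cased once; each entry is tried as an unanchored regex,
    which is why entries that need exact matching should carry their own
    anchors.
    """
    value = path.lower()
    return any(re.search(entry, value) is not None for entry in entries)


if __name__ == "__main__":
    mixed_case = r"C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\VPNAgent.exe"
    lookalike = r"c:\temp\vpnagentxexe"

    print("unescaped entry compiles:", entry_compiles(UNESCAPED_ENTRY))
    print("hand-escaped entry matches event path:",
          path_matches_list(EVENT_PATH, [HAND_ESCAPED]))
    print("hand-escaped entry matches mixed-case path after to_lower:",
          path_matches_list(mixed_case, [HAND_ESCAPED]))
    print("loose entry also matches look-alike name:",
          path_matches_list(lookalike, [LOOSE_ENTRY]))
    print("generated entry:", path_to_list_regex(EVENT_PATH))
    print("generated entry matches event path:",
          path_matches_list(EVENT_PATH, [path_to_list_regex(EVENT_PATH)]))
```

The `lookalike` case is the reason the dot gets escaped: an unescaped `.` in `vpnagent.exe` matches any character, so the entry is looser than it looks. The generated entry from `path_to_list_regex` is noisier than the hand-written one (Python also escapes spaces) but matches the same path, so either form works once the case-fold is in place.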
