IBM Support

QRadar: Regular expression filters starting and ending with square brackets fail

Troubleshooting


Problem

If you create a 'Payload Matches Regular Expression' filter whose expression starts and ends with square brackets, adding the filter fails with a ValidationException stating 'This is not a valid regular expression: Unclosed character class near ...'

Cause

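QRadar removes the outer brackets from the expression. What remains no longer has balanced square brackets, so validation reports an unclosed character class.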

Resolving The Problem

To resolve this issue, add an additional set of square brackets around the regular expression, one at each end.

Example:

[aA][aA].\.[sS][tT][aA][gG][eE]

needs to be written as

[[aA][aA].\.[sS][tT][aA][gG][eE]]

Results: With the additional set of square brackets added, the regular expression works.
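The check below is an added example, not IBM or QRadar code. It models the behaviour described under Cause (one leading '[' and one trailing ']' removed) so that filter expressions can be checked before they are entered. The function names are hypothetical, and Python's re module stands in for QRadar's own regex validator, whose syntax may differ in places.

```python
import re

def strip_outer_brackets(expr: str) -> str:
    """Assumed model of 'Cause': drop one leading '[' and one trailing ']'."""
    if len(expr) >= 2 and expr.startswith("[") and expr.endswith("]"):
        return expr[1:-1]
    return expr

def compiles(expr: str) -> bool:
    """True if the expression is syntactically valid for Python's re module."""
    try:
        re.compile(expr)
        return True
    except re.error:
        return False

def preflight(expr: str) -> dict:
    """Report what the stripping model does to expr and what to submit instead."""
    stripped = strip_outer_brackets(expr)
    affected = stripped != expr
    return {
        "affected": affected,
        "after_stripping": stripped,
        # Under the model, the filter is rejected when the stripped form is invalid.
        "rejected_as_written": affected and not compiles(stripped),
        # Workaround from this page: wrap in one extra pair of square brackets.
        "submit": f"[{expr}]" if affected else expr,
    }

# Constructed sample filters; the first is the example from this page.
SAMPLES = [
    r"[aA][aA].\.[sS][tT][aA][gG][eE]",
    r"[sS]tage\d+",
    r"^login failed",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", preflight(sample))
```

Only the first sample is reported as affected. The other two do not both start and end with square brackets, so they are submitted unchanged.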




Product: IBM Security QRadar SIEM
Component: Admin Console
Platform: Platform Independent
Version: 7.3; 7.2

Document Information

Modified date: 16 June 2018

UID: swg22013049