Regex with SCOM

This is an article to help with regex in SCOM. This Microsoft article explains it more.

Regex test site here. It's not that useful because the syntax is slightly different in SCOM.

It's important to note that in SCOM, group membership is done with Perl whilst expression filters use .NET 🤯.

Populating groups

Examples

Match string starting with jump OR sql. The ?i: ignores case. This article helped.

(?i:^jump)|(?i:^sql)

Match string starting with EMLXM (ignores case) and a domain name of your.ad.domain.name. These work but note the different starting characters:

(?i:^EMLXM.*.your.ad.domain.name)
^(?i:EMLXM.*.your.ad.domain.name)

Match any character (not blank). Yes it's just a dot.

.

Expression filters

I had to use regex in a discovery in my Trellix mp to discover computers running the Trellix ePolicy Orchestrator role. The computers in my environment had a reg key with one of these values:

  • C:/PROGRA~2/McAfee/EPOLIC~1
  • D:/McAfee/EPOLIC~1

The discovery expression looked like this:

<Expression>
  <RegExExpression>
    <ValueExpression>
      <XPathQuery Type="String">Values/ePolicyOrchestratorInstalled</XPathQuery>
    </ValueExpression>
    <Operator>MatchesRegularExpression</Operator>
    <Pattern>epolic</Pattern>
  </RegExExpression>
</Expression>

What is strange here is that the discovery works, but the same pattern does not match when you test it on a regex website. For example, with C:/PROGRA~2/McAfee/EPOLIC~1 as the input, the website only matches if you change the pattern to:

(?i:epolic)
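As an added example (not from the original article), the block below runs the article's group patterns and the expression-filter pattern through PowerShell, which uses the .NET regex engine. That makes it a direct check for the case-sensitivity behaviour seen in the expression filter above; for the group-membership patterns it only checks syntax that Perl and .NET share, and is not a substitute for testing in SCOM itself. The computer names and registry values are constructed sample data; the function name Test-RegexPattern is an assumption.

```powershell
# Added example: exercise the article's SCOM patterns against the .NET regex engine.
# Test-RegexPattern is a hypothetical helper; the sample inputs below are constructed.

function Test-RegexPattern {
    param(
        [Parameter(Mandatory)] [string]   $Pattern,
        [Parameter(Mandatory)] [string[]] $Candidate,
        [switch] $IgnoreCase
    )
    # [regex]::IsMatch is case-sensitive unless told otherwise, unlike the -match operator.
    $options = [System.Text.RegularExpressions.RegexOptions]::None
    if ($IgnoreCase) {
        $options = [System.Text.RegularExpressions.RegexOptions]::IgnoreCase
    }
    foreach ($s in $Candidate) {
        [pscustomobject]@{
            Pattern = $Pattern
            Input   = $s
            Match   = [regex]::IsMatch($s, $Pattern, $options)
        }
    }
}

# --- Group membership patterns from the article, run against constructed computer names ---
$computers = @(
    'JUMP01.your.ad.domain.name',      # starts with jump (upper case)
    'sqlprod02',                       # starts with sql
    'emlxm-01.your.ad.domain.name',    # EMLXM host in the expected domain
    'EMLXM-02.other.domain',           # EMLXM host in a different domain
    'EMLXM-03Xyour.ad.domain.name',    # no dot before "your": shows the unescaped-dot caveat
    'websrv01'                         # should never match
)

# Only JUMP01 and sqlprod02 match: (?i:...) scopes the case-insensitive flag to each alternative.
Test-RegexPattern -Pattern '(?i:^jump)|(?i:^sql)' -Candidate $computers

# The article's pattern: the dot before "your" is unescaped, so it matches ANY character.
# emlxm-01 matches as intended, but so does EMLXM-03Xyour..., which has no "." there.
Test-RegexPattern -Pattern '^(?i:EMLXM.*.your.ad.domain.name)' -Candidate $computers

# Escaping the literal dots tightens the match: now only emlxm-01 matches.
Test-RegexPattern -Pattern '^(?i:EMLXM.*\.your\.ad\.domain\.name)' -Candidate $computers

# --- Expression filter value from the article, run against constructed registry values ---
$regValues = @(
    'C:/PROGRA~2/McAfee/EPOLIC~1',
    'D:/McAfee/EPOLIC~1',
    'C:/Program Files/Other'
)

# Plain .NET regex is case-sensitive: 'epolic' matches nothing here, which is what
# the regex test site showed for this pattern.
Test-RegexPattern -Pattern 'epolic' -Candidate $regValues

# Two ways to get the case-insensitive match the SCOM discovery produced:
# the inline (?i:...) group the article arrived at, or RegexOptions.IgnoreCase.
Test-RegexPattern -Pattern '(?i:epolic)' -Candidate $regValues
Test-RegexPattern -Pattern 'epolic' -Candidate $regValues -IgnoreCase

# Caveat when prototyping in PowerShell: -match is case-insensitive by default,
# so it hides exactly the difference the article ran into. -cmatch is the case-sensitive form.
'C:/PROGRA~2/McAfee/EPOLIC~1' -match  'epolic'   # True
'C:/PROGRA~2/McAfee/EPOLIC~1' -cmatch 'epolic'   # False
```

The practical takeaway is to prototype SCOM patterns with [regex]::IsMatch or -cmatch rather than -match, so that a pattern which only works because of case-insensitivity is visible before it goes into a management pack, and to escape literal dots in domain names unless you deliberately want the looser match.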
