One of the questions that I get about QRadar is how to write a case-insensitive regex. One of the common examples is to search for all variations of the word “administrator” in the username field.
In programming languages, there are two ways of doing this, both using the “i” flag, as shown below.
(?i)administrator
/administrator/i
However, neither of these options works in QRadar as of now, and there is an open ticket for it with the QRadar team.
As a workaround, you can use a character set for each letter in your regex to cover all the possible variations. Below is an example of how to cover all the possible variations of the word “administrator”.
[aA][dD][mM][iI][nN][iI][sS][tT][rR][aA][tT][oO][rR]
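The workaround above can be generated for any username instead of being typed by hand. The following is an added example, not part of the original post: the helper names case_insensitive_pattern and matching_usernames are hypothetical, the sample usernames are constructed, and the output is checked with Python's re module on the assumption that the target engine accepts the same character-set and backslash-escape syntax.

```python
import re


def case_insensitive_pattern(literal: str) -> str:
    """Expand a literal into a regex that matches it in any letter case
    without relying on the (?i) or /i flag."""
    parts = []
    for ch in literal:
        lower, upper = ch.lower(), ch.upper()
        if lower != upper and len(lower) == 1 and len(upper) == 1:
            # Cased letter: emit a two-character set such as [aA].
            parts.append(f"[{lower}{upper}]")
        else:
            # Digits, punctuation and caseless characters are matched
            # literally; metacharacters such as '.' are escaped so a
            # username like "svc.db1" does not match "svcXdb1".
            parts.append(re.escape(ch))
    return "".join(parts)


def matching_usernames(literal: str, usernames: list[str]) -> list[str]:
    """Return the usernames that equal `literal` ignoring case, using only
    the expanded pattern (no IGNORECASE flag)."""
    pattern = re.compile(case_insensitive_pattern(literal))
    return [name for name in usernames if pattern.fullmatch(name)]


# Constructed sample values for the username field.
SAMPLE_USERNAMES = [
    "administrator",
    "Administrator",
    "ADMINISTRATOR",
    "aDmInIsTrAtOr",
    "administrators",
    "admin",
]

if __name__ == "__main__":
    print(case_insensitive_pattern("administrator"))
    print(matching_usernames("administrator", SAMPLE_USERNAMES))
```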