Additional reading

Using Regular Expressions

A regular expression (regex or regexp for short) is a special text string for describing a search pattern. There are many software applications and programming languages that support regular expressions. You can often accomplish with a single regular expression in one or a few lines of code what would otherwise take dozens or hundreds.

Many applications and programming languages have their own implementation of regular expressions, often with slight and sometimes with significant differences from other implementations. When two applications use a different implementation of regular expressions, we say that they use different "regular expression flavors".

CYBERQUEST uses standard regular expression syntax and vocabulary, which you can find described in detail here.

You will need regular expressions to build custom parsers for the various data sources you may have to accommodate for collection. This short appendix guides you through the process of creating a custom data source (parser).

Step 1: The regex

Once you have a sample message, use a regular expression to extract the useful information from it, as seen below:

Step 2: The parser

After creating and testing the regular expression, go to the Settings > Rules > DTS Objects page and create a new JS parser (DTS object) based on that regex:

Step 3: View event

Once you have the new parser, set up the appropriate filter rules and data acquisition rules as detailed in the chapter Data flow rules and filters. Filter by keywords or expressions using the logical operators AND, OR and NOT:

Additional filters and the combining method are available in the vertical tabs (Additional filters) and (Combining method):

The extracted information is placed in the S1, S2 ... Sn fields of the event.

Logical comparators and their use

Additional filters, simple or complex, can be built with the logical operators AND, OR and NOT. For example, to restrict a search to certain users and a given category (e.g. Logoff), a complex filter can be created as in the following examples.

1. Logical AND (&&)

UserName:"Administrator" AND Category:"Logoff"

As shown, every result has UserName "Administrator" and Category "Logoff".

2. Logical NOT (!)

UserName:"Administrator" NOT Category:"Logoff"

Likewise, when you are searching for a user's events that do not include the Logoff category, a complex filter can be created like this:

As shown, every result has UserName "Administrator" and a Category other than "Logoff".

3. Logical OR (||)

UserName:"Administrator" OR Category:"Logoff"

As shown, a result matches when its UserName is "Administrator", when its Category is "Logoff", or both.

4. _exists_

EventID:4624 AND _exists_:UserName

As shown, every result has EventID 4624 and a UserName field present.

5. _missing_

EventID:4624 AND _missing_:DestIP

As shown, every result has EventID 4624 and no DestIP field.

6. X TO Y

EventID:[4000 TO 5000]

As shown, the EventID values in the results run from 4000, 4001 ... up to and including 5000.
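As an added example (not CYBERQUEST's own DTS parser code), the JavaScript below walks through the three steps above on a constructed logon-style message: a regex extracts the useful pieces into S1 ... Sn fields, and small helpers mirror the _exists_, _missing_ and X TO Y filters from the operator list. The message format, the regex and the field names are assumptions for illustration only.

```javascript
// Constructed sample messages (not real log data).
const SAMPLE_LOGON = 'Jan 12 10:41:07 dc01 Security: EventID=4624 ' +
  'UserName=Administrator Category=Logon SrcIP=10.0.0.15';
const SAMPLE_LOGOFF = 'Jan 12 10:42:00 dc01 Security: EventID=4634 ' +
  'UserName=Administrator Category=Logoff';          // no SrcIP on purpose

// Step 1: the regex. Capture groups, in order:
//   1 timestamp, 2 host, 3 EventID, 4 UserName, 5 Category, 6 SrcIP (optional)
const LINE_RE = /^(\w{3}\s+\d+\s[\d:]+)\s(\S+)\sSecurity:\sEventID=(\d+)\sUserName=(\S+)\sCategory=(\S+)(?:\sSrcIP=(\S+))?/;

// Step 2: the parser. Each capture group becomes an S<n> field; groups that
// did not match are left out, so a _missing_ check on them is meaningful.
function parseMessage(msg) {
  const m = LINE_RE.exec(msg);
  if (!m) return null;                // not this format: leave it to other parsers
  const fields = {};
  for (let i = 1; i < m.length; i++) {
    if (m[i] !== undefined) fields['S' + i] = m[i];
  }
  fields.EventID = Number(fields.S3); // numeric copy so range filters can compare
  return fields;
}

// Step 3: filter helpers with the semantics of the documented operators.
const exists  = (ev, field) => Object.prototype.hasOwnProperty.call(ev, field);
const missing = (ev, field) => !exists(ev, field);
// EventID:[lo TO hi] is inclusive at both ends.
const inRange = (value, lo, hi) => Number.isFinite(value) && value >= lo && value <= hi;

// "EventID:4624 AND _exists_:SrcIP", expressed over the parsed fields.
function logonWithSource(ev) {
  return ev !== null && ev.EventID === 4624 && exists(ev, 'S6');
}
```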