Additional reading
Using Regular Expressions
A regular expression (regex or regexp for short) is a special text string for describing a search pattern. There are many software applications and programming languages that support regular expressions. You can often accomplish with a single regular expression in one or a few lines of code what would otherwise take dozens or hundreds.
Many applications and programming languages have their own implementation of regular expressions, often with slight and sometimes with significant differences from other implementations. When two applications use a different implementation of regular expressions, we say that they use different "regular expression flavors".
CYBERQUEST uses standard regular expression syntax and vocabulary, which you can find described in detail here.
You will need regular expressions to build custom parsers for the various data sources you may have to accommodate for collection. This short appendix guides you through the process of creating a custom data source (parser).
Step 1: The regex
Once you have the message, use a regular expression to extract the useful information from it, as seen below:
Step 2: The parser
After creating and testing the regular expression, go to the Settings > Rules > DTS Objects page and create a new JS parser (DTS object) based on that regex:
Step 3: View event
Once you have the new parser, set up the appropriate filter rules and data acquisition rules as detailed in the chapter Data flow rules and filters. Filter by keywords or expressions using the logical operators AND, OR and NOT:
Additional filters and the combining method are available in the vertical tabs (Additional filters) and (Combining method):
The useful information extracted by the regex is placed in the S1, S2 ... Sn fields.
Logical comparators and their use
Additional filters, simple or complex, can be added using the logical operators AND, OR and NOT. For example, to restrict a search to certain users and a category (e.g. Logoff), a complex filter can be created as in the following examples.
1. Logical AND (&&)
UserName:"Administrator" AND Category:"Logoff"
As shown, "Administrator" appears in UserName and "Logoff" appears in Category.
2. Logical NOT (!)
If you are searching for a user's events that do not include the Logoff category, a complex filter can be created like this:
UserName:"Administrator" NOT Category:"Logoff"
As shown, "Administrator" appears in UserName and "Logoff" does not appear in Category.
3. Logical OR (||)
UserName:"Administrator" OR Category:"Logoff"
As shown, either "Administrator" appears in UserName or "Logoff" appears in Category; matching one of the two conditions is enough.
4. _exists_
EventID:4624 AND _exists_:UserName
As shown, EventID:4624 appears and the UserName field is present in the event.
5. _missing_
EventID:4624 AND _missing_:DestIP
As shown, EventID:4624 appears but the DestIP field is absent from the event.
6. X TO Y
EventID:[4000 TO 5000]
As shown, EventID values from 4000, 4001 ... up to and including 5000 match.
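The three parser steps above (regex, JS parser filling S1 ... Sn, filter rules) and the comparators in this section, as an added example written for this appendix; it is not CYBERQUEST's own DTS object code and does not use its API. The log lines, the field names, and the predicate helpers (eq, exists, missing, range, and, or, not) are assumptions constructed for the example.

```javascript
// Constructed sample messages, shaped like syslog-forwarded Windows logon events.
const SAMPLE_LINES = [
  'Jan 10 12:00:01 dc01 EventID=4624 UserName=Administrator Category=Logon SrcIP=10.0.0.5',
  'Jan 10 12:05:42 dc01 EventID=4634 UserName=Administrator Category=Logoff',
  'Jan 10 12:07:13 dc01 EventID=4625 UserName=svc_backup Category=Logon SrcIP=10.0.0.9',
];

// Step 1: the regex. Named groups give each captured value a field name;
// SrcIP is optional because logoff events carry no source address.
const EVENT_RE = /^(?<Timestamp>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?<Host>\S+) EventID=(?<EventID>\d+) UserName=(?<UserName>\S+) Category=(?<Category>\S+)(?: SrcIP=(?<SrcIP>\S+))?$/;

// Step 2: the parser. Returns null for a non-matching line so the event can be
// routed to a catch-all rule instead of silently producing empty fields.
function parseEvent(line) {
  const m = EVENT_RE.exec(line);
  if (!m) return null;
  const fields = {};
  // Mirror the S1, S2 ... Sn convention (group position) next to the named fields.
  Object.entries(m.groups).forEach(([name, value], i) => {
    if (value === undefined) return; // optional group absent (no SrcIP on logoff)
    fields[name] = /^\d+$/.test(value) ? Number(value) : value;
    fields[`S${i + 1}`] = fields[name];
  });
  return fields;
}

// Step 3: filter rules. One predicate builder per comparator from this section.
const eq = (field, value) => ev => ev[field] === value;           // field:"value"
const exists = field => ev => ev[field] !== undefined;            // _exists_:field
const missing = field => ev => ev[field] === undefined;           // _missing_:field
const range = (field, lo, hi) => ev => ev[field] >= lo && ev[field] <= hi; // field:[lo TO hi]
const and = (...ps) => ev => ps.every(p => p(ev));                // AND (&&)
const or = (...ps) => ev => ps.some(p => p(ev));                  // OR (||)
const not = p => ev => !p(ev);                                    // NOT (!)

// Parse every line and keep the events the filter accepts.
function search(lines, filter) {
  return lines.map(parseEvent).filter(ev => ev !== null && filter(ev));
}

// UserName:"Administrator" NOT Category:"Logoff"
const adminNotLogoff = and(eq('UserName', 'Administrator'), not(eq('Category', 'Logoff')));
console.log(search(SAMPLE_LINES, adminNotLogoff)); // one event: EventID 4624, S3 === 4624
```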