Regular Expression

What are Regular expressions?

Regular expressions (regex) are indispensable for pinpointing precise data patterns within text. In the context of blue team operations within SIEM systems, regex aids analysts in parsing log files swiftly, extracting pertinent details such as IP addresses and timestamps, and formulating correlation rules to flag suspicious activities. Overall, it stands as a remarkably potent tool to employ in various cybersecurity endeavors.

Commands

# Normal Query
[A-Z]             ---> Any single character between A - Z
[0-9]             ---> Any single digit between 0 - 9
[A-Za-z]          ---> Any single letter between A - Z (upper & lower case)
[^ABC]            ---> Any single character that is not A, B or C
^[ABC]            ---> Line starts with A, B or C
\t+.*$            ---> One or more tabs, then anything up to the end of the line


# Special characters
\s                ---> Any whitespace character (tab, space, ...)
\S                ---> Any non-whitespace character (letters, numbers, punctuation)
\t                ---> Tab
\W                ---> Any non-word character (punctuation, spaces, tabs, ...)
\w                ---> Any word character (letter, digit or underscore)
\w+               ---> One or more word characters (a whole word or number)
\D                ---> Any non-digit character (everything else)
\d                ---> Any digit
\d+               ---> One or more digits (a whole number)
|                 ---> OR (Ex: [A-Z]|[a-z]) Match A-Z or a-z (inside [...] the | is a literal character, not OR)
^                 ---> Start of the line
$                 ---> End of the line
\n                ---> New line
\                 ---> Backslash, used to escape special characters (!?;:,{[]}...)

# Quantifiers
[a-z]{4,}         ---> Match a run of 4 or more a-z characters
[a-z]{,4}         ---> Match a run of at most 4 a-z characters (write {0,4} for engines that do not accept {,4})
[a-z]{4,6}        ---> Match a run of between 4 and 6 a-z characters
e{2,}             ---> Match 2 or more letter e in a row (same as ee+)
1{2,}             ---> Match 2 or more digit 1 in a row (same as 11+)
be*               ---> Match b, be, bee, beee, beeee, ... (0 or more e)
be+               ---> Match be, bee, beee, beeee, ... (1 or more e)
be?               ---> Optional match (match b and be), the ? makes the last character optional
b(er)?            ---> Optional match (match b and ber), the ? makes the last group optional

# Capture Group
Find
\t(\w+\t[0-9,]+$) ---> Match tab, word, tab, numbers up to the end of the line (creates a group, default id=1)

Replace
\n$1              ---> Insert a new line followed by the first group ($1; some tools write it \1)

# Grep
grep -e "REGEX"   ---> Search with the given expression (-e marks the pattern; add -E for extended syntax, -P for Perl-style classes such as \d and \t, -o to print only the matching part)
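As an added example (not part of the original cheat sheet), the Python script below combines the pieces above to parse constructed sshd log lines, count failed logins per source IP as a simple correlation rule, and rewrite each line with back-references the way the Find/Replace section does. The log lines, the field names and the 3-attempt threshold are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample sshd log lines (made up for this example, not real data).
LOG_LINES = [
    "Jan 12 10:01:02 host1 sshd[1001]: Failed password for root from 203.0.113.5 port 5001 ssh2",
    "Jan 12 10:01:04 host1 sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 5002 ssh2",
    "Jan 12 10:01:07 host1 sshd[1003]: Accepted password for alice from 198.51.100.7 port 40122 ssh2",
    "Jan 12 10:01:09 host1 sshd[1004]: Failed password for root from 203.0.113.5 port 5003 ssh2",
    "Jan 12 10:02:11 host1 sshd[1005]: Failed password for bob from 192.0.2.9 port 40200 ssh2",
]

# One pattern built from the cheat-sheet pieces: ^/$ anchors, \s+, \S+, \d+, {n,m},
# | alternation, an optional (...)? group and capture groups (named here, numbered by default).
AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"   # timestamp
    r"(?P<host>\S+)\s+sshd\[(?P<pid>\d+)\]:\s+"                    # host and pid
    r"(?P<result>Accepted|Failed)\s+password\s+for\s+"             # outcome
    r"(?:invalid\s+user\s+)?(?P<user>\w+)\s+from\s+"               # optional prefix, then user
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+port\s+(?P<port>\d+).*$"   # source IP and port
)

def parse_line(line):
    """Return the captured fields as a dict, or None when the line does not match."""
    m = AUTH_RE.match(line)
    return m.groupdict() if m else None

def failed_logins_by_ip(lines):
    """Count 'Failed' events per source IP: the raw material for a correlation rule."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["result"] == "Failed":
            counts[rec["ip"]] += 1
    return counts

def suspicious_ips(lines, threshold=3):
    """Flag every source IP with at least `threshold` failed logins (assumed threshold)."""
    return sorted(ip for ip, n in failed_logins_by_ip(lines).items() if n >= threshold)

def reformat_line(line):
    """Find/replace with back-references, as in the Capture Group section above.
    Python's re.sub uses \\g<name> (or \\1) where the editor syntax on this page uses $1."""
    return AUTH_RE.sub(r"\g<ip>\t\g<ts>\t\g<result>", line)
```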