Regular Expressions 101


Tenable Identity Exposure - Indicator of Attack - Syslog regex


Regular Expression
PCRE2 (PHP >=7.3)

/
^[""]*<(?<alert_type>\d+)>(?<timestamp>.*\d+:\d+:\d+)\s(?<tenable_instance_hostname>[^""]+)\s(?<tenable_product_name>[^""]+)\[\d+\]:[\s""]*(?<tenable_internal_mtype>[^""]+)[""\s]*(?<tenable_internal_alertid>\d+)[""\s]*(?<ad_forest_name>[^""]+)[""\s]*(?<ad_domain_name>[^""]+)[""\s]*(?<ad_attack_name>[^""]+)[""\s]*(?<tenable_severity_level>[^""]+)[""\s]*(?<source_name>[^""]+)[""\s]*(?<source_ip>[^""]+)[""\s]*(?<destination_name>[^""]+)[""\s]*(?<destination_ip>[^""]+)[""]*\s(?<tenable_insertion_strings>.*?)$
/
gm

Description

A regex for IOA syslog messages sent by Tenable Identity Exposure.

Submitted by Taher Karaki - a month ago
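Running the pattern outside regex101, as an added example that is not part of the submission: Python's re module does not accept PCRE2's (?<name>...) group syntax, so the group openers are rewritten to (?P<name>...) before compiling, and the page's gm flags become re.MULTILINE plus finditer(). The syslog lines below are constructed to fit the shape the regex expects (a <PRI> header, timestamp, host, product[pid]:, ten double-quoted fields, then free-form insertion strings); they are not real Tenable Identity Exposure output, and the field values are illustrative. The page's [""] and [^""] classes are written ["] and [^"] here, which is the same class.

```python
import re
from typing import Optional

# The pattern from the regex101 page (PCRE2 flavour, flags gm). A doubled
# character inside a class is the same class, so [""] is written ["] here.
PCRE2_PATTERN = (
    r'^["]*<(?<alert_type>\d+)>(?<timestamp>.*\d+:\d+:\d+)\s'
    r'(?<tenable_instance_hostname>[^"]+)\s(?<tenable_product_name>[^"]+)\[\d+\]:'
    r'[\s"]*(?<tenable_internal_mtype>[^"]+)["\s]*(?<tenable_internal_alertid>\d+)'
    r'["\s]*(?<ad_forest_name>[^"]+)["\s]*(?<ad_domain_name>[^"]+)'
    r'["\s]*(?<ad_attack_name>[^"]+)["\s]*(?<tenable_severity_level>[^"]+)'
    r'["\s]*(?<source_name>[^"]+)["\s]*(?<source_ip>[^"]+)'
    r'["\s]*(?<destination_name>[^"]+)["\s]*(?<destination_ip>[^"]+)["]*\s'
    r'(?<tenable_insertion_strings>.*?)$'
)

# Python's re module only accepts (?P<name>...) for named groups, so the PCRE2
# (?<name>...) openers are rewritten. The lookahead leaves (?<= and (?<!
# lookbehinds alone (this pattern has none, but the conversion must not
# corrupt one).
PYTHON_PATTERN = re.compile(
    re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", PCRE2_PATTERN),
    re.MULTILINE,  # the page's "m" flag; "g" is finditer() below
)


def parse_ioa(line: str) -> Optional[dict]:
    """Named groups for one syslog line, or None when it is not an IOA message."""
    m = PYTHON_PATTERN.match(line)
    return m.groupdict() if m else None


def parse_ioa_stream(text: str) -> list:
    """Equivalent of the gm flags: one dict per matching line of a syslog blob."""
    return [m.groupdict() for m in PYTHON_PATTERN.finditer(text)]


# Constructed sample messages (not real Tenable output): <PRI>, timestamp,
# host, product[pid]:, ten double-quoted fields, free-form insertion strings.
SAMPLE_SYSLOG = "\n".join([
    '<116>Jun 12 14:22:33 tie-host TenableIE[1234]: "1" "42" "corp.example" '
    '"corp.example" "DCSync" "critical" "WS-01" "10.0.0.15" "DC01" "10.0.0.5" '
    'source_user=alice;target=krbtgt',
    '<116>Jun 12 14:25:07 tie-host TenableIE[1234]: "1" "43" "corp.example" '
    '"corp.example" "Kerberoasting" "high" "WS-02" "10.0.0.16" "DC01" "10.0.0.5" '
    'spn_count=3',
    'Jun 12 14:25:08 tie-host sshd[77]: Accepted publickey for ops',  # not an IOA
])

# Edge case: the hostname and product groups are both [^"]+ separated only by
# \s, so a product tag that contains a space is split at its last space and the
# hostname group absorbs the rest. Constructed line, same layout as above.
PRODUCT_WITH_SPACE = (
    '<116>Jun 12 14:22:33 tie-host Tenable IE[1234]: "1" "42" "f" "d" '
    '"GoldenTicket" "critical" "WS-01" "10.0.0.15" "DC01" "10.0.0.5" x'
)


if __name__ == "__main__":
    for rec in parse_ioa_stream(SAMPLE_SYSLOG):
        print(rec["tenable_internal_alertid"], rec["ad_attack_name"],
              rec["source_ip"], "->", rec["destination_ip"])
    edge = parse_ioa(PRODUCT_WITH_SPACE)
    print(repr(edge["tenable_instance_hostname"]), repr(edge["tenable_product_name"]))
```

Two things to check before dropping this into a SIEM parser: the product tag must contain no whitespace, otherwise the hostname group silently takes part of it (the last constructed line shows the mis-split), and the timestamp group is a greedy `.*` terminated by the last `\d+:\d+:\d+` that still lets the rest match, so a later field containing a colon-separated digit triple (some IPv6 literals, for instance) would lengthen the timestamp rather than fail the match.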