Regular Expressions 101

Save & Share

Regex Version: ver. 1
Update Regex
ctrl+⇧+s
Save new Regex
ctrl+s
Add to Community Library

Flavor

PCRE2 (PHP >=7.3)
PCRE (PHP <7.3)
ECMAScript (JavaScript)
Python
Golang
Java 8
.NET 7.0 (C#)
Rust
Regex Flavor Guide

Function

Match
Substitution
List
Unit Tests

Tools

Code Generator
Regex Debugger
Export Matches
Benchmark Regex

Regular Expression
No Match

Test String

Code Generator

Language

Generated Code

$re = '/\<Event xmlns\=\'http:\/\/schemas\.microsoft\.com\/win\/\d+\/\d+\/events\/event\'>/m';
$str = '1. Sample Event:

<Event xmlns=\'http://schemas.microsoft.com/win/2004/08/events/event\'><System><Provider Name=\'Microsoft-Windows-Security-Auditing\' Guid=\'{54849625-5478-4994-A5BA-3E3B0328C30D}\'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime=\'2023-11-27T13:10:29.381318400Z\'/><EventRecordID>151284011</EventRecordID><Correlation/><Execution ProcessID=\'4\' ThreadID=\'8768\'/><Channel>Security</Channel><Computer>XXX.com</Computer><Security/></System><EventData><Data Name=\'SubjectUserSid\'>NT AUTHORITY\\SYSTEM</Data><Data Name=\'SubjectUserName\'>XXX$</Data><Data Name=\'SubjectDomainName\'>EC</Data><Data Name=\'SubjectLogonId\'>0x3e7</Data><Data Name=\'NewProcessId\'>0x3878</Data><Data Name=\'NewProcessName\'>C:\\Program Files (x86)\\Tanium\\Tanium Client\\Patch\\tools\\TaniumExecWrapper.exe</Data><Data Name=\'TokenElevationType\'>%%1936</Data><Data Name=\'ProcessId\'>0x41c4</Data><Data Name=\'CommandLine\'></Data><Data Name=\'TargetUserSid\'>NULL SID</Data><Data Name=\'TargetUserName\'>-</Data><Data Name=\'TargetDomainName\'>-</Data><Data Name=\'TargetLogonId\'>0x0</Data><Data Name=\'ParentProcessName\'>C:\\Program Files (x86)\\Tanium\\Tanium Client\\TaniumClient.exe</Data><Data Name=\'MandatoryLabel\'>Mandatory Label\\System Mandatory Level</Data></EventData></Event>


2. Sample Event

<Event xmlns=\'http://schemas.microsoft.com/win/2004/08/events/event\'><System><Provider Name=\'Microsoft-Windows-Security-Auditing\' Guid=\'{54849625-5478-4994-A5BA-3E3B0328C30D}\'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime=\'2023-11-27T14:14:10.024210800Z\'/><EventRecordID>151288549</EventRecordID><Correlation/><Execution ProcessID=\'4\' ThreadID=\'17052\'/><Channel>Security</Channel><Computer>XXX.com</Computer><Security/></System><EventData><Data Name=\'SubjectUserSid\'>NT AUTHORITY\\SYSTEM</Data><Data Name=\'SubjectUserName\'>XXX$</Data><Data Name=\'SubjectDomainName\'>EC</Data><Data Name=\'SubjectLogonId\'>0x3e7</Data><Data Name=\'NewProcessId\'>0x21ac</Data><Data Name=\'NewProcessName\'>C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe</Data><Data Name=\'TokenElevationType\'>%%1936</Data><Data Name=\'ProcessId\'>0x2f0</Data><Data Name=\'CommandLine\'></Data><Data Name=\'TargetUserSid\'>NULL SID</Data><Data Name=\'TargetUserName\'>-</Data><Data Name=\'TargetDomainName\'>-</Data><Data Name=\'TargetLogonId\'>0x0</Data><Data Name=\'ParentProcessName\'>C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe</Data><Data Name=\'MandatoryLabel\'>Mandatory Label\\System Mandatory Level</Data></EventData></Event>

3. Sample Event

<Event xmlns=\'http://schemas.microsoft.com/win/2004/08/events/event\'><System><Provider Name=\'Microsoft-Windows-Security-Auditing\' Guid=\'{54849625-5478-4994-A5BA-3E3B0328C30D}\'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime=\'2023-11-27T14:15:17.894533600Z\'/><EventRecordID>151288597</EventRecordID><Correlation/><Execution ProcessID=\'4\' ThreadID=\'9860\'/><Channel>Security</Channel><Computer>sXXX.com</Computer><Security/></System><EventData><Data Name=\'SubjectUserSid\'>NT AUTHORITY\\SYSTEM</Data><Data Name=\'SubjectUserName\'>XXX$</Data><Data Name=\'SubjectDomainName\'>EC</Data><Data Name=\'SubjectLogonId\'>0x3e7</Data><Data Name=\'NewProcessId\'>0x2fa0</Data><Data Name=\'NewProcessName\'>C:\\Program Files (x86)\\Tanium\\Tanium Client\\Patch\\tools\\TaniumFileInfo.exe</Data><Data Name=\'TokenElevationType\'>%%1936</Data><Data Name=\'ProcessId\'>0x37a4</Data><Data Name=\'CommandLine\'></Data><Data Name=\'TargetUserSid\'>NULL SID</Data><Data Name=\'TargetUserName\'>-</Data><Data Name=\'TargetDomainName\'>-</Data><Data Name=\'TargetLogonId\'>0x0</Data><Data Name=\'ParentProcessName\'>C:\\Program Files (x86)\\Tanium\\Tanium Client\\Patch\\tools\\TaniumExecWrapper.exe</Data><Data Name=\'MandatoryLabel\'>Mandatory Label\\System Mandatory Level</Data></EventData></Event>

4. sample event

<Event xmlns=\'http://schemas.microsoft.com/win/2004/08/events/event\'><System><Provider Name=\'Microsoft-Windows-Security-Auditing\' Guid=\'{54849625-5478-4994-A5BA-3E3B0328C30D}\'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime=\'2023-11-27T14:14:35.584807300Z\'/><EventRecordID>151288563</EventRecordID><Correlation/><Execution ProcessID=\'4\' ThreadID=\'6164\'/><Channel>Security</Channel><Computer>XXX.com</Computer><Security/></System><EventData><Data Name=\'SubjectUserSid\'>NT AUTHORITY\\SYSTEM</Data><Data Name=\'SubjectUserName\'>XXX$</Data><Data Name=\'SubjectDomainName\'>EC</Data><Data Name=\'SubjectLogonId\'>0x3e7</Data><Data Name=\'NewProcessId\'>0x218c</Data><Data Name=\'NewProcessName\'>C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Platform\\10.8560.25364.1036\\SenseCnCProxy.exe</Data><Data Name=\'TokenElevationType\'>%%1936</Data><Data Name=\'ProcessId\'>0xb08</Data><Data Name=\'CommandLine\'></Data><Data Name=\'TargetUserSid\'>NULL SID</Data><Data Name=\'TargetUserName\'>-</Data><Data Name=\'TargetDomainName\'>-</Data><Data Name=\'TargetLogonId\'>0x0</Data><Data Name=\'ParentProcessName\'>C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Platform\\10.8560.25364.1036\\MsSense.exe</Data><Data Name=\'MandatoryLabel\'>Mandatory Label\\System Mandatory Level</Data></EventData></Event>

<Data Name=\'NewProcessName\'>C:\\Program Files (x86)\\Tanium\\Tanium Client\\Patch\\tools\\TaniumExecWrapper.exe</Data>
<Data Name=\'ParentProcessName\'>C:\\Program Files (x86)\\Tanium\\Tanium Client\\TaniumClient.exe</Data>
<Data Name=\'NewProcessName\'>C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe</Data>
<Data Name=\'ParentProcessName\'>C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe</Data>
<Data Name=\'NewProcessName\'>C:\\Program Files (x86)\\Tanium\\Tanium Client\\Patch\\tools\\TaniumFileInfo.exe</Data>
<Data Name=\'ParentProcessName\'>C:\\Program Files (x86)\\Tanium\\Tanium Client\\Patch\\tools\\TaniumExecWrapper.exe</Data>
<Data Name=\'NewProcessName\'>C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Platform\\10.8560.25364.1036\\SenseCnCProxy.exe</Data>
<Data Name=\'ParentProcessName\'>C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Platform\\10.8560.25364.1036\\MsSense.exe</Data>';

preg_match_all($re, $str, $matches, PREG_SET_ORDER, 0);

// Print the entire match result
var_dump($matches);

Please keep in mind that these code samples are automatically generated and are not guaranteed to work. If you find any syntax errors, feel free to submit a bug report. For a full regex reference for PHP, please visit: http://php.net/manual/en/ref.pcre.php

Regular Expressions 101

Save & Share

Flavor

Function

Tools

Explanation

Match Information

Quick Reference

Regular Expression
No Match

Test String

Code Generator

Language

Generated Code

Save & Share

Flavor

Function

Tools

Explanation

Match Information

Quick Reference

Regular ExpressionNo Match

Test String

Regular Expression
No Match