Skip to main content

Responses are generated using AI and may contain mistakes.

Exabeam SearchExabeam Search Guide

Query Using Regex

Search supports all standard Regex searches.

Regex use in Search is based on the Golang flavor of Regex. For reference information about regex syntax, see the following sites:

  • regex101 – Select the Golang flavor from the panel on the left. Then enter a specific Regex pattern to see an explanation.

  • https://regexr.com/ – Enter a specific Regex pattern to see an explanation (not Golang-specific but very user-friendly).

  • https://github.com/google/re2/wiki/Syntax – Reference to understand the specific Regex capabilities Exabeam supports.

Note

Regex can be complex with a steep learning curve, so you might want to experiment and test your queries before entering them into the Search application.

Use the following tool to test your queries: regex101.

The following subsections describe the regular expression syntax that is supported by Search and provide some syntax examples:

Note

Exabeam Search supports the regex capabilities of the RE2 engine. Certain syntax, such as back referencing, is not supported by the RE2 engine and can return inaccurate results when used in Search queries. For the full list of regex operators supported or not supported by RE2 syntax, refer to the RE2 Syntax documentation: https://github.com/google/re2/wiki/Syntax

Regex (RGX) Operators

Perform complex case sensitive or case insensitive queries using the RGX or RGXi operators.

Note

Regex operators will also work with query by field searches.

Operator Descriptions

Example Syntax

To indicate that an expression should be treated as Regex, start with either RGX or RGXi and enclose the Regex in double quotes inside of parentheses.

Case Sensitive

Syntax: RGX("MiCrO[a-z0-9]{4}")

Performs a case-sensitive search and will match MiCrO followed by up to 4 additional lower-case characters or numbers.

Case Insensitive

Syntax: RGXi("micro[a-z0-9]{4}")

Performs a case-insensitive search and will match micro, with any combination of upper- or lower-case letters, followed by up to 4 additional lower-case characters or numbers.

To group expressions within Regex, use parentheses.

Syntax: RGX("(Micro){2}soft")

Will match MicroMicrosoft.

A double quote is a reserved character in Regex. To use a double quote within a Regex but preserve its literal meaning, it must be escaped by preceding it with a backslash.

Syntax: RGX("Micro\"soft")

Will match Micro"soft.

The following syntax that uses un-escaped quotes will return an error: RGX("Micro"soft")

Parentheses are reserved characters in Regex. To use parentheses within a Regex but preserve their literal meaning, they must be escaped by preceding them with a backslash.

Syntax: RGX("\(Microsoft\)")

Will match (Microsoft).

The following syntax that uses un-escaped parentheses within parentheses will return an error: RGX("(Microsoft)")

A backslash is a reserved character in both Regex and Exabeam Query Language. To use a backslash within a Regex but preserve its literal meaning, it must be escaped from both languages using additional backslashes. This requires using four backslashes in a row, as shown below.

backslash-escape.png

  1. The first backslash from the right represents the literal backslash character.

  2. The second backslash escapes the character in Regex.

  3. The third backslash escapes the literal character (#1) in the Exabeam Query Language.

  4. The fourth backslash escapes the Regex escape backslash (#2) in the Exabeam Query Language.

RGX("back\\\\slash")

Will match back\slash.

Regular Expression Examples

The following table illustrates examples of regular expressions, including sample results of what the Search query might find:

Regex Syntax Examples

Description

Sample Results

vendor = RGX("BlueCat[\s]")

Run a case-sensitive search for any vendor field value that contains the token BlueCat with a single trailing space.

  • BlueCat Networks

  • BlueCat Systems

  • BlueCat NetSystems

vendor = RGX(".*Cat[\s]")

Run a case-sensitive search for any vendor field value that contains the token string Cat, preceded by by 0 or more characters and followed by a single space.

  • BlueCat Networks

  • BlueCat Systems

  • BlueCat NetSystems

src_ip = RGX("^10.249[.][\d]")

Search for any src_ip field value that start with token 10.249 followed by a dot character and numbers.

  • 10.249.23.69

  • 10.249.34.73

user = RGX("^SQK$")

Search for any user field value that exactly matches the string SQK, with no other characters before or after it.

SQK

user = RGX("[0-9]{7,15}")

Search for any user field values that have any numeric character occurring between 7 and 15 times, inclusive.

  • USER1156373

  • USER109343302

  • USER10934538

url = RGX("^(https?:\/\/)?([\da-z.-]+)\.net")

Search for any url field value that has the .net domain name extension..

Use a backslash to escape any forward slashes: \/

  • https://www.example.net

  • http://www.example.net

  • www.example.net

  • example.net

  • https://www.example.net/sample

log = RGX("\x22.*Cat\x22 tails")

log = RGX("DP\x2D\/d")

log = RGX("delete()\x3B}")

Search with the hex representation of a character.

  • "BigCat" tails

  • DP-5

  • delete();}