
Exabeam Search Guide

Query Using Regex

Search supports all standard Regex searches.

Regex use in Search is based on the Golang flavor of Regex. For reference information about regex syntax, see the following sites:

  • regex101 – Select the Golang flavor from the panel on the left. Then enter a specific Regex pattern to see an explanation.

  • https://regexr.com/ – Enter a specific Regex pattern to see an explanation (not Golang-specific but very user-friendly).

  • https://github.com/google/re2/wiki/Syntax – Reference to understand the specific Regex capabilities Exabeam supports.

Note

Regex can be complex with a steep learning curve, so you might want to experiment and test your queries before entering them into the Search application.

Use the following tool to test your queries: regex101.

The following topics describe the regular expression syntax supported by Search:

Regex (RGX) Operators

Perform complex case sensitive or case insensitive queries using the RGX or RGXi operators.

Note

Regex operators will also work with query by field searches.

Operator Descriptions and Example Syntax

To indicate that an expression should be treated as Regex, start with either RGX or RGXi and enclose the Regex in double quotes inside of parentheses.

Case Sensitive

Syntax: RGX("MiCrO[a-z0-9]{4}")

Performs a case-sensitive search and will match MiCrO followed by 4 additional lower-case characters or numbers (the {4} quantifier requires exactly four).

Case Insensitive

Syntax: RGXi("micro[a-z0-9]{4}")

Performs a case-insensitive search and will match micro, in any combination of upper and lower case, followed by 4 additional characters or numbers (the {4} quantifier requires exactly four).

To group expressions within Regex, use parentheses.

Syntax: RGX("(Micro){2}soft")

Will match MicroMicrosoft.

A double quote delimits the Regex string, so it is a reserved character. To use a double quote within a Regex but preserve its literal meaning, it must be escaped by preceding it with a backslash.

Syntax: RGX("Micro\"soft")

Will match Micro"soft.

The following syntax (with an unescaped quote) will return an error: RGX("Micro"soft")

Brackets (parentheses) are reserved characters in Regex. To use brackets within a Regex but preserve their literal meaning, they must be escaped by preceding them with a backslash.

Syntax: RGX("\(Microsoft\)")

Will match (Microsoft).

The following syntax, which places unescaped brackets inside the RGX( ) brackets, will return an error: RGX("(Microsoft)")

A backslash is a reserved character in both Regex and Exabeam Query Language. To use a backslash within a Regex but preserve its literal meaning, it must be escaped from both languages using additional backslashes. This requires using four backslashes in a row, as shown below.

[Figure: backslash-escape.png, the four backslashes in RGX("back\\\\slash") numbered from the right]
  1. The first backslash from the right represents the literal backslash character.

  2. The second backslash escapes the character in Regex.

  3. The third backslash escapes the literal character (#1) in the Exabeam Query Language.

  4. The fourth backslash escapes the Regex escape backslash (#2) in the Exabeam Query Language.

RGX("back\\\\slash")

Will match back\slash.
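The following Go program is an added example, not code from the Exabeam Search Guide or from Exabeam. It models the RGX and RGXi operators described above with Go's regexp package (the RE2 flavour the guide says Search uses) and runs the guide's own patterns against sample values. Two assumptions are made and labelled in the code: the Exabeam Query Language layer of escaping is modelled as turning \\ into one backslash and \" into a double quote before the regex engine sees the pattern, and RGXi is modelled by prefixing the (?i) flag. The matches are unanchored searches, which is what the guide's examples imply.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// unescapeEQL models the outer (Exabeam Query Language) layer of escaping
// inside the double-quoted string: \\ becomes one backslash and \" becomes a
// double quote. Everything else, such as \( or \s, passes through untouched so
// the regex engine sees it. This is a simplified model assumed by this
// example, not Exabeam's actual parser.
func unescapeEQL(s string) string {
	return strings.NewReplacer(`\\`, `\`, `\"`, `"`).Replace(s)
}

// rgx emulates RGX / RGXi: the text typed between the quotes is unescaped at
// the EQL layer, compiled with Go's RE2-based regexp package, and tested as an
// unanchored search against one field value. insensitive=true adds the (?i)
// flag, which is how RGXi is modelled here (an assumption of this example).
func rgx(eqlPattern string, insensitive bool, value string) (bool, error) {
	pattern := unescapeEQL(eqlPattern)
	if insensitive {
		pattern = "(?i)" + pattern
	}
	re, err := regexp.Compile(pattern)
	if err != nil {
		return false, fmt.Errorf("RGX(%q): %w", eqlPattern, err)
	}
	return re.MatchString(value), nil
}

// mustMatch is rgx with a panic on a pattern that does not compile.
func mustMatch(eqlPattern string, insensitive bool, value string) bool {
	ok, err := rgx(eqlPattern, insensitive, value)
	if err != nil {
		panic(err)
	}
	return ok
}

func main() {
	// The guide's own examples, typed exactly as they appear between the
	// RGX("...") quotes (Go raw strings, so every backslash is literal).
	// The field values are constructed for this example.
	cases := []struct {
		eql         string
		insensitive bool
		value       string
	}{
		{`MiCrO[a-z0-9]{4}`, false, "MiCrOsoft"},    // true: "soft" is four characters
		{`MiCrO[a-z0-9]{4}`, false, "MiCrOso"},      // false: {4} needs exactly four
		{`MiCrO[a-z0-9]{4}`, false, "Microsoft"},    // false: RGX is case-sensitive
		{`micro[a-z0-9]{4}`, true, "Microsoft"},     // true: RGXi ignores case
		{`(Micro){2}soft`, false, "MicroMicrosoft"}, // true: group repeated twice
		{`(Micro){2}soft`, false, "Microsoft"},      // false: group appears once
		{`Micro\"soft`, false, `Micro"soft`},        // true: escaped double quote
		{`\(Microsoft\)`, false, "(Microsoft)"},     // true: escaped brackets
		{`back\\\\slash`, false, `back\slash`},      // true: four backslashes, one literal
	}
	for _, c := range cases {
		op := "RGX"
		if c.insensitive {
			op = "RGXi"
		}
		fmt.Printf("%s(\"%s\") on %q -> %v\n", op, c.eql, c.value, mustMatch(c.eql, c.insensitive, c.value))
	}
	// An unescaped double quote, as in RGX("Micro"soft"), is rejected at the
	// EQL layer before any regex is compiled; this model does not reproduce
	// that error, only the regex-level behaviour.
}
```

The unescapeEQL step is what makes the four-backslash rule visible: RGX("back\\\\slash") reaches the regex engine as back\\slash, which the engine reads as the literal text back\slash.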

Regular Expression Examples

Important

Search now supports new regex and wildcard operators. The new syntax supersedes earlier syntax which will be deprecated in a later release. For more information, see Query Syntax.

The following table illustrates examples of regular expressions, including sample results of what this query might find:

Regex Syntax Examples

Query: vendor = RGX("BlueCat[\s]")

Description: Run a case-sensitive search for any vendor field value that contains the token BlueCat followed by a single whitespace character.

Sample results:

  • BlueCat Networks

  • BlueCat Systems

  • BlueCat NetSystems

Query: vendor = RGX(".*Cat[\s]")

Description: Run a case-sensitive search for any vendor field value that contains the token Cat, preceded by 0 or more characters and followed by a single whitespace character.

Sample results:

  • BlueCat Networks

  • BlueCat Systems

  • BlueCat NetSystems

Query: src_ip = RGX("^10.249[.][\d]")

Description: Search for any src_ip field value that starts with the token 10.249 followed by a dot character and a digit.

Sample results:

  • 10.249.23.69

  • 10.249.34.73

Query: user = RGX("^SQK$")

Description: Search for any user field value that exactly matches the string SQK, with no other characters before or after it.

Sample results:

  • SQK

Query: user = RGX("[0-9]{7,15}")

Description: Search for any user field value that contains a run of numeric characters between 7 and 15 long, inclusive.

Sample results:

  • USER1156373

  • USER109343302

  • USER10934538

Query: url = RGX("^(https?:\/\/)?([\da-z.-]+)\.net")

Description: Search for any url field value that has the .net domain name extension. Use a backslash to escape any forward slashes: \/

Sample results:

  • https://www.example.net

  • http://www.example.net

  • www.example.net

  • example.net

  • https://www.example.net/sample

Query:

  log = RGX("\x22.*Cat\x22 tails")

  log = RGX("DP\x2D\d")

  log = RGX("delete\(\)\x3B\}")

Description: Search with the hex representation of a character (\x22 is a double quote, \x2D a hyphen, \x3B a semicolon). In the second pattern \d matches the digit after the hyphen; in the third the brackets and closing brace are escaped so they match literally.

Sample results:

  • "BigCat" tails

  • DP-5

  • delete();}

Note

Search does not support listing comma-separated Regex expressions enclosed within parentheses ().

For example:

  • This query results in an error: vendor = RGX("Ap\w\w/","/Ex.*/","/Micr.*")

  • These equivalent queries work: vendor = RGX("Ap\w\w") OR vendor = RGX("Ex.*") OR vendor = RGX("Micr.*")
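The program below is an added example, not part of the Exabeam Search Guide or Exabeam's code. It runs the table's patterns over constructed field values with Go's regexp package and prints the values each query selects, plus a few near-misses that show what a pattern really does: the unescaped dot in ^10.249, a {7,15} quantifier that is not anchored, a \.net that is not anchored at the end, and the OR form the note above recommends compared with a single alternation. Search semantics are modelled as an unanchored, case-sensitive RE2 search; the vendors, IPs, users, URLs and log lines are sample data made up for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// filterField applies one RGX pattern to every value of a field and returns
// the values that match, the way the Sample Results column lists them.
func filterField(pattern string, values []string) []string {
	re := regexp.MustCompile(pattern)
	var hits []string
	for _, v := range values {
		if re.MatchString(v) {
			hits = append(hits, v)
		}
	}
	return hits
}

// filterAny models several RGX terms joined with OR, the form the guide
// recommends instead of a comma-separated list inside one RGX().
func filterAny(patterns []string, values []string) []string {
	res := make([]*regexp.Regexp, 0, len(patterns))
	for _, p := range patterns {
		res = append(res, regexp.MustCompile(p))
	}
	var hits []string
	for _, v := range values {
		for _, re := range res {
			if re.MatchString(v) {
				hits = append(hits, v)
				break
			}
		}
	}
	return hits
}

// Constructed sample field values: the table's sample results plus a few
// near-misses that show what each pattern selects and what it leaves out.
var (
	vendors = []string{"BlueCat Networks", "BlueCat Systems", "BlueCat NetSystems", "BlueCat", "Apple", "Exabeam", "Microsoft", "Cisco"}
	srcIPs  = []string{"10.249.23.69", "10.249.34.73", "10.248.1.1", "10x249.1.1", "110.249.0.1"}
	users   = []string{"SQK", "SQK2", "USER1156373", "USER109343302", "USER10934538", "USER123", "USER1234567890123456"}
	urls    = []string{"https://www.example.net", "http://www.example.net", "www.example.net", "example.net", "https://www.example.net/sample", "https://example.com", "example.network"}
	logs    = []string{`"BigCat" tails`, "DP-5", "delete();}", "BigCat tails", "DP-x"}
)

func main() {
	show := func(query string, hits []string) {
		fmt.Printf("%-48s -> %s\n", query, strings.Join(hits, ", "))
	}
	show(`vendor = RGX("BlueCat[\s]")`, filterField(`BlueCat[\s]`, vendors))
	show(`vendor = RGX(".*Cat[\s]")`, filterField(`.*Cat[\s]`, vendors))
	// The unescaped dot in 10.249 matches any character, so 10x249.1.1 is
	// selected too; the ^ anchor is what keeps 110.249.0.1 out.
	show(`src_ip = RGX("^10.249[.][\d]")`, filterField(`^10.249[.][\d]`, srcIPs))
	show(`src_ip = RGX("^10\.249[.][\d]")`, filterField(`^10\.249[.][\d]`, srcIPs))
	show(`user = RGX("^SQK$")`, filterField(`^SQK$`, users))
	// {7,15} bounds one run of digits, not the whole value: the 16-digit user
	// still contains a 15-digit run. Anchoring both ends enforces the maximum.
	show(`user = RGX("[0-9]{7,15}")`, filterField(`[0-9]{7,15}`, users))
	show(`user = RGX("^USER[0-9]{7,15}$")`, filterField(`^USER[0-9]{7,15}$`, users))
	// Nothing anchors the end after \.net, so example.network matches as well.
	show(`url = RGX("^(https?:\/\/)?([\da-z.-]+)\.net")`, filterField(`^(https?:\/\/)?([\da-z.-]+)\.net`, urls))
	show(`log = RGX("\x22.*Cat\x22 tails")`, filterField(`\x22.*Cat\x22 tails`, logs))
	show(`log = RGX("DP\x2D\d")`, filterField(`DP\x2D\d`, logs))
	show(`log = RGX("delete\(\)\x3B\}")`, filterField(`delete\(\)\x3B\}`, logs))
	// Three RGX terms joined with OR select the same values as one alternation.
	show(`RGX("Ap\w\w") OR RGX("Ex.*") OR RGX("Micr.*")`, filterAny([]string{`Ap\w\w`, `Ex.*`, `Micr.*`}, vendors))
	show(`vendor = RGX("Ap\w\w|Ex.*|Micr.*")`, filterField(`Ap\w\w|Ex.*|Micr.*`, vendors))
}
```

The two src_ip and two user lines are the ones to compare: escaping the dot and anchoring with ^ and $ turn a pattern that merely contains the expected text into one that matches only the expected shape, which matters when a search result feeds a detection rule.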

Wildcard (WLD) Operators

Perform complex case sensitive or case insensitive wildcard queries using the WLD or WLDi operators.

Note

Wildcard operators will also work with query by field searches.

Operator Descriptions and Example Syntax

To indicate that an expression is using wildcard characters, start with either WLD or WLDi and enclose the expression in double quotes inside of parentheses.

Case Sensitive Syntax: WLD("MiCrO*")

Case Insensitive Syntax: WLDi("micro*")

* represents zero or more characters.

Syntax: WLD("MiCrO*")

Will match MiCrOsoft.

Syntax: WLDi("micro*")

Will match microsoft.

? represents a match for any 1 character (besides line terminators).

Syntax: WLD("W?b")

Will match Web.

Syntax: WLDi("w?b")

Will match web.
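As an added example (not code from the Exabeam Search Guide or from Exabeam), the Go program below translates a WLD or WLDi pattern into an RE2 pattern and runs it with Go's regexp package: * becomes .*, ? becomes a single . (which in Go does not match a line terminator, matching the rule above), and every other character is quoted with regexp.QuoteMeta so that a dot or bracket in the wildcard pattern stays literal. Two points are assumptions of this example rather than statements in the guide: WLDi is modelled with the (?i) flag, and the match is an unanchored search like the RGX examples.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// wildcardToRegex translates a WLD / WLDi pattern into an RE2 pattern:
// * becomes .* (zero or more characters), ? becomes . (exactly one character
// other than a line terminator), and every other character is quoted with
// regexp.QuoteMeta so regex metacharacters in the wildcard stay literal.
// insensitive adds the (?i) flag, the assumed model for WLDi.
func wildcardToRegex(pattern string, insensitive bool) string {
	var sb strings.Builder
	if insensitive {
		sb.WriteString("(?i)")
	}
	for _, r := range pattern {
		switch r {
		case '*':
			sb.WriteString(".*") // .* also stops at a newline in Go; an assumption for WLD
		case '?':
			sb.WriteString(".")
		default:
			sb.WriteString(regexp.QuoteMeta(string(r)))
		}
	}
	return sb.String()
}

// wld emulates WLD (insensitive=false) and WLDi (insensitive=true) as an
// unanchored search. Whether Search anchors wildcard matches to the whole
// field value is not stated in the guide, so that part is an assumption.
func wld(pattern string, insensitive bool, value string) bool {
	return regexp.MustCompile(wildcardToRegex(pattern, insensitive)).MatchString(value)
}

func main() {
	// Constructed values, including the guide's own examples.
	cases := []struct {
		pattern     string
		insensitive bool
		value       string
	}{
		{"MiCrO*", false, "MiCrOsoft"},  // true
		{"MiCrO*", false, "MiCrO"},      // true: * allows zero characters
		{"MiCrO*", false, "Microsoft"},  // false: WLD is case-sensitive
		{"micro*", true, "Microsoft"},   // true: WLDi ignores case
		{"W?b", false, "Web"},           // true
		{"W?b", false, "Wb"},            // false: ? needs exactly one character
		{"W?b", false, "W\nb"},          // false: ? does not match a line terminator
		{"w?b", true, "WEB"},            // true
		{"10.0.0.?", false, "10.0.0.1"}, // true: the dots are literal, not regex dots
		{"10.0.0.?", false, "10x0x0x1"}, // false
	}
	for _, c := range cases {
		op := "WLD"
		if c.insensitive {
			op = "WLDi"
		}
		fmt.Printf("%s(%q) -> regex %q on %q: %v\n", op, c.pattern,
			wildcardToRegex(c.pattern, c.insensitive), c.value, wld(c.pattern, c.insensitive, c.value))
	}
}
```

The QuoteMeta step is the part worth keeping in mind when moving between the two operators: a wildcard such as WLD("10.0.0.?") treats the dots as literal, whereas the same text inside RGX would treat each unescaped dot as "any character".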