datamodel,field,"validation_regex"
"UBA_Authentication",action,"^(success|failure|unknown|added)$"
"UBA_Badge","failure_reason",".*"
"UBA_Badge","object_name",".*"
"UBA_Badge","object_type",".*"
"UBA_Badge","site_name",".*"
"UBA_Badge",vendor,".*"
"UBA_Cloud","change_type","^(download|preview|delete|create|edit)$"
"UBA_Cloud",object,"^[^\/]+\.[a-zA-Z0-9]+$"
"UBA_Cloud","object_path","\/.*\/.*"
"UBA_Cloud","object_type","^(file|folder|document|image)$"
"UBA_Cloud","parent_category",".*"
"UBA_Database","action_name","^[A-Za-z\s]+$"
"UBA_Database","command_name","^[A-Za-z\s]+$"
"UBA_Database",commits,"^\d+$"
"UBA_Database","cpu_used","^\d+$"
"UBA_Database","elapsed_time","^\d+$"
"UBA_Database",eventtype,".*"
"UBA_Database","instance_name","^[A-Za-z\s]+$"
"UBA_Database",object,".*"
"UBA_Database",query,"/^\s*(SELECT|INSERT|UPDATE|DELETE|FROM|WHERE|AND|OR|ORDER BY|GROUP BY|HAVING|JOIN|INNER JOIN|LEFT JOIN|RIGHT JOIN|OUTER JOIN|ON|VALUES|SET|LIMIT)\b.*/gm"
"UBA_Database","records_affected","^\d+$"
"UBA_Database","tables_hit",".*"
"UBA_Database","tablespace_name",".*"
"UBA_Database",vendor,".*"
"UBA_DHCP","lease_duration","^\d+(:?\.\d{1,6})?$"
"UBA_DLP",action,"^(allowed|blocked)$"
"UBA_DLP","dest_path","\/.*\/.*"
"UBA_DLP","dlp_status",".*"
"UBA_DLP","match_count",".*"
"UBA_DLP",policy,".*"
"UBA_DLP","prevention_status",".*"
"UBA_DLP",recipient,"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b"
"UBA_DLP",restricted,"^(yes|no)$"
"UBA_DLP",sender,"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b"
"UBA_DLP","serial_number","^\d+$"
"UBA_DLP","src_path","\/.*\/.*"
"UBA_DLP",subject,".*"
"UBA_DLP",vendor,".*"
"UBA_DNS",answer,"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$"
"UBA_DNS","message_type",".*"
"UBA_DNS",query,"^(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}$"
"UBA_DNS","query_type","\b(Query|IQuery|Status|Notify|Update|unknown|A|MX|NS|PTR)\b"
"UBA_DNS","record_type","^(A|DNAME|MX|NS|PTR)$"
"UBA_DNS",ttl,"^\d+$"
"UBA_Email",action,"\b(delivered|blocked|quarantined|deleted|unknown)\b"
"UBA_Email",recipient,"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b"
"UBA_Email",subject,".*"
"UBA_Endpoint_Filesystem",action,"\b(?:allowed|blocked)\b"
"UBA_Endpoint_Filesystem",alarmCategories,"\b(?:Exfiltration|Info|InsiderThreat|MalwareActivity|MalwareInstall|MalwarePersistence|PolicyViolation|ProductAttack|ReducedVisibility|SystemAttack|MalformedTraffic|AccountTakeover|Enumeration|LateralMovement|Vulnerability|Recon|InitialAccess|Execution|Persistence|PrivilegeEscalation|DefenseEvasion|CredentialAccess|Discovery|Collection|CommandAndControl|Infection|DenialOfService|LossOfControl|BruteForce|Local|Signature|Behavior|FlightRisk|DataDestruction|Allowed|PeerGroup|Incoming|Internal|Outgoing|Blocked|Blacklisted|Beaconing|Outlier|UnusualActivity|ExternalAlarm|ExternalAttack|SuspiciousPattern|SuspiciousDownload|WebShell|UnusualResourceAccess|RuleBased|NetworkConnection|DataDeletion|CloudStorage|ExternalScan|ApplicationLog|External|Network|EndPoint|AD|Firewall|IPS|CloudData|Correlation|Printer|Badge|RareUser|RareProcess|RareDevice|RareDomain|RareNetwork|RareApplication|RareLocation|Unknown|CIS|Reconnaissance|ActionsonObjectives|Delivery|Installation|Exploitation|ValidAccounts|NetworkSniffing|AccountManipulation|ExploitationofVulnerability|SystemInformationDiscovery|DataStaged|EmailCollection|CommonlyUsedPort|StandardNon-ApplicationLayer|ExfiltrationOverAlternativeProtocol|StandardApplicationLayerProtocol|ExfiltrationOverCommandandControlChannel|PowerShell|Scripting|CredentialDumping|Command-LineInterface|DisablingSecurityTools|ModifyRegistry|NewService|NodifyExistingService|RegistryRunKeys\/StartFolder|AppInitDLLs|AuthenticationPackage|ScheduledTask|WebService|Third-partySoftware|AccountDiscovery|RemoteDesktopProtocol|PasstheHash|IndicatorRemovalonHost|Masquerading|WindowsManagementInstrumentation|ChangeDefaultFileAssociation|ApplicationShimming|LocalPortMonitor|AccessibilityFeatures|Rundll32|CreateAccount|PR|ID|RS|DE)\b"
"UBA_Endpoint_Filesystem",eventtype,".*"
"UBA_Endpoint_Port",action,"\b(?:allowed|blocked)\b"
"UBA_Endpoint_Port",alarmCategories,"\b(Exfiltration|Info|InsiderThreat|MalwareActivity|MalwareInstall|MalwarePersistence|PolicyViolation|ProductAttack|ReducedVisibility|SystemAttack|MalformedTraffic|AccountTakeover|Enumeration|LateralMovement|Vulnerability|Recon|InitialAccess|Execution|Persistence|PrivilegeEscalation|DefenseEvasion|CredentialAccess|Discovery|Collection|CommandAndControl|Infection|DenialOfService|LossOfControl|BruteForce|L"
"UBA_Endpoint_Port","cpu_load_percent","^\d+$"
"UBA_Endpoint_Port","creation_time","^\d+$"
"UBA_Endpoint_Port",eventtype,".*"
"UBA_Endpoint_Port","mem_used","^\d+$"
"UBA_Endpoint_Port",os,".*"
"UBA_Endpoint_Port",state,".*"
"UBA_Endpoint_Processes",action,"\b(?:allowed|blocked)\b"
"UBA_Endpoint_Processes",alarmCategories,"\b(Exfiltration|Info|InsiderThreat|MalwareActivity|MalwareInstall|MalwarePersistence|PolicyViolation|ProductAttack|ReducedVisibility|SystemAttack|MalformedTraffic|AccountTakeover|Enumeration|LateralMovement|Vulnerability|Recon|InitialAccess|Execution|Persistence|PrivilegeEscalation|DefenseEvasion|CredentialAccess|Discovery|Collection|CommandAndControl|Infection|DenialOfService|LossOfControl|BruteForce|L"
"UBA_Endpoint_Processes",eventtype,".*"
"UBA_Endpoint_Processes","parent_process_exec","^[^\/]+\.[a-zA-Z0-9]+$"
"UBA_Endpoint_Processes","parent_process_guid","^[^\n\r]+$"
"UBA_Endpoint_Processes","parent_process_name","^[^\/]+\.[a-zA-Z0-9]+$"
"UBA_Endpoint_Processes","parent_process_path","\/.*\/.*"
"UBA_Endpoint_Processes",process,"\/.*\/.*"
"UBA_Endpoint_Processes","process_current_directory","/^\/(?:[a-zA-Z0-9_]+\/?)+$"
"UBA_Endpoint_Processes","process_exec","^[^\/]+\.[a-zA-Z0-9]+$"
"UBA_Endpoint_Processes","process_guid.",".*"
"UBA_Endpoint_Processes","process_integrity_level",".*"
"UBA_Endpoint_Processes","process_path","\/.*\/.*"
"UBA_Endpoint_Registry",action,"\b(?:allowed|blocked)\b"
"UBA_Endpoint_Registry",alarmCategories,"\b(Exfiltration|Info|InsiderThreat|MalwareActivity|MalwareInstall|MalwarePersistence|PolicyViolation|ProductAttack|ReducedVisibility|SystemAttack|MalformedTraffic|AccountTakeover|Enumeration|LateralMovement|Vulnerability|Recon|InitialAccess|Execution|Persistence|PrivilegeEscalation|DefenseEvasion|CredentialAccess|Discovery|Collection|CommandAndControl|Infection|DenialOfService|LossOfControl|BruteForce|L"
"UBA_Endpoint_Registry",eventtype,".*"
"UBA_Endpoint_Registry","registry_hive",".*"
"UBA_Endpoint_Registry","registry_key_name",".*"
"UBA_Endpoint_Registry","registry_path","^\\[a-zA-Z]+(?:\\[a-zA-Z]+)*(?:\\[a-zA-Z0-9]+(?:-[a-zA-Z0-9]+)*)*\\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}}\\[a-zA-Z0-9_]+$"
"UBA_Endpoint_Registry","registry_value_data",".*"
"UBA_Endpoint_Registry","registry_value_name",".*"
"UBA_Endpoint_Registry","registry_value_text",".*"
"UBA_Endpoint_Registry","registry_value_type",".*"
"UBA_Endpoint_Registry",status,"\b(?:failure|success)\b"
"UBA_Endpoint_Services",action,"\b(?:allowed|blocked)\b"
"UBA_Endpoint_Services",alarmCategories,"\b(Exfiltration|Info|InsiderThreat|MalwareActivity|MalwareInstall|MalwarePersistence|PolicyViolation|ProductAttack|ReducedVisibility|SystemAttack|MalformedTraffic|AccountTakeover|Enumeration|LateralMovement|Vulnerability|Recon|InitialAccess|Execution|Persistence|PrivilegeEscalation|DefenseEvasion|CredentialAccess|Discovery|Collection|CommandAndControl|Infection|DenialOfService|LossOfControl|BruteForce|L"
"UBA_Endpoint_Services",description,"\b\w+(?:[.-]\w+)*\b"
"UBA_Endpoint_Services",eventtype,".*"
"UBA_Endpoint_Services","service_dll","^[^\/]+\.[a-zA-Z0-9]+$"
"UBA_Endpoint_Services","service_dll_path","\/.*\/.*"
"UBA_Endpoint_Services","service_dll_signature_exists","^[a-zA-Z\s_]+$"
"UBA_Endpoint_Services","service_dll_signature_verified","^[a-zA-Z\s_]+$"
"UBA_Endpoint_Services","service_exec","^[^\/]+\.[a-zA-Z0-9]+$"
"UBA_Endpoint_Services","service_name",".*"
"UBA_Endpoint_Services","service_path","\/.*\/.*"
"UBA_Endpoint_Services","start_mode",".*"
"UBA_Endpoint_Services",status,"\b(?:critical|started|stopped|warning|failure|success)\b"
"UBA_External_Alarm",action,"\b(?:allowed|blocked|deferred)\b"
"UBA_External_Alarm",alarmCategories,"\b(Exfiltration|Info|InsiderThreat|MalwareActivity|MalwareInstall|MalwarePersistence|PolicyViolation|ProductAttack|ReducedVisibility|SystemAttack|MalformedTraffic|AccountTakeover|Enumeration|LateralMovement|Vulnerability|Recon|InitialAccess|Execution|Persistence|PrivilegeEscalation|DefenseEvasion|CredentialAccess|Discovery|Collection|CommandAndControl|Infection|DenialOfService|LossOfControl|BruteForce|L"
"UBA_External_Alarm","dest_zone","^[a-zA-Z\s_]+$"
"UBA_External_Alarm","signature or eventtype","^[a-zA-Z\s_]+$"
"UBA_External_Alarm","src_zone",".*"
"UBA_External_Alarm",url,"^(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}$"
"UBA_Firewall",action,"^(allowed|blocked|dropped|teardown|delivered|quarantined|deleted|unknown|deferred|added)$"
"UBA_Firewall","dest_zone","^[a-zA-Z\s_]+$"
"UBA_Firewall","src_zone","^[a-zA-Z\s_]+$"
"UBA_Firewall",url,"^(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}$"
"UBA_Firewall","vendor_action","\b\w+(?:[.-]\w+)*\b"
"UBA_Host AV",action,"\b(?:allowed|blocked)\b"
"UBA_Host AV",alarmCategories,"\b(?:Exfiltration|Info|InsiderThreat|MalwareActivity|MalwareInstall|MalwarePersistence|PolicyViolation|ProductAttack|ReducedVisibility|SystemAttack|MalformedTraffic|AccountTakeover|Enumeration|LateralMovement|Vulnerability|Recon|InitialAccess|Execution|Persistence|PrivilegeEscalation|DefenseEvasion|CredentialAccess|Discovery|Collection|CommandAndControl|Infection|DenialOfService|LossOfControl|BruteForce|Local|Signature|Behavior|FlightRisk|DataDestruction|Allowed|PeerGroup|Incoming|Internal|Outgoing|Blocked|Blacklisted|Beaconing|Outlier|UnusualActivity|ExternalAlarm|ExternalAttack|SuspiciousPattern|SuspiciousDownload|WebShell|UnusualResourceAccess|RuleBased|NetworkConnection|DataDeletion|CloudStorage|ExternalScan|ApplicationLog|External|Network|EndPoint|AD|Firewall|IPS|CloudData|Correlation|Printer|Badge|RareUser|RareProcess|RareDevice|RareDomain|RareNetwork|RareApplication|RareLocation|Unknown|CIS|Reconnaissance|ActionsonObjectives|Delivery|Installation|Exploitation|ValidAccounts|NetworkSniffing|AccountManipulation|ExploitationofVulnerability|SystemInformationDiscovery|DataStaged|EmailCollection|CommonlyUsedPort|StandardNon-ApplicationLayer|ExfiltrationOverAlternativeProtocol|StandardApplicationLayerProtocol|ExfiltrationOverCommandandControlChannel|PowerShell|Scripting|CredentialDumping|Command-LineInterface|DisablingSecurityTools|ModifyRegistry|NewService|NodifyExistingService|RegistryRunKeys\/StartFolder|AppInitDLLs|AuthenticationPackage|ScheduledTask|WebService|Third-partySoftware|AccountDiscovery|RemoteDesktopProtocol|PasstheHash|IndicatorRemovalonHost|Masquerading|WindowsManagementInstrumentation|ChangeDefaultFileAssociation|ApplicationShimming|LocalPortMonitor|AccessibilityFeatures|Rundll32|CreateAccount|PR|ID|RS|DE)\b"
"UBA_Host AV",eventtype,"\b\w+(?:[.-]\w+)*\b"
"UBA_Host AV",url,"^(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}$"
"UBA_IDS_IPS",action,"\b(?:allowed|blocked)\b"
"UBA_IDS_IPS",alarmCategories,"\b(Exfiltration|Info|InsiderThreat|MalwareActivity|MalwareInstall|MalwarePersistence|PolicyViolation|ProductAttack|ReducedVisibility|SystemAttack|MalformedTraffic|AccountTakeover|Enumeration|LateralMovement|Vulnerability|Recon|InitialAccess|Execution|Persistence|PrivilegeEscalation|DefenseEvasion|CredentialAccess|Discovery|Collection|CommandAndControl|Infection|DenialOfService|LossOfControl|BruteForce|L"
"UBA_IDS_IPS",eventtype,".*"
"UBA_Printer","data_type",".*"
"UBA_Printer","driver_process",".*"
"UBA_Printer",operation,".*"
"UBA_Printer","page_printed","^\d+$"
"UBA_Printer",parameters,"^\d+$"
"UBA_Printer","print_processor",".*"
"UBA_Printer",printer,".*"
"UBA_Printer",priority,"^\d+$"
"UBA_Printer",status,".*"
"UBA_Printer","submitted_time",".*"
"UBA_Printer","total_pages","^\d+$"
"UBA_Printer",type,".*"
"UBA_Web_Proxy",action,"\b(?:allowed|blocked)\b"
"UBA_Web_Proxy","response_time","^\d+$"
"UBA_Web_Proxy",status,"^\d+$"
"UBA_Web_Proxy",url,"^(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}$"
"UBA_HR_Data",memberOf,".*"
"UBA_HR_Data",groups,".*"
"UBA_HR_Data",l,"^[A-Za-z\s.'-]+$"
"UBA_HR_Data",city,"^[A-Za-z\s.'-]+$"
"UBA_HR_Data",co,"^[A-Za-z\s.'-]+$"
"UBA_HR_Data",country,"^[A-Za-z\s.'-]+$"
"UBA_HR_Data",departingUser,"^(true|false)$"
"UBA_HR_Data",displayName,"^[A-Za-z\s.'-]+$"
"UBA_HR_Data",domainLoginId,"^[a-zA-Z0-9\/\\@]+$"
"UBA_HR_Data",mail,"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b"
"UBA_HR_Data",email,"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b"
"UBA_HR_Data",employeeType,".*"
"UBA_HR_Data",accountExpires,".*"
"UBA_HR_Data",preferredName,".*"
"UBA_HR_Data",givenName,".*"
"UBA_HR_Data",firstname,".*"
"UBA_HR_Data",highRiskUser,"^(true|false)$"
"UBA_HR_Data",hireDate,".*"
"UBA_HR_Data",lastLogon,".*"
"UBA_HR_Data",lastLogonTimestamp,".*"
"UBA_HR_Data",sn,".*"
"UBA_HR_Data",lastname,".*"
"UBA_HR_Data",sAMAccountName,"^[a-zA-Z0-9_]+$"
"UBA_HR_Data",loginId,"^[a-zA-Z0-9_]+$"
"UBA_HR_Data",manager,".*"
"UBA_HR_Data",manageremployeeId,".*"
"UBA_HR_Data",initials,".*"
"UBA_HR_Data",MiddleName,".*"
"UBA_HR_Data",department,".*"
"UBA_HR_Data",ou,".*"
"UBA_HR_Data",onPerformanceImprovementPlan,"^(true|false)$"
"UBA_HR_Data",onPIP,"^(true|false)$"
"UBA_HR_Data",telephoneNumber,".*"
"UBA_HR_Data",phone,".*"
"UBA_HR_Data",st,".*"
"UBA_HR_Data",state,".*"
"UBA_HR_Data",hrstatuscode,".*"
"UBA_HR_Data",streetAddress,".*"
"UBA_HR_Data",street,".*"
"UBA_HR_Data",terminatedUser,"^(true|false)$"
"UBA_HR_Data",terminationDate,".*"
"UBA_HR_Data",title,".*"
"UBA_HR_Data",traveling,"^(true|false)$"
"UBA_HR_Data",UAC,".*"
"UBA_HR_Data",status,"^(InActive|Active)$"
"UBA_HR_Data",postalCode,".*"
"UBA_HR_Data",zip,".*"
"UBA_DLP_Email",action,"^(allowed|blocked)$"
"UBA_DLP_Email","dest_path","\/.*\/.*"
"UBA_DLP_Email","dlp_status",".*"
"UBA_DLP_Email","match_count",".*"
"UBA_DLP_Email",policy,".*"
"UBA_DLP_Email","prevention_status",".*"
"UBA_DLP_Email",recipient,"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b"
"UBA_DLP_Email",restricted,"^(yes|no)$"
"UBA_DLP_Email",sender,"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b"
"UBA_DLP_Email","serial_number","^\d+$"
"UBA_DLP_Email","src_path","\/.*\/.*"
"UBA_DLP_Email",subject,".*"
"UBA_DLP_Email",vendor,".*"
"UBA_Asset_Data",hostname,"^[\w\.-]+$"
"UBA_Asset_Data",denyListDeviceIr,"^(true|false)$"
"UBA_Asset_Data",denyListUserIr,"^(true|false)$"
"UBA_Asset_Data","asset_tag",".*"
"UBA_Asset_Data",bunit,".*"
"UBA_Asset_Data",city,"^[A-Za-z\s.'-]+$"
"UBA_Asset_Data","cost_center",".*"
"UBA_Asset_Data",country,".*"
"UBA_Asset_Data","created_by",".*"
"UBA_Asset_Data",department,".*"
"UBA_Asset_Data",deviceType,".*"
"UBA_Asset_Data",dns,".*"
"UBA_Asset_Data",ip,"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$"
"UBA_Asset_Data","is_expected","^(true|false)$"
"UBA_Asset_Data",latitude,".*"
"UBA_Asset_Data",longitude,".*"
"UBA_Asset_Data",mac,"^[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}$"
"UBA_Asset_Data","managed_by",".*"
"UBA_Asset_Data",os,".*"
"UBA_Asset_Data",owner,".*"
"UBA_Asset_Data",serial,".*"
"UBA_Asset_Data",status,".*"
"UBA_Asset_Data",substatus,".*"
"UBA_Asset_Data","sys_created_on",".*"
"UBA_Asset_Data","sys_updated_on",".*"
"*",tag,".*"
"*",severity,"^(critical|high|medium|low|informational)$"
"*",action,"^(success|failure|allowed|blocked|deferred)$"
"*",dest,"^[\w\.-]+$"
"*",src,"^[\w\.-]+$"
"*",dvc,"^[\w\.-]+$"
"*","*_ip","^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$"
"*","*_port","^\d{1,5}$"
"*","*_mac","^[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}$"
"*",direction,"^(inbound|outbound)$"
"*","bytes*","^\d+$"
"*",duration,"^\d+(:?\.\d{1,6})?$"
"*","packets*","^\d+$"
"*",protocol,"^[a-z0-9]+$"
"*",transport,"^[a-z0-9]+$"
"*","vendor_product","^[\w\d\s\-:]+$"
"*","ids_type","^(network|host|application)$"
"*",category,"^.{3,100}$"
"*",signature,"^.{3,100}$"
"*","*user","^[\w\/\\\-\.$]{1,30}$"
"*",app,"^[\w:\-\d\s]+$"
"*","*_nt_domain","^[\w\/\\\-\.$]{1,20}$"
"*","file_hash","^[0-9a-fA-F]{32,512}$"
"*","file_name","^.{1,255}$"
"*",date,"^[01]\d-[0123]\d-[12]\d{3}$"
"*","http_method","^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS|TRACE|CONNECT)$"
"*","*_length","^\d+$"
"*",channel,"^\d+$"
"*",url,"^(?:https?|ftp):\/{2}.+"
"*","http_referrer","^(?:https?|ftp):\/{2}.+"
"*","http_content_type","^\w+\/[\w\-\+\.]+$"
"*",cached,"^(?:true|false|1|0)$"
"*","*_id","^\d+$"
"*","*_host","^.{1,80}$"