| 1 | datamodel | field | validation_regex |
|---|---|---|---|
| 2 | UBA_Authentication | action | ^(success|failure|unknown|added)$ |
| 3 | UBA_Badge | failure_reason | .* |
| 4 | UBA_Badge | object_name | .* |
| 5 | UBA_Badge | object_type | .* |
| 6 | UBA_Badge | site_name | .* |
| 7 | UBA_Badge | vendor | .* |
| 8 | UBA_Cloud | change_type | ^(download|preview|delete|create|edit)$ |
| 9 | UBA_Cloud | object | ^[^\/]+\.[a-zA-Z0-9]+$ |
| 10 | UBA_Cloud | object_path | \/.*\/.* |
| 11 | UBA_Cloud | object_type | ^(file|folder|document|image)$ |
| 12 | UBA_Cloud | parent_category | .* |
| 13 | UBA_Database | action_name | ^[A-Za-z\s]+$ |
| 14 | UBA_Database | command_name | ^[A-Za-z\s]+$ |
| 15 | UBA_Database | commits | ^\d+$ |
| 16 | UBA_Database | cpu_used | ^\d+$ |
| 17 | UBA_Database | elapsed_time | ^\d+$ |
| 18 | UBA_Database | eventtype | .* |
| 19 | UBA_Database | instance_name | ^[A-Za-z\s]+$ |
| 20 | UBA_Database | object | .* |
| 21 | UBA_Database | query | /^\s*(SELECT|INSERT|UPDATE|DELETE|FROM|WHERE|AND|OR|ORDER BY|GROUP BY|HAVING|JOIN|INNER JOIN|LEFT JOIN|RIGHT JOIN|OUTER JOIN|ON|VALUES|SET|LIMIT)\b.*/gm |
| 22 | UBA_Database | records_affected | ^\d+$ |
| 23 | UBA_Database | tables_hit | .* |
| 24 | UBA_Database | tablespace_name | .* |
| 25 | UBA_Database | vendor | .* |
| 26 | UBA_DHCP | lease_duration | ^\d+(:?\.\d{1,6})?$ |
| 27 | UBA_DLP | action | ^(allowed|blocked)$ |
| 28 | UBA_DLP | dest_path | \/.*\/.* |
| 29 | UBA_DLP | dlp_status | .* |
| 30 | UBA_DLP | match_count | .* |
| 31 | UBA_DLP | policy | .* |
| 32 | UBA_DLP | prevention_status | .* |
| 33 | UBA_DLP | recipient | \b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b |
| 34 | UBA_DLP | restricted | ^(yes|no)$ |
| 35 | UBA_DLP | sender | \b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b |
| 36 | UBA_DLP | serial_number | ^\d+$ |
| 37 | UBA_DLP | src_path | \/.*\/.* |
| 38 | UBA_DLP | subject | .* |
| 39 | UBA_DLP | vendor | .* |
| 40 | UBA_DNS | answer | ^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$ |
| 41 | UBA_DNS | message_type | .* |
| 42 | UBA_DNS | query | ^(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}$ |
| 43 | UBA_DNS | query_type | \b(Query|IQuery|Status|Notify|Update|unknown|A|MX|NS|PTR)\b |
| 44 | UBA_DNS | record_type | ^(A|DNAME|MX|NS|PTR)$ |
| 45 | UBA_DNS | ttl | ^\d+$ |
| 46 | UBA_Email | action | \b(delivered|blocked|quarantined|deleted|unknown)\b |
| 47 | UBA_Email | recipient | \b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b |
| 48 | UBA_Email | subject | .* |
| 49 | UBA_Endpoint_Filesystem | action | \b(?:allowed|blocked)\b |
| 50 | UBA_Endpoint_Filesystem | alarmCategories | \b(?:Exfiltration|Info|InsiderThreat|MalwareActivity|MalwareInstall|MalwarePersistence|PolicyViolation|ProductAttack|ReducedVisibility|SystemAttack|MalformedTraffic|AccountTakeover|Enumeration|LateralMovement|Vulnerability|Recon|InitialAccess|Execution|Persistence|PrivilegeEscalation|DefenseEvasion|CredentialAccess|Discovery|Collection|CommandAndControl|Infection|DenialOfService|LossOfControl|BruteForce|Local|Signature|Behavior|FlightRisk|DataDestruction|Allowed|PeerGroup|Incoming|Internal|Outgoing|Blocked|Blacklisted|Beaconing|Outlier|UnusualActivity|ExternalAlarm|ExternalAttack|SuspiciousPattern|SuspiciousDownload|WebShell|UnusualResourceAccess|RuleBased|NetworkConnection|DataDeletion|CloudStorage|ExternalScan|ApplicationLog|External|Network|EndPoint|AD|Firewall|IPS|CloudData|Correlation|Printer|Badge|RareUser|RareProcess|RareDevice|RareDomain|RareNetwork|RareApplication|RareLocation|Unknown|CIS|Reconnaissance|ActionsonObjectives|Delivery|Installation|Exploitation|ValidAccounts|NetworkSniffing|AccountManipulation|ExploitationofVulnerability|SystemInformationDiscovery|DataStaged|EmailCollection|CommonlyUsedPort|StandardNon-ApplicationLayer|ExfiltrationOverAlternativeProtocol|StandardApplicationLayerProtocol|ExfiltrationOverCommandandControlChannel|PowerShell|Scripting|CredentialDumping|Command-LineInterface|DisablingSecurityTools|ModifyRegistry|NewService|NodifyExistingService|RegistryRunKeys\/StartFolder|AppInitDLLs|AuthenticationPackage|ScheduledTask|WebService|Third-partySoftware|AccountDiscovery|RemoteDesktopProtocol|PasstheHash|IndicatorRemovalonHost|Masquerading|WindowsManagementInstrumentation|ChangeDefaultFileAssociation|ApplicationShimming|LocalPortMonitor|AccessibilityFeatures|Rundll32|CreateAccount|PR|ID|RS|DE)\b |
| 51 | UBA_Endpoint_Filesystem | eventtype | .* |
| 52 | UBA_Endpoint_Port | action | \b(?:allowed|blocked)\b |
| 53 | UBA_Endpoint_Port | alarmCategories | \b(Exfiltration|Info|InsiderThreat|MalwareActivity|MalwareInstall|MalwarePersistence|PolicyViolation|ProductAttack|ReducedVisibility|SystemAttack|MalformedTraffic|AccountTakeover|Enumeration|LateralMovement|Vulnerability|Recon|InitialAccess|Execution|Persistence|PrivilegeEscalation|DefenseEvasion|CredentialAccess|Discovery|Collection|CommandAndControl|Infection|DenialOfService|LossOfControl|BruteForce|L |
| 54 | UBA_Endpoint_Port | cpu_load_percent | ^\d+$ |
| 55 | UBA_Endpoint_Port | creation_time | ^\d+$ |
| 56 | UBA_Endpoint_Port | eventtype | .* |
| 57 | UBA_Endpoint_Port | mem_used | ^\d+$ |
| 58 | UBA_Endpoint_Port | os | .* |
| 59 | UBA_Endpoint_Port | state | .* |
| 60 | UBA_Endpoint_Processes | action | \b(?:allowed|blocked)\b |
| 61 | UBA_Endpoint_Processes | alarmCategories | \b(Exfiltration|Info|InsiderThreat|MalwareActivity|MalwareInstall|MalwarePersistence|PolicyViolation|ProductAttack|ReducedVisibility|SystemAttack|MalformedTraffic|AccountTakeover|Enumeration|LateralMovement|Vulnerability|Recon|InitialAccess|Execution|Persistence|PrivilegeEscalation|DefenseEvasion|CredentialAccess|Discovery|Collection|CommandAndControl|Infection|DenialOfService|LossOfControl|BruteForce|L |
| 62 | UBA_Endpoint_Processes | eventtype | .* |
| 63 | UBA_Endpoint_Processes | parent_process_exec | ^[^\/]+\.[a-zA-Z0-9]+$ |
| 64 | UBA_Endpoint_Processes | parent_process_guid | ^[^\n\r]+$ |
| 65 | UBA_Endpoint_Processes | parent_process_name | ^[^\/]+\.[a-zA-Z0-9]+$ |
| 66 | UBA_Endpoint_Processes | parent_process_path | \/.*\/.* |
| 67 | UBA_Endpoint_Processes | process | \/.*\/.* |
| 68 | UBA_Endpoint_Processes | process_current_directory | /^\/(?:[a-zA-Z0-9_]+\/?)+$ |
| 69 | UBA_Endpoint_Processes | process_exec | ^[^\/]+\.[a-zA-Z0-9]+$ |
| 70 | UBA_Endpoint_Processes | process_guid | .* |
| 71 | UBA_Endpoint_Processes | process_integrity_level | .* |
| 72 | UBA_Endpoint_Processes | process_path | \/.*\/.* |
| 73 | UBA_Endpoint_Registry | action | \b(?:allowed|blocked)\b |
| 74 | UBA_Endpoint_Registry | alarmCategories | \b(Exfiltration|Info|InsiderThreat|MalwareActivity|MalwareInstall|MalwarePersistence|PolicyViolation|ProductAttack|ReducedVisibility|SystemAttack|MalformedTraffic|AccountTakeover|Enumeration|LateralMovement|Vulnerability|Recon|InitialAccess|Execution|Persistence|PrivilegeEscalation|DefenseEvasion|CredentialAccess|Discovery|Collection|CommandAndControl|Infection|DenialOfService|LossOfControl|BruteForce|L |
| 75 | UBA_Endpoint_Registry | eventtype | .* |
| 76 | UBA_Endpoint_Registry | registry_hive | .* |
| 77 | UBA_Endpoint_Registry | registry_key_name | .* |
| 78 | UBA_Endpoint_Registry | registry_path | ^\\[a-zA-Z]+(?:\\[a-zA-Z]+)*(?:\\[a-zA-Z0-9]+(?:-[a-zA-Z0-9]+)*)*\\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}}\\[a-zA-Z0-9_]+$ |
| 79 | UBA_Endpoint_Registry | registry_value_data | .* |
| 80 | UBA_Endpoint_Registry | registry_value_name | .* |
| 81 | UBA_Endpoint_Registry | registry_value_text | .* |
| 82 | UBA_Endpoint_Registry | registry_value_type | .* |
| 83 | UBA_Endpoint_Registry | status | \b(?:failure|success)\b |
| 84 | UBA_Endpoint_Services | action | \b(?:allowed|blocked)\b |
| 85 | UBA_Endpoint_Services | alarmCategories | \b(Exfiltration|Info|InsiderThreat|MalwareActivity|MalwareInstall|MalwarePersistence|PolicyViolation|ProductAttack|ReducedVisibility|SystemAttack|MalformedTraffic|AccountTakeover|Enumeration|LateralMovement|Vulnerability|Recon|InitialAccess|Execution|Persistence|PrivilegeEscalation|DefenseEvasion|CredentialAccess|Discovery|Collection|CommandAndControl|Infection|DenialOfService|LossOfControl|BruteForce|L |
| 86 | UBA_Endpoint_Services | description | \b\w+(?:[.-]\w+)*\b |
| 87 | UBA_Endpoint_Services | eventtype | .* |
| 88 | UBA_Endpoint_Services | service_dll | ^[^\/]+\.[a-zA-Z0-9]+$ |
| 89 | UBA_Endpoint_Services | service_dll_path | \/.*\/.* |
| 90 | UBA_Endpoint_Services | service_dll_signature_exists | ^[a-zA-Z\s_]+$ |
| 91 | UBA_Endpoint_Services | service_dll_signature_verified | ^[a-zA-Z\s_]+$ |
| 92 | UBA_Endpoint_Services | service_exec | ^[^\/]+\.[a-zA-Z0-9]+$ |
| 93 | UBA_Endpoint_Services | service_name | .* |
| 94 | UBA_Endpoint_Services | service_path | \/.*\/.* |
| 95 | UBA_Endpoint_Services | start_mode | .* |
| 96 | UBA_Endpoint_Services | status | \b(?:critical|started|stopped|warning|failure|success)\b |
| 97 | UBA_External_Alarm | action | \b(?:allowed|blocked|deferred)\b |
| 98 | UBA_External_Alarm | alarmCategories | \b(Exfiltration|Info|InsiderThreat|MalwareActivity|MalwareInstall|MalwarePersistence|PolicyViolation|ProductAttack|ReducedVisibility|SystemAttack|MalformedTraffic|AccountTakeover|Enumeration|LateralMovement|Vulnerability|Recon|InitialAccess|Execution|Persistence|PrivilegeEscalation|DefenseEvasion|CredentialAccess|Discovery|Collection|CommandAndControl|Infection|DenialOfService|LossOfControl|BruteForce|L |
| 99 | UBA_External_Alarm | dest_zone | ^[a-zA-Z\s_]+$ |
| 100 | UBA_External_Alarm | signature or eventtype | ^[a-zA-Z\s_]+$ |
| 101 | UBA_External_Alarm | src_zone | .* |
| 102 | UBA_External_Alarm | url | ^(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}$ |
| 103 | UBA_Firewall | action | ^(allowed|blocked|dropped|teardown|delivered|quarantined|deleted|unknown|deferred|added)$ |
| 104 | UBA_Firewall | dest_zone | ^[a-zA-Z\s_]+$ |
| 105 | UBA_Firewall | src_zone | ^[a-zA-Z\s_]+$ |
| 106 | UBA_Firewall | url | ^(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}$ |
| 107 | UBA_Firewall | vendor_action | \b\w+(?:[.-]\w+)*\b |
| 108 | UBA_Host AV | action | \b(?:allowed|blocked)\b |
| 109 | UBA_Host AV | alarmCategories | \b(?:Exfiltration|Info|InsiderThreat|MalwareActivity|MalwareInstall|MalwarePersistence|PolicyViolation|ProductAttack|ReducedVisibility|SystemAttack|MalformedTraffic|AccountTakeover|Enumeration|LateralMovement|Vulnerability|Recon|InitialAccess|Execution|Persistence|PrivilegeEscalation|DefenseEvasion|CredentialAccess|Discovery|Collection|CommandAndControl|Infection|DenialOfService|LossOfControl|BruteForce|Local|Signature|Behavior|FlightRisk|DataDestruction|Allowed|PeerGroup|Incoming|Internal|Outgoing|Blocked|Blacklisted|Beaconing|Outlier|UnusualActivity|ExternalAlarm|ExternalAttack|SuspiciousPattern|SuspiciousDownload|WebShell|UnusualResourceAccess|RuleBased|NetworkConnection|DataDeletion|CloudStorage|ExternalScan|ApplicationLog|External|Network|EndPoint|AD|Firewall|IPS|CloudData|Correlation|Printer|Badge|RareUser|RareProcess|RareDevice|RareDomain|RareNetwork|RareApplication|RareLocation|Unknown|CIS|Reconnaissance|ActionsonObjectives|Delivery|Installation|Exploitation|ValidAccounts|NetworkSniffing|AccountManipulation|ExploitationofVulnerability|SystemInformationDiscovery|DataStaged|EmailCollection|CommonlyUsedPort|StandardNon-ApplicationLayer|ExfiltrationOverAlternativeProtocol|StandardApplicationLayerProtocol|ExfiltrationOverCommandandControlChannel|PowerShell|Scripting|CredentialDumping|Command-LineInterface|DisablingSecurityTools|ModifyRegistry|NewService|NodifyExistingService|RegistryRunKeys\/StartFolder|AppInitDLLs|AuthenticationPackage|ScheduledTask|WebService|Third-partySoftware|AccountDiscovery|RemoteDesktopProtocol|PasstheHash|IndicatorRemovalonHost|Masquerading|WindowsManagementInstrumentation|ChangeDefaultFileAssociation|ApplicationShimming|LocalPortMonitor|AccessibilityFeatures|Rundll32|CreateAccount|PR|ID|RS|DE)\b |
| 110 | UBA_Host AV | eventtype | \b\w+(?:[.-]\w+)*\b |
| 111 | UBA_Host AV | url | ^(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}$ |
| 112 | UBA_IDS_IPS | action | \b(?:allowed|blocked)\b |
| 113 | UBA_IDS_IPS | alarmCategories | \b(Exfiltration|Info|InsiderThreat|MalwareActivity|MalwareInstall|MalwarePersistence|PolicyViolation|ProductAttack|ReducedVisibility|SystemAttack|MalformedTraffic|AccountTakeover|Enumeration|LateralMovement|Vulnerability|Recon|InitialAccess|Execution|Persistence|PrivilegeEscalation|DefenseEvasion|CredentialAccess|Discovery|Collection|CommandAndControl|Infection|DenialOfService|LossOfControl|BruteForce|L |
| 114 | UBA_IDS_IPS | eventtype | .* |
| 115 | UBA_Printer | data_type | .* |
| 116 | UBA_Printer | driver_process | .* |
| 117 | UBA_Printer | operation | .* |
| 118 | UBA_Printer | page_printed | ^\d+$ |
| 119 | UBA_Printer | parameters | ^\d+$ |
| 120 | UBA_Printer | print_processor | .* |
| 121 | UBA_Printer | printer | .* |
| 122 | UBA_Printer | priority | ^\d+$ |
| 123 | UBA_Printer | status | .* |
| 124 | UBA_Printer | submitted_time | .* |
| 125 | UBA_Printer | total_pages | ^\d+$ |
| 126 | UBA_Printer | type | .* |
| 127 | UBA_Web_Proxy | action | \b(?:allowed|blocked)\b |
| 128 | UBA_Web_Proxy | response_time | ^\d+$ |
| 129 | UBA_Web_Proxy | status | ^\d+$ |
| 130 | UBA_Web_Proxy | url | ^(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}$ |
| 131 | UBA_HR_Data | memberOf | .* |
| 132 | UBA_HR_Data | groups | .* |
| 133 | UBA_HR_Data | l | ^[A-Za-z\s.'-]+$ |
| 134 | UBA_HR_Data | city | ^[A-Za-z\s.'-]+$ |
| 135 | UBA_HR_Data | co | ^[A-Za-z\s.'-]+$ |
| 136 | UBA_HR_Data | country | ^[A-Za-z\s.'-]+$ |
| 137 | UBA_HR_Data | departingUser | ^(true|false)$ |
| 138 | UBA_HR_Data | displayName | ^[A-Za-z\s.'-]+$ |
| 139 | UBA_HR_Data | domainLoginId | ^[a-zA-Z0-9\/\\@]+$ |
| 140 | UBA_HR_Data | \b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b | |
| 141 | UBA_HR_Data | \b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b | |
| 142 | UBA_HR_Data | employeeType | .* |
| 143 | UBA_HR_Data | accountExpires | .* |
| 144 | UBA_HR_Data | preferredName | .* |
| 145 | UBA_HR_Data | givenName | .* |
| 146 | UBA_HR_Data | firstname | .* |
| 147 | UBA_HR_Data | highRiskUser | ^(true|false)$ |
| 148 | UBA_HR_Data | hireDate | .* |
| 149 | UBA_HR_Data | lastLogon | .* |
| 150 | UBA_HR_Data | lastLogonTimestamp | .* |
| 151 | UBA_HR_Data | sn | .* |
| 152 | UBA_HR_Data | lastname | .* |
| 153 | UBA_HR_Data | sAMAccountName | ^[a-zA-Z0-9_]+$ |
| 154 | UBA_HR_Data | loginId | ^[a-zA-Z0-9_]+$ |
| 155 | UBA_HR_Data | manager | .* |
| 156 | UBA_HR_Data | manageremployeeId | .* |
| 157 | UBA_HR_Data | initials | .* |
| 158 | UBA_HR_Data | MiddleName | .* |
| 159 | UBA_HR_Data | department | .* |
| 160 | UBA_HR_Data | ou | .* |
| 161 | UBA_HR_Data | onPerformanceImprovementPlan | ^(true|false)$ |
| 162 | UBA_HR_Data | onPIP | ^(true|false)$ |
| 163 | UBA_HR_Data | telephoneNumber | .* |
| 164 | UBA_HR_Data | phone | .* |
| 165 | UBA_HR_Data | st | .* |
| 166 | UBA_HR_Data | state | .* |
| 167 | UBA_HR_Data | hrstatuscode | .* |
| 168 | UBA_HR_Data | streetAddress | .* |
| 169 | UBA_HR_Data | street | .* |
| 170 | UBA_HR_Data | terminatedUser | ^(true|false)$ |
| 171 | UBA_HR_Data | terminationDate | .* |
| 172 | UBA_HR_Data | title | .* |
| 173 | UBA_HR_Data | traveling | ^(true|false)$ |
| 174 | UBA_HR_Data | UAC | .* |
| 175 | UBA_HR_Data | status | ^(InActive|Active)$ |
| 176 | UBA_HR_Data | postalCode | .* |
| 177 | UBA_HR_Data | zip | .* |
| 178 | UBA_DLP_Email | action | ^(allowed|blocked)$ |
| 179 | UBA_DLP_Email | dest_path | \/.*\/.* |
| 180 | UBA_DLP_Email | dlp_status | .* |
| 181 | UBA_DLP_Email | match_count | .* |
| 182 | UBA_DLP_Email | policy | .* |
| 183 | UBA_DLP_Email | prevention_status | .* |
| 184 | UBA_DLP_Email | recipient | \b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b |
| 185 | UBA_DLP_Email | restricted | ^(yes|no)$ |
| 186 | UBA_DLP_Email | sender | \b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b |
| 187 | UBA_DLP_Email | serial_number | ^\d+$ |
| 188 | UBA_DLP_Email | src_path | \/.*\/.* |
| 189 | UBA_DLP_Email | subject | .* |
| 190 | UBA_DLP_Email | vendor | .* |
| 191 | UBA_Asset_Data | hostname | ^[\w\.-]+$ |
| 192 | UBA_Asset_Data | denyListDeviceIr | ^(true|false)$ |
| 193 | UBA_Asset_Data | denyListUserIr | ^(true|false)$ |
| 194 | UBA_Asset_Data | asset_tag | .* |
| 195 | UBA_Asset_Data | bunit | .* |
| 196 | UBA_Asset_Data | city | ^[A-Za-z\s.'-]+$ |
| 197 | UBA_Asset_Data | cost_center | .* |
| 198 | UBA_Asset_Data | country | .* |
| 199 | UBA_Asset_Data | created_by | .* |
| 200 | UBA_Asset_Data | department | .* |
| 201 | UBA_Asset_Data | deviceType | .* |
| 202 | UBA_Asset_Data | dns | .* |
| 203 | UBA_Asset_Data | ip | ^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$ |
| 204 | UBA_Asset_Data | is_expected | ^(true|false)$ |
| 205 | UBA_Asset_Data | latitude | .* |
| 206 | UBA_Asset_Data | longitude | .* |
| 207 | UBA_Asset_Data | mac | ^[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}$ |
| 208 | UBA_Asset_Data | managed_by | .* |
| 209 | UBA_Asset_Data | os | .* |
| 210 | UBA_Asset_Data | owner | .* |
| 211 | UBA_Asset_Data | serial | .* |
| 212 | UBA_Asset_Data | status | .* |
| 213 | UBA_Asset_Data | substatus | .* |
| 214 | UBA_Asset_Data | sys_created_on | .* |
| 215 | UBA_Asset_Data | sys_updated_on | .* |
| 216 | * | tag | .* |
| 217 | * | severity | ^(critical|high|medium|low|informational)$ |
| 218 | * | action | ^(success|failure|allowed|blocked|deferred)$ |
| 219 | * | dest | ^[\w\.-]+$ |
| 220 | * | src | ^[\w\.-]+$ |
| 221 | * | dvc | ^[\w\.-]+$ |
| 222 | * | *_ip | ^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$ |
| 223 | * | *_port | ^\d{1,5}$ |
| 224 | * | *_mac | ^[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}$ |
| 225 | * | direction | ^(inbound|outbound)$ |
| 226 | * | bytes* | ^\d+$ |
| 227 | * | duration | ^\d+(:?\.\d{1,6})?$ |
| 228 | * | packets* | ^\d+$ |
| 229 | * | protocol | ^[a-z0-9]+$ |
| 230 | * | transport | ^[a-z0-9]+$ |
| 231 | * | vendor_product | ^[\w\d\s\-:]+$ |
| 232 | * | ids_type | ^(network|host|application)$ |
| 233 | * | category | ^.{3,100}$ |
| 234 | * | signature | ^.{3,100}$ |
| 235 | * | *user | ^[\w\/\\\-\.$]{1,30}$ |
| 236 | * | app | ^[\w:\-\d\s]+$ |
| 237 | * | *_nt_domain | ^[\w\/\\\-\.$]{1,20}$ |
| 238 | * | file_hash | ^[0-9a-fA-F]{32,512}$ |
| 239 | * | file_name | ^.{1,255}$ |
| 240 | * | date | ^[01]\d-[0123]\d-[12]\d{3}$ |
| 241 | * | http_method | ^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS|TRACE|CONNECT)$ |
| 242 | * | *_length | ^\d+$ |
| 243 | * | channel | ^\d+$ |
| 244 | * | url | ^(?:https?|ftp):\/{2}.+ |
| 245 | * | http_referrer | ^(?:https?|ftp):\/{2}.+ |
| 246 | * | http_content_type | ^\w+\/[\w\-\+\.]+$ |
| 247 | * | cached | ^(?:true|false|1|0)$ |
| 248 | * | *_id | ^\d+$ |
| 249 | * | *_host | ^.{1,80}$ |