Cisco Sniffing

Shows when a monitor capture point or a SPAN/RSPAN session is set up or modified on a Cisco device. The rule matches the configuration commands themselves (`monitor capture point`, `set span`, `set rspan`) in the logged command set, so it depends on command logging being enabled and forwarded.

# QRadar AQL

SELECT "CmdSet" from events where LOGSOURCENAME(logsourceid) ilike '%cisco%' and (search_payload ilike '%monitor capture point%' or search_payload ilike '%set span%' or search_payload ilike '%set rspan%')

# Splunk

("monitor capture point" OR "set span" OR "set rspan") | table CmdSet

# Elastic Query

\*.keyword:(*monitor\ capture\ point* OR *set\ span* OR *set\ rspan*)

# EDR Carbon Black

(monitor capture point OR set span OR set rspan)

# Windows PowerShell

Get-WinEvent | where {($_.message -match "monitor capture point" -or $_.message -match "set span" -or $_.message -match "set rspan") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message

# RegEx

(?i)(?:monitor capture point|set span|set rspan)
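As an added example (not part of the original rule set), the same three substrings applied in Python to constructed Cisco syslog lines. The `monitor session` line is included to show that the IOS SPAN syntax is not covered by the rule's patterns, and the `extract_cmdset` helper is an assumed stand-in for the `CmdSet` field used in the queries above.

```python
import re

# The three substrings the rule searches for, matched case-insensitively.
SNIFF_PATTERN = re.compile(r"(monitor capture point|set span|set rspan)", re.IGNORECASE)

# Constructed sample lines in the style of IOS config-change logging
# (%PARSER-5-CFGLOG_LOGGEDCMD) and CatOS command syntax; not real captures.
SAMPLE_LOGS = [
    "<189>Mar 10 12:01:07 sw1 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:monitor capture point ip cef CAP1 GigabitEthernet0/1 both",
    "<189>Mar 10 12:01:09 sw1 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:monitor capture buffer BUF1 size 2048",
    "<189>Mar 10 12:02:15 cat6k set span 3/1 3/2 both",
    "<189>Mar 10 12:02:20 cat6k set rspan source 3/1 900 both",
    # IOS SPAN syntax: deliberately included, the rule's substrings do not match it.
    "<189>Mar 10 12:03:00 sw1 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:monitor session 1 source interface Gi0/1",
    "<189>Mar 10 12:04:00 sw1 %SYS-5-CONFIG_I: Configured from console by admin on vty0",
]


def extract_cmdset(line):
    """Return the logged command text (assumed analogue of the CmdSet field).

    For IOS config-change messages the command follows 'logged command:';
    for other lines the whole message is returned unchanged.
    """
    marker = "logged command:"
    idx = line.find(marker)
    return line[idx + len(marker):].strip() if idx >= 0 else line.strip()


def detect_sniffing(lines):
    """Return (line_number, matched_keyword, command) for every line hitting the rule."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = SNIFF_PATTERN.search(line)
        if m:
            hits.append((n, m.group(1).lower(), extract_cmdset(line)))
    return hits


if __name__ == "__main__":
    for n, keyword, cmd in detect_sniffing(SAMPLE_LOGS):
        print(f"line {n}: '{keyword}' -> {cmd}")
```

Lines 1, 3 and 4 fire; line 5 (`monitor session`) and the benign lines do not, which is the coverage gap to keep in mind when tuning this rule for IOS-only estates.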