
Telegram API Access

Regular expressions and practical tips for monitoring and detecting Telegram service traffic in DLP and SIEM systems.

# Elastic Query

NOT user_agent.original.keyword:(*Telegram* OR *Bot*) AND (destination.domain:"api.telegram.org" OR url.domain:"api.telegram.org")

# QRadar AQL

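SELECT sourceip, "URL", "user_agent"
FROM events
WHERE "FQDN" = 'api.telegram.org'
  AND NOT ("user_agent" ILIKE '%Telegram%' OR "user_agent" ILIKE '%Bot%')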

# Splunk

r-dns="api.telegram.org" NOT c-useragent="*Telegram*" NOT c-useragent="*Bot*" | table ClientIP, c-uri, c-useragent

# EDR Carbon Black

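r-dns:api.telegram.org -c-useragent:Telegram* -c-useragent:Bot*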

# Windows PowerShell

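# Select Windows events whose message mentions the Telegram API host but does
# not carry a Telegram/Bot user agent, i.e. access to api.telegram.org from
# something other than the official client or a declared bot.
# NOTE(review): no -LogName/-FilterHashtable is given, so this reads from every
# event log on the host; scoping to the log that actually carries these
# fields is far cheaper -- confirm which log is intended.
# Presumably the messages carry IIS/proxy-style 'c-useragent' fields; verify
# against the event source before relying on the exclusion.
Get-WinEvent |
    Where-Object {
        # Dots are escaped so the host name matches literally; the original
        # pattern's bare dots matched any character.
        $_.Message -match 'api\.telegram\.org' -and
        -not ($_.Message -match 'c-useragent.*Telegram' -or
              $_.Message -match 'c-useragent.*Bot')
    } |
    Select-Object TimeCreated, Id, RecordId, ProcessId, MachineName, Message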

# RegEx

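^(?=.*api\.telegram\.org)(?!.*(?:Telegram|Bot)).*$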