Regular expressions and life hacks for monitoring and monitoring the Telegram service in the DLP and SIEM system.
# Elastic Query
((destination.domain:("api.telegram.org") OR url.domain:("api.telegram.org")) AND (NOT (user_agent.original.keyword:(*Telegram* OR *Bot*))))
# QRadar AQL
SELECT 'sourceip', 'URL', 'user_agent' from events where (("FQDN" = 'api.telegram.org') and not (("user_agent" ilike '%Telegram%' or "user_agent" ilike '%Bot%')))
# Splunk
((r-dns="api.telegram.org") NOT ((c-useragent="*Telegram*" OR c-useragent="*Bot*"))) | table ClientIP,c-uri,c-useragent
# EDR Carbon Black
(r-dns:api.telegram.org AND ( -(c-useragent:Telegram* OR c-useragent:Bot*)))
# Windows PowerShell
Get-WinEvent | where {(($_.message -match "api.telegram.org") -and -not (($_.message -match "c-useragent.*.*Telegram.*" -or $_.message -match "c-useragent.*.*Bot.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
# RegEx
^(?:.*(?=.*(?:.*api\.telegram\.org))(?=.*(?!.*(?:.*(?=.*(?:.*.*Telegram.*|.*.*Bot.*))))))
