regex

Match any time in the ISO 8601 format between 06:40:00 and 06:59:59 am (UTC)


Timestamp Parsing

You are Kaylee Walmsley, a security engineer at ComTech. The SOC has received security alerts every day for the past few weeks for an account (SVCnetops) logging into multiple endpoints from the same source. Each time it occurs, you contact the system owner and are told it is normal.

You noticed that the logins always occur around the same time, so you contact the system owner to ask how this account is used and you are told that they use a script that logs into a few endpoints at roughly the same time each day to collect information. Their time window is 06:40:00 am to 06:59:59 am (UTC), so any logins outside that time range would be considered suspicious.

You have started to create a rule to suppress these alerts in the SIEM, however, the SIEM does not support time ranges. Therefore, you must use regex in order to match the timestamps of the expected logins by the account.

So far, your rule looks like this:

Source IP address equals 192.168.5.13
Destination IP address equals 192.168.5.20 OR 192.168.5.21 OR 192.168.5.30
Username equals SVCnetops
Timestamp matches

In order to complete the rule, you must create a regex that matches the following timestamps only (regardless of date):

06:40:00 am to 06:59:59 am (UTC)

The timestamp always appears in the logs in the ISO 8601 format, which looks like this:

2022-07-21T06:40:12.000Z

It is made up of the date in reverse (YYYY-MM-DD), followed by a "T" and then the time. The "Z" at the end indicates the UTC time zone.

The regex code has to match the timestamps:

Timestamp: 2020-06-01T06:52:46.000Z
Timestamp: 2006-02-28T06:41:44.000Z
Timestamp: 2011-03-08T06:50:21.000Z
Timestamp: 2014-01-09T06:54:42.000Z
Timestamp: 2007-04-04T06:59:46.000Z
Timestamp: 2010-08-20T06:55:41.000Z
Timestamp: 2016-02-26T06:57:45.000Z
Timestamp: 2017-12-16T06:53:22.000Z
Timestamp: 2007-04-23T06:44:22.000Z
Timestamp: 2008-10-19T06:51:56.000Z
Timestamp: 2005-09-07T06:44:11.000Z
Timestamp: 2022-02-07T06:41:46.000Z
Timestamp: 2013-07-24T06:56:36.000Z
Timestamp: 2012-03-08T06:58:20.000Z
Timestamp: 2014-08-16T06:48:37.000Z
Timestamp: 2015-07-02T06:44:16.000Z
Timestamp: 2020-02-26T06:58:59.000Z
Timestamp: 2022-03-05T06:40:46.000Z
Timestamp: 2016-04-15T06:49:17.000Z
Timestamp: 2016-10-15T06:53:42.000Z

But not these timestamps:

Timestamp: 2007-09-17T00:14:11.000Z
Timestamp: 2008-06-30T19:23:45.000Z
Timestamp: 2014-03-04T21:03:15.000Z
Timestamp: 2005-01-22T05:00:03.000Z
Timestamp: 2012-01-10T02:47:57.000Z
Timestamp: 2021-04-07T06:17:18.000Z
Timestamp: 2019-04-30T11:05:00.000Z
Timestamp: 2007-04-14T23:26:44.000Z
Timestamp: 2021-09-03T06:27:07.000Z
Timestamp: 2008-05-04T11:08:07.000Z
Timestamp: 2014-12-10T06:34:54.000Z
Timestamp: 2008-09-12T16:56:24.000Z
Timestamp: 2018-09-12T10:45:04.000Z
Timestamp: 2005-02-14T21:07:45.000Z
Timestamp: 2006-03-18T13:08:54.000Z
Timestamp: 2007-02-17T09:45:08.000Z
Timestamp: 2016-10-01T04:37:18.000Z
Timestamp: 2014-06-12T03:10:53.000Z
Timestamp: 2022-02-13T03:01:20.000Z
Timestamp: 2009-12-26T06:21:01.000Z
Timestamp: 2007-03-14T05:54:11.000Z
Timestamp: 2017-03-02T16:35:59.000Z
Timestamp: 2014-05-12T10:25:20.000Z
Timestamp: 2016-08-06T21:57:24.000Z
Timestamp: 2006-09-17T15:18:25.000Z

I tried ^06:(4{0-9}|5{0-9}):{0-5}{0-9}$ but this did not work.

I also tried:

\d{4}(.\d{2}){2}(\s|T)(\d{2}.){2}\d{2}
(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2})

The ones that did have results were:

(06:4[0-9]:[0-5][0-9]|06:59:[0-5][0-9])
(\d{2}:\d{2}:\d{2})

These got me close, but I still needed to make adjustments.



Solution

  • Your question doesn't say what groups, and what you tried is inconsistent, so I just selected everything after the space:

    \s(.+T06:[45].+)
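As an added example that is not part of the question or the answer above, the following Python check runs both a tightly anchored pattern and the answer's pattern over sample log lines taken from the question. The STRICT pattern, the boundary lines (06:40:00, 06:59:59, 06:39:59, 07:00:00) and the decoy line are constructed for this example; LOOSE is the regex from the answer. The decoy shows the caveat a suppression rule needs: a pattern that is not pinned to the timestamp field can be satisfied by "T06:4" appearing anywhere else on the line, which would silently suppress a login outside the window.

```python
import re

# Added example, not code from the original question or answer. It checks the
# regex approach from the thread against the thread's own sample log lines.

# Pins the whole ISO 8601 timestamp shape, so only the time field can put a
# line inside the 06:40:00-06:59:59 UTC window. Minutes 40-59 are [45][0-9];
# seconds 00-59 are [0-5][0-9]. The fractional-seconds part is optional.
STRICT = re.compile(r"\b\d{4}-\d{2}-\d{2}T06:[45][0-9]:[0-5][0-9](?:\.\d+)?Z\b")

# The pattern given in the answer: anything after whitespace containing "T06:4"
# or "T06:5". Correct for the sample data, but not tied to the timestamp field.
LOOSE = re.compile(r"\s(.+T06:[45].+)")

# Sample lines taken from the question's "has to match" list.
EXPECTED_LOGINS = [
    "Timestamp: 2020-06-01T06:52:46.000Z",
    "Timestamp: 2006-02-28T06:41:44.000Z",
    "Timestamp: 2007-04-04T06:59:46.000Z",
    "Timestamp: 2022-03-05T06:40:46.000Z",
    "Timestamp: 2020-02-26T06:58:59.000Z",
]

# Sample lines taken from the question's "but not these" list.
OUT_OF_WINDOW = [
    "Timestamp: 2007-09-17T00:14:11.000Z",
    "Timestamp: 2021-04-07T06:17:18.000Z",
    "Timestamp: 2014-12-10T06:34:54.000Z",
    "Timestamp: 2008-09-12T16:56:24.000Z",
    "Timestamp: 2007-03-14T05:54:11.000Z",
]

# Constructed boundary cases (not on the page): first and last second of the
# window, and one second on either side of it.
BOUNDARY_IN = [
    "Timestamp: 2022-01-01T06:40:00.000Z",
    "Timestamp: 2022-01-01T06:59:59.000Z",
]
BOUNDARY_OUT = [
    "Timestamp: 2022-01-01T06:39:59.000Z",
    "Timestamp: 2022-01-01T07:00:00.000Z",
]

# Constructed decoy (not on the page): a non-timestamp field happens to contain
# "T06:4", while the actual login time is 06:27, outside the window.
DECOY = "Message: hostT06:4x Timestamp: 2021-09-03T06:27:07.000Z"


def in_window(line, pattern=STRICT):
    """Return True if the line's timestamp falls in the suppression window."""
    return pattern.search(line) is not None


def partition(lines, pattern=STRICT):
    """Split log lines into (suppressed, alert) according to the regex."""
    suppressed = [line for line in lines if in_window(line, pattern)]
    alert = [line for line in lines if not in_window(line, pattern)]
    return suppressed, alert


if __name__ == "__main__":
    sample = EXPECTED_LOGINS + OUT_OF_WINDOW + BOUNDARY_IN + BOUNDARY_OUT
    suppressed, alert = partition(sample)
    print("suppressed:", len(suppressed), "alert:", len(alert))
    print("decoy suppressed by LOOSE: ", in_window(DECOY, LOOSE))
    print("decoy suppressed by STRICT:", in_window(DECOY, STRICT))
```

Both patterns sort the question's sample lines correctly; only STRICT refuses the decoy. If the SIEM's regex engine supports anchors and word boundaries, pin the pattern to the timestamp field the same way so the suppression applies to the login time and nothing else.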