Added a specialized form element for regex parameters. (Velocidex#1367)

artifacts/definitions/Admin/Client/Uninstall.yaml

@@ -17,6 +17,7 @@ required_permissions:
 
 parameters:
   - name: DisplayNameRegex
+    type: regex
     default: Velociraptor
     description: A regex that will match the package to uninstall.
 

artifacts/definitions/Admin/System/CompressUploads.yaml

@@ -24,8 +24,9 @@ type: SERVER_EVENT
 
 parameters:
   - name: blacklistCompressionFilename
+    type: regex
     description: Filenames which match this regex will be excluded from compression.
-    default: '(?i).+ntuser.dat'
+    default: 'ntuser.dat$'
 
 sources:
   - queries:

artifacts/definitions/Demo/Plugins/GUI.yaml

@@ -19,6 +19,10 @@ parameters:
       - Second Choice
       - Third Choice
 
+  - name: RegularExpression
+    type: regex
+    default: "."
+
   - name: Flag
     type: bool
     default: Y

artifacts/definitions/Elastic/Flows/Upload.yaml

@@ -13,6 +13,7 @@ type: SERVER_EVENT
 parameters:
   - name: ArtifactNameRegex
     default: .
+    type: regex
     description: Only upload these artifacts to elastic
   - name: elasticAddresses
     default: http://127.0.0.1:9200/

artifacts/definitions/Generic/System/Pstree.yaml

@@ -11,13 +11,16 @@ description: |
 parameters:
   - name: ProcessNameRegex
     default: .
+    type: regex
 
   - name: PidFilter
     description: Filter pids by this regex
     default: .
+    type: regex
 
   - name: CallChainFilter
     default: .
+    type: regex
 
   - name: CallChainSep
     default: " <- "

artifacts/definitions/Linux/Detection/Yara/Process.yaml

@@ -20,8 +20,10 @@ type: CLIENT
 parameters:
   - name: ProcessRegex
     default: .
+    type: regex
   - name: PidRegex
     default: .
+    type: regex
   - name: UploadHits
     type: bool
   - name: YaraUrl

artifacts/definitions/Linux/Network/Netstat.yaml

@@ -7,6 +7,7 @@ type: CLIENT
 
 parameters:
    - name: StateRegex
+     type: regex
      default: "Listening|Established"
      description: Only show these states
 

artifacts/definitions/Linux/Sys/BashHistory.yaml

@@ -1,24 +1,26 @@
 name: Linux.Sys.BashHistory
 author: "Matt Green - @mgreen27"
 description: |
-  This artifact enables grep of Bash and alternate shell history files.  
-  
-  It can also be used to target other files located in the user profile such as 
-  *_profile and *rc files.  
-  shell history: /{root,home/*}/.*_history  
-  profile: /{root,home/*}/.*_profile  
-  *rc file: /{root,home/*}/.*rc  
-  
+  This artifact enables grep of Bash and alternate shell history files.
+
+  It can also be used to target other files located in the user profile such as
+  *_profile and *rc files.
+  shell history: /{root,home/*}/.*_history
+  profile: /{root,home/*}/.*_profile
+  *rc file: /{root,home/*}/.*rc
+
   tags: .bash_history .bash_profile .bashrc
-  
-  
+
+
 parameters:
   - name: TargetGlob
     default: /{root,home/*}/.*_history
   - name: SearchRegex
+    type: regex
     description: "Regex of strings to search in line."
     default: '.'
   - name: WhitelistRegex
+    type: regex
     description: "Regex of strings to leave out of output."
     default:
 
@@ -29,7 +31,7 @@ sources:
       SELECT * FROM foreach(row=files,
           query={
               SELECT Line, FullPath FROM parse_lines(filename=FullPath)
-              WHERE 
+              WHERE
                 Line =~ SearchRegex
                 AND NOT if(condition= WhitelistRegex,
                     then= Line =~ WhitelistRegex,

artifacts/definitions/Linux/Sys/Maps.yaml

@@ -13,6 +13,7 @@ parameters:
   - name: processRegex
     description: A regex applied to process names.
     default: .
+    type: regex
 
 sources:
   - queries:

artifacts/definitions/Linux/Sys/Pslist.yaml

@@ -5,6 +5,7 @@ description: |
 parameters:
   - name: processRegex
     default: .
+    type: regex
 
 precondition: SELECT OS From info() where OS = 'linux'
 

artifacts/definitions/Server/Alerts/PsExec.yaml

@@ -22,7 +22,7 @@ sources:
           row={
             SELECT * from watch_monitoring(
               artifact='Windows.Events.ProcessCreation')
-            WHERE Name =~ '(?i)psexesvc'
+            WHERE Name =~ 'psexesvc'
           },
           query={
             SELECT * FROM mail(

artifacts/definitions/Server/Alerts/TheHive/Case.yaml

@@ -16,6 +16,7 @@ parameters:
     default: https://myvelo
   - name: ArtifactsToAlertOn
     default: .
+    type: regex
   - name: DisableSSLVerify
     type: bool
     default: true

artifacts/definitions/Server/Information/Users.yaml

@@ -10,6 +10,7 @@ parameters:
   - name: StandardUserAccounts
     description: Well known SIDs to hide from the output.
     default: "(-5..$|S-1-5-18|S-1-5-19|S-1-5-20)"
+    type: regex
 
 sources:
   - query: |

artifacts/definitions/Server/Monitoring/ScheduleHunt.yaml

@@ -9,8 +9,10 @@ type: SERVER_EVENT
 parameters:
   - name: ScheduleDayRegex
     default: Tuesday
+    type: regex
   - name: ScheduleTimeRegex
     default: "01:28:"
+    type: regex
   - name: HuntDescription
     default:
 

artifacts/definitions/Server/Utils/BackupS3.yaml

@@ -17,6 +17,8 @@ parameters:
    - name: ArtifactNameRegex
      default: "."
      description: A regular expression to select which artifacts to upload
+     type: regex
+
    - name: Bucket
    - name: Region
    - name: CredentialsKey

artifacts/definitions/Splunk/Flows/Upload.yaml

@@ -28,6 +28,7 @@ type: SERVER_EVENT
 parameters:
    - name: ArtifactNameRegex
      default: "."
+     type: regex
      description: Names of artifacts to upload to Splunk
    - name: url
      default: http://127.0.0.1:8088/services/collector

artifacts/definitions/Windows/Application/Firefox/History.yaml

@@ -10,6 +10,7 @@ parameters:
         SELECT *,url as url_visited FROM moz_historyvisits, moz_places WHERE moz_historyvisits.place_id=moz_places.id
   - name: userRegex
     default: .
+    type: regex
 
 precondition: SELECT OS From info() where OS = 'windows'
 

artifacts/definitions/Windows/Application/IISLogs.yaml

@@ -1,6 +1,6 @@
 name: Windows.Application.IISLogs
 description: |
-  This artifact enables grep of IISLogs.  
+  This artifact enables grep of IISLogs.
   Parameters include SearchRegex and WhitelistRegex as regex terms.
 
 author: "Matt Green - @mgreen27"
@@ -11,9 +11,11 @@ parameters:
   - name: SearchRegex
     description: "Regex of strings to search in line."
     default: ' POST '
+    type: regex
   - name: WhitelistRegex
     description: "Regex of strings to leave out of output."
     default:
+    type: regex
 
 sources:
   - precondition: SELECT OS From info() where OS = 'windows'
@@ -24,9 +26,9 @@ sources:
       SELECT * FROM foreach(row=files,
           query={
               SELECT Line, FullPath FROM parse_lines(filename=FullPath)
-              WHERE 
+              WHERE
                 Line =~ SearchRegex
                 AND NOT if(condition= WhitelistRegex,
                     then= Line =~ WhitelistRegex,
                     else= FALSE)
-          })
+          })

artifacts/definitions/Windows/Application/MegaSync.yaml

@@ -1,11 +1,11 @@
 name: Windows.Application.MegaSync
 description: |
-  This artifact will parse MEGASync logs and enables using regex to search for 
+  This artifact will parse MEGASync logs and enables using regex to search for
   entries of interest.
-  
+
   With UploadLogs selected a copy of the logs are uploaded to the server.
   SearchVSS enables search over VSS and dedup support.
-  
+
 author: "Matt Green - @mgreen27"
 
 reference:
@@ -19,17 +19,19 @@ parameters:
   - name: SearchRegex
     description: "Regex of strings to search in line."
     default: 'Transfer\s\(UPLOAD\)|upload\squeue|local\sfile\saddition\sdetected|Sync\s-\ssending\sfile|\"user\"'
+    type: regex
   - name: WhitelistRegex
     description: "Regex of strings to leave out of output."
     default:
+    type: regex
   - name: SearchVSS
     description: "Add VSS into query."
     type: bool
   - name: UploadLogs
     description: "Upload MEGASync logs."
     type: bool
-    
-    
+
+
 sources:
   - query: |
       -- Find target files
@@ -61,7 +63,7 @@ sources:
           })
         GROUP BY Line
 
-      SELECT 
+      SELECT
         Line as RawLine,
         FullPath
       FROM output
@@ -70,7 +72,7 @@ sources:
   - name: LogFiles
     queries:
       - |
-        SELECT 
+        SELECT
             FullPath,
             if(condition=UploadLogs,
                 then= upload(file=FullPath,accessor='ntfs')
@@ -81,4 +83,4 @@ sources:
             Ctime,
             Size
         FROM output
-        GROUP BY FullPath
+        GROUP BY FullPath

artifacts/definitions/Windows/Applications/Chrome/Cookies.yaml

@@ -21,6 +21,7 @@ parameters:
       FROM cookies
   - name: userRegex
     default: .
+    type: regex
 
 precondition: SELECT OS From info() where OS = 'windows'
 

artifacts/definitions/Windows/Applications/Chrome/Extensions.yaml

@@ -16,6 +16,7 @@ parameters:
     default: \AppData\Local\Google\Chrome\User Data\*\Extensions\*\*\manifest.json
   - name: userRegex
     default: .
+    type: regex
 
 sources:
   - precondition: |

artifacts/definitions/Windows/Applications/Chrome/History.yaml

@@ -12,6 +12,7 @@ parameters:
       FROM urls
   - name: userRegex
     default: .
+    type: regex
 
 precondition: SELECT OS From info() where OS = 'windows'
 

artifacts/definitions/Windows/Applications/NirsoftBrowserViewer.yaml

@@ -21,6 +21,7 @@ parameters:
    - name: URLRegex
      default: .
      description: Filter URLs by this regex
+     type: regex
    - name: DateAfter
      type: timestamp
    - name: DateBefore

artifacts/definitions/Windows/Applications/SBECmd.yaml

@@ -32,6 +32,7 @@ precondition: SELECT OS From info() where OS = 'windows'
 parameters:
   - name: userRegex
     default: .
+    type: regex
 
   - name: UploadFiles
     description: "Select to Upload SBECmd Output files."

artifacts/definitions/Windows/Applications/TeamViewer/Incoming.yaml

@@ -25,12 +25,15 @@ parameters:
   - name: TeamViewerIDRegex
     description: "Regex of TeamViewer ID"
     default: .
+    type: regex
   - name: SourceHostRegex
     description: "Regex of source host"
     default: .
+    type: regex
   - name: UserRegex
     description: "Regex of user"
     default: .
+    type: regex
   - name: SearchVSS
     description: "Add VSS into query."
     type: bool