# Regex Library Nightfall provides detectors for the most common data protection use cases. For unique situations, you can build custom detectors using regular expressions. ### **Secrets Detection** Please double-check our [detection\_glossary](https://help.nightfall.ai/detection_platform/detection_glossary "mention") before creating your own, including the API and cryptographic key detectors listed below, as regex detectors can introduce noise. [**Nightfall's** **API key Detector**](https://docs.nightfall.ai/docs/detecting-secrets) Nightfall's API key supports specific detection and validation of API keys for the top 50 vendors and use cases, as shown below. |

• AWS

• Azure

• Confluence

• Confluent

• Datadog

• ElasticSearch

• Facebook
• GCP

• Google API

• GitHub

• GitLab

• Hugging Face

• JIRA

• Nightfall

• Notion

• Okta

• OpenAI

• PagerDuty

• Paypal

• Plaid

• Postmark

• Postman

• Salesforce

• Sendgrid

• Slack

• Snyk

• Square

• Stripe

• Twitter

• Twilio

• Zapier

|



• Authentication Token

• CSRF Token

• OAuth Token

• Generic API Key

• Generic Token

• JWT

• Private Key

• Refresh Token

• Session Token

| | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | [**Nightfall's Cryptographic Key Detector**](https://docs.nightfall.ai/docs/detector-glossary#secrets) Nightfall's identifies popular keys for locking or unlocking cryptographic functions, including authentication, authorization, and encryption. |

• DSA Private Key

• RSA Private Key

|

• EC Private Key

• OpenSSH Private Key

• Private Key

|

• Encrypted Private Key

• PGP Private Key Block

| | -------------------------------------------------- | -------------------------------------------------------------------------- | ------------------------------------------------------------- | You can send us a request for new ML detectors directly in [Nightfall](https://app.nightfall.ai/detection-engine/detectors).
## REGEX Library Here is a list of regex detectors used by other Nightfall customers.
NameDetectorCategoryTypeStatus
google_two_factor_backup^(?:BACKUP VERIFICATION CODES|SAVE YOUR BACKUP CODES)[\s\S]{0,300}@$CredentialsRegexGlobal
heroku_key^(heroku_api_key|HEROKU_API_KEY|heroku_secret|HEROKU_SECRET)[a-z_ =\s"'\:]{0,10}[^a-zA-Z0-9-]\w{8}(?:-\w{4}){3}-\w{12}[^a-zA-Z0-9\-]$CredentialsRegexGlobal
MailGun API Key^key-[0-9a-zA-Z]{32}$CredentialsRegexGlobal
microsoft_office_365_oauth_context^https://login.microsoftonline.com/common/oauth2/v2.0/token|https://login.windows.net/common/oauth2/token$CredentialsRegexGlobal
PayPal Braintree Access Token^access_token\$production\$[0-9a-z]{16}\$[0-9a-f]{32}$CredentialsRegexGlobal
Picatic API Key^sk_live_[0-9a-z]{32}$CredentialsRegexGlobal
ECDSA Private Key^-----BEGIN ECDSA PRIVATE KEY-----\s.*,ENCRYPTED(?:.|\s)+?-----END ECDSA PRIVATE KEY-----$CredentialsRegexGlobal
KeePass 1.x CSV Passwords^"Account","Login Name","Password","Web Site","Comments"$CredentialsRegexGlobal
KeePass 1.x XML Passwords^<pwlist>\s*?<pwentry>[\S\s]*?<password>[\S\s]*?<\/pwentry>\s*?<\/pwlist>$CredentialsRegexGlobal
Password etc passwd^[a-zA-Z0-9\-]+:[x|\*]:\d+:\d+:[a-zA-Z0-9/\- "]*:/[a-zA-Z0-9/\-]*:/[a-zA-Z0-9/\-]+$CredentialsRegexGlobal
Password etc shadow^[a-zA-Z0-9\-]+:(?:(?:!!?)|(?:\*LOCK\*?)|\*|(?:\*LCK\*?)|(?:\$.*\$.*\$.*?)?):\d*:\d*:\d*:\d*:\d*:\d*:$CredentialsRegexGlobal
MailChimp API Key^[0-9a-f]{32}-us[0-9]{1,2}$CredentialsRegexGlobal
PGP Header^-{5}(?:BEGIN|END)\ PGP\ MESSAGE-{5}$CredentialsRegexGlobal
PKCS7 Encrypted Data^(?:Signer|Recipient)Info(?:s)?\ ::=\ \w+|[D|d]igest(?:Encryption)?Algorithm|EncryptedKey\ ::= \w+$CredentialsRegexGlobal
PuTTY SSH DSA Key^PuTTY-User-Key-File-2: ssh-dss\s*Encryption: none(?:.|\s?)*?Private-MAC:$CredentialsRegexGlobal
PuTTY SSH RSA Key^PuTTY-User-Key-File-2: ssh-rsa\s*Encryption: none(?:.|\s?)*?Private-MAC:$CredentialsRegexGlobal
Samba Password config file^[a-z]*:\d{3}:[0-9a-zA-Z]*:[0-9a-zA-Z]*:\[U\ \]:.*$CredentialsRegexGlobal
SSH DDS Public^ssh-dss [0-9A-Za-z+/]+[=]{2}$CredentialsRegexGlobal
SSH RSA Public^ssh-rsa AAAA[0-9A-Za-z+/]+[=]{0,3} [^@]+@[^@]+$CredentialsRegexGlobal
SSL Certificate^-----BEGIN CERTIFICATE-----(?:.|\n)+?\s-----END CERTIFICATE-----$CredentialsRegexGlobal
Lightweight Directory Access Protocol^(?:dn|cn|dc|sn):\s*[a-zA-Z0-9=, ]*$CredentialsRegexGlobal
Arista network configuration^via\ \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3},\ \d{2}:\d{2}:\d{2}$NetworkRegexGlobal
John the Ripper^[J,j]ohn\ [T,t]he\ [R,r]ipper|john-[1-9].[1-9].[1-9]|Many\ salts:|Only\ one\ salt:|openwall.com/john/|List.External:[0-9a-zA-Z]*|Loaded\ [0-9]*\ password hash|guesses:\ \d*\ \ time:\ \d*:\d{2}:\d{2}:\d{2}|john\.pot$NetworkRegexGlobal
Huawei config file^sysname\ HUAWEI|set\ authentication\ password\ simple\ huawei$NetworkRegexGlobal
Metasploit Module^require\ 'msf/core'|class\ Metasploit|include\ Msf::Exploit::\w+::\w+$NetworkRegexGlobal
Network Proxy Auto-Config^proxy\.pac|function\ FindProxyForURL\(\w+,\ \w+\)$NetworkRegexGlobal
Nmap Scan Report^Nmap\ scan\ report\ for\ [a-zA-Z0-9.]+$NetworkRegexGlobal
Cisco Router Config^service\ timestamps\ [a-z]{3,5}\ datetime\ msec|boot-[a-z]{3,5}-marker|interface\ [A-Za-z0-9]{0,10}[E,e]thernet$NetworkRegexGlobal
Simple Network Management Protocol Object Identifier^(?:\d\.\d\.\d\.\d\.\d\.\d{3}\.\d\.\d\.\d\.\d\.\d\.\d\.\d\.\d\.\d{4}\.\d)|[a-zA-Z]+[)(0-9]+\.[a-zA-Z]+[)(0-9]+\.[a-zA-Z]+[)(0-9]+\.[a-zA-Z]+[)(0-9]+\.[a-zA-Z]+[)(0-9]+\.[a-zA-Z]+[)(0-9]+\.[a-zA-Z0-9)(]+\.[a-zA-Z0-9)(]+\.[a-zA-Z0-9)(]+\.[a-zA-Z0-9)(]+$NetworkRegexGlobal
Bank of America Routing Numbers - California^(?:121|026)00(?:0|9)(?:358|593)$FinanceRegexCalifornia
BBVA Compass Routing Number - California^321170538$FinanceRegexCalifornia
Chase Routing Numbers - California^322271627$FinanceRegexCalifornia
Citibank Routing Numbers - California^32(?:11|22)71(?:18|72)4$FinanceRegexCalifornia
USBank Routing Numbers - California^12(?:1122676|2235821)$FinanceRegexCalifornia
United Bank Routing Number - California^122243350$FinanceRegexCalifornia
Wells Fargo Routing Numbers - California^121042882$FinanceRegexCalifornia
SWIFT Codes^[A-Za-z]{4}(?:GB|US|DE|RU|CA|JP|CN)[0-9a-zA-Z]{2,5}$FinanceRegexGlobal
CVE Number^CVE-\d{4}-\d{4,7}$GeneralRegexGlobal
Dropbox Links^https://www.dropbox.com/(?:s|l)/\S+$GeneralRegexGlobal
Box Links^https://app.box.com/[s|l]/\S+$GeneralRegexGlobal
Large number of US Zip Codes^(\d{5}-\d{4}|\d{5})$GeneralRegexUnited States
MySQL database dump^DROP DATABASE IF EXISTS(?:.|\n){5,200}CREATE DATABASE(?:.|\n){5,200}DROP TABLE IF EXISTS(?:.|\n){5,200}CREATE TABLE$DatabaseRegexGlobal
MySQLite database dump^DROP\ TABLE\ IF\ EXISTS\ \[[a-zA-Z]*\];|CREATE\ TABLE\ \[[a-zA-Z]*\];$DatabaseRegexGlobal
If you need help with regexes or have regexes you'd like to share, please reach out to .