diff --git a/data/features.yaml b/data/features.yaml
index 177ba8cdd1..ecbd1e1763 100644
--- a/data/features.yaml
+++ b/data/features.yaml
@@ -121,149 +121,145 @@ ssh_client_ipv4_addresses:
         query_string: 'reporter:"sshd"'
         attribute: 'message'
         store_as: 'client_ip'
-        re: '^\[sshd\] \[\d+\]: Connection from ((?:[0-9]{1,3}\.){3}[0-9]{1,3})
-          port \d+ on (?:[0-9]{1,3}\.){3}[0-9]{1,3} port \d+(?: rdomain ? .*)?$'
+        re: 'Connection from ((?:[0-9]{1,3}\.){3}[0-9]{1,3}) port \d+ on (?:[0-9]{1,3}\.){3}[0-9]{1,3} port \d+(?: rdomain ? .*)?$'
 
 ssh_client_ipv4_addresses_2:
         query_string: 'reporter:"sshd"'
         attribute: 'message'
         store_as: 'client_ip'
-        re: '\[sshd, pid: \d+\] Connection [a-z]+ by
-          ((?:[0-9]{1,3}\.){3}[0-9]{1,3}) port \d+'
+        re: 'Connection [a-z]+ by ((?:[0-9]{1,3}\.){3}[0-9]{1,3}) port \d+'
 
 ssh_host_ipv4_addresses:
         query_string: 'reporter:"sshd"'
         attribute: 'message'
         store_as: 'host_ip'
-        re: '^\[sshd\] \[\d+\]: Connection from (?:[0-9]{1,3}\.){3}[0-9]{1,3}
-          port \d+ on ((?:[0-9]{1,3}\.){3}[0-9]{1,3}) port \d+(?: rdomain ? .*)?$'
+        re: '^\[sshd\] \[\d+\]: Connection from (?:[0-9]{1,3}\.){3}[0-9]{1,3} port \d+ on ((?:[0-9]{1,3}\.){3}[0-9]{1,3}) port \d+(?: rdomain ? .*)?$'
 
 ssh_client_password_ipv4_addresses:
         query_string: 'reporter:"sshd"'
         attribute: 'message'
         store_as: 'client_ip'
-        re: '^\[sshd, pid: \d+\] (?:Accepted|Failed) (?:password|publickey) for \w+
-          from ((?:[0-9]{1,3}\.){3}[0-9]{1,3}) port \d+'
+        re: '(?:Accepted|Failed) (?:password|publickey) for \w+ from ((?:[0-9]{1,3}\.){3}[0-9]{1,3}) port \d+'
 
 ssh_disconnected_username:
         query_string: 'reporter:"sshd"'
         attribute: 'body'
         store_as: 'username'
-        re: '^Disconnected\s+from user (?P<username>[^\s]+) [^\s]+ port \d+$'
+        re: 'Disconnected\s+from user (?P<username>[^\s]+) [^\s]+ port \d+$'
 
 ssh_disconnected_ip_address:
         query_string: 'reporter:"sshd"'
         attribute: 'body'
         store_as: 'ip_address'
-        re: '^Disconnected from user [^\s]+ (?P<ip_address>[^\s]+) port \d+$'
+        re: 'Disconnected from user [^\s]+ (?P<ip_address>[^\s]+) port \d+$'
 
 ssh_disconnected_port:
         query_string: 'reporter:"sshd"'
         attribute: 'body'
         store_as: 'port'
-        re: '^Disconnected from user [^\s]+ [^\s]+ port (?P<port>\d+)$'
+        re: 'Disconnected from user [^\s]+ [^\s]+ port (?P<port>\d+)$'
 
 ssh_failed_username:
         query_string: 'reporter:"sshd"'
         attribute: 'body'
         store_as: 'username'
-        re: '^Failed password for (?:invalid user)?\s*(?P<username>[^\s]+) from [^\s]+ port \d+ ssh\d'
+        re: 'Failed password for (?:invalid user)?\s*(?P<username>[^\s]+) from [^\s]+ port \d+ ssh\d'
 
 ssh_failed_ip_address:
         query_string: 'reporter:"sshd"'
         attribute: 'body'
         store_as: 'ip_address'
-        re: '^Failed password for (?:invalid user)?\s*[^\s]+ from (?P<ip_address>[^\s]+) port \d+ ssh\d'
+        re: 'Failed password for (?:invalid user)?\s*[^\s]+ from (?P<ip_address>[^\s]+) port \d+ ssh\d'
 
 ssh_failed_port:
         query_string: 'reporter:"sshd"'
         attribute: 'body'
         store_as: 'port'
-        re: '^Failed password for (?:invalid user)?\s*[^\s]+ from [^\s]+ port (?P<port>\d+) ssh\d'
+        re: 'Failed password for (?:invalid user)?\s*[^\s]+ from [^\s]+ port (?P<port>\d+) ssh\d'
 
 ssh_failed_method:
         query_string: 'reporter:"sshd"'
         attribute: 'body'
         store_as: 'authentication_method'
-        re: '^Failed (?P<authentication_method>[^\s]+) for .*ssh\d'
+        re: 'Failed (?P<authentication_method>[^\s]+) for .*ssh\d'
 
 win_login_subject_username:
         query_string: 'source_name:Microsoft-Windows-Security-Auditing AND (event_identifier:4624 OR event_identifier:4625)'
         attribute: 'xml_string'
         store_as: 'subject_username'
-        re: '.*"SubjectUserName">(?P<subject_username>[^<]+)</Data>'
+        re: '"SubjectUserName">(?P<subject_username>[^<]+)</Data>'
 
 win_login_subject_domain:
         query_string: 'source_name:Microsoft-Windows-Security-Auditing AND (event_identifier:4624 OR event_identifier:4625)'
         attribute: 'xml_string'
         store_as: 'subject_domain'
-        re: '.*"SubjectDomainName">(?P<subject_domain>[^<]+)</Data>'
+        re: '"SubjectDomainName">(?P<subject_domain>[^<]+)</Data>'
 
 win_login_subject_logon_id:
         query_string: 'source_name:Microsoft-Windows-Security-Auditing AND (event_identifier:4624 OR event_identifier:4625)'
         attribute: 'xml_string'
         store_as: 'subject_logon_id'
-        re: '.*"SubjectLogonId">(?P<subject_logon_id>[^<]+)</Data>'
+        re: '"SubjectLogonId">(?P<subject_logon_id>[^<]+)</Data>'
 
 win_login_username:
         query_string: 'source_name:Microsoft-Windows-Security-Auditing AND (event_identifier:4624 OR event_identifier:4625)'
         attribute: 'xml_string'
         store_as: 'username'
-        re: '.*"TargetUserName">(?P<username>[^<]+)</Data>'
+        re: '"TargetUserName">(?P<username>[^<]+)</Data>'
 
 win_login_domain:
         query_string: 'source_name:Microsoft-Windows-Security-Auditing AND (event_identifier:4624 OR event_identifier:4625)'
         attribute: 'xml_string'
         store_as: 'domain'
-        re: '.*"TargetDomainName">(?P<domain>[^<]+)</Data>'
+        re: '"TargetDomainName">(?P<domain>[^<]+)</Data>'
 
 win_login_logon_id:
         query_string: 'source_name:Microsoft-Windows-Security-Auditing AND (event_identifier:4624 OR event_identifier:4625)'
         attribute: 'xml_string'
         store_as: 'logon_id'
-        re: '.*"TargetLogonId">(?P<logon_id>[^<]+)</Data>'
+        re: '"TargetLogonId">(?P<logon_id>[^<]+)</Data>'
 
 win_login_logon_type:
         query_string: 'source_name:Microsoft-Windows-Security-Auditing AND (event_identifier:4624 OR event_identifier:4625)'
         attribute: 'xml_string'
         store_as: 'logon_type'
-        re: '.*"LogonType">(?P<logon_type>[^<]+)</Data>'
+        re: '"LogonType">(?P<logon_type>[^<]+)</Data>'
 
 win_login_logon_process_name:
         query_string: 'source_name:Microsoft-Windows-Security-Auditing AND (event_identifier:4624 OR event_identifier:4625)'
         attribute: 'xml_string'
         store_as: 'logon_process_name'
-        re: '.*"LogonProcessName">(?P<logon_process_name>[^<]+)</Data>'
+        re: '"LogonProcessName">(?P<logon_process_name>[^<]+)</Data>'
 
 win_login_workstation_name:
         query_string: 'source_name:Microsoft-Windows-Security-Auditing AND (event_identifier:4624 OR event_identifier:4625)'
         attribute: 'xml_string'
         store_as: 'workstation_name'
-        re: '.*"WorkstationName">(?P<workstation_name>[^<]+)</Data>'
+        re: '"WorkstationName">(?P<workstation_name>[^<]+)</Data>'
 
 win_login_process_id:
         query_string: 'source_name:Microsoft-Windows-Security-Auditing AND (event_identifier:4624 OR event_identifier:4625)'
         attribute: 'xml_string'
         store_as: 'process_id'
-        re: '.*"ProcessId">(?P<process_id>[^<]+)</Data>'
+        re: '"ProcessId">(?P<process_id>[^<]+)</Data>'
 
 win_login_process_name:
         query_string: 'source_name:Microsoft-Windows-Security-Auditing AND (event_identifier:4624 OR event_identifier:4625)'
         attribute: 'xml_string'
         store_as: 'process_name'
-        re: '.*"ProcessName">(?P<process_name>[^<]+)</Data>'
+        re: '"ProcessName">(?P<process_name>[^<]+)</Data>'
 
 win_login_ip_address:
         query_string: 'source_name:Microsoft-Windows-Security-Auditing AND (event_identifier:4624 OR event_identifier:4625)'
         attribute: 'xml_string'
         store_as: 'ip_address'
-        re: '.*"IpAddress">(?P<ip_address>[^<]+)</Data>'
+        re: '"IpAddress">(?P<ip_address>[^<]+)</Data>'
 
 win_login_port:
         query_string: 'source_name:Microsoft-Windows-Security-Auditing AND (event_identifier:4624 OR event_identifier:4625)'
         attribute: 'xml_string'
         store_as: 'port'
-        re: '.*"IpPort">(?P<port>[^<]+)</Data>'
+        re: '"IpPort">(?P<port>[^<]+)</Data>'
 
 win_bits_client_ipv4_addresses:
         query_string: 'data_type:"windows:evtx:record" AND source_name:Microsoft-Windows-Bits-Client'