Taking regular expression group name contents to action

[TheScriptGuy]

Hi,

I'm trying to figure out a way to capture a named regular expression group and add that to the actionban command.

I have an IPS device that produces log entries in a sample format like so:
2024/05/04 05:09:05,THREAT,vulnerability,123.123.123.123,Vulnerability for AppX (unique ID)$

Now the Vulnerability for AppX (unique ID) is a dynamic field based on what the IPS finds. I want to take this dynamic field and add it to the actionban command.

The failregex expression I have is:
^\d{4}\/\d{2}\/\d{2}\s\d{2}:\d{2}:\d{2},THREAT,vulnerability,<HOST>,(?P<vulnerability_reason>.*)$

As you can see, I have labeled the dynamic field vulnerability_reason.

How do I bring that vulnerability_reason value into the actionban command?

I've been struggling to find any documentation on this (if it is even possible?).
As an extension to this, I'd like to strip the (unique ID) portion of the vulnerability name before the actionban command is executed.

Any guidance is most welcome!

TIA

[sebres]

- (?P<vulnerability_reason>.*)
+ <F-vulnerability_reason>.*</F-vulnerability_reason>

And then tag <F-vulnerability_reason> may be used in actions.

See description for <F-*>...</F-*> in jail.conf.5#failregex