Forum Discussion

akshay250692's avatar
akshay250692
Brass Contributor
Oct 31, 2022

How to combined query with same table.

Hi Guys,   I am adding new column in CommonSecurity Table. But i am having issue in kql quey. Please help me. This is Palo alto related logs. As "cat" field is in both Threat and System. So it is g...
KQL
Clive_Watson's avatar
Clive_Watson
Bronze Contributor
Oct 31, 2022
Would this help?

CommonSecurityLog
| where Activity in ("TRAFFIC", "THREAT")
| where AdditionalExtensions contains "cat="
| extend threat_ = iif (Activity=="THREAT",extract('cat=([^;]+)',1, AdditionalExtensions),"")
| extend system_ = iif (Activity=="SYSTEM",extract('cat=([^;]+)',1, AdditionalExtensions),"")
| extend all_ = strcat(threat_,system_)
akshay250692's avatar
akshay250692
Brass Contributor
Oct 31, 2022
not working as expected
    • SocInABox's avatar
      SocInABox
      Iron Contributor
      Oct 31, 2022

      Clive_Watson 

      works for me, unless akshay was expecting another result.

      (I don't have system logs coming in so an empty column is expected)

       

      • akshay250692's avatar
        akshay250692
        Brass Contributor
        Oct 31, 2022
        clive define for particular
        | where AdditionalExtensions contains "cat="
        that is not my requirement.
    • akshay250692's avatar
      akshay250692
      Brass Contributor
      Oct 31, 2022
      CommonSecurityLog
      | where Activity in ("TRAFFIC", "THREAT")
      | extend SessionEndReason_CF = extract('reason=([^;]+)',1, AdditionalExtensions)
      | extend ThreatContentName_CF = extract('cat=([^;]+)',1, AdditionalExtensions)
      | extend thr_category_CF = extract('PanOSThreatCategory=([^;]+)',1, AdditionalExtensions)
      up to here i m good.
      now in same table "commonsecuritylog" there is another activity called "system" in which also "cat" field as already same "cat " field in above query for activity "threat". if i m applying query then it is overlapping system "cat" with threat "cat". so i want to separate column for both "cat" field. so that overlapping will not happen.
      i want merge above query with below query
      | whrer activity in ("SYSTEM")
      | extend EventID_CF = extract('cat=([^;]+)',1, AdditionalExtensions)

      is it possible ?

Resources