Forum Discussion
MatRock345
Oct 05, 2021, Copper Contributor
Kusto - How to identify content from array of regex
Hi,
I want to create an alert that, given an input, will validate that the input content matches at least one of the regexes from a given structure (array/list/etc.).
How can I do that? An example would help...
Thanks.
- CliveWatson
Microsoft
Are you looking for this, as an example you can build from?
https://github.com/Azure/Azure-Sentinel/blob/60866cf25e4af0cc1817a8d3fd1d94e53dd85853/Detections/ThreatIntelligenceIndicator/EmailEntity_OfficeActivity.yaml
OfficeActivity
| where TimeGenerated >= ago(dt_lookBack) and isnotempty(UserId)
| where UserId matches regex emailregex
Also see:
https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/indexofregexfunction
https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/regex-operator
- MatRock345
Copper Contributor
CliveWatson
Hi, no... since here you check if there is a match to one regex.
I want to validate a match against a list of regexes.
- CliveWatson
Microsoft
This example will match multiple regexes against a column (it's using "not", so it asks for where they don't match, but you can edit that):
https://github.com/Azure/Azure-Sentinel/blob/c69fda6e8b90aa3ae797560b670a42fa8fce2859/Hunting%20Queries/SecurityEvent/RareProcessPath.yaml
You can see a short version here, which will match either regex to the column:
SecurityEvent
| where EventID == 4688
| where NewProcessName matches regex @"\\Windows\\Temp\\[0-9A-Za-z-]*\\DismHost\.exe" or //you can use "and" instead of "or"
    NewProcessName matches regex @"\\Windows\\Temp\\[0-9A-Za-z-]*\\MpSigStub\.exe"
| summarize count() by NewProcessName

NewProcessName                                                          count_
C:\Windows\Temp\3EB27418-1D7E-487F-87C2-5FA574848368\DismHost.exe       1
C:\Windows\Temp\B5572FE3-E791-4968-8F3E-EF77ED75459E\DismHost.exe       1
C:\Windows\Temp\FFBB967A-F90C-4950-88EF-1386D25C7EBC\DismHost.exe       1
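The query above chains two regexes with "or". What the question actually asks for is a match against a list of regexes, so here is an added example (not code from the thread or from the Azure-Sentinel repository) that generalizes it: the patterns sit in a dynamic array, mv-apply expands that array once per event row, and the row is kept when at least one pattern matches. The two DismHost/MpSigStub patterns are the ones from the thread; the third pattern, the SampleEvents rows and the column names beyond EventID/NewProcessName/TimeGenerated are constructed for illustration and would be replaced by the real SecurityEvent table in an analytics rule.

```kusto
// Added example: match NewProcessName against a list of regexes and keep the row
// when at least one of them hits. Patterns are RE2 syntax; inside a verbatim
// @"..." string, "\\" reaches the regex engine as an escaped backslash.
let patterns = dynamic([
    @"\\Windows\\Temp\\[0-9A-Za-z-]*\\DismHost\.exe",       // from the thread
    @"\\Windows\\Temp\\[0-9A-Za-z-]*\\MpSigStub\.exe",      // from the thread
    @"\\Users\\[^\\]+\\AppData\\Local\\Temp\\[^\\]+\.exe"   // assumed extra pattern
]);
// Constructed sample rows standing in for SecurityEvent; not real telemetry.
let SampleEvents = datatable(TimeGenerated:datetime, EventID:int, NewProcessName:string) [
    datetime(2021-10-05 10:00:00), 4688, @"C:\Windows\Temp\3EB27418-1D7E-487F-87C2-5FA574848368\DismHost.exe",
    datetime(2021-10-05 10:01:00), 4688, @"C:\Windows\System32\svchost.exe",
    datetime(2021-10-05 10:02:00), 4688, @"C:\Users\alice\AppData\Local\Temp\setup.exe",
    datetime(2021-10-05 10:03:00), 4624, @"C:\Windows\Temp\abc\MpSigStub.exe"   // not 4688, filtered out below
];
SampleEvents
| where EventID == 4688                     // narrow first: regex cost is rows x patterns
| mv-apply pattern = patterns to typeof(string) on (
    // one sub-table per event row, one line per pattern; collect the patterns that match
    summarize MatchedPatterns = make_set_if(pattern, NewProcessName matches regex pattern)
)
| where array_length(MatchedPatterns) > 0   // "at least one regex matched"
| project TimeGenerated, NewProcessName, MatchedPatterns
```

Because every pattern is evaluated against every row that survives the earlier filters, keep the EventID and time-window filters ahead of the mv-apply, and keep the pattern list anchored (for example on the directory prefix) rather than relying on ".*" at both ends. MatchedPatterns is returned so an alert shows which entry of the list fired, which makes tuning the list easier than a bare boolean would.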