Forum Discussion
Kusto - How to identify content from array of regex
Hi, I want to create an alert, that given an input, will validate the input content match at least one of the regex from a given structure (array/list/etc'...) How can I do that? Example will he...
This example one will match multiple regex against a column (it's using "not", so asking for where they don't match but you can edit)
https://github.com/Azure/Azure-Sentinel/blob/c69fda6e8b90aa3ae797560b670a42fa8fce2859/Hunting%20Queries/SecurityEvent/RareProcessPath.yaml
You can see a short version here, which will match either regex to the column:
Go to Log Analytics and run query
SecurityEvent
| where EventID==4688
| where NewProcessName matches regex @"\\Windows\\Temp\\[0-9A-Za-z-]*\\DismHost\.exe" or //you can use "and" instead of "or"
NewProcessName matches regex @"\\Windows\\Temp\\[0-9A-Za-z-]*\\MpSigStub\.exe"
| summarize count() by NewProcessName
| NewProcessName | count_ |
|---|---|
| C:\Windows\Temp\3EB27418-1D7E-487F-87C2-5FA574848368\DismHost.exe | 1 |
| C:\Windows\Temp\B5572FE3-E791-4968-8F3E-EF77ED75459E\DismHost.exe | 1 |
| C:\Windows\Temp\FFBB967A-F90C-4950-88EF-1386D25C7EBC\DismHost.exe | 1 |
Hi,
The "or" option definitely gives the solution.
In my head I thought of more classic solution using loop/while instead of multiple "or".
It does the job, thanks!
The "or" option definitely gives the solution.
In my head I thought of more classic solution using loop/while instead of multiple "or".
It does the job, thanks!