Microsoft Tech Community

Kusto - How to identify content from array of regex

Hi,

I want to create an alert that, given an input, will validate that the input content matches at least one of the regexes from a given structure (array/list/etc.).

How can I do that? An example will help...

Thanks.

@CliveWatson 
Hi, no...

Since here you check whether there is a match to 1 regex.

I want to validate a match against a list of regexes.

@MatRock345 

This example will match multiple regexes against a column (it's using "not", so it's asking for where they don't match, but you can edit that):
https://github.com/Azure/Azure-Sentinel/blob/c69fda6e8b90aa3ae797560b670a42fa8fce2859/Hunting%20Quer...

You can see a short version here, which will match either regex to the column:

SecurityEvent
| where EventID == 4688
| where NewProcessName matches regex @"\\Windows\\Temp\\[0-9A-Za-z-]*\\DismHost\.exe" or // you can use "and" instead of "or"
        NewProcessName matches regex @"\\Windows\\Temp\\[0-9A-Za-z-]*\\MpSigStub\.exe"
| summarize count() by NewProcessName

NewProcessName count_
C:\Windows\Temp\3EB27418-1D7E-487F-87C2-5FA574848368\DismHost.exe 1
C:\Windows\Temp\B5572FE3-E791-4968-8F3E-EF77ED75459E\DismHost.exe 1
C:\Windows\Temp\FFBB967A-F90C-4950-88EF-1386D25C7EBC\DismHost.exe 1
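The "loop over an array of regexes" the question asks for, as an added example that is not from the thread or from the Azure-Sentinel repository: the array is held in a let statement, a combined alternation prefilters cheaply, and mv-apply then reports which pattern matched. The two patterns are the ones from the query above; the mv-apply approach assumes a Kusto version that accepts a non-constant regex operand.

```kusto
// Added example (not the thread's own query): match NewProcessName against
// an array of regexes and report which pattern(s) hit.
let Patterns = pack_array(
    @"\\Windows\\Temp\\[0-9A-Za-z-]*\\DismHost\.exe",
    @"\\Windows\\Temp\\[0-9A-Za-z-]*\\MpSigStub\.exe"
);
// One combined alternation; each pattern sits in its own group so that a
// pattern containing "|" or anchors cannot bleed into its neighbours.
let AnyPattern = strcat("(", strcat_array(Patterns, ")|("), ")");
SecurityEvent
| where EventID == 4688
// Cheap constant-regex prefilter before expanding the array per event.
| where NewProcessName matches regex AnyPattern
// The "loop": one row per (event, pattern), keeping only the hits.
| extend PatternList = Patterns
| mv-apply Pattern = PatternList to typeof(string) on (
    where NewProcessName matches regex Pattern
    | summarize MatchedPatterns = make_set(Pattern)
)
| summarize Events = count() by NewProcessName, tostring(MatchedPatterns)
| order by Events desc
```

If your cluster rejects the non-constant regex inside mv-apply, the AnyPattern prefilter on its own still answers the "at least one pattern" question, just without reporting which pattern matched.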

Hi,

The "or" option definitely gives the solution.
In my head I thought of a more classic solution using a loop/while instead of multiple "or"s.
It does the job, thanks!