Kusto - How to identify content from array of regex

Hi,

I want to create an alert that, given an input, will validate that the input content matches at least one of the regexes from a given structure (array/list/etc.).

How can I do that? An example will help...

Thanks.

Are you looking for this, as an example you can build from?

https://github.com/Azure/Azure-Sentinel/blob/60866cf25e4af0cc1817a8d3fd1d94e53dd85853/Detections/ThreatIntelligenceIndicator/EmailEntity_OfficeActivity.yaml

OfficeActivity | where TimeGenerated >= ago(dt_lookBack) and isnotempty(UserId)
| where UserId matches regex emailregex

Also see:

https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/indexofregexfunction
https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/regex-operator

4 Replies

@Clive Watson 
Hi, no...

Since here you check if there is a match to 1 regex.

I want to validate match against list of regexes.

@MatRock345 

 

This example will match multiple regexes against a column (it uses "not", so it asks for rows where they don't match, but you can edit that):
https://github.com/Azure/Azure-Sentinel/blob/c69fda6e8b90aa3ae797560b670a42fa8fce2859/Hunting%20Quer...

 

You can see a short version here, which will match either regex to the column:

SecurityEvent
| where EventID == 4688
| where NewProcessName matches regex @"\\Windows\\Temp\\[0-9A-Za-z-]*\\DismHost\.exe" or // you can use "and" instead of "or"
        NewProcessName matches regex @"\\Windows\\Temp\\[0-9A-Za-z-]*\\MpSigStub\.exe"
| summarize count() by NewProcessName
 
NewProcessName count_
C:\Windows\Temp\3EB27418-1D7E-487F-87C2-5FA574848368\DismHost.exe 1
C:\Windows\Temp\B5572FE3-E791-4968-8F3E-EF77ED75459E\DismHost.exe 1
C:\Windows\Temp\FFBB967A-F90C-4950-88EF-1386D25C7EBC\DismHost.exe 1
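The same "or" check, generalized to a list of patterns so new regexes are appended to the list instead of edited into the query. This is an added Python example, not code from the thread or from the Azure Sentinel repository; the event rows are constructed, modelled on the EventID 4688 results shown above, and the pattern list holds the two regexes from the query.

```python
import re
from collections import Counter

# Constructed sample rows modelled on the results shown in the thread (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4688, "NewProcessName": r"C:\Windows\Temp\3EB27418-1D7E-487F-87C2-5FA574848368\DismHost.exe"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\Temp\B5572FE3-E791-4968-8F3E-EF77ED75459E\MpSigStub.exe"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 4624, "NewProcessName": r"C:\Windows\Temp\FFBB967A-F90C-4950-88EF-1386D25C7EBC\DismHost.exe"},
]

# The two patterns from the query above, kept as a list (the "array of regex" the question asks about).
PATTERNS = [
    r"\\Windows\\Temp\\[0-9A-Za-z-]*\\DismHost\.exe",
    r"\\Windows\\Temp\\[0-9A-Za-z-]*\\MpSigStub\.exe",
]


def compile_patterns(patterns):
    """Compile once; re.search is unanchored, like KQL's 'matches regex'."""
    return [re.compile(p) for p in patterns]


def matches_any(value, compiled):
    """'or' semantics: at least one regex in the list is found in value."""
    return any(r.search(value) for r in compiled)


def matches_all(value, compiled):
    """'and' semantics: every regex in the list is found in value."""
    return all(r.search(value) for r in compiled)


def combine(patterns):
    """Fold the list into a single alternation regex. Each pattern is wrapped in a
    non-capturing group so a '|' inside one pattern cannot change the meaning of the others."""
    return re.compile("|".join(f"(?:{p})" for p in patterns))


def summarize_matches(events, patterns, event_id=4688, require_all=False):
    """Equivalent of: where EventID == event_id | where <match> | summarize count() by NewProcessName."""
    compiled = compile_patterns(patterns)
    check = matches_all if require_all else matches_any
    counts = Counter()
    for ev in events:
        if ev["EventID"] == event_id and check(ev["NewProcessName"], compiled):
            counts[ev["NewProcessName"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for name, n in summarize_matches(SAMPLE_EVENTS, PATTERNS).items():
        print(name, n)
```

`combine` is the alternative when the query engine only accepts one regex: it produces the same matches as `matches_any`, at the cost of a single longer expression.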



 

Hi,

The "or" option definitely gives the solution.
In my head I thought of more classic solution using loop/while instead of multiple "or".
It does the job, thanks!